[Topic 247959]

About Kaspersky Machine Learning for Anomaly Detection

The early anomaly detection system known as Kaspersky Machine Learning for Anomaly Detection (hereinafter also referred to as Kaspersky MLAD or "the application") is specialized software designed to prevent failures, accidents or degradation of industrial installations, technological processes, and complex cyberphysical systems. By analyzing telemetry data using machine learning techniques (artificial intelligence), Kaspersky MLAD detects signs of an abnormal situation before it is detected by traditional monitoring systems.

Kaspersky MLAD detects anomalies in industrial processes regardless of their causes. Anomalies may be caused by the following:

• Physical factors, such as damage to equipment or malfunctioning sensors.
• The human factor, such as intentional or inadvertent inappropriate actions by the operator, hardware configuration, change of operating mode or settings, or a switch to manual control.
• Cyberattacks.

Main capabilities of Kaspersky MLAD:

• Detects abnormal behavior of the monitored asset in real time.
• Identifies signals that display the largest deviations from normal behavior.
• Allows you to analyze incidents taking into account information about similar incidents.
• Allows expert classification and annotation of incidents.
• Allows you to notify users about detected incidents through the web interface, by email, by sending messages to Kaspersky Industrial CyberSecurity for Networks, and using industrial data transfer protocols.
• Allows you to use models based on both machine learning and arbitrary rules for anomaly detection.
• Displays historical and real-time data as graphs according to the specified tag sets, along with the results of processing this data with ML models.
• Lets you manage the log of detected incidents.
• Allows you to create ML models and add predictive elements, elliptic envelope-based elements, and diagnostic rule-based elements to it.
• Provides training of predictive elements and elliptic envelope-based elements.
• Allows to create templates based on the added ML models and add ML models to Kaspersky MLAD based on the created templates.
• Allows you to define the way to organize the data of the monitored asset in the form of an asset tree.

• Allows you to receive telemetry data over HTTP, OPC UA, MQTT, AMQP, CEF, and WebSocket protocols, and via a specialized protocol over HTTPS from Kaspersky Industrial CyberSecurity for Networks.
• Detects and handles terminations and interruptions of the incoming data stream, and restores missed observations.
• Based on data on events received from external systems, recognizes principles as repeated events or patterns, and identifies new events and patterns in the event stream.
• Displays the detected events as a graph and a table, and shows detected patterns as a layered hierarchy of nested items.
• Sends alerts about the detection of certain events, patterns, or values of the event parameters received by the Event Processor in the data stream from the monitored asset.

[Topic 247960]

Distribution kit

Kaspersky MLAD is delivered as an archive file named Kaspersky_MLAD_5.0.0.-<build number>_ru-RU_en-US.tar.xz, which contains the following files:

• Installation script and all files required for system installation.
• Scripts for updating, checking, and backing up the application.
• Files containing the text of the End User License Agreement in English and in Russian.
• Files containing information about the application (Release Notes) in English and in Russian.
• File containing information about third-party code (legal_notices.txt) in English.

After you unpack the archive, the "legal" directory will contain a text file named license_en.txt in which you can view the End User License Agreement. The End User License Agreement specifies the terms of use of the application.

[Topic 247961]

Hardware and software requirements

The hardware requirements for each protected facility must be adjusted considering the model being used, the number of processed tags and events, the average speed of data acquisition (number of observations per second), and the volume of stored data. The more data is processed and the more sophisticated the used ML model is, the more hardware resources are required for installing the server part of Kaspersky MLAD.

Requirements for Kaspersky MLAD server

To ensure proper operation of the application, the Kaspersky MLAD server must meet the following minimum requirements.

List of supported processors:

• Intel Xeon E3 v3, v4, v5, v6
• Intel Xeon E5 v3, v4
• Intel Xeon E7 v3, v4
• Intel Xeon Scalable processors
• The 2nd and 3rd generation Intel Xeon Scalable processors
• Intel Xeon E
• Intel Xeon W
• Intel Xeon D
• The 4th generation and later Intel Core i5, i7
• Intel Core i9 processor
• Intel Core M

Minimum hardware requirements:

• 8 cores
• 32 GB of RAM
• 200 GB of free space on the hard drive (SSD recommended)

  If Kaspersky MLAD receives a large data stream, increase the amount of free space on the hard drive.

You can install Kaspersky MLAD on a server with another x86 64-bit processor released in 2013 or later. The processor must meet the minimum hardware requirements listed above and support the following extensions required for the TensorFlow 2.15.1 library:

• Advanced Vector Extensions (avx)
• Advanced Vector Extensions 2 (avx2)

Supported operating systems:

• Ubuntu 22.04 LTS or later

The following software must be installed prior to deployment of Kaspersky MLAD:

• docker 24.0.9 or later
• docker compose 2.12.2 or later

Use the official Docker repository for installation of the software on the Kaspersky MLAD server.

To update and back up the application, the jq utility must be installed. You can install the jq utility by using the apt package manager.

User computer requirements

To work with the web interface of Kaspersky MLAD, the user's computer must meet the following minimum requirements:

• Intel Core i5 CPU;
• 8 GB of RAM;
• 64-bit operating system;
• Google Chrome browser version 107 or later
• The minimum screen resolution to display the web interface properly is 1600x900.

[Topic 247962]

Security recommendations

To ensure secure operation of Kaspersky MLAD at an enterprise, it is recommended to restrict and control access to equipment on which the application is running.

Physical security of equipment

When deploying Kaspersky MLAD, it is recommended to take the following measures to ensure secure operations:

• Restrict access to the room housing the server with Kaspersky MLAD installed, and to the equipment of the dedicated network. Access to the room must be granted only to trusted persons, such as personnel who are authorized to install and configure the application.
• Employ technical resources or a security service to monitor physical access to equipment on which the application is running.
• Use security alarm equipment to monitor access to restricted rooms.
• Conduct video surveillance in restricted rooms.

Information security

The ML model settings directly affect anomaly detection, so only system administrators and users in the Manage ML models group are allowed to edit these. The change history is available only in application logs, which are saved for only a limited amount of time.

When using the web interface, it is recommended to take the following measures to ensure the data security of the intranet system:

• Provide users with access to the application through the web interface only.
• Install certificates to users' computers for authorization of the Kaspersky MLAD server with their browser. To use a trusted certificate, you need to contact a qualified technical specialist of the Customer, a Kaspersky employee, or a certified integrator.
• Ensure protection of traffic within the intranet system.
• Ensure protection of connections to external networks.
• Use a secure TLS connection for data transfer.
• Change the name and password of the first application user with the system administrator role when installing the application.
• Change the account password when it expires. The password expiration date is defined in the application security settings. The default password expiration is set to 180 days.
• For connections through the web interface, use passwords that meet the following requirements:
  • Must not match previously used account passwords. The specific number of most recently used passwords that must not be reused is defined when configuring the application security settings. The password must be different from the five previous passwords by default.
  • Must contain at least 8 characters.
  • Must contain one or more uppercase letters of the English alphabet.
  • Must contain one or more lowercase letters of the English alphabet.
  • Must contain one or more numerals.
  • Must contain one or more of the following special characters: _ ! @ # $ % ^ & *.
• Ensure that passwords are confidential and unique. If the password has been possibly compromised, change the password.
• Set a time limit for a user web session.
• After you are finished working in the browser, manually terminate the application connection session by using the Sign out option in the web interface.
• Periodically install updates for the operating system on the server where Kaspersky MLAD is deployed.
• Use access permission control to restrict user access to application functions.

Data security

While working with Kaspersky MLAD, it is recommended to take the following measures to ensure data security:

• Configure the operating system and provide the necessary access to files of the server where Kaspersky MLAD is installed in accordance with the Recommendations on secure configuration of Linux operating systems issued by the Federal Service for Technical and Export Control (FSTEC) of Russia.
• Perform periodic data backups of the server that has Kaspersky MLAD installed in accordance with the internal company procedure.
• Periodically test the performance of the interface and services of the application. Special attention should be directed to the notification service and logging system.
• Check communication channels to make sure they are secure and working properly.
• Periodically test the performance of the server:
  • SMART disk check
  • Availability of sufficient free space and memory
  • RAM utilization
• Use the monitoring system to make sure that there are no problems with the server protocols.
• Store sensitive data in a secure storage location.

[Topic 247974]

Fixing vulnerabilities and installing critical updates

Kaspersky may release application updates aimed at eliminating vulnerabilities and security flaws (critical updates). Urgent update packages are supplied and installed in accordance with the current Technical Support Agreement. Notifications regarding the release of critical updates are sent to the email addresses specified in the current Technical Support Agreement.

It is recommended that the personnel responsible for application operation also periodically (at least once every three months) verify the absence of detected vulnerabilities in the application by referring to the Kaspersky website.

You can report security flaws or program vulnerabilities with a PGP-encrypted message to vulnerability@kaspersky.com. Please provide the following information in your email:

• Your contact details.
• The product name, version, and type of operating system installed on the asset where the vulnerability was found.
• A detailed description of the vulnerability.
• Any plans to share information about the vulnerability with a third party.

  Do not publish any information about the vulnerability until fixed by Kaspersky.

[Topic 254374]

Managing access to application functions

In Kaspersky MLAD, you can use roles to restrict users' access to application functions depending on the tasks performed by users. A role is a set of rights to access application functions that you can assign to a user.

Depending on the assigned role, users may have access to the following functions of Kaspersky MLAD:

Accessible functions of the application

All application users have the following default rights:

• Viewing summary data in the Dashboard section
• View primary and operational data by tags in the History and Monitoring sections
• Viewing the values of the process parameters received from the monitored asset's sensors at a certain point in time in the Time slice section.
• Working with events and patterns:
  • Configuring attention settings and display of event parameters
  • Creating and deleting monitors
  • Viewing the event and pattern history
• Working with incidents and groups of incidents:
  • Viewing incidents and incident groups
  • Adding a status, cause, expert opinion or note to an incident or incident group
  • Exporting incidents to a file
• The following actions in the Models section:
  • Creating, modifying, and deleting markups
  • Starting and stopping ML model inference
  • Viewing the data flow graph of an ML model
• Manage presets:
  • View presets
  • Create, modify, and delete models
  • Load a preset configuration from a file
  • Save a preset configuration to a file
• Change your own password

You can also create a role with a Rights to all actions permission. Users with this role have access to system administrator functions.

You can view the available user roles and their access rights to application functions in the Roles section of the administrator menu.

You can view application functionality access rights for specific users in the Users section of the administrator menu.

[Topic 247964]

What's new

Kaspersky Machine Learning for Anomaly Detection 5.0 has the following new capabilities and improvements:

• Model builder: added support for elliptic envelope-based ML models. Added functionality that lets you log incidents when observing anomalous behavior for a certain interval of time. Added functionality that lets you clone elements of ML models and markups. Added display of statuses and states of ML models and their elements in the asset tree. Added functionality that lets you search and filter by elements of the asset tree.
• Presets: added functionality that lets you combine preset tags into graphic areas and control the settings for displaying tag charts in a graphic area.
• Monitoring and History sections: added support for displaying charts of several tags within the same graphic area. Graphic areas and the tags within them are managed in the Presets section.
• Licensing: added functionality that lets you add license keys for different types of licenses depending on the required set of functions.
• Application installation, update and backup scripts: improved algorithms for application installation and update scripts in accordance with information security requirements. Added functionality that lets you switch between Kaspersky MLAD state control modes by using the installation script. The backup script provides the functionality for backing up the application and rolling back the application to a previously installed version.
• Starting and stopping the application: added functionality that lets you start and stop the application by using the systemctl utility.
• User accounts: added capability to change email addresses for user accounts in the web interface.
• Incident notifications: added capability to specify additional email addresses for sending incident notifications in the web interface. Added functionality that lets you send notifications when registering certain types of incidents: incidents registered by certain types of ML model elements or registered by the Limit Detector and/or Stream Processor service. Added functionality that lets you prevent forwarding of notifications about incidents registered by elements of unpublished ML models.
• Event Processor service: expanded functionality of the attention mechanism. Added functionality that lets you track generalized events and patterns. Improved display of monitors.
• Mail Notifier Service: Added new settings for configuring the Mail Notifier service.
• HTTP Connector and OPC UA Connector: added new settings for configuring the HTTP Connector and OPC UA Connector.
• MQTT Connectors, AMQP Connector and CEF Connector - added support for TLS connections by default, and added functionality that lets you use the recommended TLS connection settings.
• WebSocket Connector: added functionality that lets you use the recommended TLS connection settings.
• Push messages: added functionality that lets you transfer messages between Kaspersky MLAD services.

[Topic 247981]

Kaspersky MLAD architecture

Kaspersky MLAD is installed on a server that meets the hardware and software requirements. The Kaspersky MLAD Server centrally stores information about application services and connectors and provides a single web user interface for managing them.

Access to individual services or application connectors is not provided.

When installing Kaspersky MLAD, all application connectors and services are hosted on the same server and interact with each other through an internal virtual network that is isolated from external systems.

Kaspersky MLAD includes specially prepared ML models, and the following services and connectors:

ML model

An ML model is a model created for a specific facility based on machine learning algorithms and/or diagnostic rules using telemetry data from this facility. The ML model detects anomalies.

An ML model can be created with a model builder or provided under Kaspersky MLAD Model-building and Deployment Service.

Kaspersky MLAD services

Kaspersky MLAD services comprise a set of core application services supplied to each monitored asset. Kaspersky MLAD includes the following services:

• Anomaly Detector. Uses an ML model to process data and detect anomalies.
• Event Processor. Uses machine learning methods based on a semantic neural network to identify patterns and anomalous sequences of events.
• Stream Processor. Processes telemetry data received from the monitored asset at arbitrary real-time moments and converts this data to a uniform temporal grid.
• Trainer. Performs training of an ML model based on the telemetry data obtained by Kaspersky MLAD for a specific monitored asset.
• Similar Anomaly. Identifies and groups together similar incidents.
• Message Broker. Exchanges data between Kaspersky MLAD services.
• Time Series Database. Stores time series of observed tag values, artifacts associated with tags, and ML model element artifacts.
• Keeper. Performs routing of the telemetry data that should be saved in the database.
• Database. Stores all configuration settings of Kaspersky MLAD.
• API Server. Supports operation of the internal interfaces of Kaspersky MLAD.
• Web Server. Supports operation of the Kaspersky MLAD web interface.
• Logger. Stores Kaspersky MLAD operation logs.
• Mail Notifier. Sends emails with incident registration notifications.
• Docker API Server. Supports interaction with Docker.
• Migrations. Updates information about the Kaspersky MLAD settings in the Database.
• Push Server. Sends push messages to Kaspersky MLAD.

Connectors

Connectors are services that facilitate the exchange of data with external systems. For each protection object, you must select one of the following connectors:

• KICS Connector. Supports interaction with Kaspersky Industrial CyberSecurity for Networks version 4.0 and later.
• OPC UA Connector. Receives tags from industrial process control systems (ICS) according to the protocol described in the OPC Unified Architecture specification.
• CEF Connector. Receives events from external sources (Industrial Internet of Things, network devices and applications) and returns messages in CEF (Common Event Format) registered by event analysis monitors.
• MQTT Connector. Receives tags from ICS and sends messages about incidents via the MQTT (Message Queuing Telemetry Transport) protocol.
• AMQP Connector. Receives tags from ICS and sends messages about incidents via AMQP (Advanced Message Queuing Protocol).
• WebSocket Connector. Receives tags from ICS and sends messages about incidents via the WebSocket protocol.
• HTTP Connector. Receives telemetry data from ICS in CSV files via HTTP/HTTPS POST requests.

The figure below shows a diagram of interaction between Kaspersky MLAD services.

Diagram of interaction between Kaspersky MLAD services

[Topic 247982]

Common deployment scenarios

This section provides a description of the standard scenarios for deploying Kaspersky MLAD in the network of a monitored asset, and provides special considerations when integrating Kaspersky MLAD with other applications.

Kaspersky MLAD supports the following installation options:

• Standalone installation.
• Installation with Kaspersky Industrial CyberSecurity for Networks version 4.0 and later.
  

Standalone installation of Kaspersky MLAD

You can install only Kaspersky MLAD if you plan to use the following connectors as a data provider:

• OPC UA Connector
• MQTT Connector
• AMQP Connector
• CEF Connector
• WebSocket Connector
• HTTP Connector

The figures below show example scenarios for standalone installation of Kaspersky MLAD using the above connectors. You can use any configurations of connectors that are suitable for your monitored asset.

Standalone installation of Kaspersky MLAD using connectors: OPC UA Connector, MQTT Connector, AMQP Connector, HTTP Connector, WebSocket Connector, CEF Connector

Standalone installation of Kaspersky MLAD using connectors: MQTT Connector, AMQP Connector, HTTP Connector, WebSocket Connector, CEF Connector

Installation of Kaspersky MLAD with Kaspersky Industrial CyberSecurity for Networks

You can install Kaspersky MLAD and Kaspersky Industrial CyberSecurity for Networks if you are planning to use Kaspersky Industrial CyberSecurity for Networks as a data provider (see the figure below).

Kaspersky Machine Learning for Anomaly Detection is compatible with Kaspersky Industrial CyberSecurity for Networks version 4.0 and later.

Installation of Kaspersky MLAD with Kaspersky Industrial CyberSecurity for Networks

To use this installation option, first install Kaspersky Industrial CyberSecurity for Networks and add a Generic connector. Create a communication data package for the added connector and specify the settings for connecting Kaspersky Industrial CyberSecurity for Networks to Kaspersky MLAD. Upload the obtained communication data package to Kaspersky MLAD when configuring the KICS Connector. For detailed information about creating and adding a connector, please refer to the Adding a connector section of Kaspersky Industrial CyberSecurity for Networks Help Guide.

Computers with Kaspersky MLAD and Kaspersky Industrial CyberSecurity for Networks installed must belong to the same network.

[Topic 247983]

Telemetry and event data flow diagram

In Kaspersky MLAD, data exchange with the external systems is provided by connectors. To receive telemetry data (tags) and/or events from the external systems, you need to configure the HTTP Connector, MQTT Connector, AMQP Connector, OPC UA Connector, KICS Connector, CEF Connector, and WebSocket Connector.

If transmission of events and incidents to recipient systems is configured in the application, the application sends registered events and incidents to recipient systems chosen by the system administrator. The application system administrator independently selects the recipient systems and the types of events and incidents to transmit to the recipient systems. The recipient system processes and stores the received data according to its functionality and purpose.

The Stream Processor service performs the initial processing of the telemetry data of the monitored asset, converting the received tags to a uniform temporal grid (UTG). When Stream Processor service detects interruptions in the telemetry data stream or observations received by Kaspersky MLAD too early or too late, it registers incidents.

The Stream Processor service transfers the UTG-converted data to the ML model of the Anomaly Detector service. If the elements of the ML models detect deviations from the normal behavior of the monitored asset while processing the received data, the Anomaly Detector service registers incidents. When similar incidents are detected, the Similar Anomaly service generates groups of incidents.

You can view registered incidents and groups of incidents in the Incidents section. Kaspersky MLAD also sends incident notifications to the specified email addresses and to external systems using connectors.

Events received by Kaspersky MLAD are processed by the Event Processor service. The Event Processor can also process incidents registered by the Anomaly Detector service. In the stream of events, the Event Processor detects regularities – recurring events and patterns – as well as new events and patterns. When monitors are activated, the Event Processor service sends alerts to external systems about the detection of events, patterns, and event parameter values according to the specified monitoring criteria using the CEF Connector. You can also view information about events, patterns, and monitors in the Event Processor section.

The figure below shows the telemetry and event data stream in Kaspersky MLAD.

The telemetry and event data stream in Kaspersky MLAD

[Topic 247984]

Ports used by Kaspersky MLAD

The table below lists the ports that must be opened on the servers where Kaspersky MLAD is installed.

[Topic 251713]

Installing and removing the application

This section contains step-by-step instructions on installing and removing Kaspersky MLAD.

[Topic 247986]

Installing the application

This section contains a step-by-step description of Kaspersky MLAD installation. During installation, Kaspersky MLAD creates the first application user with the system administrator role.

Prior to installation, you must make sure that the required amount of free space is available on the hard drive where the application will be installed. Docker service volumes must be stored on the drive where the application is installed. If the Docker volumes are stored on a different drive, you must move them and use the Docker configuration file to specify the path to the storage location of the volumes on the hard drive where the application is installed.

To install the application, each server must have a user account with root privileges that will be used to perform the installation. The directory for installing Kaspersky MLAD must be empty.

Installation of Kaspersky MLAD is performed by a qualified technical specialist of the Customer, a Kaspersky employee, or a certified integrator.

The Kaspersky MLAD server and the software installed on the server must meet the hardware and software requirements.

Kaspersky MLAD is installed according to the described procedure for application installation. Installation and use of Kaspersky MLAD is possible only on one server. Installation and use of different services and connectors on multiple servers is not possible.

Installation of Kaspersky MLAD will be interrupted if the integrity of the application archive has been breached. To obtain the correct archive of the application, please contact Kaspersky experts.

To install Kaspersky MLAD:

1. Unpack the archive named Kaspersky_MLAD_5.0.0.-<build number>_ru-RU_en-US.tar.xz that is included in the distribution kit:

   tar xf Kaspersky_MLAD_5.0.0.< build number >_ru-RU_en-US.tar.xz

   The mlad-release-5.0.0-<build number> directory appears after the archive is unpacked.

2. Navigate to the directory named mlad-release-5.0.0-<build number>:

   cd mlad-release-5.0.0-<build number>

3. Run the setup.sh installation script:

   sudo ./setup.sh

4. Follow the instructions of the Application Setup Wizard.

   Read the License Agreement carefully during installation. You must accept the terms of the End User License Agreement to install the application. If you do not accept the terms of the End User License Agreement, the installation process will be interrupted.

   Using the Application Setup Wizard, you can change the name and password of the first application user with the system administrator role.

   The application is installed in /opt/kaspersky/mlad by default. You can specify a different directory during installation.

To install Kaspersky MLAD in non-interactive mode:

1. Unpack the archive named Kaspersky_MLAD_5.0.0.-<build number>_ru-RU_en-US.tar.xz that is included in the distribution kit:

   tar xf Kaspersky_MLAD_5.0.0.< build number >_ru-RU_en-US.tar.xz

2. Navigate to the directory named mlad-release-5.0.0-<build number>:

   cd mlad-release-5.0.0-<build number>

3. Run the setup.sh installation script with the following switches:

   sudo ./setup.sh -q -e accept -f <full path to installation directory>

   where:

   -q means that the application is installed in non-interactive mode. When installing the application in non-interactive mode, Kaspersky MLAD creates the first application user with the system administrator role and assigns it a default user name and password. To obtain the default user name and password, contact a qualified technical specialist of the Customer, a Kaspersky employee, or a certified integrator.

   -e accept means that you accept the terms of the End User License Agreement. You must accept the terms of the End User License Agreement to install the application. If you do not add the -e accept switch, installation of the application will not continue.

   You can read the text of the End User License Agreement in the text file named license_en.txt located in the 'legal' directory.

   -f <full path to installation directory> means the application will be installed in the specified directory. Skipping the -f switch will cause the application to be installed in the default directory /opt/kaspersky/mlad.

The application will be installed on the server. After installing the application, start it.

Some features will be unavailable until you add a license key.

[Topic 247987]

Updating the application

The application is updated using the upgrade.sh upgrade script. When Kaspersky MLAD is updated, all of the following data that was uploaded, received, or processed by the previous version of Kaspersky MLAD will be saved: tag configurations, presets, ML models, and settings of Kaspersky MLAD.

You can back up the previous version when updating the application, if needed.

A user account in the Kaspersky MLAD server operating system must have root access to update the application.

Prior to starting the update, make sure that there is free space on the hard drive:

• If the application is being updated without performing a backup, the hard drive must have enough free space required to install Kaspersky MLAD.
• If a backup is performed simultaneously with the application update and the backup copy is saved on the same drive, at least 50% of the total hard drive volume must be free.
• If a backup copy is performed simultaneously with the application update and the backup copy is saved on another drive, the application installation drive must have free space in the amount required to install Kaspersky MLAD, and the drive for storing the backup copy must have free space equaling at least the amount of occupied disk space on the drive where the application is installed.

Updating Kaspersky MLAD is possible starting with application version 5.0.0-001.

The application will shut down while it updates. Kaspersky MLAD will not accept data from data sources or process it.

The Kaspersky MLAD server and the software installed on the server must meet the hardware and software requirements.

Kaspersky MLAD is updated to fix security flaws and application vulnerabilities or when new versions of the application are released under the current Technical Support Agreement. The application update is performed by a qualified technical specialist of the Customer, a Kaspersky employee, or a certified integrator.

The Kaspersky MLAD update will be interrupted if the integrity of the application archive has been breached. To obtain the correct archive of the application, please contact Kaspersky experts.

To update Kaspersky MLAD:

1. Unpack the archive named mlad-5.0.0-<new build number>.tar.xz that is included in the distribution kit:

   tar xf mlad-5.0.0-<new build number>.tar.xz

2. Go to the folder with the new application build:

   cd mlad-release-5.0.0-<new build number>

3. Run the upgrade.sh script using one of the following methods:
   • If you need to back up a previous version and save the backup copy in the directory where Kaspersky MLAD is installed, run the following command:

     sudo ./upgrade.sh -f <full path to the application build to be updated>

     The backup copy will be created in a directory named mlad_backup-<version number>-<build number>. The directory will be created within the directory where the application is installed.

   • If you need to back up a previous version and save the backup copy in a different directory, run the following command:

     sudo ./upgrade.sh -b <full path to backup directory> -f <full path to application build to be updated>

   • To skip backup when updating the application, run:

     sudo ./upgrade.sh -b nobackup -f <full path to the application build to be updated>

   You can run the upgrade.sh script with the -h switch if you want to display the brief description of the script in the Kaspersky MLAD update interface:

   sudo ./upgrade.sh -h

4. Follow the instructions of the Application Upgrade Wizard.

   Accept the terms of the End User License Agreement while running the Application Update Wizard. You must accept the terms of the End User License Agreement to update the application. If you do not accept the terms of the End User License Agreement, the update process will be interrupted.

   You can read the text of the End User License Agreement in the text file named license_en.txt located in the 'legal' directory.

To update Kaspersky MLAD in non-interactive mode:

1. Unpack the archive named mlad-5.0.0-<new build number>.tar.xz that is included in the distribution kit:

   tar xf mlad-5.0.0-<new build number>.tar.xz

2. Go to the folder with the new application build:

   cd mlad-release-5.0.0-<new build number>

3. Run the upgrade script using one of the following methods:
   • If you need to back up a previous version and save the backup copy in the directory where Kaspersky MLAD is installed, run the following command:

     sudo ./upgrade.sh -q -e accept -f <full path to the application build to be updated>

     The backup copy will be created in a directory named mlad_backup-<version number>-<build number>. The directory will be created within the directory where the application is installed.

   • If you need to back up a previous version and save the backup copy in a different directory, run the following command:

     sudo ./upgrade.sh -q -e accept -b <full path to the backup directory> -f <full path to the application build to be updated>

   • To skip backup when updating the application, run:

     sudo ./upgrade.sh -q -e accept -b nobackup -f <full path to the application build to be updated>

   where:

   -q means that the application is updated in non-interactive mode.

   -e accept means that you accept the terms of the End User License Agreement. You must accept the terms of the End User License Agreement to update the application. If you do not add the -e accept switch, application updating will be interrupted.

   You can read the text of the End User License Agreement in the text file named license_en.txt located in the 'legal' directory.

   -b <full path to the backup directory> means Kaspersky MLAD will back up the current application version and save the backup to the specified directory.

   -b nobackup means that Kaspersky MLAD will update the application without backing up the current version.

   -f <full path to the application build to be updated> means the application installed in the specified directory will be updated.

Kaspersky MLAD will be updated to the version specified in the build number. All application files will be located in the directory where Kaspersky MLAD is installed (/opt/kaspersky/mlad by default).

[Topic 291566]

Checking the integrity of Kaspersky MLAD archive files

You can check the integrity of files in the Kaspersky MLAD archive to make sure that there have been no changes to its contents before beginning installation or upgrading the application.

Integrity checks are performed using the integrity.sh script. When the script is running, it sequentially verifies the checksums of files from the application archive.

To check the integrity of Kaspersky MLAD archive files:

1. Unpack the archive named Kaspersky_MLAD_5.0.0.-<build number>_ru-RU_en-US.tar.xz that is included in the distribution kit:

   tar xf Kaspersky_MLAD_5.0.0.< build number >_ru-RU_en-US.tar.xz

   The mlad-release-5.0.0-<build number> directory appears after the archive is unpacked.

2. Navigate to the directory named mlad-release-5.0.0-<build number>:

   cd mlad-release-5.0.0-<build number>

3. Run the script for checking the integrity of the Kaspersky MLAD archive:

   ./integrity.sh

The results of checking the integrity of the application archive files on the computer are considered successful if the integrity.sh script ends with the SUCCEEDED message.

[Topic 247988]

Backing up the application

You can back up the application in accordance with your company regulations. You can back up Kaspersky MLAD when updating the application, if needed.

The application is backed up with the help of the backup.sh script. The Kaspersky MLAD backup procedure saves all of the following data that was uploaded, received, or processed by Kaspersky MLAD: tag configurations, presets, ML models, and settings of Kaspersky MLAD.

A user account in the Kaspersky MLAD server operating system must have root access to back up the application.

Prior to starting the backup, you must make sure that at least 50% of the hard drive space is free if you are saving the backup copy to the hard drive where the application is installed. If the backup copy is saved to another drive, you must make sure that this drive has enough free space necessary for installing Kaspersky MLAD.

Kaspersky MLAD backup capabilities are available starting with application version 5.0.0-001.

To back up Kaspersky MLAD:

1. Go to the directory where Kaspersky MLAD is installed:

   cd mlad-release-5.0.0-<build number>

2. Run the backup.sh script using one of the following methods:
   • If you want to save a backup copy in the directory where the application is installed, run the following command:

     sudo ./backup.sh -f <full path to application directory>

     The backup copy will be created in a directory named mlad_backup-<version number>-<build number>. The directory will be created within the directory where the application is installed.

   • If you need to save the backup copy to another directory, run the following command:

     sudo ./backup.sh -b <full path to backup directory> -f <full path to application directory>

3. Follow the instructions of the backup wizard.

To back up Kaspersky MLAD in non-interactive mode:

1. Go to the directory where Kaspersky MLAD is installed:

   cd mlad-release-5.0.0-<build number>

2. Run the backup.sh script by doing one of the following:
   • If you want to save a backup copy in the directory where the application is installed, run the following command:

     sudo ./backup.sh -q -f <full path to application directory>

     The backup copy will be created in a directory named mlad_backup-<version number>-<build number>. The directory will be created within the directory where the application is installed.

   • If you need to save the backup copy to another directory, run the following command:

     sudo ./backup.sh -q -b <full path to backup directory> -f <full path to application directory>

   where:

   -q means that the application will be backed up in non-interactive mode.

   -b <full path to the backup directory> means Kaspersky MLAD will save the backup in that directory.

   -f <full path to application directory> means that the application installed in that directory will be backed up.

[Topic 247989]

Rolling back the application to the previous installed version

The application can be rolled back to a previously installed version by using the backup.sh script.

A user account in the Kaspersky MLAD server operating system must have root access to roll back the application to a previous version.

Kaspersky MLAD rollback capabilities are available starting with application version 5.0.0-001.

The application will shut down while it rolls back to the previous version. Kaspersky MLAD will not accept data from data sources or process it.

When rolling back Kaspersky MLAD to the previous installed version, all data received and processed by Kaspersky MLAD from the moment the application was upgraded to the moment of the rollback to the previous version will be lost. You are advised to verify that you have a full backup copy of all Kaspersky MLAD data.

To roll back Kaspersky MLAD to the previous installed version:

1. Go to the directory containing the relevant backup copy of Kaspersky MLAD that the application rollback should restore:

   cd <directory containing the application backup copy>

2. To roll back the application to the previous version, run the backup script named backup.sh with the -r switch:

   sudo ./backup.sh -r -f <full path to application directory>

3. Follow the instructions of the backup wizard.

Kaspersky MLAD will be rolled back to the previous installed version.

[Topic 247990]

Scenario for restoring Kaspersky MLAD from a backup

If necessary, for example, if the server hosting Kaspersky MLAD malfunctions, you can restore the application from a backup copy of Kaspersky MLAD by using the backup.sh script.

A user account in the Kaspersky MLAD server operating system must have root access to restore the application.

The scenario for restoring the application from a backup copy consists of the following steps:

1. Moving a backup copy of the application to the Kaspersky MLAD server

   Copy the directory containing the backup copy of the application to the server where the application is being restored.

2. Restoring Kaspersky MLAD

   Go to the directory containing the backup copy of Kaspersky MLAD by running the following command:

   cd <directory containing the application backup copy>

   To restore the application from a backup copy, run the application backup script named backup.sh with the -r switch:

   sudo ./backup.sh -r -f <full path to the directory in which you need to restore the application>

   Follow the instructions of the backup wizard.

[Topic 247991]

Getting started

Before starting to work with Kaspersky MLAD, you must make sure that the following conditions are fulfilled:

1. Descriptions of tags of received telemetry and assets of the hierarchical structure are prepared as a XLSX file to be imported into Kaspersky MLAD. This file is created by a qualified technical specialist of the Customer, a Kaspersky expert or a certified integrator.
2. A set of presets has been prepared to monitor data flow and evaluate the performance of Kaspersky MLAD. A description of the presets is supplied in the form of a file in JSON format. This file is created by a qualified technical specialist of the Customer, a Kaspersky expert or a certified integrator.
3. The telemetry data source is enabled and configured to send data to Kaspersky MLAD.
4. The data transfer network is prepared to deliver telemetry data from the data source to the Kaspersky MLAD server, the network equipment is properly configured, and data transfer is allowed.
5. Configuration settings and/or configuration files are prepared for the connector that will be used in Kaspersky MLAD to receive telemetry data or events from external systems. The connector must be configured and activated after Kaspersky MLAD is started.
6. If ML models are provided as part of the Kaspersky MLAD Model-building and Deployment Service, the ML models are created and trained based on historical telemetry data by a Kaspersky expert or a certified integrator. The ML models have been prepared for import into Kaspersky MLAD as TAR files. The Kaspersky MLAD system administrator has been sent the codes for activating ML models. The ML model activation codes are stored in a secure storage location.

[Topic 247992]

Starting and stopping Kaspersky MLAD

By default, Kaspersky MLAD uses the systemctl utility to start or stop the application. If there is an unexpected restart of the server where the application is installed, the systemctl utility automatically starts Kaspersky MLAD.

If necessary, you can use scripts to start and stop the application. To do so, you must switch the application state control mode.

We recommend the systemctl utility for controlling the application state.

Starting or stopping the application with the systemctl utility

The user account must have root access to start or stop the application.

To start the application using the systemctl utility:

In the command line, run the following command:

sudo systemctl start mlad

Kaspersky MLAD will be started.

To stop the application using the systemctl utility:

In the command line, run the following command:

sudo systemctl stop mlad

Kaspersky MLAD will be stopped.

When stopping, the application saves service statuses. When the application starts again, the services will be restored to their previous status.

An error message is displayed if you attempt to run the start and stop scripts in control mode by using the systemctl utility.

Starting or stopping the application with the start and stop scripts

To start or stop the application using the start and stop scripts, first switch the application state control mode.

To start the application:

1. Go to the folder where Kaspersky MLAD is installed (/opt/kaspersky/mlad by default).
2. In the command line, run the following command:

   ./mlad-start.sh

Kaspersky MLAD will be started.

To stop the application:

1. Go to the folder where Kaspersky MLAD is installed (/opt/kaspersky/mlad by default).
2. In the command line, run the following command:

   ./mlad-stop.sh

Kaspersky MLAD will be stopped.

When stopping, the application saves service statuses. When the application starts again, the services will be restored to their previous status.

If you try to use the systemctl utility in control mode via start and stop scripts, an error message is displayed.

[Topic 287614]

Switching between Kaspersky MLAD state control modes

Kaspersky MLAD supports application state management in the following ways:

• Using the systemctl utility (by default). If there is an unexpected restart of the server where the application is installed, the utility automatically starts Kaspersky MLAD.

  We recommend the systemctl utility for controlling the application state.

• Using start and stop scripts.

If necessary, you can switch between different application state control modes by using the setup.sh script.

A user account in the Kaspersky MLAD server operating system must have root access to switch between modes.

To change the application state control mode:

1. Go to the folder where Kaspersky MLAD is installed (/opt/kaspersky/mlad by default).
2. To switch between application state control modes, run the installation script with an -s switch:

   sudo ./setup.sh -s

Kaspersky MLAD will change the application state control mode. When attempting to run start and stop scripts in application state control mode using the systemctl utility, or when attempting to use the systemctl utility with start and stop scripts while in application state control mode, an error message will be displayed.

[Topic 247993]

Updating Kaspersky MLAD certificates

The following certificates are used in Kaspersky MLAD:

• Certificates for connecting to Kaspersky MLAD using the web interface.
• Certificates for connecting connectors and services.

It is recommended to update certificates in the following cases:

• Current certificates have been compromised.
• Certificates have expired.
• Certificates need to be updated in accordance with the enterprise information security requirements.

Updating a certificate for connecting to Kaspersky MLAD using the web interface

By default, Kaspersky MLAD uses a self-signed certificate that is automatically generated during the application installation to connect to the web interface. When using a self-signed certificate to connect to the Kaspersky MLAD web interface, the browser displays a warning that the security certificate or the established connection is not trusted.

To use trusted certificates to connect to the Kaspersky MLAD web interface, you can replace the self-signed certificate with a certificate received from a recognized certification authority or with a custom certificate that complies with the security standards of your organization.

Kaspersky MLAD store certificates for connecting to the web interface at <installation directory>/ssl/nginx/.

The certificate for connecting to Kaspersky MLAD using the web interface can be updated by a qualified technical specialist of the Customer, a Kaspersky employee or a certified integrator.

To update certificates for connecting to Kaspersky MLAD using the web interface:

1. Obtain a trusted certificate and a key for this certificate to connect to the Kaspersky MLAD web interface.

   A certificate must be received for the IP address and domain name of the server on which Kaspersky MLAD is installed.

2. Go to the directory containing the trusted certificate and the key to this certificate.
3. In the command line, run the following commands:

   sudo chown root:root <new certificate.crt> <new certificate key.key>
sudo chmod 640 <new certificate.crt> <new certificate key.key>
sudo cp <new certificate.crt> <installation directory>/ssl/nginx/mlad_nginx.crt
sudo cp <new certificate key.key> <installation directory>/ssl/nginx/mlad_nginx.key

   The new certificate and its key are saved at <installation directory>/ssl/nginx/ as mlad_nginx.crt and mlad_nginx.key, respectively.

4. Go to the directory where Kaspersky MLAD is installed, and restart it.

After restarting, Kaspersky MLAD uses the new certificate to connect to the web interface.

Updating a certificate for connecting connectors and services

In Kaspersky MLAD, you can use a secure connection for OPC UA Connector, MQTT Connector, AMQP Connector, HTTP Connector, WebSocket Connector, and the Mail Notifier service. You can update certificates for connecting these connectors and the Mail Notifier service using a secure connection in the System parameters section of the administrator menu.

To connect the OPC UA Connector, MQTT Connector, AMQP Connector, HTTP Connector, and WebSocket Connector as well as the Mail Notifier service over a secure connection, it is recommended to use certificates created according to the X.509 standard with a certificate key length of at least 4,096 bits.

The certificate for connecting the KICS Connector is contained in the communication data package, which you can update in Kaspersky Industrial CyberSecurity for Networks. You can upload the updated communication data package to Kaspersky MLAD when configuring the KICS Connector. For detailed information about creating a communication data package, please refer to the Kaspersky Industrial CyberSecurity for Networks Help Guide.

Kaspersky Machine Learning for Anomaly Detection is compatible with Kaspersky Industrial CyberSecurity for Networks version 4.0 and later.

[Topic 247994]

First startup of Kaspersky MLAD

This section describes the sequence of application configuration steps that must be performed by the system administrator when Kaspersky MLAD is started for the first time.

The first startup of Kaspersky MLAD consists of the following steps:

1. Starting Kaspersky MLAD

   Start Kaspersky MLAD. The following Kaspersky MLAD prerequisite services will run automatically:

   • API Server
   • Web Server
   • Message Broker
   • Keeper
   • Time Series Database
   • Database
   • Logger
   • Docker API Server
   • Migrations
   • Push server
2. Connecting to the Kaspersky MLAD web interface

   Open the application web interface in a supported browser and enter the user name and password of the first Kaspersky MLAD user with the system administrator role defined during installation of the application. Change the password for your user account. For a secure connection to the Kaspersky MLAD web interface, you are advised to install a trusted certificate.

   In the System parameters section, in the administrator menu, specify the name of the monitored asset.

3. Uploading a configuration of tags and assets of the hierarchical structure to Kaspersky MLAD

   For subsequent operation, upload tag and asset configuration to Kaspersky MLAD. Tag and asset configuration is described in a XLSX file. For an example of a tag and asset description, see the Appendix.

4. Configuring connectors

   To work with data, configure the connectors used at your monitored asset. You can configure the following connectors:

   • KICS Connector.
   • OPC UA Connector.
   • CEF Connector.
   • HTTP Connector.
   • MQTT Connector.
   • AMQP Connector.
   • WebSocket Connector.
5. Configuring services

   In the System parameters section of the administrator menu, configure the services that you need to use for your monitored asset. In the Services section, check the statuses of the services and start them, if necessary. For example, the necessary connectors must be running to receive data, and the Anomaly Detector service must be running to correctly detect anomalies.

6. Connecting to a data source

   When the connectors are configured, start the connectors used for your monitored asset. Go to the Dashboard section and make sure that data is being received by Kaspersky MLAD in online mode.

7. Creating user accounts

   Create accounts for users of the application and assign the necessary roles to them. Create incident notifications for users.

Kaspersky Machine Learning for Anomaly Detection is prepared for operation, and the application is receiving and processing data.

Users can start working with Kaspersky MLAD using the web interface.

[Topic 248049]

Removing the application

A user account in the Kaspersky MLAD server operating system must have root access to uninstall the application.

Removal of Kaspersky MLAD must be performed by a qualified technical specialist of the Customer, a Kaspersky employee, or a certified integrator.

When Kaspersky MLAD is removed, all Kaspersky MLAD data that was received, uploaded, and processed since the application was installed will be lost. You are advised to verify that you have a full backup copy of all Kaspersky MLAD data. You can perform a backup when updating the application or with the help of the backup.sh script.

To remove Kaspersky MLAD:

1. Go to the folder where Kaspersky MLAD is installed (/opt/kaspersky/mlad by default).

   cd mlad-release-5.0.0-<build number>

2. Run the setup.sh installation script with the -u switch:

   sudo ./setup.sh -u

3. Follow the instructions of the Application Removal Wizard.

   When deletion of the installed certificates is confirmed, the Wizard will delete the directory in which the backup copies are stored.

Kaspersky MLAD will be removed.

[Topic 248053]

Kaspersky MLAD web interface

Kaspersky MLAD is managed through a web interface. This section provides a description of the main elements of the Kaspersky MLAD web interface.

The main window of the application web interface contains the following items:

• Main menu in the left part of the application web interface window.
• Workspace in the central part of the application web interface window.

Sections of the main menu are available to users with access rights to the corresponding functions of the application. Access to application functions is determined by the list of rights assigned to the user role.

System administrators have access to a menu that allows them to manage license keys, configure application settings, manage user roles and accounts, configure incident notifications, and manage assets and tags.

The user menu, located at the bottom of the main and administrator menus, allows users to: select the web interface language, change their password, log out, view system logs, and navigate between menus. To switch between the main menu and the administrator menu, click one of the following buttons:

• to go to the administrator menu.
• to go to the main menu.

If necessary, you can collapse or expand the menu by clicking  or , respectively, in the upper-left corner of the page.

Main menu

The table below describes the sections of the main menu of Kaspersky MLAD.

Main menu sections

Administrator menu

The table below describes the sections of the Kaspersky MLAD administrator menu.

Administrator menu sections

User menu

The table below describes the elements of the Kaspersky MLAD user menu.

User menu elements

[Topic 248050]

Connecting to Kaspersky MLAD and terminating a user session

Use a supported browser to connect to Kaspersky MLAD web interface.

If an authorized user does not use the application for a time period exceeding the User inactivity period (min), Kaspersky MLAD automatically terminates the connection session for this user. To continue working in the application, user authorization must be completed again. A user session is considered active in the following cases:

• The user interacts with elements of the application interface (for example, clicks buttons or navigates to sections of the application menu).
• The user enters parameter values using the keyboard.

Performing any of the above actions prolongs the user session for the time specified in the User inactivity period (min) parameter.

The user can terminate their user session ahead of time by logging out of their user account.

If necessary, the system administrator can revoke authentication tokens for a user account. When a token is revoked for a user, their work sessions in the application are terminated simultaneously on all devices where they are authorized.

The web address, user name and password for signing in to the application must be requested from the Kaspersky MLAD system administrator.

[Topic 248051]

Connecting to the web interface

To connect to Kaspersky MLAD using a browser:

1. Open a supported browser on your computer.
2. In the browser address bar, enter the Kaspersky MLAD server web address received from the Kaspersky MLAD system administrator.
3. On the login page that opens, enter your email as the user name and your password.

   When connecting to the web interface as the system administrator for the first time, use the user name and password of the first user with the system administrator role that were specified during installation of the application.

4. Click the Sign in button or press ENTER.

The Dashboard is displayed in the browser window.

When a user connects to Kaspersky MLAD for the first time, the password change window opens in the browser. If the password change was made optional in the security settings, you can skip changing the password by clicking the Skip button and change it later. The change password window also opens in your browser upon expiration of the password that was set when configuring the security settings.

If you close the browser window without terminating the connection session, the session remains active until the time limit that was set by the administrator in the User inactivity period (min) parameter when configuring the security settings. During this time, the application continues to grant access to the Kaspersky MLAD web interface without prompting for user account credentials, provided that the connection is used by the same computer, browser, and operating system user account. If the application user is inactive for longer than the time limit that was specified in the User inactivity period (min) parameter, Kaspersky MLAD terminates the user session.

In case of multiple unsuccessful authorization attempts, Kaspersky MLAD will block your account when the maximum number of unsuccessful authorization attempts is reached for a certain period. The maximum number of unsuccessful authorization attempts and the account blocking period are set when configuring the security settings of Kaspersky MLAD.

Page for entering the account credentials for Kaspersky MLAD

[Topic 248052]

Terminating a Kaspersky MLAD connection session

When you are done working with Kaspersky MLAD in a browser, you must terminate the connection session.

To terminate the application connection session:

in the browser window, in the lower-left corner of the Kaspersky MLAD web interface, click the button  and select Sign out of Kaspersky MLAD.

After the application connection session is terminated, the browser window shows the page for entering account credentials.

[Topic 248062]

Changing a user account password

You are advised to change the password in the following cases:

• You are connecting to Kaspersky MLAD for the first time after the user account was created in the application.
• The current password has been compromised.
• The password is expiring in accordance with the information security requirements at the enterprise.

To change the password of your own user account:

1. In the lower-left corner of the Kaspersky MLAD web interface page, click the button and select Change password.

   The Changing password window opens in the browser.

2. In the Current password field, enter your current password.
3. In the New password and Confirm password fields, enter the new password.

   The new password must meet the following requirements:

   • Must not match previously used passwords. The specific number of most recently used passwords that must not be reused is defined when configuring the security settings.
   • Must contain the minimum number of characters defined when configuring the security settings.
   • Must contain letters of the English alphabet, numerals and/or special characters in accordance with the password policy that was set when configuring the security settings.
4. Click the Edit button.

[Topic 248061]

Selecting the localization language for the Kaspersky MLAD web interface

Kaspersky MLAD provides the option to use English or Russian for the application web interface.

To change the localization language of the application web interface:

1. In the lower-left corner of the Kaspersky MLAD web interface page, click the Language button.
2. Select the required localization language: Russian or English.

[Topic 248054]

Licensing the application

This section provides information about general concepts related to licensing of Kaspersky MLAD.

[Topic 248055]

About the End User License Agreement

The End User License Agreement (EULA) is a binding agreement between you and AO Kaspersky Lab that stipulates the terms on which you may use the application.

Please carefully read the terms of the End User License Agreement before using the application.

You can review the terms of the End User License Agreement in the following ways:

• During installation and update of Kaspersky MLAD.
• By reading the license_en.txt file. This file is included in the application distribution kit.

You accept the terms of the End User License Agreement when you confirm your consent to the End User License Agreement during the installation or update of the application. If you do not accept the terms of the End User License Agreement, please stop the installation or update of the application and do not use the application.

[Topic 248056]

About the license

A license is a time-limited right to use the application as granted under the End User License Agreement.

The available functionality and application usage period depend on the type of license under which the application is being used.

The following types of licenses are available:

• Basic is a free license.

  This type of license does not have a time limit. You can use the basic functions of the application before adding a license key or after expiration of the commercial license.

• Trial is a free evaluation license.

  When the trial license expires, the application continues to operate but the following application functions become unavailable:

  • Update the application.
  • Select an ML model element.
  • Work with markups, ML models, and ML model templates.
  • Work with events and patterns.
  • Work with incidents and groups of incidents.
  • Manage the statuses of the Anomaly Detector, Trainer, Similar Anomaly, Event Processor, and Stream Processor services.

  You will need to purchase a commercial license to continue using the application.

  A trial license has a short validity period. You can use the application under a trial license only for one trial usage period.

  If you add a commercial license key without the model builder after the trial license expires, the ML models and ML model elements that were created manually during the trial period will become unavailable for editing, cloning, and deletion. When you add a license key for a valid commercial license that includes the model builder, you can continue managing the ML models and ML model elements that you created manually during the trial period.

• A commercial license is a paid license.

  This type of license has a time limit.

  To activate application functionality, you need to add a license key for a valid commercial license. The following types of commercial license are available for Kaspersky MLAD:

  • Commercial license without the model builder.

    If you require all application functions except for managing manually created ML models, cloning and deleting ML model elements, you will need to purchase a commercial license that does not include the model builder.

  • Commercial license including the model builder.

    If you need all application functions, you will need to purchase a commercial license that includes the model builder.

  After the commercial license expires, only the basic functions of the application will remain available. To continue using Kaspersky MLAD, you need to renew the commercial license.

  You are advised to renew the license no later than its expiration date to ensure continuous use of Kaspersky MLAD.

Technical support services are provided if you have an active Technical Support Agreement. The scope of provided technical support services is determined by the current Technical Support Agreement.

[Topic 256669]

About the license certificate

The license certificate is a document that is handed over to you along with the key file.

The license certificate contains the following information about the license provided:

• License key or order number
• Information about the user who is granted the license
• Information about the application that can be activated under the provided license
• Limitation on the number of licensing units (for example, tags by which the application can receive telemetry data)
• Start date of the license term
• License expiration date or license term
• License type

[Topic 256626]

About the license key

A license key is a sequence of bits that lets you activate and start to use the application according to the terms of the License Agreement. The license key is generated by Kaspersky experts.

You can add a license key to the application by using a license key file. After you add a license key to the application, the license key is displayed in the application interface as a unique alphanumeric sequence.

Kaspersky can block a license key over violations of the End User License Agreement. If the license key is blocked, you need to add another license key to work with the application.

A license key may be active or reserve.

An active license key is the one currently in use. A license key can be added as active to a trial or commercial license. The application cannot have more than one active license key.

A reserve license key is a license key that confirms the right to use the application but is not currently in use. A reserve license key is activated automatically when the license associated with the currently active license key expires or the active license key is removed. A reserve license key can only be added if there is an active license key.

A license key for a trial license can only be added as the active license key. A license key for a trial license cannot be added as a reserve license key.

[Topic 256628]

About the license key file

A license key file is a file with the KEY extension that you receive from Kaspersky. The key file is used to add a license key that activates the application.

You receive a license key with your Kaspersky MLAD purchase or trial. The method used to receive a license key file is determined by the Kaspersky distributor from whom you purchased the application (for example, the license key file may be sent to the email address you specify).

Alternatively, you can add a license key you received when purchasing the previous version of Kaspersky MLAD. A license key can be added to the application before its expiration date.

No connection to Kaspersky activation servers is required to activate the application with a key file.

You can restore a key file if it has been accidentally lost. Contact the party you bought the license from to restore the key.

[Topic 283362]

Available functionality of Kaspersky MLAD depending on the specific license

The table below shows the set of available functions of Kaspersky MLAD depending on the selected license.

[Topic 256641]

Adding a license key

You can add a license key to Kaspersky MLAD when connecting to the application via the web interface.

Only a system administrator can add a license key.

To add a license key:

1. In the lower-left corner of the window, click .

   You will be taken to the administrator menu.

2. Select Licensing.
3. Click the Add license key button.

   The button is unavailable if the active and reserve license keys were previously added. If necessary, you can delete a license key.

   The Adding a license key panel appears on the right.

4. Select a license key file in KEY format.

   After you select the license key file, the details of the added keyAdding a license key Adding license key panel.

   If the application did not have any license keys and the validity period of the new license key has already started, it will be added as the active key automatically. If the validity period of the new license key has not yet begun and it does not overlap with the validity period of your current active license key, the new key will be added as a reserve key.

5. If a license key was previously added to the application, do one of the following (if necessary):
   • To download a key as active when the application already has an active license key, select Active license key under License key status.

     The previous active license key will be replaced and removed.

   • To download a key as an active key when its validity period overlaps with the validity period of a previously uploaded reserve key, select Active license key under License key status, and select one of the following options for using the reserve key under Apply reserve key:
     • When active key expires. The reserve license key will become active after the active license key expires.
     • When reserve key becomes valid. The reserve key will become active at the beginning of its validity period. Previous active license key will be removed from the application. You can use the removed license key on another monitored asset until this key expires.
   • To upload a key as a reserve key when its validity period overlaps with the validity period of a previously uploaded active key, select Reserve license key under License key status, and select one of the following options for using the reserve key under Apply reserve key:
     • When active key expires. The reserve license key will become active after the currently active license key expires.
     • When reserve key becomes valid. The reserve key will become active at the beginning of its validity period. Previous active license key will be removed from the application.

       You cannot add a license key as a reserve if it is set to expire before the currently active license key.

6. Click the Add button.

The license key will be loaded.

[Topic 256658]

Viewing information about an added license key

You can view information about the added license key when connected to Kaspersky MLAD. 30 days before the license key expires, the application web interface will display a notification informing you about the number of days remaining until the key expiration date.

To view information about the license key:

1. In the lower-left corner of the window, click .

   You will be taken to the administrator menu.

2. Select Licensing.

The following information is displayed for an added license key:

• Days remaining until license expiration.
• Application name—the application that will be activated after adding the license key;
• License key status – key status: active or reserve.
• License number – order ID.
• Key – unique alphanumeric sequence.
• Company name—the name of the company for which the license was purchased;
• Activation date – date when the license key was first added to the application.
• Key is valid until – license key expiration date.
• Functionality—information about the number of available tags, as well as the ability to use ML models and/or manage ML models and their elements.

[Topic 256652]

Removing a license key

When connected to the application through the web interface, you can remove an added license key from the application (for example, if you need to replace this license key with a different key). After removing the license key, only the basic functions of the application will be available to you.

After removing the license key, you will continue to receive data on tags using the connectors, and you will also be able to view data on tags in the Monitoring and History sections. In turn, ML models will stop processing data on tags, and will stop generating incidents and artifacts. You will no longer be able to view previously generated artifacts. You will also not be able to use previously created ML models.

Unavailable functionality will be re-activated the next time you add a license key.

We recommend adding a reserve license key to the application before removing the active license key. When removing the active license key, the previously added reserve license key will be activated. The license period will be extended to match the validity period of the added license key.

If you have removed a license key before it was due to expire, you can add it to the application again and retain its original license expiration date.

Only a system administrator can remove a license key.

To remove a license key:

1. In the lower-left corner of the window, click .

   You will be taken to the administrator menu.

2. Select Licensing.
3. In the upper right corner of the license key card, click .

   A window with a confirmation prompt opens.

4. Confirm deletion of the license key.

The license key will be removed from the application.

[Topic 248057]

Processing and storing data in Kaspersky MLAD

This section contains information about data provision and directories for storing data.

[Topic 248058]

About data provision

The application does not transfer users' personal data to Kaspersky. Users' personal data is processed locally on the computers where the application is installed.

Data transferred to external systems

Data is transmitted to external systems over encrypted communication channels.

If sending email notifications about incident logging is enabled, the application transfers the following data to the SMTP server:

• Incident

  

  An identified deviation from the expected (normal) behavior of a monitored asset.

  ID
• Date and time of the logging of the incident
• ML model

  

  Algorithm based on machine learning methods tasked with analyzing the telemetry of the monitored asset and detecting anomalies.

  name whose element registered the incident
• Name of the ML model element that registered the incident
• Registered incident status
• the reason for the registered incident
• Expert opinion on the registered incident 
• Top tag

  

  The process parameter that had the greatest impact on incident registration.

  name
• Top tag description
• Value of the top tag at the time the incident is registered and its measurement unit
• Name of the
  detector

  

  Component in the ML model that identifies anomalies and registers incidents.

  that logged the incident
• Value of the ML model
  artifact

  

  A sequence of numerical values (time series) generated as a result of ML model inference. An ML model can generate artifacts associated with tag values received from the monitored asset or ML model element artifacts.

  at the time the incident is registered
• Blocking threshold value exceeded at the time the incident was registered
• Link to the History section at the time of the start of the incident.

If sending notifications about incident logging through the MQTT Connector, AMQP Connector, WebSocket Connector, and/or KICS Connector is enabled, the application transfers the following data to the MQTT broker, AMQP broker, WebSocket server, and/or to Kaspersky Industrial CyberSecurity for Networks:

• Incident ID
• Date and time of the logging of the incident
• Date and time of the incident completion
• Name and unique ID (UUID) of the ML model that logged the incident
• Unique ID (UUID) of the ML model element
• Top tag ID and description
• Name of the detector that logged the incident
• Link to the History section at the time of the start of the incident
• Value of the ML model element artifact at the time the incident is registered (if any)
• Blocking threshold value exceeded at the time the incident is logged (if any)
• Top tag value at the time the incident is logged
• Incident status
• Incident comment (if any)
• Incident group ID (if any)
• Incident group name (if any)
• Expert opinion (if any)
• IDs of the relevant tags
• Reason for the incident (if any)

If notifications about the logged incidents are configured to be sent via the CEF connector, the application transfers the following data to the SIEM system:

• Application vendor name
• Application name
• Kaspersky MLAD version
• Application signature ID
• Date and time of the logging of the incident
• Date and time of the incident completion
• Name of the detector that logged the incident
• Name of the ML model that logged the incident
• Link to the History section at the time of the start of the incident
• Top tag description
• Incident comment (if any)
• Incident group name (if any)
• Top tag value at the time the incident is logged
• Incident group ID (if any)
• Incident ID
• Top tag ID.

If the logged

events

A set of values taken from a predetermined list of parameters and indicating what happened on a monitored asset at a given moment

A set of values taken from a predetermined list of parameters and indicating what happened on a monitored asset at a given moment

A set of values taken from a predetermined list of parameters and indicating what happened on a monitored asset at a given moment

A set of values taken from a predetermined list of parameters and indicating what happened on a monitored asset at a given moment

connector

Service that facilitates the exchange of data with external systems.

• Application vendor name
• Application name
• Kaspersky MLAD version
• Application signature ID
• Date and time when the event was logged
• Name of the
  monitor

  

  Source of notifications about patterns, events, or values of event parameters detected by the Event Processor according to the defined monitoring criteria. The monitoring criteria define the attention head, additional filters for event parameter values, a sliding time window, and the number of consecutive monitor activations within that window.

  that logged the event
• Monitor ID
• Type of the element that caused the monitor activation
• Name of the attention head (if any)
• Name of the daughter attention head (if any)
• Sliding window of the monitor used to track the number of activations
• Threshold of activations that, when reached, cause the monitor to send an alert to an external system
• Number of activations on the sliding window
• Indication of whether the detected element is new to the application
• Contents of the element that triggered the last monitor activation
• ID of the element that triggered the monitor activation

If sending information security event logs is enabled, the application transfers the following data to the Syslog server:

• Application vendor name
• Application name
• Kaspersky MLAD version
• Application signature ID
• ID of the information security event
• Date and time when the information security event occurred
• Information security event type
• Information security event subtype
• Information security event severity level
• Name of the user whose actions resulted in the information security event entry
• IP address of the computer from which the user performed the actions logged into the information security event log
• Information security event outcome
• Brief summary of the information security event
• Detailed description of the information security event.

Data processed locally on the Kaspersky MLAD server

To perform its main functions the application can receive, store and process the following information:

• Information about the full backup copies of the application, if the application has been backed up or updated. The Kaspersky MLAD server stores information about full application backups until they are deleted by the user.
• Information about the backup copies of the Docker volumes that are created during uninstallation of the application. The Kaspersky MLAD server stores information about Docker volume backups until they are deleted by the user.
• Files containing the text of the End User License Agreement of the currently installed application version.
• File named legal_notices.txt containing information about third-party code.
• Certificates for connecting to the application using the web interface.
• Certificates and certificate keys for encrypting the connection between Kaspersky MLAD connectors and services and the external systems.
• Public keys for verifying the digital signature of the distribution package. The Kaspersky MLAD server stores public keys until they are deleted by the user.
• User account data: account ID, last name, first name, middle name, email address, account status (active or blocked), password.

  Values that do not personally identify the user (for example, shop and job title) can be entered in place of the last name, first name and middle name of a user. The information specified in the Last name, Name and Middle name fields for users when creating user accounts is stored in plain text and is not processed by the application.

  The email addresses that are specified when creating accounts are used for the user names when users connect to the web interface of the application. User names are indicated in the information security event logs. Email addresses are used to send notifications about registered incidents.

  Users' email addresses are stored in plain text.

  Kaspersky MLAD does not store user passwords in plain text. The scrypt hash sum calculation algorithm is used to store passwords. Kaspersky MLAD adds salt to the password to prevent decoding. User passwords are not written to application logs.

  The system administrator enters information about user accounts in the administrator menu.

• Data about roles and the rights assigned to these roles: role ID, role name, role status (active or inactive), list of assigned rights, date and time of role creation, date and time of role modification.

  The system administrator enters information about roles in the administrator menu.

• Details of incident
  notifications

  

  A message with information about an incident (or incidents), which is sent by the application via notification delivery systems (for example, via email) to the specified addresses.

  : notification ID, notification name, whether incident notifications are enabled for published ML models only, notification state (active or inactive), notification language, email addresses to notify, types of incidents to send notifications for.

  The system administrator enters information about notifications in the administrator menu.

• Information about the license keys uploaded to Kaspersky MLAD.
• Data about Kaspersky MLAD settings:
  • Main application settings: monitored asset name, URLs and IP addresses for generating links to incidents in incident notifications, interval for receiving data from the Message Broker service, interval for receiving statistical data about incidents from the database, and the monitored asset time zone.
  • Application security settings: number of authorization attempts, user blocking period, user inactivity period, information on whether the password must be changed upon the first connection, number of user passwords stored in the history, password validity period, minimum password length, information on whether uppercase, lowercase Latin letters, numbers and/or special characters (_! @ # $% ^ & *) must be used in the password, size and storage time of the information security event logs.
  • Anomaly Detector settings: information on whether to use the Limit Detector, Forecaster, XGBoost, and/or Rule Detector, information on whether to skip data gaps, the maximum number of records requested from the Message Broker service, the number of messages sent in one block to the Message Broker.
  • Keeper service settings: information indicating whether the values of all
    tags

    

    Variable that contains the value of a specific process parameter such as temperature.

    

    Variable that contains the value of a specific process parameter such as temperature.

    must be stored, and the timeout for receiving tag values, incidents, and metrics.
  • Mail Notifier service settings: notification sender email address, SMTP server address and port, user name and password for connecting to the SMTP server, information indicating whether to use a TLS connection, SMTP server certificate and certificate key.
  • Similar Anomaly settings: minimum and maximum number of incidents for the group, maximum interval between similar incidents.
  • Stream Processor settings: uniform grid step, configuration file with Stream Processor settings.

    The Stream Processor configuration file stores the IDs of the tags processed by the service and the values of tag processing settings.

    The values of the tag processing settings are set by Kaspersky experts individually for each monitored asset.

  • HTTP Connector settings: size of the written block, maximum size of the uploaded file, information indicating whether TLS connection and the recommended TLS connection settings must be used, HTTPS server certificate and certificate key, root certificate to verify the signature of the client certificate, and information indicating whether the received tag values need to be scaled.
  • MQTT Connector settings: information indicating whether to use a TLS connection and the recommended TLS connection settings, address and port of the MQTT broker, user name and password to connect to the MQTT broker, root certificate, client certificate and client certificate key, list of MQTT subscriptions to receive tags,
    MQTT topic

    

    A hierarchical path to the data source used for sending messages via the MQTT protocol.

    for publishing messages, format for processing incoming data, connector configuration file, and information indicating whether to scale the received tag values.

    The MQTT Connector configuration file stores IDs, names, descriptions, types, and measurement units for tags.

  • AMQP Connector settings: information indicating whether to use a TLS connection and the recommended TLS connection settings, address and port of the AMQP broker, user name and password to connect to the AMQP broker, root certificate, client certificate and client certificate key, AMQP virtual node, names of AMQP exchange points for receiving tag values and publishing messages, list of subscriptions and the queue for receiving tag values,
    AMQP topic

    

    A hierarchical path to the data source used for sending messages via the AMQP protocol.

    for publishing messages, format for processing incoming data, connector configuration file, and information indicating whether to scale the received tag values.

    The AMQP Connector configuration file stores IDs, names, descriptions, types, and measurement units for tags.

  • OPC UA Connector settings: connection address, timeout for connection to the OPC UA server, connector configuration file, information indicating whether the received tag values need to be scaled, connection security policy, message security mode, user name and password for connecting to the server, client application certificate, private key of the client application certificate, password for the private key of the client application certificate, root certificate, historical data interval, beginning and end of the historical data period, size of the historical data block sent by the OPC UA server, and size of the historical data block sent to the Message Broker service.
  • KICS Connector settings: communication data package for the KICS Connector, password for the KICS Connector, information on whether to send messages to Kaspersky Industrial CyberSecurity for Networks, the tag
    sampling

    

    A method for adjusting the training set with reference to the time scale steps in the original dataset.

    

    A method for adjusting the training set with reference to the time scale steps in the original dataset.

    frequency, information on whether to scale the received tag values.
  • CEF Connector settings: information indicating whether to receive events for the Event Processor service, information indicating whether to send registered incidents and/or events to a SIEM system, IP address and port for sending events and incidents to SIEM systems, information indicating whether to send the information security event logs to the Syslog server, transport protocol for sending information security events to the Syslog server, address and port of the Syslog server for sending information security events, information indicating whether to use a TLS connection and the recommended TLS connection settings, server certificate and certificate key, root certificate for verifying the signature of the client certificate, client certificate and certificate key, and root certificate for verifying the signature of the server certificate.
  • WebSocket Connector settings: WebSocket server URL address, root certificate, client application certificate and client application certificate key, incoming data processing format, connector configuration file, information indicating whether to scale the received tag values, information indicating whether to send incidents, and information indicating whether to use the recommended TLS connection settings.
  • Event Processor settings: service configuration file, information on whether to process incidents as events, the maximum number of network layers, the coefficient defining the permitted dispersion of the pattern duration, the interval for receiving epoch events, the epoch size in online mode, the mechanism for saving the Event Processor status, component backup frequency, the backup copy of the Event Processor status, epoch size in sleep mode, alert mode when the monitor is activated in sleep mode, sleep mode frequency and duration, event history interval for processing in sleep mode.
  • Incident status settings: incident status ID, incident status names in Russian and English, sorting sequence number, information on whether to display the registered incidents with this status.
  • Incident cause settings: incident cause ID, incident cause name, sorting sequence number.
  • Logging service settings: logging levels of the services and application connectors.
  • Settings of the time intervals for charts in the Monitoring, History, and Time slice sections: time interval ID, time interval name in Russian and English, sorting sequence number, ID of the user who created the time interval, ID of the user who last changed the time interval, time interval value.
  • Settings for displaying the items of the main menu and administrator menu: information on whether to display the items of the main menu and administrator menu in the application web interface.

  The system administrator defines Kaspersky MLAD settings in the administrator menu.

• Asset

  

  A section of a hierarchical structure representing, for example, a plant, a shop, or a separate unit of a monitored asset.

  

  A section of a hierarchical structure representing, for example, a plant, a shop, or a separate unit of a monitored asset.

  

  A section of a hierarchical structure representing, for example, a plant, a shop, or a separate unit of a monitored asset.

  and tag data: asset name, asset ID, asset icon, parent asset ID, asset description and type, asset type ID and name, names and values of special parameters of the asset type, asset type description, tag ID and name, tag alternative name, tag icon, tag description, tag type, tag unit of measurement, upper and lower thresholds for blocking, alarms and measurement reliability, comment to the tag, spatial location coordinates of the monitored asset sensor in space along the abscissa, ordinate and applicate axes, name of the device from which the tags from the external system originated, and the offset and multiplier parameters that are used to recalculate the tag values received from the connectors.

  The system administrator enters information about assets and tags in the administrator menu.

• Preset

  

  Set of tags generated by a user in arbitrary order or created automatically when an incident is registered. A set of tags in a custom preset can correspond to a certain aspect of the technological process or a section of the monitored asset.

  data: preset name, preset ID, preset icon, names and IDs of tags included in the preset, name and description of the
  graphic area

  

  A collection of tags whose data is displayed together by overlapping on a single graph in History and Monitoring sections. A graphic area can display data for one or more tags in a preset.

  , axis scaling mode, upper and lower bounds for displaying tag values, additional threshold lines, information about tags included in the graphic area, information indicating whether you need to customize the expression for the Time slice, labels of the abscissa and ordinate axes, name of the expression for calculating tag values, expressions for calculating tag values, and the color of the graph for the preset in the Time slice.

  Any user can enter data in the Presets section.

• Information about the number of tag observations and events received per second. The application calculates the data based on the data received from external systems.
• Information about the values of tags and events received by the system. Data is received from external systems for which data receipt is configured.
• Information about the generated artifacts. The application calculates the data based on the data received from external systems.
• Information about the application service statuses: the name and current status of the service. The application displays the service status derived from the corresponding components.
• Data on registered incidents and groups of incidents: incident ID, date and time when the incident was registered, top tag name and ID, incident cause, name of the detector that registered the incident, incident group name, incident status, ML model name, ML model element, ML model element artifact value, threshold value, top tag value, blocking thresholds, tag description and measurement units, incident type, date and time when the observation was generated, amount of time by which observation generation is ahead or behind the receipt of this observation by the application, expert opinion on the incident and on the group, incident comment, incident group name and ID, number of incidents in the group, date and time when the incident group was created, status of the registered incidents in the group, IDs of the relevant tags, and the blocking threshold reached when the incident was registered.

  The application generates this data as a result of analysis of the received data and on the basis of the settings specified by the user.

• Settings for displaying charts in the Monitoring and History sections: chart height, preset for going to the History section (only when configuring the chart display settings in the Monitoring section), information on whether to display the observation chart with the selected color, the observation chart color, information on whether to display the prediction chart with the selected color, prediction chart color, information on whether to display the names and descriptions of tags on the charts, the predicted value of the tag and/or an individual tag error, information on whether to display indicators for all incidents on the charts, information on whether to display blocking thresholds and/or additional threshold lines on the charts, ML model element used to generate predicted values, presets, time intervals, date and time for displaying charts.

  Any user can enter data in the Monitoring and History sections.

• Chart display settings in the Time slice section: chart height, ML model element used to generate predicted values, presets, time intervals, date and time for displaying charts.

  Any user can enter data in the Time slice section.

• Settings for processing and displaying data for the Event Processor: ID, name and state of the attention head, attention subject parameters (individual for each monitored asset), information indicating whether to generalize the parameters of conditions, and the parameters of attention head conditions (individual for each monitored asset).

  If the Process incidents as events option is enabled in the Event Processor settings, the application stores and processes the following data:

  • Name of the detector
  • Name of the ML model being used
  • Top tag name and ID
  • Name of the incident group to which the registered incident belongs
  • Top tag value
  • Incident ID.

  Any user can enter the event processor data in the Event Processor section.

• Data on monitoring events and patterns in the Event Processor: monitor name and ID, monitor state, number of registered activations on the sliding window, date and time of the last activation, activation stack limit, parameter that determines what is tracked by the monitor, sliding window, activation threshold, attention head, attention subject parameter, information indicating whether the monitor tracks events or patterns for a generalized attention subject, activation type, names of event parameters whose values are tracked by the monitor, types of filters, types of values tracked by the monitor, values of event parameters tracked by the monitor, ID of the event parameter value, event or pattern whose detection triggered activation of the monitor, date and time of event detection in the event stream, time interval between the current event and the previous event in the event stream on the sliding window, number of event repetitions in the event stream on the sliding window, number of event parameters whose values were received from the monitored asset, date and time of the last event detection in the stream of events on the sliding window, attention subject parameter and its value that triggered activation of the monitor, date and time of monitor activation, parameters of the event received from the monitored asset, number of events included in the pattern that triggered monitor activation, total number of pattern repetitions in the stream of events, generalized event ID, generalized pattern ID, number of monitor activations by the generalized event or pattern, number of events in the generalized pattern, number of values of the attention subject parameter whose detection triggered activation of the monitor, time interval between the first and the last event in the detected generalized pattern, detected generalized event, detected generalized pattern, and the values of attention subject parameters whose detection triggered activation of the monitor.

  The application generates data by analyzing the received data and the settings specified in the Event Processor section.

• Data on registered patterns in the Event Processor: pattern ID, date and time of the last pattern detection in the interval, number of pattern detections in the event stream of the monitored asset for the given period, number of events in the pattern, date and time of the last pattern detection in the event stream or in sleep mode, date and time of the beginning and end of the pattern loading period, type of pattern, attention head, values of the event parameters for which the patterns are registered, template parameters for which the patterns are registered (individual for each monitored asset), ID of the subpattern, end date and time of the subpattern in the sequence of patterns, number of detections of the subpattern, number of events in the subpattern, time interval between the subpattern and the pattern detected in the sequence of patterns in the current layer before the subpattern, date and time of the last detection of the subpattern in the sequence of patterns in the current layer, IDs of events included in the pattern, date and time of event detection in the pattern structure, time interval between the selected event and the previous event, number of event repetitions in the structure of the selected pattern, number of event parameters whose values were received from the monitored asset, and the date and time of the last event detection in the event stream.

  The application generates data by analyzing the data and the settings specified in the Event Processor section.

• Information about ML models and their parameters: ID and unique ID (UUID) of the ML model, name, description, status and state of the ML model, name of the user who last modified the ML model, date and time when the ML model was last modified, name of the user who created the ML model, date and time when the ML model was created or loaded, the names and IDs of its elements, the time interval, and
  markup

  

  Tool for selecting time intervals. Markups are used to generate learning indicators and inference of the ML model. A markup may utilize two types of criteria: conditions on the behavior of specific tags (time intervals are selected where these conditions are met) and a time filter (time intervals are selected independently of tag behavior).

  for the
  inference

  

  The ML model works with telemetry data to detect anomalous behavior.

  

  The ML model works with telemetry data to detect anomalous behavior.

  .

  A system administrator or a user with the Manage ML models rights set in the Models section can enter and/or upload the data.

• Information about the ML model elements and their parameters:
  • Parameters common for all types of ML model elements: ID, name and description of the ML model element, status and state of the ML model element, time interval after which a repeated incident is generated, time interval during which repeated incidents are not registered, anomaly observation interval, anomaly duration share in the interval, incident cause and status, color of the incident indicator points, and expert opinion.
  • Main parameters of predictive ML model elements: element architecture, grid step in seconds, names and IDs of input tags, names and IDs of output tags, incident registration threshold, cumulative prediction error power, cumulative prediction error smoothing factor, number of steps in the input window for the input values, number of steps by which the beginning of the output window is shifted relative to the beginning of the input window, and the number of steps in the output window.
  • Parameters of a neural network element with a Dense architecture: multipliers for calculating the number of neurons on layers, activation on layers, and the regularization coefficient to prevent overfitting of the ML model element.
  • Parameters of a neural network element with an RNN architecture: number of
    GRU

    

    A cell of the layer with a recurrent architecture.

    neurons on layers, number of neurons distributed over time on the layers of the decoder, information indicating whether to restore the data received as input to the network, and the regularization factor to prevent overfitting of the ML model element.
  • Parameters of a neural network element with a CNN architecture: size of filters on the layers, number of filters on the layers, regularization factor to prevent overfitting of the ML model element, size of the maximum sampling window, number of neurons on the layers of the decoder, information whether it is necessary to restore the data received as network input.
  • Parameters of a neural network element with a TCN architecture: regularization factor to prevent overfitting of the ML model element, filter size, number of layers in the residual block, number of filters on layers, extensions on layers, type of layer before the output, packet size, and the activation function.
  • Parameters of a neural network element with a Transformer architecture: regularization factor in the encoder, number of attention heads, number of coding blocks, and multipliers for calculating the number of neurons on layers of the decoder.
  • Training settings of a predictive element: training time interval, names and IDs of the training markups, maximum training duration, ratio between the training and the validation sample, maximum number of epochs for training, number of epochs during which there must be no validation losses when training is stopped early, chart resolution to display the training results, size of the dataset for training, number of blocks, inference mode, training mode, automatic data division into blocks, memory size used for training, information indicating whether to initialize the model weights with values from the previous training results and/or shuffle the data, value for pseudo-random number generator initialization, learning rate coefficient, training optimization algorithm, and the loss optimization algorithm.
  • Information about the training results of the predictive element: training queue (IDs and names of ML model elements that are waiting in the queue for training), training status, names and IDs of the elements being trained, number of blocks into which the training data is divided, name of the user who started the training of the element, training duration, date and time of the training beginning and end, duration of the data time intervals in the training set, number of
    UTG

    

    An infinite sequence of points in time separated by equal intervals, to which the stream of incoming telemetry data is converted.

    nodes included in the training set, training and validation errors, and the prediction made by the trained ML model on the training set.
  • Settings for elements based on diagnostic rules: information indicating whether to interpret the impossibility of evaluating a condition as rule fulfillment, time filtering settings: interval type, years, days, days of the week, and the time interval during which to validate the input data in accordance with the specified rule; tag behavior condition settings: tag for which the condition is added, tag behavior, rule fulfillment condition, number of UTG steps, tag threshold value, minimum number of times a rule is triggered before logging an incident, trend slope value, time interval between adjacent trend estimates, change threshold value, direction of the tag value change, tag value, maximum tag deviation from the specified value, direction of change in the tag value spread, indicator of whether the rule uses a pause and the pause settings: minimum and maximum timeouts, and the utilized group and logical operators.
  • Parameters of elements based on an elliptic envelope: incident registration threshold, grid step in seconds, and the names and IDs of input tags that must be included in the ML model.
  • Parameters for training an element based on an elliptic envelope: time interval for training, names and IDs of markups for training, sample fraction for estimating the mean and covariance, fraction of outliers in the sample, value for initializing the pseudo-random number generator, resolution of graphs for displaying training results, and information indicating whether to assume that the tag values are centered.
  • Information about the results of training an element based on an elliptic envelope: training queue (IDs and names of ML model elements that are waiting in the queue for training), training status, name and IDs of the elements being trained, name of the user who started the training of the element, training duration, date and time of the training beginning and end, duration of the data time intervals in the training set, number of UTG nodes included in the training set, tag deviation, tag values, tag value distribution and tag correlation.

  A system administrator or a user with the Manage ML models rights set in the Models section can enter and/or upload the data.

• Information about markups: ID, name and description of the markup, interval used to calculate data on UTG, markup color, method used for the markup to appear in the application, information indicating whether the markup is used as the main inference indicator, time filtering settings: interval type, years, days, days of the week, and the time interval during which the input data should be validated in accordance with the specified markup conditions; tag behavior condition settings: tag for which the condition is added, tag behavior, rule fulfillment condition, number of UTG steps, tag threshold value, minimum number of times a rule is triggered before logging an incident, trend slope value, time interval between adjacent trend estimates, change threshold value, direction of the tag value change, tag value, maximum tag deviation from the specified value, direction of change in tag value spread, indicator of whether the rule uses a pause and the pause settings: minimum and maximum timeout intervals, and the utilized group and logical operators.

  A system administrator or a user with the Manage ML models rights set in the Models section can enter and/or upload the data.

• Information security event logs: information security event ID, date and time of the information security event, type of information security event, subtype of information security event, severity level of the information security event, the name of the user whose actions resulted in registration of the information security event, the IP address of the computer from which the user performed the actions logged into the information security event log, the result of the information security event, a brief summary of the information security event, a detailed description of the information security event.

  The IP addresses of computers that established a connection to the web interface of the application are indicated in the information security event logs.

  The data is generated by Kaspersky MLAD automatically.

  Kaspersky MLAD stores information security event logs for the time period specified in the Retention time for information security event logs (days) when configuring security settings. The program deletes early entries in the information security event log when exceeding the space allocated for storing information security events set in Volume of information security event logs (MB).

• Kaspersky MLAD container logs: event date and time, event severity level, name of the container for which the event is registered, event description.

  The data is generated by Kaspersky MLAD automatically.

  Kaspersky MLAD stores container logs for two days.

The logging system (Grafana) does not transmit users' data to Kaspersky or any third-party servers. You can read the procedure for storing and processing data in the logging system in the Grafana Logging System User Guide.

Data processed on users' computers

When working with the Kaspersky MLAD web interface, the following data is stored in the browser cookie files:

• Individual JSON Web Tokens to support a user session for connecting to the application web interface. An individualized token is stored in the user's browser cookie files for the user inactivity period defined when configuring the security settings.
• ID of the running Grafana session, if the user views the application logs. The Grafana session ID is stored in the user's browser cookie files for 30 days.

The user browser stores data that is used to display the web interface: the last used localization language of the application web interface, the last used option for displaying the main menu (hidden or maximized display), the last used values of the time interval, preset, date and time, ML model element, and the chart display settings in the Monitoring, History, and Time slice sections, the last used page numbering settings, the last set filters for displaying data in the Event Processor section, the last used values of the incident status and cause in the Incidents section, information about the Tags for incident #<incident ID> presets, generated for a registered incident, information about the current installed version of Kaspersky MLAD. This data is stored in the browser indefinitely. You can delete this data from the browser local storage yourself.

When exporting incidents, the application saves an XLSX file with the following data to the user computer:

• Name of monitored asset
• Period during which incidents were uploaded
• ID of the registered incidents
• Date and time when the incidents were registered
• Registered incidents statuses
• Names of the groups that include the registered incidents
• Names and IDs of the top tags that have the greatest impact on the registration of incidents
• Top tag values
• Top tags measurement units
• Top tags descriptions
• Name of the ML models that registered the incidents
• Name of the detectors that registered the incidents.

When exporting information security event logs from the Grafana logging system, the application saves a CSV file with the following data to the user computer:

• IDs of the information security events
• Date and time when the information security events occurred
• Information security events types
• Information security events subtypes
• Information security events severity levels
• Names of the users whose actions resulted in the registration of the information security events
• IP addresses of the computers from which the users performed the actions stored in the information security event log
• Information security event outcomes
• Brief summaries of the information security events
• Detailed descriptions of the information security events.

When exporting container logs from the Grafana logging system, the application saves a CSV file with the following data to the user computer:

• Date and time when the events occurred
• Event severity levels
• Name of the container for which the events are registered
• Event description.

When exporting asset and tag configuration, the application saves an XLSX file with the following data to the user computer:

• Asset type ID
• Unique name of the asset type
• Names of the special asset type settings (if any)
• Asset type description (if any)
• Asset ID
• Asset name
• Unique name of an asset within its parent asset
• Asset description (if any)
• Name of the parent asset to which the asset belongs (if any)
• Parent asset ID (if any)
• Names of the special asset settings (if any)
• Values of the special asset settings (if any)
• Tag ID
• Unique name of the tag
• Unique alternative name of the tag (if any)
• Tag description
• Name of the parent asset to which the tag belongs (if any)
• Parent asset ID
• Tag type (if any)
• Tag measurement units
• Lower and upper blocking thresholds (if any)
• Lower and upper signaling thresholds (if any)
• Lower and upper measurement confidence thresholds (if any)
• Lower and upper boundaries for displaying the tag values on charts (if any)
• The expression used to calculate the tag value from the value passed to Kaspersky MLAD
• Tag comment
• Location coordinates of the monitored asset sensor along the abscissa, ordinate, and applicate axes (if any)
• Offset value that must be added to the tag value received from the connector
• Multiplier value by which the tag value received from the connector must be multiplied

When exporting presets, the application saves a JSON file with the following data to the user computer:

• Preset name
• Preset ID
• Sequence number for displaying the preset in the Presets section
• List of IDs of tags included in the preset
• Name of the preset icon
• Name of the CSS class for displaying the preset icon
• Information indicating whether the preset should be displayed in the Time slice section
• Graphic area parameters within a preset:
  • Graphic area name
  • Graphic area description
  • Sequence number for displaying the graphic area in the preset under Monitoring, History, and Presets
  • Upper and lower bounds for displaying tag values in the graphic area
  • Parameters of additional threshold lines:
    • ID of the additional threshold line
    • Threshold value
    • Color of the additional threshold line
  • Axis scale mode
  • Method of scaling the chart in single axis mode
  • List of IDs of tags included in the graphic area
  • ID of graphic area
  • ID of the preset to which the graphic area belongs
• When using a preset to display data in the Time slice section, the application saves the following data:
  • Text on the abscissa axis of the chart in the Time slice section
  • Name of the expression used to calculate the tag values
  • Text on the ordinate axis of the chart in the Time slice section
  • Expression used to calculate the tag values
  • Preset chart color in the Time slice section.

When exporting Kaspersky MLAD settings, the application saves configuration files with the following data to the user's computer:

• A file with the settings of the incident statuses, which contains the following data:
  • Incident status ID
  • Name of the incident status in Russian
  • Name of the incident status in English
  • Ordinal number of the incident status for sorting
  • Information on whether to display registered incidents with this status.
• A file with the settings of the incident causes, which contains the following data:
  • Incident cause ID
  • Name of the cause of the incident
  • Sequential number of the cause of the incident to be sorted.
• A file with the settings of the time intervals for displaying data on the Monitoring, History, and Time slice charts, which contains the following data:
  • Time interval ID
  • Name of the time interval in Russian
  • Name of the time interval in English
  • Ordinal number of the time interval for sorting
  • ID of the user who created the time interval
  • ID of the user who last changed the time interval
  • Time interval value in milliseconds.
• Settings of Kaspersky MLAD services and connectors:
  • Settings IDs
  • Names of the settings in the Kaspersky MLAD database
  • Types of the entered values
  • Entered or selected values
  • Name of the group to which the current setting belongs
  • Serial number of the setting displayed in the current section
  • Requirements for the setting value.
• The Stream Processor configuration file containing the following data:
  • IDs of tags processed by Stream Processor
  • Values of the tag processing settings.

    The values of the tag processing settings are set by Kaspersky experts individually for each monitored asset.

• Configuration files of the MQTT Connector, AMQP Connector, and WebSocket Connector containing the following data:
  • Tag IDs obtained from the MQTT Connector, AMQP Connector, or WebSocket Connector
  • Tag timestamp measurement units
  • Type of the received data
  • Template format for decoding the received data type.
• The OPC UA Connector configuration file containing the following data:
  • Tag ID
  • Name of the asset to which the tag belongs
  • Data type passed to the tag value.
• The Event Processor configuration file containing the following data:
  • Rules for mapping event parameters received by the CEF Connector to the names of event parameters to be processed in the Event Processor service
  • List of event parameters to be processed
  • Time and time scale for event processing
  • Order and relationship of the event parameters for display on the relationship graph in the Event history section.
• The communication data package for the KICS Connector containing the following data:
  • Encrypted public key of the Kaspersky Industrial CyberSecurity for Networks server certificate, and the certificate issued by the Kaspersky Industrial CyberSecurity for Networks server for the KICS Connector (with the private key).

    The contents of the file are encrypted with the password that was set when the KICS Connector was added or when a new communication data package was created for this connector.

  • KICS Connector configuration data: the name of the Kaspersky MLAD user for connecting to the Kaspersky Industrial CyberSecurity for Networks server, the KICS Connector ID, and the address of the Kaspersky Industrial CyberSecurity for Networks server for connection.

[Topic 248059]

Folders for storing application data

Kaspersky MLAD uses the following directories and subdirectories for storing data:

• Application directories (/opt/kaspersky/mlad by default):
  • . – root directory of the application. It is used to store configuration files, Kaspersky MLAD installation and update logs, scripts for installing, updating, starting, and stopping Kaspersky MLAD, and the distribution package signatures. The root directory of the application contains notes on the current release of Kaspersky MLAD (Release Notes).
  • ./configs – directory for storing configuration files of Kaspersky MLAD. The directory contains the logger subdirectory, which stores the configuration files of the Logger service.
  • ./data – directory for storing data that is loaded using the HTTP Connector.
  • ./legal – directory for storing the text of the End User License Agreement, the date of its acceptance by the user, and the legal_notices.txt file, which contains information about third-party code.
  • ./ssl – directory for storing the script for generating a self-signed certificate that provides an HTTPS connection to the Kaspersky MLAD user's browser.
  • ./ssl/tokens – directory for storing a JWT (JSON Web Token) key.
  • ./ssl/nginx – directory for storing certificates supporting an HTTPS connection with the browser of the Kaspersky MLAD user.
  • ./ssl/public_cert – directory for storing public keys used to verify the digital signature of the distribution package.
  • ./mlad_backup-<version number>-<build number> – default directory for storing backup copies of Kaspersky MLAD. A backup copy of Kaspersky MLAD can be created by using the backup.sh script or during the application upgrade process by using the upgrade.sh script. When performing a backup of the application, you can specify a different directory for storing the backup copy. The contents repeat the structure of the root directory where Kaspersky MLAD is installed, and they contain the following subdirectories:
    • ./containers_backup – directory for storing an archive containing a backup copy of containers for Kaspersky MLAD services.
    • ./volumes_backup – directory for storing an archive containing a backup copy of Docker volumes.
  • ./volumes_backup_<date of deletion> – directory for storing backup copies of Docker volumes that are created during removal of Kaspersky MLAD.
• Directory /var/lib/docker/volumes/:
  • ./<application directory name>_postgres-volume – directory for storing Postgres database files.
  • ./<application directory name>_inflxdb-volume – directory for storing Time Series Database service files.
  • ./<application directory name>_logger-volume – directory for storing files of the logging subsystem.
  • ./<application directory name>_webstatic-volume – directory for storing static data of the application web interface.
• /etc/hosts – service file describing the mapping between IP addresses and host names of the external servers.

Application files can be modified by an administrator or by the user who unpacked the archive containing the installation script and all the files required for installation of Kaspersky MLAD.

Deleting or modifying any file of Kaspersky MLAD can negatively impact the performance of the application.

[Topic 247985]

System administrator tasks

This section contains a description of the system administrator tasks performed in the administrator menu of the application.

[Topic 248038]

Managing user accounts

To ensure that users securely work with Kaspersky MLAD, create an account for each user.

Kaspersky MLAD user accounts can be managed only by system administrators.

All created user accounts and information about them are displayed in the table tn the Users section of the administrator menu.

When installing the application, a special User System account is created. This account is not intended for use by personnel when working with Kaspersky MLAD. This account cannot be used to connect to the application web interface. To clarify whether or not you can change its settings, you are advised to consult with Kaspersky experts or a certified integrator.

You can modify user accounts as needed. Kaspersky MLAD does not allow you to delete user accounts. To prevent a specific account from accessing Kaspersky MLAD web interface, it is recommended to block this account. You can unblock this user account later if necessary. If an account was locked when the number of unsuccessful login attempts for that user was reached, you can unblock this account before the blocking period expires. You can specify the number of unsuccessful authorization attempts and the account blocking period when configuring the security settings of Kaspersky MLAD.

Next to each account, there is a vertical menu  that lets you revoke authentication tokens or view the list of rights for the specific user account.

Users section

[Topic 248039]

Creating a user account

Kaspersky MLAD user accounts can be managed only by system administrators.

To create a user account:

1. In the lower-left corner of the window, click .

   You will be taken to the administrator menu.

2. Select the Users section.
3. Click the Add user button.

   The Add user panel appears on the right.

4. In the Last name field, enter the last name of the user.
5. In the Name field, enter the first name of the user.
6. If necessary, enter the middle name of the user in the Middle name field.
7. In the Email address field, enter the email address of the user.
8. In the Password field, enter a password for the user account.

   The password must meet the following requirements:

   • Must contain the minimum number of characters defined in the Minimum password length setting.
   • Must contain letters of the English alphabet, numerals and/or special characters in accordance with the password policy that was set when configuring the security settings.
9. In the Confirm password field, type the password again to confirm the password for the user account.
10. Click the Save button.

Information about the new user will be displayed in the table. If necessary, you can modify user accounts and revoke their authentication tokens

When creating an account, you cannot assign a role to a user. You can assign a role to a user only when editing the user account.

[Topic 248040]

Editing a user account

Kaspersky MLAD user accounts can be managed only by system administrators.

When you edit a user account, you can assign the desired role to the user. You can also block or unblock a user account.

When a user is blocked in Kaspersky MLAD, their authentication tokens are automatically revoked, and their user sessions are terminated. A blocked user cannot log in to Kaspersky MLAD to use the application.

If the password for a user account is changed, Kaspersky MLAD also revokes authentication tokens automatically and terminates the user session of the user account whose password was changed. A user whose password has been changed can log in to the web interface with the updated password.

To edit a user account:

1. In the lower-left corner of the window, click .

   You will be taken to the administrator menu.

2. Select the Users section.
3. Click the Edit button in the row of the user account that you want to edit.

   The Edit user pane appears on the right.

4. Enter the user's new last name, first name, and/or middle name, if needed.
5. In the Roles field, assign a role for the user account by selecting the corresponding check box.
6. If required, enter the user's new email address.
7. If you need to change the password, enter the new password in the Password and Confirm password fields.

   The new password must meet the following requirements:

   • Must not match previously used passwords. The specific number of most recently used passwords that must not be reused is defined by the value of the Number of user passwords stored in history setting.
   • Must contain the minimum number of characters defined in the Minimum password length setting.
   • Must contain letters of the English alphabet, numerals and/or special characters in accordance with the password policy that was set when configuring the security settings.
8. If you want to block or unblock a user account, perform one of the following actions:
   • If you want to unblock a user account, set the State toggle switch to the Active position.
   • If you want to block a user account, set the State toggle switch to the Inactive position.

   Kaspersky MLAD does not allow you to delete user accounts. If you want to prevent a specific user account from accessing Kaspersky MLAD, it is recommended to block this user account.

9. Click the Save button.

The updated information about the user will be displayed in the table.

[Topic 248042]

Revoking authentication tokens for a user account

Kaspersky MLAD user accounts can be managed only by system administrators.

After a user connects to the Kaspersky MLAD web interface, an individualized token is created so that the user authorization in the application can be saved between connection sessions to the application web interface, including when the browser is restarted. If a user is authorized on multiple assets, a token is created for each user session.

If necessary, you can revoke tokens for a user account at any time. For the user whose tokens are revoked, the connection session is terminated simultaneously on all assets where they were authorized. Revoking tokens may be useful if you need to immediately terminate application connection sessions for a specific user. After the tokens are revoked, the user can log in again and continue using Kaspersky MLAD.

To revoke tokens for a user account:

1. In the lower-left corner of the window, click .

   You will be taken to the administrator menu.

2. Select the Users section.
3. Open the vertical menu  next to the account you want to revoke tokens from, and select Revoke tokens.
4. In the window that opens, confirm that you want to revoke the authentication tokens.

The user account tokens are revoked, and the user session is terminated.

[Topic 248043]

Viewing access rights for a user account

Kaspersky MLAD user accounts can be managed only by system administrators.

In the Users section, you can view the list of rights for a specific user account.

To view the access rights for a user account:

1. In the lower-left corner of the window, click .

   You will be taken to the administrator menu.

2. Select the Users section.
3. Open the vertical menu  next to the account you want to view the list of permissions for, and select List of rights.

The page displays a window containing information about the role and access rights of the selected user account.

[Topic 251420]

Manage roles

In Kaspersky MLAD, you can use common roles to restrict user access to application functions depending on the tasks performed by specific users.

Role management is available to system administrators.

A role is a set of rights to access application functions that you can assign to a user.

Accounts with the following roles can be used to access application functions:

• The system administrator role is created automatically during installation of the application. The system administrator role is automatically assigned to the first user created during installation of Kaspersky MLAD. A user with the system administrator role has access to all functions of the application. The system administrator role cannot be modified or removed.
• A custom role is created manually in the Roles section. Access to application functions depends on the list of rights granted to the custom role. The number of user roles is unlimited.

The Roles section displays a table with information about all created roles.

[Topic 251532]

Creating role

Role management is available to system administrators.

You can create custom roles and select the access rights to application functions for them. After an active role is created, it will become available for assignment to application users.

To create a role:

1. In the lower-left corner of the window, click .

   You will be taken to the administrator menu.

2. Select the Roles section.
3. Click the Create button.

   The Creating role pane appears on the right.

4. In the Role name field, specify the required role name.

   You can enter up to 30 characters.

5. If necessary, enter a new description for the tag in the Role description field.
6. To grant access rights to a role, do the following:
   1. Click the Select rights button.

      The Grant rights to role pane appears on the right.

   2. In the list of rights, select the access rights to application functions that you want to grant to the role.

      When you select Rights to all actions, all system administrator functions will be available to the role.

   3. Click the Save button.
7. Perform one of the following actions:
   • If you need to use a role for application users, set the State switch to the Active position.
   • If you need to disable the use of a role for application users, set the State toggle switch to the Inactive position.

     If a role is inactive, the features associated with the role's permissions are unavailable to the user assigned to that role.

8. Click the Save button.

[Topic 251534]

Editing role

Role management is available to system administrators.

To change a role:

1. In the lower-left corner of the window, click .

   You will be taken to the administrator menu.

2. Select the Roles section.
3. Check the box next to the role you want to edit.
4. Click the Edit button.

   The Editing role pane appears on the right.

5. Edit the role settings. For a description of the settings, see the instructions on creating a role.
6. Click the Save button.

[Topic 251535]

Deleting role

Role management is available to system administrators.

When a user role assigned to Kaspersky MLAD users is deleted, those users will lose access to the features associated with that role.

System administrator role cannot be deleted.

To delete a role:

1. In the lower-left corner of the window, click .

   You will be taken to the administrator menu.

2. Select the Roles section.
3. Select the check boxes next to the names of the roles that you want to remove.
4. Click the Delete button.
5. In the window that opens, confirm that you want to delete the roles.

[Topic 251536]

Viewing access rights for a role

Role management is available to system administrators.

In the Roles section, you can view a list of access rights to application functions for users with a specific role.

To view the access rights for a role:

1. In the lower-left corner of the window, click .

   You will be taken to the administrator menu.

2. Select the Roles section.
3. Click the List of rights button next to the role for which you want to view the list of rights.

   A window opens on the page with information about access rights to application functions for the selected role.

[Topic 248044]

Managing incident notifications

You can set up notifications for Kaspersky MLAD to send to users about incidents identified through the analysis of telemetry data or from ML model output. Notifications are sent to the email addresses specified in the notifications. You can edit and delete notifications regarding incidents for Kaspersky MLAD users.

Only system administrators can manage incident notifications.

The Mail Notifier service must be configured and started in advance.

All created notifications about incidents and information about them are displayed in the Notifications section in the administrator menu. If necessary, you can change the number of notifications displayed on one page.

Notifications section

[Topic 248045]

Creating an incident notification

Only system administrators can manage incident notifications.

You can create notifications about incidents recorded during telemetry data processing and/or as a result of ML model operation.

To create an incident notification for a user:

1. In the lower-left corner of the window, click .

   You will be taken to the administrator menu.

2. Select the Notifications section.
3. On the opened page, click the Create button.

   The Create notification window opens.

4. Specify the name of the notification in the Name field.
5. To enable sending of notifications, set the State toggle switch to the Activated position.
6. In the Notification language field, select the language of the delivered incident notifications.

   By default, the current localization language of the Kaspersky MLAD web interface is used for incident notifications. It is available in English and Russian.

7. In the Users email addresses drop-down list, select the email addresses of the application users to send notifications to.
8. In the Additional email addresses field, specify additional email addresses to send incident notifications to, separated with a semicolon.
9. To enable notifications about incidents registered by ML models, do the following:
   1. To configure notifications about incidents registered by predictive elements of ML models, select Predictive elements.
   2. To configure notifications about incidents registered by ML model diagnostic rules, select Rules.
   3. To configure notifications about incidents registered by elliptic envelopes of ML models, select the Elliptic envelopes check box.
   4. Select one or more ML models to send notifications for.

      To select all ML models within an asset, check the box next to the asset name.

10. To enable notifications about incidents registered only by published ML models, set Send incident notifications for published models only to Activated.
11. To enable incident notifications for tags:
    1. To configure notifications for when a tag has reached an upper or lower blocking threshold, select Limit Detector.
    2. If you want to configure sending of the notifications about the termination or interruption of the input data stream for a specific tag, or about the detection of observations that arrived too soon or too late, select the Stream Processor check box.
    3. Select one or more tags you want to send notifications for.

       To select all tags within an asset, check the box next to the asset name.

12. Click the Save button.

Information about the new notification will be displayed in the table. If necessary, you can edit or delete notifications.

A separate notification will be sent to the specified email addresses for each incident registered for selected ML models and/or tags.

[Topic 248046]

Editing an incident notification

Only system administrators can manage incident notifications.

To edit an incident notification:

1. In the lower-left corner of the window, click .

   You will be taken to the administrator menu.

2. Select the Notifications section.
3. Click the button next to the notification that you want to edit.
4. Adjust the incident notification settings, if needed. For a description of the settings, see the instructions on setting up an incident notification.
5. Click the Save button to save the changes.

A separate notification will be sent to the specified email addresses for each incident registered for selected ML models and/or tags.

The updated information about the notification will be displayed in the table. If necessary, you can delete notifications.

[Topic 248048]

Deleting an incident notification

Only system administrators can manage incident notifications.

To delete an incident notification:

1. In the lower-left corner of the window, click .

   You will be taken to the administrator menu.

2. Select the Notifications section.
3. Click the button next to the notification that you want to delete.
4. In the window that opens, confirm the deletion of the notification.

Information about the notification will be deleted from the table.

Kaspersky MLAD allows you to temporarily disable sending of notifications instead of deleting their configuration. Information about notifications is saved in the Notifications section. You can enable sending of notifications at any time. You can enable or disable notifications by editing the corresponding incident notification.

[Topic 247995]

Configuring Kaspersky MLAD

This section contains instructions on configuring the settings of Kaspersky MLAD services and connectors, as well as on configuring security settings, logging levels for application services, settings for displaying the application menu, and on managing typical statuses and causes of incidents.

[Topic 247996]

Configuring the main settings of Kaspersky MLAD

Kaspersky MLAD lets you specify the name of the monitored asset, web address and IP address for connecting users to the application web interface, and the frequency of receiving new data from the monitored asset. The name of the monitored asset will be displayed in the upper right corner of each section of the Kaspersky MLAD web interface.

System administrators can configure the main settings of Kaspersky MLAD.

To configure the main settings of Kaspersky MLAD:

1. In the lower-left corner of the window, click .

   You will be taken to the administrator menu.

2. Select the System parameters → Main section.

   A list of options appears on the right.

3. In the Name of monitored asset field, specify the name of the monitored asset.
4. In URL address for incident notifications, specify a URL for generating a link to incidents in email incident alerts.

   If IP address for incident notifications is set, this is used for generating the link.

5. In IP address for incident notifications, specify an IP for generating a link to incidents in email incident alerts.
6. In the Interval for receiving data from the Message Broker service (ms) field, specify the interval for updating telemetry data in the application web interface.

   The higher the specified parameter value, the less frequently the data is updated. The default value of this parameter is 500.

7. In the Interval for receiving incident statistics from the database (ms) field, indicate how frequently data on incidents registered by the application should be updated in the application web interface.

   The default value of this parameter is 5000.

8. In the Monitored asset time zone drop-down list, select the time zone of the computer where Kaspersky MLAD is installed

   The graphs in the application show data in the time zone you select.

9. Click the Save button.

[Topic 247997]

Configuring the security settings of Kaspersky MLAD

Kaspersky MLAD lets you specify the conditions for temporarily blocking user accounts, the user inactivity period in accordance with the enterprise security policy, and the settings for storing information security event logs in the Kaspersky MLAD database. Information security event logs are automatically written to the database. If necessary, you can specify the settings of an external system to which the information security event logs should be sent.

System administrators may be responsible for configuring the security settings of Kaspersky MLAD.

To configure the main settings of Kaspersky MLAD:

1. In the lower-left corner of the window, click .

   You will be taken to the administrator menu.

2. Select the System parameters → Security section.

   A list of options appears on the right.

3. In the Authorization parameters block, do the following:
   1. In the Number of authentication attempts field, specify the number of unsuccessful authorization attempts. When this number is reached, Kaspersky MLAD temporarily blocks the corresponding user account.

      The default value of this parameter is 3.

   2. In the User lock duration (sec) field, specify the time period (in seconds) to block a user account after reaching the specified number of unsuccessful authorization attempts.

      The default value of this parameter is 120.

   3. In the User inactivity period (min) field, specify the permissible duration of an inactive user session (in minutes).

      When the specified time period is reached, Kaspersky MLAD automatically terminates the inactive user session. The default value of this parameter is 1440.

   4. If you need to prevent users from ignoring the password change recommendation when they connect to the application web interface for the first time, turn on the Require password change on first login toggle switch.

      This switch is disabled by default.

4. In the Password policy settings block, do the following:
   1. In the Number of user passwords stored in history field, specify the number of most recent user passwords that are stored in the application.

      You can specify a value starting with 1. The default value of this parameter is 5.

      When the user password is changed, the new password must not match any passwords stored in Kaspersky MLAD. The application stores passwords in encrypted form.

   2. In the Password expiration period (days) field, specify the number of days during which the user can use their current password to connect to the application without changing it.

      The default value of this parameter is 180.

   3. In the Minimum password length field, specify the minimum number of characters for user passwords.

      You can specify a value in the range of 8 to 128. The default value of this parameter is 8.

   4. If your security policy stipulates that user passwords must contain uppercase letters of the English alphabet, turn on the Require to use uppercase letters of the English alphabet (A-Z) toggle switch.

      This switch is enabled by default.

   5. If your security policy stipulates that user passwords must contain lowercase letters of the English alphabet, turn on the Require to use lowercase letters of the English alphabet (a-z) toggle switch.

      This switch is enabled by default.

   6. If your security policy stipulates that user passwords must contain numerals, turn on the Require to use numerals (0-9) toggle switch.

      This switch is enabled by default.

   7. If your security policy stipulates that user passwords must contain special characters, turn on the Require to use special characters (_!@#$%^&*) toggle switch.

      This switch is enabled by default.

5. In the Retention settings for information security event logs block, do the following:
   1. In the Volume of information security event logs (MB) field, specify the volume limit (in megabytes) for storing information security event logs in the database.

      If the field is blank, Kaspersky MLAD stores all information security event logs for the time period specified in the Retention time for information security event logs (days) setting. This setting has no value by default.

      If the specified volume of information security event logs in the database is exceeded, Kaspersky MLAD deletes the oldest entries.

   2. In the Retention time for information security event logs (days) field, specify the number of days to store information security event logs in the database.

      The default value of this parameter is 100.

6. Click the Save button.

[Topic 247998]

Configuring the Anomaly Detector service

You can configure the procedure for detecting anomalies based on the specific features of your monitored asset by enabling or disabling specific anomaly detection in the Anomaly Detector service settings.

System administrators can configure the Anomaly Detector service.

To configure the settings of the Anomaly Detector service:

1. In the lower-left corner of the window, click .

   You will be taken to the administrator menu.

2. Select System parameters → Anomaly Detector.

   A list of options appears on the right.

3. Enable or disable the Limit Detector using the Use Limit Detector toggle switch.

   Limit Detector logs incidents when the upper or lower blocking thresholds set for the tag are exceeded.

4. Use the Use Forecaster detector toggle switch to enable or disable anomaly detection with ML model predictive elements.

   ML model predictive elements register incidents when detecting discrepancies between observed and predicted tag values.

5. Enable or disable the XGBoost detector using the Use XGBoost detector toggle switch.
6. Use the Use Rule Detector toggle switch to enable or disable anomaly detection with ML model elements based on diagnostic rules.

   Diagnostic rules register incidents when the output of a diagnostic rule exceeds a predetermined limit.

7. Enable or disable the function for skipping gaps in the incoming data stream using the Skip gaps in data toggle switch.

   If the toggle switch is on, during ML model inference, its components do not generate any artifacts when no data is received for the ML model element tags for a period longer than the UTG period as specified in Grid step (sec) for that element.

8. In the Maximum number of records requested from the Message Broker service field, enter the number of records that must be requested from the Message Broker service for subsequent processing in the Anomaly Detector.

   The higher the value, the less frequently Anomaly Detector requests records from Message Broker. The value depends on the amount of telemetry data received by Kaspersky MLAD in real time.

9. In the Number of messages sent in one block to the Message Broker service field, enter the number of incidents that must be sent to the Message Broker service at one time.
10. Click the Save button.

[Topic 247999]

Configuring the Keeper service

Kaspersky MLAD uses the Keeper service to route telemetry data that should be saved in the database. You can configure the settings that define the rate of incoming data received from connectors and external sources, and the volume of data to be saved in the Kaspersky MLAD database.

System administrators can configure the data routing settings in Kaspersky MLAD.

To configure the Keeper service:

1. In the lower-left corner of the window, click .

   You will be taken to the administrator menu.

2. Select the System parameters → Keeper section.

   A list of options appears on the right.

3. Perform one of the following actions:
   • To save both known and unknown tags values from external sources to the database, turn on the Save values of all tags toggle.
   • To save only the tags values that are known to the application, turn off the Save values of all tags toggle.
4. In the Timeout for receiving tag values (ms) field, enter the maximum timeout (in milliseconds) for receiving the values of tags.

   The higher the value, the less frequently Keeper receives tag values and writes these to the database. We recommend setting a value that matches the frequency of receiving telemetry data from the monitored asset.

5. In the Timeout for receiving incidents (ms) field, enter the maximum timeout in milliseconds for receiving incidents.

   The higher the value, the less frequently Keeper receives incident data and writes these to the database. We recommend setting a value that matches the incident frequency.

6. In the Timeout for receiving metrics (ms) field, enter the maximum timeout in milliseconds for receiving metrics.

   The higher the specified value, the less often Keeper receives metrics (the number of received observations for tags, the number of events, and the number of generated artifacts) and writes these to the database. We recommend setting a value that matches the frequency of receiving metrics from CEF Connector.

7. Click the Save button.

[Topic 248000]

Configuring the Mail Notifier service

Kaspersky MLAD uses the Mail Notifier service to notify users when incidents are registered by the application.

System administrators can configure the Mail Notifier service.

Setting up Mail Notifier is optional and only required for receiving email notifications about new registered incidents. First, you need to configure an SMTP server on the network where the monitored object is located.

To configure the Mail Notifier service:

1. In the lower-left corner of the window, click .

   You will be taken to the administrator menu.

2. Select System parameters → Mail Notifier.

   A list of options appears on the right.

3. In the Notification sender email field, specify the email address that will send incident notifications.
4. In the SMTP server address field, enter the IP address of the SMTP server.
5. In the SMTP server port field, enter the port of the SMTP server.
6. In the SMTP server user name field, enter the user name for connecting to the SMTP server.
7. In the SMTP server password field, enter the password for connecting to the SMTP server.
8. Use the Use TLS connection toggle switch to enable or disable secure TLS connection.

   By default, use of a secure TLS connection is disabled.

   To avoid compromising the sent data, it is recommended to enable the use of a secure TLS connection. It is recommended to use a secure TLS connection via the TLS-1.2 or TLS-1.3 protocol using a cipher suite from the list of recommended ciphers.

9. If you are using a secure TLS connection, do the following:
   1. Upload the SMTP server certificate using the Browse button under SMTP server certificate.
   2. Upload the key to the SMTP server certificate file using the Browse button under the Key to SMTP server certificate setting.

   It is recommended to use a certificate with a certificate key length of 4096 bits when using the RSA algorithm, or 256 bits when using the ECDH algorithm.
   Certificates and certificate keys can be uploaded only as files in DER or PEM format.

   To delete the certificate file or certificate key, click the button in the corresponding field. To save the certificate file or certificate key on your computer, click the button in the corresponding field.

10. Click the Save button.

[Topic 248001]

Configuring the Similar Anomaly service

Kaspersky MLAD uses the Similar Anomaly service to identify similar incidents and combine them into groups. In groups, you can view similar incidents that were registered at different times.

System administrators can configure the Similar Anomaly service.

To configure the Similar Anomaly service:

1. In the lower-left corner of the window, click .

   You will be taken to the administrator menu.

2. Select System parameters → Similar Anomaly.

   A list of service settings appears on the right.

3. In the Minimum number of incidents in group field, enter the minimum number of similar incidents for forming a group.
4. In the Maximum number of incidents in group field, enter the maximum number of incidents that can be put into one group.

   The larger the specified value, the more incidents the application can assign to one group.

5. In the Maximum distance between similar incidents field, enter the maximum distance that similar incidents can lag behind each other.

   You can specify a value in the range of 0 to 1.

6. Click the Save button.

[Topic 248002]

Configuring the Stream Processor service

The Stream Processor service gathers real-time telemetry data (input stream) received from the monitored asset at arbitrary points in time and converts this data to a UTG (output stream). Based on the accumulated data, the Stream Processor service determines the values of tags in the output data stream. After converting data into an output stream, the Stream Processor service forwards this data to the ML model for processing.

When converting incoming telemetry data, the Stream Processor service accounts for potential data losses (for example, if the network of the monitored asset temporarily goes down) and processes observations that were received in Kaspersky MLAD too early or too late. In these cases, the Stream Processor service generates default incidents and/or forwards default tag values to the output data stream.

The Stream Processor service can also compute derivative tags based on incoming telemetry data (for example, to calculate the moving average or average value of a group of tags).

The Stream Processor service configuration file for uploading is provided by Kaspersky specialists or a certified integrator.

System administrators can configure the Stream Processor service.

To configure the Stream Processor service:

1. In the lower-left corner of the window, click .

   You will be taken to the administrator menu.

2. Select System parameters → Stream Processor.
3. In the Uniform temporal grid period (sec) field, specify the period (in seconds) for which the Stream Processor service will process incoming telemetry data.

4. Using the Browse button under the Configuration file setting, add a file that contains configuration settings for the Stream Processor service.

   If you need to delete the configuration file for the Stream Processor service, click the button. To save the configuration file on your computer, click the button.

5. Click the Save button.

[Topic 248003]

Configuring the HTTP Connector

Kaspersky MLAD uses the HTTP Connector to receive data from CSV files by uploading data using the POST method. You can download data over port 4999 via HTTP or HTTPS by specifying the relevant protocol in a request.

In Kaspersky MLAD, certificate files and key files can be uploaded only in DER or PEM format. If necessary, you can use the OpenSSL utility to change the format of certificate files and the certificate key. Thus, to change the format of a certificate file from P12 to PEM, run the following command in the console:

openssl pkcs12 -in <certificate name>.p12 -clcerts -nokeys -out <certificate name>.pem

System administrators can configure the HTTP Connector.

To configure the HTTP Connector:

1. In the lower-left corner of the window, click .

   You will be taken to the administrator menu.

2. Select System parameters → HTTP Connector.

   A list of options appears on the right.

3. In the Size of written block (tag count) field, specify the number of tags values that are written to the Message Broker service at one time.

   The specified value affects the number of iterations for writing tag values from the CSV file to Message Broker according to the total number of observations for tags retrieved via HTTP Connector.

4. In the Maximum size of uploaded file (MB) field, specify the maximum size in megabytes of a file transmitted to the HTTP Connector.

   If you try to download a larger CSV file, the file would not be passed to the HTTP Connector.

5. Use the Use TLS connection toggle switch to enable or disable secure TLS connection.

   By default, use of a secure TLS connection is enabled.

   To avoid compromising the received and/or sent data, it is recommended to keep the use of a secure TLS connection enabled.

6. If you are using a secure TLS connection, use the Use the recommended TLS connection settings toggle switch to enable or disable use of the recommended TLS connection settings.

   By default, use of the recommended TLS connection settings is enabled.

   When the toggle switch is on, a secure TLS connection is used via the TLS-1.2 or TLS-1.3 protocol with a cipher suite from the list of recommended ciphers.

7. If you are using a secure TLS connection, do the following:
   1. Add the HTTPS server certificate and the certificate key by using the Browse button under the HTTPS server certificate and Private key to HTTPS server certificate settings.

      It is recommended to use a certificate with a certificate key length of 4096 bits when using the RSA algorithm, or 256 bits when using the ECDH algorithm.

   2. If you are using client certificates, add the root certificate to verify the signature of the client certificate by using the Browse button under the CA certificate for verifying the client certificate signature setting.

   Certificates and certificate keys can be uploaded only as files in DER or PEM format.

   To delete the certificate file or certificate key, click the button in the corresponding field. To save the certificate file or certificate key on your computer, click the button in the corresponding field.

8. Toggle Scale obtained tag values switch to enable or disable the conversion of tag values according to the Bias and Multiplier settings that were set when creating the tag.

   Conversion of received tag values is disabled by default.

9. Click the Save button.

Kaspersky MLAD will receive data from CSV files using the HTTP Connector.

The following is an example of sending a CSV file to the HTTP Connector via cURL over HTTP using the POST method to port 4999 of the Kaspersky MLAD server:

The HTTP Connector accepts CSV files with the following fields:

timestamp;tag_name;value

where:

• timestamp is the time stamp in the format %Y-%m-%dT%H:%M:%S.
• tag_name is the name of the tag.
• value is the tag value.

  If a tag value contains a fractional portion, use a dot to separate the integer from the fractional portion.

[Topic 248004]

Configuring the MQTT Connector

Kaspersky MLAD uses the MQTT Connector to receive data and send messages about incident registration via the MQTT (Message Queuing Telemetry Transport) protocol.

System administrators can configure the MQTT Connector.

To configure the MQTT Connector:

1. In the lower-left corner of the window, click .

   You will be taken to the administrator menu.

2. Select System parameters → MQTT Connector.

   A list of options appears on the right.

3. Use the Use TLS connection toggle switch to enable or disable secure TLS connection.

   By default, use of a secure TLS connection is enabled.

   To avoid compromising the received and/or sent data, you are advised to keep the use of a secure TLS connection enabled.

4. If you are using a secure TLS connection, use the Use the recommended TLS connection settings toggle switch to enable or disable use of the recommended TLS connection settings.

   By default, use of the recommended TLS connection settings is enabled.

   When the toggle switch is on, a secure TLS connection is used via the TLS-1.2 or TLS-1.3 protocol with a cipher suite from the list of recommended ciphers.

5. In the MQTT broker (address:port) field, specify the host name and port of the external MQTT broker that the MQTT Connector will interact with.

   The default value of this parameter is mqtt_broker:1883.

6. In the User name for MQTT connection field, enter the user name to connect to the MQTT broker.
7. In Password for MQTT connection, enter the user password for connecting to the MQTT broker.
8. If you are using a secure TLS connection and a self-signed certificate is installed on the MQTT broker, add the root certificate for the MQTT broker by using the Browse button under the CA certificate setting.

   To delete the certificate file, click the button. To save the certificate file on your computer, click the button.

9. If you are using a secure TLS connection and client authentication is enabled on the MQTT broker, do the following:
   1. Add the client certificate by using the Browse button under the Client certificate setting.
   2. Add the key for the client certificate by using the Browse button under the Key to client certificate setting.

   It is recommended to use a certificate with a certificate key length of 4096 bits when using the RSA algorithm, or 256 bits when using the ECDH algorithm.
   Certificates and certificate keys can be uploaded only as files in DER or PEM format.

   To delete the certificate file or certificate key, click the button in the corresponding field. To save the certificate file or certificate key on your computer, click the button in the corresponding field.

10. In the List of MQTT subscriptions for receiving tags field, enter the name of the list of MQTT subscriptions from which the MQTT Connector will receive tag values.

    The default value of this parameter is tags.

11. In the MQTT topic for publishing messages field, specify the name of the topic where the MQTT Connector will publish messages about incident registration.

    If no value is defined for this setting, messages are not sent.

    This setting has no value by default.

12. In the Data format drop-down list, select the format to receive data from external systems and send messages about incidents.

    The following options are available: JSONBatch, Topic, SmartHome, KISG.

    The default value of this parameter is JSONBatch.

    If you are having difficulty selecting a data format, consult Kaspersky or a certified integrator.

    If none of the incident data and message formats suits you, you can contact Kaspersky Lab experts to add the required format.

13. If you have selected the Topic data format, add a configuration file containing the connector settings for this data format using the Browse button under the Connector configuration file setting.

    To delete the certificate file, click the button. To save the certificate file on your computer, click the button.

14. Toggle Scale obtained tag values switch to enable or disable the conversion of tag values according to the Bias and Multiplier settings that were set when creating the tag.

    Conversion of received tag values is disabled by default.

15. Click the Save button.

Kaspersky MLAD will receive data and send messages about incident registration via the MQTT protocol.

[Topic 248005]

Configuring the AMQP Connector

Kaspersky MLAD uses the AMQP Connector to receive data and send messages about incident registration via AMQP (Advanced Message Queuing Protocol).

System administrators can configure the AMQP Connector.

To configure the AMQP Connector:

1. In the lower-left corner of the window, click .

   You will be taken to the administrator menu.

2. Select System parameters → AMQP Connector.

   A list of options appears on the right.

3. Use the Use TLS connection toggle switch to enable or disable secure TLS connection.

   By default, use of a secure TLS connection is enabled.

   To avoid compromising the received and/or sent data, you are advised to keep the use of a secure TLS connection enabled.

4. If you are using a secure TLS connection, use the Use the recommended TLS connection settings toggle switch to enable or disable use of the recommended TLS connection settings.

   By default, use of the recommended TLS connection settings is enabled.

   When the toggle switch is on, a secure TLS connection is used via the TLS-1.2 or TLS-1.3 protocol with a cipher suite from the list of recommended ciphers.

5. In the AMQP broker (address:port) field, specify the host name and port of the external AMQP broker that the AMQP Connector will interact with.

   The default value of this parameter is rabbitmq:5672.

6. In the User name for AMQP connection field, enter the user name to connect to the AMQP broker.
7. In Password for AMQP connection, enter the user password for connecting to the AMQP broker.
8. If you are using a secure TLS connection and a self-signed certificate is installed on the AMQP broker, add the root certificate for the AMQP broker by using the Browse button under the CA certificate setting.

   A certificate can be downloaded as a DER or PEM file only.

   To delete the certificate file, click the button. To save the certificate file on your computer, click the button.

9. If you are using a secure TLS connection and client authentication is enabled on the AMQP broker, do the following:
   1. Add the client certificate by using the Browse button under the Client certificate setting.
   2. Add the key for the client certificate by using the Browse button under the Key to client certificate setting.

   It is recommended to use a certificate with a certificate key length of 4096 bits when using the RSA algorithm, or 256 bits when using the ECDH algorithm.
   A certificate and certificate key can be uploaded only as a file in DER or PEM format.

   To delete the certificate file or certificate key, click the button in the corresponding field. To save the certificate file or certificate key on your computer, click the button in the corresponding field.

10. In the AMQP virtual host field, specify the virtual host for establishing a connection between the AMQP Connector and the external AMQP broker.

    The default value of this parameter is /.

11. In the AMQP exchange point name for receiving tag values field, specify the name of the exchange point to receive tags values from an external AMQP broker.

    If a value is not defined for this parameter, tags values will not be received via the AMQP Connector.

    This setting has no value by default.

12. In the List of AMQP subscriptions for receiving tag values field, specify the name of the list of subscriptions from which the AMQP Connector will receive tag values.

    The default value of this parameter is #.

13. In the AMQP queue for receiving tag values field, specify the name of the queue for the AMQP connector.
14. In the AMQP exchange point name for publishing messages field, specify the name of the exchange point for sending incident registration messages.

    If no value is defined for this parameter, messages will not be sent. You can specify the same name that you indicated in step 10 of these instructions.

    This setting has no value by default.

15. In the AMQP topic for publishing messages field, specify the name of the topic where the AMQP Connector will publish messages about incident registration.

    The default value of this parameter is alert.

16. In the Data format drop-down list, select the format to receive data from external systems and send messages about incidents.

    The following options are available: JSONBatch, Topic, SmartHome, KISG.

    The default value of this parameter is JSONBatch.

    If you are having difficulty selecting a data format, consult Kaspersky or a certified integrator.

    If none of the incident data and message formats suits you, you can contact Kaspersky Lab experts to add the required format.

17. If you have selected the Topic data format, add a configuration file containing the connector settings for this data format using the Browse button under the Connector configuration file setting.

    To delete the connector configuration file, click the button. To save the connector configuration file on your computer, click the button.

18. Toggle Scale obtained tag values switch to enable or disable the conversion of tag values according to the Bias and Multiplier settings that were set when creating the tag.

    Conversion of received tag values is disabled by default.

19. Click the Save button.

Kaspersky MLAD will receive data and send messages about incident registration via the AMQP protocol.

[Topic 248006]

Configuring the OPC UA Connector

Kaspersky MLAD uses the OPC UA Connector to receive data over a protocol described by the OPC Unified Architecture specification.

System administrators can configure the OPC UA Connector.

To configure the OPC UA Connector:

1. In the lower-left corner of the window, click .

   You will be taken to the administrator menu.

2. Select System parameters → OPC UA Connector.

   A list of options appears on the right.

3. In the Connection point field, specify the connection address.

   For example: opc.tcp://10.0.0.0:8001/freeopcua/server/.

4. In the OPC UA server connection timeout (sec) field, specify the time period (in seconds) that the OPC UA Connector will attempt to establish a connection with the OPC UA server.
5. Using the Browse button under the Configuration file setting, add a file containing settings for the OPC UA Connector.

   To delete the connector configuration file, click the button. To save the connector configuration file on your computer, click the button.

6. Toggle Scale obtained tag values switch to enable or disable the conversion of tag values according to the Bias and Multiplier settings that were set when creating the tag.

   Conversion of received tag values is disabled by default.

7. Select a message encryption algorithm from the Connection security policy drop-down list.

   The following options can be selected: None, Basic256, Basic128Rsa15, Basic256Sha256, Aes128Sha256RsaOaep.

8. In the Secure messaging mode drop-down list, select one of the following values:
   1. If you do not want to sign or encrypt messages, select None.
   2. If you want to sign messages, select Sign messages.
   3. If you want to sign and encrypt messages, select Sign and encrypt messages.
9. In User name, enter the user name for connecting to the OPC UA server.
10. In Password, enter the password for connecting to the OPC UA server.
11. If it is necessary to use a secure connection and client authentication is enabled on the OPC UA server, do the following:
    1. Add the client application certificate by using the Browse button under the Client certificate setting.
    2. Add the private key to the client application certificate by using the Browse button under the Client private key setting.
    3. In Client private key password, specify the password to use for unlocking the private key.

    It is recommended to use a certificate with a certificate key length of 4096 bits when using the RSA algorithm, or 256 bits when using the ECDH algorithm.
    A certificate and certificate key can be uploaded only as a file in DER or PEM format.

    To delete the certificate file or certificate key, click the button in the corresponding field. To save the certificate file or certificate key on your computer, click the button in the corresponding field.

12. If it is necessary to use a secure connection and a self-signed certificate is installed on the OPC UA server, add the root certificate for the OPC UA server using the Browse button under the OPC UA server CA certificate setting.

    To delete the certificate file, click the button. To save the certificate file on your computer, click the button.

13. In the Historical data interval (sec) field, specify the time interval (in seconds) for which the OPC UA Connector requests historical data stored on the OPC UA server.

    Enter 0 if you do not need to download historical data. Enter -1 if you need to download all historical data.

    If Start of the historical data period and End of the historical data period are set, historical data is loaded for the specified period.

14. In the Start of the historical data period field, select the start date and time of the period for which you want to download data from the OPC UA server.
15. In the End of the historical data period field, select the end date and time of the period for which you want to download data from the OPC UA server.
16. In the Size of historical data block sent by OPC UA server (numvalues parameter) field, specify the number of tags values that will be transmitted in the historical data block sent to the OPC UA Connector from the OPC UA server.

    The specified value affects the number of iterations for sending historical data to OPC UA Connector according to the total number of observations for tags received from the OPC UA server.

17. In the Size of historical data block sent to Message Broker service field, specify the number of tags that will be transmitted in the historical data block sent from the OPC UA Connector to the Message Broker service.

    The specified value affects the number of iterations for sending historical data to Message Broker according to the total number of observations for tags recieved via OPC UA Connector.

18. Click the Save button.

[Topic 248007]

Configuring the KICS Connector

Kaspersky MLAD uses the KICS Connector to receive data from Kaspersky Industrial CyberSecurity for Networks 4.0 and later and to send back incident registration messages.

The connector for integration with Kaspersky MLAD must be created and added to Kaspersky Industrial CyberSecurity for Networks in advance. For detailed information about creating and adding a connector, please refer to the Adding a connector section of Kaspersky Industrial CyberSecurity for Networks Help Guide.

System administrators can perform integration with Kaspersky Industrial CyberSecurity for Networks version 4.0 or higher.

To configure the KICS Connector:

1. In the lower-left corner of the window, click .

   You will be taken to the administrator menu.

2. Select System parameters → KICS Connector.

   A list of options appears on the right.

3. Using the Browse button under the setting Communication data package for KICS Connector (zip) field, add the file containing the settings for configuring interaction between Kaspersky MLAD and Kaspersky Industrial CyberSecurity for Networks.

   For detailed information about creating a communication data package, please refer to the Kaspersky Industrial CyberSecurity for Networks Help Guide. The created communication data package must be saved on the computer where Kaspersky MLAD is installed.

   If you need to delete a communication data package, click the button in the Communication data package for KICS Connector (zip) field. To save the communication data package on your computer, click the button.

4. In the Password for KICS Connector field, enter the password that you specified when adding the connector to Kaspersky Industrial CyberSecurity for Networks.
5. Toggle Send messages to Kaspersky Industrial CyberSecurity for Networks switch to enable or disable forwarding of messages about registered incidents to Kaspersky Industrial CyberSecurity for Networks.
6. In the Tag value sampling frequency (Hz) field, specify the frequency in Hz at which you need to receive tag values from Kaspersky Industrial CyberSecurity for Networks.

   Indicate 0 in this field if data sampling is not required.

7. Toggle Scale obtained tag values switch to enable or disable the conversion of tag values according to the Bias and Multiplier settings that were set when creating the tag.

   Conversion of received tag values is disabled by default.

8. Click the Save button.

Kaspersky MLAD receives data from Kaspersky Industrial CyberSecurity for Networks and sends back messages about incident registration.

[Topic 248008]

Configuring the CEF Connector

Kaspersky MLAD uses the CEF Connector to receive data from external sources of events (such as the Industrial Internet of Things, network devices and applications) and to send incident registration messages to an external system.

You can also use the CEF Connector to send information security event logs of Kaspersky MLAD to an external system. Information security event logs are automatically written to the Kaspersky MLAD database.

To receive events from external sources using the CEF Connector, configure the Event Processor service.
Before configuring the CEF Connector settings in the Kaspersky MLAD web interface, the IP address and port number to be used for connecting the external event source to the CEF Connector must be specified in the .env file. The settings of the configuration file can be changed only by a qualified technical specialist of the Customer, a Kaspersky employee, or a certified integrator.

System administrators can configure the CEF Connector.

To configure the CEF Connector:

1. In the lower-left corner of the window, click .

   You will be taken to the administrator menu.

2. Select System parameters → CEF Connector.

   A list of options appears on the right.

3. Use the Receive events for the Event Processor service toggle switch to enable or disable use of the CEF Connector for receiving events from an external system.
4. Toggle Send registered incidents to SIEM system switch to enable or disable forwarding of messages about incidents registered by the application to the external system.
5. Toggle Send registered events to SIEM system switch to enable or disable forwarding of messages about events registered by Event Processor service to the external system.
6. In the IP address for sending events and incidents to SIEM system field, specify the IP address for connecting an external system to the CEF Connector and forwarding events processed by the Event Processor service and incidents.
7. In the Port for sending events and incidents to SIEM system field, specify the port number for connecting an external system to the CEF Connector and forwarding events processed by the Event Processor service and incidents.
8. If you need to send information security event logs of Kaspersky MLAD to an external system, turn on the Send information security event logs to a Syslog server toggle switch and do the following:
   1. In the Transport protocol for sending information security events to a Syslog server drop-down list, select the protocol that you want to use for sending information security event logs.

      Kaspersky MLAD supports the TCP and UDP protocols for sending information security event logs to an external system.

   2. In the Syslog server address for sending information security events field, specify the IP address or host name of the external system to which the information security event logs must be sent.
   3. In the Syslog server port for sending information security events field, specify the port number of the external system to which the information security event logs must be sent.
9. Use the Use TLS connection toggle switch to enable or disable the use of a secure TLS connection when using Kaspersky MLAD as a client.

   By default, use of a secure TLS connection is enabled.

   To avoid compromising the received and/or sent data, it is recommended to keep the use of a secure TLS connection enabled.

10. If you have enabled the use of a secure TLS connection, use the Use the recommended TLS connection settings toggle switch to enable or disable use of the recommended TLS connection settings.

    When the toggle switch is on, a secure TLS connection is used via the TLS-1.2 or TLS-1.3 protocol with a cipher suite from the list of recommended ciphers.

11. If you need to use a secure TLS connection for the server side of the CEF Connector, do the following:
    1. Add the server certificate and the certificate key by using the Browse button under the Server certificate and Private key to the server certificate settings.

       It is recommended to use a certificate with a certificate key length of at least 4096 bits when using the RSA algorithm, or 256 bits when using the ECDH algorithm.

    2. If you are using client certificates, add the root certificate to verify the signature of the client certificate by using the Browse button under the CA certificate for verifying the client certificate signature setting.

    Certificates and certificate keys can be uploaded only as files in DER or PEM format.

    To delete the certificate file or certificate key, click the button in the corresponding field. To save the certificate file or certificate key on your computer, click the button in the corresponding field.

12. If you need to use a secure TLS connection for the server side of the CEF Connector, do the following (if necessary):
    1. Add the client certificate and the certificate key by using the Browse button under the Client certificate and Private key to the client certificate settings.

       It is recommended to use a certificate with a certificate key length of at least 4096 bits when using the RSA algorithm, or 256 bits when using the ECDH algorithm.

    2. If you are using server certificates, add the root certificate to verify the signature of the server certificate by using the Browse button under the CA certificate for verifying the server certificate signature setting.

    Certificates and certificate keys can be uploaded only as files in DER or PEM format.

    To delete the certificate file or certificate key, click the button in the corresponding field. To save the certificate file or certificate key on your computer, click the button in the corresponding field.

13. Click the Save button.

[Topic 248009]

Configuring the WebSocket Connector

Kaspersky MLAD uses the WebSocket Connector to receive data and send messages about incident registration via the WebSocket protocol.

System administrators can configure the WebSocket Connector. The instructions in this section are provided for information purposes.

To configure the WebSocket Connector:

1. In the lower-left corner of the window, click .

   You will be taken to the administrator menu.

2. Select System parameters → WebSocket Connector.

   A list of options appears on the right.

3. In the WebSocket server URL address field, specify the web address of the WebSocket server that the WebSocket Connector will interact with.

   Enter the web address in the format: WebSocket protocol://address:port/.

4. If it is necessary to use a secure connection and a self-signed certificate is installed on the WebSocket server, add the root certificate for the WebSocket server using the Browse button under the CA certificate setting.

   To delete the certificate file, click the button. To save the certificate file on your computer, click the button.

5. If it is necessary to use a secure connection and client authentication is enabled on the WebSocket server, do the following:
   1. Add the WebSocket client application certificate by using the Browse button under the Client certificate setting.
   2. Add the key to the WebSocket client application certificate by using the Browse button under the Key to client certificate setting.

   It is recommended to use a certificate with a certificate key length of 4096 bits when using the RSA algorithm, or 256 bits when using the ECDH algorithm.

   To delete the certificate file or certificate key, click the button in the corresponding field. To save the certificate file or certificate key on your computer, click the button in the corresponding field.

6. In the Data format drop-down list, select the format to receive data from external systems and send messages about incidents.

   The following options are available: JSONBatch, Topic, SmartHome, KISG.

   The default value of this parameter is JSONBatch.

   If you are having difficulty selecting a data format, consult Kaspersky or a certified integrator.

   If none of the incident data and message formats suits you, you can contact Kaspersky Lab experts to add the required format.

7. If you have selected the Topic data format, add a configuration file containing the connector settings for this data format using the Browse button under the Connector configuration file setting.

   To delete the connector configuration file, click the button. To save the connector configuration file on your computer, click the button.

8. Toggle Scale obtained tag values switch to enable or disable the conversion of tag values according to the Bias and Multiplier settings that were set when creating the tag.

   Conversion of received tag values is disabled by default.

9. Toggle Submit incidents switch to enable or disable the forwarding of messages about incidents registered in Kaspersky MLAD to a WebSocket server.
10. If you are using a secure TLS connection, use the Use the recommended TLS connection settings toggle switch to enable or disable use of the recommended TLS connection settings.

    By default, use of the recommended TLS connection settings is enabled.

    When the toggle switch is on, a secure TLS connection is used via the TLS-1.2 or TLS-1.3 protocol with a cipher suite from the list of recommended ciphers.

11. Click the Save button.

Kaspersky MLAD will receive data and send messages about incident registration via the WebSocket protocol.

[Topic 248010]

Configuring the Event Processor service

Kaspersky MLAD uses the Event Processor service to identify patterns and anomalous sequences of events and patterns. You can configure the settings of the Event Processor service.

If Kaspersky MLAD is restarted, you do not need to re-configure the Event Processor service settings. Kaspersky MLAD restores the Event Processor service state from the database or file in bit format. This restoration process may take several minutes if there is a significantly large number of processed events or registered patterns. Until the state of the Event Processor service is restored in the Event Processor section, requests will not be fulfilled, data will not be updated, and data received from the CEF Connector will not be processed. This data is temporarily stored in the system message queue and is processed after the state of the Event Processor service is restored.

The Event Processor service may require a large amount of RAM on the server where Kaspersky MLAD is installed. The amount of RAM usage depends on the rate of the event stream and the volume of events history that is processed. The specific configuration of the Event Processor service also has an effect on the amount of RAM usage.

System administrators can configure the Event Processor service.

To configure the Event Processor service:

1. In the lower-left corner of the window, click .

   You will be taken to the administrator menu.

2. Select System parameters → Event Processor.

   A list of service settings appears on the right.

3. In the Online mode section, do the following:
   1. Using the Browse button under the setting Event processor configuration file field, add the file containing the configuration settings for the Event Processor service.

      The Configuration file is created by a qualified technical specialist of the Customer, a Kaspersky Lab employee or a certified integrator.

      If you need to delete the configuration file for the Event Processor service, click the button. To save the configuration file on your computer, click the button.

      Changing the configuration file of the Event Processor service results in a complete loss of the service's data.

   2. If you need to process incidents registered by the Anomaly Detector service, turn on the Process incidents as events toggle switch.
   3. In the Maximum number of network layers field, specify the number of layers of the semantic neural network that will be used.

      The default number of network layers for event data that is based on a specific structure is ten layers. In most cases, ten layers are enough for the hierarchical presentation of data in the semantic neural network at the core of the Event Processor. To identify patterns of periodic processes that span an extended period of time, you may need to increase the value of the Maximum number of network layers parameter.

   4. In the Coefficient defining the permitted dispersion of the pattern duration field, specify the coefficient used to determine the permissible dispersion of intervals between elements in the same pattern.

      If the actual dispersion value is less than or equal to one that is specified, the identified sequences of events will be registered as one pattern.

   5. In the Interval for receiving batch events (sec.) field, specify the time interval (in seconds) for which the Event Processor service forms an episode from incoming events received for processing.

      If the rate of incoming events is approximately 1000 events per second, it is recommended to indicate this value as the interval for receiving new events so that you receive a number of events close to the value indicated in the Batch size in online mode (number of events) field during the specified period. If the rate of incoming events is a lot lower than this value, you should adjust the interval for receiving new events to ensure an optimal frequency of event processing.

   6. In the Batch size in online mode (number of events) field, specify the maximum number of events per episode to be subsequently processed by the Event Processor service.

      If the rate of incoming events is approximately 1000 events per second, it is recommended to indicate a value equal to 4096 in this field.

   7. In the Method of saving the state of the Event Processor service drop-down list, select one of the following options for saving the Event Processor service state:
      • Database table – Kaspersky MLAD saves the results from processing each episode in the database table.
      • File in bit format – Kaspersky MLAD saves the state of the Event Processor service according to the frequency defined in the Component backup frequency field. The application saves the state of the service to the file specified in the File containing a backup copy of the component state field.

        Saving the Event Processor service state to a file in bit format is recommended for debugging and configuring the application settings by Kaspersky employees during the deployment of Kaspersky MLAD.

      By default, the Event Processor service saves the results of event stream processing in a database table.

      Changing the way of saving the Event Processor service state results in a complete loss of the service's data.

   8. If you select to store the Event Processor service state in a file in bit format, in the Component backup frequency field, specify how often (in days, hours, and minutes) to perform a backup of the Event Processor service.
   9. If you chose to store the status of the Event Processor service as a bitmap file, add the file that contains a backup copy of the Event Processor service via the Browse button under the File containing a backup copy of the component state setting.

      This file will be used if you ever need to restore the state of the Event Processor service. The state of the Event Processor service can be restored by Kaspersky experts as part of their extended technical support.

      If you need to delete the file containing the backup copy of the Event Processor service, click the button. To save the file containing a backup copy of the service on your computer, click the button.

4. In the Sleep mode section, do the following:
   1. In the Batch size in sleep mode (number of events) field, specify the number of events for forming an episode in sleep mode.

      The Event Processor service generates episodes based on the history of events received for reprocessing during the time interval specified in the Events history interval for processing in sleep mode field.

   2. In the Send alerts when the monitor is activated in sleep mode field, select one of the following values:
      • Send alerts when the monitor is activated by any pattern – Kaspersky MLAD sends alerts when the monitor is activated in the sleep mode if the patterns are detected in accordance with the specified monitoring criteria. The number of monitor activations is refreshed in the Event Processor section on the Monitoring tab.
      • Do not send alerts when the monitor is activated – Kaspersky MLAD does not send alerts when the monitor is activated in the sleep mode.
      • Send alerts when the monitor is activated by a new pattern – Kaspersky MLAD sends alerts when the monitor is activated in the sleep mode if new patterns are detected in accordance with the specified monitoring criteria. The number of monitor activations is refreshed in the Event Processor section on the Monitoring tab.
      • Send alerts when the monitor is activated by a previously registered pattern – Kaspersky MLAD sends alerts when the monitor is activated in the sleep mode if stable patterns are detected in accordance with the specified monitoring criteria. The number of monitor activations is refreshed in the Event Processor section on the Monitoring tab.
   3. In the Sleep mode frequency field, specify how often (in days) and at what time (according to the UTC standard) the Event Processor service goes to the sleep mode to reprocess events.

      It is recommended to specify the time when the event stream is the least intensive as the start time for the sleep mode.

      If the specified sleep time has not yet come on the current day, the Event Processor will go to the sleep mode on that day. If the sleep time has already been missed on the current day, the Event Processor will go to the sleep mode at the specified time after the specified number of days.

   4. In the Sleep mode duration (HH:MM) field, specify the time period (in hours and minutes) during which the Event Processor service processes events in the sleep mode.
   5. In the Events history interval for processing in sleep mode field, specify the time interval (in days, hours, and minutes) during which the analyzed events must be forwarded for reprocessing in the sleep mode to the Event Processor service.
5. Click the Save button.

[Topic 248011]

Configuring the statuses and causes of incidents

Kaspersky MLAD lets you specify the causes of incidents and the statuses of incidents and groups of incidents.

The status of an incident or a group of incidents is a mark about the status of incident analysis performed by an expert. After installation of Kaspersky MLAD, the following statuses of incidents and incident groups are available by default: Under review, Decision pending, Instructions issued, Problem closed, Cause unknown, Ignore and False positive. For the Problem closed and Ignore statuses, the Notify about an incident check box is cleared by default. If during registration, incidents are automatically assigned one of these statuses, no email alerts will be sent, and no incident dot indicators will be displayed under Monitoring or History. An incident status can be assigned automatically in one of the following cases:

• If the incident was automatically assigned to a group with that status.
• If the incident is registered by an ML model element that sets that incident status by default.

The incident cause is a mark of the cause of the incident added by an expert based on the results of the incident analysis.

You can add causes and statuses for incidents. The created causes and statuses of incidents will become available for selection in the Incidents section. You can also change and delete statuses and causes of incidents.

System administrators can configure the causes and statuses of incidents.

To add an incident status:

1. In the lower-left corner of the window, click .

   You will be taken to the administrator menu.

2. Select the System parameters → Incidents section.
3. In the Statuses of incidents section, click the Create button.

   The Create element pane appears on the right.

4. In the Value, in Russian field, specify the name of the incident status in Russian.
5. In the Value, in English field, specify the name of the incident status in English.
6. In the Sort field, indicate the sequence number for which the incident status will be sorted in the Incident status drop-down list in the Incidents section.

   The statuses of incidents will be sorted by their names if the sequence numbers of incident statuses coincide.

7. To send incident registration notifications together with the added status and display its indicator in the prediction error subsection of the Monitoring and History sections, select the Notify about an incident check box.

   If you remove the checkbox, no email alerts about incidents that receive the status automatically will be sent, and no incident dot indicators will be displayed under Monitoring or History.

8. Click the Save button.

To add a cause for incidents:

1. In the administrator menu, select System parameters → Incidents.
2. In the Causes of incidents section, click the Create button.

   The Create element pane appears on the right.

3. In the Incident cause field, specify the name of the incident cause.
4. In the Sort field, indicate the sequence number for which the incident cause will be sorted in the Incident cause drop-down list in the Incidents section.

   The causes of incidents will be sorted by their names if the sequence numbers of incident causes coincide.

5. Click the Save button.

To change the statuses or causes of incidents:

1. In the administrator menu, select System parameters → Incidents.
2. To change the parameters of incidents, do one of the following:
   • If you need to change the statuses of incidents or groups of incidents, use the Statuses of incidents settings group to select one or more incident statuses and click the Edit button.
   • If you need to change the causes of incidents, use the Causes of incidents settings group to select one or more incident causes and click the Edit button.
3. Make the necessary changes.
4. Click the Save button.

To remove statuses or causes of incidents:

1. In the administrator menu, select System parameters → Incidents.
2. To remove parameters of incidents, do one of the following:
   • If you need to delete the statuses of incidents or groups of incidents, use the Statuses of incidents settings group to select one or more incident statuses and click the Delete button.
   • If you need to delete the causes of incidents, use the Causes of incidents settings group to select one or more incident causes and click the Delete button.
3. In the window that opens, confirm the deletion.

Kaspersky MLAD will remove information about the incident statuses and causes from the corresponding tables and will remove them from the information about incidents and incident groups in the Incidents section for which these incident causes or statuses were selected.

[Topic 248012]

Configuring logging for Kaspersky MLAD services

You can configure the log level for Kaspersky MLAD services to write specific information about the state of the application and display it in the logging system (Grafana). To view how Kaspersky MLAD services are mapped to the names of Docker containers and images, see the Appendix.

System administrators can configure the logging of Kaspersky MLAD services.

To configure the log levels of Kaspersky MLAD services:

1. In the lower-left corner of the window, click .

   You will be taken to the administrator menu.

2. Select the System parameters → Logging section.

   The list of Kaspersky MLAD services will be displayed on the right.

3. If necessary, use the drop-down list next to the name of the relevant service to change the log level of the service.

   The following log levels are available in Kaspersky MLAD:

   • Debug – log all information in the application.
   • Info – log basic information about application operations.
   • General – log important information about application operations.
   • Warning – log errors that occur during operation of the application and log events that could lead to errors in application operations.
   • Error – log errors that occur in application operations.
   • Critical – log critical errors that occur in application operations.

   The General log level is used for most services by default. The Info log level is used for the API Server service by default.

4. Click the Save button.

[Topic 248013]

Configuring time intervals for displaying data

Kaspersky MLAD lets you specify the time interval (scale) for displaying data on graphs in the Monitoring, History and Time slice sections. After installation of Kaspersky MLAD, the following time intervals are available by default:

• 1, 5, 10, 15, and 30 minutes
• 1, 3, 6, and 12 hours
• 1, 2, 15, and 30 days
• 3 and 6 months
• 1, 2, and 3 years

You can add time intervals for displaying data on graphs. The created time intervals will become available for selection in the Monitoring, History and Time slice sections. You can also edit and delete time intervals.

System administrators can configure the time intervals for displaying data on charts.

To add a time interval for displaying data:

1. In the lower-left corner of the window, click .

   You will be taken to the administrator menu.

2. Select the System parameters → Graphs section.
3. In the Time intervals settings group, click the Create button.

   The Create element pane appears on the right.

4. In the Time interval (sec.) field, specify the time interval for which you want to display data on graphs.

   When a time interval is entered, Kaspersky MLAD automatically breaks down the time interval into specific units of time (years, months, weeks, days, hours, minutes, and seconds) in the Value, in Russian and Value, in English fields.

5. If necessary, change the Russian name of the time interval in the Value, in Russian field.
6. If necessary, change the English name of the time interval in the Value, in English field.

7. In the Sort field, indicate the sequence number for which the time interval will be sorted in the drop-down lists in the Monitoring, History and Time slice section.
8. Click the Save button.

To change the time intervals for displaying data:

1. In the administrator menu, select System parameters → Graphs.
2. In the Time intervals settings group, select one or more time intervals and click the Edit button.
3. Make the necessary changes.
4. Click the Save button.

To delete time intervals for displaying data:

1. In the administrator menu, select System parameters → Graphs.
2. In the Time intervals settings group, select one or more time intervals and click the Delete button.
3. In the window that opens, confirm the deletion.

Information about the time intervals will be deleted from the table.

[Topic 248014]

Configuring how the Kaspersky MLAD menu items are displayed

System administrators can configure settings for displaying the menu items of Kaspersky MLAD.

To configure the way Kaspersky MLAD menu items are displayed:

1. In the lower-left corner of the window, click .

   You will be taken to the administrator menu.

2. On the opened page, in the menu on the left, select System parameters → Menu.

   A list of options appears on the right.

3. In the Availability of main menu items settings group, use the toggle switch to enable or disable the display of a specific section in the main menu.
4. In the Availability of administrator menu items settings group, use the toggle switch to enable or disable the display of a specific section in the administrator menu.
5. Click the Save button.

[Topic 248015]

Export and import of Kaspersky MLAD settings

Kaspersky MLAD allows you to export and import configuration files that contain the settings of application services and connectors, as well as security settings, application service logging levels, settings for displaying the application menu and settings for typical statuses and causes of incidents, which are configured through the web interface. This could substantially reduce the time spent on configuring Kaspersky MLAD if you have to re-deploy the application.

When exporting settings, Kaspersky MLAD does not save to the archive file the passwords specified in the System parameters section, as well as the certificate files and certificate file keys uploaded in this section.

Only system administrators are allowed to export and import configuration files for Kaspersky MLAD services.

To export configuration files from Kaspersky MLAD:

1. In the lower-left corner of the window, click .

   You will be taken to the administrator menu.

2. Select System parameters.
3. Click the Export button in the upper part of the opened page.

Kaspersky MLAD configuration files will be saved in an archive named mlad-settings.tar.gz on the local computer.

To upload configuration files to Kaspersky MLAD:

1. In the administrator menu, select System parameters.
2. Click the Import button in the upper part of the opened page.
3. In the opened window, select the archive file containing the necessary configuration of Kaspersky MLAD parameters.

Kaspersky MLAD configuration files will be uploaded to the application.

[Topic 248017]

Managing assets and tags

System administrators can manage assets and tags.

Assets and tags are the primary elements of the monitored asset hierarchical structure. The hierarchical structure is displayed as an asset tree.

Observations of the monitored asset are transmitted to Kaspersky MLAD as tags. Based on the obtained tag values you can perform training and inference of ML models.

In the Assets section of the administrator menu, you can view assets and tags that have been created or uploaded to Kaspersky MLAD. Using the and buttons to the left of the asset names, you can display or hide the asset tree data. You can create assets and tags, and edit tag settings, such as tag blocking thresholds.

Kaspersky MLAD uses connectors to receive telemetry data according to tags from devices of the monitored asset. Tag values, defined within the asset tree and fed into the application, along with their corresponding tag IDs, are stored in Time Series Database. When saving of all tags values is enabled, the Time Series Database service also saves IDs and values of unknown tags (not listed in the asset tree). You can compare the current asset tree structure with the structure in the Time Series Database service and add missing tags to the asset tree, if necessary.

If Kaspersky MLAD detects unknown tags received from external devices through KICS Connector, these tags will be automatically created in the KICS section of the asset tree. The application automatically assigns IDs to tags and fills in the following information received from Kaspersky Industrial CyberSecurity for Networks:

• IDs of the tags
• Names of the tags
• Descriptions of the tags
• Units of measure for the tags
• Names of the assets for which the tags are received

Kaspersky MLAD is compatible with Kaspersky Industrial CyberSecurity for Networks version 4.0 and later.

You can also delete existing tags, import tags and assets from an XLSX file, or export them to a an XLSX file.

[Topic 252447]

About monitored asset hierarchical structure

Monitored asset hierarchical structure (hierarchical structure) is a way of representing the monitored asset as a tree, where the leaf nodes correspond to the tags from which telemetry data is received.

Monitored asset tags are organized as a hierarchy of assets representing, for example, units, plants, shops, and factories. The specific way assets are organized, their types and quantity are decided by the customer and depend on the structure of the asset being monitored. Each asset has only one parent element. This element can be another asset (parent asset) or a head element of the hierarchical structure (Root) that corresponds to the monitored asset as a whole.

Tags and assets are the primary elements of a hierarchical structure. You can import or export an asset tree as an XLSX file, and create and manage them in the Assets section.

In addition to primary elements, the following functional elements can be added to the hierarchical structure in the process of or as a result of the operations of Kaspersky MLAD:

• Markups
• ML models
• Templates for ML models

[Topic 247966]

About tags

Expand all | Collapse all

Tags are the main objects of observation in Kaspersky MLAD. A tag is a process parameter transmitted in the industrial network (temperature, for example). Measurements of physical parameters, as well as setpoints, commands, or states of control systems can be transmitted as tags. The values of tags are transmitted and received by the assets over specific protocols. The values of tags are displayed on graphs in the History and Monitoring sections and are also used to detect incidents.

Kaspersky MLAD supports several methods for obtaining telemetry data (tags). Depending on the monitored asset attributes and the tag transmission capabilities, you can select one of the following methods for receiving tag values in real time:

• Use the connectors of Kaspersky Industrial CyberSecurity for Networks that analyze mirrored traffic and send tags to Kaspersky MLAD in online mode. Kaspersky MLAD sends back information about detected incidents.
• Use the OPC UA Connector if the monitored asset provides the capability to transmit tags from ICS over the OPC UA protocol in the online mode.
• Use the MQTT Connector if the monitored asset provides the capability to transmit tags over the MQTT protocol and receive messages about incident registration in the online mode.
• Use the AMQP Connector if the monitored asset has the capability to transmit tags over the AMQP protocol and receive messages about incident registration in online mode.
• Use the WebSocket Connector if the monitored asset provides the capability to transmit tags over the WebSocket protocol and receive messages about incident registration in the online mode.
• Use the CEF Connector if the monitored asset provides the capability to transmit tags using the CEF Connector technology and receive messages about incident registration in the online mode.
• If the above methods of tag transmission are not available, you can write a tag export script for using the HTTP Connector to configure a periodic export of tags as CSV files over HTTP or HTTPS (for example, once per hour or once per minute).

You can also retrieve tag values for a specific historical period with one of the following methods:

• Using OPC UA Connector if the monitored asset supports access to historical data according to the OPC UA HDA standard
• Using HTTP Connector by uploading CSV files containing historical data

[Topic 248020]

Create asset

System administrators can manage assets and tags.

In Kaspersky MLAD, you can create assets and categorize tags by asset as you see fit. For example, you can create assets to align with the production structure of the monitored asset, right down to the devices that send telemetry data.

To create a new asset:

1. In the lower-left corner of the window, click .

   You will be taken to the administrator menu.

2. Select the Assets section.
3. In the upper part of the page, click the Create button.
4. In the panel that opens, in the Element type drop-down list, select the Asset value.
5. If necessary, click the Choose icon button and select an icon for the asset in the opened window.

   You can upload an asset icon by clicking the Load icon button. Images of any format larger than 128x128 pixels are shrunk to 128x128 while maintaining the aspect ratio. The size of the uploaded image in SVG format must not exceed 200 KB.

   If you need to delete the asset icon, click the tag icon and then click Delete in the opened window.

6. In the Asset drop-down list, select the section of the asset tree within which you want to create the asset.
7. Specify the asset name in the Name field.

   Asset names must be unique within a single asset tree section.

8. Enter a description for the asset in the Description field.
9. Select the type of asset from the Asset type drop-down list.

   If you have uploaded the configuration of assets and tags to Kaspersky MLAD, you can select one of the asset types defined in the configuration file. Asset types are specified in the directory_types tab of the configuration file. If you have not loaded an asset and tag configuration, select System asset.

10. If you have selected one of the asset types defined in the imported configuration file, specify values for the special parameters of the assets, if necessary.

    The names of special parameters are specified in the directory_types tab of the configuration file.

11. Click the Save button.

The asset will be created. If necessary, you can change the position of an asset in the tree.

You can also create nested assets using the asset tree. To do that, next to the name of the section to which you want to add the asset, open the vertical menu and select Add asset.

[Topic 248022]

Change asset settings

System administrators can manage assets and tags.

You can edit the settings of previously created assets.

To edit the settings of an asset in the asset tree:

1. In the lower-left corner of the window, click .

   You will be taken to the administrator menu.

2. Select the Assets section.
3. In the asset tree, next to the name of the asset whose settings you want to change, open the vertical menu  and select Edit asset.

   The Edit asset pane opens on the right.

4. Adjust the following settings in the panel that opens, if needed:
   • Asset icon
   • The section of the asset tree you want to assign the asset to

     The asset subsections and their tags are moved to the new asset.

   • Asset name.
   • Asset description
   • Asset type
   • Values for custom asset settings
5. Click the Save button.

The asset will be modified. If necessary, you can change the position of an asset in the tree.

[Topic 248018]

Create tag

System administrators can manage assets and tags.

In Kaspersky MLAD, you can create new tags to describe data received from the monitored asset (source tags) or from the Stream Processor service.

To create a new tag:

1. In the lower-left corner of the window, click .

   You will be taken to the administrator menu.

2. Select the Assets section.
3. In the upper part of the page, click the Create button.
4. In the panel that opens inside the Element type drop-down list, select Tag.
5. If necessary, click the Choose icon button and select an icon for the tag in the opened window.

   You can upload the tag icon by clicking the Load icon button. Images of any format larger than 128x128 pixels are shrunk to 128x128 while maintaining the aspect ratio. The size of the uploaded image in SVG format must not exceed 200 KB.

   If you need to delete the tag icon, click the tag icon and then click Delete in the opened window.

6. In the Asset drop-down list, select the section of the asset tree to which you want to assign the created tag.

   Assets in the asset tree must be preloaded or created manually.

7. Specify the unique tag name in the Name field. If you want to receive tag values from an external system, specify the tag name in the external system.
8. If necessary, enter a description for the tag in the Description field.
9. If necessary, specify an alternative name for the tag in the Alternative name field.
10. Enter the unique numerical identifier of the tag in the ID field.

    You can specify a value in the range of 1 to 1,000,000.

11. If necessary, in the Dimension field, specify the measurement units for the tag (for example % or mPa).
12. Optionally, in the Lower and Upper fields under Blocking threshold, enter the lower and upper thresholds for acceptable tag values.

    These settings are required for the Limit Detector to operate correctly. Whenever the tag value reaches its upper or lower blocking threshold, the Limit Detector registers an incident.

    If Always display blocking threshold is enabled, the vertical scale of the graph will be defined by threshold lines drawn at the lower and upper boundaries of the graphic area that the tag belongs to, provided that the tag values are within the specified range. If the tag values go beyond the specified thresholds, the vertical scale will be automatically changed to display the tag values exceeding the limits.

13. If necessary, in the Alarm threshold, in the Lower and Upper fields, specify the lower and upper thresholds of the tag values, upon reaching which it is necessary for the ICS to take emergency response measures.
14. Optionally, enter the minimum and maximum physically possible tag values in the Lower and Upper fields under Measurement confidence thresholds. Be sure to consider any limitations of the measuring equipment.
15. Optionally, in the Bias and Multiplier fields under Value conversion, enter the value to add to the tag value and the value to multiply the tag value obtained via connectors by.

    The application convert the tag values according to the formula: a * x + b, where:

    • a is the value of the multiplier specified in Multiplier.
    • x: the received tag value
    • b is the value of the offset specified in Bias.

    The application performs conversion when Scale obtained tag values in the connector settings is enabled. Value conversion is possible for tags obtained with the help of MQTT Connector, AMQP Connector, OPC UA Connector, WebSocket Connector, or KICS Connector.

    Value conversion is required when obtaining tag values in a unit of measurement that differs from the one specified in the Dimension field.

16. If the application receives tag values via KICS Connector, optionally, in the External system asset field, specify the name of the device created in the external system that you want to receive tags for.
17. If necessary, in the X, Y, and Z fields, specify the spatial coordinates for the location of the monitored asset's sensor.

    You can use an arbitrary point as the origin of the coordinate system.

    You can use sensor coordinates to calculate tag values when creating a preset and displaying them on the graph in the Time slice section.

18. If necessary, in the Comment field, enter a brief comment for the tag.
19. Click the Save button.

The new tag appears in the Tags group of the asset tree. The Tags group is created automatically and displayed as part of the selected section of the asset tree. If necessary, you can change the position of tags in the tree.

[Topic 255478]

Adding a tag to an asset

System administrators can manage assets and tags.

In Kaspersky MLAD, you can add tags to created assets.

To add a tag to an asset:

1. In the lower-left corner of the window, click .

   You will be taken to the administrator menu.

2. Select the Assets section.
3. In the asset tree, next to the section to which you want to add a tag, open the vertical menu and select Add tag.

   The Create tag pane opens on the right.

4. If necessary, click the Choose icon button and select an icon for the tag in the opened window.

   You can upload the tag icon by clicking the Load icon button. Images of any format larger than 128x128 pixels are shrunk to 128x128 while maintaining the aspect ratio. The size of the uploaded image in SVG format must not exceed 200 KB.

   If you need to delete the tag icon, click the tag icon and then click Delete in the opened window.

5. Specify the unique tag name in the Name field. If you want to receive tag values from an external system, specify the tag name in the external system.
6. If necessary, enter a description for the tag in the Description field.
7. If necessary, specify an alternative name for the tag in the Alternative name field.
8. Enter the unique numerical identifier of the tag in the ID field.
9. If necessary, in the Dimension field, specify the measurement units for the tag (for example % or mPa).
10. Optionally, in the Lower and Upper fields under Blocking threshold, enter the lower and upper thresholds for acceptable tag values.

    These settings are required for the Limit Detector to operate correctly. Whenever the tag value reaches its upper or lower blocking threshold, the Limit Detector registers an incident.

    If Always display blocking threshold is enabled, the vertical scale of the graph will be defined by threshold lines drawn at the lower and upper boundaries of the graphic area that the tag belongs to, provided that the tag values are within the specified range. If the tag values go beyond the specified thresholds, the vertical scale will be automatically changed to display the tag values exceeding the limits.

11. If necessary, in the Alarm threshold, in the Lower and Upper fields, specify the lower and upper thresholds of the tag values, upon reaching which it is necessary for the ICS to take emergency response measures.
12. Optionally, enter the minimum and maximum physically possible tag values in the Lower and Upper fields under Measurement confidence thresholds. Be sure to consider any limitations of the measuring equipment.
13. Optionally, in the Bias and Multiplier fields under Value conversion, enter the value to add to the tag value and the value to multiply the tag value obtained via connectors by.

    The application convert the tag values according to the formula: a * x + b, where:

    • a is the value of the multiplier specified in Multiplier.
    • x: the received tag value
    • b is the value of the offset specified in Bias.

    The application performs conversion when Scale obtained tag values in the connector settings is enabled. Value conversion is possible for tags obtained with the help of MQTT Connector, AMQP Connector, OPC UA Connector, WebSocket Connector, or KICS Connector.

    Value conversion is required when obtaining tag values in a unit of measurement that differs from the one specified in the Dimension field.

14. If the application receives tag values via KICS Connector, optionally, in the External system asset field, specify the name of the device created in the external system that you want to receive tags for.
15. If necessary, in the X, Y, and Z fields, specify the spatial coordinates for the location of the monitored asset's sensor.

    You can use an arbitrary point as the origin of the coordinate system.

    You can use sensor coordinates to calculate tag values when creating a preset and displaying them on the graph in the Time slice section.

16. If necessary, in the Comment field, enter a brief comment for the tag.
17. Click the Save button.

The new tag appears in the Tags group of the asset tree. The Tags group is created automatically and displayed as part of the selected section of the asset tree. If necessary, you can change the position of tags in the tree.

[Topic 248021]

Editing a tag

System administrators can manage assets and tags.

You can edit previously created tags.

To edit a tag:

1. In the lower-left corner of the window, click .

   You will be taken to the administrator menu.

2. Select the Assets section.
3. In the asset tree, next to the name of the tag that you want to change, open the vertical menu and select Edit tag.

   You can show or hide the data in the asset tree by using the and buttons to the left of the asset names.

   The Edit tag pane opens on the right. In the upper part of the pane that opens, the number of ML models that use the selected tag is displayed.

4. Adjust the tag settings, if needed. For a description of the settings, see the instructions on creating a tag.

   Kaspersky MLAD periodically verifies information about tags received from Kaspersky Industrial CyberSecurity for Networks. If a tag name and/or information about the tag asset were changed manually, the application automatically updates the tag name and/or information about the asset according to the tag and asset names in Kaspersky Industrial CyberSecurity for Networks after the next scan.

5. Click the Save button.

If necessary, you can change the position of tags in the tree.

[Topic 255479]

Moving assets and tags

System administrators can manage assets and tags.

You can move assets and/or tags within the asset tree. All assets and tags that are part of the selected asset will be moved.

To move an asset and/or tag:

1. In the lower-left corner of the window, click .

   You will be taken to the administrator menu.

2. Select the Assets section.
3. In the asset tree, select the check boxes next to the names of the assets and/or tags that you want to move.
4. In the upper part of the page, click the Move button.
5. In the panel that opens, in the Asset drop-down list, select the asset to which you want to transfer the selected assets and/or tags.
6. Click the Save button.

The modified asset tree appears in the Assets section.

You can also change the location of assets and tags in the tree using the dots () to the left of the name of the required asset or tag. To do this, click and hold the dots () to the left of the relevant asset or tag and drag the relevant asset or tag up or down in the tree.

[Topic 248023]

Deleting an asset or tag

System administrators can manage assets and tags.

You can delete assets and/or tags from the asset tree if the selected tags or tags associated with the selected asset are not used by ML models.

Removing a tag from the application does not remove it from the monitored asset. Kaspersky MLAD will continue to receive telemetry data on the tag and, if saving of all tags values is enabled, the data will be stored in Time Series Database.

The tag must be removed from the connector configuration file before deletion.

To delete a tag:

1. In the lower-left corner of the window, click .

   You will be taken to the administrator menu.

2. Select the Assets section.
3. Perform one of the following actions:
   • In the asset tree, select the check box next to the name of the tag that you want to delete and click the Delete button at the top of the page.
   • In the vertical menu  to the right of the relevant tag, select Delete tag.
4. In the window that opens, confirm the deletion of the tag.

To delete an asset:

1. In the lower-left corner of the window, click .

   You will be taken to the administrator menu.

2. Select the Assets section.
3. Perform one of the following actions:
   • In the asset tree, select the check box next to the name of the asset that you want to delete and click the Delete button at the top of the page.
   • In the vertical menu  to the right of the relevant asset, select Delete asset.
4. In the window that opens, confirm the deletion of the asset.

To remove one or more assets and/or tags:

1. In the lower-left corner of the window, click .

   You will be taken to the administrator menu.

2. Select the Assets section.
3. In the asset tree, select the check boxes next to the names of the assets and/or tags.

   If you need to remove one or more tags from an asset, expand the corresponding section of the asset tree by clicking the plus sign (), and select the relevant tags.

4. Click the Delete button in the upper part of the page.
5. In the window that opens, confirm the removal of assets and/or tags.

If the selected assets and/or tags are not used by ML models, the icon is displayed in the window opposite the line Checking links between tags and added models. The selected tags will be permanently deleted from Kaspersky MLAD.

If the selected assets and/or tags are used by ML models, the icon is displayed in the window opposite the line Checking links between tags and added models. In this case, you cannot delete the selected assets and/or tags. To delete assets and/or tags, you must delete the ML models in which they are used.

[Topic 248024]

Checking the current structure of tags

System administrators can manage assets and tags.

Kaspersky MLAD receives telemetry data from monitored devices via connectors and stores tag IDs and values as defined in the asset tree, in Time Series Database. When saving of all tags values is enabled, the Time Series Database service also saves IDs and values of unknown tags (not listed in the asset tree).

Kaspersky MLAD allows you to compare the current tag structure displayed in the asset tree and used for a monitored asset to the one saved for this monitored asset in the Time Series Database service. Kaspersky MLAD detects tags that were received from external assets, but are missing in the current tag structure and are not used for the monitored asset. If necessary, you can add these tags to the current tag structure.

When receiving telemetry data on unknown tags via KICS Connector, the application also automatically creates these tags in the kics asset tree section.

To compare the current tag structure with the structure in the Time Series Database service:

1. In the lower-left corner of the window, click .

   You will be taken to the administrator menu.

2. Select the Assets section.
3. In the upper part of the page, click the Check tags button.

   The current tag structure used for the monitored asset is compared with the tag structure stored in the Time Series Database service. The comparison result is displayed in the upper part of the page.

   If missing tags are detected, Kaspersky MLAD displays a list of these tags with the names in the Tag <tag ID> format.

4. To add missing tags, do the following:
   1. For each detected tag, in the Asset field select the asset to which you want to assign the tag.
   2. Click the Add button.

   Kaspersky MLAD will add tags to the asset tree. Only the IDs, names in the Tag <tag ID> format, and the assets to which the tags are assigned are specified for these tags. If necessary, you can change the added tags.

[Topic 248025]

Uploading tag and asset configuration to the system

Tag and asset configuration is created while deploying Kaspersky MLAD and building an ML model. Tag and asset configuration is provided in XLSX file format.

System administrators can manage assets and tags.

To upload tag and asset configuration to Kaspersky MLAD:

1. In the lower-left corner of the window, click .

   You will be taken to the administrator menu.

2. Select the Assets section.
3. Click the Import button.

   The Hierarchical structure import pane opens on the right.

4. In the File import field, add an XLSX file containing the required configuration of assets and hierarchical structure tags.

   If you need to edit the asset and tag configuration file, click and select a new file.

5. In the Asset drop-down list, select the section of the asset tree to which you want to load the configuration of assets and tags from a file.

   For configuration files with top-level assets, designate the Root of the hierarchy as the target.

6. In the Import mode drop-down list, select one of the following values:
   • Add and update. Kaspersky MLAD will add new assets and tags from the configuration file and update information about previously created and/or imported assets and tags within the selected section.
   • Only update. Kaspersky MLAD will update information about previously created and/or imported assets and tags within the selected section.

     Any new assets or tags defined in the configuration file will not be incorporated into the hierarchy.

   • Overwrite. Kaspersky MLAD will delete previously created and/or imported assets and tags from the selected section and create new assets and tags from the configuration file.
7. If you want all assets and tags from the configuration file to be treated as new occurrences, enable the Treat all elements as new check box.

   You can use this toggle switch to upload nested assets repeated in different sections of the asset tree. To do this, load the nested asset configuration in Add and update import mode multiple times, and specify different parent assets each time you upload. However, you cannot load tags with names that match the names of previously created and/or loaded tags.

8. Click the Save button.

Tag and asset configuration will be uploaded to Kaspersky MLAD. The assets and tags are displayed as an asset tree.

[Topic 248026]

Saving tag and asset configuration to a file

System administrators can manage assets and tags.

You can save the structure of tags and assets to a file in XLSX format for subsequent use. For instance, you can edit existing asset and/or tag settings, or introduce new ones to the hierarchy. Then, upload the revised configuration file to the application again.

To save tag and asset configuration to a XLSX file:

1. In the lower-left corner of the window, click .

   You will be taken to the administrator menu.

2. Select the Assets section.
3. Click the Export button.

The asset and tag configuration will be saved to a file named mlad_structure.xlsx (see the example in the Appendix).

[Topic 248060]

Working with the main menu

This section contains a description of user tasks performed in the main menu of the application.

Access to application functions in the main menu depends on the role assigned to the user account. Users with the system administrator role have access to all functions of the application.

[Topic 248063]

Scenario: working with Kaspersky MLAD

This section describes the actions that can be taken by a user when working in the main menu of Kaspersky MLAD.

The scenario for working with the application consists of the following steps:

1. Creating presets to monitor the section of the protected facility

   For quick access to data, upload a preset configuration to Kaspersky MLAD. A preset configuration is created by a Kaspersky employee or certified integrator. A preset configuration is described in a JSON file. For an example of a preset configuration description, see the Appendix.

   You can create presets that include tags corresponding to industrial units, in the application web interface. If necessary, you can modify existing presets.

2. Preparing an ML model

   To analyze the telemetry on the monitoring object and detect anomalies, prepare ML models. Add ML models and markups to Kaspersky MLAD. Train the ML model elements and check the training results. Should adjustments be required, modify the training parameters and retrain the relevant elements. Start ML model inference to register incidents. If required, deploy the ML model to register incidents.

3. Viewing historical data

   Go to the History section. Choose the appropriate preset and define the date and time range to view historical data on process parameters and the results of their processing by ML models: generated artifacts and/or registered incidents. You can use navigation when viewing the historical data.

4. Monitoring in online mode

   To view the received values of process parameters and the results of their processing by ML models, go to Monitoring. Select the relevant preset and time interval to display the incoming data.

5. Viewing data in the Time slice section

   To view the values of the process parameters received from the monitored asset's sensors at a certain point in time, go to the Time slice section. Select the relevant preset and specify the date and time interval for viewing the data. You can use navigation when viewing the data.

6. Working with incidents

   Go to the Incidents section and view information about the registered incidents. Analyze the incidents and add expert opinions or comments where you can indicate if the registered incidents are anomalies.

   If you are subscribed to incident notifications, you will receive an email message when an abnormal situation arises. The message will indicate the date and time when the incident began and will provide a link you can use to go to the History section.

7. Working with events and patterns

   To work with events and patterns, configure attention settings and display of event parameters. Navigate to Event Processor and create monitors to track specific events, patterns, or event parameters. View the events and patterns detected by the Event Processor.

[Topic 248064]

Viewing summary data in the Dashboard section

The Dashboard section provides summary information on the number of events and observations for tags received by Kaspersky MLAD, registered incidents, and the status of services.

The information on the page is divided into the following blocks:

• Incoming data is a graph that displays the number of events and observations for tags received by Kaspersky MLAD. You can enable or disable the display of incoming events and observations for tags on the graph by clicking the corresponding data signature legend under the graph. The left scale of the graph displays the range for the number of observations for tags per second. The right scale of the graph displays the range for the number of incoming events per second.
• Latest incidents is a table that contains information about the latest registered incidents.
  • ID refers to the ID of the registered incident.
  • Date and time refers to the date and time when the incident occurred.
  • Model name refers to the name of the ML model whose element registered the incident.
  • Model element refers to the name of the ML model element that registered the incident.
  • Detector refers to the type of incident registered.
  • Status refers to the status of the registered incident as entered by an expert following an incident analysis or assigned automatically according to the incident status defined for the ML model element that registered the incident

  Clicking the button near an incident in the incidents table opens a window containing the technical attributes of the selected incident and tag:

  • Incident is a section containing information about the incident:
    • Model name refers to the name of the ML model whose element registered the incident.
    • Model element refers to the name of the ML model element that registered the incident.
    • Detector refers to the type of incident registered.
    • ML model element artifact value refers to deviation of the monitored asset's behavior from normal at the time of incident registration. This is absent if the incident is registered by Limit Detector or Stream Processor.
    • Threshold value refers to the threshold value for registering an incident by an ML model element. For any incident detected by Limit Detector, the specific threshold (upper or lower) reached by the tag is recorded.
  • Top tag is a section that contains information about the tag that had the greatest impact on incident registration:
    • Top tag name (top tag ID) is the name and ID of the tag that had the greatest impact on incident registration.
    • Top tag value is the value of the top tag registered when the incident occurred.
    • Blocking threshold refers to maximum permissible top tag values. Limit Detector requires these settings to function correctly. Whenever the tag value reaches its upper or lower blocking threshold, the Limit Detector registers an incident.
    • Description refers to a description of the top tag.
    • Measurement units refer to the units for measuring the top tag values.
• Data processing refers to a table that displays the statuses of services used for processing events and observations according to tags received by Kaspersky MLAD, training and inferencing ML models, and registering incidents.
• Status of services is a table that displays the status of each service.

You can proceed to the History section from the Dashboard section by clicking the date and time of an incident in the Latest incidents table. The History section displays detailed information about the incidents registered by Kaspersky MLAD.

Dashboard section

[Topic 248065]

Viewing incoming data in the Monitoring section

In the Monitoring section, you can view the real-time values of the tags included in the preset and their predicted values.

The central part of the Monitoring section consists of a set of horizontal segments designed to display graphs. Each such segment is called a graphic area. The graphic areas for the selected preset are displayed first. A single graphic area of a preset can display a graph of one tag or graphs of multiple tags superimposed over each other. The composition of tags whose data is shown in the graphic area can be determined when you create a preset. The graphs display the values of preset tags received by Kaspersky MLAD from the monitored object. You can choose ML model elements and customize graph display for the graphs for individual graphic areas to show artifacts linked to the tags associated with those areas and generated by the ML model elements that use these tags.

Graphic areas for each selected ML model element are displayed after the preset graphic areas. These graphical areas display graphs of ML model element artifacts. The value of an ML model element artifact depends on the analytical algorithms used by the element. It is displayed as a colored line. The color of the line corresponds to the color selected for the Color of incident dot indicators setting when the corresponding element was created. Graphs also display an orange line that represents the threshold. When a value exceeds this threshold, the ML model element registers an incident.

At the bottom of the section, there is a graphic area that displays a graph of the ML model element artifact selected in the ML model element artifact graph display settings panel. The red line on the graph corresponds to the value of the ML model element artifact, while the orange line represents a threshold. When the value crosses this threshold, Kaspersky MLAD registers an incident. The area on the graph where the value of the ML model element artifact exceeds the specified threshold is colored red. Below the graph, color-coded dots that represent recorded incidents are displayed.

Depending on the selected time scale and the density of incidents, one dot indicator may correspond to one or multiple closely-spaced incidents that were registered by one or multiple ML model elements. The color of the indicator points relating to incidents recorded by a single ML model element is assigned when that element is created. Purple is reserved for indicator points that correspond to a group of incidents recorded by different elements. Red is reserved for indicator points that correspond to incidents recorded by Limit Detector.

Monitoring section

[Topic 248066]

Viewing data for a specific preset in the Monitoring section

Kaspersky MLAD allows you to select presets for which real-time data is displayed.

To view incoming data for a specific preset in real time:

1. In the main menu, select the Monitoring section.
2. On the opened page, select the relevant preset from the Preset drop-down list.

The page will display graphs for the tags included in the selected preset, according to the graphic area settings specified when that preset was created.

You can change the time interval for data display, customize graph display, or select a specific ML model element to view their output. You can also change which tags are displayed by editing the preset.

[Topic 248067]

Selecting elements of the ML models in the Monitoring section

Under Monitoring, you can view real-time values of tags included in the preset, artifacts generated by selected ML model elements, and the number of registered incidents.

When multiple ML models are applied to processing data for a monitored object, Kaspersky MLAD gives you the option to select several components of these models to visualize their inference results: An ML model element is not created for the Limit Detector. The dot indicators of incidents registered using this detector are displayed if use of the Limit Detector is enabled and the display of indicators for all incidents is enabled.

The functionality is available after a license key is added.

To view the inference results of an ML model element:

1. In the main menu, select the Monitoring section.
2. On the opened page, select one or several elements of the ML model from the Model element drop-down list.

   Element names are displayed as <ML model name>  <element name>.

   Graphic areas for the selected preset will display the values of tags received by Kaspersky MLAD within the selected time interval. When you customize graph display, graphs for individual graphic areas will show artifacts linked to the tags associated with those areas and generated by the ML model elements that use these tags.

   The central part of the section will display graphs for artifacts from the selected ML model elements. The values shown on the graphs depend on the analytical algorithms used by the elements to identify anomalies.

   To hide the artifacts for a selected ML model element, click next to the element.

3. To display a graph of a specific ML model element's artifact at the bottom of the section, do the following:
   1. Click the button below the tag graphs on the left side of the page.

      The ML model element artifact graph display settings pane appears on the right.

   2. From the Model element drop-down list, select the ML model element. You can select only one ML model element from the list.
   3. Click the Close button.

   The graph will show the value of the ML model element's artifact as a red line. The graph area above the orange threshold line is highlighted in red to indicate above-threshold artifact values.

The lower part of the graph displays the dot indicators of incidents that were registered by the selected ML model elements. If the display of indicators for all incidents is enabled, dot indicators for incidents that were registered by all ML models and Limit Detector will be displayed.

[Topic 248068]

Selecting a time interval in the Monitoring section

Kaspersky MLAD lets you select the time interval (scale) for displaying incoming data.

To select a time interval:

1. In the main menu, select the Monitoring section.
2. On the opened page, select the necessary time interval from the drop-down list. The following values are available by default:
   • 1, 5, 10, 15, and 30 minutes
   • 1, 3, 6, and 12 hours
   • 1, 2, 15, and 30 days
   • 3 and 6 months
   • 1, 2, and 3 years

   If necessary, the system administrator can create, edit, or delete time intervals.

The graphs for the selected preset will display the tag values and inference results for the selected ML model elements, for the chosen time interval.

[Topic 248069]

Configuring how graphs are displayed in the Monitoring section

Kaspersky MLAD lets you configure how the graphic areas of presets are displayed in the Monitoring section.

To customize the appearance of preset graphic areas:

1. In the main menu, select the Monitoring section.
2. On the opened page, click the button in the upper part of the screen.

   The Graph display settings pane appears on the right.

3. In the Graph height drop-down list, select one of the following values: 55 px, 110 px, 145 px, 190 px.

   By default, the Graph height parameter is set to 55 px.

4. In the To go to the History section, use drop-down list, select the preset whose graphs should be displayed by default when you navigate to the History section.
5. Turn on the Show observation graphs in selected color toggle switch, and select a color in the Color of observation graphs field as needed.
6. Turn on the Show prediction graphs in selected color toggle switch, and select a color in the Prediction graph color field as needed.
7. Use the Tag name and description toggle switch to enable or disable display of the tags descriptions and names on the left of the graphs.
8. Use the Predicted tag value toggle switch to enable or disable display of the predicted tags values on graphs.
9. Use the Individual tag error toggle switch to turn on or off the display of individual tag value prediction errors on graphs.
10. Use the Display indicators for all incidents toggle switch to enable or disable display of the dot indicators for incidents registered by all ML models or Limit Detector.

    If this switch is disabled, only the dot indicators for incidents that were registered by the selected ML model elements will be shown.

11. If you need the graphs to display the defined technical limits for tags:
    1. Turn on the Blocking threshold toggle switch.
    2. If you need to always display the defined technical limits, turn on the Always display blocking threshold toggle switch.

       If this switch is disabled, the technical limits will be displayed only if a tag value is approaching the corresponding limit in the graph area displayed on the screen.

12. Use the Additional threshold lines toggle switch to enable or disable the display of additional threshold lines on the graph.
13. Click the Close button to return to viewing graphs in the Monitoring section.

The defined settings for displaying graphic areas of presets in the Monitoring section will be applied.

[Topic 248070]

Viewing data in the History section

The History section provides access to the history of incoming data, the results of data processing by Kaspersky MLAD, generated ML model artifacts, and registered incidents information.

The central part of the History section consists of a set of horizontal segments designed to display graphs. Each such segment is called a graphic area. The graphic areas for the selected preset are displayed first. A single graphic area of a preset can display a graph of one tag or graphs of multiple tags superimposed over each other. The composition of tags whose data is shown in the graphic area can be determined when you create a preset. The graphs display the values of preset tags received by Kaspersky MLAD from the monitoring object during the selected time interval. You can choose ML model elements and customize graph display for the graphs for individual graphic areas to show artifacts linked to the tags associated with those areas and generated by the ML model elements that use these tags.

Graphic areas for each selected ML model element are displayed after the preset graphic areas. These graphic areas display graphs for ML model element artifacts. The value of an ML model element artifact depends on the analytical algorithms used by the element. It is displayed as a colored line. The color of the line corresponds to the color selected for the Color of incident dot indicators setting when the corresponding element was created. Graphs also display an orange line that represents the threshold. When a value exceeds this threshold, the ML model element registers an incident.

At the bottom of the section, there is a graphic area that displays a graph of the ML model element artifact selected in the ML model element artifact graph display settings panel. The red line on the graph corresponds to the value of the ML model element artifact, while the orange line represents a threshold. When the value crosses this threshold, Kaspersky MLAD registers an incident. The area on the graph where the value of the ML model element artifact exceeds the specified threshold is colored red. Below the graph, color-coded dots that represent recorded incidents are displayed.

Depending on the selected time scale and the density of incidents, one dot indicator may correspond to one or multiple closely-spaced incidents that were registered by one or multiple ML model elements. The color of the indicator points relating to incidents recorded by a single ML model element is assigned when that element is created. Purple is reserved for indicator points that correspond to a group of incidents recorded by different elements. Red is reserved for indicator points that correspond to incidents recorded by Limit Detector.

History section

[Topic 248071]

Viewing historical data for a specific preset

Kaspersky MLAD allows you to select custom presets for which historical data is displayed. If you want to view historical data for tags in the Tags for incident #<incident ID> dynamic preset, click the incident registration date under Incidents. The Tags for incident #<incident ID> dynamic preset contains tags that had the greatest influence on the generation of a registered incident.

To view historical data for a specific preset:

1. In the main menu, select the History section.
2. On the opened page, select the relevant preset from the Preset drop-down list.

The page will display graphs for the tags included in the selected preset, according to the graphic areas settings specified when that preset was created.

You can use the time navigation function to view the entire history of data. You can edit the date and time interval or select ML model elements to view their output, if needed. You can also change which tags are displayed by editing the preset.

[Topic 248072]

Selecting elements of the ML model in the History section

History provides the history of incoming data, the results of its processing by Kaspersky MLAD, artifacts generated by selected ML model elements, and registered incidents.

When multiple ML models are applied to processing data for a monitored object, Kaspersky MLAD gives you the option to select several components of these models to visualize their inference results: An ML model element is not created for the Limit Detector. The dot indicators of incidents registered using this detector are displayed if use of the Limit Detector is enabled and the display of indicators for all incidents is enabled.

The functionality is available after a license key is added.

To view the inference results of an ML model element:

1. In the main menu, select the History section.
2. On the opened page, select one or several elements of the ML model from the Model element drop-down list.

   Element names are displayed as <ML model name>  <element name>.

   Graphic areas for the selected preset will display the values of tags received by Kaspersky MLAD for the selected time interval. When you customize graph display, graphs for individual graphic areas will show artifacts linked to the tags associated with those areas and generated by the ML model elements that use these tags.

   The central part of the section will display graphs for artifacts from the selected ML model elements. The values shown on the graphs depend on the analytical algorithms used by the elements to identify anomalies.

   To hide the artifacts for a selected ML model element, click next to the element.

3. To display a graph of a specific ML model element's artifact at the bottom of the section, do the following:
   1. Click the button below the tag graphs on the left side of the page.

      The ML model element artifact graph display settings pane appears on the right.

   2. From the Model element drop-down list, select the ML model element. You can select only one ML model element from the list.
   3. Click the Close button.

   The graph will show the value of the selected ML model element's artifact as a red line. The graph area above the orange threshold line is highlighted in red to indicate above-threshold artifact values.

The lower part of the graph displays the dot indicators of incidents that were registered by the selected ML model elements. If the display of indicators for all incidents is enabled, dot indicators for incidents that were registered by all ML models and Limit Detector will be displayed.

[Topic 248073]

Selecting a date and time interval in the History section

Kaspersky MLAD lets you choose the date and a fixed time interval (scale) for displaying historical data or a user-defined time interval (for example, when an incident was detected).

To select the date for displaying historical data:

1. In the main menu, select the History section.
2. Click the button. In the opened window, select the date and time for which you need to display historical data on graphs.
3. Click the Apply button.

   The vertical blue line on graphs will indicate the selected date and time (in the center of the graph).

4. If you need to select other date and time (point) on the graph, click the button on the left of the time axis and select the relevant point.

   The selected point will become the new center of the graph. The vertical blue dashed line will indicate the selected date and time.

To select a time interval for displaying historical data:

1. In the main menu, select the History section.
2. On the opened page, do one of the following:
   • If you need to display data for a fixed time interval, select the relevant time interval from the drop-down list. The following time intervals are available by default:
     • 1, 5, 10, 15, and 30 minutes
     • 1, 3, 6, and 12 hours
     • 1, 2, 15, and 30 days
     • 3 and 6 months
     • 1, 2, and 3 years

     If necessary, the system administrator can create, edit, or delete time intervals.

   • To display data for a custom time interval, click on the left of the time axis, select an interval on the time axis, and click . If you need to change the scale again, repeat this step.

The graphs for the selected preset will display the tag values and inference results for the selected ML model elements, for the chosen time interval.

[Topic 248074]

Navigating through time in the History section

Kaspersky MLAD provides the capability to navigate through time for convenient viewing of historical data.

To use time navigation when viewing data:

1. In the main menu, select the History section.
2. On the opened page, select the time interval for the data that you want to view.
3. Use the and buttons in the upper part of the page to move along the time axis to the right or left.

The time axis for viewing historical data on the graph will shift to the selected time interval.

Navigating through time

On graphs, a vertical blue dashed line indicates the midpoint of the selected time interval and matches the selected date and time. If an interval of 1 day is selected, the graph displays historical data for the 12-hour periods before and after the selected date and time relative to the dashed line. If necessary, you can change the time interval.

[Topic 248075]

Configuring how graphs are displayed in the History section

Kaspersky MLAD lets you configure the settings for displaying graphic areas of presets in the History section.

To customize the appearance of graphic areas:

1. In the main menu, select the History section.
2. On the opened page, click the button in the upper part of the screen.

   The Graph display settings pane appears on the right.

3. In the Graph height drop-down list, select one of the following values: 55 px, 110 px, 145 px, 190 px.

   By default, the Graph height parameter is set to 55 px.

4. Turn on the Show observation graphs in selected color toggle switch, and select a color in the Color of observation graphs field as needed.
5. Turn on the Show prediction graphs in selected color toggle switch, and select a color in the Prediction graph color field as needed.
6. Use the Tag name and description toggle switch to enable or disable display of the tags descriptions and names on the left of the graphs.
7. Use the Predicted tag value toggle switch to enable or disable display of the predicted tags values on graphs.
8. Use the Individual tag error toggle switch to turn on or off the display of individual tag value prediction errors on graphs.
9. Use the Display indicators for all incidents toggle switch to enable or disable display of the dot indicators for incidents registered by all ML models or Limit Detector.

   If this switch is disabled, only the dot indicators for incidents that were registered by the selected ML model elements will be shown.

10. If you need the graphs to display the defined technical limits for tags:
    1. Turn on the Blocking threshold toggle switch.
    2. If you need to always display the defined technical limits, turn on the Always display blocking threshold toggle switch.

       If this switch is disabled, the technical limits will be displayed only if a tag value is approaching the corresponding limit in the graph area displayed on the screen.

11. Use the Additional threshold lines toggle switch to enable or disable the display of additional threshold lines on the graph.
12. Click the Close button to return to viewing graphs in the History section.

The defined settings for displaying graphic areas of presets in the History section will be applied.

[Topic 248076]

Viewing data in the Time slice section

In the Time slice section, you can view the values of process parameters received from sensors of the monitored asset at the same point in time. The sensors must be of the same type (have the same dimension) and must be positioned linearly, like pressure sensors in an oil pipeline, for example.

Data is presented in the form of graphs that display whether an incident was detected at the selected time and where the likely source of the incident is located.

The lower part of the page contains a section displaying the individual errors of tags. The data is presented as a bar graph. The error value for each tag is displayed when the mouse cursor hovers over the relevant column. The prediction error graph is located on the right of the preset tag graphs.

In the Time slice section, you can use the drop-down list to select a preset and the date and time when data was received. This list includes special presets that can be created in the Presets section. A special preset should contain only tags of the same type that have defined x-axis coordinates. You can additionally specify expressions dynamically calculated for each tag based on actual and predicted tag values, individual prediction errors, and tag coordinate values and constants defined in expressions.

You can also customize the display of graphs, select a time interval for viewing data, and select a specific element of the ML model to view the individual errors of preset tags obtained as a result of data processing by the selected element of the ML model.

Data processing results can be displayed only for predictive ML model elements.

Time slice section

[Topic 248077]

Viewing data for a specific preset in the Time slice section

To view data for a specific preset:

1. In the main menu, select the Time slice section.
2. On the opened page, select the relevant preset from the Preset drop-down list.

The page displays graphs for tags that are included in the selected preset.

If necessary, you can change the time interval for displaying data, customize the display of a graph, or select a specific element of the ML model. You can also change which tags are displayed by editing the preset.

[Topic 248078]

Selecting a specific element of the ML model in the Time slice section

If the ML model used for a monitored asset has several elements for processing and predicting data, Kaspersky MLAD lets you select a specific element of the ML model to display the individual tag errors obtained as a result of this element in the Time slice section.

The functionality is available after a license key is added.

Data processing results can be displayed only for predictive ML model elements.

To view the individual tag errors resulting from data processing by a specific ML model element:

1. In the main menu, select the Time slice section.
2. On the opened page, select the relevant element of the ML model from the Model element drop-down list.

   Element names are displayed as <ML model name>  <element name>.

The bottom of the section displays the individual tag errors resulting from data processing by the selected element of the ML model.

[Topic 248079]

Selecting a date and time interval in the Time slice section

Kaspersky MLAD lets you select a date and time interval (scale) for displaying incoming data.

To select the date for displaying incoming data:

1. In the main menu, select the Time slice section.
2. Click the button. In the opened window, select the date and time for which you need to display data.
3. Click the Apply button.

   The graphs will display the tag values for the selected date and time.

To select a time interval for displaying incoming data:

1. In the main menu, select the Time slice section.
2. Select the required time interval from the drop-down list in the upper part of the opened page. The following time intervals are available by default:
   • 1, 5, 10, 15, and 30 minutes
   • 1, 3, 6, and 12 hours
   • 1, 2, 15, and 30 days
   • 3 and 6 months
   • 1, 2, and 3 years

   If necessary, the system administrator can create, edit, or delete time intervals.

The page will display graphs of the defined preset for the selected time interval.

[Topic 248080]

Navigating through time in the Time slice section

Kaspersky MLAD provides the capability to navigate through time for convenient viewing of data.

To use time navigation when viewing data:

1. In the main menu, select the Time slice section.
2. On the opened page, select the time interval for the data that you want to view.
3. Use the and buttons in the upper part of the page to move along the time axis to the right or left.

The time axis for viewing data on the graph will shift to the selected time interval.

Navigating through time

[Topic 248081]

Configuring how graphs are displayed in the Time slice section

Kaspersky MLAD lets you configure the settings for displaying preset graphs in the Time slice section.

To configure the display settings for preset graphs:

1. In the main menu, select the Time slice section.
2. On the opened page, click the button located in the upper part of the screen.

   The Graph display settings pane appears on the right.

3. In the Graph height drop-down list, select one of the following values: 55 px, 110 px, 145 px, 190 px.

   By default, the Graph height parameter is set to 55 px.

4. Click the Close button to return to viewing the graphs.

The graph display settings will be applied.

[Topic 248082]

Working with events and patterns

The Event Processor section provides data on events and the structure of

patterns

Sequence of events or other patterns identified within the stream of events from the monitored asset.

Sequence of events or other patterns identified within the stream of events from the monitored asset.

Sequence of events or other patterns identified within the stream of events from the monitored asset.

In the Event Processor section, you can view the history of received events and the registration history of new and/or persistently recurring patterns. You can also configure the display of event parameters and can configure pattern registration settings. On the Monitoring tab, you can monitor specific events, patterns, or values of event parameters, and generalized events and patterns received by the Event Processor within the data stream from monitored assets.

The functionality is available after a license key is added.

If restarted, Kaspersky MLAD restores the state of the Event Processor service and pauses the processing of data received from the CEF Connector. This data is temporarily stored in the internal queue of the application message broker. Until the Event Processor service is restored, the Event Processor section tabs will display a notification informing you that the Event Processor service has stopped. This service restoration process may take several minutes if there is a significantly large number of processed events or registered patterns.

Event Processor section

[Topic 247975]

About Event Processor

The Kaspersky MLAD Event Processor is designed to detect regularities in the form of recurring events and patterns in the stream of events received from monitored assets and to detect new events and patterns. New events and patterns may indicate an anomaly in the monitored asset operation.

You can also focus the event processor attention on the overall behavior of the monitored asset. The event processor will register generalized events and patterns that lack generalized event parameters.

[Topic 247976]

About events

Data received from monitored assets and from the Anomaly Detector service are processed as events by the Event Processor service. Event is a set of values taken from a predetermined list of parameters and indicating what happened on a monitored asset at a given moment. The set of event parameters depends on the monitored asset and is defined in the configuration file for the Event Processor service.

The Event Processor is designed to work only with categorical values of the event parameters. Event parameter values are converted to string type. Kaspersky MLAD uses the Anomaly Detector service to work with numeric values of telemetry data when processing the event stream. The system administrator can enable the processing of incidents received from the Anomaly Detector service when configuring the Event Processor service settings.

An event is a phenomenon distinct from other events. There may also be intervals of time during which no events have occurred. Event registration may be affected by such factors as the actions of personnel, changes in the asset operating mode at the facility, or the execution of ICS commands by a specialist.

Examples of situations that may lead to event registration in Kaspersky MLAD

An event is registered once by the Event Processor service. When an event stream is received, the Event Processor recognizes previously detected events. If events are found that do not match those previously detected, the Event Processor registers new events.

You can view the received events as a graph or a table. To view events, you need to upload them to Event Processor → Event history. Event parameters specified in the configuration file for the Event Processor service may not appear in all events received from the monitored asset. Thus, some parameters may be missing when you view the received events.

[Topic 247977]

About patterns

The Event Processor detects regularities in the stream of events arriving from the monitored asset. These regularities are detected as a hierarchy of stable (persistently recurring) patterns, which can be either simple patterns (sequences of events) or composite patterns (sequences of patterns). The patterns that form a composite pattern are called subpatterns.

A sequence of events or patterns is considered recurrent if its constituent elements follow the same order, and the time intervals between similar elements in different sequences differ from each other by no more than a specific maximum range. The allowable range of intervals between the pattern elements is calculated considering the value of the Coefficient defining the permitted dispersion of the pattern duration parameter. Patterns are the result of the specific facility's adopted practices, prescribed procedures, or technical specifics of the industrial process.

The Event Processor presents the detected regularities as a layered hierarchy of nested elements (pattern structure) down to the event level. Events are the first layer elements, simple patterns are the second layer elements, and composite patterns are the third and higher layer elements. Event parameter values are elements of the null layer.

A pattern is registered once by the Event Processor service. When an event stream is received, the Event Processor recognizes previously detected patterns. If patterns are found that do not match previously detected regularities, the Event Processor registers new patterns.

New patterns also include the sequences of events or patterns with a deviation in the order or composition of subpatterns (for example, turning on an industrial unit before the operator has arrived at the workstation) or with significant changes in the intervals between events or subpatterns even though their sequence is preserved (for example, turning on an industrial unit immediately after or a lot later than the operator arrived at the workstation). Thus, the Event Processor registers patterns with a new structure.

New patterns may indicate an anomaly in the monitored asset operation. You can view the structure of the new pattern and examine its deviations from the structure of previously detected patterns.

If a newly identified sequence of events or patterns begins to repeat in a persistent manner, this sequence is converted to a stable pattern.

Event Processor can register patterns where the values of one or more event parameters, such as the name of the employee who turned on the machine, are irrelevant. These patterns are referred to as generalized. To register generalized patterns, set Generalized attention as the attention type when configuring attention. You can also specify Generalized parameter as the condition type when configuring attention subject conditions. Generalized attention subject and condition parameters will not be displayed when viewing the structure of generalized patterns on the Patterns history tab.

[Topic 247978]

About attention

The event stream from the monitored asset usually contains many unrelated events. The Event Processor service supports an attention mechanism to detect patterns based on a specific subset of events from the entire stream.

Attention is a special event processor configuration intended to track events and patterns for specific subsets of event history, and to detect commonalities in the behavior of the monitored asset.

Attention heads form the foundation of attention configuration. They define the attention subject parameter and attention subject condition parameters. The attention subject corresponds to the main event parameter that the event processor will use to register events and patterns. The conditions correspond to additional criteria for registering events and patterns for other event parameters. An attention head processes only those events in the entire incoming event stream that satisfy the specified attention subject and conditions. The event processor can process event streams for multiple attention heads simultaneously.

The event processor can register generalized events and patterns to track general behavior for different attention subject values. To do this, set Generalized attention as the attention type when configuring the attention subject. You can also specify Generalized parameter as the condition type when configuring attention subject conditions. Generalized attention subject and condition parameters will not be displayed when viewing generalized events or patterns. They will, however, influence the rules for extracting these generalized events and patterns from the stream.

You can configure attention in the Event Processor section.

[Topic 247979]

About Event Processor operating modes

Kaspersky MLAD has the following operating modes of the Event Processor service:

• Online mode. In the online mode, the Event Processor processes the incoming stream as episodes. An episode is a sequence of events from the entire stream that is limited by a specific time period and/or the number of events. An episode is formed when one of the following conditions is fulfilled:
  • The episode accumulation time reached the limit defined by the Interval for receiving batch events (sec.) parameter of the Event Processor service.
  • The number of accumulated events reached the limit defined by the Batch size in online mode (number of events) parameter of the Event Processor service.

  Based on an episode received in the event stream, the Event Processor service detects new and/or repeated (stable) events and patterns for each of the defined attention heads. You can configure attention heads in the Event Processor section.

  When an event with the timestamp belonging to a previously processed episode is received, the Event Processor service does not revise the structure of patterns detected during the processing of that episode. The Event Processor service takes into account the events received by Kaspersky MLAD with a delay when detecting patterns during the event history reprocessing in the sleep mode.

• Sleep mode. To improve the quality and structure of the identified patterns, the Event Processor can switch to sleep mode according to the specified schedule. Processing of the event stream in the online mode is paused, and Kaspersky MLAD accumulates incoming events in the internal limited buffer on the server for subsequent processing after the application switches from the sleep mode back to online mode.

  In sleep mode, the Event Processor re-analyzes sequences of events that were previously processed in online mode. To detect more complex pattern structures in the sleep mode, the Event Processor processes sequences of events during longer time intervals than the episode accumulation time in the online mode.

  In the Event Processor service settings, you can configure a schedule for the sleep mode (for example, at the time when the event stream is least intense) and define a time interval for the events analyzed in the online mode to be forwarded for reprocessing in the sleep mode.

[Topic 247980]

About monitors

A monitor is the source of notifications about patterns, events, or values of event parameters detected by the Event Processor according to the defined monitoring criteria. The monitoring criteria define the attention head, additional filters for event parameter values, a sliding time window, and the number of consecutive monitor activations within that window.

You can create monitors for alerts about the following detections in the event stream:

• Values of event parameters. You can create a monitor for alerts about the identification of new or previously encountered values of a specific event parameter. For example, to track new users on a monitored asset, create a monitor with the Parameter values subscription type and configure it to detect new values for the User parameter.
• Events. You can create a monitor for alerts about the identification of new or previously encountered events. You can also focus the attention of the Event Processor on a specific parameter of events. For example, to track new actions of a specific user at the monitored asset, you need to create a monitor with the Events subscription type and specify the name of the user whose actions you want to track in the User event parameter.
• Patterns. You can create a monitor for alerts about the identification of new or previously encountered patterns. For example, to track regularities in the actions of a specific user at the monitored asset, create a monitor with the Patterns subscription type, focus the attention of the Event Processor on the User parameter, and set this parameter to the name of the user whose actions you want to track.
• Similar generalized events or patterns. You can create a monitor to receive alerts about similar generalized events or patterns. If you want to track overall patterns in the actions of different users on a monitored asset, then when creating a monitor, you need to select the Similar generalized subscription type, choose the generalized attention head for User, and select Subscription to patterns for Subscription to events or patterns.
• Unique generalized events or patterns. You can create a monitor to receive alerts about unique generalized events or patterns. For example, to track new overall patterns in the actions of any user, select the Unique generalized subscription type when creating a monitor. For User, select a generalized attention head with conditions for additional parameters that match your expectations of different users' behavior. Select Subscription to patterns for Subscription to events or patterns. For Sliding window (sec.), specify a time interval for the event processor to wait for a similar generalized pattern for other users. If the event processor does not detect such a pattern, the monitor will send an activation alert.

You can set fuzzy filters in the monitoring criteria. For example, you can create a monitor to track situations when a user (monitoring all values of the User parameter) accessed the accounting server (the value of the Server parameter) more than ten times (the value of the Activation threshold field) in the last five minutes (the value of the sliding time interval).

When events, patterns and event parameter values matching the monitoring criteria are detected in the stream of incoming data, the Event Processor activates the monitor. Kaspersky MLAD displays information about the number of monitor activations when viewing a monitor, and sends to the external system alerts about the activation of monitors when the specified threshold is reached for a sliding window using the CEF Connector.

The custom monitors are displayed in the Event Processor section on the Monitoring tab.

[Topic 284059]

Configure display of event parameters

Before the Event Processor service can process events, you need to configure the way event parameters are displayed.

The functionality is available after a license key is added.

To configure how event settings are displayed:

1. In the main menu, select the Event Processor → Monitoring section.
2. On the page that opens, click Configure filter display.

   The Configure display of event parameter filters panel will appear on the right.

3. To configure the display of filters for the event parameters, in the Filters section on the Event history and Patterns history tabs, select the check boxes next to the names of the desired event parameters.

   By default, the pane displays the event parameters from the Anomaly Detector service. To display custom event parameters, load the Event Processor service configuration file. All available event parameters are selected by default.

   If the Process incidents as events function is enabled, the Event Processor receives events with the following parameters:

   • incident_detection_system refers to the type of incident registered.
   • incident_model_name – the name of the ML model used.
   • incident_tag_name – the name of the tag whose behavior invoked registration of the incident.
   • incident_group_name – the name of the incident group to which the registered incident belongs.
   • incident_triggered_tag_value – the value of the tag whose behavior invoked registration of the incident.
   • incident_id – the ID of the registered incident.
   • incident_tag_id – the ID of the tag whose behavior invoked registration of the incident.

   If necessary, in the Filters section you can change the display order for the event parameters. To do so, drag the event parameter to the required place in the Configure display of event parameter filters panel by holding the dots () on the left of the event parameter name.

4. Click the Save button.

[Topic 248037]

Configure attention settings

Before events are processed by the Event Processor service, attention settings must be configured.

Attention heads form the foundation of attention configuration. They define the attention subject parameter and attention subject condition parameters. The attention subject corresponds to the main event parameter that the event processor will use to register events and patterns. The conditions correspond to criteria for registering events and patterns for other event parameters. An attention head processes only those events in the entire incoming event stream that satisfy the specified attention subject and conditions.

The event processor can register generalized events and patterns to track general behavior for different attention subject values. To do this, set Generalized attention as the attention type when configuring the attention subject. You can also specify Generalized parameter as the condition type when configuring attention subject conditions. Generalized attention subject and condition parameters will not be displayed within registered events or patterns. They will, however, influence the rules for extracting these generalized events and patterns from the stream.

All created attention heads and information about these are displayed in the Attention heads panel. To view information about attention heads in the Attention heads panel, click Configure attention.

[Topic 290575]

Adding an attention head

You can create multiple attention heads and use different attention heads for different monitors simultaneously.

The functionality is available after a license key is added.

A large number of attention heads can lead to reduced event processor performance and slow down the core Kaspersky MLAD services, such as data reception, anomaly detection, and the web interface. To clarify the number of attention heads, it is recommended to consult with Kaspersky experts or a certified integrator.

To add an attention head:

1. In the main menu, select the Event Processor → Monitoring section.
2. On the page that opens, click Configure attention.

   The Attention heads panel appears on the right.

3. To add an attention head, click Add attention head.

   The Add attention head panel appears on the right.

4. In the Name field, specify the attention head name.
5. To use the attention head when processing an event flow, set the State toggle switch to Active.
6. Under Attention subject, do the following:
   1. From the Event parameter drop-down list, select the primary event parameter you want to register events and patterns for.
   2. In the Attention type drop-down list, select one of the following values:
      • Attention. When registering events and patterns, the event processor's attention will be directed to the selected event parameter based on selected value.
      • Generalized attention. When registering events and patterns, the event processor will aggregate the selected values by selected event parameter.

        When this attention type is selected, the event processor will register generic patterns that will not display the selected event parameter with the selected value when viewed. The Event Processor will track each specified event parameter value separately.

   3. Perform one of the following actions:
      • To include or generalize all values of an event parameter in attention, select All values from the Value type drop-down list.

        Selecting All values causes the event processor to track events and patterns for each specific event parameter value separately. To ensure stable event processor performance, we recommend defining specific values for the event subject.

      • To include or generalize specific event parameter values in attention, select Specific values from the Value type drop-down list and enter the relevant value in the Value field. As you start typing a value, all matching parameter values are displayed in the list.

        If you selected Generalized attention as the attention type, select at least two values for the event parameter.

      • To include or generalize event parameter values according to a template in attention, from the Value type drop-down list, select Regular expression and enter the value template using a regular expression in Value.

        You can use special characters of regular expressions to search for events and patterns based on regular expressions.

7. If you need to generalize other event parameters, set the Generalize condition parameters toggle switch to Enabled.

   If generalized attention was selected as the attention type, then, when the switch is on, the event processor will generalize the remaining event parameters across all their values. In this case, the event processor will not register any event or pattern. To enable the Event Processor to generate events or patterns, you must define at least one event parameter in the Conditions block without generalization based on its values.

8. To refine the criteria for registering patterns using additional event parameters, do the following under Conditions:
   1. Click the Add condition button.
   2. From the Event parameter drop-down list, select an additional event parameter to refine the data sample for events and patterns registration.
   3. In the Condition type drop-down list, select one of the following values:
      • Parameter. When registering events and patterns, the event processor will consider the values of the selected event parameter while taking into account the data sample obtained for the main event parameter.
      • Generalized parameter. When registering events and patterns, the event processor will aggregate the values of the selected parameter while considering the data sample obtained for the primary event parameter.

        When this condition type is selected, the event processor will register patterns that, when viewed, will not display the selected event parameter with the selected value.

        This value is available if the Generalized attention type is selected for the attention subject.

   4. Perform one of the following actions:
      • To include or generalize the new values of an event parameter in attention, select New values from the Value type drop-down list.

        New values is available in the following cases:

        • The condition type is set to Parameter.
        • The attention type is set to Attention, the Generalize condition parameters toggle switch is off, and the condition type is set to Generalized parameter.
      • To include or generalize all values of an event parameter in attention, select All values from the Value type drop-down list.

        All values is available in the following cases:

        • The Generalize condition parameters toggle switch is on, and the condition type is set to Parameter.
        • The Generalize condition parameters toggle switch is off, and the condition type is set to Generalized parameter.
      • To include or generalize specific event parameter values in attention, select Specific values from the Value type drop-down list and enter the relevant value in the Value field. As you start typing a value, all matching parameter values are displayed in the list.
      • To include or generalize event parameter values according to a template in attention, from the Value type drop-down list, select Regular expression and enter the value template using a regular expression in Value.

        You can use special characters of regular expressions to search for events and patterns based on regular expressions.

   You can set more than one condition for additional event parameters. You can delete a previously added condition by clicking next to the condition.

   The conditions will be additionally applied to the data sample obtained for the main event parameter set under Attention subject. For example, if the Generalized attention type is selected and the Generalize condition parameters toggle switch is on, the Event Processor will register patterns that will display only those event parameters that were specified under Conditions while considering their selected values. If the toggle switch is off, the event processor will register patterns that will not display the generalized parameter specified under Attention subject. In this case, the values of the event parameters specified under Conditions will be considered.

9. Click the Save button.