Kaspersky Machine Learning for Anomaly Detection
5.0
English

Contents

[Topic 247995]

Configuring the main settings of Kaspersky MLAD

Kaspersky MLAD lets you specify the name of the monitored asset, web address and IP address for connecting users to the application web interface, and the frequency of receiving new data from the monitored asset. The name of the monitored asset will be displayed in the upper right corner of each section of the Kaspersky MLAD web interface.

System administrators can configure the main settings of Kaspersky MLAD.

To configure the main settings of Kaspersky MLAD:

  1. In the lower-left corner of the window, click An icon in the form of two horizontal equalizer sliders..

    You will be taken to the administrator menu.

  2. Select the System parametersMain section.

    A list of options appears on the right.

  3. In the Name of monitored asset field, specify the name of the monitored asset.
  4. In URL address for incident notifications, specify a URL for generating a link to incidents in email incident alerts.

    If IP address for incident notifications is set, this is used for generating the link.

  5. In IP address for incident notifications, specify an IP for generating a link to incidents in email incident alerts.
  6. In the Interval for receiving data from the Message Broker service (ms) field, specify the interval for updating telemetry data in the application web interface.

    The higher the specified parameter value, the less frequently the data is updated. The default value of this parameter is 500.

  7. In the Interval for receiving incident statistics from the database (ms) field, indicate how frequently data on incidents registered by the application should be updated in the application web interface.

    The default value of this parameter is 5000.

  8. In the Monitored asset time zone drop-down list, select the time zone of the computer where Kaspersky MLAD is installed

    The graphs in the application show data in the time zone you select.

  9. Click the Save button.
Page top
[Topic 247996]

Configuring the security settings of Kaspersky MLAD

Kaspersky MLAD lets you specify the conditions for temporarily blocking user accounts, the user inactivity period in accordance with the enterprise security policy, and the settings for storing information security event logs in the Kaspersky MLAD database. Information security event logs are automatically written to the database. If necessary, you can specify the settings of an external system to which the information security event logs should be sent.

System administrators may be responsible for configuring the security settings of Kaspersky MLAD.

To configure the main settings of Kaspersky MLAD:

  1. In the lower-left corner of the window, click An icon in the form of two horizontal equalizer sliders..

    You will be taken to the administrator menu.

  2. Select the System parametersSecurity section.

    A list of options appears on the right.

  3. In the Authorization parameters block, do the following:
    1. In the Number of authentication attempts field, specify the number of unsuccessful authorization attempts. When this number is reached, Kaspersky MLAD temporarily blocks the corresponding user account.

      The default value of this parameter is 3.

    2. In the User lock duration (sec) field, specify the time period (in seconds) to block a user account after reaching the specified number of unsuccessful authorization attempts.

      The default value of this parameter is 120.

    3. In the User inactivity period (min) field, specify the permissible duration of an inactive user session (in minutes).

      When the specified time period is reached, Kaspersky MLAD automatically terminates the inactive user session. The default value of this parameter is 1440.

    4. If you need to prevent users from ignoring the password change recommendation when they connect to the application web interface for the first time, turn on the Require password change on first login toggle switch.

      This switch is disabled by default.

  4. In the Password policy settings block, do the following:
    1. In the Number of user passwords stored in history field, specify the number of most recent user passwords that are stored in the application.

      You can specify a value starting with 1. The default value of this parameter is 5.

      When the user password is changed, the new password must not match any passwords stored in Kaspersky MLAD. The application stores passwords in encrypted form.

    2. In the Password expiration period (days) field, specify the number of days during which the user can use their current password to connect to the application without changing it.

      The default value of this parameter is 180.

    3. In the Minimum password length field, specify the minimum number of characters for user passwords.

      You can specify a value in the range of 8 to 128. The default value of this parameter is 8.

    4. If your security policy stipulates that user passwords must contain uppercase letters of the English alphabet, turn on the Require to use uppercase letters of the English alphabet (A-Z) toggle switch.

      This switch is enabled by default.

    5. If your security policy stipulates that user passwords must contain lowercase letters of the English alphabet, turn on the Require to use lowercase letters of the English alphabet (a-z) toggle switch.

      This switch is enabled by default.

    6. If your security policy stipulates that user passwords must contain numerals, turn on the Require to use numerals (0-9) toggle switch.

      This switch is enabled by default.

    7. If your security policy stipulates that user passwords must contain special characters, turn on the Require to use special characters (_!@#$%^&*) toggle switch.

      This switch is enabled by default.

  5. In the Retention settings for information security event logs block, do the following:
    1. In the Volume of information security event logs (MB) field, specify the volume limit (in megabytes) for storing information security event logs in the database.

      If the field is blank, Kaspersky MLAD stores all information security event logs for the time period specified in the Retention time for information security event logs (days) setting. This setting has no value by default.

      If the specified volume of information security event logs in the database is exceeded, Kaspersky MLAD deletes the oldest entries.

    2. In the Retention time for information security event logs (days) field, specify the number of days to store information security event logs in the database.

      The default value of this parameter is 100.

  6. Click the Save button.
Page top
[Topic 247997]

Configuring the Anomaly Detector service

You can configure the procedure for detecting anomalies based on the specific features of your monitored asset by enabling or disabling specific anomaly detection in the Anomaly Detector service settings.

System administrators can configure the Anomaly Detector service.

To configure the settings of the Anomaly Detector service:

  1. In the lower-left corner of the window, click An icon in the form of two horizontal equalizer sliders..

    You will be taken to the administrator menu.

  2. Select System parametersAnomaly Detector.

    A list of options appears on the right.

  3. Enable or disable the Limit Detector using the Use Limit Detector toggle switch.

    Limit Detector logs incidents when the upper or lower blocking thresholds set for the tag are exceeded.

  4. Use the Use Forecaster detector toggle switch to enable or disable anomaly detection with ML model predictive elements.

    ML model predictive elements register incidents when detecting discrepancies between observed and predicted tag values.

  5. Enable or disable the XGBoost detector using the Use XGBoost detector toggle switch.
  6. Use the Use Rule Detector toggle switch to enable or disable anomaly detection with ML model elements based on diagnostic rules.

    Diagnostic rules register incidents when the output of a diagnostic rule exceeds a predetermined limit.

  7. Enable or disable the function for skipping gaps in the incoming data stream using the Skip gaps in data toggle switch.

    If the toggle switch is on, during ML model inference, its components do not generate any artifacts when no data is received for the ML model element tags for a period longer than the UTG period as specified in Grid step (sec) for that element.

  8. In the Maximum number of records requested from the Message Broker service field, enter the number of records that must be requested from the Message Broker service for subsequent processing in the Anomaly Detector.

    The higher the value, the less frequently Anomaly Detector requests records from Message Broker. The value depends on the amount of telemetry data received by Kaspersky MLAD in real time.

  9. In the Number of messages sent in one block to the Message Broker service field, enter the number of incidents that must be sent to the Message Broker service at one time.
  10. Click the Save button.
Page top
[Topic 247998]

Configuring the Keeper service

Kaspersky MLAD uses the Keeper service to route telemetry data that should be saved in the database. You can configure the settings that define the rate of incoming data received from connectors and external sources, and the volume of data to be saved in the Kaspersky MLAD database.

System administrators can configure the data routing settings in Kaspersky MLAD.

To configure the Keeper service:

  1. In the lower-left corner of the window, click An icon in the form of two horizontal equalizer sliders..

    You will be taken to the administrator menu.

  2. Select the System parametersKeeper section.

    A list of options appears on the right.

  3. Perform one of the following actions:
    • To save both known and unknown tags values from external sources to the database, turn on the Save values of all tags toggle.
    • To save only the tags values that are known to the application, turn off the Save values of all tags toggle.
  4. In the Timeout for receiving tag values (ms) field, enter the maximum timeout (in milliseconds) for receiving the values of tags.

    The higher the value, the less frequently Keeper receives tag values and writes these to the database. We recommend setting a value that matches the frequency of receiving telemetry data from the monitored asset.

  5. In the Timeout for receiving incidents (ms) field, enter the maximum timeout in milliseconds for receiving incidents.

    The higher the value, the less frequently Keeper receives incident data and writes these to the database. We recommend setting a value that matches the incident frequency.

  6. In the Timeout for receiving metrics (ms) field, enter the maximum timeout in milliseconds for receiving metrics.

    The higher the specified value, the less often Keeper receives metrics (the number of received observations for tags, the number of events, and the number of generated artifacts) and writes these to the database. We recommend setting a value that matches the frequency of receiving metrics from CEF Connector.

  7. Click the Save button.
Page top
[Topic 247999]

Configuring the Mail Notifier service

Kaspersky MLAD uses the Mail Notifier service to notify users when incidents are registered by the application.

System administrators can configure the Mail Notifier service.

Setting up Mail Notifier is optional and only required for receiving email notifications about new registered incidents. First, you need to configure an SMTP server on the network where the monitored object is located.

To configure the Mail Notifier service:

  1. In the lower-left corner of the window, click An icon in the form of two horizontal equalizer sliders..

    You will be taken to the administrator menu.

  2. Select System parametersMail Notifier.

    A list of options appears on the right.

  3. In the Notification sender email field, specify the email address that will send incident notifications.
  4. In the SMTP server address field, enter the IP address of the SMTP server.
  5. In the SMTP server port field, enter the port of the SMTP server.
  6. In the SMTP server user name field, enter the user name for connecting to the SMTP server.
  7. In the SMTP server password field, enter the password for connecting to the SMTP server.
  8. Use the Use TLS connection toggle switch to enable or disable secure TLS connection.

    By default, use of a secure TLS connection is disabled.

    To avoid compromising the sent data, it is recommended to enable the use of a secure TLS connection. It is recommended to use a secure TLS connection via the TLS-1.2 or TLS-1.3 protocol using a cipher suite from the list of recommended ciphers.

  9. If you are using a secure TLS connection, do the following:
    1. Upload the SMTP server certificate using the Browse button under SMTP server certificate.
    2. Upload the key to the SMTP server certificate file using the Browse button under the Key to SMTP server certificate setting.

    It is recommended to use a certificate with a certificate key length of 4096 bits when using the RSA algorithm, or 256 bits when using the ECDH algorithm.
    Certificates and certificate keys can be uploaded only as files in DER or PEM format.

    To delete the certificate file or certificate key, click the A basket icon. button in the corresponding field. To save the certificate file or certificate key on your computer, click the An icon in the form of an arrow pointing into a tray. button in the corresponding field.

  10. Click the Save button.
Page top
[Topic 248000]

Configuring the Similar Anomaly service

Kaspersky MLAD uses the Similar Anomaly service to identify similar incidents and combine them into groups. In groups, you can view similar incidents that were registered at different times.

System administrators can configure the Similar Anomaly service.

To configure the Similar Anomaly service:

  1. In the lower-left corner of the window, click An icon in the form of two horizontal equalizer sliders..

    You will be taken to the administrator menu.

  2. Select System parametersSimilar Anomaly.

    A list of service settings appears on the right.

  3. In the Minimum number of incidents in group field, enter the minimum number of similar incidents for forming a group.
  4. In the Maximum number of incidents in group field, enter the maximum number of incidents that can be put into one group.

    The larger the specified value, the more incidents the application can assign to one group.

  5. In the Maximum distance between similar incidents field, enter the maximum distance that similar incidents can lag behind each other.

    You can specify a value in the range of 0 to 1.

  6. Click the Save button.
Page top
[Topic 248001]

Configuring the Stream Processor service

The Stream Processor service gathers real-time telemetry data (input stream) received from the monitored asset at arbitrary points in time and converts this data to a UTG (output stream). Based on the accumulated data, the Stream Processor service determines the values of tags in the output data stream. After converting data into an output stream, the Stream Processor service forwards this data to the ML model for processing.

When converting incoming telemetry data, the Stream Processor service accounts for potential data losses (for example, if the network of the monitored asset temporarily goes down) and processes observations that were received in Kaspersky MLAD too early or too late. In these cases, the Stream Processor service generates default incidents and/or forwards default tag values to the output data stream.

The Stream Processor service can also compute derivative tags based on incoming telemetry data (for example, to calculate the moving average or average value of a group of tags).

The Stream Processor service configuration file for uploading is provided by Kaspersky specialists or a certified integrator.

System administrators can configure the Stream Processor service.

To configure the Stream Processor service:

  1. In the lower-left corner of the window, click An icon in the form of two horizontal equalizer sliders..

    You will be taken to the administrator menu.

  2. Select System parametersStream Processor.
  3. In the Uniform temporal grid period (sec) field, specify the period (in seconds) for which the Stream Processor service will process incoming telemetry data.

  4. Using the Browse button under the Configuration file setting, add a file that contains configuration settings for the Stream Processor service.

    If you need to delete the configuration file for the Stream Processor service, click the A basket icon. button. To save the configuration file on your computer, click the An icon in the form of an arrow pointing into a tray. button.

  5. Click the Save button.
Page top
[Topic 248002]

Configuring the HTTP Connector

Kaspersky MLAD uses the HTTP Connector to receive data from CSV files by uploading data using the POST method. You can download data over port 4999 via HTTP or HTTPS by specifying the relevant protocol in a request.

In Kaspersky MLAD, certificate files and key files can be uploaded only in DER or PEM format. If necessary, you can use the OpenSSL utility to change the format of certificate files and the certificate key. Thus, to change the format of a certificate file from P12 to PEM, run the following command in the console:

openssl pkcs12 -in <certificate name>.p12 -clcerts -nokeys -out <certificate name>.pem

System administrators can configure the HTTP Connector.

To configure the HTTP Connector:

  1. In the lower-left corner of the window, click An icon in the form of two horizontal equalizer sliders..

    You will be taken to the administrator menu.

  2. Select System parametersHTTP Connector.

    A list of options appears on the right.

  3. In the Size of written block (tag count) field, specify the number of tags values that are written to the Message Broker service at one time.

    The specified value affects the number of iterations for writing tag values from the CSV file to Message Broker according to the total number of observations for tags retrieved via HTTP Connector.

  4. In the Maximum size of uploaded file (MB) field, specify the maximum size in megabytes of a file transmitted to the HTTP Connector.

    If you try to download a larger CSV file, the file would not be passed to the HTTP Connector.

  5. Use the Use TLS connection toggle switch to enable or disable secure TLS connection.

    By default, use of a secure TLS connection is enabled.

    To avoid compromising the received and/or sent data, it is recommended to keep the use of a secure TLS connection enabled.

  6. If you are using a secure TLS connection, use the Use the recommended TLS connection settings toggle switch to enable or disable use of the recommended TLS connection settings.

    By default, use of the recommended TLS connection settings is enabled.

    When the toggle switch is on, a secure TLS connection is used via the TLS-1.2 or TLS-1.3 protocol with a cipher suite from the list of recommended ciphers.

  7. If you are using a secure TLS connection, do the following:
    1. Add the HTTPS server certificate and the certificate key by using the Browse button under the HTTPS server certificate and Private key to HTTPS server certificate settings.

      It is recommended to use a certificate with a certificate key length of 4096 bits when using the RSA algorithm, or 256 bits when using the ECDH algorithm.

    2. If you are using client certificates, add the root certificate to verify the signature of the client certificate by using the Browse button under the CA certificate for verifying the client certificate signature setting.

    Certificates and certificate keys can be uploaded only as files in DER or PEM format.

    To delete the certificate file or certificate key, click the A basket icon. button in the corresponding field. To save the certificate file or certificate key on your computer, click the An icon in the form of an arrow pointing into a tray. button in the corresponding field.

  8. Toggle Scale obtained tag values switch to enable or disable the conversion of tag values according to the Bias and Multiplier settings that were set when creating the tag.

    Conversion of received tag values is disabled by default.

  9. Click the Save button.

Kaspersky MLAD will receive data from CSV files using the HTTP Connector.

The following is an example of sending a CSV file to the HTTP Connector via cURL over HTTP using the POST method to port 4999 of the Kaspersky MLAD server:

curl -F "file=@<file name>.csv" -X POST "http://<Kaspersky MLAD server IP address or domain name>:4999/upload"

The HTTP Connector accepts CSV files with the following fields:

timestamp;tag_name;value

where:

  • timestamp is the time stamp in the format %Y-%m-%dT%H:%M:%S.
  • tag_name is the name of the tag.
  • value is the tag value.

    If a tag value contains a fractional portion, use a dot to separate the integer from the fractional portion.

Page top
[Topic 248003]

Configuring the MQTT Connector

Kaspersky MLAD uses the MQTT Connector to receive data and send messages about incident registration via the MQTT (Message Queuing Telemetry Transport) protocol.

System administrators can configure the MQTT Connector.

To configure the MQTT Connector:

  1. In the lower-left corner of the window, click An icon in the form of two horizontal equalizer sliders..

    You will be taken to the administrator menu.

  2. Select System parametersMQTT Connector.

    A list of options appears on the right.

  3. Use the Use TLS connection toggle switch to enable or disable secure TLS connection.

    By default, use of a secure TLS connection is enabled.

    To avoid compromising the received and/or sent data, you are advised to keep the use of a secure TLS connection enabled.

  4. If you are using a secure TLS connection, use the Use the recommended TLS connection settings toggle switch to enable or disable use of the recommended TLS connection settings.

    By default, use of the recommended TLS connection settings is enabled.

    When the toggle switch is on, a secure TLS connection is used via the TLS-1.2 or TLS-1.3 protocol with a cipher suite from the list of recommended ciphers.

  5. In the MQTT broker (address:port) field, specify the host name and port of the external MQTT broker that the MQTT Connector will interact with.

    The default value of this parameter is mqtt_broker:1883.

  6. In the User name for MQTT connection field, enter the user name to connect to the MQTT broker.
  7. In Password for MQTT connection, enter the user password for connecting to the MQTT broker.
  8. If you are using a secure TLS connection and a self-signed certificate is installed on the MQTT broker, add the root certificate for the MQTT broker by using the Browse button under the CA certificate setting.

    To delete the certificate file, click the A basket icon. button. To save the certificate file on your computer, click the An icon in the form of an arrow pointing into a tray. button.

  9. If you are using a secure TLS connection and client authentication is enabled on the MQTT broker, do the following:
    1. Add the client certificate by using the Browse button under the Client certificate setting.
    2. Add the key for the client certificate by using the Browse button under the Key to client certificate setting.

    It is recommended to use a certificate with a certificate key length of 4096 bits when using the RSA algorithm, or 256 bits when using the ECDH algorithm.
    Certificates and certificate keys can be uploaded only as files in DER or PEM format.

    To delete the certificate file or certificate key, click the A basket icon. button in the corresponding field. To save the certificate file or certificate key on your computer, click the An icon in the form of an arrow pointing into a tray. button in the corresponding field.

  10. In the List of MQTT subscriptions for receiving tags field, enter the name of the list of MQTT subscriptions from which the MQTT Connector will receive tag values.

    The default value of this parameter is tags.

  11. In the MQTT topic for publishing messages field, specify the name of the topic where the MQTT Connector will publish messages about incident registration.

    If no value is defined for this setting, messages are not sent.

    This setting has no value by default.

  12. In the Data format drop-down list, select the format to receive data from external systems and send messages about incidents.

    The following options are available: JSONBatch, Topic, SmartHome, KISG.

    The default value of this parameter is JSONBatch.

    If you are having difficulty selecting a data format, consult Kaspersky or a certified integrator.

    If none of the incident data and message formats suits you, you can contact Kaspersky Lab experts to add the required format.

  13. If you have selected the Topic data format, add a configuration file containing the connector settings for this data format using the Browse button under the Connector configuration file setting.

    To delete the certificate file, click the A basket icon. button. To save the certificate file on your computer, click the An icon in the form of an arrow pointing into a tray. button.

  14. Toggle Scale obtained tag values switch to enable or disable the conversion of tag values according to the Bias and Multiplier settings that were set when creating the tag.

    Conversion of received tag values is disabled by default.

  15. Click the Save button.

Kaspersky MLAD will receive data and send messages about incident registration via the MQTT protocol.

Page top
[Topic 248004]

Configuring the AMQP Connector

Kaspersky MLAD uses the AMQP Connector to receive data and send messages about incident registration via AMQP (Advanced Message Queuing Protocol).

System administrators can configure the AMQP Connector.

To configure the AMQP Connector:

  1. In the lower-left corner of the window, click An icon in the form of two horizontal equalizer sliders..

    You will be taken to the administrator menu.

  2. Select System parametersAMQP Connector.

    A list of options appears on the right.

  3. Use the Use TLS connection toggle switch to enable or disable secure TLS connection.

    By default, use of a secure TLS connection is enabled.

    To avoid compromising the received and/or sent data, you are advised to keep the use of a secure TLS connection enabled.

  4. If you are using a secure TLS connection, use the Use the recommended TLS connection settings toggle switch to enable or disable use of the recommended TLS connection settings.

    By default, use of the recommended TLS connection settings is enabled.

    When the toggle switch is on, a secure TLS connection is used via the TLS-1.2 or TLS-1.3 protocol with a cipher suite from the list of recommended ciphers.

  5. In the AMQP broker (address:port) field, specify the host name and port of the external AMQP broker that the AMQP Connector will interact with.

    The default value of this parameter is rabbitmq:5672.

  6. In the User name for AMQP connection field, enter the user name to connect to the AMQP broker.
  7. In Password for AMQP connection, enter the user password for connecting to the AMQP broker.
  8. If you are using a secure TLS connection and a self-signed certificate is installed on the AMQP broker, add the root certificate for the AMQP broker by using the Browse button under the CA certificate setting.

    A certificate can be downloaded as a DER or PEM file only.

    To delete the certificate file, click the A basket icon. button. To save the certificate file on your computer, click the An icon in the form of an arrow pointing into a tray. button.

  9. If you are using a secure TLS connection and client authentication is enabled on the AMQP broker, do the following:
    1. Add the client certificate by using the Browse button under the Client certificate setting.
    2. Add the key for the client certificate by using the Browse button under the Key to client certificate setting.

    It is recommended to use a certificate with a certificate key length of 4096 bits when using the RSA algorithm, or 256 bits when using the ECDH algorithm.
    A certificate and certificate key can be uploaded only as a file in DER or PEM format.

    To delete the certificate file or certificate key, click the A basket icon. button in the corresponding field. To save the certificate file or certificate key on your computer, click the An icon in the form of an arrow pointing into a tray. button in the corresponding field.

  10. In the AMQP virtual host field, specify the virtual host for establishing a connection between the AMQP Connector and the external AMQP broker.

    The default value of this parameter is /.

  11. In the AMQP exchange point name for receiving tag values field, specify the name of the exchange point to receive tags values from an external AMQP broker.

    If a value is not defined for this parameter, tags values will not be received via the AMQP Connector.

    This setting has no value by default.

  12. In the List of AMQP subscriptions for receiving tag values field, specify the name of the list of subscriptions from which the AMQP Connector will receive tag values.

    The default value of this parameter is #.

  13. In the AMQP queue for receiving tag values field, specify the name of the queue for the AMQP connector.
  14. In the AMQP exchange point name for publishing messages field, specify the name of the exchange point for sending incident registration messages.

    If no value is defined for this parameter, messages will not be sent. You can specify the same name that you indicated in step 10 of these instructions.

    This setting has no value by default.

  15. In the AMQP topic for publishing messages field, specify the name of the topic where the AMQP Connector will publish messages about incident registration.

    The default value of this parameter is alert.

  16. In the Data format drop-down list, select the format to receive data from external systems and send messages about incidents.

    The following options are available: JSONBatch, Topic, SmartHome, KISG.

    The default value of this parameter is JSONBatch.

    If you are having difficulty selecting a data format, consult Kaspersky or a certified integrator.

    If none of the incident data and message formats suits you, you can contact Kaspersky Lab experts to add the required format.

  17. If you have selected the Topic data format, add a configuration file containing the connector settings for this data format using the Browse button under the Connector configuration file setting.

    To delete the connector configuration file, click the A basket icon. button. To save the connector configuration file on your computer, click the An icon in the form of an arrow pointing into a tray. button.

  18. Toggle Scale obtained tag values switch to enable or disable the conversion of tag values according to the Bias and Multiplier settings that were set when creating the tag.

    Conversion of received tag values is disabled by default.

  19. Click the Save button.

Kaspersky MLAD will receive data and send messages about incident registration via the AMQP protocol.

Page top
[Topic 248005]

Configuring the OPC UA Connector

Kaspersky MLAD uses the OPC UA Connector to receive data over a protocol described by the OPC Unified Architecture specification.

System administrators can configure the OPC UA Connector.

To configure the OPC UA Connector:

  1. In the lower-left corner of the window, click An icon in the form of two horizontal equalizer sliders..

    You will be taken to the administrator menu.

  2. Select System parametersOPC UA Connector.

    A list of options appears on the right.

  3. In the Connection point field, specify the connection address.

    For example: opc.tcp://10.0.0.0:8001/freeopcua/server/.

  4. In the OPC UA server connection timeout (sec) field, specify the time period (in seconds) that the OPC UA Connector will attempt to establish a connection with the OPC UA server.
  5. Using the Browse button under the Configuration file setting, add a file containing settings for the OPC UA Connector.

    To delete the connector configuration file, click the A basket icon. button. To save the connector configuration file on your computer, click the An icon in the form of an arrow pointing into a tray. button.

  6. Toggle Scale obtained tag values switch to enable or disable the conversion of tag values according to the Bias and Multiplier settings that were set when creating the tag.

    Conversion of received tag values is disabled by default.

  7. Select a message encryption algorithm from the Connection security policy drop-down list.

    The following options can be selected: None, Basic256, Basic128Rsa15, Basic256Sha256, Aes128Sha256RsaOaep.

  8. In the Secure messaging mode drop-down list, select one of the following values:
    1. If you do not want to sign or encrypt messages, select None.
    2. If you want to sign messages, select Sign messages.
    3. If you want to sign and encrypt messages, select Sign and encrypt messages.
  9. In User name, enter the user name for connecting to the OPC UA server.
  10. In Password, enter the password for connecting to the OPC UA server.
  11. If it is necessary to use a secure connection and client authentication is enabled on the OPC UA server, do the following:
    1. Add the client application certificate by using the Browse button under the Client certificate setting.
    2. Add the private key to the client application certificate by using the Browse button under the Client private key setting.
    3. In Client private key password, specify the password to use for unlocking the private key.

    It is recommended to use a certificate with a certificate key length of 4096 bits when using the RSA algorithm, or 256 bits when using the ECDH algorithm.
    A certificate and certificate key can be uploaded only as a file in DER or PEM format.

    To delete the certificate file or certificate key, click the A basket icon. button in the corresponding field. To save the certificate file or certificate key on your computer, click the An icon in the form of an arrow pointing into a tray. button in the corresponding field.

  12. If it is necessary to use a secure connection and a self-signed certificate is installed on the OPC UA server, add the root certificate for the OPC UA server using the Browse button under the OPC UA server CA certificate setting.

    To delete the certificate file, click the A basket icon. button. To save the certificate file on your computer, click the An icon in the form of an arrow pointing into a tray. button.

  13. In the Historical data interval (sec) field, specify the time interval (in seconds) for which the OPC UA Connector requests historical data stored on the OPC UA server.

    Enter 0 if you do not need to download historical data. Enter -1 if you need to download all historical data.

    If Start of the historical data period and End of the historical data period are set, historical data is loaded for the specified period.

  14. In the Start of the historical data period field, select the start date and time of the period for which you want to download data from the OPC UA server.
  15. In the End of the historical data period field, select the end date and time of the period for which you want to download data from the OPC UA server.
  16. In the Size of historical data block sent by OPC UA server (numvalues parameter) field, specify the number of tags values that will be transmitted in the historical data block sent to the OPC UA Connector from the OPC UA server.

    The specified value affects the number of iterations for sending historical data to OPC UA Connector according to the total number of observations for tags received from the OPC UA server.

  17. In the Size of historical data block sent to Message Broker service field, specify the number of tags that will be transmitted in the historical data block sent from the OPC UA Connector to the Message Broker service.

    The specified value affects the number of iterations for sending historical data to Message Broker according to the total number of observations for tags recieved via OPC UA Connector.

  18. Click the Save button.
Page top
[Topic 248006]

Configuring the KICS Connector

Kaspersky MLAD uses the KICS Connector to receive data from Kaspersky Industrial CyberSecurity for Networks 4.0 and later and to send back incident registration messages.

The connector for integration with Kaspersky MLAD must be created and added to Kaspersky Industrial CyberSecurity for Networks in advance. For detailed information about creating and adding a connector, please refer to the Adding a connector section of Kaspersky Industrial CyberSecurity for Networks Help Guide.

System administrators can perform integration with Kaspersky Industrial CyberSecurity for Networks version 4.0 or higher.

To configure the KICS Connector:

  1. In the lower-left corner of the window, click An icon in the form of two horizontal equalizer sliders..

    You will be taken to the administrator menu.

  2. Select System parametersKICS Connector.

    A list of options appears on the right.

  3. Using the Browse button under the setting Communication data package for KICS Connector (zip) field, add the file containing the settings for configuring interaction between Kaspersky MLAD and Kaspersky Industrial CyberSecurity for Networks.

    For detailed information about creating a communication data package, please refer to the Kaspersky Industrial CyberSecurity for Networks Help Guide. The created communication data package must be saved on the computer where Kaspersky MLAD is installed.

    If you need to delete a communication data package, click the A basket icon. button in the Communication data package for KICS Connector (zip) field. To save the communication data package on your computer, click the An icon in the form of an arrow pointing into a tray. button.

  4. In the Password for KICS Connector field, enter the password that you specified when adding the connector to Kaspersky Industrial CyberSecurity for Networks.
  5. Toggle Send messages to Kaspersky Industrial CyberSecurity for Networks switch to enable or disable forwarding of messages about registered incidents to Kaspersky Industrial CyberSecurity for Networks.
  6. In the Tag value sampling frequency (Hz) field, specify the frequency in Hz at which you need to receive tag values from Kaspersky Industrial CyberSecurity for Networks.

    Indicate 0 in this field if

    data sampling
    is not required.

  7. Toggle Scale obtained tag values switch to enable or disable the conversion of tag values according to the Bias and Multiplier settings that were set when creating the tag.

    Conversion of received tag values is disabled by default.

  8. Click the Save button.

Kaspersky MLAD receives data from Kaspersky Industrial CyberSecurity for Networks and sends back messages about incident registration.

Page top
[Topic 248007]

Configuring the CEF Connector

Kaspersky MLAD uses the CEF Connector to receive data from external sources of events (such as the Industrial Internet of Things, network devices and applications) and to send incident registration messages to an external system.

You can also use the CEF Connector to send information security event logs of Kaspersky MLAD to an external system. Information security event logs are automatically written to the Kaspersky MLAD database.

To receive events from external sources using the CEF Connector, configure the Event Processor service.
Before configuring the CEF Connector settings in the Kaspersky MLAD web interface, the IP address and port number to be used for connecting the external event source to the CEF Connector must be specified in the .env file. The settings of the configuration file can be changed only by a qualified technical specialist of the Customer, a Kaspersky employee, or a certified integrator.

System administrators can configure the CEF Connector.

To configure the CEF Connector:

  1. In the lower-left corner of the window, click An icon in the form of two horizontal equalizer sliders..

    You will be taken to the administrator menu.

  2. Select System parametersCEF Connector.

    A list of options appears on the right.

  3. Use the Receive events for the Event Processor service toggle switch to enable or disable use of the CEF Connector for receiving events from an external system.
  4. Toggle Send registered incidents to SIEM system switch to enable or disable forwarding of messages about incidents registered by the application to the external system.
  5. Toggle Send registered events to SIEM system switch to enable or disable forwarding of messages about events registered by Event Processor service to the external system.
  6. In the IP address for sending events and incidents to SIEM system field, specify the IP address for connecting an external system to the CEF Connector and forwarding events processed by the Event Processor service and incidents.
  7. In the Port for sending events and incidents to SIEM system field, specify the port number for connecting an external system to the CEF Connector and forwarding events processed by the Event Processor service and incidents.
  8. If you need to send information security event logs of Kaspersky MLAD to an external system, turn on the Send information security event logs to a Syslog server toggle switch and do the following:
    1. In the Transport protocol for sending information security events to a Syslog server drop-down list, select the protocol that you want to use for sending information security event logs.

      Kaspersky MLAD supports the TCP and UDP protocols for sending information security event logs to an external system.

    2. In the Syslog server address for sending information security events field, specify the IP address or host name of the external system to which the information security event logs must be sent.
    3. In the Syslog server port for sending information security events field, specify the port number of the external system to which the information security event logs must be sent.
  9. Use the Use TLS connection toggle switch to enable or disable the use of a secure TLS connection when using Kaspersky MLAD as a client.

    By default, use of a secure TLS connection is enabled.

    To avoid compromising the received and/or sent data, it is recommended to keep the use of a secure TLS connection enabled.

  10. If you have enabled the use of a secure TLS connection, use the Use the recommended TLS connection settings toggle switch to enable or disable use of the recommended TLS connection settings.

    When the toggle switch is on, a secure TLS connection is used via the TLS-1.2 or TLS-1.3 protocol with a cipher suite from the list of recommended ciphers.

  11. If you need to use a secure TLS connection for the server side of the CEF Connector, do the following:
    1. Add the server certificate and the certificate key by using the Browse button under the Server certificate and Private key to the server certificate settings.

      It is recommended to use a certificate with a certificate key length of at least 4096 bits when using the RSA algorithm, or 256 bits when using the ECDH algorithm.

    2. If you are using client certificates, add the root certificate to verify the signature of the client certificate by using the Browse button under the CA certificate for verifying the client certificate signature setting.

    Certificates and certificate keys can be uploaded only as files in DER or PEM format.

    To delete the certificate file or certificate key, click the A basket icon. button in the corresponding field. To save the certificate file or certificate key on your computer, click the An icon in the form of an arrow pointing into a tray. button in the corresponding field.

  12. If you need to use a secure TLS connection for the server side of the CEF Connector, do the following (if necessary):
    1. Add the client certificate and the certificate key by using the Browse button under the Client certificate and Private key to the client certificate settings.

      It is recommended to use a certificate with a certificate key length of at least 4096 bits when using the RSA algorithm, or 256 bits when using the ECDH algorithm.

    2. If you are using server certificates, add the root certificate to verify the signature of the server certificate by using the Browse button under the CA certificate for verifying the server certificate signature setting.

    Certificates and certificate keys can be uploaded only as files in DER or PEM format.

    To delete the certificate file or certificate key, click the A basket icon. button in the corresponding field. To save the certificate file or certificate key on your computer, click the An icon in the form of an arrow pointing into a tray. button in the corresponding field.

  13. Click the Save button.
Page top
[Topic 248008]

Configuring the WebSocket Connector

Kaspersky MLAD uses the WebSocket Connector to receive data and send messages about incident registration via the WebSocket protocol.

System administrators can configure the WebSocket Connector. The instructions in this section are provided for information purposes.

To configure the WebSocket Connector:

  1. In the lower-left corner of the window, click An icon in the form of two horizontal equalizer sliders..

    You will be taken to the administrator menu.

  2. Select System parametersWebSocket Connector.

    A list of options appears on the right.

  3. In the WebSocket server URL address field, specify the web address of the WebSocket server that the WebSocket Connector will interact with.

    Enter the web address in the format: WebSocket protocol://address:port/.

  4. If it is necessary to use a secure connection and a self-signed certificate is installed on the WebSocket server, add the root certificate for the WebSocket server using the Browse button under the CA certificate setting.

    To delete the certificate file, click the A basket icon. button. To save the certificate file on your computer, click the An icon in the form of an arrow pointing into a tray. button.

  5. If it is necessary to use a secure connection and client authentication is enabled on the WebSocket server, do the following:
    1. Add the WebSocket client application certificate by using the Browse button under the Client certificate setting.
    2. Add the key to the WebSocket client application certificate by using the Browse button under the Key to client certificate setting.

    It is recommended to use a certificate with a certificate key length of 4096 bits when using the RSA algorithm, or 256 bits when using the ECDH algorithm.

    To delete the certificate file or certificate key, click the A basket icon. button in the corresponding field. To save the certificate file or certificate key on your computer, click the An icon in the form of an arrow pointing into a tray. button in the corresponding field.

  6. In the Data format drop-down list, select the format to receive data from external systems and send messages about incidents.

    The following options are available: JSONBatch, Topic, SmartHome, KISG.

    The default value of this parameter is JSONBatch.

    If you are having difficulty selecting a data format, consult Kaspersky or a certified integrator.

    If none of the incident data and message formats suits you, you can contact Kaspersky Lab experts to add the required format.

  7. If you have selected the Topic data format, add a configuration file containing the connector settings for this data format using the Browse button under the Connector configuration file setting.

    To delete the connector configuration file, click the A basket icon. button. To save the connector configuration file on your computer, click the An icon in the form of an arrow pointing into a tray. button.

  8. Toggle Scale obtained tag values switch to enable or disable the conversion of tag values according to the Bias and Multiplier settings that were set when creating the tag.

    Conversion of received tag values is disabled by default.

  9. Toggle Submit incidents switch to enable or disable the forwarding of messages about incidents registered in Kaspersky MLAD to a WebSocket server.
  10. If you are using a secure TLS connection, use the Use the recommended TLS connection settings toggle switch to enable or disable use of the recommended TLS connection settings.

    By default, use of the recommended TLS connection settings is enabled.

    When the toggle switch is on, a secure TLS connection is used via the TLS-1.2 or TLS-1.3 protocol with a cipher suite from the list of recommended ciphers.

  11. Click the Save button.

Kaspersky MLAD will receive data and send messages about incident registration via the WebSocket protocol.

Page top
[Topic 248009]

Configuring the Event Processor service

Kaspersky MLAD uses the Event Processor service to identify patterns and anomalous sequences of events and patterns. You can configure the settings of the Event Processor service.

If Kaspersky MLAD is restarted, you do not need to re-configure the Event Processor service settings. Kaspersky MLAD restores the Event Processor service state from the database or file in bit format. This restoration process may take several minutes if there is a significantly large number of processed events or registered patterns. Until the state of the Event Processor service is restored in the Event Processor section, requests will not be fulfilled, data will not be updated, and data received from the CEF Connector will not be processed. This data is temporarily stored in the system message queue and is processed after the state of the Event Processor service is restored.

The Event Processor service may require a large amount of RAM on the server where Kaspersky MLAD is installed. The amount of RAM usage depends on the rate of the event stream and the volume of events history that is processed. The specific configuration of the Event Processor service also has an effect on the amount of RAM usage.

System administrators can configure the Event Processor service.

To configure the Event Processor service:

  1. In the lower-left corner of the window, click An icon in the form of two horizontal equalizer sliders..

    You will be taken to the administrator menu.

  2. Select System parametersEvent Processor.

    A list of service settings appears on the right.

  3. In the Online mode section, do the following:
    1. Using the Browse button under the setting Event processor configuration file field, add the file containing the configuration settings for the Event Processor service.

      The Configuration file is created by a qualified technical specialist of the Customer, a Kaspersky Lab employee or a certified integrator.

      If you need to delete the configuration file for the Event Processor service, click the A basket icon. button. To save the configuration file on your computer, click the An icon in the form of an arrow pointing into a tray. button.

      Changing the configuration file of the Event Processor service results in a complete loss of the service's data.

    2. If you need to process incidents registered by the Anomaly Detector service, turn on the Process incidents as events toggle switch.
    3. In the Maximum number of network layers field, specify the number of layers of the semantic neural network that will be used.

      The default number of network layers for event data that is based on a specific structure is ten layers. In most cases, ten layers are enough for the hierarchical presentation of data in the semantic neural network at the core of the Event Processor. To identify patterns of periodic processes that span an extended period of time, you may need to increase the value of the Maximum number of network layers parameter.

    4. In the Coefficient defining the permitted dispersion of the pattern duration field, specify the coefficient used to determine the permissible dispersion of intervals between elements in the same pattern.

      If the actual dispersion value is less than or equal to one that is specified, the identified sequences of events will be registered as one pattern.

    5. In the Interval for receiving batch events (sec.) field, specify the time interval (in seconds) for which the Event Processor service forms an episode from incoming events received for processing.

      If the rate of incoming events is approximately 1000 events per second, it is recommended to indicate this value as the interval for receiving new events so that you receive a number of events close to the value indicated in the Batch size in online mode (number of events) field during the specified period. If the rate of incoming events is a lot lower than this value, you should adjust the interval for receiving new events to ensure an optimal frequency of event processing.

    6. In the Batch size in online mode (number of events) field, specify the maximum number of events per episode to be subsequently processed by the Event Processor service.

      If the rate of incoming events is approximately 1000 events per second, it is recommended to indicate a value equal to 4096 in this field.

    7. In the Method of saving the state of the Event Processor service drop-down list, select one of the following options for saving the Event Processor service state:
      • Database table – Kaspersky MLAD saves the results from processing each episode in the database table.
      • File in bit format – Kaspersky MLAD saves the state of the Event Processor service according to the frequency defined in the Component backup frequency field. The application saves the state of the service to the file specified in the File containing a backup copy of the component state field.

        Saving the Event Processor service state to a file in bit format is recommended for debugging and configuring the application settings by Kaspersky employees during the deployment of Kaspersky MLAD.

      By default, the Event Processor service saves the results of event stream processing in a database table.

      Changing the way of saving the Event Processor service state results in a complete loss of the service's data.

    8. If you select to store the Event Processor service state in a file in bit format, in the Component backup frequency field, specify how often (in days, hours, and minutes) to perform a backup of the Event Processor service.
    9. If you chose to store the status of the Event Processor service as a bitmap file, add the file that contains a backup copy of the Event Processor service via the Browse button under the File containing a backup copy of the component state setting.

      This file will be used if you ever need to restore the state of the Event Processor service. The state of the Event Processor service can be restored by Kaspersky experts as part of their extended technical support.

      If you need to delete the file containing the backup copy of the Event Processor service, click the A basket icon. button. To save the file containing a backup copy of the service on your computer, click the An icon in the form of an arrow pointing into a tray. button.

  4. In the Sleep mode section, do the following:
    1. In the Batch size in sleep mode (number of events) field, specify the number of events for forming an episode in sleep mode.

      The Event Processor service generates episodes based on the history of events received for reprocessing during the time interval specified in the Events history interval for processing in sleep mode field.

    2. In the Send alerts when the monitor is activated in sleep mode field, select one of the following values:
      • Send alerts when the monitor is activated by any pattern – Kaspersky MLAD sends alerts when the monitor is activated in the sleep mode if the patterns are detected in accordance with the specified monitoring criteria. The number of monitor activations is refreshed in the Event Processor section on the Monitoring tab.
      • Do not send alerts when the monitor is activated – Kaspersky MLAD does not send alerts when the monitor is activated in the sleep mode.
      • Send alerts when the monitor is activated by a new pattern – Kaspersky MLAD sends alerts when the monitor is activated in the sleep mode if new patterns are detected in accordance with the specified monitoring criteria. The number of monitor activations is refreshed in the Event Processor section on the Monitoring tab.
      • Send alerts when the monitor is activated by a previously registered pattern – Kaspersky MLAD sends alerts when the monitor is activated in the sleep mode if stable patterns are detected in accordance with the specified monitoring criteria. The number of monitor activations is refreshed in the Event Processor section on the Monitoring tab.
    3. In the Sleep mode frequency field, specify how often (in days) and at what time (according to the UTC standard) the Event Processor service goes to the sleep mode to reprocess events.

      It is recommended to specify the time when the event stream is the least intensive as the start time for the sleep mode.

      If the specified sleep time has not yet come on the current day, the Event Processor will go to the sleep mode on that day. If the sleep time has already been missed on the current day, the Event Processor will go to the sleep mode at the specified time after the specified number of days.

    4. In the Sleep mode duration (HH:MM) field, specify the time period (in hours and minutes) during which the Event Processor service processes events in the sleep mode.
    5. In the Events history interval for processing in sleep mode field, specify the time interval (in days, hours, and minutes) during which the analyzed events must be forwarded for reprocessing in the sleep mode to the Event Processor service.
  5. Click the Save button.
Page top
[Topic 248010]

Configuring the statuses and causes of incidents

Kaspersky MLAD lets you specify the causes of incidents and the statuses of incidents and groups of incidents.

The status of an incident or a group of incidents is a mark about the status of incident analysis performed by an expert. After installation of Kaspersky MLAD, the following statuses of incidents and incident groups are available by default: Under review, Decision pending, Instructions issued, Problem closed, Cause unknown, Ignore and False positive. For the Problem closed and Ignore statuses, the Notify about an incident check box is cleared by default. If during registration, incidents are automatically assigned one of these statuses, no email alerts will be sent, and no incident dot indicators will be displayed under Monitoring or History. An incident status can be assigned automatically in one of the following cases:

  • If the incident was automatically assigned to a group with that status.
  • If the incident is registered by an ML model element that sets that incident status by default.

The incident cause is a mark of the cause of the incident added by an expert based on the results of the incident analysis.

You can add causes and statuses for incidents. The created causes and statuses of incidents will become available for selection in the Incidents section. You can also change and delete statuses and causes of incidents.

System administrators can configure the causes and statuses of incidents.

To add an incident status:

  1. In the lower-left corner of the window, click An icon in the form of two horizontal equalizer sliders..

    You will be taken to the administrator menu.

  2. Select the System parametersIncidents section.
  3. In the Statuses of incidents section, click the Create button.

    The Create element pane appears on the right.

  4. In the Value, in Russian field, specify the name of the incident status in Russian.
  5. In the Value, in English field, specify the name of the incident status in English.
  6. In the Sort field, indicate the sequence number for which the incident status will be sorted in the Incident status drop-down list in the Incidents section.

    The statuses of incidents will be sorted by their names if the sequence numbers of incident statuses coincide.

  7. To send incident registration notifications together with the added status and display its indicator in the prediction error subsection of the Monitoring and History sections, select the Notify about an incident check box.

    If you remove the checkbox, no email alerts about incidents that receive the status automatically will be sent, and no incident dot indicators will be displayed under Monitoring or History.

  8. Click the Save button.

To add a cause for incidents:

  1. In the administrator menu, select System parametersIncidents.
  2. In the Causes of incidents section, click the Create button.

    The Create element pane appears on the right.

  3. In the Incident cause field, specify the name of the incident cause.
  4. In the Sort field, indicate the sequence number for which the incident cause will be sorted in the Incident cause drop-down list in the Incidents section.

    The causes of incidents will be sorted by their names if the sequence numbers of incident causes coincide.

  5. Click the Save button.

To change the statuses or causes of incidents:

  1. In the administrator menu, select System parametersIncidents.
  2. To change the parameters of incidents, do one of the following:
    • If you need to change the statuses of incidents or groups of incidents, use the Statuses of incidents settings group to select one or more incident statuses and click the Edit button.
    • If you need to change the causes of incidents, use the Causes of incidents settings group to select one or more incident causes and click the Edit button.
  3. Make the necessary changes.
  4. Click the Save button.

To remove statuses or causes of incidents:

  1. In the administrator menu, select System parametersIncidents.
  2. To remove parameters of incidents, do one of the following:
    • If you need to delete the statuses of incidents or groups of incidents, use the Statuses of incidents settings group to select one or more incident statuses and click the Delete button.
    • If you need to delete the causes of incidents, use the Causes of incidents settings group to select one or more incident causes and click the Delete button.
  3. In the window that opens, confirm the deletion.

Kaspersky MLAD will remove information about the incident statuses and causes from the corresponding tables and will remove them from the information about incidents and incident groups in the Incidents section for which these incident causes or statuses were selected.

Page top
[Topic 248011]

Configuring logging for Kaspersky MLAD services

You can configure the log level for Kaspersky MLAD services to write specific information about the state of the application and display it in the logging system (Grafana). To view how Kaspersky MLAD services are mapped to the names of Docker containers and images, see the Appendix.

System administrators can configure the logging of Kaspersky MLAD services.

To configure the log levels of Kaspersky MLAD services:

  1. In the lower-left corner of the window, click An icon in the form of two horizontal equalizer sliders..

    You will be taken to the administrator menu.

  2. Select the System parametersLogging section.

    The list of Kaspersky MLAD services will be displayed on the right.

  3. If necessary, use the drop-down list next to the name of the relevant service to change the log level of the service.

    The following log levels are available in Kaspersky MLAD:

    • Debug – log all information in the application.
    • Info – log basic information about application operations.
    • General – log important information about application operations.
    • Warning – log errors that occur during operation of the application and log events that could lead to errors in application operations.
    • Error – log errors that occur in application operations.
    • Critical – log critical errors that occur in application operations.

    The General log level is used for most services by default. The Info log level is used for the API Server service by default.

  4. Click the Save button.

Page top
[Topic 248012]

Configuring time intervals for displaying data

Kaspersky MLAD lets you specify the time interval (scale) for displaying data on graphs in the Monitoring, History and Time slice sections. After installation of Kaspersky MLAD, the following time intervals are available by default:

  • 1, 5, 10, 15, and 30 minutes
  • 1, 3, 6, and 12 hours
  • 1, 2, 15, and 30 days
  • 3 and 6 months
  • 1, 2, and 3 years

You can add time intervals for displaying data on graphs. The created time intervals will become available for selection in the Monitoring, History and Time slice sections. You can also edit and delete time intervals.

System administrators can configure the time intervals for displaying data on charts.

To add a time interval for displaying data:

  1. In the lower-left corner of the window, click An icon in the form of two horizontal equalizer sliders..

    You will be taken to the administrator menu.

  2. Select the System parametersGraphs section.
  3. In the Time intervals settings group, click the Create button.

    The Create element pane appears on the right.

  4. In the Time interval (sec.) field, specify the time interval for which you want to display data on graphs.

    When a time interval is entered, Kaspersky MLAD automatically breaks down the time interval into specific units of time (years, months, weeks, days, hours, minutes, and seconds) in the Value, in Russian and Value, in English fields.

  5. If necessary, change the Russian name of the time interval in the Value, in Russian field.
  6. If necessary, change the English name of the time interval in the Value, in English field.

  7. In the Sort field, indicate the sequence number for which the time interval will be sorted in the drop-down lists in the Monitoring, History and Time slice section.
  8. Click the Save button.

To change the time intervals for displaying data:

  1. In the administrator menu, select System parametersGraphs.
  2. In the Time intervals settings group, select one or more time intervals and click the Edit button.
  3. Make the necessary changes.
  4. Click the Save button.

To delete time intervals for displaying data:

  1. In the administrator menu, select System parametersGraphs.
  2. In the Time intervals settings group, select one or more time intervals and click the Delete button.
  3. In the window that opens, confirm the deletion.

Information about the time intervals will be deleted from the table.

Page top
[Topic 248013]

Configuring how the Kaspersky MLAD menu items are displayed

System administrators can configure settings for displaying the menu items of Kaspersky MLAD.

To configure the way Kaspersky MLAD menu items are displayed:

  1. In the lower-left corner of the window, click An icon in the form of two horizontal equalizer sliders..

    You will be taken to the administrator menu.

  2. On the opened page, in the menu on the left, select System parametersMenu.

    A list of options appears on the right.

  3. In the Availability of main menu items settings group, use the toggle switch to enable or disable the display of a specific section in the main menu.
  4. In the Availability of administrator menu items settings group, use the toggle switch to enable or disable the display of a specific section in the administrator menu.
  5. Click the Save button.
Page top
[Topic 248014]

Export and import of Kaspersky MLAD settings

Kaspersky MLAD allows you to export and import configuration files that contain the settings of application services and connectors, as well as security settings, application service logging levels, settings for displaying the application menu and settings for typical statuses and causes of incidents, which are configured through the web interface. This could substantially reduce the time spent on configuring Kaspersky MLAD if you have to re-deploy the application.

When exporting settings, Kaspersky MLAD does not save to the archive file the passwords specified in the System parameters section, as well as the certificate files and certificate file keys uploaded in this section.

Only system administrators are allowed to export and import configuration files for Kaspersky MLAD services.

To export configuration files from Kaspersky MLAD:

  1. In the lower-left corner of the window, click An icon in the form of two horizontal equalizer sliders..

    You will be taken to the administrator menu.

  2. Select System parameters.
  3. Click the Export button in the upper part of the opened page.

Kaspersky MLAD configuration files will be saved in an archive named mlad-settings.tar.gz on the local computer.

To upload configuration files to Kaspersky MLAD:

  1. In the administrator menu, select System parameters.
  2. Click the Import button in the upper part of the opened page.
  3. In the opened window, select the archive file containing the necessary configuration of Kaspersky MLAD parameters.

Kaspersky MLAD configuration files will be uploaded to the application.

Page top
[Topic 248015]