Kaspersky Machine Learning for Anomaly Detection

Configure attention settings

Before events are processed by the Event Processor service, attention settings must be configured.

Attention heads form the foundation of attention configuration. They define the attention subject parameter and attention subject condition parameters. The attention subject corresponds to the main event parameter that the event processor will use to register events and patterns. The conditions correspond to criteria for registering events and patterns for other event parameters. An attention head processes only those events in the entire incoming event stream that satisfy the specified attention subject and conditions.

The event processor can register generalized events and patterns to track general behavior for different attention subject values. To do this, set Generalized attention as the attention type when configuring the attention subject. You can also specify Generalized parameter as the condition type when configuring attention subject conditions. Generalized attention subject and condition parameters will not be displayed within registered events or patterns. They will, however, influence the rules for extracting these generalized events and patterns from the stream.

All created attention heads and information about them are displayed in the Attention heads panel. To open the panel, click Configure attention. The panel shows the following for each attention head:

  • Name is the name of the attention head.
  • Attention subject parameter is the name of the event parameter selected as the attention subject.
  • Attention type is the type of attention according to which the event processor registers events and patterns.
  • State indicates whether this attention head is in use.
  • Actions are the buttons for editing or deleting attention heads.

In this section

Adding an attention head

Editing an attention head

Removing an attention head


Adding an attention head

You can create multiple attention heads and use different attention heads for different monitors simultaneously.

The functionality is available after a license key is added.

A large number of attention heads can reduce event processor performance and slow down the core Kaspersky MLAD services, such as data reception, anomaly detection, and the web interface. To determine an appropriate number of attention heads, consult Kaspersky experts or a certified integrator.

To add an attention head:

  1. In the main menu, select the Event Processor → Monitoring section.
  2. On the page that opens, click Configure attention.

    The Attention heads panel appears on the right.

  3. To add an attention head, click Add attention head.

    The Add attention head panel appears on the right.

  4. In the Name field, specify the attention head name.
  5. To use the attention head when processing an event flow, set the State toggle switch to Active.
  6. Under Attention subject, do the following:
    1. From the Event parameter drop-down list, select the primary event parameter you want to register events and patterns for.
    2. In the Attention type drop-down list, select one of the following values:
      • Attention. When registering events and patterns, the event processor's attention will be directed to the selected event parameter based on the selected value.
      • Generalized attention. When registering events and patterns, the event processor will aggregate the selected values of the selected event parameter.

        When this attention type is selected, the event processor will register generic patterns that will not display the selected event parameter with the selected value when viewed. The Event Processor will track each specified event parameter value separately.

    3. Perform one of the following actions:
      • To include or generalize all values of an event parameter in attention, select All values from the Value type drop-down list.

        Selecting All values causes the event processor to track events and patterns for each specific event parameter value separately. To ensure stable event processor performance, we recommend defining specific values for the event subject.

      • To include or generalize specific event parameter values in attention, select Specific values from the Value type drop-down list and enter the relevant value in the Value field. As you start typing a value, all matching parameter values are displayed in the list.

        If you selected Generalized attention as the attention type, select at least two values for the event parameter.

      • To include or generalize event parameter values according to a template in attention, from the Value type drop-down list, select Regular expression and enter the value template using a regular expression in Value.

        You can use special characters of regular expressions to search for events and patterns based on regular expressions.

  7. If you need to generalize other event parameters, set the Generalize condition parameters toggle switch to Enabled.

    If generalized attention was selected as the attention type, then, when the switch is on, the event processor will generalize the remaining event parameters across all their values. In this case, the event processor will not register any event or pattern. To enable the Event Processor to generate events or patterns, you must define at least one event parameter in the Conditions block without generalization based on its values.

  8. To refine the criteria for registering patterns using additional event parameters, do the following under Conditions:
    1. Click the Add condition button.
    2. From the Event parameter drop-down list, select an additional event parameter to refine the data sample for events and patterns registration.
    3. In the Condition type drop-down list, select one of the following values:
      • Parameter. When registering events and patterns, the event processor will consider the values of the selected event parameter while taking into account the data sample obtained for the main event parameter.
      • Generalized parameter. When registering events and patterns, the event processor will aggregate the values of the selected parameter while considering the data sample obtained for the primary event parameter.

        When this condition type is selected, the event processor will register patterns that, when viewed, will not display the selected event parameter with the selected value.

        This value is available if the Generalized attention type is selected for the attention subject.

    4. Perform one of the following actions:
      • To include or generalize the new values of an event parameter in attention, select New values from the Value type drop-down list.

        New values is available in the following cases:

        • The condition type is set to Parameter.
        • The attention type is set to Attention, the Generalize condition parameters toggle switch is off, and the condition type is set to Generalized parameter.
      • To include or generalize all values of an event parameter in attention, select All values from the Value type drop-down list.

        All values is available in the following cases:

        • The Generalize condition parameters toggle switch is on, and the condition type is set to Parameter.
        • The Generalize condition parameters toggle switch is off, and the condition type is set to Generalized parameter.
      • To include or generalize specific event parameter values in attention, select Specific values from the Value type drop-down list and enter the relevant value in the Value field. As you start typing a value, all matching parameter values are displayed in the list.
      • To include or generalize event parameter values according to a template in attention, from the Value type drop-down list, select Regular expression and enter the value template using a regular expression in Value.

        You can use special characters of regular expressions to search for events and patterns based on regular expressions.

    You can set more than one condition for additional event parameters. You can delete a previously added condition by clicking the basket icon next to the condition.

    The conditions will be additionally applied to the data sample obtained for the main event parameter set under Attention subject. For example, if the Generalized attention type is selected and the Generalize condition parameters toggle switch is on, the Event Processor will register patterns that will display only those event parameters that were specified under Conditions while considering their selected values. If the toggle switch is off, the event processor will register patterns that will not display the generalized parameter specified under Attention subject. In this case, the values of the event parameters specified under Conditions will be considered.

  9. Click the Save button.

Information about the new attention head will be displayed in the table, in the Attention heads panel. You can rename the attention head, and enable or disable the use of the attention head for event processing.
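
The availability rules in steps 6 to 8 can be checked for a planned attention head before it is entered in the web interface. The following Python code is an added example, not Kaspersky code or a Kaspersky MLAD API: the dictionary layout, the function name validate_head, and the sample parameter names are hypothetical, and Python's re module is assumed for the regular expression syntax check only.

```python
import re

def validate_head(head):
    """Return rule violations for a planned attention head (empty list = OK)."""
    problems = []
    subj = head["subject"]
    generalized = subj["attention_type"] == "Generalized attention"
    toggle = head.get("generalize_conditions", False)
    conditions = head.get("conditions", [])

    def check_regex(where, spec):
        # Assumption: Python's re dialect is used for a syntax pre-check only.
        if spec["value_type"] == "Regular expression":
            try:
                re.compile(spec["value"])
            except re.error as exc:
                problems.append(f"{where}: invalid regular expression ({exc})")

    check_regex("subject", subj)
    # Step 6: Generalized attention with Specific values needs at least two values.
    if (generalized and subj["value_type"] == "Specific values"
            and len(subj.get("values", [])) < 2):
        problems.append("subject: Generalized attention needs at least two values")
    for i, cond in enumerate(conditions, 1):
        where = f"condition {i}"
        ctype, vtype = cond["condition_type"], cond["value_type"]
        check_regex(where, cond)
        # Step 8: cases in which New values is available.
        if vtype == "New values" and not (
                ctype == "Parameter" or (not generalized and not toggle)):
            problems.append(f"{where}: New values is not available here")
        # Step 8: cases in which All values is available.
        if vtype == "All values" and not (
                (toggle and ctype == "Parameter") or (not toggle and ctype != "Parameter")):
            problems.append(f"{where}: All values is not available here")
    # Step 7: generalized attention with the toggle on registers nothing
    # unless at least one condition is a non-generalized Parameter.
    if generalized and toggle and not any(
            c["condition_type"] == "Parameter" for c in conditions):
        problems.append("head: nothing will be registered; add a Parameter condition")
    return problems

# Constructed sample with hypothetical parameter names; it breaks three rules.
SAMPLE_BAD = {
    "subject": {"event_parameter": "user", "attention_type": "Generalized attention",
                "value_type": "Specific values", "values": ["operator1"]},
    "generalize_conditions": True,
    "conditions": [{"event_parameter": "action", "value_type": "All values",
                    "condition_type": "Generalized parameter"}],
}
```

Calling validate_head(SAMPLE_BAD) reports the single subject value, the unavailable All values selection, and the missing Parameter condition.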


Editing an attention head

You can enable or disable the use of the attention head when processing the flow of events.

You cannot modify attention subject or condition parameters. You can remove attention heads or create new ones if needed.

The functionality is available after a license key is added.

To edit an attention head:

  1. In the main menu, select the Event Processor → Monitoring section.
  2. On the page that opens, click Configure attention.

    The Attention heads panel appears on the right.

  3. Click the pencil icon next to the attention head you want to edit.

    The Edit attention head panel appears on the right.

  4. Rename the attention head as needed.
  5. Perform one of the following actions:
    • To use the attention head when processing an event flow, set State to Active.
    • To disable the use of the attention head when processing an event flow, set State to Inactive.
  6. Click the Save button.


Removing an attention head

The functionality is available after a license key is added.

To delete an attention head:

  1. In the main menu, select the Event Processor → Monitoring section.
  2. On the page that opens, click Configure attention.

    The Attention heads panel appears on the right.

  3. Click the basket icon next to the attention head you want to delete.
  4. In the window that opens, confirm that you want to delete the attention head.

Information about the attention head will be deleted from the table in the Attention heads panel. Patterns detected according to this attention head will also be removed from Kaspersky MLAD.
