Kaspersky Machine Learning for Anomaly Detection

Managing monitors

The functionality is available after a license key is added.

Under Event Processor → Monitoring, you can manage monitors to track specific events, patterns, event parameter values, and generalized events or patterns. You can view a summary of registered activations by monitor as a histogram.

You can manage monitors on the Monitors tab. To navigate to the tab, click the Monitors icon (four rectangles of different sizes with rounded corners) in the upper right corner of the section.

The tab displays all monitors created in the application, with the following brief information:

  • Monitor name.
  • Number of monitor activations on the sliding window.
  • Monitor subscription type. The following values can be displayed for each monitor:
    • Parameter values. The monitor tracks the occurrence of certain event parameter values.
    • Events. The monitor tracks the occurrence of certain events.
    • Patterns. The monitor tracks the occurrence of patterns in the behavior of the monitored asset.
    • Unique generalized. The monitor tracks the occurrence of unique generalized events or patterns.
    • Similar generalized. The monitor tracks the occurrence of similar generalized events or patterns.
  • Activation threshold: the number of monitor activations on the sliding window that, when reached, causes the application to send a monitor activation alert to the external system.
  • Period: the sliding window during which the number of monitor activations is tracked.

You can view detailed information about each monitor if needed. To do so, click the monitor tile.

  • Name: name of the monitor being viewed.
  • State: parameter that determines the monitor state.
  • Monitor ID: unique identifier of the monitor being viewed.
  • Activations count is the number of registered monitor activations on the sliding window.
  • Date and time of last activation: date and time when the monitor was last activated.
  • Activation stack size determines the number of most recent monitor activations displayed in the Activation stack table.
  • Subscription type indicates what is being tracked by the viewed monitor: event parameter values, events, or patterns.
  • Sliding window indicates the length of the time interval, counted back from the current time, within which activations are taken into account. The window moves forward with time according to the timestamps in the events.
  • Activation threshold indicates the number of activations that must be registered by the monitor on the sliding window before sending an alert about the monitor activation to the external system via the CEF Connector.
  • Attention head indicates the specific attention head that is the current focus of the Event Processor. This parameter is displayed only when the monitor is activated by a pattern, or unique or similar generalized event or pattern.
  • Attention subject parameter indicates the specific parameter of the attention subject that is the current focus of the Event Processor. This parameter is displayed only when the monitor is activated by a pattern, or unique or similar generalized event or pattern.
  • Subscription to events determines whether the monitor is tracking generalized events. This parameter is displayed only when the monitor is activated by a unique or similar generalized event or pattern.
  • Subscription to patterns determines whether the monitor is tracking generalized patterns. This parameter is displayed only when the monitor is activated by a unique or similar generalized event or pattern.
  • Activation type determines whether the monitor tracks only new event parameter values, events, and patterns. This parameter is displayed only when the monitor is activated by an event parameter value, event, or pattern.
  • Filters is a table containing information about filters for event parameters observed by the current monitor to track event parameter values, events, and patterns. The following data is displayed for each element:
    • Parameter name refers to the name of the event parameter whose values are being observed by the viewed monitor.

      Each monitored asset has its own specific incoming events and event parameters. The names of event parameters are defined in the configuration file for the Event Processor service. The configuration file is created and uploaded by a qualified technical specialist of the Customer, a Kaspersky employee, or a certified integrator during configuration of the Event Processor service.

    • Filter type determines the type of filter for event parameters that are observed by the current monitor to track event parameter values, events, and patterns.
    • Value type defines which types of values are being tracked by the viewed monitor: values based on a template, specific values, new values, or all values.
    • Values refers to the values of the event parameter that is being observed by the viewed monitor.

    This table is displayed only when the monitor is activated by an event parameter value, event, or pattern.

  • Activation stack is a table that contains information about the latest activations of the monitor:
    • Parameter value ID is the ID of the event parameter value whose detection caused the monitor activation. This parameter is displayed only when the monitor is activated by an event parameter value.
    • Event ID is the ID of the event whose detection caused the monitor activation. This parameter is displayed only when the monitor is activated by an event.
    • Pattern ID is the ID of the pattern whose detection caused the monitor activation. This parameter is displayed only when the monitor is activated by a pattern.
    • System parameters is a group of system settings containing the following information:
      • Event date and time is the date and time when the event is detected in the event stream.
      • Interval from previous item is the time interval between the current and the previous event in the event stream on the sliding window. Kaspersky MLAD displays the time intervals between events upon the first detection of the pattern containing the events. When a pattern is detected again, the Event Processor takes into account the allowed interval dispersion coefficient specified by the administrator for these events.
      • Total activations is the number of event occurrences in the event stream on the sliding window.
      • Parameter count is the number of event parameters for which the values were received from the monitored asset.
      • Last activation is the date and time when the event was last detected in the event stream on the sliding window.

      This group of parameters is displayed only when the monitor is activated by an event or an event parameter value.

    • Attention subject is the attention subject parameter and its value whose detection activated the monitor. This parameter is displayed only when the monitor is activated by a pattern.
    • Activation date and time is the date and time when the monitor was activated. This parameter is displayed only when the monitor is activated by a pattern.
    • Event parameter is the value of the event parameter received from the monitored asset. This parameter is displayed only when the monitor is activated by an event parameter value.
    • Event parameters are the values of the parameters of the event received from the monitored asset. This parameter is displayed only when the monitor is activated by an event.
    • Event count is the number of events included in the pattern that caused the monitor activation. This parameter is displayed only when the monitor is activated by a pattern.
    • Total activations: the number of pattern occurrences in the event stream on the sliding window. This parameter is displayed only when the monitor is activated by a pattern.
  • Statistics on generalized events is a table that contains information about generalized events:
    • Event ID is the ID of the generalized event.
    • Activations count is the number of registered monitor activations on the sliding window.
    • Number of attention subjects is the number of attention subject parameter values whose detection activated the monitor.
    • Event is the detected generalized event.
    • Attention subjects are the attention subject parameter values whose detection activated the monitor.

    This table is displayed only when the monitor is activated by generalized events.

  • Statistics on generalized patterns is a table that contains information about generalized patterns:
    • Pattern ID is the ID of the generalized pattern.
    • Activations count is the number of registered monitor activations on the sliding window.
    • Event count is the number of events in the generalized pattern.
    • Number of attention subjects is the number of attention subject parameter values whose detection activated the monitor.
    • Pattern duration is the time interval between the first and the last event in a detected pattern. When a pattern is detected again, the Event Processor takes into account the allowed interval dispersion coefficient specified by the administrator for the events of the pattern.
    • Pattern is a detected generalized pattern.
    • Attention subjects are the attention subject parameter values whose detection activated the monitor.

    This table is displayed only when the monitor is activated by generalized patterns.

You can view the histogram with a summary of activations on the Histogram tab, in the upper right corner of the section.

In this section

Creating a monitor

Editing a monitor

Deleting a monitor


Creating a monitor

The functionality is available after a license key is added.

To create a monitor:

  1. In the main menu, select the Event Processor → Monitoring section.
  2. Click the Create monitor button.

    The Create monitor pane appears on the right.

  3. Specify the name of the monitor in the Name field.
  4. To use the monitor to track parameter values, events, or patterns, set State to Active.
  5. In the Sliding window (sec.) field, specify the length of the sliding window in seconds, that is, how far back from the current point in time the monitor counts incoming parameter values, events, or patterns.
  6. In the Activation stack size field, specify the number of monitor activations that must be displayed when viewing information about the monitor.
  7. Under Subscription type, select one of the following options:
    • To track the occurrence of certain event parameter values, select Parameter values.
    • To track the occurrence of certain events, select Events.
    • To track the occurrence of patterns in the behavior of the monitored asset, select Patterns.
    • To track unique generalized events or patterns, select Unique generalized.
    • To track similar generalized events or patterns, select Similar generalized.
  8. In the Activation parameters block, do the following:
    1. In the Activation threshold field, specify the number of monitor activations in the sliding window after which the monitor sends an alert to the external system.

      This parameter is displayed if Parameter values, Events, or Patterns is selected under Subscription type.

    2. To track new events, patterns, or event parameter values, set Activation type to Track only new.

      This parameter is displayed if Parameter values, Events, or Patterns is selected under Subscription type.

    3. In the Attention head drop-down list, select the attention head to focus the monitor's attention on the required directions in the behavior of the monitored asset.

      This parameter is displayed if Patterns, Unique generalized, or Similar generalized is selected under Subscription type.

    4. In the Subscription to events or patterns field, select one of the following options:
      • To track generalized events, select Subscription to events.
      • To track generalized patterns, select Subscription to patterns.

      This parameter is displayed if Unique generalized or Similar generalized is selected under Subscription type.

  9. To specify the conditions for activating the monitor when tracking event parameter values, events, or patterns, do the following under Filters:
    1. Perform one of the following actions:
      • To track events for all specified values within a single monitor, set the toggle switch to Track for all values simultaneously.
      • To create child monitors for each specified event parameter value selected from the Event parameter drop-down list, and track their occurrence separately, set the toggle switch to Track for each value.

      This toggle switch is displayed if Events is selected under Subscription type.

    2. In the Event parameter drop-down list, select the event parameter whose values refine the monitor activation conditions.
    3. In the Filter type drop-down list, select one of the following values:
      • Parameter: to activate the monitor when tracking specific event parameter values.
      • Generalized parameter: to activate the monitor when tracking generalized event parameter values.

        This value can be selected if the monitor is tracking the occurrence of patterns.

      • Attention: to focus the attention of the event processor on a specific event parameter.

        This value can be selected if the monitor is tracking the occurrence of patterns.

      • Generalized attention: to focus the generalized attention of the event processor on the selected parameter.

        This value can be selected if the monitor is tracking the occurrence of patterns.

    4. Perform one of the following actions:
      • To include or generalize all values of an event parameter in attention, select All values from the Value type drop-down list.
      • To include or generalize a specific event parameter value in attention, select Specific values from the Value type drop-down list and enter the relevant value in the Value field. As you start typing a value, all matching parameter values are displayed in the list.
      • To include or generalize event parameter values according to a template in attention, from the Value type drop-down list, select Regular expression and enter the value template using a regular expression in Value.

        You can use special characters of regular expressions to search for events and patterns based on regular expressions.

      • To include or generalize the new values of an event parameter in attention, select New values from the Value type drop-down list.

        This value type is available if the Activation type toggle switch is set to Track only new.

      If necessary, you can specify more than one monitor activation condition. You can delete a previously added condition by clicking the basket (delete) icon next to the condition.

  10. Click the Save button.

The new monitor is created and displayed on the Monitoring tab.
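To make the sliding-window, activation-threshold and Value type semantics described above concrete, the following is a small Python model of a Parameter values monitor. It is an added example, not Kaspersky MLAD code: the event format, the sample events, and the assumption that an alert is sent each time the activation count reaches the threshold are all constructed.

```python
import re
from collections import deque

class Monitor:
    # Toy model of a 'Parameter values' monitor (added example, not MLAD's own code).
    def __init__(self, name, parameter, value_type, value=None,
                 sliding_window=60, activation_threshold=3, stack_size=5):
        self.name, self.parameter, self.value_type, self.value = name, parameter, value_type, value
        self.window, self.threshold = sliding_window, activation_threshold
        self.activations, self.alerts, self.seen = [], [], set()  # window hits, alerts, seen values
        self.stack = deque(maxlen=stack_size)  # the Activation stack shown in the UI

    def matches(self, value):  # the Value type / Value filter fields
        if self.value_type == "All values":
            return True
        if self.value_type == "Specific values":
            return value == self.value
        if self.value_type == "Regular expression":
            return re.fullmatch(self.value, value) is not None
        if self.value_type == "New values":  # needs Activation type = Track only new
            return value not in self.seen
        raise ValueError(f"unknown value type {self.value_type!r}")

    def process(self, event):
        ts, value = event["ts"], event.get(self.parameter)
        hit = value is not None and self.matches(value)
        if value is not None: self.seen.add(value)
        if not hit:
            return False
        # The window shifts with event timestamps, not with wall-clock time.
        self.activations = [t for t in self.activations if ts - t < self.window] + [ts]
        self.stack.append((ts, value))
        # Assumption: an alert goes out every time the count reaches the threshold.
        if len(self.activations) >= self.threshold:
            self.alerts.append((ts, self.name, len(self.activations)))
            return True
        return False

SAMPLE_EVENTS = [  # constructed sample stream; ts in seconds
    {"ts": 0, "event_type": "auth_fail", "src": "10.0.0.5"},
    {"ts": 20, "event_type": "auth_fail", "src": "10.0.0.5"},
    {"ts": 30, "event_type": "valve_open", "src": "plc-1"},
    {"ts": 45, "event_type": "auth_fail", "src": "10.0.0.7"},  # third auth_* within 60 s
    {"ts": 200, "event_type": "auth_ok", "src": "10.0.0.5"},  # earlier hits have aged out
    {"ts": 210, "event_type": "auth_fail", "src": "10.0.0.9"},
]

def run_demo():
    burst = Monitor("auth-burst", "event_type", "Regular expression", r"auth_.*", 60, 3, 2)
    sources = Monitor("new-sources", "src", "New values", None, 1000, 4)
    for ev in SAMPLE_EVENTS: burst.process(ev); sources.process(ev)
    return burst, sources
```

Running `run_demo()` shows the regex monitor alerting once at ts=45 and then starting over after the old activations leave the window, while the New values monitor alerts only when the fourth never-seen source appears.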


Editing a monitor

You can enable or disable the use of the monitor to track event parameter values, events, or patterns.

The functionality is available after a license key is added.

To edit a monitor:

  1. In the main menu, select the Event Processor → Monitoring section.
  2. In the vertical menu (three vertically arranged dots) of the monitor tile, select Edit.

    The Edit monitor panel appears on the right.

  3. Enter a new name for the monitor as needed.
  4. Perform one of the following actions:
    • To start using the monitor to track event parameter values, events, or patterns, set State to Active.
    • To stop using the monitor to track event parameter values, events, or patterns, set State to Inactive.
  5. Click the Save button.

Deleting a monitor

The functionality is available after a license key is added.

To delete a monitor:

  1. In the main menu, select the Event Processor → Monitoring section.
  2. In the vertical menu (three vertically arranged dots) of the monitor tile, select Delete.
  3. Confirm monitor deletion.

The monitor will be deleted.
