Kaspersky Machine Learning for Anomaly Detection

Viewing the pattern history

In the section Event Processor → Patterns history, you can find and view the structure of the new and/or persistently recurring patterns. The Event Processor generates patterns only for specific directions according to attention heads that are defined in the attention configuration.

The functionality is available after a license key is added.

You can also view the structure of the detected patterns down to the event level. The Event Processor represents patterns, events, and values of event parameters as a layered hierarchy of nested elements. For example, a fourth-layer pattern consists of subpatterns of the third layer. A third-layer pattern consists of second-layer patterns, and a second-layer pattern consists of events, which are first-layer elements. Event parameter values are elements of the null terminal layer.

Each monitored asset has its own specific incoming events and event parameters. The list of event parameters is defined in the configuration file for the Event Processor service. The configuration file is created and uploaded by a system administrator during configuration of the Event Processor service.

To view the registered patterns:

  1. In the main menu, select the Event Processor → Patterns history section.
  2. In the Filters section, configure the following settings for displaying patterns on the page:
    1. In the History interval drop-down list, click the calendar icon button to select the start and end date and time of the period for which you want to load and view patterns.
    2. In the Pattern type drop-down list, select one of the following values:
      • Stable refers to patterns that were registered by the Event Processor service two or more times.
      • New refers to new patterns registered by the Event Processor service for the first time.
      • All includes all patterns that were registered by the Event Processor service.
    3. From the Attention head drop-down list, select the specific attention head to examine for registered patterns.

      You must select one of the attention heads that were defined when configuring the attention settings.

    4. To configure event parameters, do one of the following:
      • To view patterns based on specific values of the event parameters, select the event parameter values in the drop-down lists. As you start typing a value, all matching parameter values are displayed in the lists.
      • To view patterns based on a value template, click the icon in the form of a dot with an asterisk in the event parameter cells, use the drop-down lists to enter the value template using a regular expression, and select the specified value template.

        You can use the special characters of regular expressions in the value template to search by regular expression.

      For the request to be processed correctly, enter the values for the event parameter that is receiving focused attention from the model. If an event parameter that is receiving focused attention has multiple values defined, the Event Processor will generate patterns for each value of the parameter.

      Event parameters set as generalized in the selected attention head cannot be customized.

  3. Click the Process request button.

    The central part of the page displays a table containing data on the registered patterns.

    • Pattern ID is the ID of the pattern. The number before the underscore at the beginning of a pattern identifier indicates the layer at which that pattern was detected.
    • Last detection in interval is the date and time when the pattern was last detected in the event stream of the monitored asset during the specified period.
    • Activations count in interval is the number of pattern detections in the event stream of the monitored asset during the specified period.
    • Event count is the number of events in the pattern.
    • Last activation is the date and time when the pattern was last detected in the event stream of the monitored asset or in sleep mode.
  4. To view the pattern structure, click the desired pattern row.

    The page with detailed information on the pattern opens.

    • Pattern ID is the ID of the selected pattern. The number before the underscore at the beginning of a pattern identifier indicates the layer at which that pattern was detected.
    • Total activations is the number of detections of the selected pattern in the event stream for the specified period.
    • Interval from previous item is the time interval between the selected pattern and the pattern detected in the pattern sequence on the current layer before the selected pattern. Kaspersky MLAD displays the time intervals between the elements of the selected pattern when it is first detected. When a pattern is detected again, the Event Processor takes into account the coefficient of allowed intervals dispersion specified by the administrator for the elements of this pattern.
    • Event count is the number of events in the pattern.
    • Pattern end time is the end date and time of the selected pattern in the sequence of patterns on the current layer.
    • Last activation is the date and time when the pattern was last detected in the event stream or in sleep mode.
    • Patterns is a tab that displays a table with information about the patterns included in the selected pattern. The following information is displayed on the Patterns tab:

      • Pattern ID is the ID of the subpattern. The number before the underscore at the beginning of a pattern identifier indicates the layer at which that pattern was detected.
      • Pattern end time is the end date and time of the subpattern in the sequence of patterns on the selected layer.
      • Total activations is the number of detections of the subpattern in the structure of the selected pattern.
      • Event count is the number of events in the subpattern.
      • Interval from previous item is the time interval between the subpattern and the previous pattern in the table. Kaspersky MLAD displays the time intervals between the elements of the subpattern when it is first detected. When a pattern is detected again, the Event Processor takes into account the coefficient of allowed intervals dispersion specified by the administrator for the elements of this pattern.
      • Last activation is the date and time when the subpattern was last detected in the sequence of patterns on the selected layer or in sleep mode.
    • Events is a tab that displays a table of events included in the selected pattern. The following data is displayed for each event:
      • Event ID is the ID of the event.
      • System parameters contain the following information about the event:
        • Event date and time is the date and time when the event is detected in the pattern structure.
        • Interval from previous item is the time interval between the current event and the previous event in the table. Kaspersky MLAD displays the time intervals between the events of the selected pattern when it is first detected. When a pattern is detected again, the Event Processor takes into account the coefficient of allowed intervals dispersion specified by the administrator for the events of this pattern.
        • Total activations is the number of repeated occurrences of the event in the structure of the selected pattern during the specified period.
        • Parameter count is the number of event parameters for which the values were received from the monitored asset.
        • Last activation is the date and time when the event was last detected in the event stream.
      • Event parameters are the values of the parameters of the event received from the monitored asset.
  5. To view the structure of a pattern, do one of the following:
    • To view the structure of a particular subpattern, on the Patterns tab in the Nested elements section, click the desired pattern.

      You can return to viewing the top-level pattern structure by clicking the ID of the desired pattern above the Pattern info section.

    • To view the events included in the pattern at the second nesting level, click the Events tab.

    Kaspersky MLAD displays the pattern structure from the top nesting level.
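
The layered structure and the Pattern ID layer prefix described above can be modeled as follows. This is an added illustration, not Kaspersky MLAD code or an MLAD export format: the classes, the field names, the sample IDs and the strict "layer N nests layer N-1" check (taken from the layer example on this page) are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Event:                      # first-layer element
    event_id: str
    params: dict                  # event parameter values (terminal layer)

@dataclass
class Pattern:
    pattern_id: str               # "<layer>_<rest>"; the part after "_" is made up here
    times_registered: int         # constructed value: how often the pattern was registered
    children: list = field(default_factory=list)

def layer_of(pattern_id: str) -> int:
    """Layer = the number before the underscore at the start of the pattern ID."""
    prefix, sep, _ = pattern_id.partition("_")
    if not sep or not prefix.isdigit():
        raise ValueError(f"no layer prefix in {pattern_id!r}")
    return int(prefix)

def pattern_type(p: Pattern) -> str:
    """Stable = registered two or more times, New = registered for the first time."""
    return "Stable" if p.times_registered >= 2 else "New"

def events_of(p: Pattern) -> list:
    """Flatten a pattern to its events; assumes each layer nests only the layer below."""
    layer = layer_of(p.pattern_id)
    if layer < 2:
        raise ValueError("patterns start at the second layer; layer 1 is events")
    found = []
    for child in p.children:
        if layer == 2:
            if not isinstance(child, Event):
                raise ValueError(f"{p.pattern_id}: second-layer patterns hold events")
            found.append(child)
        elif isinstance(child, Pattern) and layer_of(child.pattern_id) == layer - 1:
            found.extend(events_of(child))
        else:
            raise ValueError(f"{p.pattern_id}: expected layer-{layer - 1} subpatterns")
    return found

# Constructed sample: one third-layer pattern made of two second-layer patterns.
SAMPLE = Pattern("3_17", 1, [
    Pattern("2_4", 3, [Event("e1", {"user": "op1"}), Event("e2", {"user": "op1"})]),
    Pattern("2_9", 1, [Event("e3", {"user": "op2"})]),
])

if __name__ == "__main__":
    for sub in SAMPLE.children:
        print(sub.pattern_id, layer_of(sub.pattern_id), pattern_type(sub), len(events_of(sub)))
    print(SAMPLE.pattern_id, "event count:", len(events_of(SAMPLE)))
```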

[Topic 248087]