When analyzing industrial network traffic, the application registers events and incidents.
An event in Kaspersky Industrial CyberSecurity for Networks is a record containing information about the detection of certain changes or conditions in industrial network traffic requiring the attention of an ICS security officer. Events are registered and transmitted to the Kaspersky Industrial CyberSecurity for Networks Server. The Server processes received events and saves them in a database.
An incident is a special type of event that is registered when a certain sequence of events is received. Incidents group events that have certain common traits or that are associated with the same process.
The application registers incidents based on event correlation rules. An event correlation rule describes the conditions for checking the sequences of events. When the application detects a sequence of events matching the rule conditions, it registers an incident that indicates the name of the triggered rule. Incidents are registered using system event types that are assigned the codes 8000000000, 8000000001, 8000000002 and 8000000003.
Event correlation rules are embedded in the application and are applied regardless of the security policy loaded in the Console or applied on the Server.
After installation, the application uses the default event correlation rules. To improve the effectiveness of rules, Kaspersky experts regularly update the databases containing the sets of rules. You can update correlation rules by installing updates.
The Kaspersky Industrial CyberSecurity for Networks Server registers events and incidents and relays information about them to external systems according to the settings defined for registering event types. You can configure these settings in the Console on the Configure events tab. For configuration information, please refer to the Configuring events section.
The settings for storing events and incidents are configured in the Manage logs window of the Application Console. By default, the database will store 100000 records for 365 days. If the number of records or the retention period exceed the specified maximum values, the oldest records are deleted. When necessary, you can change the number of stored records as well as their retention period.
The application saves events and incidents in the database on the Server.
Deleting or modifying any file in DBMS folders can disrupt the operation of the application.
You can view information about events and incidents in the following sections of the Kaspersky Industrial CyberSecurity for Networks web interface: