In the Incidents section, you can view the technical specifications of registered incidents. To do so, click the right arrow next to the relevant incident in the incidents table. The following technical specifications will be displayed for the selected incident:
Model name refers to the name of the utilized ML model.
Model branch is the name of the ML model branch. This is absent if the ML model has no branches.
Detector refers to the name of the detector that identified an anomaly and registered the incident: Forecaster, Limit Detector, Rule Detector, Stream Processor.
MSE value is the value of the individual mean square error.
Threshold value refers to the MSE threshold value for the ML model branch in use at the time of incident registration.
Top tag name (top tag ID) is the name and ID of the tag whose behavior invoked registration of the incident.
If an incident was registered by the Forecaster Detector, the name of the most anomalous tag is displayed, that is, the tag that influenced the registration of the incident more than the other tags. For the Rule Detector, this parameter shows a value obtained from the diagnostic rule. For the Limit Detector, the tag whose value exceeded the blocking threshold defined for this tag is displayed.
Top tag value is the value of the top tag registered when the incident occurred.
Blocking threshold refers to the thresholds of the top tag values at which the ICS must take emergency response measures.
Description refers to a description of the top tag.
Measurement units refer to the units for measuring the top tag values.
Incident type is the type of incident registered by the Stream Processor service. The Stream Processor service registers incidents when it detects observations that were received by Kaspersky MLAD too early or too late, or if the incoming data stream from a certain tag is terminated or interrupted.
Data date and time is the date and time when the observation was generated according to the monitored asset time. This parameter is displayed only for the Late receipt of observation and Clock malfunction incident types.
Lag / Lead is the amount of time by which the observation generation time lags behind or is ahead of the time the observation was received in Kaspersky MLAD. If data is received too early, the parameter value is displayed with a plus sign (+). If data is received too late, the parameter value is displayed with a minus sign (-). This parameter is displayed only for the Late receipt of observation and Clock malfunction incident types.
Expert opinion is the field for adding an expert opinion based on an analysis of the registered incident. This field is completed by an expert (process engineer or ICS specialist).
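The Lag / Lead sign convention and the Stream Processor timing checks described above, worked through on constructed observations. This is an added illustration, not Kaspersky MLAD code: the tolerances, the function names, the `STREAM_GAP` label, and the mapping of early receipt to the Clock malfunction type are assumptions.

```python
from datetime import datetime, timedelta

# Assumed tolerances; the page does not state the product's values.
MAX_LEAD = timedelta(seconds=5)   # observation timestamp ahead of receipt
MAX_LAG = timedelta(seconds=30)   # observation timestamp behind receipt
MAX_GAP = timedelta(seconds=60)   # silence between receipts for one tag

def signed_offset(generated, received):
    """Lag / Lead as the page defines it: '+' when the observation's own
    timestamp is ahead of receipt (received too early), '-' when behind."""
    delta = generated - received
    sign = "+" if delta >= timedelta(0) else "-"
    return f"{sign}{abs(delta).total_seconds():.0f}s"

def timing_incidents(observations):
    """observations: (tag_id, generated, received) tuples ordered by receipt."""
    incidents, last_seen = [], {}
    for tag, generated, received in observations:
        prev = last_seen.get(tag)
        if prev is not None and received - prev > MAX_GAP:
            # Placeholder label: the page does not name this incident type.
            incidents.append((tag, "STREAM_GAP", None))
        last_seen[tag] = received
        delta = generated - received
        if delta > MAX_LEAD:
            # Assumption: early receipt is reported as Clock malfunction.
            incidents.append((tag, "Clock malfunction", signed_offset(generated, received)))
        elif -delta > MAX_LAG:
            incidents.append((tag, "Late receipt of observation", signed_offset(generated, received)))
    return incidents

T0 = datetime(2024, 1, 1, 12, 0, 0)  # constructed reference time

def at(seconds):
    return T0 + timedelta(seconds=seconds)

# Constructed sample: (tag, generated on the asset, received by the monitor)
SAMPLE = [
    ("tag-1", at(0), at(1)),      # on time
    ("tag-2", at(10), at(2)),     # timestamp 8 s ahead of receipt
    ("tag-1", at(5), at(50)),     # received 45 s after generation
    ("tag-2", at(119), at(120)),  # 118 s of silence since the last tag-2 receipt
]

if __name__ == "__main__":
    for incident in timing_incidents(SAMPLE):
        print(incident)
```

The gap check only fires when a tag resumes sending; detecting a stream that never resumes would need a timer driven by the current time rather than by the next observation.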