Kaspersky Industrial CyberSecurity for Networks

Monitoring events and incidents

March 22, 2024

ID 134912

When analyzing industrial network traffic, the application registers events and incidents.

An event in Kaspersky Industrial CyberSecurity for Networks is a record containing information about the detection of certain changes or conditions in industrial network traffic requiring the attention of an ICS security officer. Events are registered and transmitted to the Kaspersky Industrial CyberSecurity for Networks Server. The Server processes received events and saves them in a database.

An incident is a special type of event that is registered when a certain sequence of events is received. Incidents group events that have certain common traits or that are associated with the same process.

The application registers incidents based on event correlation rules. An event correlation rule describes the conditions for checking the sequences of events. When the application detects a sequence of events matching the rule conditions, it registers an incident that indicates the name of the triggered rule. Incidents are registered using the system event type that is assigned the code 8000000001.

Event correlation rules are embedded in the application and are applied regardless of the security policy.

After installation, the application uses the default event correlation rules. To improve the effectiveness of rules, Kaspersky experts regularly update the databases containing the sets of rules. You can update correlation rules by installing updates.

The Kaspersky Industrial CyberSecurity for Networks Server registers events and incidents according to the settings defined for registering event types. You can configure these settings in the Event types section (for all event types) and when configuring Process Control rules (only for events that are registered when Process Control rules are triggered).

To reduce the number of frequently recurring events that do not require attention from the operator, you can create allow rules for events. Events that satisfy an allow rule are not registered. For example, you can use an allow rule to temporarily disable registration of all events from a specific monitoring point. You can view allow rules for events in the Allow rules section; these rules are shown with the EVT type.

The application saves events and incidents in the database on the Server. The total volume of saved entries cannot exceed the defined limit. If the volume exceeds the defined limit, the application automatically deletes 10% of the oldest entries. If the minimum storage time limit is enabled and the application deletes entries whose storage time is less than the defined limit, a corresponding message will appear in the application message log. You can configure the settings for storing events and incidents.

Database files are saved on the Server in the DBMS folders. Deleting or modifying any file in these folders may disrupt the operation of the application.
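As an added illustration (not the product's own code), the following Python model shows how the allow-rule suppression and the storage-limit behaviour described above fit together: events matching an allow rule are never stored, and when the store exceeds its limit the oldest 10% of entries are dropped, with a message recorded when the minimum storage time limit is enabled and a dropped entry was stored for less than that time. Class names, field names and the sample events are assumptions made for this example.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Optional

@dataclass
class Event:
    ts: int                 # registration time in seconds (constructed sample values)
    monitoring_point: str   # monitoring point that produced the event

@dataclass
class EventStore:
    """Illustrative model of the Server's event storage (assumed names, not product code)."""
    max_entries: int
    min_storage_time: Optional[int] = None            # seconds; None means the limit is disabled
    allow_rules: List[Callable[[Event], bool]] = field(default_factory=list)
    entries: List[Event] = field(default_factory=list)
    messages: List[str] = field(default_factory=list)  # stands in for the application message log

    def register(self, event: Event, now: int) -> bool:
        """Return True if the event was stored; events matching an allow rule are dropped."""
        if any(rule(event) for rule in self.allow_rules):
            return False
        self.entries.append(event)
        if len(self.entries) > self.max_entries:
            self._delete_oldest(now)
        return True

    def _delete_oldest(self, now: int) -> None:
        # Over the limit: remove 10% of the oldest entries (at least one).
        self.entries.sort(key=lambda e: e.ts)
        count = max(1, len(self.entries) // 10)
        removed, self.entries = self.entries[:count], self.entries[count:]
        if self.min_storage_time is not None:
            young = [e for e in removed if now - e.ts < self.min_storage_time]
            if young:
                self.messages.append(
                    f"deleted {len(young)} entries stored less than {self.min_storage_time}s")

def demo() -> EventStore:
    """Fill a small store with constructed events; one monitoring point is silenced by an allow rule."""
    store = EventStore(max_entries=10, min_storage_time=7000,
                       allow_rules=[lambda e: e.monitoring_point == "mp-maintenance"])
    now = 7200
    for i in range(12):                                  # 12 events, 10 minutes apart
        store.register(Event(ts=i * 600, monitoring_point="mp-1"), now)
    store.register(Event(ts=now, monitoring_point="mp-maintenance"), now)  # suppressed by allow rule
    return store
```

Running `demo()` leaves 10 stored entries (the two oldest were deleted in two trims) and one message, because the second deleted entry had been stored for less than the 7000-second minimum.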

You can view information about events and incidents in the following sections of the Kaspersky Industrial CyberSecurity for Networks web interface:

  • The Dashboard section displays general information about the latest events and incidents registered by the application.
  • The Events section displays detailed information about events and incidents and provides the capability to download information from the Server database for any period.

In this section:

  • Scores and severities of events
  • Event registration technologies
  • Event statuses
  • Table of registered events
  • Viewing events included in an incident
  • Viewing event details
  • Viewing information about risks associated with events
  • Viewing information about devices associated with events
  • Displaying event information on the network interactions map
  • Changing the statuses of events
  • Creating allow rules for events
  • Setting markers
  • Copying events to a text editor
  • Loading traffic for events
  • Creating a folder for exporting events to a network resource
  • Exporting events using the export utility
