Configuring settings in the Event Processor section

Before events are processed by the Event Processor service, attention settings and display of event parameters must be configured.

System administrators can manage the attention settings and display of event parameters.

A large number of attention directions can slow down the operation of Kaspersky MLAD main services (data reception, anomaly detection, web interface). To clarify the number of attention directions, it is recommended to consult with Kaspersky experts or a certified integrator.

To configure attention settings and display of event parameters:

1. In the main menu, select the Event Processor → Monitoring section.
2. On the opened page, click the Settings button.

   The Event Processor settings pane will appear on the right.

3. In the Configure attention section, do one of the following for each event parameter:
   • If you need to register patterns for all values of an event parameter, use the drop-down list to select All parameter values.
   • To register patterns for a specific event parameter value, select the event parameter value in the drop-down list. As you start typing a value, all matching parameter values are displayed in the list.

     If the parameter value is not listed, enter the required value and select Create Value: <event parameter value>.

   • If you need to register patterns based on an event parameter value template, turn on the Regular expression toggle switch for the relevant event parameter, use the drop-down list to enter the value template with a regular expression, and select Regular expression: <value template>.

     You can use special characters of regular expressions to search for patterns based on regular expressions.

   Each attention direction is defined by the parameter value that must be present in all events of this direction. When configuring attention directions, you can indicate specific values or templates of values of one or more parameters or define attention directions for all possible values of one or more parameters.

4. To configure the display of filters for the event parameters, in the Filters section on the Event history and Patterns history tabs, in the Configure display of event parameter filters section, select the check boxes next to the names of the desired event parameters.

   By default, the Configure display of event parameter filters section displays the event parameters from the Anomaly Detector service. To display custom event parameters, load the Event Processor service configuration file. All available event parameters are selected by default.

   If the Process incidents as events function is enabled, the Event Processor receives events with the following parameters:

   • incident_detection_system – the name of the detector that registered the incident.
   • incident_model_name – the name of the ML model used.
   • incident_tag_name – the name of the tag whose behavior invoked registration of the incident.
   • incident_group_name – the name of the incident group to which the registered incident belongs.
   • incident_triggered_tag_value – the value of the tag whose behavior invoked registration of the incident.
   • incident_id – the ID of the registered incident.
   • incident_tag_id – the ID of the tag whose behavior invoked registration of the incident.

   If necessary, in the Filters section you can change the display order for the event parameters. For this purpose, drag the required event parameter up or down in the Configure display of event parameter filters section.

5. To save your changes, click the Apply button.