Kaspersky Machine Learning for Anomaly Detection

Viewing the pattern history

December 6, 2023

ID 248087

In the section Event Processor → Patterns history, you can find and view the structure of the new and/or persistently recurring patterns. The Event Processor generates patterns only for specific directions that are defined in the attention configuration by the system administrator.

Viewing the pattern history is available to system administrators.

You can also view the structure of the detected patterns down to the event level. The Event Processor represents patterns, events, and values of event parameters as a layered hierarchy of nested elements. For example, a fourth-layer pattern consists of subpatterns of the third layer. A third-layer pattern consists of second-layer patterns, and a second-layer pattern consists of events, which are first-layer elements. Event parameter values are elements of the null terminal layer.

Each monitored asset has its own specific incoming events and event parameters. The list of event parameters is defined in the configuration file for the Event Processor service. The configuration file is created and uploaded by a system administrator during configuration of the Event Processor service.

To view the registered patterns:

  1. In the main menu, select the Event Processor → Patterns history section.
  2. In the Filters section, configure the following settings for displaying patterns on the page:
    1. In the Start of period field, click the calendar icon and select the starting date and time of the period for which you want to view the patterns.
    2. In the End of period field, click the calendar icon and select the end date and time of the period for which you want to view the patterns.
    3. In the Pattern type drop-down list, select one of the following values:
      • Stable refers to patterns that were registered by the Event Processor service two or more times.
      • New refers to new patterns registered by the Event Processor service for the first time.
      • All includes all patterns that were registered by the Event Processor service.
    4. To view patterns for a specific attention direction, select Attention for the relevant event parameter.

      You must select one of the attention directions that were defined when configuring the attention settings.

    5. To configure event parameters, do one of the following:
      • To view patterns based on specific values of the event parameters, select the event parameter values in the drop-down lists. As you start typing a value, all matching parameter values are displayed in the lists.
      • If you need to view patterns based on a value template, turn on the Regular expression toggle switch for the relevant event parameters, use the drop-down lists to enter the value template with a regular expression, and select Regular expression: <value template>.

        You can use special characters of regular expressions to perform a search based on regular expressions.

      For the request to be processed correctly, enter the values for the event parameter that is receiving focused attention from the model. If an event parameter that is receiving focused attention has multiple values defined, the Event Processor will generate patterns for each value of the parameter.

  3. Click the Process request button.

    The central part of the page displays a table containing data on the registered patterns.

  4. To view the pattern structure, click the desired pattern row.

    The page with detailed information on the pattern opens.

  5. To view the structure of a pattern, do one of the following:
    • To view the structure of a particular subpattern, on the Patterns tab in the Nested elements section, click the desired pattern.

      You can return to viewing the top-level pattern structure by clicking the ID of the desired pattern above the Pattern info section.

    • To view the table of subpatterns at a certain nesting level, select the desired layer on the Patterns tab of the Nested elements section.
    • To view the events included in the pattern at the current nesting level, click the Events tab.

    Kaspersky MLAD displays the pattern structure from the top nesting level.
