Kaspersky Machine Learning for Anomaly Detection

Scenario: analysis of incidents

December 6, 2023

ID 248089

This section describes the sequence of actions required when analyzing incidents registered by Kaspersky MLAD.

The incident analysis scenario described in this section is not a precisely regulated procedure. The specific scope and sequence of actions taken to investigate an incident and identify its cause depend on the particular subject area, the knowledge level of the process engineer or ICS expert investigating the incident, and the availability of additional information on the monitored asset.

The incident analysis scenario consists of the following steps:

  1. Viewing information about a registered incident

    The Incidents section displays all incidents registered by Kaspersky MLAD, and provides detailed information about their registration time, the detector that registered the incident, and an expert opinion if one was added. You can proceed to view incident information in one of the following ways:

    • Viewing the latest incidents in the Dashboard section

      If you want to view a recently detected incident, in the Dashboard section, click the date and time of the relevant incident in the Latest incidents table. In the History section that opens, in the lower part of the page, click the dot indicator in the MSE section to view a specific incident. The Incidents section opens showing only the incidents that were registered in the specific time interval represented by the selected dot indicator (the interval is displayed above the incidents table).

    • Viewing incidents in the Incidents section

      If you know the date and time when an incident was registered, select the corresponding incident in the Incidents section. You can change the time interval for the displayed incidents by using the bar graph or the date selection field in the upper part of the page.

    • Navigating from an incident notification received by email

      If an incident notification was created for you, you will receive the notification by email when an incident is registered. The email message contains the time when the incident began, the most anomalous tag, and a link to the History section in the Kaspersky MLAD web interface. You can use this link to proceed to the start of the incident in the History section. At the bottom of the History page, click the dot indicator in the MSE section that corresponds to the incident start time. The Incidents section opens showing only the incidents that were registered in the specific time interval represented by the selected dot indicator (the interval is displayed above the incidents table).

    When you find the record of the required incident, click the right arrow to view detailed information about the incident.

  2. Viewing information about similar incidents

    When two or more similar incidents are detected, Kaspersky MLAD automatically combines them into a group. In the incidents table in the Incidents section, the group associated with the incident is displayed in the Group column. If nothing is indicated for the selected incident in this column, this means that Kaspersky MLAD has not yet detected incidents similar to this particular incident.

    To view all incidents in a group, select the Groups tab and click the right arrow next to the relevant group. The table displays information about the incidents assigned to the selected group, as well as an expert opinion if one was added. Read the expert opinions for the individual incidents and for the group.

  3. Studying the behavior of the monitored asset at the moment when an incident was detected

    Study the behavior of the monitored asset at the moment when the incident was detected.

  4. Analyzing the incident

    Analyze the incident while considering the specific details of incident registration depending on the type of detector that registered the incident:

    • Forecaster. The neural network element of the ML model registers incidents when deviations in the behavior of the monitored asset are detected. Using the automatically generated Tags for event #N preset and the available expert knowledge about the monitored asset, form a hypothesis about which tags could have caused the incident, study their behavior, and select the appropriate preset. Analyze the MSE graph: move back in time from the moment the MSE threshold was reached, and examine the behavior of the tags at the moment when the MSE values started to grow.

    • Rule Detector. For each incident registered by elements of the ML model on the basis of a diagnostic rule, the Tags for event #N preset is automatically generated. It includes the value produced by the diagnostic rule that caused the incident to be registered.

    • Limit Detector. For each incident registered by the Limit Detector, the application automatically creates the Tags for event #N preset, which includes the single tag that caused the incident.

    • Stream Processor. The Stream Processor service registers incidents at the stage before telemetry data is passed to the ML model for processing. Incidents are registered if data loss is detected or if observations are received by Kaspersky MLAD too early or too late.

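
The Forecaster walk-back and the Stream Processor timing conditions above can be made concrete in code. The following is an added example, not Kaspersky MLAD code and not a description of how the product computes its MSE or registers Stream Processor incidents: it takes constructed observed and forecast series for three tags, computes a per-step MSE, finds the first step at which an assumed threshold is reached, walks back to the step at which the MSE started to grow above an assumed noise floor, and ranks the tags by how much they contributed over that window. The second function flags gaps, early and late arrivals in a constructed series of observation timestamps; its gap rule and tolerance are assumptions for the example.

```python
# Added illustration (not Kaspersky MLAD code): the Forecaster walk-back and the
# Stream Processor timing checks described above, run on constructed sample data.

# Constructed sample: observed and forecast values for three tags over 12 steps.
# Only "temperature" drifts away from its forecast; the other two carry small noise.
OBSERVED = {
    "pressure":    [10.0, 10.1, 10.0, 10.2, 10.1, 10.0, 10.1, 10.0, 10.2, 10.1, 10.0, 10.1],
    "temperature": [50.0, 50.1, 50.0, 50.2, 50.6, 51.3, 52.5, 54.0, 56.0, 58.0, 60.0, 61.0],
    "flow":        [3.0, 3.0, 3.1, 3.0, 3.0, 3.1, 3.0, 3.2, 3.1, 3.0, 3.1, 3.0],
}
FORECAST = {"pressure": [10.0] * 12, "temperature": [50.0] * 12, "flow": [3.0] * 12}

# Assumed analysis parameters (not values from the product): the MSE level at which
# an incident is registered, and the noise level that normal operation stays under.
MSE_THRESHOLD = 2.0
NOISE_FLOOR = 0.05


def squared_errors(observed, forecast):
    """Per-tag squared forecast error at every time step."""
    return {tag: [(o - f) ** 2 for o, f in zip(observed[tag], forecast[tag])]
            for tag in observed}


def mse_series(sq_err):
    """MSE at every time step: the mean of the per-tag squared errors."""
    tags = list(sq_err)
    steps = len(sq_err[tags[0]])
    return [sum(sq_err[t][i] for t in tags) / len(tags) for i in range(steps)]


def first_threshold_crossing(mse, threshold):
    """Index of the first step at which the MSE reaches the threshold, or None."""
    for i, value in enumerate(mse):
        if value >= threshold:
            return i
    return None


def growth_onset(mse, crossing, noise_floor):
    """Walk back from the crossing to the last step still inside the noise floor;
    the step after it is where the MSE started to grow."""
    i = crossing
    while i > 0 and mse[i - 1] > noise_floor:
        i -= 1
    return i


def rank_tags(sq_err, start, end):
    """Tags ordered by their summed squared error over steps start..end inclusive,
    i.e. by how much each contributed to the MSE growth."""
    totals = {tag: sum(errs[start:end + 1]) for tag, errs in sq_err.items()}
    return sorted(totals, key=totals.get, reverse=True)


def analyze_forecaster_incident(observed, forecast, threshold, noise_floor):
    """Locate the threshold crossing, the onset of MSE growth, and the tags that drove it."""
    sq_err = squared_errors(observed, forecast)
    mse = mse_series(sq_err)
    crossing = first_threshold_crossing(mse, threshold)
    if crossing is None:
        return None
    onset = growth_onset(mse, crossing, noise_floor)
    return {"crossing": crossing, "onset": onset,
            "ranked_tags": rank_tags(sq_err, onset, crossing)}


def stream_timing_issues(timestamps, period, tolerance):
    """Flag the conditions the Stream Processor bullet names: a gap wide enough for an
    observation to be missing (data loss), or an observation arriving early or late.
    The gap rule and the tolerance are assumptions made for this example."""
    issues = []
    for prev, cur in zip(timestamps, timestamps[1:]):
        delta = cur - prev
        if delta > 2 * period:
            issues.append((cur, "data loss"))
        elif delta > period + tolerance:
            issues.append((cur, "too late"))
        elif delta < period - tolerance:
            issues.append((cur, "too early"))
    return issues


if __name__ == "__main__":
    print(analyze_forecaster_incident(OBSERVED, FORECAST, MSE_THRESHOLD, NOISE_FLOOR))
    # Constructed arrival times in seconds for a 10-second telemetry period.
    print(stream_timing_issues([0, 10, 20, 30, 40, 70, 80, 87, 97, 110], 10, 2))
```

On the constructed data the MSE reaches the threshold at step 6, but the walk-back shows growth beginning at step 4, two steps earlier, and the temperature tag accounts for almost all of the error over that window. The noise floor matters: walking back only while each previous MSE value is strictly smaller would stop at the first random dip and report an onset in the noise rather than at the real start of the deviation.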
  5. Adding a status, cause, expert opinion or note to an incident or its incident group

    For each incident, add an expert opinion or note in which you can specify whether the incident is an anomaly. An expert opinion and note for an incident are displayed only when viewing a specific incident. If necessary, you can specify the status and cause of an incident. The cause of an incident is displayed in the incidents table and when viewing a specific incident. You can also add or edit the status and expert opinion for a group of incidents.
