About data provision

The application does not transfer users' personal data to Kaspersky. Users' personal data is processed locally on the computers where the application is installed.

Data transferred to external systems

If sending email notifications about incident logging is enabled, the application transfers the following data to the SMTP server:

• Date and time of the logging of the incident
  

  A deviation from the expected (normal) behavior of a monitored asset identified by the anomaly detector.

• Name of the ML model that logged the incident
  

  Algorithm based on machine learning methods tasked with analyzing the telemetry of the monitored asset and detecting anomalies.

• Top tag name
  

  Process parameter for which the largest deviation from the prediction was recorded at the time of incident registration.

• Top tag description
• Top tag value at the time the incident is logged
• Top tag measurement units
• Link to the History section at the time of the start of the incident
• Incident ID
• Name of the detector that logged the incident
  

  Component in the ML model that identifies anomalies and registers incidents.

• Cumulative mean square error (MSE) value at the time the incident was logged
• Blocking threshold value exceeded at the time the incident was logged.

If sending notifications about incident logging through the MQTT Connector, AMQP Connector, WebSocket Connector, and/or KICS Connector is enabled, the application transfers the following data to the MQTT broker, AMQP broker, WebSocket server, and/or to Kaspersky Industrial CyberSecurity for Networks:

• Incident ID
• Date and time of the logging of the incident
• Date and time of the incident completion
• Name and unique ID (UUID) of the ML model that logged the incident
• Unique ID (UUID) of the ML model element
• Top tag ID and description
• Name of the detector that logged the incident
• Link to the History section at the time of the start of the incident
• Cumulative mean square error (MSE) value at the time the incident is logged (if any)
• Blocking threshold value exceeded at the time the incident is logged (if any)
• Top tag value at the time the incident is logged
• Incident status
• Incident comment (if any)
• Incident group ID (if any)
• Incident group name (if any)
• Expert opinion (if any)
• IDs of the relevant tags
• Reason for the incident (if any).

If notifications about the logged incidents are configured to be sent via the CEF connector, the application transfers the following data to the SIEM system:

• Application vendor name
• Application name
• Kaspersky MLAD version
• Application signature ID
• Date and time of the logging of the incident
• Date and time of the incident completion
• Name of the detector that logged the incident
• Name of the ML model that logged the incident
• Link to the History section at the time of the start of the incident
• Top tag description
• Incident comment (if any)
• Incident group name (if any)
• Top tag value at the time the incident is logged
• Incident group ID (if any)
• Incident ID
• Top tag ID.

If the logged events are configured to be sent via the CEF connector, the application transfers the following data to the SIEM system:

Service that facilitates the exchange of data with external systems.

Set of values describing a change in the state of a monitored asset based on a predefined list of parameters, with the timestamp of the change.

• Application vendor name
• Application name
• Kaspersky MLAD version
• Application signature ID
• Name of the monitor that logged the event
  

  Source of notifications about patterns, events, or values of event parameters detected by the Event Processor according to the defined monitoring criteria. The monitoring criteria define a sliding time interval, the number of sequential detections, filters for event parameter values, and the condition for detecting new events, patterns, or event parameter values.

• Monitor ID
• Date and time when the event was logged
• Number of activations on the sliding window
• Type of the element that caused the monitor activation
• Information on whether the registered event is new to the application
• Last events or patterns that activated the monitor
  

  Sequence of events or other patterns identified within the stream of events from the monitored asset.

• Condition for the monitor filters
• Information on whether the monitor is activated only by new events or patterns.

If sending information security event logs is enabled, the application transfers the following data to the Syslog server:

• Application vendor name
• Application name
• Kaspersky MLAD version
• Application signature ID
• ID of the information security event
• Date and time when the information security event occurred
• Information security event type
• Information security event subtype
• Information security event severity level
• Name of the user whose actions resulted in the information security event entry
• IP address of the computer from which the user performed the actions logged into the information security event log
• Information security event outcome
• Brief summary of the information security event
• Detailed description of the information security event.

Data processed locally on the Kaspersky MLAD server

To perform its main functions the application can receive, store and process the following information:

• Information about the full backup copies of the application, if the application has been backed up or updated. The Kaspersky MLAD server stores information about full application backups until they are deleted by the user.
• Information about the backup copies of the Docker volumes that are created during uninstallation of the application. The Kaspersky MLAD server stores information about Docker volume backups until they are deleted by the user.
• Files containing the text of the End User License Agreement of the currently installed application version.
• Certificates for connecting to the application using the web interface.
• Certificates and certificate keys for encrypting the connection between Kaspersky MLAD connectors and services and the external systems.
• Public keys for verifying the digital signature of the distribution package. The Kaspersky MLAD server stores public keys until they are deleted by the user.
• User account data: account ID, last name, first name, middle name, email address, account status (active or blocked), password.

  Values that do not personally identify the user (for example, shop and job title) can be entered in place of the last name, first name and middle name of a user. The information specified in the Last name, First name and Middle name fields for users when creating user accounts is stored in plain text and is not processed by the application.

  The email addresses that are specified when creating accounts are used for the user names when users connect to the web interface of the application. User names are indicated in the information security event logs. Email addresses are used to send notifications about registered incidents.

  Users' email addresses are stored in plain text.

  Kaspersky MLAD does not store user passwords in plain text. The scrypt hash sum calculation algorithm is used to store passwords. Kaspersky MLAD adds salt to the password to prevent decoding. User passwords are not written to application logs.

  The system administrator enters information about user accounts in the administrator menu.

• Data about roles and the rights assigned to these roles: role ID, role name, role status (active or inactive), list of assigned rights, date and time of role creation, date and time of role modification.

  The system administrator enters information about roles in the administrator menu.

• Data about incident notifications: notification ID, email address for sending the notification, incident type, user to whom the notification is sent, notification status (active or inactive).
  

  A message containing information about an incident (or incidents) that is sent by the application via notification delivery systems (for example, by email) to the specified addresses.

  The system administrator enters information about notifications in the administrator menu.

• Data about Kaspersky MLAD settings:
  • Main application settings: monitored asset name, application web address, IP address for connecting to the program, interval for receiving data from the Message Broker service, interval for receiving statistical data about incidents from the database, monitored asset time zone.
  • Application security settings: number of authorization attempts, user blocking period, user inactivity period, information on whether the password must be changed upon the first connection, number of user passwords stored in the history, password validity period, minimum password length, information on whether uppercase, lowercase Latin letters, numbers and/or special characters (_! @ # $% ^ & *) must be used in the password, size and storage time of the information security event logs.
  • Anomaly Detector settings: information on whether to use the Limit Detector, Forecaster, XGBoost, and/or Rule Detector, information on whether to skip data gaps, the maximum number of records requested from the Message Broker service, the number of messages sent in one block to the Message Broker, the number of simultaneously running ML models.
  • Keeper settings: information on whether all tags must be stored, waiting time to receive tags, incidents, and metrics.
    

    Variable that contains the value of a specific process parameter such as temperature.

  • Mail Notifier settings: SMTP server address and port, user name and password for connecting to the SMTP server, information on whether to use a TLS connection, SMTP server certificate and certificate key.
  • Similar Anomaly settings: minimum and maximum number of incidents for the group, maximum interval between similar incidents.
  • Stream Processor settings: frequency of the uniform sequence, configuration file with Stream Processor settings.

    The Stream Processor configuration file stores the IDs of the tags processed by the service and the values of tag processing settings.

    The values of the tag processing settings are set by Kaspersky experts individually for each monitored asset.

  • HTTP Connector settings: information on whether to write data to the Message Broker, information on whether to save the received file, the size of the block to be written, the maximum size of the uploaded file.
  • MQTT Connector settings: information on whether to use a TLS connection, address and port of the MQTT broker, user name and password to connect to the MQTT broker, root certificate, client application certificate and key to the client application certificate, list of MQTT subscriptions to receive tags, MQTT topic for publishing messages, format for processing incoming data, connector configuration file, information on whether to scale the received tag values.
    

    A hierarchical path to the data source used for sending messages via the MQTT protocol.

    The MQTT Connector configuration file stores IDs, names, descriptions, types, and measurement units for tags.

  • AMQP Connector settings: information on whether to use a TLS connection, address and port of the AMQP broker, user name and password to connect to the AMQP broker, root certificate, client application certificate and key to the client application certificate, AMQP virtual node, names of AMQP exchange points for receiving tags and publishing messages, AMQP topic for publishing messages, format for processing incoming data, connector configuration file, information on whether to scale the received tag values.
    

    A hierarchical path to the data source used for sending messages via the AMQP protocol.

    The AMQP Connector configuration file stores IDs, names, descriptions, types, and measurement units for tags.

  • OPC UA Connector settings: connection point name, OPC UA server connection timeout, connector configuration file, historical data interval, start and end of the historical data period, size of the historical data block sent by the OPC UA server, size of the historical data block sent to Message Broker.
  • KICS Connector settings: communication data package for the KICS Connector, password for the KICS Connector, information on whether to send messages to Kaspersky Industrial CyberSecurity for Networks, the tag sampling frequency, information on whether to scale the received tag values.
    

    A method for adjusting the training set with reference to the time scale steps in the original dataset.

  • CEF Connector settings: information on whether to receive events for the Event Processor, information on whether to send registered incidents and/or events to the SIEM system, the IP address and port for sending events and incidents to SIEM systems, information on whether to send the information security event logs to the Syslog server, the transport protocol for sending information security events to the Syslog server, the address and port of the Syslog server for sending information security events.
  • WebSocket Connector settings: WebSocket server web address, root certificate, client application certificate and client application certificate key, incoming data processing format, connector configuration file, information on whether to scale the received tag values, information on whether to send incidents.
  • Event Processor settings: service configuration file, information on whether to process incidents as events, the maximum number of network layers, the coefficient defining the permitted dispersion of the pattern duration, the interval for receiving epoch events, the epoch size in online mode, the mechanism for saving the Event Processor status, component backup frequency, the backup copy of the Event Processor status, epoch size in sleep mode, alert mode when the monitor is activated in sleep mode, sleep mode frequency and duration, event history interval for processing in sleep mode.
  • Incident status settings: incident status ID, incident status names in Russian and English, sorting sequence number, information on whether to display the registered incidents with this status.
  • Incident cause settings: incident cause ID, incident cause name, sorting sequence number.
  • Logging service settings: logging levels of the services and application connectors.
  • Settings of the time intervals for charts in the Monitoring, History, and Time slice sections: time interval ID, time interval name in Russian and English, sorting sequence number, ID of the user who created the time interval, ID of the user who last changed the time interval, time interval value.
  • Settings for displaying the items of the main menu and administrator menu: information on whether to display the items of the main menu and administrator menu in the application web interface.

  The system administrator defines Kaspersky MLAD settings in the administrator menu.

• Asset and tag data: asset name, asset ID, asset icon, parent asset ID, asset description and type, asset type ID and name, asset type custom parameters names and values, asset type description, tag ID and name, tag alternative name, tag icon, tag description, tag type, tag measurement unit, upper and lower thresholds for blocking, signaling, and measurement confidence, upper and lower limits for displaying tags, an expression by which the tag value must be calculated based on the value transmitted to the application, tag comment, location coordinates of the monitored asset sensor along the abscissa, ordinate, and applicate axes, the name of the device from which the tags are received from the external system, the color of the additional threshold lines.
  

  A section of a hierarchical structure representing, for example, a plant, a shop, or a separate unit of a monitored asset.

  The system administrator enters information about assets and tags in the administrator menu.

• Preset data: preset name, preset ID, preset icon, names and IDs of the tags included in the preset, information on whether to configure an expression for the Time slice section, labels on the abscissa and ordinate axes, the name of the expression for calculating tag values, expressions for calculating the tag values, the color of the chart for the preset in the Time slice section.
  

  Set of tags generated by a user in arbitrary order or created automatically when an incident is registered. A set of tags in a custom preset can correspond to a certain aspect of the technological process or a section of the monitored asset.

  Any user can enter data in the Presets section.

• Information about the number of tags and events received per second. The application calculates the data based on the data received from external systems.
• Information about the values of tags and events received by the system. Data is received from external systems for which data receipt is configured.
• Information about predicted tag values, cumulative mean square error (MSE), and individual tag error. The application calculates the data based on the data received from external systems.
• Information about the application service statuses: the name and current status of the service. The application displays the service status derived from the corresponding components.
• Data on registered incidents and groups of incidents: incident ID, date and time when the incident was registered, top tag name and ID, incident cause, name of the detector that registered the incident, incident group name, incident status, ML model name, ML model branch, cumulative mean square error (MSE) value, cumulative mean square error (MSE) threshold value, top tag value, blocking thresholds, tag description and measurement units, incident type, date and time when the observation was generated, time by which observation generation is ahead or behind the receipt of this observation by the application, an expert opinion on the incident and on the group, incident comment, incident group name and ID, the number of incidents in the group, the date and time when the incident group was created, the status of the registered incidents in the group, IDs of the relevant tags, blocking threshold reached when the incident was registered.

  The application generates this data as a result of analysis of the received data and on the basis of the settings specified by the user.

• Settings for displaying charts in the Monitoring and History sections: chart height, preset for going to the History section (only when configuring the chart display settings in the Monitoring section), information on whether to display the observation chart with the selected color, the observation chart color, information on whether to display the prediction chart with the selected color, prediction chart color, information on whether to display the names and descriptions of tags on the charts, the predicted value of the tag and/or a personal tag error, information on whether to display indicators for all incidents on the charts, information on whether to display blocking thresholds and/or additional threshold lines on the charts, ML model branch used to generate predicted values, presets, time intervals, date and time for displaying charts.
  

  Determines how the predicted tag value, personal tag error and MSE are calculated. For a complex model, the calculation may involve multiple ML model elements that have a different composition of tags and error calculation parameters.

  Any user can enter data in the Monitoring and History sections.

• Chart display settings in the Time slice section: chart height, ML model branch used to generate predicted values, presets, time intervals, date and time for displaying charts.

  Any user can enter data in the Time slice section.

• Settings for processing and displaying data for the event processor: events parameters used to register patterns (individual for each monitored asset), information on whether to register patterns by a template (regular expression), template settings (individual for each monitored asset).

  If the Process incidents as events option is enabled in the Event Processor settings, the application stores and processes the following data:

  • Name of the detector
  • Name of the ML model being used
  • Top tag name and ID
  • Name of the incident group to which the registered incident belongs
  • Top tag value
  • Incident ID.

  Any user can enter the event processor data in the Event Processor section.

• Data on events and patterns monitoring in the event processor: monitor name and ID, the number of registered activations based on the sliding window, date and time of the last activation, the type of element that caused the monitor activation, the setting determining what is monitored, sliding window, threshold, names of event parameters which values are monitored, monitored types of values, event parameters on which the model is focused, monitored event parameter values, stack (list of monitor activations arranged by time) limit, ID of the event parameter value that caused the monitor activation, ID of the event detection of which caused the monitor activation, the ID of the pattern detection of which caused the monitor activation, date and time when the event was detected in the event stream, the time interval between the current event and the previous event in the event flow determined by a sliding window, the number of event repetitions in the event flow determined by a sliding window, the date and time of the last event detection in the event flow determined by a sliding window, the parameter values of the event received by the monitored asset, the number of events included in the pattern that caused the monitor activation.
  

  A special configuration of the Event Processor intended to track events and patterns for specific subsets of event history (attention directions). An attention direction is defined by the event parameter value that is common for all events of this direction. The Event Processor detects events and patterns only for the attention directions defined in the attention settings.

  The application generates data by analyzing the received data and the settings specified in the Event Processor section.

• Data on registration of patterns in the event processor: pattern ID, date and time of the last pattern detection in the interval, the number of pattern detections in the event flow of the monitored asset during the specified period, the number of events n the pattern, date and time of the last pattern detection in the event flow or in sleep mode, date and time of the beginning and end of the pattern loading period, pattern type, attention direction, event parameter value, information on whether to register patterns based on a template (regular expression), template parameters (individual for each monitored asset), the time interval between the selected pattern and pattern detected in the sequence of patterns on the current layer before the selected pattern, the total number of activations, the pattern end date and time in the sequence of patterns on the current layer, the pattern layer number, IDs of events included in the pattern, the date and time when the event was detected in the pattern structure, the number of event parameters for which the values are received from the monitored asset.

  The application generates data by analyzing the data and the settings specified in the Event Processor section.

• Information about ML models and their parameters: ID and unique ID (UUID) of the ML model, name, description, status and state of the ML model, name of the user who last modified the ML model, date and time when the ML model was last modified, name of the user who created the ML model, date and time when the ML model was created or loaded, the names and IDs of its elements, the time interval, and markup for the inference.
  

  The ML model works with telemetry data to detect anomalous behavior.

  

  A set of time intervals specified for tags that allows you to generate learning indicators and inference for the ML model.

  A system administrator or a user with the Manage ML models rights set in the Models section can enter and/or upload the data.

• Information about the ML model elements and their parameters:
  • Parameters common for all types of ML model elements: ID, name and description of the ML model element, the time interval after which a repeated incident is generated, the time interval during which repeated incidents are not registered, the grid step in seconds, the incident cause and status, color of the incident indicator points, expert opinion.
  • Main parameters of ML model neural network elements: element architecture, names and IDs of the input tags, names and IDs of the output tags, incident registration threshold, cumulative mean square error (MSE) power, cumulative mean square error (MSE) smoothing degree, the number of steps in the input window for the input values, the number of steps by which the beginning of the output window is shifted relative to the beginning of the input window, the number of steps in the output window.
  • Parameters of a neural network element with the Dense architecture: multipliers for calculating the number of neurons on layers, activations on layers.
  • Parameters of a neural network element with the RNN architecture: the number of GRU neurons on layers, the number of time-distributed neurons on the layers of the decoding block.
    

    A cell of the layer with a recurrent architecture.

  • Parameters of a neural network element with CNN architecture: size of filters on layers, number of filters on layers, size of the maximum selection window, number of neurons on layers of the decoder.
  • Parameters of a neural network element with TCN architecture: regularization, filter size, extensions on layers, activation, number of encoders, type of layer before the output layer.
  • Parameters of the neural network element with the Transformer architecture: regularization in the encoder, the number of attention heads, the number of coding blocks, multipliers for calculating the number of neurons on the layers of encoder.
  • Training settings of a neural network element: training time interval, names and IDs of the training markups, maximum training duration, ratio between the training and the validation sample, maximum number of epochs for training, number of epochs during which there must be no validation losses when training is stopped early, chart resolution to display the training results, batch (dataset for training) size, number of blocks, inference mode, training mode, automatic data division into blocks, memory size used for training, information on whether to initialize the model weights with the values from the previous training results and/or shuffle the data.
  • Information about the training results of the neural network element: training queue (IDs and names of ML model elements that are waiting in the queue for training), training status, names and IDs of the training elements, the number of blocks into which the training dataset is divided, name of the user who started the training of the element, training duration, date and time of the training beginning and end, duration of the data time intervals in the training set, the number of UTG nodes included in the training set, training and validation errors, prediction of the trained ML model on the training set.
    

    An infinite sequence of points in time separated by equal intervals, to which the stream of incoming telemetry data is converted.

  • Settings for elements based on diagnostic rules: information on whether to interpret the impossibility to evaluate a condition as a rule execution, time filtering settings: interval type, years, days, days of the week, and the time interval during which to validate the input data in accordance with the specified rule; tag behavior condition settings: tag for which the condition is added, tag behavior, rule execution condition, number of UTG steps, tag threshold value, the minimum number of times a rule is triggered before logging an incident, value of the first level differential, time interval between the adjacent trend estimates, change threshold value, direction of the tag value change, tag value, maximum tag deviation from the specified value, the direction of change in tag value spread, indicator of whether the rule uses a pause and pause settings: minimum and maximum timeouts, group and logical operators used.

  A system administrator or a user with the Manage ML models rights set in the Models section can enter and/or upload the data.

• Information about markups: ID, name and description of the markup, interval used to calculate data on UTG, markup color, time filtering settings: interval type, years, days, days of the week, and the time interval during which to validate the input data in accordance with the specified markup conditions; tag behavior condition settings: tag for which the condition is added, tag behavior, rule execution condition, number of UTG steps, tag threshold value, the minimum number of times a rule is triggered before logging an incident, value of the first level differential, time interval between the adjacent trend estimates, change threshold value, direction of the tag value change, tag value, maximum tag deviation from the specified value, the direction of change in tag value spread, indicator of whether the rule uses a pause and pause settings: minimum and maximum timeouts, group and logical operators used.

  A system administrator or a user with the Manage ML models rights set in the Models section can enter and/or upload the data.

• Information security event logs: information security event ID, date and time of the information security event, type of information security event, subtype of information security event, severity level of the information security event, the name of the user whose actions resulted in registration of the information security event, the IP address of the computer from which the user performed the actions logged into the information security event log, the result of the information security event, a brief summary of the information security event, a detailed description of the information security event.

  The IP addresses of computers that established a connection to the web interface of the application are indicated in the information security event logs.

  The data is generated by Kaspersky MLAD automatically.

  Kaspersky MLAD stores information security event logs for the time period specified in the Storage time for information security event logs (days) when configuring security settings. The program also deletes early entries in the information security event log when exceeding the space allocated for storing information security events set in Volume of information security event logs (MB).

• Kaspersky MLAD container logs: event date and time, event severity level, name of the container for which the event is registered, event description.

  The data is generated by Kaspersky MLAD automatically.

  Kaspersky MLAD stores container logs for two days.

The logging system (Grafana) does not transmit users' data to Kaspersky or any third-party servers. You can read the procedure for storing and processing data in the logging system in the Grafana Logging System User Guide.

Data processed on users' computers

When working with the Kaspersky MLAD web interface, the following data is stored in the browser cookie files:

• Individual JSON Web Tokens to support a user session for connecting to the application web interface. An individualized token is stored in the user's browser cookie files for the user inactivity period defined when configuring the security settings.
• ID of the running Grafana session, if the user views the application logs. The Grafana session ID is stored in the user's browser cookie files for 30 days.

The user browser also stores data that is used to display the web interface: the last used localization language of the application web interface, the last used option for displaying the main menu (hidden or maximized display), the last used values of the time interval, preset, date and time, ML model branch, and the chart display settings in the Monitoring, History, and Time slice sections, the last used page numbering settings, the last set filters for displaying data in the Event Processor section, the last used values of the incident status and cause in the Incidents section, information about the "Tags for event presets #N" presets, generated for a registered incident, information about the current installed version of Kaspersky MLAD. This data is stored in the browser indefinitely. You can delete this data from the browser local storage yourself.

When exporting incidents, the application saves an XLSX file with the following data to the user computer:

• Name of monitored asset
• Period during which incidents were uploaded
• ID of the registered incidents
• Date and time when the incidents were registered
• Registered incidents statuses
• Names of the groups that include the registered incidents
• Names and IDs of the top tags having the greatest impact on the incidents registration
• Top tag values
• Top tags measurement units
• Top tags descriptions
• Name of the ML models that registered the incidents
• Name of the detectors that registered the incidents.

When exporting information security event logs from the Grafana logging system, the application saves a CSV file with the following data to the user computer:

• IDs of the information security events
• Date and time when the information security events occurred
• Information security events types
• Information security events subtypes
• Information security events severity levels
• Names of the users whose actions resulted in the registration of the information security events
• IP addresses of the computers from which the users performed the actions stored in the information security event log
• Information security event outcomes
• Brief summaries of the information security events
• Detailed descriptions of the information security events.

When exporting container logs from the Grafana logging system, the application saves a CSV file with the following data to the user computer:

• Date and time when the events occurred
• Event severity levels
• Name of the container for which the events are registered
• Event description.

When exporting asset and tag configuration, the application saves an XLSX file with the following data to the user computer:

• Asset type ID
• Unique name of the asset type
• Names of the special asset type settings (if any)
• Asset type description (if any)
• Asset ID
• Asset name
• Unique name of an asset within its parent asset
• Asset description (if any)
• Name of the parent asset to which the asset belongs (if any)
• Parent asset ID (if any)
• Names of the special asset settings (if any)
• Values of the special asset settings (if any)
• Tag ID
• Unique name of the tag
• Unique alternative name of the tag (if any)
• Tag description
• Name of the parent asset to which the tag belongs (if any)
• Parent asset ID
• Tag type (if any)
• Tag measurement units
• Lower and upper blocking thresholds (if any)
• Lower and upper signaling thresholds (if any)
• Lower and upper measurement confidence thresholds (if any)
• Lower and upper boundaries for displaying the tag values on charts (if any)
• The expression used to calculate the tag value from the value passed to Kaspersky MLAD
• Tag comment
• Location coordinates of the monitored asset sensor along the abscissa, ordinate, and applicate axes (if any).

When exporting presets, the application saves a JSON file with the following data to the user computer:

• Preset name
• Preset ID
• ID of the user who created the preset or uploaded it to the application
• IDs of the tags included in the preset
• Preset sequential number for sorting
• Preset icon.
• When using a preset to display data in the Time slice section, the application also saves the following data:
  • Text on the abscissa axis of the chart in the Time slice section
  • Name of the expression used to calculate the tag values
  • Text on the ordinate axis of the chart in the Time slice section
  • Expression used to calculate the tag values
  • Preset chart color in the Time slice section.

When exporting Kaspersky MLAD settings, the application saves configuration files with the following data to the user's computer:

• A file with the settings of the incident statuses, which contains the following data:
  • Incident status ID
  • Name of the incident status in Russian
  • Name of the incident status in English
  • Ordinal number of the incident status for sorting
  • Information on whether to display registered incidents with this status.
• A file with the settings of the incident causes, which contains the following data:
  • Incident cause ID
  • Name of the cause of the incident
  • Sequential number of the cause of the incident to be sorted.
• A file with the settings of the time intervals for displaying data on the Monitoring, History, and Time slice charts, which contains the following data:
  • Time interval ID
  • Name of the time interval in Russian
  • Name of the time interval in English
  • Ordinal number of the time interval for sorting
  • ID of the user who created the time interval
  • ID of the user who last changed the time interval
  • Time interval value in milliseconds.
• Settings of Kaspersky MLAD services and connectors:
  • Settings IDs
  • Names of the settings in the Kaspersky MLAD database
  • Types of the entered values
  • Entered or selected values
  • Name of the group to which the current setting belongs
  • Serial number of the setting displayed in the current section
  • Requirements for the setting value.
• The Stream Processor configuration file containing the following data:
  • IDs of tags processed by Stream Processor
  • Values of the tag processing settings.

    The values of the tag processing settings are set by Kaspersky experts individually for each monitored asset.

• Configuration files of the MQTT Connector, AMQP Connector, and WebSocket Connector containing the following data:
  • Tag IDs obtained from the MQTT Connector, AMQP Connector, or WebSocket Connector
  • Tag timestamp measurement units
  • Type of the received data
  • Template format for decoding the received data type.
• The OPC UA Connector configuration file containing the following data:
  • Tag ID
  • Name of the asset to which the tag belongs
  • Data type passed to the tag value.
• The Event Processor configuration file containing the following data:
  • List of event parameters to be processed
  • Time and time scale for event processing
  • Order and relationship of the event parameters for display on the relationship graph in the Event history section.
• The communication data package for the KICS Connector containing the following data:
  • Public key of the Kaspersky Industrial CyberSecurity for Networks server certificate in the encrypted form, as well as the certificate issued by the Kaspersky Industrial CyberSecurity for Networks server for the KICS Connector (with the private key).

    The contents of the file are encrypted with the password that was set when the KICS Connector was added or when a new communication data package was created for this connector.

  • KICS Connector configuration data: the name of the Kaspersky MLAD user for connecting to the Kaspersky Industrial CyberSecurity for Networks server, the KICS Connector ID, and the address of the Kaspersky Industrial CyberSecurity for Networks server for connection.