Kaspersky Machine Learning for Anomaly Detection

Viewing incident groups

December 6, 2023

ID 248092

When two or more similar incidents are detected, Kaspersky MLAD automatically combines them into a group (using the Similar Anomaly service). This lets you analyze an incident in light of the history of, and the expert opinions recorded for, similar incidents. In the incidents table in the Incidents section, the group associated with the incident is displayed in the Group column. If this column is empty for an incident, Kaspersky MLAD has not yet detected any incidents similar to it. Incidents can be regrouped, and the expert opinions that were added to these incidents are migrated to the new group. The group name is automatically assigned in the format Group #N (N is replaced by the sequence number of the group). If necessary, you can edit a group name.

To view incident groups:

In the main menu, select the Incidents section and click Groups.

All incident groups for your monitored asset are displayed in the table located in the central part of the page.

The following information is displayed for each incident group in the table:

  • ID is the incident group identifier.
  • Group name refers to the name of the incident group.
  • Expert opinion is a conclusion added by an expert (process engineer or ICS specialist) based on an analysis of the group of registered incidents.
  • Incident count refers to the number of registered incidents included in the group.

    You can proceed to view incidents of the group by clicking Incident count.

  • Date and time refers to the date and time when the incident group was created.
  • Status refers to the status of registered incidents in a group specified by an expert (process engineer or ICS specialist) based on the results of the incident analysis.

    You can set the incident group status based on analysis results by selecting the appropriate value from the drop-down list. After installation of Kaspersky MLAD, the following statuses of incidents and incident groups are available by default: Under review, Decision pending, Instructions issued, Problem closed, Cause unknown, Ignore and False positive. If necessary, the system administrator can create, edit, or delete statuses of incidents.

To view detailed information about an incident group:

  1. Click the right arrow next to the incident group.

    A list of incidents in this group is displayed. The following information is displayed for each incident in the group:

    • Incident date is the date and time when the incident was registered.

      You can go to the History section by clicking the incident registration date.

    • Top tag name is the name of the process parameter that had the largest impact when the incident occurred.
    • Top tag value is the registered value of the tag that had the largest impact when the incident occurred.
    • Relevant tags refers to a table that contains the identifiers of tags that influenced the identification of similar incidents and merging of these incidents into a group.
  2. If you need to view the degree of influence a tag had on the formation of similar incidents, click the Relevant tags table cell containing the identifier of the relevant tag.

    All table cells containing the selected tag ID are highlighted in green. The closer the green-highlighted cells containing the ID of the selected tag are to the first table column, the more impact that tag has when identifying and grouping similar incidents.

You can also add a status and expert opinion for the incident group.
