Kaspersky Anti Targeted Attack Platform

Service data of the application

Kaspersky Anti Targeted Attack Platform itself provides no capability to restrict the rights of users of the servers and operating systems on which the Central Node component is installed. Administrators are advised to use the operating system and other system resources, at their own discretion, to control how users of servers and operating systems with the application installed are granted access to the personal data of other users.

Information about the service data of Kaspersky Anti Targeted Attack Platform is provided in the table below.

Service data of Kaspersky Anti Targeted Attack Platform

Data type

Location and duration of storage

Data type:

  • Data on user accounts.
  • Data of the Central Node component.
  • Data about tenants.
  • Information about computers connected to the Central Node component on which the Endpoint Agent component is installed.
  • Data about presets and prevention rules.
  • Information about tasks assigned to computers with the Endpoint Agent component.
  • Custom widget layout data.
  • Information about user-defined TAA (IOA) rules.
  • Information about user-defined IDS rules.
  • Information about user-defined IOC rules.
  • Data on network isolation rules.
  • Data about scan exclusions.
  • Information about reports and report templates.
  • Information about Endpoint Agent component certificates.

Location and duration of storage: Data is stored indefinitely in the /data directory on the server hosting the Central Node component if the component is installed on the server. When the Central Node component is installed on a cluster, data is stored indefinitely on storage servers.

Data type: System event log.

Location and duration of storage: OS log files are stored indefinitely in the /var/log directory on the server hosting the Central Node component.

Data type: Log with information about the application operation.

Location and duration of storage: The log file is stored indefinitely in the /data directory on the server hosting the Central Node component if the component is installed on the server. When the Central Node component is installed on a cluster, data is stored indefinitely on storage servers.

Data type: File scan queue.

Location and duration of storage: Files are stored in the /data directory on the server hosting the Central Node component if the component is installed on the server. When the Central Node component is installed on a cluster, data is stored on storage servers. The data is retained until the scan is completed.

Data type: Files received from computers with the Endpoint Agent component.

Location and duration of storage: Files are stored in the /data directory on the server hosting the Central Node component if the component is installed on the server. When the Central Node component is installed on a cluster, data is stored on storage servers. Data is rotated when disk space becomes full.

Data type: Files with YARA and IDS rules (user-defined and from Kaspersky).

Location and duration of storage: Files are stored indefinitely in the /data directory on the server hosting the Central Node component if the component is installed on the server. When the Central Node component is installed on a cluster, data is stored indefinitely on storage servers.

Data type: Files with data about detections sent to external systems.

Location and duration of storage: Files are stored indefinitely in the /data directory on the server hosting the Central Node component if the component is installed on the server. When the Central Node component is installed on a cluster, data is stored indefinitely on storage servers.

Data type: Artifacts of the Sandbox component.

Location and duration of storage: Files are stored in the /data directory on the server hosting the Central Node component if the component is installed on the server. When the Central Node component is installed on a cluster, data is stored on storage servers. Data is rotated when disk space becomes full.

Data type: Files for which detections were created by the Sandbox component.

Location and duration of storage: Files are stored in the /data directory on the server hosting the Central Node component if the component is installed on the server. When the Central Node component is installed on a cluster, data is stored on storage servers. Data is rotated when disk space becomes full.

Data type: Certificate files used for the authentication of application components.

Location and duration of storage: Files are stored indefinitely in the /data directory on the server hosting the Central Node, PCN, SCN or Sensor component, or on the computer with the Endpoint Agent component.

Data type: Encryption keys that are transmitted between application components.

Location and duration of storage: Files are stored indefinitely in the /data directory on the server hosting the Central Node, PCN, SCN or Sensor component, or on the computer with the Endpoint Agent component.

Data type: Copies of mirrored traffic from SPAN ports.

Location and duration of storage: Files are stored in storage mounted on the server with the Sensor component. Data is deleted as disk space becomes full.

Data type: ICAP exclusion filters.

Location and duration of storage: Files are stored indefinitely in the /data directory on the server hosting the Central Node component if the component is installed on the server. When the Central Node component is installed on a cluster, data is stored indefinitely on storage servers.

Data type:

  • Information about network sessions.
  • Device information.
  • Telemetry when integrated with the Endpoint Agent component.
  • Network traffic events.
  • User account information.
  • Information about executable files.
  • Dumps of traffic relevant to registered events.
  • Dumps of traffic relevant to network sessions.

Location and duration of storage: The data is stored on the Central Node server in the /data/storage/volumes/nta_database directory. Data is rotated as disk space becomes full.

Data on user accounts:

  • User account ID.
  • User account name.
  • Domain name of the user.
  • User account role.
  • User account status.
  • Date and time of the last password change for the user account.

Location and duration of storage: Files are stored indefinitely in the /data directory on the server hosting the Central Node component if the component is installed on the server. When the Central Node component is installed on a cluster, data is stored indefinitely on storage servers.

Data of the Central Node component:

  • Central Node server ID.
  • IP address of the Central Node server.
  • Central Node server name.
  • Central Node activity indicator.

Data about tenants:

  • Tenant ID.
  • Tenant name.
  • Names of servers with the Central Node component assigned to this tenant.
  • Tenant creation date.

Information about computers connected to the Central Node component on which the Endpoint Agent component is installed:

  • ID of the Endpoint Agent computer assigned by Kaspersky Security Center.
  • Name of the Endpoint Agent computer.
  • IP address of the Endpoint Agent computer.
  • Operating system of the Endpoint Agent computer.
  • Version of the application that acts as the Endpoint Agent component.
  • Status of the Endpoint Agent self-defense mechanism.
  • Date and time when the first and last telemetry packets were sent to the Central Node component.
  • Date and time of the last IOC scan run.
  • Result of the last IOC scan run.
  • License key status of the application that acts as the Endpoint Agent component.

Data about presets and prevention rules:

  • ID of the tenant on which the prevention rule was created.
  • Status of the prevention rule (enabled or disabled).
  • MD5 or SHA256 hash of the file that is prevented from running.
  • Account name of the user who created the prevention rule.
  • Account name of the user who changed the prevention rule.
  • List of computers on which the file is prevented from running.
  • Prevention rules change log.
  • Prevention rule creation date and time.
  • Name of the prevention rule.
  • Attribute indicating whether the user must be notified when the file is blocked from starting.

Information about tasks assigned to computers with the Endpoint Agent component:

  • Type of the task assigned to the Endpoint Agent computer.
  • Name of the computer to which the task is assigned.
  • IP address of the computer with the Endpoint Agent component.
  • Creation date and time of the task assigned to the Endpoint Agent computer.
  • ID of the tenant for which the task was created.
  • Task expiration date.
  • Name of the user account that created the task.
  • Task settings data.
  • Task report data.
  • Task comments.

Information about user-defined TAA (IOA) rules:

  • User-defined TAA (IOA) rule name.
  • Source code of the request being scanned.
  • User-defined TAA (IOA) rule ID.
  • User-defined TAA (IOA) rule status.
  • Creation date and time of the user-defined TAA (IOA) rule.
  • Importance specified when adding the user-defined TAA (IOA) rule.
  • Level of confidence, which depends on the likelihood of false alarms, as defined by the user when the user-defined TAA (IOA) rule was added.
  • ID of the tenant for which the rule was created.

Information about user-defined IDS rules:

  • User name of the user account that uploaded the file with user-defined IDS rules.
  • Date and time when the file with user-defined IDS rules was uploaded.
  • Status of the user-defined IDS rule.
  • Importance specified in the user-defined IDS rule file.

Information about user-defined IOC rules:

  • User name of the user account that uploaded the file with user-defined IOC rules.
  • Name of the IOC file.
  • Contents of the IOC file.
  • Date and time when the IOC file was uploaded.
  • Status of the IOC rule.
  • Rule importance as specified in the IOC file.
  • Description of the IOC rule.
  • ID of the tenant for which the IOC file was uploaded.

Information about user-defined YARA rules:

  • User name of the user account that uploaded the file with user-defined YARA rules.
  • Contents of the YARA file.
  • Date and time when the YARA file was uploaded.
  • Name of the file containing YARA rules.
  • Importance.
  • Status of the YARA rule.

Data on network isolation rules:

  • Account name of the user who enabled network isolation.
  • ID of the isolated computer.
  • Name of the network isolation rule.
  • Status of the network isolation rule.
  • List of resources excluded from network isolation.
  • Date and time when the network isolation rule was modified.
  • State of the network isolation rule.
  • Expiration date of the network isolation rule.

Data about scan exclusions:

  • User name of the user who added the scan exclusion rule.
  • List of objects excluded from the scan.
  • Exclusion rule ID.
  • Name of the exclusion rule.
  • Creation date and time of the exclusion rule.
  • ID of the tenant for which the exclusion rule was created.
  • Names of components to which the exclusion rules apply.

Information about reports and report templates:

  • ID of the user account that created or modified the report template.
  • Template creation date.
  • Date of last modification of the template.
  • Text of the template as HTML code.
  • Name of the template.
  • Tenant ID.

Information about Endpoint Agent component certificates:

  • User name of the user account that uploaded the Endpoint Agent component certificate file.
  • Digest of the certificate.
  • Serial number of the certificate.
  • Public key.
  • Expiration date of the certificate.

Information about Sandbox component scan rules:

  • State of the Sandbox component scan rule.
  • Type of the rule.
  • Masks of included objects.
  • Masks of excluded objects.
  • Size of scanned files.
  • Rule creation date and time.
  • ID of the virtual machine to which the rule is assigned.

Virtual machine configuration information:

  • IP address of the server hosting the Sandbox component.
  • List of virtual machines.

Data on user accounts:

  • User account ID.
  • User account name.
  • Name of the computer on which the user is authorized.

Location and duration of storage: The data is stored on the Central Node server in the /data/storage/volumes/nta_database directory. Data is rotated as disk space becomes full.

Network session information:

  • Names of the participants in the network communication.
  • IP and MAC addresses of the participants of the network communication.

Information about devices registered in the application:

  • Device names.
  • IP and MAC addresses of devices.

Data saved when integrated with the Endpoint Agent component as part of the NDR functionality:

  • IP and MAC addresses of the computer with the Endpoint Agent component.
  • Name of the computer with the Endpoint Agent component.
  • Name of the user account registered on the computer with the Endpoint Agent component.
  • The operating system that the computer is running.
  • User Agent.

Information about network traffic events: IP and MAC addresses of devices.

Information about executable files on Endpoint Agent computers connected as part of the NDR functionality:

  • File name.
  • Path to the file.
  • File version.
  • MD5 and SHA256 hash of the file.

Traffic dump data related to logged network sessions and events:

  • Names of the participants in the network communication.
  • IP and MAC addresses of the participants of the network communication.
  • Device names.
  • IP and MAC addresses of devices.
  • User account name.
  • User account ID.
  • The operating system that the computer is running.
  • User Agent.
  • Name of the executable file.
  • Path to the executable file.
  • Version of the executable file.
  • MD5 and SHA256 hash of the executable file.