Kaspersky Anti Targeted Attack Platform

Data transmitted between application components

Central Node and the Endpoint Agent component

Applications used in the role of the Endpoint Agent component send the following to the Central Node component: task completion reports, information on events and alerts that occurred on computers with these applications, and information about terminal sessions.

If there is no connection with the Central Node component, all pending information is accumulated until it is sent to the Central Node component or until the application that is being used in the role of the Endpoint Agent is removed from the computer, but no longer than 21 days.

General information for all events

If an event occurred on the user's computer, the applications send the following data to the events database:

  • Event type.
  • Event time.
  • Event ID.
  • Version of the event schema.
  • Time when the event was processed by the Central Node server.
  • User account for which the event was generated.
  • Name of the host where the event occurred.
  • IP address of the host.
  • Type of the operating system installed on the host.
  • OS family.
  • OS name.
  • OS version.
  • The IP address of the network adapter that the application used in the role of the Endpoint Agent uses to connect to the Central Node or Sensor server.
  • The version of the application that is being used in the role of the Endpoint Agent component.
  • Date of the last update of the KBD databases.
  • Date of the last update of the SW databases.
  • Index date.
  • When marking up events in accordance with TAA (IOA) rules, the following information is transmitted:
    • ID of the triggered indicator of attack.
    • Decision of the triggered indicator of attack.
    • Source of the triggered indicator of attack.
    • Version of the triggered attack indicator.
    • MITRE technique code.
    • MITRE tactic code.
    • Alert importance depending on the security impact this alert may have on the computer or corporate LAN, based on Kaspersky experience.
    • Confidence of the detection depending on the likelihood of false alarms caused by the rule.

Central Node and Kaspersky Endpoint Agent for Windows

If an event occurred on the user's computer, the application sends the following data to the events database:

  1. File creation event.
    • Details of the process that created the file: process file name, and MD5 and SHA256 hashes of the process file.
    • File name.
    • Path to the file.
    • Full name of the file.
    • MD5 and SHA256 hashes of the file.
    • Date of file creation and modification.
    • File size.
  2. Registry monitoring event.
    • Details of the process that modified the registry: Process ID, process file name, and MD5 and SHA256 hashes of the process file.
    • Path to the registry key.
    • Registry value name.
    • Registry value data.
    • Registry value type.
    • Previous path to the registry key.
    • Previous registry value data.
    • Previous registry value type.
  3. Driver loading event.
    • File name.
    • Path to the file.
    • Full name of the file.
    • MD5 and SHA256 hashes of the file.
    • File size.
    • Date of file creation and modification.
  4. Listening port opening event.
    • Details of the process that opened the listening port: process file name, and MD5 and SHA256 hashes of the process file.
    • Port number.
    • Adapter IP address.
  5. Event in the operating system log.
    • Time of the event, host on which the event occurred, and user account name.
    • Event ID.
    • Channel/log name.
    • Event ID in the log.
    • Provider name.
    • Authentication event subtype.
    • Domain name.
    • Remote IP address.
    • Event header fields: ProviderName, EventId, Version, Level, Task, Opcode, Keywords, TimeCreatedSystemTime, EventRecordId, CorellationActivityId, ExecutionProcessID, ThreadID, Channel, Computer.
    • Event body fields: AccessList, AccessFiles mask, AccountExpires, AllowedToDelegateTo, Application, AuditPolicyChanges, AuthenticationPackageName, CategoryId, CommandLine, DisplayName, Dummy, ElevatedToken, EventCode, EventProcessingFailure, FailureReason, FilterRTID, HandleId, HomeDirectory, HomePath, ImpersonationLevel, IpAddress, IpPort, KeyLength, LayerName, LayerRTID, LmPackageName, LogonGuid, LogonHours, LogonProcessName, LogonType, MandatoryLabel, MemberName, MemberSid, NewProcessId, NewProcessName, NewUacValue, NewValue, NewValueType, ObjectName, ObjectServer, ObjectType, ObjectValueName, OldUacValue, OldValue, OldValueType, OperationType, PackageName, ParentProcessName, PasswordLastSet, PrimaryGroupId, PriviledgeList, ProcessId, ProcessName, ProfileChanged, ProfilePath, Protocol, PublisherId, ResourceAttributes, RestrictedAdminMode, SamAccountName, ScriptPath, ServiceAccount, ServiceFileName, ServiceName, ServiceStartType, ServiceType, SettingType, SettingValue, ShareLocalPath, ShareName, SidHistory, SourceAddress, SourcePort, Status, SubcategoryGuid, SubcategoryId, SubjectDomainName, SubjectLogonId, SubjectUserName, SubjectUserSid, SubStatus, TargetDomainName, TargetLinkedLogonId, TargetLogonId, TargetOutboundDomainName, TargetOutboundUserName, TargetUserName, TargetUserSid, TaskContent, TaskName, TokenElevationType, TransmittedServices, UserAccountControl, UserParameters, UserPrincipalName, UserWorkstations, VirtualAccount, Workstation, WorkstationName.
  6. Process start event.
    • Information about the process file: file name, file path, MD5 or SHA256 hash of the file, file size, creation and modification date, name of the organization that issued the digital certificate of the file, digital signature verification result.
    • UniquePID.
    • Process start options.
    • Process start time.
    • Information about the parent process: file path, UniquePID, MD5 or SHA256 hash of the process file, process start options.
  7. Process stop event.
    • Information about the file of the process: file name, file path, full name of the file, MD5 or SHA256 hash of the file, file size, and process end time.
    • UniquePID.
    • Process start options.
    • Information about the parent process: file path, UniquePID, MD5 or SHA256 hash of the process file, process start options.
  8. Module loading event.
    • Details of the file that loaded the module: UniquePID, file name, file path, full name of the file, MD5 and SHA256 hashes of the file, and file size.
    • DLL name.
    • Path to DLL.
    • DLL full name.
    • MD5 or SHA256 hash of the DLL.
    • DLL size.
    • Date of DLL creation and modification.
    • Name of the organization that issued the digital certificate of the DLL.
    • DLL digital signature verification result.
  9. Process startup blocking event.
    • Details of the file that attempted to run: file name, file path, full name of the file, MD5 and SHA256 hashes of the file, file size, and date of file creation and modification.
    • Command line parameters.
  10. File startup blocking event.
    • Details of the file that attempted to open: file name, file path, full name of the file, MD5 and SHA256 hashes of the file, file size, and type of checksum used for blocking (0 for MD5, !=0 for SHA256; not used for search).
    • Details of the executable file: file name, file path, full name of the file, MD5 and SHA256 hashes of the file, file size, and date of file creation and modification.
    • Details of the parent process: file name, file path, full name of the file, MD5 and SHA256 hashes of the file, PID, and UniquePID.
  11. Detection event and the result of its processing (when Kaspersky Endpoint Agent for Windows is integrated with Kaspersky Endpoint Security for Windows).
    • Scan result.
    • Name of the detected object.
    • ID of the record in application databases.
    • Release time of the application databases with which the detection was generated.
    • Object processing mode.
    • Category of the detected object (for example, name of a virus).
    • MD5 hash of the detected object.
    • SHA256 hash of the detected object.
    • Unique ID of the process.
    • Process PID displayed in the Windows Task Manager.
    • Process start command line.
    • Reason for the error when processing the object.
    • Contents of the script scanned using AMSI.
  12. AMSI scan event.
    • Contents of the script scanned using AMSI.

Central Node and Kaspersky Endpoint Security for Windows

If an event occurred on the user's computer, the application sends the following data to the events database:

  1. File modification event.
    • Details of the process that created the file: process file name, and MD5 and SHA256 hashes of the process file.
    • Information about the created or modified file: name, path, full name, type, MD5 hash, SHA256 hash, creation date, modification date, attributes, attribute modification date, size, zone ID, application name of the file, vendor, name of the organization that issued the digital certificate, description, digital signature verification result, time of the digital signature, original name, name before modification, path before modification, full name before modification.
    • Information about the file to which a link was created: MD5 hash, SHA256 hash, creation date, modification date, attributes, attribute modification date, size, type, zone ID, application name of the file, original name, name of the organization that issued the digital certificate, description, subject of the signature, digital signature verification result, time of the digital signature, full name of the link file.
  2. Registry monitoring event.
    • Details of the process that modified the registry: Process ID, process file name, and MD5 and SHA256 hashes of the process file.
    • Path to the registry key.
    • Registry value name.
    • Registry value data.
    • Registry value type.
    • Previous path to the registry key.
    • Previous registry value data.
    • Previous registry value type.
    • Type of the operation with the registry.
    • Path to the file where the registry key was saved.
  3. Driver loading event.
    • File name.
    • Original file name.
    • Path to the file.
    • Full name of the file.
    • MD5 and SHA256 hashes of the file.
    • File size.
    • Date of file creation and modification.
    • File attribute modification date.
    • File type.
    • File attributes.
    • File zone ID.
    • File vendor.
    • File description.
    • Name of the organization that issued the digital certificate.
    • Signature subject.
    • Digital signature verification result.
    • Time of digital signature.
    • URL from which the file was retrieved.
    • Metadata of the message from which the file was retrieved.
  4. Listening port opening event.
    • Details of the process that opened the listening port: process file name, and MD5 and SHA256 hashes of the process file.
    • Port number.
    • Adapter IP address.
    • Operation status.
  5. Remote connection event.
    • Information about the local computer: IP address, port number.
    • Information about the remote computer: IP address, port number, FQDN.
    • Information about TLS encryption of the connection: protocol version, SNI, encrypted SNI, MD5 hash of the certificate file, SHA1 hash of the certificate file, certificate issuer name, certificate serial number, certificate verification result, certificate expiration date, Ja3, Ja3s, MD5 hash of Ja3, MD5 hash of Ja3s, socket type.
    • LANA number.
    • HTTP method.
    • URL that was followed.
    • Process status.
    • Connection direction.
  6. DNS lookup event.
    • IPv4 address of the DNS server.
    • Binary mask of the DNS query being performed.
    • DNS response error code.
    • DNS query type ID.
    • Name of the domain for which the DNS record is to be resolved.
    • Date of the DNS response.
  7. LDAP event.
    • Search scope.
    • Search query filter.
    • Attributes specified in the query as attributes to be returned.
    • Path to the LDAP container to be searched.
  8. Process start event.
    • Information about files of the parent and grandparent processes, loader processes, creator processes, running processes: name, path, full name, MD5 hash, SHA256 hash, creation date and time, modification date and time, attributes, attribute modification date and time, size, zone ID, vendor, name of the organization that issued the digital certificate, description, original name, digital signature subject, digital signature verification result, date and time of the digital signature, file version, logon type, login session ID, user account type, user name, user account ID, IP address of the computer from which the logon was made, integrity level, process ID, current directory.

  9. Process stop event.
    • Information about the file of the process: file name, file path, full name of the file, MD5 or SHA256 hash of the file, file size, and process end time.
    • Unique ID of the process.
    • Process start options.
    • Information about the parent process: file path, UniquePID, MD5 and SHA256 hash, command line options.
  10. Process access event.
    • Operation type.
    • Process access permissions.
    • Call stack.
    • Information about the file of the recipient process and the file of the process from which the handle was duplicated: name, path, full path, MD5 and SHA256 hash, creation date and time, modification date and time, attribute modification date and time, size, unique ID, system ID, command line options, URL from which the file was retrieved, metadata of the message from which the file was retrieved.
  11. Module loading event.
    • Details of the file that loaded the module: UniquePID, file name, file path, full name of the file, MD5 and SHA256 hashes of the file, and file size.
    • DLL name.
    • Path to DLL.
    • DLL full name.
    • MD5 or SHA256 hash of the DLL.
    • DLL size.
    • DLL attributes.
    • DLL zone ID.
    • DLL application name.
    • Original DLL name.
    • Date of DLL creation and modification.
    • Name of the organization that issued the digital certificate of the DLL.
    • DLL digital signature verification result.
    • DLL digital signature date.
    • Path to replaced DLL.
    • DLL file type.
    • URL from which the file was retrieved.
    • Metadata of the message from which the file was retrieved.
    • .NET assembly name.
    • .NET assembly flags.
    • .NET module flags.
  12. Process startup blocking event.
    • Details of the file that attempted to run: file name, file path, full name of the file, MD5 and SHA256 hashes of the file, file size, and date of file creation and modification.
    • Command line parameters.
  13. File startup blocking event.
    • Information about the file that was being opened: file name, file path, full file name, MD5 hash, SHA256 hash, type of checksum that triggered the blocking (0 for MD5, !=0 for SHA256; not used for search), URL of the website from which the executable file was downloaded, metadata of the message to which the downloaded file was attached.
    • Details of the executable file: file name, file path, full name of the file, MD5 and SHA256 hashes of the file, file size, and date of file creation and modification.
    • Details of the parent process: file name, file path, full name of the file, MD5 and SHA256 hashes of the file, PID, and UniquePID.
  14. Event of a named pipe being opened and connected to.
    • File name of the process that created or connected to the named pipe.
    • Pipe operation type.
  15. Threat detection event and detection processing result.
    • Name of the detected object.
    • MD5 hash of the detected object.
    • SHA256 hash of the detected object.
    • Type of detected object.
    • Scan result.
    • ID of the record in application databases.
    • Version of the application databases used to generate the detection.
    • Object processing mode.
    • Category of the detected object (for example, name of a virus).
    • Protocol.
    • IPv4 or IPv6 address of the local computer.
    • Local port number.
    • IPv4 or IPv6 address of the remote computer.
    • Remote port number.
    • URL from which the file was retrieved.
    • Email address of the sender if the file was obtained from an email message.
    • Full name, MD5 hash, SHA256 hash of the file loader.
    • Unique ID of the process.
    • Process PID displayed in the Windows Task Manager.
    • Process start command line.
    • Reason for the error when processing the object.
    • Contents and type of the script scanned using AMSI.
  16. WMI service start event.
    • Operation type.
    • Remote startup flag of the WMI service.
    • Name of the computer on which the WMI service was started.
    • Name of the user that started the WMI service.
    • WMI namespace.
    • Event consumer filter name.
    • Name of the created event consumer.
    • Event consumer source code.
  17. AMSI scan event.
    • Contents of the script scanned using AMSI.
    • Content type of the script sent for scanning.
    • Name of the script sent for scanning.
    • MD5 hash of the script file.
    • SHA256 hash of the script file.
  18. Code injection event.
    • Information about the recipient process: application name, full application name, path to the application, MD5 hash of the file, SHA256 hash of the file, URL from which the file was downloaded, metadata of the message to which the downloaded file was attached, unique ID of the application, system ID of the application, command line, name of the process DLL, path to the process DLL, address of the process in the address space.
    • Injection method.
    • Modified command line of the process.
    • System call parameters.
    • API call stack at the time of interception of the injection-related function.
  19. Interpreted file run event.
    • Information about the interpreted file: name, path, full name, MD5, SHA256, file creation date and time, file modification date and time, size, type, attributes, attribute modification date and time, original name, description, zone ID, name of organization that issued the digital certificate, result of digital signature verification, date and time of the digital signature, subject of the digital signature, URL from which the file was obtained, metadata of the message to which the downloaded file was attached.

  20. Event in the operating system log.
    • Time of the event, host on which the event occurred, and user account name.
    • Event ID.
    • Channel/log name.
    • Event ID in the log.
    • Provider name.
    • Authentication event subtype.
    • Domain name.
    • Remote IP address.
    • Event header fields: ProviderName, EventId, Version, Level, Task, Opcode, Keywords, TimeCreatedSystemTime, EventRecordId, CorellationActivityId, ExecutionProcessID, ThreadID, Channel, Computer.
    • Event body fields: AccessList, AccessFiles mask, AccountExpires, AllowedToDelegateTo, Application, AuditPolicyChanges, AuthenticationPackageName, CategoryId, CommandLine, DisplayName, Dummy, ElevatedToken, EventCode, EventProcessingFailure, FailureReason, FilterRTID, HandleId, HomeDirectory, HomePath, ImpersonationLevel, IpAddress, IpPort, KeyLength, LayerName, LayerRTID, LmPackageName, LogonGuid, LogonHours, LogonProcessName, LogonType, MandatoryLabel, MemberName, MemberSid, NewProcessId, NewProcessName, NewUacValue, NewValue, NewValueType, ObjectName, ObjectServer, ObjectType, ObjectValueName, OldUacValue, OldValue, OldValueType, OperationType, PackageName, ParentProcessName, PasswordLastSet, PrimaryGroupId, PriviledgeList, ProcessId, ProcessName, ProfileChanged, ProfilePath, Protocol, PublisherId, ResourceAttributes, RestrictedAdminMode, SamAccountName, ScriptPath, ServiceAccount, ServiceFileName, ServiceName, ServiceStartType, ServiceType, SettingType, SettingValue, ShareLocalPath, ShareName, SidHistory, SourceAddress, SourcePort, Status, SubcategoryGuid, SubcategoryId, SubjectDomainName, SubjectLogonId, SubjectUserName, SubjectUserSid, SubStatus, TargetDomainName, TargetLinkedLogonId, TargetLogonId, TargetOutboundDomainName, TargetOutboundUserName, TargetUserName, TargetUserSid, TaskContent, TaskName, TokenElevationType, TransmittedServices, UserAccountControl, UserParameters, UserPrincipalName, UserWorkstations, VirtualAccount, Workstation, WorkstationName, System, SystemProvider, SystemProviderName, SystemProviderGuid, SystemProviderEventSourceName, SystemEventID, SystemEventIDQualifiers, SystemEventRecordID, SystemChannel, SystemTask, SystemOpcode, SystemVersion, SystemLevel, SystemKeywords, SystemTimeCreated, SystemTimeCreatedSystemTime, SystemCorrelation, SystemCorrelationActivityID, SystemExecution, SystemExecutionProcessID, SystemExecutionThreadID, SystemComputer, SystemSecurity, SystemSecurityUserID, UserData, UserDataEventProcessingFailure, UserDataEventProcessingFailureError, UserDataEventProcessingFailureErrorCode, UserDataEventProcessingFailureEventID, UserDataEventProcessingFailurePublisherID, UserDataLogFileCleared, UserDataLogFileClearedSubjectUserSid, UserDataLogFileClearedSubjectUserName, UserDataLogFileClearedSubjectDomainName, UserDataLogFileClearedSubjectLogonId, UserDataFileIsFull, UserDataOperationStartedOperationalProviderName, UserDataOperationStartedOperationalCode, UserDataOperationStartedOperationalHostProcess, UserDataOperationStartedOperationalProcessID, UserDataOperationStartedOperationalProviderPath, UserDataServiceShutdown, UserDataOperationClientFailure, UserDataOperationClientFailureId, UserDataOperationClientFailureClientMachine, UserDataOperationClientFailureUser, UserDataOperationClientFailureClientProcessId, UserDataOperationClientFailureComponent, UserDataOperationClientFailureOperation, UserDataOperationClientFailureResultCode, UserDataOperationClientFailurePossibleCause, EventData, EventDataData, EventDataDataTaskName, EventDataDataPrivilegeList, EventDataDataAttributeLDAPDisplayName, EventDataDataOperationType, EventDataDataObjectClass, EventDataDataAttributeValue, EventDataDataObjectDN, EventDataDataRelativeTargetName, EventDataDataWorkstationName, EventDataDataServiceName, EventDataDataAllowedToDelegateTo, EventDataDataUserAccountControl, EventDataDataProfileChanged, EventDataDataRuleId, EventDataDataRuleName, EventDataDataSubjectUserSid, EventDataDataSubjectUserName, EventDataDataSubjectDomainName, EventDataDataSubjectLogonId, EventDataDataPreviousTime, EventDataDataNewTime, EventDataDataProcessId, EventDataDataProcessName, EventDataDataObjectType, EventDataDataObjectName, EventDataDataAccessList, EventDataDataAccessMask, EventDataDataServiceFileName, EventDataDataServiceType, EventDataDataServiceStartType, EventDataDataServiceAccount, EventDataDataDomainName, EventDataDataDomainSid, EventDataDataTdoType, EventDataDataTdoDirection, EventDataDataTdoAttributes, EventDataDataSidFilteringEnabled, EventDataDataTargetSid, EventDataDataAccessGranted, EventDataDataTargetUserName, EventDataDataTargetDomainName, EventDataDataSamAccountName, EventDataDataSidHistory, EventDataDataDomainPolicyChanged, EventDataDataMinPasswordAge, EventDataDataMaxPasswordAge, EventDataDataForceLogoff, EventDataDataLockoutThreshold, EventDataDataLockoutObservationWindow, EventDataDataLockoutDuration, EventDataDataProperties, EventDataDataPasswordProperties, EventDataDataMinPasswordLength, EventDataDataPasswordHistoryLength, EventDataDataMachineAccountQuota, EventDataDataMixedDomainMode, EventDataDataDomainBehaviorVersion, EventDataDataOemInformation, EventDataDataGroupTypeChange, EventDataDataLogonGuid, EventDataDataTargetUserSid, EventDataDataTargetLogonId, EventDataDataTargetLogonGuid, EventDataDataSidList, EventDataDataWorkstation, EventDataDataStatus, EventDataDataCallerProcessId, EventDataDataCallerProcessName, EventDataDataForestRoot, EventDataDataForestRootSid, EventDataDataOperationId, EventDataDataEntryType, EventDataDataFlags, EventDataDataTopLevelName, EventDataDataDnsName, EventDataDataNetbiosName, EventDataDataAuditSourceName, EventDataDataEventSourceId, EventDataDataErrorCode, EventDataDataGPOList, EventDataDataDestinationDRA, EventDataDataSourceDRA, EventDataDataSourceAddr, EventDataDataNamingContext, EventDataDataOptions, EventDataDataStatusCode, EventDataDataSessionID, EventDataDataStartUSN, EventDataDataPackageName, EventDataDataAuthenticationPackageName, EventDataDataFailureReason, EventDataDataSubStatus, EventDataDataCategoryId, EventDataDataSubcategoryGuid, EventDataDataAuditPolicyChanges, EventDataDataUserPrincipalName, EventDataDataHomeDirectory, EventDataDataHomePath, EventDataDataScriptPath, EventDataDataProfilePath, EventDataDataUserWorkstations, EventDataDataPasswordLastSet, EventDataDataAccountExpires, EventDataDataPrimaryGroupId, EventDataDataOldUacValue, EventDataDataNewUacValue, EventDataDataUserParameters, EventDataDataLogonHours, EventDataDataMemberName, EventDataDataMemberSid, EventDataDataServiceSid, EventDataDataTicketOptions, EventDataDataTicketEncryptionType, EventDataDataPreAuthType, EventDataDataCertIssuerName, EventDataDataCertSerialNumber, EventDataDataCertThumbprint, EventDataDataSettingType, EventDataDataSettingValue, EventDataDataShareName, EventDataDataShareLocalPath, EventDataDataApplication, EventDataDataSourceAddress, EventDataDataSourcePort, EventDataDataProtocol, EventDataDataFilterRTID, EventDataDataLayerName, EventDataDataLayerRTID, EventDataDataLogonType, EventDataDataLogonProcessName, EventDataDataTransmittedServices, EventDataDataLmPackageName, EventDataDataKeyLength, EventDataDataIpAddress, EventDataDataIpPort, EventDataDataImpersonationLevel, EventDataDataRestrictedAdminMode, EventDataDataTargetOutboundUserName, EventDataDataTargetOutboundDomainName, EventDataDataVirtualAccount, EventDataDataTargetLinkedLogonId, EventDataDataElevatedToken, EventDataDataTaskContentNew, EventDataDataTaskContentNewTask, EventDataDataTaskContentNewTaskRegistrationInfo, EventDataDataTaskContentNewTaskRegistrationInfoDate, EventDataDataTaskContentNewTaskRegistrationInfoAuthor, EventDataDataTaskContentNewTaskTriggers, EventDataDataTaskContentNewTaskPrincipals, EventDataDataTaskContentNewTaskPrincipalsPrincipal, EventDataDataTaskContentNewTaskPrincipalsPrincipalid, EventDataDataTaskContentNewTaskPrincipalsPrincipalRunLevel, EventDataDataTaskContentNewTaskPrincipalsPrincipalUserId, EventDataDataTaskContentNewTaskPrincipalsPrincipalLogonType, EventDataDataTaskContentNewTaskSettings, EventDataDataTaskContentNewTaskSettingsMultipleInstancesPolicy, EventDataDataTaskContentNewTaskSettingsDisallowStartIfOnBatteries, EventDataDataTaskContentNewTaskSettingsStopIfGoingOnBatteries, EventDataDataTaskContentNewTaskSettingsAllowHardTerminate, EventDataDataTaskContentNewTaskSettingsStartWhenAvailable, EventDataDataTaskContentNewTaskSettingsRunOnlyIfNetworkAvailable, EventDataDataTaskContentNewTaskSettingsIdleSettings, EventDataDataTaskContentNewTaskSettingsIdleSettingsStopOnIdleEnd, EventDataDataTaskContentNewTaskSettingsIdleSettingsRestartOnIdle, EventDataDataTaskContentNewTaskSettingsAllowStartOnDemand, EventDataDataTaskContentNewTaskSettingsEnabled, EventDataDataTaskContentNewTaskSettingsHidden, EventDataDataTaskContentNewTaskSettingsRunOnlyIfIdle, EventDataDataTaskContentNewTaskSettingsWakeToRun, EventDataDataTaskContentNewTaskSettingsExecutionTimeLimit, EventDataDataTaskContentNewTaskSettingsPriority, EventDataDataTaskContentNewTaskActions, EventDataDataTaskContentNewTaskActionsContext, EventDataDataTaskContentNewTaskActionsExec, EventDataDataTaskContentNewTaskActionsExecCommand, EventDataDataOldSd, EventDataDataNewSd, EventDataDataNotificationPackageName, EventDataDataSecurityPackageName, EventDataDataStopTime, EventDataDataContextInfo, EventDataDataUserData, EventDataDataPayload, EventDataDataOpCorrelationID, EventDataDataAppCorrelationID, EventDataDataDSName, EventDataDataDSType, EventDataDataObjectGUID, EventDataDataFileName, EventDataDataLinkName, EventDataDataTransactionId, EventDataDataOldObjectDN, EventDataDataNewObjectDN, EventDataDatabcdCCID, EventDataDatabMaxSlotIndex, EventDataDatabVoltageSupport, EventDataDatadwProtocols, EventDataDatadwDefaultClock, EventDataDatadwMaximumClock, EventDataDatabNumClockSupported, EventDataDatadwDataRate, EventDataDatadwMaxDataRate, EventDataDatabNumDataRateSupported, EventDataDatadwMaxIFSD, EventDataDatadwSyncProtocols, EventDataDatadwMechanical, EventDataDatadwFeatures, EventDataDataObjectValueName, EventDataDataHandleId, EventDataDataOldValueType, EventDataDataOldValue, EventDataDataNewValueType, EventDataDataNewValue, EventDataDataSubjectUserDomainName, EventDataDataObjectCollectionName, EventDataDataObjectIdentifyingProperties, EventDataDataObjectProperties, EventDataDataparam, EventDataDataCVEID, EventDataDataAdditionalDetails, EventDataDataObjectServer, EventDataDataTaskContent, EventDataDataTaskContentTask, EventDataDataTaskContentTaskRegistrationInfo, EventDataDataTaskContentTaskRegistrationInfoDate, EventDataDataTaskContentTaskRegistrationInfoAuthor, EventDataDataTaskContentTaskTriggers, EventDataDataTaskContentTaskPrincipals, EventDataDataTaskContentTaskPrincipalsPrincipal, EventDataDataTaskContentTaskPrincipalsPrincipalid, EventDataDataTaskContentTaskPrincipalsPrincipalRunLevel, EventDataDataTaskContentTaskPrincipalsPrincipalUserId, EventDataDataTaskContentTaskPrincipalsPrincipalLogonType, EventDataDataTaskContentTaskSettings, EventDataDataTaskContentTaskSettingsMultipleInstancesPolicy, EventDataDataTaskContentTaskSettingsDisallowStartIfOnBatteries, EventDataDataTaskContentTaskSettingsStopIfGoingOnBatteries, EventDataDataTaskContentTaskSettingsAllowHardTerminate, EventDataDataTaskContentTaskSettingsStartWhenAvailable, EventDataDataTaskContentTaskSettingsRunOnlyIfNetworkAvailable, EventDataDataTaskContentTaskSettingsIdleSettings, EventDataDataTaskContentTaskSettingsIdleSettingsStopOnIdleEnd, EventDataDataTaskContentTaskSettingsIdleSettingsRestartOnIdle, EventDataDataTaskContentTaskSettingsAllowStartOnDemand, EventDataDataTaskContentTaskSettingsEnabled, EventDataDataTaskContentTaskSettingsHidden, EventDataDataTaskContentTaskSettingsRunOnlyIfIdle, EventDataDataTaskContentTaskSettingsWakeToRun, EventDataDataTaskContentTaskSettingsExecutionTimeLimit, EventDataDataTaskContentTaskSettingsPriority, EventDataDataTaskContentTaskActions, EventDataDataTaskContentTaskActionsContext, EventDataDataTaskContentTaskActionsExec, EventDataDataTaskContentTaskActionsExecCommand, EventDataDataOldTargetUserName, EventDataDataNewTargetUserName, EventDataDataDeviceId, EventDataDataDeviceDescription, EventDataDataClassId, EventDataDataClassName, EventDataDataVendorIds, EventDataDataCompatibleIds, EventDataDataLocationInformation, EventDataDataAccountName, EventDataDataAccountDomain, EventDataDataLogonID, EventDataDataSessionName, EventDataDataClientName, EventDataDataClientAddress, EventDataDataMajorVersion, EventDataDataMinorVersion, EventDataDataBuildVersion, EventDataDataQfeVersion, EventDataDataServiceVersion, EventDataDataBootMode, EventDataDataStartTime, EventDataDataOldRemark, EventDataDataNewRemark, EventDataDataOldMaxUsers, EventDataDataNewMaxUsers, EventDataDataOldShareFlags, EventDataDataNewShareFlags, EventDataDataOldSD, EventDataDataNewSD, EventDataDataTreeDelete, EventDataDataPuaCount, EventDataDataPuaPolicyId, EventDataDataResourceAttributes, EventDataDataModifiedObjectProperties, EventDataDataDisplayName, EventDataDataDnsHostName, EventDataDataServicePrincipalNames, EventDataDataAttributeSyntaxOID, EventDataDataDummy, EventDataDataComputerAccountChange, EventDataDataMessageNumber, EventDataDataMessageTotal, EventDataDataScriptBlockText, EventDataDataScriptBlockId, EventDataDataPath, EventDataDataImagePath, EventDataDataStartType, EventDataDataAppName, EventDataDataAppVersion, EventDataDataTerminationTime, EventDataDataExeFileName, EventDataDataReportId, EventDataDataPackageFullName, EventDataDataPackageRelativeAppId, EventDataDataHangType, EventDataDataAccessReason, EventDataDataTargetServerName, EventDataDataTargetInfo, EventDataDataTargetProcessId, EventDataDataTargetProcessName, EventDataDataKerberosPolicyChange, EventDataDataSubcategoryId, EventDataBinary.

Central Node and Kaspersky Endpoint Security for Linux

If an event occurred on the user's computer, the application sends the following data to the events database:

  1. File modification event.
    • Details of the process that created the file: process file name, and MD5 and SHA256 hashes of the process file.
    • Information about the created or modified file: name, path, full name, type, MD5 hash, SHA256 hash, creation date, modification date, attributes, attribute modification date, size, zone ID, application name of the file, vendor, name of the organization that issued the digital certificate, description, digital signature verification result, time of the digital signature, original name, name before modification, path before modification, full name before modification.
    • Information about the file to which a link was created: MD5 hash, SHA256 hash, creation date, modification date, attributes, attribute modification date, size, type, zone ID, application name of the file, original name, name of the organization that issued the digital certificate, description, subject of the signature, digital signature verification result, time of the digital signature, full name of the link file.
    • File type.
    • Owner ID.
    • Owner group ID.
    • Owner user name.
    • Owner group name.
    • URL from which the file was retrieved.
    • Metadata of the message from which the file was retrieved.
    • Requested access flags.
    • Indicator of file deletion after a restart.
    • File access flags.
  2. Event in the operating system log.
    • Event time.
    • Event type.
    • Event name.
    • Result of the operation.
    • Information about the parent process: file path, UniquePID, MD5 or SHA256 hash of the process file, command that was used to start the process.
  3. Process start event.
    • Information about files of the parent and grandparent processes, loader processes, creator processes, running processes: name, path, full name, MD5 hash, SHA256 hash, creation date and time, modification date and time, attributes, attribute modification date and time, size, zone ID, vendor, name of the organization that issued the digital certificate, description, original name, digital signature subject, digital signature verification result, date and time of the digital signature, file version, logon type, login session ID, user account type, user name, user account ID, IP address of the computer from which the logon was made, integrity level, process ID, current directory, owner ID, owner group ID, owner user name, owner group name, real user name, real group name, effective group name, effective user name, file access permission flags, URL from which the file was downloaded, metadata of the message from which the file was obtained, process environment variables, command line options, process type.
  4. Process stop event.
    • Information about the file of the process: file name, file path, full name of the file, MD5 or SHA256 hash of the file, file size, and process end time.
    • UniquePID.
    • Process start options.
    • Information about the parent process: file path, UniquePID, MD5 or SHA256 hash of the process file, process start options.
  5. Detection event and the result of its processing.
    • Scan result.
    • Name of the detected object.
    • ID of the record in application databases.
    • Release time of the application databases with which the detection was generated.
    • Object processing mode.
    • Category of the detected object (for example, name of a virus).
    • MD5 hash of the detected object.
    • SHA256 hash of the detected object.
    • Unique ID of the process.
    • PID of the process.
    • Process start command line.
    • Reason for the error when processing the object.
  6. DNS lookup event.
    • IPv4 address of the DNS server.
    • Binary mask of the DNS query being performed.
    • DNS response error code.
    • DNS query type ID.
    • Name of the domain for which the DNS record is to be resolved.
    • Date of the DNS response.
  7. Code injection event.
    • Information about the recipient process: application name, full application name, path to the application, MD5 hash of the file, SHA256 hash of the file, URL from which the file was downloaded, metadata of the message to which the downloaded file was attached, unique ID of the application, system ID of the application, command line, name of the process DLL, path to the process DLL, address of the process in the address space.
    • Injection method.
    • Modified command line of the process.
    • System call parameters.
    • API call stack at the time of interception of the injection-related function.

Central Node and Kaspersky Endpoint Security for Mac

If an event occurred on the user's computer, the application sends the following data to the events database:

  1. File creation event.
    • Details of the process that created the file: process file name, and MD5 and SHA256 hashes of the process file.
    • File name.
    • Path to the file.
    • Full name of the file.
    • File type.
    • MD5 and SHA256 hashes of the file.
    • Date of file creation and modification.
    • File size.
  2. Process start event.
    • Information about files of the parent and grandparent processes, loader processes, creator processes, running processes: name, path, full name, MD5 hash, SHA256 hash, creation date and time, modification date and time, attributes, attribute modification date and time, size, zone ID, vendor, name of the organization that issued the digital certificate, description, original name, digital signature subject, digital signature verification result, date and time of the digital signature, file version, logon type, login session ID, user account type, user name, user account ID, IP address of the computer from which the logon was made, integrity level, process ID, current directory, owner ID, owner group ID, owner user name, owner group name, real user name, real group name, effective group name, effective user name, file access permission flags, URL from which the file was downloaded, metadata of the message from which the file was obtained, process environment variables, command line options, process type.
  3. Process stop event.
    • Information about the file of the process: file name, file path, full name of the file, MD5 or SHA256 hash of the file, file size, and process end time.
    • UniquePID.
    • Process start options.
    • Information about the parent process: file path, UniquePID, MD5 or SHA256 hash of the process file, process start options.
  4. Threat detection event and detection processing result.
    • Scan result.
    • Name of the detected object.
    • ID of the record in application databases.
    • Release time of the application databases with which the detection was generated.
    • Object processing mode.
    • Category of the detected object (for example, name of a virus).
    • MD5 hash of the detected object.
    • SHA256 hash of the detected object.
    • Unique ID of the process.
    • PID of the process.
    • Process start command line.
    • Reason for the error when processing the object.

Central Node and Sandbox

The Central Node component sends files and URLs extracted from network and email traffic to the Sandbox component. The files are not modified in any way before they are sent. The Sandbox component returns scan results to the Central Node component.

Central Node and Sensor

The application may transmit the following data between the Central Node and Sensor components:

  • Files and email messages.
  • Data on alerts generated by the Intrusion Detection System and URL Reputation technologies.
  • License information.
  • List of data excluded from the scan.
  • Data of the Endpoint Sensors application, if integration with a proxy server has been configured.
  • Application databases, if receiving database updates from the Central Node component is configured.

Servers with PCN and SCN roles

If the application is running in distributed solution mode, data about the following is transmitted between the PCN and the connected SCNs:

  • Alerts.
  • Events.
  • Tasks.
  • Policies.
  • Scans using IOC, TAA (IOA), IDS, YARA user rules.
  • Files in Storage.
  • User accounts.
  • The license.
  • The list of computers with the Endpoint Agent component.
  • Objects placed in Storage.
  • Objects quarantined on computers with the Endpoint Agent component.
  • Files attached to detections.
  • IOC and YARA files.

See also

Service data of the application

Data of the Central Node and Sensor components

Sandbox component data

Data contained in application trace files

Data of Kaspersky Endpoint Agent for Windows

Data of Kaspersky Endpoint Security for Windows

Data of Kaspersky Endpoint Security for Linux

Data of Kaspersky Endpoint Security for Mac