Kaspersky Anti Targeted Attack Platform
7.0
English

Contents

Data in detections

Kaspersky Anti Targeted Attack Platform resources provide no capability to restrict the rights of the users of servers and operating systems to which the Central Node component is installed. The administrator is advised to use any system resources at their own discretion to control how the users of servers and operating systems with the application installed may be granted access to the personal data of other users.

Information about the data that may be stored when creating

detections
is listed in the table below.

Data in Kaspersky Anti Targeted Attack Platform detections

Data type

Location and duration of storage

The following data is stored on the server for all detections:

  • Detection creation date and time.
  • Date and time of alert modification.
  • Category of the detected object.
  • Name of the detected file.
  • Type of the detected file.
  • Source of the detected object.
  • Detected URL.
  • MD5 and SHA256 hash of the detected file.
  • User comments added to the details of the
    alert
    associated with the detection.
  • ID of the TAA (IOA) rule by which the detection was created.
  • IP address and name of the computer on which the detection was generated.
  • ID of the computer on which the detection was generated.
  • User agent.
  • The user account to which the alert associated with the detection was assigned.
  • List of files.
  • Alert importance depending on the security impact this alert may have on the computer or corporate LAN, based on Kaspersky experience.
  • The technology that made the detection.
  • Status of the alert associated with the detection.
  • Name of the user to which the alert associated with the detection was assigned.
  • Event ID (when using the NDR functionality).
  • Device IDs (when using the NDR functionality).

If the Central Node is installed on a server, detection information is stored on the Central Node server in the /data directory. If Central Node is installed as a cluster, detection information is stored in a ceph storage.

Data is rotated when the number of detection records generated by an individual scanning technology reaches 1,000,000.

When the alert associated with the detection is modified, the following information is stored on the server:

  • The user account that modified the alert.
  • The user account to which the alert was assigned.
  • Date and time of alert modification.
  • Alert status.
  • User comment.

If the detection was created as a result of scanning a file, the following information may be stored on the server:

  • Full name of the detected file.
  • MD5 and SHA256 hash of the detected file.
  • Size of the detected file.
  • Information about the signature of the file.

If the detection was created as a result of scanning FTP traffic, the following information may be stored on the server:

  • URI of the FTP request.

If the detection was created as a result of scanning HTTP traffic, the following information may be stored on the server:

  • URI of the HTTP request.
  • URI of the request source.
  • User agent.
  • Information about the proxy server.

If the detection was created as a result of scanning by the Intrusion Detection technology, the following information may be stored on the server:

  • Name of the computer from which the data was sent.
  • Name of the computer that received the data.
  • The IP address of the computer from which the data was sent.
  • The IP address of the computer that received the data.
  • Transmitted data.
  • Data transfer time.
  • URL extracted from the file containing the traffic, User Agent, and method.
  • File containing the traffic where the detection occurred.
  • Object category based on the IDS database.
  • Name of the custom IDS rule that was used to generate the detection.
  • HTTP request body.
  • List of detected objects.

If the detection was created as a result of scanning by the URL Reputation technology, the following information may be stored on the server:

  • Name of the computer from which the data was sent.
  • Name of the computer that received the data.
  • The IP address of the computer from which the data was sent.
  • The IP address of the computer that received the data.
  • The URI of the transferred resource.
  • Information about the proxy server.
  • Unique ID of the email message.
  • Email addresses of the sender and recipients of the message (including the recipients of copies and blind carbon copies of the message).
  • Subject of the email message.
  • Date and time when the message was received by Kaspersky Anti Targeted Attack Platform, with precision up to the second.
  • List of detected objects.
  • Time of network connection.
  • URL of network connection.
  • User agent.

If the detection was created as a result of scanning HTTP traffic, the following information may be stored on the server:

  • Version of the application databases used to generate the detection.
  • Category of the detected object.
  • Names of detected objects.
  • MD5 hashes of detected objects.
  • Information about detected objects.

If the detection was created as a result of scanning by the Anti-Malware technology, the following information may be stored on the server:

  • Versions of databases of Kaspersky Anti Targeted Attack Platform components that were used to generate the alert.
  • Category of the detected object.
  • List of detected objects.
  • MD5 hash of detected objects.
  • Additional information about the detection.

If the detection was created as a result of a DNS activity detection, the following information may be stored on the server:

  • DNS query data.
  • Contents of the DNS server response to the query.
  • List of queried hosts.

If the detection was created as a result of scanning in accordance with user-defined IOC or TAA (IOA) rules, the following information may be stored on the server:

  • Date and time of scan completion.
  • IDs of the computers on which the detection was generated.
  • Name of TAA (IOA) rule.
  • Name of the IOC file.
  • Information about detected objects.
  • List of hosts with the Endpoint Agent component.

If the detection was created using YARA rules, the following information can be stored on the server:

  • Version of YARA rules that was used to generate the detection.
  • Category of the detected object.
  • Name of the detected object.
  • MD5 hash of the detected object.
  • Date and time when the object was detected.
  • Additional information about the alert.

If the detection was created as a result of scanning a file, the following information may be stored on the server:

  • Email addresses of the sender and recipients of the message, including the recipients of copies and blind carbon copies of the message.
  • Subject of the email message.
  • Date and time when the message was received by Kaspersky Anti Targeted Attack Platform, with precision up to the second.
  • All service headers of the message (as they appear in the message).

If the Central Node is installed on a server, detection information is stored on the Central Node server in the /data directory. If Central Node is installed as a cluster, detection information is stored in a ceph storage.

The data is stored indefinitely.

If the detection was created as a result of a rescan, the following information may be stored on the server:

  • File name.

See also

Data of the Central Node and Sensor components

Traffic data of the Sensor component

Data in events

Data in reports

Data on objects in Storage and Quarantine
Page top
[Topic 247484]