Data in alerts

Alerts may contain user data. Information about alerts is stored on the server with the Central Node component in the directory /data/var/lib/kaspersky/storage/pgsql/10/data/ and is rotated as disk space is filled. Files whose scan results generated an alert are accumulated on the server hosting the Central Node component and rotated as disk space is filled up.

Kaspersky Anti Targeted Attack Platform resources provide no capability to restrict the rights of the users of servers and operating systems to which the Central Node component is installed. The administrator is advised to use any system resources at their own discretion to control how the users of servers and operating systems with the program installed may be granted access to the personal data of other users.

The following information is stored in all alerts:

Alert time.
Date and time of alert modification.
Category of the detected object.
ID of the user to whom the alert is assigned.
User comments added to the alert information.
IP address and name of the computer on which the alert was generated.
Unique ID of the computer on which the alert was generated.

If a file is detected in network traffic or mail traffic, the following information may be stored on the server:

Name, size, and type of file.
MD5- and SHA256 hash of the file.
Category of the detected object (for example, name of the virus) and alert importance for the Kaspersky Anti Targeted Attack Platform user depending on the impact this alert may have on computer security or corporate LAN security based on Kaspersky experience.
Versions of databases of Kaspersky Anti Targeted Attack Platform components that were used to generate the alert.
For each virtual machine of the Sandbox component: virtual machine name, version of the Sandbox component database used to scan the file, and the file behavior analysis log.
Names of YARA rules that were used to generate the alert.
Object scan status by technology, and scan time for each technology.
IP address and type of integration of the server on which the alert was generated.
For IDS alerts: source address, destination address, URL, User Agent, and method.
If the file was received from the Endpoint Agent component (previously known as Endpoint Sensors): IP address, name, domain of the host (in FQDN format), full path to the file on the computer with the Endpoint Agent component, and the file name.
VIP group affiliation.
DNS request, response to the request, and list of hosts from the request.
URL of the FTP request.

If an email message was detected, the following information may be stored on the server:

Email addresses of the sender and recipients of the message (including the recipients of copies and blind carbon copies of the message).
Subject of the email message.
Date and time when the message was received by Kaspersky Anti Targeted Attack Platform, with precision up to the second.
Unique ID of the email message.
All service headers of the message (as they appear in the message).
IP address, name, and integration type of the server on which the email message was detected.
URL extracted from the email message.

If the alert was generated by URL Reputation technology, the following information may be stored on the server:

URL queried by the corporate LAN computer, or the domain name from the DNS request.
URL extracted from the email message prior to normalization.
IP address of the data packet sender.
IP address of the data packet recipient.
Category of the detected object (for example, malicious or phishing URL), and the alert importance for the Kaspersky Anti Targeted Attack Platform user depending on the impact this event may have on computer security or corporate LAN security based on Kaspersky experience.
VIP group affiliation.
Information about the proxy server.
Unique ID of the email message.
Email addresses of the sender and recipients of the message (including the recipients of copies and blind carbon copies of the message).
Subject of the email message.
Date and time when the message was received by Kaspersky Anti Targeted Attack Platform, with precision up to the second.
List of detected objects.
Time of network connection.
URL of network connection.

If the alert was generated by Intrusion Detection System technology, the following information may be stored on the server:

IDS rule ID.
Category of the detected object based on the Intrusion Detection System database version.
Category of the detected object according to the Kaspersky classification.
Version of the Intrusion Detection System databases used to generate the alert.
Alert importance for the Kaspersky Anti Targeted Attack Platform user depending on the impact this alert may have on computer security or corporate LAN security based on Kaspersky experience.
File containing the traffic where the alert occurred.
URL extracted from the file containing the traffic, User Agent, and method.
IP address and type of integration of the server on which the alert was generated.
VIP group affiliation.
Data transfer time.
IP address of the data packet sender.
IP address of the data packet recipient.

If the alert was generated using YARA rules, the following information can be stored on the server:

Version of YARA rules that was used to generate the alert.
Category of the detected object.
Names of detected objects.
MD5 hashes of detected objects.

If the alert was generated using the Sandbox component, the following information may be stored on the server:

Time of alert generation.
Version of the program databases used to generate the alert.
Category of the detected object.
Names of detected objects.
MD5 hashes of detected objects.
Additional information about the alert.

If the alert was generated by IOC or TAA (IOA) user rules, the following information can be stored on the server:

Date and time of scan completion.
IDs of the computers on which the alert was generated.
Name of the IOC file.
Contents of the IOC file.
Information about detected objects.