Events may contain user data. Information about events that have occurred is stored for 30 days on the server with the Central Node component in the directory /data/var/lib/kaspersky/storage/fastsearch/elasticsearch/data/.
Kaspersky Anti Targeted Attack Platform provides no built-in capability to restrict the rights of users on the servers and operating systems on which the Central Node component is installed. The administrator is advised to use any system resources at their own discretion to control whether users of the servers and operating systems with the program installed may be granted access to the personal data of other users.
Event data can contain information related to the following:
Name of the computer where the event occurred.
Name of the user account under which the event occurred.
Unique ID of the computer with Kaspersky Endpoint Agent (previously known as Endpoint Sensors).
Event type.
Event time.
Full paths to files on computers with Kaspersky Endpoint Agent.
Names of files on computers with Kaspersky Endpoint Agent.
Full names of folders on computers with Kaspersky Endpoint Agent.
MD5 and SHA256 hashes of files.
File creation time.
File modification time.
Command-line parameters.
Local IP address of the adapter.
Local port.
Remote host name.
Remote host IP address.
Port on the remote host.
URLs and IP addresses of visited websites, and links from these websites.
Path to keys in the Windows registry.
Information about Windows registry variables: path to the variable, variable name, variable value.
Details of the process file: path to the file, full name of the file, file size, file creation date, file modification date, MD5 and SHA256 hashes of the file.
Details of the parent process file: full name of the file, path to the file, unique ID of the file, MD5 and SHA256 hashes of the file, ID of the Windows parent process.
Information about the interpreted file: full name of the file, path to the file, MD5 and SHA256 hashes of the file.
Information about the file that was blocked from starting: full name of the file, path to the file, MD5 and SHA256 hashes of the file.
Information about the DLL module: full name, path, size, creation date and modification date of the DLL module, MD5 and SHA256 hashes of the DLL module.
Information related to the file creation event: full name of the created file, path, size, creation date and modification date, MD5 and SHA256 hashes of the file.
Information about the driver file: full name of the file, path to the file, size, creation date and modification date, MD5 and SHA256 hashes of the file.
New name and old name of the host, if the host name was changed.
Name of the detected object.
Information about the event in the Windows log: event type, event type ID, event ID, user account under which the event was logged, full text of the event from the Windows Event Log in XML format.
Information related to the Kaspersky Endpoint Security alert: full name of the detected object, MD5 and SHA256 hashes of the file, unique ID of the process, Windows PID, command-line parameters, type of detected object, threat name, record ID in the KES database, version of the KES database, scan mode, scan result, and the reason why the object cannot be disinfected.