Data on program settings
The values of program settings are stored indefinitely on the server with the Central Node component in the directory /data/var/lib/kaspersky/storage/pgsql/10/data/.
Kaspersky Anti Targeted Attack Platform resources provide no capability to restrict the rights of the users of servers and operating systems to which the Central Node component is installed. The administrator is advised to use any system resources at their own discretion to control how the users of servers and operating systems with the program installed may be granted access to the personal data of other users.
Data on policies and tasks are stored on the Central Node server in non-encrypted form.
Data on policies
Policy data may contain the following information:
- MD5-, SHA256 hash of the file that is prevented from running.
- Comment.
- Hosts on which the file is prevented from running.
- Status of the prevention.
Data on tasks
Based on the task results, a report is generated that is stored on the server hosting the Central Node component.
Task data may contain the following information:
- Task ID.
- Task creation time.
- Name and IP address of the host to which the task is assigned.
- Maximum task execution time.
- Task priority.
- Path to the file (for file download and deletion tasks, file placement in Storage, process termination).
- On whose behalf it is required to run the program.
- Task type (command execution or file run).
- Path to the file, arguments or command line.
- Working directory.
- Path to the registry key.
- Task report.
- User comments on the task.
- ID of the user account that created the task.
Data on user accounts
Program user account data may contain the following information:
- User ID.
- User account name and password.
- User role in the program.
- Information about user activity.
- Rights to access servers with the PCN role.
Information about Endpoint Agent components (previously known as Endpoint Sensors)
Information about Endpoint Agent components may contain the following:
- Unique ID of the computer with the Endpoint Agent component.
- Name of the computer with the Endpoint Agent component.
- Time when the first packet was received.
- Time when the last packet was received.
- Information about the Self-Defense status.
- Version of the Endpoint Agent component.
- Time and result of the last IOC scan on the computer with the Endpoint Agent component.
Information about parameters of IOC and TAA (IOA) user rules.
Information about parameters of IOC and TAA (IOA) user rules can contain the following:
- Name of the IOC file.
- Requests to scan using IOC and TAA (IOA) user rules.
- Time of last scan completion.
- State of the IOC file.
- Date when the IOC file was loaded.
- Importance level of generated alerts.
Information about parameters of IDS user rules
Information about parameters of IDS user rules can contain the following:
- Name of the imported IDS rule.
- Requests to scan using the IDS rule.
- Time of last scan completion.
- State of the user rule file.
- Import date of the user rule file.
- Importance level of generated alerts.
Data on network isolation rules.
Data on network isolation rules may contain the following information:
- Rule name.
- Unique ID of the isolated host.
- Rule status.
- Name of the user account that created or modified the rule.
- List of exclusions from the rule.
Data on report templates.
Report template data may contain the following information:
- ID of the user who created or modified the template.
- Template creation date.
- Date of last modification of the template.
- HTML code of the template.
Data on the general settings of the program.
Data on the general settings of the program may contain the following information:
- Settings of layouts in the Dashboard section.
- IOC scan settings.
- SIEM system integration settings.
- Mail sensor integration settings.
- Activity indicators of Endpoint Agent components.
- VIP group addresses.
Service data necessary for program operation
The service data necessary for program operation is provided in the table below. Service data may also contain the user data described above in this section.
Service data necessary for program operation
Data type |
Storage location |
Access to data |
Storage duration |
|---|---|---|---|
Event log of the operating system. |
|
Access for users with root privileges. |
Indefinite. |
Program data cache (redis). |
|
User access is defined by the administrator using operating system tools. Access is provided only over an encrypted IPSec channel. |
Indefinite. |
Alert export files. Files may contain the following information:
|
|
User access is defined by the administrator using operating system tools. Data export is available only for authorized users. Access is provided only over an encrypted IPSec channel. |
Indefinite. |
Artifacts of the Sandbox component, PCAP files of intercepted traffic. |
|
User access is defined by the administrator using operating system tools. |
Files are rotated as the allocated storage location is filled. |
Object scan queue. |
|
User access is defined by the administrator using operating system tools. |
Until scan completion. |
Objects in quarantine, and objects received from the Endpoint Agent component. |
|
User access is defined by the administrator using operating system tools. |
Files are rotated as the allocated storage location is filled. |
YARA Rules |
|
User access is defined by the administrator using operating system tools. |
Indefinite. |
Certificates of servers used for integration of program components. |
|
User access is defined by the administrator using operating system tools. Information about actions with certificates is saved in the program event log. |
Indefinite. |
Encryption keys transmitted between program components. |
|
User access is defined by the administrator using operating system tools. Information about modifications to encryption keys is saved in the program event log. |
Indefinite. |