Service data of the application

Kaspersky Anti Targeted Attack Platform itself provides no means of restricting the rights of the users of the servers and operating systems on which the Central Node component is installed. The administrator is advised to use any system resources at their own discretion to control how the users of servers and operating systems with the application installed may be granted access to the personal data of other users.

Information about the service data of Kaspersky Anti Targeted Attack Platform is provided in the table below.

Service data of Kaspersky Anti Targeted Attack Platform

The table has two columns, "Data type" and "Location and duration of storage". Each data type entry below is followed by the location and duration of storage for that data.

User account information:

  • User account ID.
  • User account name.
  • Password (salted hash).

The information is stored indefinitely on the Central Node server in the /data directory.

Information about MDR, KSN, KPSN integration.

OSMP integration settings:

  • IP address or FQDN of the Central Node server to which the OSMP Console redirects.
  • IP address or FQDN of the OSMP server that is responsible for user authentication when logging in to the web interface of Kaspersky Anti Targeted Attack Platform.
  • Secret data (stored in an encrypted form).

Information about applied license keys or activation codes.

Endpoint Agent settings.

Settings of the mail server used for sending notifications:

  • IP address and port of the server.
  • Fingerprint of the certificate.
  • Login and password hash of the user authorized on the server.
  • Name of the secret that is used as the decryption key.
  • Whether encryption is being used.

Name of the current server.

Addresses of servers connected to the current server and information about certificates used for mutual authentication with them.

Connector settings:

  • Address of the connector server.
  • Server address of the third-party system with which the connector interacts.

Information about secrets and user account information of Central Node users.

Address of the monitoring point.

Information about ICAP exclusions.

Settings of Sensor integration with ICAP:

  • State (enabled or disabled).
  • Maximum number of connections.
  • Connection address in REQMOD mode.
  • Connection address in RESPMOD mode.
  • ICAP request header that contains the IP address of the client that made the HTTP request when this request is received through the proxy server.
  • ICAP request header that contains the port of the client that made the HTTP request when this request is received through the proxy server.
  • User name.
  • ICAP request header that contains the user name of the client that made the HTTP request when this request is received through the proxy server.
  • Whether base64 decoding was used.
  • Operating mode.
  • Scan timeout.
  • Detection importance.
  • Page returned to the user when a file is blocked.
  • Page returned to the user when a URL is blocked.
  • Interfaces listened on.

Settings for sending user-defined intrusion detection rules to KSN.

Information about the state and names of Keytab files used in Kerberos authentication.

Information about KSMG email message scanning priorities.

CPU and RAM load notification settings:

  • CPU, hard drive, and RAM usage thresholds.
  • Statistics update interval.

Information about certificates used for mutual authentication of Sensor and Central Node.

Settings of Sensor integration with POP3:

  • IP address and port of the POP3 server.
  • Login and password hash of the user authorized on the POP3 server.
  • Name of the secret that is used as the decryption key.
  • Certificate verification policy.
  • Client certificates.

Proxy server settings:

  • IP address and port of the proxy server.
  • Login and password hash of the user authorized on the proxy server.
  • Name of the secret that is used as the decryption key.
  • State of the proxy server.

Storage server settings:

  • Storage size.
  • Storage duration.

Settings of Sandbox servers:

  • IP address and name of the server.
  • State of the server.
  • Fingerprint of the certificate.

Sandbox component settings:

  • List of virtual machine images.
  • Sandbox synchronization state.

Security settings:

  • Password change and reset period.
  • Failed authentication counter.
  • Maximum user inactivity time.
  • Dashboard locking state because of user inactivity.

Settings of Sensor servers: maximum size of a file that can be sent for scanning.

SIEM settings:

  • State of local and remote update and action logs.
  • TLS encryption state.
  • SIEM server addresses and ports.
  • Network protocol being used.
  • ID of the host sending data to SIEM.
  • TLS encryption certificate.

Settings of Sensor integration with SMTP:

  • Certificates used for mutual authentication.
  • Domain and subdomain names.
  • SMTP client networks and subnets.
  • TLS security level.
  • Status of requesting client TLS certificate.
  • Status of the SMTP integration.

SNMP connection settings:

  • Login.
  • Password hash.
  • Name of the secret that is used as the decryption key.
  • Protocol version.
  • Status of the SNMP integration.

Settings of Sensor integration with SPAN:

  • Interfaces listened on.
  • State of saving HTTP headers.
  • SPAN state.
  • Client certificates.

Settings of storage for mirrored traffic from SPAN ports:

  • Storage state and size.
  • Directory being used.
  • Maximum number of files.

Time zone settings.

Update settings:

  • Update server type.
  • Custom URL of the update server.

The information is stored indefinitely on the Central Node server in the /data directory.

System event log.

OS log files are stored indefinitely in the /var/log directory on the server hosting the Central Node component.

Log with information about the application operation.

The log file is stored indefinitely in the /data directory on the server hosting the Central Node component, if the component is installed on a server. When the Central Node component is installed on a cluster, data is stored on storage servers indefinitely.

File scan queue.

Files are stored on the server hosting the Central Node component in the /data directory if the component is installed on a server. When the Central Node component is installed on a cluster, data is stored on storage servers. The data is retained until the scan is completed.

Files received from computers with the Endpoint Agent component.

Files are stored on the server hosting the Central Node component in the /data directory if the component is installed on a server. When the Central Node component is installed on a cluster, data is stored on storage servers. Data is rotated when disk space becomes full.

Files with YARA and IDS rules (user-defined and from Kaspersky).

Files are stored indefinitely in the /data directory on the server hosting the Central Node component, if the component is installed on a server. When the Central Node component is installed on a cluster, data is stored on storage servers indefinitely.

Files with data about detections sent to external systems.

Files are stored indefinitely on the server hosting the Central Node component in the /data directory if the component is installed on a server. When the Central Node component is installed on a cluster, data is stored on storage servers indefinitely.

Artifacts of the Sandbox component.

Files are stored on the server hosting the Central Node component in the /data directory if the component is installed on the server. When the Central Node component is installed on a cluster, data is stored on storage servers. Data is rotated when disk space becomes full.

Files for which detections were created by the Sandbox component.

Files are stored on the server hosting the Central Node component in the /data directory if the component is installed on the server. When the Central Node component is installed on a cluster, data is stored on storage servers. Data is rotated when disk space becomes full.

Certificate files used for the authentication of application components.

Files are stored indefinitely in the /data directory on the server hosting the Central Node, PCN, SCN, or Sensor component, or on the computer with the Endpoint Agent component.

Encryption keys that are transmitted between application components.

Files are stored indefinitely in the /data directory on the server hosting the Central Node, PCN, SCN, or Sensor component, or on the computer with the Endpoint Agent component.

Copies of mirrored traffic from SPAN ports.

Files are stored in storage mounted on the server with the Sensor component. Data is deleted as disk space becomes full.

ICAP exclusion filters.

Files are stored indefinitely on the server hosting the Central Node component in the /data directory if the component is installed on the server. When the Central Node component is installed on a cluster, data is stored on storage servers indefinitely.

  • Dumps of traffic relevant to registered events.
  • Dumps of traffic relevant to network sessions.
  • Information about observables.
  • Information about Network Anomaly Detection rules.
  • NGFW connector settings.

The data is stored on the Central Node server in the /data/storage/volumes/nta_database directory. Data is rotated as disk space becomes filled.

Information about an email message sent for scanning to Kaspersky Anti Targeted Attack Platform from Kaspersky Secure Mail Gateway:

  • Message ID assigned by Kaspersky Secure Mail Gateway.
  • Information about actions applied to the message by Kaspersky Secure Mail Gateway.

When Central Node is installed on a server (not as a cluster), data is stored on the Central Node server in the /data directory. When Central Node is installed as a cluster, the data is stored in the Ceph storage.

If an alert is generated as a result of scanning a message, the data is rotated when the number of alerts created as a result of scanning by a specific technology reaches 1,000,000. If no alert is generated, the data is rotated after 7 days.

Passwords for scanning encrypted archives sent for scanning from Kaspersky Secure Mail Gateway.

Data is stored on the Central Node server in the /data directory if the component is installed on a server. When the Central Node component is deployed as a cluster, data is stored on storage servers.

The data is rotated after the encrypted archive is scanned.

Information about custom widget layouts:

  • ID of the user account that owns the custom layout.
  • Settings of the custom layout.

Files are stored indefinitely on the server hosting the Central Node component in the /data directory if the component is installed on a server. When the Central Node component is installed on a cluster, data is stored on storage servers indefinitely.

Information about user accounts:

  • User account ID.
  • User account name.
  • Domain name of the user.
  • User account role.
  • Account status.
  • Tenant access permissions.
  • ID of the tenant in which the user account was created.
  • Date and time of the last password change for the user account.

Information about Central Node components:

  • Central Node server ID.
  • IP address of the Central Node server.
  • Central Node server name.
  • Central Node activity indicator.

Information about tenants:

  • Tenant ID.
  • Tenant name.
  • Names of servers with the Central Node component assigned to this tenant.
  • Tenant creation date.

Information about computers connected to the Central Node with the Endpoint Agent component:

  • ID of the Endpoint Agent computer assigned by Kaspersky Security Center.
  • Name of the Endpoint Agent computer.
  • Date and time when the first and last telemetry packets were sent to the Central Node component.
  • Status of the Endpoint Agent self-defense mechanism.
  • Operating system of the Endpoint Agent computer.
  • IP address of the Endpoint Agent computer.
  • Version of the application that acts as the Endpoint Agent component.
  • License key status of the application that acts as the Endpoint Agent component.
  • ID of the Endpoint Agent computer.

Data of the scanned object: domain.

Information about custom intrusion detection rules:

  • User name of the user account that uploaded the file with user-defined Intrusion Detection rules.
  • Date and time when the file with user-defined Intrusion Detection rules was uploaded.
  • Status of the user-defined Intrusion Detection rule.
  • Importance specified in the user-defined Intrusion Detection rule file.

Information about scan exclusions:

  • List of objects excluded from the scan.
  • Exclusion rule ID.
  • User name of the user that added the scan exclusion rule.
  • Name of the exclusion rule.
  • Creation date and time of the exclusion rule.
  • ID of the tenant for which the exclusion rule was created.
  • Names of components to which the exclusion rules apply.

Information about reports and report templates:

  • ID of the user account that created or modified the report template.
  • Template creation date.
  • Date of last modification of the template.
  • Text of the template as HTML code.
  • Tenant ID.
  • Name of the template.
  • ID of the user account that created the template.
  • Report creation date.
  • Period specified in the report.
  • Servers for which the report was generated.
  • Report description.
  • Report templates.
  • Text of the report as HTML code.

Information about Endpoint Agent component certificates:

  • User name of the user account that uploaded the Endpoint Agent component certificate file.
  • Digest of the certificate.
  • Serial number of the certificate.
  • Public key.
  • Expiration date of the certificate.

Information about user-defined Sandbox rules:

  • State of the Sandbox component scan rule.
  • Type of the rule.
  • Masks of included objects.
  • Masks of excluded objects.
  • Size of scanned files.
  • Rule creation date and time.
  • ID of the virtual machine where the rule is assigned.

Virtual machine configuration information:

  • IP address of the server hosting the Sandbox component.
  • List of virtual machines.

Information about user accounts on devices:

  • User account ID.
  • User account name.
  • Name of the computer on which the user is authorized.

The data is stored on the Central Node server in the /data/storage/volumes/nta_database directory. Data is rotated as disk space becomes filled.

Network session information:

  • Names of the participants in the network communication.
  • IP and MAC addresses of the participants of the network communication.

Information about devices registered in the application:

  • Device names.
  • IP and MAC addresses of devices.

Data saved when integrated with the Endpoint Agent component as part of the NDR functionality:

  • IP and MAC addresses of the computer with the Endpoint Agent component.
  • Name of the computer with the Endpoint Agent component.
  • Name of the user account registered on the computer with the Endpoint Agent component.
  • The operating system that the computer is running.
  • User Agent.

Information about network traffic events: IP and MAC addresses of devices.

Information about executable files on Endpoint Agent computers connected as part of the NDR functionality:

  • File name.
  • Path to the file.
  • File version.
  • MD5 and SHA256 hash of the file.

Audit log for user activity related to the NDR functionality.