Data in detections

Kaspersky Anti Targeted Attack Platform resources provide no capability to restrict the rights of the users of servers and operating systems to which the Central Node component is installed. The administrator is advised to use any system resources at their own discretion to control how the users of servers and operating systems with the application installed may be granted access to the personal data of other users.

Information about the data that may be stored when creating detections is listed in the table below.

Data in Kaspersky Anti Targeted Attack Platform detections

Data type	Location and duration of storage
The following data is stored on the server for all detections: Detection creation date and time. Date and time of detection modification. Scan results for the object. Category of the detected object. Name of the detected file. Type of the detected file. Source of the detected object. Detected URL. MD5 and SHA256 hash of the detected file. User agent. The user account to which the alert associated with the detection was assigned. List of files. Alert importance depending on the security impact this alert may have on the computer or corporate LAN, based on Kaspersky experience. The technology that made the detection. Status of the alert associated with the detection. Name of the user to which the alert associated with the detection was assigned. ID of the user that has processed or is processing the alert associated with the detection. ID of the event in network traffic (when using the NDR functionality). Device IDs (when using the NDR functionality). Name of the computer from which the data was sent. Name of the computer that received the data. Additional information about the alert.	If the Central Node is installed on a server, detection information is stored on the Central Node server in the /data directory. If Central Node is installed as a cluster, detection information is stored in a ceph storage. Data is rotated when the number of detection records generated by an individual scanning technology reaches 1,000,000.
When the alert associated with the detection is modified, the following information is stored on the server: The user account that modified the alert. The user account to which the alert was assigned. Date and time of alert modification. Alert status. User comment.
If alerts are generated as a result of scanning by NDR technologies (Intrusion Detection or Aggregated Alerts), the following information may be stored on the server: Source of the detected object. Data transfer systems Source address and port of the network interaction Name of the technology that generated the alert Name of the Kaspersky IDS rule that generated the alert Package that was scanned to generate the alert Payload that was scanned to generate the alert HTTP request method HTTP request body Name of the monitoring point from which the traffic was received ID of the network interface on which the monitoring point is located Version of the application databases used to generate the detection Scan results
If the detection was created as a result of scanning by the Cloud Access Security Broker technology, the following information may be stored on the server: Source of the detected object. Source address and port of the network interaction Name of the cloud service for which the alert was registered. Category of the cloud service for which the alert was registered. File sharing indicator. Version of the application databases used to generate the detection Data transfer systems Scan results
If the detection was created as a result of scanning a file, the following information may be stored on the server: File name. Full name of the file. Source of the detected object. MD5- and SHA256 hash of the file. File size. Information about the signature of the file. Metadata of scanned files and their sources.
If the detection was created as a result of scanning FTP traffic, the following information may be stored on the server: URI of the FTP request.
If the detection was created as a result of scanning HTTP traffic, the following information may be stored on the server: URI of the HTTP request. URI of the request source. User agent. Information about the proxy server.
If the detection was created as a result of scanning by the Intrusion Detection technology, the following information may be stored on the server: Name of the computer from which the data was sent. Name of the computer that received the data. The IP address of the computer from which the data was sent. The IP address of the computer that received the data. Transmitted data. Data transfer time. URL extracted from the file containing the traffic, User Agent, and method. File containing the traffic where the detection occurred. List of detected objects.
If the detection was created as a result of scanning by the URL Reputation technology, the following information may be stored on the server: Name of the computer from which the data was sent. Name of the computer that received the data. The IP address of the computer from which the data was sent. The IP address of the computer that received the data. The URI of the transferred resource. URI from the email message. Information about the proxy server. ID of the email message. Email addresses of the sender and recipients of the message (including the recipients of copies and blind carbon copies of the message). Subject of the email message. Date and time when the message was received by Kaspersky Anti Targeted Attack Platform, with precision up to the second. List of detected objects. Time of network connection. URL of network connection. User agent. Server name.
If the detection was created as a result of scanning in accordance with user-defined IOC or TAA (IOA) rules, the following information may be stored on the server: Name of TAA (IOA) rule. Name of the IOC file. List of hosts with the Endpoint Agent component. Information about detected objects.
If the detection was created as a result of scanning HTTP traffic, the following information may be stored on the server: Version of the application databases used to generate the detection. Names of detected objects. MD5 hashes of detected objects. Information about detected objects. Scan result.
If the detection was created as a result of scanning by the Anti-Malware technology, the following information may be stored on the server: ID of the computer on which the detection was generated. Name of the computer from which the data was sent. The IP address of the computer from which the data was sent. Versions of databases of Kaspersky Anti Targeted Attack Platform components that were used to generate the alert. List of detected objects. Additional information about the detection.
If the detection was created as a result of a DNS activity detection, the following information may be stored on the server: DNS query data. Contents of the DNS server response to the query. List of queried hosts.
If the detection was created using YARA rules, the following information can be stored on the server: Database version of YARA rules that were used to generate the detection. Scan result. Name of the detected object. MD5 hash of the detected object. Additional information about the detection.
If the detection was created as a result of scanning a file, the following information may be stored on the server: Email addresses of the sender and recipients of the message, including the recipients of copies and blind carbon copies of the message. Subject of the email message. Date and time when the message was received by Kaspersky Anti Targeted Attack Platform, with precision up to the second. All service headers of the message (as they appear in the message).	If the Central Node is installed on a server, detection information is stored on the Central Node server in the /data directory. If Central Node is installed as a cluster, detection information is stored in a ceph storage. The data is stored indefinitely.
If the detection was created as a result of a rescan, the following information may be stored on the server: Name of the detected file. MD5 and SHA256 hash of the detected file.

Data type

Location and duration of storage

The following data is stored on the server for all detections:

Detection creation date and time.
Date and time of detection modification.
Scan results for the object.
Category of the detected object.
Name of the detected file.
Type of the detected file.
Source of the detected object.
Detected URL.
MD5 and SHA256 hash of the detected file.
User agent.
The user account to which the alert associated with the detection was assigned.
List of files.
Alert importance depending on the security impact this alert may have on the computer or corporate LAN, based on Kaspersky experience.
The technology that made the detection.
Status of the alert associated with the detection.
Name of the user to which the alert associated with the detection was assigned.
ID of the user that has processed or is processing the alert associated with the detection.
ID of the event in network traffic (when using the NDR functionality).
Device IDs (when using the NDR functionality).
Name of the computer from which the data was sent.
Name of the computer that received the data.
Additional information about the alert.

If the Central Node is installed on a server, detection information is stored on the Central Node server in the /data directory. If Central Node is installed as a cluster, detection information is stored in a ceph storage.

Data is rotated when the number of detection records generated by an individual scanning technology reaches 1,000,000.

When the alert associated with the detection is modified, the following information is stored on the server:

The user account that modified the alert.
The user account to which the alert was assigned.
Date and time of alert modification.
Alert status.
User comment.

If alerts are generated as a result of scanning by NDR technologies (Intrusion Detection or Aggregated Alerts), the following information may be stored on the server:

Source of the detected object.
Data transfer systems
Source address and port of the network interaction
Name of the technology that generated the alert
Name of the Kaspersky IDS rule that generated the alert
Package that was scanned to generate the alert
Payload that was scanned to generate the alert
HTTP request method
HTTP request body
Name of the monitoring point from which the traffic was received
ID of the network interface on which the monitoring point is located
Version of the application databases used to generate the detection
Scan results

If the detection was created as a result of scanning by the Cloud Access Security Broker technology, the following information may be stored on the server:

Source of the detected object.
Source address and port of the network interaction
Name of the cloud service for which the alert was registered.
Category of the cloud service for which the alert was registered.
File sharing indicator.
Version of the application databases used to generate the detection
Data transfer systems
Scan results

If the detection was created as a result of scanning a file, the following information may be stored on the server:

File name.
Full name of the file.
Source of the detected object.
MD5- and SHA256 hash of the file.
File size.
Information about the signature of the file.
Metadata of scanned files and their sources.

If the detection was created as a result of scanning FTP traffic, the following information may be stored on the server:

URI of the FTP request.

If the detection was created as a result of scanning HTTP traffic, the following information may be stored on the server:

URI of the HTTP request.
URI of the request source.
User agent.
Information about the proxy server.

If the detection was created as a result of scanning by the Intrusion Detection technology, the following information may be stored on the server:

Name of the computer from which the data was sent.
Name of the computer that received the data.
The IP address of the computer from which the data was sent.
The IP address of the computer that received the data.
Transmitted data.
Data transfer time.
URL extracted from the file containing the traffic, User Agent, and method.
File containing the traffic where the detection occurred.
List of detected objects.

If the detection was created as a result of scanning by the URL Reputation technology, the following information may be stored on the server:

Name of the computer from which the data was sent.
Name of the computer that received the data.
The IP address of the computer from which the data was sent.
The IP address of the computer that received the data.
The URI of the transferred resource.
URI from the email message.
Information about the proxy server.
ID of the email message.
Email addresses of the sender and recipients of the message (including the recipients of copies and blind carbon copies of the message).
Subject of the email message.
Date and time when the message was received by Kaspersky Anti Targeted Attack Platform, with precision up to the second.
List of detected objects.
Time of network connection.
URL of network connection.
User agent.
Server name.

If the detection was created as a result of scanning in accordance with user-defined IOC or TAA (IOA) rules, the following information may be stored on the server:

Name of TAA (IOA) rule.
Name of the IOC file.
List of hosts with the Endpoint Agent component.
Information about detected objects.

If the detection was created as a result of scanning HTTP traffic, the following information may be stored on the server:

Version of the application databases used to generate the detection.
Names of detected objects.
MD5 hashes of detected objects.
Information about detected objects.
Scan result.

If the detection was created as a result of scanning by the Anti-Malware technology, the following information may be stored on the server:

ID of the computer on which the detection was generated.
Name of the computer from which the data was sent.
The IP address of the computer from which the data was sent.
Versions of databases of Kaspersky Anti Targeted Attack Platform components that were used to generate the alert.
List of detected objects.
Additional information about the detection.

If the detection was created as a result of a DNS activity detection, the following information may be stored on the server:

DNS query data.
Contents of the DNS server response to the query.
List of queried hosts.

If the detection was created using YARA rules, the following information can be stored on the server:

Database version of YARA rules that were used to generate the detection.
Scan result.
Name of the detected object.
MD5 hash of the detected object.
Additional information about the detection.

If the detection was created as a result of scanning a file, the following information may be stored on the server:

Email addresses of the sender and recipients of the message, including the recipients of copies and blind carbon copies of the message.
Subject of the email message.
Date and time when the message was received by Kaspersky Anti Targeted Attack Platform, with precision up to the second.
All service headers of the message (as they appear in the message).

The data is stored indefinitely.

If the detection was created as a result of a rescan, the following information may be stored on the server:

Name of the detected file.
MD5 and SHA256 hash of the detected file.