Data in requests to the KATA Central Node component
When integrated with the Central Node component, the following data is stored locally on the device with Kaspersky Endpoint Agent installed.
All data that is stored locally on the device, except for trace and dump files, is deleted from the device when the application is uninstalled.
Data from Kaspersky Endpoint Agent requests to the Central Node component:
In the synchronization requests:
Unique Kaspersky Endpoint Agent identifier.
Basic part of the server web address.
Device name.
Local time on the device.
Self-defense status of Kaspersky Endpoint Agent.
Name and version of the operating system that is installed on the device.
Kaspersky Endpoint Agent version.
Versions of the application settings and task settings.
Task statuses in Kaspersky Endpoint Agent: identifiers of running tasks, execution statuses, execution error codes.
Statuses of Kaspersky Endpoint Agent settings: type of settings being used, version of settings, status of applying the settings, error codes of applying the settings.
In requests for obtaining files from the server:
Unique identifiers of files.
Unique Kaspersky Endpoint Agent identifier.
Unique identifiers of certificates.
Basic part of the web address of the server with the Central Node component installed.
In the reports on task execution results:
Information about the objects detected during IOC scan.
Flags of the additional actions performed by Kaspersky Endpoint Agent upon completion of tasks (for example, "deleteFileAfterReboot": false).
Task execution errors and return codes.
Statuses with which the tasks were completed.
Task completion time.
Version of the settings used for execution of the tasks.
Information about the objects submitted to the server, quarantined objects, and objects restored from the quarantine: paths to objects, MD5 and SHA256 hashes, identifiers of quarantined objects.
Information about the processes started or stopped on the device with Kaspersky Endpoint Agent installed upon the server request: PID and UniquePID, error code.
Files requested by the server.
Telemetry packets.
Data on running processes:
Executable file name, including full path and extension.
Process autorun parameters.
Process ID.
Login session ID.
Login session name.
Date and time when the process was started.
Data on files:
File path.
File name.
File size.
File attributes.
Date and time when the file was created.
Date and time when the file was last modified.
Data in errors that occur when information about objects was retrieved:
Full name of the object that was processed when an error occurred.
Error code.
Telemetry data:
Data type in the registry prior to the committed update operation.
Data in the registry key prior to the committed change operation.
The text of the processed script or a part of it.
Type of the processed object.
Way of passing a command to the command interpreter.
Data from the requests of the Central Node component to Kaspersky Endpoint Agent:
Task settings:
Task types.
Task schedule settings.
Names and passwords of the accounts under which the tasks can be run.
Versions of settings.
Identifiers of quarantined objects.
Paths to the objects.
MD5 and SHA256 hashes of the objects.
Command line to start the process together with the arguments.
Flags of the additional actions performed by Kaspersky Endpoint Agent upon completion of the task.
IOC file identifiers to be retrieved from the server.
IOC files.
Folders for which the results of the Get forensic task must be received.
Masks of the object names and extensions for the Get forensic task.
Network isolation settings:
Types of settings.
Versions of settings.
Lists of network isolation exclusions and exclusion settings: traffic direction, IP addresses, ports, protocols, and full paths to executable files.
Flags of additional actions performed by Kaspersky Endpoint Agent.
Time of automatic isolation disabling.
Settings for prevention executing of files and opening of documents:
Types of settings.
Versions of settings.
Lists of execution prevention rules and rule settings: paths to objects, types of objects, MD5 and SHA256 hashes of objects.
Flags of additional actions performed by Kaspersky Endpoint Agent.
Event filtering settings:
Module names.
Paths to objects.
MD5 and SHA256 hashes of the objects.
Identifiers of the entries in Windows event log.
Digital certificate settings.
Traffic direction, IP addresses, ports, protocols, full paths to executable files.
User names.
User logon types.
Types of telemetry events for which filters are applied.