Data provided to SIEM servers
All data that is stored locally on the device, except for trace and dump files, is deleted from the device when the application is uninstalled.
When integrated with a SIEM system, Kaspersky Endpoint Agent may store the following data locally and send it to SIEM servers:
- General data:
- MD5 hash of the object.
- SHA256 hash of the object.
- Application version.
- File version.
- File modification time.
- File modification time.
- IntegrityLevel value.
- Logon session ID.
- Zone ID.
- Terminal session ID.
- User name.
- Application name.
- File name.
- Process command line.
- File system attribute mask.
- Method from the HTTP request.
- Final status of threat processing.
- File description.
- Full path to the image file.
- Previous IntegrityLevel value.
- Previous Logon session ID.
- Previous privileges and privilege attributes.
- Privileges and privilege attributes.
- Application vendor.
- Path from the HTTP request.
- File size.
- System identifier of the process.
- Process status.
- Account type.
- Operation type.
- Session type.
- File type.
- Unique identifier of the image file.
- Unique identifier of the process.
- Unique identifier of the parent process.
- Host from the HTTP request.
- Data about object signing certificates:
- Certificate serial number.
- The Chaintype.
- Publisher name.
- Subject name.
- Certificate thumbprint algorithm.
- Certificate thumbprint.
- Validity period: no earlier than.
- Validity period: no later than.
- Time when the file signature was created.
- Data about registry objects:
- Registry key.
- Content of the registry key value.
- Name of the registry key value.
- Type of the registry value.
- Name of the registry key before the operation.
- Data in the registry key before the operation.
- Type of value in the registry before the operation.
- Data on objects and their scan results:
- Email address of the sender who sent the object.
- Email address of the recipient.
- URI of the object (HTTP, HTTPS).
- IANA protocol number.
- Object name.
- Command line.
- Local network address.
- Original identifier of the process.
- Network address of the host that caused the suspicious activity.
- Content of the script scanned via AMSI.
- Link to the process that downloaded the object.
- Object type.
- Content type of the script scanned via AMSI.
- Unique identifier of the process.
Page top