Data received as a result of IOC Scan task execution

Kaspersky Endpoint Agent automatically submits data on the IOC Scan task execution results to Kaspersky Security Center to create a threat development chain.

The data is stored in Kaspersky Security Center database. By default, this data is stored for 7 days.

The data in the IOC Scan task execution results may contain the following information:

• IP address from the ARP table.
• Physical address from the ARP table.
• DNS record type and name.
• IP address of the protected device.
• Physical address (MAC-address) of the protected device.
• Identifier in the event log entry.
• Data source name in the log.
• Log name.
• User.
• Event time.
• MD5 hash of the file.
• SHA256 hash of the file.
• Full name of the file (including path).
• File size.
• Remote IP address to which connection was established during scan.
• Remote port to which connection was established during scan.
• Local adapter IP address.
• Port open on the local adapter.
• Protocol as a number (in accordance with the IANA standard).
• Process name.
• Process arguments.
• Path to the process file.
• Windows identifier (PID) of the process.
• Windows identifier (PID) of the parent process.
• User account that started the process.
• Date and time when the process was started.
• Service name.
• Service description.
• Path and name of the DLL service (for svchost).
• Path and name of the service executable file.
• Windows identifier (PID) of the service.
• Service type (for example, a kernel driver or adapter).
• Service status.
• Service launch mode.
• User account name.
• Volume name.
• Volume letter.
• Volume type.
• Windows registry value.
• Registry hive value.
• Registry key path (without hive and value name).
• Registry setting.
• System (environment).
• Operating system name and version.
• Network name of the protected device.
• Domain or group the protected device belongs to.

Page top