Data provided when using Kaspersky Anti Targeted Attack Platform

When integrating Kaspersky Endpoint Security with Kaspersky Endpoint Detection and Response (KATA), a component of the Kaspersky Anti Targeted Attack Platform solution, Kaspersky Endpoint Security stores and send to Kaspersky Security Center the following information, which may contain personal and confidential data:

• Service data:
  • KATA server addresses
  • Public key of the certificate of the server for integrating with Kaspersky Endpoint Detection and Response (KATA)
  • Cryptocontainer with the client certificate for integrating with Kaspersky Endpoint Detection and Response (KATA)
  • credentials for authenticating on the proxy server
  • settings for the frequency of synchronization with the KATA server and settings for sending data to the KATA server
  • status of the connection with the KATA server and information about client certificate and server certificate errors

When integrating Kaspersky Endpoint Security with Kaspersky Endpoint Detection and Response (KATA), Kaspersky Endpoint Security stores the following information and may send it to the KATA server:

• Information for synchronization requests to the EDR (KATA) component:
  • Unique identifier
  • Base part of the server address
  • Device name
  • IP address of the device
  • MAC address of the device
  • Local time on the device
  • Name and version of the operating system installed on the device
  • Version of Kaspersky Endpoint Security
  • Version of the application settings and task settings
  • Task status (task identifiers, statuses, error codes)
• Information from requests to the EDR (KATA) component in task execution reports:
  • IP address of the device
  • Task execution errors and return codes
  • Task completion statuses
  • Task completion time
  • Versions of task settings used
  • Information about processes started or stopped on the device at the server's request: PID and UniquePID, error code, MD5 and SHA256 checksums of objects
  • Files requested by the server
  • Telemetry packets
  • Information about running processes:
    • executable file name, including the full path and extension
    • process launch settings
    • process identifier
    • system logon session code
    • system logon session name
    • process launch date and time
    • MD5 and SHA256 checksums of the object
  • Information about files:
    • File path
    • File name
    • File size
    • File attributes
    • Date and time of file creation
    • Date and time of last file modification
    • MD5 and SHA256 checksums of the object
  • Information about errors that occur while getting information about objects:
    • Full name of the object being processed when the error occurred
    • Error code
• Information from requests from the KATA server to the built-in agent of Kaspersky Endpoint Security (task settings):
  • Task types
  • Task start schedule settings
  • Names and passwords of accounts used to start tasks
  • Versions of settings
  • Paths to objects
  • MD5 and SHA256 checksums of objects
  • Command line (including arguments) used to start the process
  • Description of services
  • Type of service start
• Parameters of the responses sent by the KATA server to the built-in agent of Kaspersky Endpoint Security:
  • Get File task:
    • Full path to the file or directory
    • Hashing algorithm Possible values: MD5 and/or SHA256
    • Checksums (MD5 and SHA256) of the file
  • Delete File task:
    • confirmation of deletion, or an error that occurred.
  • Run Process task:
    • Full path to the executable file used to start the process
    • Command line of the process
    • Full path to the working directory of the process
  • Terminate Process task:
    • Unique PID of the process.
    • System PID of the process.
    • Process termination error code (0 if the process terminated successfully).
  • IOC Scan task:
    • Scan results (whether each indicator was detected, objects found, and information about which branch of the indicator was detected).

    For the objects in which indicators were detected, different values are returned depending on their type:

    • ArpEntry: IP address from the ARP table (including ipv6), physical address from the ARP table.
    • File: MD5 hash of the file, SHA256 hash of the file, full file name (including path), file size.
    • Port: remote IP address and port used to established a connection during scan; IP address and port of the local adapter; protocol type (TCP, UDP, IP, RAWIP).
    • Process: process name; process arguments; path to the process file; system PID of the process; system PID of the parent process; name of the user that the process is running as; date and time the process started.
    • SystemInfo: OS name; OS version; network name of a computer without a domain; domain or workgroup.
    • User: user name
• Network isolation: whether network isolation is enforced.

Page top