Data provided when using Kaspersky Anti Targeted Attack Platform
When integrating Kaspersky Endpoint Security with Kaspersky Anti Targeted Attack Platform, Kaspersky Endpoint Security stores and sends to Kaspersky Security Center the following information, which may contain personal and confidential data:
Service data:
KATA server addresses
public key of the server certificate for integration with the EDR (KATA) component
cryptocontainer with the client certificate for integration with EDR (KATA) component
credentials for authenticating on the proxy server
settings for the frequency of synchronization with the KATA server and settings for sending data to the KATA server
status of the connection with the KATA server and information about client certificate and server certificate errors
When integrating Kaspersky Endpoint Security with Kaspersky Anti Targeted Attack Platform, Kaspersky Endpoint Security stores the following information and may send it to the KATA server:
Information for synchronization requests to the EDR (KATA) component:
Unique identifier
Base part of the server address
Device name
IP address of the device
MAC address of the device
Local time on the device
Name and version of the operating system installed on the device
Version of Kaspersky Endpoint Security
Version of the application settings and task settings
Task status (task identifiers, statuses, error codes)
Information from requests to the EDR (KATA) component in task execution reports:
IP address of the device
Task execution errors and return codes
Task completion statuses
Task completion time
Versions of task settings used
Information about processes started or stopped on the device at the server's request: PID and UniquePID, error code, MD5 and SHA-256 checksums of objects
Files requested by the server
Telemetry packets
Information about running processes:
executable file name, including the full path and extension
process launch settings
process identifier
system logon session code
system logon session name
process launch date and time
Checksums (MD5 and SHA-256)
Information about files:
File path
File name
File size
File attributes
Date and time of file creation
Date and time of last file modification
Checksums (MD5 and SHA-256)
Information about errors that occur while getting information about objects:
Full name of the object being processed when the error occurred
Error code
Information from requests from the KATA server to the built-in agent of Kaspersky Endpoint Security (task settings):
Task types
Task start schedule settings
Names and passwords of accounts used to start tasks
Versions of settings
Paths to objects
Checksums (MD5 and SHA-256) of objects
Command line (including arguments) used to start the process
Description of services
Type of service start
Parameters of the responses sent by the KATA server to the built-in agent of Kaspersky Endpoint Security:
Get File task:
Full path to the file or directory
Hashing algorithm. Possible values: MD5 and/or SHA-256
Checksums (MD5 and SHA-256) of the file
Delete File task:
Confirmation of deletion, or an error that occurred
Run Process task:
Full path to the executable file used to start the process
Command line of the process
Full path to the working directory of the process
Terminate Process task:
Unique PID of the process
System PID of the process
Process termination error code (0 if the process terminated successfully)
IOC Scan task:
Scan results (whether each indicator was detected, objects found, and information about which branch of the indicator was detected).
For the objects in which indicators were detected, different values are returned depending on their type:
ArpEntry: IP address from the ARP table (including ipv6), physical address from the ARP table.
File: MD5 hash of the file, SHA-256 hash of the file, full file name (including path), file size.
Port: remote IP address and port used to establish a connection during the scan; IP address and port of the local adapter; protocol type (TCP, UDP, IP, RAWIP).
Process: process name; process arguments; path to the process file; system PID of the process; system PID of the parent process; name of the user that the process is running as; date and time the process started.
SystemInfo: OS name; OS version; network name of a computer without a domain; domain or workgroup.