Data provided when using Kaspersky Endpoint Detection and Response Optimum
Data transmitted together with IOC Scan task results
Kaspersky Endpoint Security automatically sends data about IOC Scan task results to Kaspersky Security Center.
IOC Scan task result data may contain the following information:
- Network information:
- IP address from the Address Resolution Protocol (ARP) table
- MAC address from the Address Resolution Protocol table
- Type and name of DNS record
- IP address of the protected device
- MAC address of the protected device
- IP address and port of the remote connection
- IP address of the local network adapter
- Number of the open port on the local adapter
- Protocol number according to the Internet Assigned Numbers Authority (IANA) standard
- Information about processes:
- Process name
- Process arguments
- Path to the executable file of the process
- Process ID (PID)
- Parent process ID
- Name of the user that started the process
- Date and time when the process was started
- Information about services:
- Service name
- Service description
- Path and name of the service executable file
- Service ID
- Service type (kernel driver, adapter, etc.)
- Service status
- Service starting mode
- Name of the user that started the service
- Information about the file system:
- Volume name
- Volume letter
- Volume type
- Information about the operating system:
- Name and version of the operating system
- Network name of the protected device
- Domain or group to which the device belongs
- Information about web activity:
- Browser name
- Browser version
- Time of the last access to the web resource
- Web address of the HTTP request
- Name of the user that made the HTTP request
- Name of the process that made the HTTP request
- Path to the executable file of the process that made the HTTP request
- ID of the process that made the HTTP request
- HTTP referer (web address of the HTTP request source)
- Web address of the requested resource
- User agent of the processed web request (HTTP User-Agent)
- HTTP request execution time
- Unique ID of the process that made the HTTP request
Data for creating a threat development chain
Data for creating a threat development chain may contain the following information:
- General information about the alert:
- Alert date and time
- Object name
- Scan mode
- Status of the last action related to the alert
- Reason why the alert processing failed
- Information about the processed object:
- Process identifier
- Parent process ID
- Process file ID
- Command line of the process
- Name of the user that started the process
- ID of the session in which the process was started
- Type of the session in which the process was started
- Integrity level of the processed object
- Whether the user belongs to privileged groups
- ID of the processed object
- Full name of the processed object
- ID of the protected device
- Full name of the object (local file or web address)
- MD5 and SHA256 checksums of the processed object
- Type of the processed object
- Date when the object was created and last modified
- Size of the processed object
- Attributes of the processed object
- Information about the organization that signed the object
- Verification result of the digital certificate of the object
- security identifier (SID) of the object
- Time zone ID of the object
- Web address from which the object was downloaded (for files only)
- Name of the application that downloaded the file
- MD5 and SHA256 checksums of the application that downloaded the file
- Name of the application that last modified the file
- MD5 and SHA256 checksums of the application that last modified the file
- Number of times the processed object was started
- Date and time of the first start of the processed object
- Unique ID of the file
- Full name of the file (local file or web address)
- Web address of the processed web request
- source of the processed web request's links (HTTP referer)
- User agent of the processed web request
- Type of the processed web request (GET or POST)
- Local IP port of the processed web request
- Remote IP port of the processed web request
- Connection direction (inbound or outbound) of the processed web request
- ID of the process into which the malicious code was injected
Page top