Data provided when integrating with the Kaspersky Endpoint Detection and Response Expert (on-premise) component
When integrating Kaspersky Endpoint Security with Kaspersky Endpoint Detection and Response Expert (on-premise), Kaspersky Endpoint Security stores the following information, which may contain personal and confidential data:
- List of servers for integrating with Kaspersky Endpoint Detection and Response Expert (on-premise)
- Public key of the certificate of the server providing integration with Kaspersky Endpoint Detection and Response Expert (on-premise)
- Client certificate for integrating with Kaspersky Endpoint Detection and Response Expert (on-premise)
- Credentials for authenticating on the proxy server
- Settings for the frequency of synchronization with the server that is responsible for the integration with Kaspersky Endpoint Detection and Response Expert (on-premise), and data transmission settings for this server
- The status of the connection to the server that handles integration with Kaspersky Endpoint Detection and Response Expert (on-premise), and information about client and server certificate errors
- Parameters of tasks coming from servers for integrating with Kaspersky Endpoint Detection and Response Expert (on-premise):
  - Task start schedule settings
  - Names and passwords of accounts that must be used to start tasks
  - Versions of settings
  - Type of service start
  - Names of services
  - Command line (including arguments) used to start the process
  - MD5 and SHA256 hashes of objects
  - Paths to objects
  - IOC files
  - Isolation settings in accordance with which a device is blocked from connecting to other devices except those specified in the exclusions
When the Kaspersky Endpoint Security application is integrated with Kaspersky Endpoint Detection and Response Expert (on-premise), the application saves and can transmit the following data to the integration server:
- Information for synchronization requests to the EDR Expert (on-premise) component:
  - Unique identifier
  - Base part of the server address
  - Device name
  - IP address of the device
  - MAC address of the device
  - Local time on the device
  - Name and version of the operating system installed on the device
  - Version of Kaspersky Endpoint Security
  - Release date of the application databases being used
  - License key status
- Information from requests to the EDR Expert (on-premise) component in task execution reports:
  - IP address of the device
  - Unique identifier
  - Base part of the server address
  - MAC address of the device
  - Task execution errors and return codes
  - Task completion statuses
  - Task completion time
  - Versions of task settings used
  - Information about processes started or stopped on the device at the server's request: PID and UniquePID, error code, MD5 and SHA256 checksums of objects
  - Files requested by the server
  - Information about errors while getting information about objects: full name of the object that was processed with an error; error code
  - Network isolation status
- For IOCs, scan results are returned (whether each indicator was detected, objects found, and information about which branch of the indicator was detected).
- For YARA rules, search results are returned (whether the rule was triggered or not, found objects, and information about which rule was triggered).
- For objects in which IOCs or YARA rules were detected, the returned values depend on the object type:
  - ArpEntry: IP address from the ARP table (including IPv6), physical address from the ARP table
  - File: MD5 hash of the file, SHA256 hash of the file, full file name (including path), file size
  - Port: remote IP address and port used to establish a connection during the scan; IP address and port of the local adapter; protocol type (TCP, UDP, IP, RAWIP)
  - Process: process name; process arguments; path to the process file; system PID of the process; system PID of the parent process; name of the user that started the process; date and time the process started
  - SystemInfo: OS name; OS version; network name of the device without a domain; domain or workgroup
  - User: user name
- For quarantined objects:
  - File path
  - File size
  - File IDs that were assigned when quarantining
  - Original file deletion flag
- For files received in, restored from, or deleted from Quarantine:
  - File IDs that were assigned when quarantining
- For prevented executions of executable files or scripts:
  - Process ID
  - Parent process ID
  - System ID
  - Logon session ID
  - Process status
  - Date and time of execution interception
- For prohibited document openings by office applications:
  - Process ID
  - File ID
  - Date and time of execution interception
- List of files in the specified directory:
  - File name
  - Absolute path to file
  - File size
  - File type
  - Name and ID of the owner user and owner group
  - File access permissions
  - Special file system flags applied to each file
  - File metadata
  - Number of hard links to the file
  - File creation, modification, and last access times
- List of running processes on the device:
  - Process name
  - Process start time
  - Process status
  - Process ID (PID) and parent process ID
  - Current working directory of the process
  - Command line options that the process was started with
  - Environment variables
  - Path to the executable file of the process
  - Session ID of the user that started the process
  - IDs of the user and group that started the process
  - IDs of the user and group with whose rights the process has access to files and resources in the system
- List of autorun points:
  - Type of the autorun point
  - File name
  - Absolute path to file
  - File access permissions
  - Special file system flags applied to each file
  - Name and ID of the owner user and owner group
  - File creation, modification, and last access times
- Process memory image:
  - Process name
  - Full path to process file
  - Process dump file
  - Size of the process dump file
- Device memory image: dump file of the device RAM
- Device disk image
- Information about files:
  - Unique ID of the file
  - MD5 hash of the object
  - File contents
- Data in telemetry packets:
  - Data for telemetry events:
    - Event ID
    - The number of the event in the sequence of the telemetry packets being sent
    - Event type
    - Event time
  - Information about the protected device:
    - Name of the protected device
    - ID of the protected device in Kaspersky Security Center
    - ID of the protected device in Kaspersky Endpoint Detection and Response Expert (on-premise)
    - Name, version, and family of the operating system installed on the protected device
    - Startup and shutdown times of the operating system installed on the protected device
  - Information about files:
    - Unique ID of the file
    - File path
    - File name
    - File size
    - File attributes
    - Creation date and time of the file
    - Last modification date and time of the file
    - MD5 and SHA256 hashes of the object
    - Information (name and ID) about the user and group that own the file
  - Information about running processes:
    - Process file ID
    - Process ID
    - Command line options that the process was started with
    - Session ID
    - Date and time when the process was started
    - Information (name and ID) about the user and group that started the process
  - Information about the process gaining access to the memory of another process:
    - Process ID
    - Method and address of injection
    - Command line (including arguments) used to modify the process
    - System call arguments of the process
  - Information about detected and processed threats:
    - Name of the detected threat and the technology that detected the threat, according to the Kaspersky classification
    - Release date and version of the application databases
    - Web address from which the infected object was downloaded
    - Threat processing status
    - The reason why the threat cannot be eliminated
    - Unique ID of the threat file
  - File modification data:
    - Unique ID of the modified file
    - Unique ID of the process that made the changes
    - Information about the modification
  - Data about changes in the system:
    - Unique ID of the process that made the changes
    - Information about the change that occurred
  - User logon information:
    - Session ID
    - User information (name and ID)
    - IP address of the device from which the session was established
  - Data about processes being terminated: unique ID of the process
  - Information about loading a library into the address space of the process: the ID of the loaded library
  - Information about an established network connection:
    - Local IP address
    - Remote IP address
    - Direction of the connection
    - Protocol
  - Information about the process that is listening for external network connections on a certain port:
    - Local address (port and IP address)
    - Protocol
  - DNS server query information:
    - Domain name of the queried resource
    - IP address of the queried resource
    - DNS server IP address
    - Query type
  - Information about connected external devices:
    - Operation type (device connection)
    - Device type
    - Unique device ID
    - Device name
    - Device path
  - Information about the application and its modules:
    - Application version
    - Time when the application was installed, started, stopped, or uninstalled
    - Initiator of the action with the application
    - Reason for stopping the application in case of an abnormal stop
    - Return codes in case of an abnormal stop
  - Information about interaction with task schedulers (task creation and deletion):
    - Task name
    - Path to the scheduled command
    - Task launch schedule
    - Name of the user that created the task
    - Name of the user that started the task
    - Name of the user that deleted the task
  - Information about service creation, deletion, and modification:
    - Service name (including the previous name if changed)
    - Service type (including the previous type if changed)
    - Path to the executable file (including the previous path if changed)
    - Service dependencies (including the previous dependencies if changed)
    - Name of the user that started the service (including the previous user name if changed)
    - Display name of the service (including the previous display name if changed)
    - Name of the user that created, deleted, or modified the service
    - Deferred deletion flag
  - Information about console input:
    - ID and type of the process that initiated the console input
    - Content of the console input
  - Information about mounted devices:
    - System name of the volume
    - Mount point
  - Information about changes in the process memory:
    - System call arguments of the process
    - Information about the process that performed the code injection and about its parent process:
      - Process ID and unique ID of the process and parent process
      - The command line that was used to start the process and the parent process
      - Environment variables of the process
      - Type of user account under which the process and parent process were started
      - System call that was used to spawn the process
      - IDs of the user and group that started the process
      - Name and full name of the process and parent process
      - Full path to the process and parent process
      - MD5 and SHA256 hashes of the process and parent process
      - Session ID
      - Name, domain name, and ID of the user that started the process and parent process
    - Information about the process through which the process that performed the code injection was loaded:
      - Unique ID of the process through which the process was loaded
      - Name and full name of the file through which the process was loaded
      - Full path to the process through which the process was loaded
      - MD5 hash of the process through which the process was loaded
    - Information about the process that is the initiator of the process:
      - Process ID and unique ID of the process that is the initiator of the process
      - Command line of the process that is the initiator of the process
      - Name and domain name of the user that started the process that is the initiator of the process
      - Name and full name of the process that is the initiator of the process
      - Full path to the process that is the initiator of the process
      - MD5 and SHA256 hashes of the process that is the initiator of the process