Service data of the application

Kaspersky Anti Targeted Attack Platform resources provide no capability to restrict the rights of the users of servers and operating systems to which the Central Node component is installed. The administrator is advised to use any system resources at their own discretion to control how the users of servers and operating systems with the application installed may be granted access to the personal data of other users.

Service data of Kaspersky Anti Targeted Attack Platform include:

• Data on user accounts.
• Information about computers connected to the Central Node component on which the Endpoint Agent component is installed.
• Data about presets and prevention rules.
• Information about tasks assigned to computers with the Endpoint Agent component.
• Data about TAA (IOA) user-defined rules.
• Data about user IDS user-defined rules.
• Data about IOC user-defined rules.
• Data on network isolation rules.
• Data about scan exclusions.
• Data on report templates.
• Information about Endpoint Agent component certificates.

  The above data is stored indefinitely on the server hosting the Central Node component in the / data directory if the Central Node component is installed on the server. When the Central Node component is installed on a cluster, data is stored on storage servers indefinitely.

• System event log

  OS log files are stored indefinitely in the /var/log directory on the server hosting the Central Node component.

• Log with information about the application operation.

  The log file is stored indefinitely in the /data directory on the server hosting the Central Node component, if the component is installed on the server. When the Central Node component is installed on a cluster, data is stored on storage servers indefinitely.

• File scan queue.

  Files are stored on the server hosting the Central Node component in the /data directory if the component is installed on the server. When the Central Node component is installed on a cluster, data is stored on storage servers. The data is retained until the scan is completed.

• Files received from computers with the Endpoint Agent component.

  Files are stored on the server hosting the Central Node component in the /data directory if the component is installed on the server. When the Central Node component is installed on a cluster, data is stored on storage servers. Data is rotated when disk space becomes full.

• Files with YARA and IDS rules (user-defined and from Kaspersky).

  Files are stored indefinitely in the /data directory on the server hosting the Central Node component, if the component is installed on the server. When the Central Node component is installed on a cluster, data is stored on storage servers indefinitely.

• Files with data about alerts sent to external systems.

  Files are stored indefinitely on the server hosting the Central Node component in the /data directory if the component is installed on the server. When the Central Node component is installed on a cluster, data is stored on storage servers indefinitely.

• Artifacts of the Sandbox component.

  Files are stored on the server hosting the Central Node component in the /data directory if the component is installed on the server. When the Central Node component is installed on a cluster, data is stored on storage servers. Data is rotated when disk space becomes full.

• Files for which alerts were created by the Sandbox component.

  Files are stored on the server hosting the Central Node component in the /data directory if the component is installed on the server. When the Central Node component is installed on a cluster, data is stored on storage servers. Data is rotated when disk space becomes full.

• Certificate files used for the authentication of application components.

  Files are stored indefinitely in the /data directory on the server hosting the Central Node, PCN, SCN, Sensor component or on the computer with the Endpoint Agent component.

• Encryption keys that are transmitted between application components.

  Files are stored indefinitely in the /data directory on the server hosting the Central Node, PCN, SCN, Sensor component or on the computer with the Endpoint Agent component.

• Copies of raw network traffic.

  Files are stored in storage mounted on the server with the Sensor component. Data is deleted as disk space becomes full.

• ICAP exclusion filters

  Files are stored indefinitely on the server hosting the Central Node component in the /data directory if the component is installed on the server. When the Central Node component is installed on a cluster, data is stored on storage servers indefinitely.

The application stores the following information about user accounts:

• Account ID.
• Account name.
• The hash and salt of the account password.
• Domain name of the user.
• Account role.
• Account status.
• Access rights to tenants in distributed solution and multitenancy mode.
• ID of the tenant in distributed solution and multitenancy mode.

The application stores the following information about computers connected to the Central Node component on which the Endpoint Agent component is installed:

• ID of the computer assigned by Kaspersky Security Center.
• Computer name.
• IP address of the computer.
• The operating system used on the computer.
• The version of the application that fills the role of the component.
• Self-Defense status.
• Date and time when the first and last telemetry packet were sent to the Central Node component.
• Date and time of the last IOC scan run.
• Result of the last IOC scan run.
• Status of the license on the host.

The application stores the following information about the prevention rules:

• MD5 or SHA256 hash of the file that is prevented from running.
• The account name of the user who created the prevention rule.
• The account name of the user who changed the prevention rule.
• List of computers on which the file is prevented from running.
• Prevention rules change log.
• Prevention rule creation date and time.
• Date and time of prevention rule modification.
• Name of the prevention rule.
• Attribute indicating whether the user must be notified about file start being blocked.

The application stores the following information about tasks assigned to computers with the Endpoint Agent component:

• Task type.
• Computer name.
• IP address of the computer.
• Task creation date and time.
• Task expiration date.
• Name of the user account that created the task.
• Task settings data.
• Task report data.
• Task comments.

The application stores the following information about TAA (IOA) user-defined rules:

• Rule name.
• Source code of the request being scanned.
• Rule ID.
• Rule status.
• Rule creation date and time.
• The importance that was specified when the rule was added.
• Level of confidence that depends on the likelihood of false alarms as defined by the user when the rule was added.

The application stores the following information about IDS user-defined rules:

• Account name of the user who uploaded the rules file.
• Date and time when the rule file was uploaded.
• Status of the rule.
• Importance specified in the rule file.

The application stores the following information about IOC user-defined rules:

• Account name of the user who uploaded the rules file.
• Name of the IOC file.
• Contents of the IOC file.
• Date and time when the IOC file was uploaded.
• Status of the IOC rule.
• Importance as specified in the IOC file.
• Description of the IOC rule.

The application stores the following information about YARA user-defined rules:

• Account name of the user who uploaded the rules file.
• Contents of the YARA file.
• Date and time when the YARA file was uploaded.
• Name of the file containing YARA rules.
• Importance.
• Status of the YARA rule.

The application stores the following information about network isolation rules:

• Account name of the user that enabled network isolation.
• ID of the isolated computer.
• Rule name.
• Rule status.
• List of resources excluded from network isolation.
• Date and time when the network isolation rule was modified.
• State of the rule.
• Expiration date of the network isolation rule.

The application stores the following information about scan exclusions:

• Account name of the user that added the exception.
• List of objects excluded from the scan.
• Rule exception ID.
• Name of the exclusion.
• Date and time when the exclusion was created.

The application stores the following information about report templates:

• ID of the user account that created or modified the template.
• Template creation date.
• Date of last modification of the template.
• Text of the template as HTML code.
• Name of the template.

The application stores the following information about Endpoint Agent component certificates:

• Account name of the user who uploaded the certificate file.
• Digest of the certificate.
• Serial number of the certificate.
• Public key.
• Expiration date of the certificate.

The application stores the following information about Sandbox scan rules:

• State of the rule
• Type of the rule
• Masks of included objects
• Masks of excluded objects
• Size of scanned files
• Rule creation date and time
• ID of the virtual machine where the rule is assigned

The application stores the following information about the virtual machine configuration:

• IP address of the server hosting the Sandbox component
• List of virtual machines

Page top