Data in alerts

Alerts may contain user data. If Central Node is installed on a server, information about alerts and files that caused an alert when scanned is stored on the Central Node server in the /data directory. If Central Node is installed as a cluster, information about alerts and files that caused an alert when scanned is stored in ceph storage.

Kaspersky Anti Targeted Attack Platform resources provide no capability to restrict the rights of the users of servers and operating systems to which the Central Node component is installed. The administrator is advised to use any system resources at their own discretion to control how the users of servers and operating systems with the application installed may be granted access to the personal data of other users.

The following information is stored in all alerts:

• Date and time of detection.
• Date and time of alert modification.
• Category of the detected object.
• Name of the detected file.
• Alert source.
• Detected URL.
• MD5 and SHA256 hash of the detected file.
• User comments added to the alert information.
• ID of the TAA (IOA) rule by which the alert was generated.
• IP address and name of the computer on which the alert was generated.
• ID of the computer on which the alert was generated.
• User agent.
• The user account to which the alert was assigned.
• List of files.

When an alert is changed, the following information is stored on the server:

• The user account that modified the alert.
• The user account to which the alert was assigned.
• Date and time of alert modification.
• Alert status.
• User comment.

If an email message was detected, the following information may be stored on the server:

• Email addresses of the sender and recipients of the message, including the recipients of copies and blind carbon copies of the message.
• Subject of the email message.
• Date and time when the message was received by Kaspersky Anti Targeted Attack Platform, with precision up to the second.
• All service headers of the message (as they appear in the message).

If the alert was generated by URL Reputation technology, the following information may be stored on the server:

• Name of the computer from which the data was sent.
• Name of the computer that received the data.
• The IP address of the computer from which the data was sent.
• The IP address of the computer that received the data.
• The URI of the transferred resource.
• Information about the proxy server.
• Unique ID of the email message.
• Email addresses of the sender and recipients of the message (including the recipients of copies and blind carbon copies of the message).
• Subject of the email message.
• Date and time when the message was received by Kaspersky Anti Targeted Attack Platform, with precision up to the second.
• List of detected objects.
• Time of network connection.
• URL of network connection.
• User agent.

If the alert was generated by Intrusion Detection System technology, the following information may be stored on the server:

• Name of the computer from which the data was sent.
• Name of the computer that received the data.
• The IP address of the computer from which the data was sent.
• The IP address of the computer that received the data.
• Transmitted data.
• Data transfer time.
• URL extracted from the file containing the traffic, User Agent, and method.
• File containing the traffic where the alert occurred.
• Object category based on the IDS database.
• Name of the custom IDS rule that was used to generate the alert.
• HTTP request body.
• List of alerts.

If the alert was generated using YARA rules, the following information can be stored on the server:

• Version of YARA rules that was used to generate the alert.
• Category of the detected object.
• Name of the detected object.
• MD5 hash of the detected object.
• Date and time when the object was detected.
• Additional information about the alert.

If the alert was generated using the Sandbox component, the following information may be stored on the server:

• Version of the application databases used to generate the alert.
• Category of the detected object.
• Names of detected objects.
• MD5 hashes of detected objects.
• Information about detected objects.

If the alert was generated by IOC or TAA (IOA) user rules, the following information can be stored on the server:

• Date and time of scan completion.
• IDs of the computers on which the alert was generated.
• Name of TAA (IOA) rule.
• Name of the IOC file.
• Information about detected objects.
• List of hosts with the Endpoint Agent component.

If the alert was generated by Anti-Malware Engine technology, the following information may be stored on the server:

• Versions of databases of Kaspersky Anti Targeted Attack Platform components that were used to generate the alert.
• Category of the detected object.
• List of detected objects.
• MD5 hash of detected objects.
• Additional information about the alert.

If the alert was generated as a result of a rescan, the following information may be stored on the server:

• File name.

If the alert was generated as a result of scanning a file, the following information may be stored on the server:

• Full name of the detected file.
• MD5 and SHA256 hash of the detected file.
• Size of the detected file.
• Information about the signature of the file.

If the alert was generated as a result of scanning FTP traffic, the following information may be stored on the server:

• URI of the FTP request.

If the alert was generated as a result of scanning HTTP traffic, the following information may be stored on the server:

• URI of the HTTP request.
• URI of the request source.
• User agent.
• Information about the proxy server.

See also Data of the Central Node and Sensor components Traffic data of the Sensor component Data in events Data in reports Data on objects in Storage and Quarantine

Page top