Kaspersky Managed Detection and Response

Data provision

February 12, 2024

ID 198749

In order for some components of Kaspersky Managed Detection and Response to work, it's necessary for Kaspersky to process the user's data. Components do not send data without the permission of the Kaspersky Managed Detection and Response administrator.

The list of user's data depends on the region where the solution is used. For your region, the list of user data may differ from that listed in this section.

Kaspersky protects any information received in accordance with law and applicable Kaspersky rules. Data is transmitted over a secure channel.

List of data on events occurring on User devices

In order to identify new and challenging data security threats and their sources, as well as threats of intrusion, and to take prompt measures to increase the protection of the data stored and processed with a computer by the Customer, the Customer agrees to automatically provide the following information in order to receive the Service:

  • The date of software installation and activation; full name and version of the software, including information on installed updates; and the localization language of the software.
  • Information about the software installed on the computer, including the operating system version and the date of its download and installed updates, and about kernel objects, drivers, services, Autostart entries, programs that are automatically launched in the event of various system events (e.g., operating system startup, user login, etc.) and their configurations, browser extensions, Microsoft Internet Explorer extensions, print system extensions, Windows Explorer extensions, operating system shell extensions, loaded object checksums (MD5), Active Setup elements, and control panel applications, browser and mail client versions.
  • Information about file system permissions, the effective bit for file system permissions, file system permission versions, environment variables, and names of system calls.
  • Information about inherited permissions for a system file.
  • Information about the computer's name, IP addresses, default gateways, MAC addresses and hardware, including a checksum of the HDD's serial number, the last 12 bytes of the computer security ID (SID), and the security zone identifier contained in the NTFS data stream.
  • Information about the software tools used to fix problems in the software installed on the User's computer, or to change its functionality, and the return codes received after the installation of each piece of software.
  • Information about the state of the computer's anti-virus protection, including the versions and release dates and times of the anti-virus databases in use, statistics about updates and connections to Kaspersky Lab's services, job identifiers, and the identifiers and versions of the software components performing the scan, flags denoting the internal Kaspersky testing environment, the primary error codes for a specific event, the secondary error codes for a specific event, and the ordinal numbers of events.
  • License key and serial number of Kaspersky Lab’s products, and names and versions of these products. Identifiers of Kaspersky Lab’s product installations, and the client description from the license information file.
  • Information about Customer user accounts: user account name, name of the user, operating system identifier, logon information, privileges, group memberships, types of logon sessions to the system, name of the authentication packet, domain names, DNS names used for authentication system logon sessions, the server name used for authentication, the user principal name (UPN) for the account, and the SID.
  • Full content of operating system logs.
  • Information about call systems.
  • Information about detection from Kaspersky Lab’s programs that support Kaspersky Managed Detection and Response.
  • Information about received emails, including: sender and recipient email addresses, subject, attachment information: attachment file name, size, hash (MD5), and file format analysis results.
  • Information about the coordinates of the screen area where the screenshot was taken.
  • Information about network connections, including sender and receiver IP addresses and ports, IPv6 zone indices, information about the direction of the network connection (inbound/outbound), the types and masks of DNS queries made, error codes for a DNS query operation, response to a DNS query, and information about the requested DNS server.
  • HTTP connection data and methods, including visited web addresses, referrer URLs, user agents, and network authentication protocol data: MD5 hash of data for Kerberos authentication, account or computer name, the name of the Kerberos realm name to which the server name belongs, the domain to which the client name belongs, the UPN for the account, the cryptography package that was used for the issued Kerberos ticket, the flag mask for the Kerberos ticket in hexadecimal format, the Kerberos ticket issue time, the Kerberos ticket expiration time, the expiration date of the ticket (after which the ticket cannot be renewed), and the name of the domain controller used to issue the Kerberos ticket.
  • Information about application layer protocols: LDAP search request size, LDAP search request filter, unique name of the LDAP search request, list of attributes for the LDAP search request.
  • .NET information: full name of the downloaded .NET build, assembly flags for the downloaded .NET build, module flags for the downloaded .NET module, the domain name for the downloaded .NET build, modules for the generated MSIL stub, information about the managed method: the namespace of the managed method of interoperation, name of the managed method of interoperation, signature of the managed method of interoperation, signature of the native method, and signature of the method stub.
  • Information about files processed in the operating system: file name and path, size, attributes, file and object types, results of file format analysis, checksum (MD5), web address of the file download, sender email address from which the file was received and the subject of the email, the contents of the file system of the VERSIONINFO structure in the file metadata, information about the publisher if the file is signed, the user ID of the file owner, the group ID of the file owners, the timestamp of the last file access, the timestamp that the file metadata was last modified, file creation, the digital signature verification flag masks, the timestamps and codes of operations on files and objects, the number of executable file launches, the file format identifier, the full path to the object and path to the object container, the contents of the autorun file, and the file name and path to the file on the remote network resource that is being accessed.
  • Contents of the \etc\ directory.
  • Command output data.
  • Auditd data: operation result, operation description, event type, and operation user.
  • Information about the process: process identifier (PID), process call tracing, information about the process executable file and its command line, information about the parent process, MD5 hash of the executable file computation error code, primary error codes, process integrity information, session logon information, command line, command line arguments for the process, environment variables for the target process, unique identifier of the process activity log, name and/or address of the code injection site, information about access rights for the process, error codes for calculating the MD5 hash for an object from the process command line, a list of file wrappers that encapsulate the object, the initial working directory for the target process, and the array of identifiers (PIDs) for processes that are complete.
  • Registry information: names, sections, and values.
  • Information about remote operations: the name of the remote computer and the fully qualified (FQDN) name of the remote computer on which the remote operation was performed, the name of the user account that initiated the remote operation, the system-provided identifier of the remote process that initiated the remote operation, the start time of the remote process that initiated the remote operation, the name of the namespace for the user of the WMI events, the name of the user's WMI events filter, the name of the created user of WMI events, and the source code of the user of the WMI events.
  • Error information: error code for the MD5 calculation, file access error code, primary error codes, and secondary error codes.
  • Information about response event tasks created by Kaspersky Lab’s specialists and the User’s specialists: event name and type, date and time when the event occurred, settings and results of the response task (information about the object [path to the object, object name and size, and MD5 and SHA256 checksums], information about quarantining the object, information about deleting the object, information about process termination, information about deleting a registry key/branch, information about process startup, information about objects requested by Kaspersky Lab’s specialists for detailed analysis upon the User's consent [name, path, size and type of the object, MD5 and SHA256 checksums, object description, date and time of file request processing, and file contents], information about the installation and removal of network isolation of the device, and information about errors resulting from the response task).
  • Data about scripts running on the computer: command line arguments, contents of the script or part of the script running on the computer, and contents of the object or part of the object received by AMSI.
  • Data about commands received by the console application, including the command-line interpreters, using input redirection via a pipe or file, as well as commands executed by the user in console applications, including the command-line interpreters.

List of data about events detected as a result of network traffic analysis

In order to identify new and challenging data security events and their sources, as well as threats of intrusion, and to take prompt measures to increase the protection of the data stored and processed with a computer by the Customer, the Customer agrees to provide the following information automatically in order to receive the Service:

  • Information about the identifier, version, type, and timestamp of the record in the anti-virus database used to detect an information security event, the name of the threat based on Kaspersky Lab’s classification, timestamp of anti-virus databases being used, file type code, file format identifier, the task identifier of the software that detected the event, flag of the reputation verification, or file signature verification.
  • Information to determine the reputation of files and web resources, including IP address and the domain name of the URL address at which the reputation is being requested, the name of the file that was executed at the time the event was detected, the file path and checksums (MD5) of the file, and its path.
  • Information about emulation of the executable file, including file size and its checksums (MD5, SHA256, SHA1), the version of the emulation component, emulation depth, an array of properties of logical blocks and functions within logical blocks obtained during the emulation, and data from the executable file’s PE headers.
  • Information about all detected objects, including the name and size of the object, the full path to the object on the computer, checksums (MD5, SHA256) of the files being processed, the name of the event associated with the object, detection date and time, flag of the presence of the file's digital signature, the name of the organization that signed the file, the trust status and threat level of the file, the identifier and priority of the rule used for detection, and the type of detection technology.
  • The type of source from which the object was downloaded, the source's IP address (or checksum (MD5) of the IP address, when it is local), the source's URL address, as well as the referrer URL address, the name, the domain's name and checksum (MD5) of the name of the host, that sent the downloading request, and the service information about the web-browser, that sent the downloading request.
  • Checksums (MD5) of the local and domain parts of the sender's and the receiver’s email addresses, as well as the checksum (MD5) of the email’s subject.
  • Local and remote IP addresses of the network connection, the numbers of the local and remote ports, and the connection’s protocol identifier.
  • URL address and name of the target host, and the host’s IP addresses.
  • The identifier of the operating system, that is installed on a virtual machine, that is used by the software to analyze objects.
  • Additional information about events, including the frequency index of the file in the User’s local network, the date of the file's intrusion in the local network and on the User’s computer, the identifiers of the accounts the process was started from, checksums of their user names, as well as the names of their domains or workgroups, and information about the privileges of user accounts.
  • Information about the network activity of the process, including the domain names of the network resources that are used to establish a connection, and IP addresses of the domains, the frequency of the connection to the selected network resource, the size and type of the transferred data.
  • Information about the usage of the domain of the network resource, including the frequency index of the requests to the domain from the local network, the time stamp of the first request to the domain from the local network, the duration of the requests from different users and checksums of their names, the names of the computers that initiated the requests to the domain, and additional information about detection reasons.
  • Service information about the statistics processing component, including the date and time of the beginning and the end of the term that was used to analyze the statistics data, the volume of the free and used disk memory, the time of the last event processing, the operating time of different detection algorithms, messages about the component's errors, and messages about the successful start of different detection algorithms.
  • Data sent to technical support.

Data provision while using Kaspersky Endpoint Agent

For details about the provision of data while using Kaspersky Endpoint Agent, refer to Kaspersky Endpoint Agent for Windows.

Did you find this article helpful?
What can we do better?
Thank you for your feedback! You're helping us improve.
Thank you for your feedback! You're helping us improve.