Kaspersky Endpoint Security 12 for Linux

Data provided when using Kaspersky Anti Targeted Attack Platform

July 22, 2024

ID 277040

When integrating Kaspersky Endpoint Security with Kaspersky Endpoint Detection and Response (KATA), a component of the Kaspersky Anti Targeted Attack Platform solution, Kaspersky Endpoint Security stores the following internal information, which may contain personal and confidential data:

  • KATA server addresses
  • Public key of the certificate of the server for integrating with Kaspersky Endpoint Detection and Response (KATA)
  • Cryptocontainer with the client certificate for integrating with Kaspersky Endpoint Detection and Response (KATA)
  • Credentials for authenticating on the proxy server
  • Settings for the frequency of synchronization with the KATA server and settings for sending data to the KATA server
  • Status of the connection with the KATA server and information about client certificate and server certificate errors
  • Settings of tasks received from KATA servers:
    • Task start schedule settings
    • Names and passwords of accounts that must be used to start tasks
    • Versions of settings
    • Type of service start
    • Names of services
    • Command line (including arguments) used to start the process
    • MD5 and SHA256 hashes of objects
    • Paths to objects
    • IOC files
  • Isolation settings in accordance with which a device is blocked from connecting to other devices except those specified in the exclusions

When integrating Kaspersky Endpoint Security with Kaspersky Endpoint Detection and Response (KATA), Kaspersky Endpoint Security stores the following information and may send it to the KATA server:

  • Information for synchronization requests to the EDR (KATA) component:
    • Unique identifier
    • Base part of the server address
    • Device name
    • IP address of the device
    • MAC address of the device
    • Local time on the device
    • Name and version of the operating system installed on the device
    • Version of Kaspersky Endpoint Security
    • Release date of the application databases being used
    • License status
  • Information from requests to the EDR (KATA) component in task execution reports:
    • IP address of the device
    • Unique identifier
    • Base part of the server address
    • MAC address of the device
    • Task execution errors and return codes
    • Task completion statuses
    • Task completion time
    • Versions of task settings used
    • Information about processes started or stopped on the device at the server's request: PID and UniquePID, error code, MD5 and SHA256 checksums of objects
    • Files requested by the server
    • Information about errors while getting information about objects: full name of the object that was processed with an error; error code
    • Network isolation status
    • For IOCs, scan results are returned (whether each indicator was detected, objects found, and information about which branch of the indicator was detected).
    • For objects in which IOCs were detected, different values are returned depending on the type of indicator:
      • ArpEntry: IP address from the ARP table (including IPv6), physical address from the ARP table.
      • File: MD5 hash of the file, SHA256 hash of the file, full file name (including path), file size.
      • Port: remote IP address and port used to establish a connection during the scan; IP address and port of the local adapter; protocol type (TCP, UDP, IP, RAWIP).
      • Process: process name; process arguments; path to the process file; system PID of the process; system PID of the parent process; name of the user that started the process; date and time the process started.
      • SystemInfo: OS name; OS version; network name of the device without a domain; domain or workgroup.
      • User: user name.
  • Data in telemetry packets:
    • Information about files:
      • Unique ID of the file
      • File path
      • File name
      • File size
      • File attributes
      • Creation date and time of the file
      • Last modification date and time of the file
      • MD5 and SHA256 hashes of the object
      • Information (name and ID) about the user and group that own the file
    • Information about running processes:
      • Unique ID of the process file
      • Command line options that the process was started with
      • Process IDs
      • Session ID
      • Date and time when the process was started
      • Information (name and ID) about the user and group that started the process
    • Information about detected and processed threats:
      • Name of the detected threat and the technology that detected the threat, according to the Kaspersky classification
      • Application database version
      • Web address from which the infected object was downloaded
      • Threat processing status
      • The reason why the threat cannot be eliminated
      • Unique ID of the threat file
    • File modification data:
      • Unique ID of the modified file
      • Unique ID of the process that made the changes
      • Information about the modification
    • Data about changes in the system:
      • Unique ID of the process that made the changes
      • Information about the change that occurred
    • User logon information:
      • Session ID
      • User information (name and ID)
      • IP address of the device from which the session was established
    • Data about processes being terminated: unique ID of the process.

The information listed here can also be saved in trace files and dump files.
