Kaspersky Anti Targeted Attack Platform

Data of the Central Node and Sensor components

This section contains the following information about user data that is stored on the server with the Central Node component and on the server with the Sensor component:

  • Contents of stored data
  • Storage location
  • Storage duration
  • User access to data

In this section

Traffic data of the Sensor component

Data in alerts

Data in events

Data in reports

Data on objects in Storage and Quarantine

Page top
[Topic 176644]

Traffic data of the Sensor component

Traffic data of the Sensor component is stored on the server hosting the Sensor component, or on the server hosting both the Sensor and Central Node components if the two components are installed on the same server.

Traffic data is recorded and stored in sequentially created files. The program stops recording data in one file and starts logging data in the next file if:

  • The maximum file size is reached (you can configure this setting)
  • The configured time interval has elapsed (you can configure this setting)
  • The traffic saving service or the entire Kaspersky Anti Targeted Attack Platform program is restarted

As traffic data accrues, Kaspersky Anti Targeted Attack Platform filters data and keeps only the following information:

  • Information related to alerts generated by the Targeted Attack Analyzer technology
  • PCAP files in which:
    • Source or destination IP address matches an IP address from the alert
    • Traffic data belongs to the time period within 15 minutes from the alert time

Filtered traffic data is moved to a separate section. The rest of the traffic data (data that does not satisfy the filtering criteria) is deleted.

Filtered traffic data is saved in sequentially created files. The program stops recording data in one file and starts logging data in the next file if:

  • The maximum file size is reached
  • The configured time interval has elapsed

Filtered traffic data is stored for the last 24 hours. Older data is deleted.
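The filtering and retention rule above, modelled in Python as an added example. This is not Kaspersky code and does not read the product's on-disk format: the PCAP index, the alert record and all timestamps are constructed here, and the assumption that the 24-hour cut-off is measured from a file's last packet is the example's own.

```python
"""Model of the Sensor traffic-filtering rule: keep only PCAP files that touch
an alert IP address within 15 minutes of the alert, then expire filtered files
older than 24 hours.  Added illustration; all data below is constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import IPv4Address, IPv6Address, ip_address
from typing import FrozenSet, List, Tuple, Union

IPAddr = Union[IPv4Address, IPv6Address]

ALERT_WINDOW = timedelta(minutes=15)      # traffic within 15 minutes of the alert time
FILTERED_RETENTION = timedelta(hours=24)  # filtered traffic is kept for the last 24 hours


@dataclass(frozen=True)
class PcapFile:
    name: str
    start: datetime               # timestamp of the first packet in the file
    end: datetime                 # timestamp of the last packet in the file
    endpoints: FrozenSet[IPAddr]  # every source/destination address seen in the file


@dataclass(frozen=True)
class TaaAlert:
    alert_id: str
    time: datetime
    ip: IPAddr  # IP address reported in the Targeted Attack Analyzer alert


def matches_alert(pcap: PcapFile, alert: TaaAlert) -> bool:
    """A file is kept if it overlaps the +/-15 minute window around the alert
    and one of its source/destination addresses is the alert IP address."""
    window_start = alert.time - ALERT_WINDOW
    window_end = alert.time + ALERT_WINDOW
    overlaps = pcap.start <= window_end and pcap.end >= window_start
    return overlaps and alert.ip in pcap.endpoints


def filter_traffic(pcaps: List[PcapFile], alerts: List[TaaAlert]) -> Tuple[List[PcapFile], List[PcapFile]]:
    """Split files into (kept, deleted): kept files match at least one alert."""
    kept = [p for p in pcaps if any(matches_alert(p, a) for a in alerts)]
    deleted = [p for p in pcaps if p not in kept]
    return kept, deleted


def expire_filtered(kept: List[PcapFile], now: datetime) -> List[PcapFile]:
    """Drop filtered files whose last packet is older than 24 hours.
    Measuring from the last packet is this example's assumption."""
    return [p for p in kept if now - p.end <= FILTERED_RETENTION]


def _endpoints(*addrs: str) -> FrozenSet[IPAddr]:
    return frozenset(ip_address(a) for a in addrs)


def demo() -> dict:
    """Run the rule over constructed sample data; returns file names by outcome."""
    t0 = datetime(2024, 5, 1, 12, 0, 0)
    m = timedelta(minutes=1)
    alerts = [TaaAlert("taa-0001", t0, ip_address("10.0.0.5"))]
    pcaps = [
        # ends 16 minutes before the alert: outside the window although the IP matches
        PcapFile("traffic-0001.pcap", t0 - 20 * m, t0 - 16 * m, _endpoints("10.0.0.5", "203.0.113.9")),
        # inside the window and carries the alert IP
        PcapFile("traffic-0002.pcap", t0 - 10 * m, t0 - 5 * m, _endpoints("10.0.0.5", "203.0.113.9")),
        # inside the window but never touches the alert IP
        PcapFile("traffic-0003.pcap", t0 - 5 * m, t0 + 5 * m, _endpoints("10.0.0.7", "198.51.100.2")),
        # starts inside the window and runs past it; still overlaps, IP matches
        PcapFile("traffic-0004.pcap", t0 + 10 * m, t0 + 20 * m, _endpoints("10.0.0.5", "198.51.100.2")),
    ]
    kept, deleted = filter_traffic(pcaps, alerts)
    return {
        "kept": [p.name for p in kept],
        "deleted": [p.name for p in deleted],
        "retained_after_1h": [p.name for p in expire_filtered(kept, t0 + timedelta(hours=1))],
        "retained_after_30h": [p.name for p in expire_filtered(kept, t0 + timedelta(hours=30))],
    }


if __name__ == "__main__":
    for outcome, names in demo().items():
        print(f"{outcome}: {names}")
```

The overlap test keeps a file that merely straddles the 15-minute boundary, which is the conservative reading of the rule: a capture that starts inside the window is evidence even if it runs past it.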


Data in alerts

Alerts may contain user data. If the Central Node component is installed on a single server, information about alerts and the files that resulted in an alert is stored on the server hosting the Central Node component in the /data/var/lib/kaspersky/storage/pgsql/10/data/ directory. When the Central Node component is installed on a cluster, this information is stored on the storage servers.

Kaspersky Anti Targeted Attack Platform provides no means of restricting the rights of users of the servers and operating systems on which the Central Node component is installed. The administrator is advised to use operating-system mechanisms, at their own discretion, to control which users of those servers and operating systems may access the personal data of other users.

The following information is stored in all alerts:

  • Alert time.
  • Category of the detected object.
  • Name of the detected file.
  • Detected URL.
  • MD5 and SHA256 hash of the detected file.
  • User comments added to the alert information.
  • ID of the TAA rule by which the alert was generated.
  • IP address and name of the computer on which the alert was generated.
  • ID of the computer on which the alert was generated.

When an alert is changed, the following information is stored on the server:

  • The user account that modified the alert.
  • The user account to which the alert was assigned.
  • Date and time of alert modification.

If an email message was detected, the following information may be stored on the server:

  • Email addresses of the sender and recipients of the message, including the recipients of copies and blind carbon copies of the message.
  • Subject of the email message.
  • Date and time when the message was received by Kaspersky Anti Targeted Attack Platform, with precision up to the second.
  • All service headers of the message (as they appear in the message).

If the alert was generated by URL Reputation technology, the following information may be stored on the server:

  • Name of the computer from which the data was sent.
  • Name of the computer that received the data.
  • The IP address of the computer from which the data was sent.
  • The IP address of the computer that received the data.
  • The URI of the transferred resource.
  • Information about the proxy server.
  • Unique ID of the email message.
  • Email addresses of the sender and recipients of the message (including the recipients of copies and blind carbon copies of the message).
  • Subject of the email message.
  • Date and time when the message was received by Kaspersky Anti Targeted Attack Platform, with precision up to the second.
  • List of detected objects.
  • Time of network connection.
  • URL of network connection.

If the alert was generated by Intrusion Detection System technology, the following information may be stored on the server:

  • Name of the computer from which the data was sent.
  • Name of the computer that received the data.
  • The IP address of the computer from which the data was sent.
  • The IP address of the computer that received the data.
  • Transmitted data.
  • Data transfer time.
  • URL, User Agent, and HTTP method extracted from the file containing the traffic.
  • File containing the traffic where the alert occurred.

If the alert was generated using YARA rules, the following information can be stored on the server:

  • Version of YARA rules that was used to generate the alert.
  • Category of the detected object.
  • Name of the detected object.
  • MD5 hash of the detected object.

If the alert was generated using the Sandbox component, the following information may be stored on the server:

  • Version of the program databases used to generate the alert.
  • Category of the detected object.
  • Names of detected objects.
  • MD5 hashes of detected objects.
  • Information about detected objects.

If the alert was generated by IOC or TAA (IOA) user rules, the following information can be stored on the server:

  • Date and time of scan completion.
  • IDs of the computers on which the alert was generated.
  • Name of TAA (IOA) rule.
  • Name of the IOC file.
  • Information about detected objects.

If the alert was generated by Anti-Malware Engine technology, the following information may be stored on the server:

  • Versions of databases of Kaspersky Anti Targeted Attack Platform components that were used to generate the alert.
  • Category of the detected object.
  • List of detected objects.
  • MD5 hash of detected objects.
  • Additional information about the alert.


Data in events

Events may contain user data. If the Central Node component is installed on a single server, information about events that have occurred is stored on the server hosting the component in the /data/var/lib/kaspersky/storage/fastsearch/elasticsearch/data/ directory. When the Central Node component is installed on a cluster, this information is stored on the storage servers.

Data is rotated as the disk becomes full.

Kaspersky Anti Targeted Attack Platform provides no means of restricting the rights of users of the servers and operating systems on which the Central Node component is installed. The administrator is advised to use operating-system mechanisms, at their own discretion, to control which users of those servers and operating systems may access the personal data of other users.

Event data can contain information related to the following:

  • Name of the computer where the event occurred.
  • Unique ID of the computer with Kaspersky Endpoint Agent.
  • Name of the user account under which the event occurred.
  • Name of the group that the user belongs to.
  • Event type.
  • Event time.
  • Information about the file for which the event was logged: name, path, full name.
  • MD5 and SHA256 hash of the file.
  • File creation time.
  • File modification time.
  • File access rights.
  • Environment variables of the process.
  • Command-line parameters.
  • Text of the command entered into the command line.
  • Local IP address of the adapter.
  • Local port.
  • Remote host name.
  • Remote host IP address.
  • Port on the remote host.
  • URLs and IP addresses of visited websites, and links from these websites.
  • Network connection protocol.
  • HTTP request method.
  • HTTP request header.
  • Information about Windows registry variables: path to the variable, variable name, variable value.
  • Contents of a script or binary file sent for AMSI scanning.
  • Information about the event in the Windows log: event type, event type ID, event ID, user account under which the event was logged, full text of the event from the Windows Event Log in XML format.


Data in reports

Reports may contain user data. If the Central Node component is installed on a single server, report data is stored indefinitely on the server hosting the component in the /data/var/lib/kaspersky/storage/pgsql/10/data/ directory. When the Central Node component is installed on a cluster, this information is stored on the storage servers.

Kaspersky Anti Targeted Attack Platform provides no means of restricting the rights of users of the servers and operating systems on which the Central Node component is installed. The administrator is advised to use operating-system mechanisms, at their own discretion, to control which users of those servers and operating systems may access the personal data of other users.

Reports may contain the following information:

  • Report creation date.
  • Time period covered in the report.
  • ID of the user account that generated the report.
  • Report status.
  • Text of the report as HTML code.


Data on objects in Storage and Quarantine

Objects in Storage and Quarantine may contain user data. Information about objects in Storage, and about copies of objects quarantined on computers with Kaspersky Endpoint Agent by means of Get file tasks, is stored indefinitely on the Central Node server in the /data/var/lib/kaspersky/storage/pgsql/10/data/ directory.

Kaspersky Anti Targeted Attack Platform provides no means of restricting the rights of users of the servers and operating systems on which the Central Node component is installed. The administrator is advised to use operating-system mechanisms, at their own discretion, to control which users of those servers and operating systems may access the personal data of other users.
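The same caveat applies to the alert, event, report and Storage/Quarantine data above: the platform leaves operating-system access control to the administrator, so the practical check is who on the Central Node host can read the data directories. The following audit script is an added example, not part of the Kaspersky documentation or product. It walks the directories named in this section (assumed here to be the relevant paths on a Linux Central Node host; pass other roots as arguments) and reports every file or directory whose group or other permission bits grant read or write access, together with the owner's uid. The demo() function runs the same audit over a constructed temporary tree so the logic can be exercised without access to a Central Node.

```python
"""Audit the Central Node data directories for entries readable or writable by
anyone other than their owner.  Added example; the default roots are the
directories named in this section and are assumed, not verified, to be the
complete set on a given installation."""
import os
import shutil
import stat
import sys
import tempfile
from pathlib import Path
from typing import List, Tuple

# Alerts, reports and Storage/Quarantine data (PostgreSQL) and event data (Elasticsearch).
DEFAULT_ROOTS = [
    "/data/var/lib/kaspersky/storage/pgsql/10/data/",
    "/data/var/lib/kaspersky/storage/fastsearch/elasticsearch/data/",
]

# Any of these bits means a non-owner account can read or modify the entry.
EXPOSED_BITS = stat.S_IRGRP | stat.S_IWGRP | stat.S_IROTH | stat.S_IWOTH


def exposed_entries(root) -> List[Tuple[str, str, int]]:
    """Return (path relative to root, ls-style mode string, owner uid) for every
    directory or regular file under root that is group- or world-accessible.
    Symbolic links are skipped: their own mode bits are meaningless on Linux and
    os.walk does not follow them, so a link pointing outside root is never descended."""
    root = Path(root)
    findings: List[Tuple[str, str, int]] = []
    if not root.exists():
        return findings
    for dirpath, _dirnames, filenames in os.walk(root):
        here = Path(dirpath)
        for path in [here, *(here / f for f in filenames)]:
            if path.is_symlink():
                continue
            st = os.lstat(path)
            if st.st_mode & EXPOSED_BITS:
                rel = "." if path == root else str(path.relative_to(root))
                findings.append((rel, stat.filemode(st.st_mode), st.st_uid))
    return findings


def demo() -> List[str]:
    """Audit a constructed tree in a temporary directory (removed afterwards)
    and return the relative paths that would be reported."""
    base = Path(tempfile.mkdtemp(prefix="katap-audit-"))
    try:
        root = base / "data"
        root.mkdir()
        os.chmod(root, 0o700)                           # owner only: not reported
        (root / "base").mkdir()
        os.chmod(root / "base", 0o750)                  # group may list it: reported
        (root / "base" / "alerts.dat").write_bytes(b"constructed sample")
        os.chmod(root / "base" / "alerts.dat", 0o600)   # owner only: not reported
        (root / "base" / "server.log").write_bytes(b"constructed sample")
        os.chmod(root / "base" / "server.log", 0o644)   # world-readable: reported
        return sorted(rel for rel, _mode, _uid in exposed_entries(root))
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    roots = sys.argv[1:] or DEFAULT_ROOTS
    for root in roots:
        for rel, mode, uid in exposed_entries(root):
            print(f"{root}: {mode} uid={uid} {rel}")
```

Run it as the account that owns the data directories (or as root); an empty result means only each entry's owner can reach it, which is the floor an administrator should expect before layering anything else on top, such as restricting who may log in to the host at all.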

Data on objects in Storage and Quarantine may contain the following information:

  • Name of the object.
  • Path to the object on the computer with Kaspersky Endpoint Agent.
  • MD5 and SHA256 hash of the file.
  • ID of the user who quarantined the object on the computer with Kaspersky Endpoint Agent.
  • ID of the user who placed the object in Storage.
  • IP address of the computer on which the quarantined object is stored.
  • Name of the computer on which the quarantined object is stored.
  • Unique ID of the computer on which the quarantined object is stored in Storage.
  • ID of the TAA (IOA) rule by which the alert was generated.
  • Category of the detected object.
  • Results for the object scanned using individual modules and technologies of the program.
