Kaspersky Anti Targeted Attack Platform Help

Kaspersky Anti Targeted Attack Platform

Print Support Send link

Scope of transmitted data

Scope of transmitted data

Information that is transmitted for each alert is listed in the following table.

Scope of transmitted alert data

Parameter	Value	Description
`alertID`	Integer value.	Alert ID.
`eventTimeStamp`	Date and time.	Event time.
`detectTimestamp`	Date and time.	Time when alert information was recorded in the Kaspersky Anti Targeted Attack Platform database.
`importance`	One of the following values: `high` `medium` `low`	Alert importance.
`objectSource`	One of the following values: `web` `mail` `endpoint` `external` `dns`	Source of the detected object.
`technology`	One of the following values: `am` – Anti-Malware Engine `sb` – Sandbox `yara` – YARA `url_reputation` – URL Reputation `ids` – Intrusion Detection System `taa` – Targeted Attack Analyzer	Technology that was used to detect the object.
`objectType`	One of the following values: `file`. `URL`. `host` (for remote domains or hosts).	Type of detected object.
`object`	Depends on the type of detected object.	Data on the detected object.
`detection`	Depends on the technology that was used to detect the object.	Data on detected threats.
`details`	Depends on the source of detected object.	Data on the environment of detected objects.

In this section

Data on detected objects

Data on detected threats

Data on the environment of detected objects

Page top

Data on detected objects

The scope of transmitted data on detected objects depending on the type of the object is listed in the following table.

Data on detected objects

	Parameter	Data type	Description	Example
`file`	`processedObject.MD5`	MD5	MD5 hash of the file or composite object that was sent for scanning.	`1839a1e9621c58dadf782e131df3821f`
	`processedObject.SHA256`	SHA256	SHA256 hash of the file or composite object that was sent for scanning.	`7bbfc1d690079b0c591e146c4294305da1cee857e12db40f4318598fdb503a47`
	`processedObject.fileName`	String	Name of the file or composite object that was sent for scanning.	`EICAR-CURE.com`
	`processedObject.fileType`	String	Type of the file or composite object that was sent for scanning.	`GeneralTxt`
	`processedObject.fileSize`	Integer	Size of the file or composite object that was sent for scanning, in bytes.	`184`
	`detectedObject.MD5`	MD5	MD5 hash of the file (simple object or file within a composite object) in which the threat was detected.	`1839a1e9621c58dadf782e131df3821f`
	`detectedObject.fileName`	String	Name of the file (simple object or file within a composite object) in which the threat was detected.	`EICAR-CURE.com`
	`detectedObject.fileSize`	Integer	Size of the file (simple object or file within a composite object) in which the threat was detected, in bytes.	`184`
`URL`	`detectedObject`	String	URL of the detected object.	`http://example.com/link`
`host`	`detectedObject`	Array	List of domains to which detected objects belong. For the `TAA` technology, only one domain is listed. For the `URL` technology, as well as for objects with the `objectSource=dns` parameter, the list can contain several domains.	`example.org, example.net`

Data on detected threats

The scope of transmitted data on detected threats depending on the technology that was used to generate the alert is listed in the table below.

Data on detected threats

Technology	Parameter	Description	Data type	Example
One of the following technologies: Anti-Malware Engine. YARA. Intrusion Detection System.	`detect`	List of detected threats.	Array	`HEUR:Trojan.Win32.Generic, Trojan-DDoS.Win32.Macri.avy, UDS:DangerousObject.Multi.Generic`
	`dataBaseVersion`	Version of databases used to scan the file.	Integer	`201811190706`
Sandbox	`detect`	List of detected threats.	Array	`HEUR:Trojan.Win32.Generic, Trojan-DDoS.Win32.Macri.avy, UDS:DangerousObject.Multi.Generic`
	`image`	Name of the virtual machine image where the file was scanned.	String	`Win7`
	`dataBaseVersion`	Database version in the following format: `<version of the program databases which were used to scan the file> / <version of the IDS module databases>`.	Integer	`201902031107/ 201811190706`
URL Reputation	`detect`	List of URL Reputation categories for the detected object (for objects of type `URL` or `host`).	Array	`Phishing host, Malicious host, Botnet C&C(Backdoor.Win32.Mokes)`
Targeted Attack Analyzer	`detect`	Name of the TAA module alert.	The only possible value is `Suspicious remote host activity`	`Suspicious remote host activity`

Data on the environment of detected objects

The scope of transmitted data on the environment of detected objects depending on the source of the object is listed in the following table.

Data on the environment of detected objects

Source of the object	Parameter	Description	Data type	Example
`web`	`sourceIP`	IP address of the computer that established the connection.	IP address	`192.0.2.0`
	`sourceHostname`	Name of the computer that established the connection.	String	`example.com`
	`destinationIp`	IP address of the computer with which the connection was established.	IP address	`198.51.100.0`
	`destinationPort`	Port of the computer with which the connection was established.	Integer	`3128`
	`URL`	URL of the web resource that was accessed. IDS technology alerts do not have this parameter. For URL technology alerts, this parameter has the same value as the `detectedObject` parameter.	String	`https://example.com:443/`
	`method.`	HTTP request method.	String	`Connect`
	`referrer`	URL from which the redirect was made.	String	`https://example.com:443/`
	`agentString`	`User agent` header of the HTTP request that contains the name and version of the client application.	String	`Mozilla/4.0`
`mail`	`mailFrom`	Sender's email address.	String	`sender@example.com`
	`mailTo`	Comma-separated list of recipient email addresses.	Array	`recipient1@example.com, recipient2@example.com`
	`subject`	Subject of the message.	String	`'You are the winner'`
	`messageId`	Email message ID.	String	`1745028736.156014.1542897410859.JavaMail.svc_jira_pool@hqconflapp2`
`endpoint` `external`	`hostName`	Name of the computer on which the alert was generated.	String	`computername.example.com`
`endpoint` `external`	`IP`	IP address of the computer on which the alert was generated.	IP address	`198.51.100.0`
`dns`	`sourceIp`	IP address of the computer which initiated the DNS connection.	IP address	`192.0.2.0`
	`destinationIp`	IP address of the computer with which the DNS connection was established (typically, a DNS server).	IP address	`198.51.100.0`
	`destinationPort`	Port of the computer with which the DNS connection was established (typically, a DNS server).	Integer	`3128`
	`dnsMessageType`	Type of the DNS message: `Request` `Response`	String	`Request`
	`dnsRequestType`	One of the following DNS request types: `A`. `AAA`. `CNAME`. `MX`.	String	`MX`
	`domainToBeResolved`	Domain name from the DNS request.	String	`example.com`

Contents

Scope of transmitted data

Data on detected objects

Data on detected threats

Data on the environment of detected objects