Events may contain user data. If the Central Node component is installed on the server, information about events that have occurred is stored on the server with the component in the /data/var/lib/kaspersky/storage/fastsearch/elasticsearch/data/ directory. When the Central Node component is installed on a cluster, this information is stored on the storage servers.
Data is rotated as the disk becomes full.
Kaspersky Anti Targeted Attack Platform provides no built-in capability to restrict the rights of users of the servers and operating systems on which the Central Node component is installed. The administrator is advised to use any system resources at their own discretion to control how users of servers and operating systems with the application installed may be granted access to the personal data of other users.
Event data can contain information related to the following:
Name of the computer where the event occurred.
Unique ID of the computer with Kaspersky Endpoint Agent.
Name of the user account under which the event occurred.
Name of the group that the user belongs to.
Event type.
Event time.
Information about the file for which the event was logged: name, path, full name.
MD5 and SHA256 hashes of the file.
File creation time.
File modification time.
File access rights.
Environment variables of the process.
Command-line parameters.
Text of the command entered into the command line.
Local IP address of the adapter.
Local port.
Remote host name.
Remote host IP address.
Port on the remote host.
URLs and IP addresses of visited websites, and links from these websites.
Network connection protocol.
HTTP request method.
HTTP request header.
Information about Windows registry variables: path to the variable, variable name, variable value.
Contents of a script or binary file sent for AMSI scanning.
Information about the event in the Windows log: event type, event type ID, event ID, user account under which the event was logged, full text of the event from the Windows Event Log in XML format.