For Kaspersky Endpoint Detection and Response Expert to work, Kaspersky must process user data. Components do not send data without the permission of the Kaspersky Endpoint Detection and Response Expert administrator.
Kaspersky protects any information received in accordance with law and applicable Kaspersky rules. Data is transmitted over a secure channel.
The following data is used for the operation of Kaspersky EDR Expert:
You consent to the sending of user data by confirming that you agree with the Data Processing Agreement during activation of the solution. After activation, you can view the Data Processing Agreement by clicking the Kaspersky Endpoint Detection and Response Expert tile in the Marketplace section or by clicking the Kaspersky EDR Expert settings button in the Threat hunting section.
The following information about alerts is sent to Kaspersky Security Center Cloud Console:
Name and internal unique identifier of the device related to the alert
Names and user account security identifiers (SID) related to the alert
Date and time of the alert creation
Alert type (IOA alert or IOC alert)
Date and time of the first event related to the alert
Date and time of the last event related to the alert
Data about triggered rules:
Identifier of the rule
Name of the rule
Severity of the rule
Confidence of the rule
If an IOA rule is triggered, the following data is sent:
Signs that the custom rule has been triggered
MITRE technique and MITRE tactic identifiers related to the triggered rule
If an IOC rule is triggered, the following data is sent:
Description of the IOC rule
Information about detected objects (for example, files, processes, loaded modules, local and remote network addresses, registry keys and values, DNS records, system log records, users, Windows services)
Identifier, start time, and end time of the IOC scan task