Data necessary for the functioning of the workspace
Kaspersky Security Center Cloud Console processes the following data:
- Details of devices detected on the organization's network
Network Agent receives the data listed below from the networked devices and transfers it to Administration Server:
- Technical specifications of the detected device and its components required for device identification that have been received by means of network polling:
- Active Directory polling:
Active Directory devices: distinguished name of the device; Windows domain name received from the domain controller; device name in the Windows environment; NetBIOS domain name; DNS domain and DNS name of the device; Security Account Manager (SAM) account (name for logging in to the system used for support of clients and servers running earlier operating system versions, such as Windows NT 4.0, Windows 95, Windows 98, and LAN Manager); distinguished name of the domain; distinguished names of the groups to which the device belongs; distinguished name of the user managing the device; and globally unique identifier (GUID) and parent GUID of the device.
When the Active Directory network is polled, the following types of data are also processed for the purpose of displaying information about the managed infrastructure and use of this information by the user, for example, during protection deployment:
- Active Directory organizational units: distinguished name of the organizational unit; distinguished name of the domain; GUID and parent GUID of the organizational unit.
- Active Directory domains: Windows domain name received from the domain controller; DNS domain; GUID of the domain.
- Active Directory users: display name of the user; distinguished name of the user; distinguished name of the domain; name of the user's organization; name of the department where the user works; distinguished name of another user acting as the user's manager; full name of the user; SAM account; email address; alternate email address; main phone number; alternate phone number; mobile phone number; user's position name; distinguished names of the groups to which the user belongs; user globally unique identifier (GUID); user security identifier (SID) (unique binary value used to identify the user as a security principal); and user principal name (UPN), an internet-style login name for a user based on the Internet standard RFC 822. The UPN is shorter than the distinguished name and easier to remember. By convention, the UPN maps to the user's email name.
- Active Directory groups: distinguished name of the group; email address; distinguished name of the domain; SAM account; distinguished names of other groups to which the group belongs; SID group; group GUID.
- Samba domain polling:
Samba devices: distinguished name of the device; domain name received from the domain controller; NetBIOS device name; NetBIOS domain name; DNS domain and DNS name of the device; Security Account Manager (SAM) account; distinguished name of the domain; distinguished names of the groups to which the device belongs; distinguished name of the user managing the device; globally unique identifier (GUID) and parent GUID of the device.
- Samba organization units: distinguished name of the organizational unit; distinguished name of the domain; GUID and parent GUID of the organizational unit.
- Samba domain: domain name received from the domain controller; DNS domain; GUID of the domain.
- Samba users: display name of the user; distinguished name of the user; name of the user's organization; name of the department where the user works; distinguished name of another user acting as the user's manager; full name of the user; SAM account; email address; alternate email address; main phone number; alternate phone number; mobile phone number; user's position name; distinguished names of the groups to which the user belongs; user globally unique identifier (GUID); user security identifier (SID) (unique binary value used to identify the user as a security principal); user principal name (UPN), an internet-style login name for a user based on the Internet standard RFC 822. The UPN is shorter than the distinguished name and easier to remember. By convention, the UPN maps to the user's email name.
- Samba groups: distinguished name of the group; email address; distinguished name of the domain; SAM account; distinguished names of other groups to which the group belongs; SID group; group GUID.
- Windows domain polling:
- Name of the Windows domain or workgroup
- Device NetBIOS name
- DNS domain and DNS name of the device
- Device name and description
- Device visibility on the network
- Device IP address
- Device type (workstation, server, SQL Server, domain controller, etc.)
- Type of operating system on the device
- Version of the device operating system
- Time the information about the device was last updated
- Time the device was last visible on the network
- IP range polling:
- Device IP address
- Device DNS name or NetBIOS name
- Device name and description
- Device MAC address
- Time the device was last visible on the network
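The Active Directory and Samba polling lists above include the user and group security identifier (SID), which the directory returns as a binary value, while the console, event exports, and SIEM rules usually show it in the textual S-1-5-... form. The following is an added example (not code from Kaspersky's documentation or product) that decodes and encodes that binary structure so an administrator can correlate polled SIDs with other sources, and splits a decoded SID into its domain part and relative identifier. The attribute-name mapping is the standard Active Directory schema naming; the sample objectSid bytes and domain values are constructed for illustration, not taken from the page.

```python
"""Added example: decode/encode binary objectSid values as returned by
Active Directory or Samba polling, and list the LDAP attributes that
correspond to the polled user fields. Not part of Kaspersky's product."""
import struct

# Standard AD schema attribute names behind the polled user fields listed
# on this page. The pairing with the page's wording is an assumption.
POLLED_USER_ATTRIBUTES = {
    "display name": "displayName",
    "distinguished name": "distinguishedName",
    "organization": "company",
    "department": "department",
    "manager": "manager",
    "full name": "cn",
    "SAM account": "sAMAccountName",
    "email address": "mail",
    "main phone number": "telephoneNumber",
    "mobile phone number": "mobile",
    "position": "title",
    "group membership": "memberOf",
    "GUID": "objectGUID",
    "SID": "objectSid",
    "UPN": "userPrincipalName",
}


def decode_sid(raw: bytes) -> str:
    """Binary SID layout: revision (1 byte), sub-authority count (1 byte),
    identifier authority (6 bytes, big-endian), then N sub-authorities as
    little-endian unsigned 32-bit integers. Returns the S-R-A-S1-...-Sn form."""
    if len(raw) < 8:
        raise ValueError("SID shorter than its fixed header")
    revision, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("sub-authority count does not match SID length")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % count, raw[8:])
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def encode_sid(text: str) -> bytes:
    """Inverse of decode_sid: textual SID back to the binary objectSid layout."""
    parts = text.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("not a textual SID")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if revision != 1 or not 0 <= authority < 2 ** 48 or len(subs) > 15:
        raise ValueError("SID field out of range")
    return (bytes([revision, len(subs)])
            + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def split_sid(text: str) -> tuple:
    """Split a principal SID into (domain SID, RID). The last sub-authority
    is the relative identifier of the user or group within its domain."""
    head, _, rid = text.rpartition("-")
    return head, int(rid)


# Constructed sample: objectSid of a user with RID 1104 in a made-up domain.
CONSTRUCTED_OBJECT_SID = bytes.fromhex(
    "01 05 000000000005 15000000 dcf4dc3b 833d2b46 828ba628 50040000"
)


def describe(raw: bytes) -> dict:
    """Return the fields a practitioner would store alongside the polled record."""
    sid = decode_sid(raw)
    domain, rid = split_sid(sid)
    return {"sid": sid, "domain_sid": domain, "rid": rid}


if __name__ == "__main__":
    print(describe(CONSTRUCTED_OBJECT_SID))
    print(sorted(POLLED_USER_ATTRIBUTES.values()))
```

The round trip matters in practice: if an export shows a SID that does not re-encode to the bytes the directory holds, the record was truncated or mangled somewhere between polling and storage, and length checks like the one in `decode_sid` are what catch it.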
- Details of managed devices.
Network Agent transfers the data listed below from the device to Administration Server. The user enters the display name and description of the device in the Kaspersky Security Center Cloud Console interface:
- Technical specifications of the managed device and its components required for device identification:
- Display name (generated on the basis of the NetBIOS name, can be modified manually) and description of the device (entered manually)
- Windows domain name and type (Windows NT domain / Windows workgroup)
- Device name in the Windows environment
- DNS domain and DNS name of the device
- Device IP address
- Device subnet mask
- Device network location
- Device MAC address
- Device serial number (if available)
- Type of operating system on the device
- Whether the device is a virtual machine together with hypervisor type
- Whether the device is a dynamic virtual machine as part of Virtual Desktop Infrastructure (VDI)
- Device GUID
- Network Agent instance ID
- Network Agent installation ID
- Network Agent permanent ID
- Other specifications of managed devices and their components required for audit of managed devices and for making decisions about whether specific patches and updates are applicable:
- Windows Update Agent (WUA) status
- Operating system architecture
- Operating system vendor
- Operating system build number
- Operating system release ID
- Operating system location folder
- If the device is a virtual machine—the virtual machine type
- Device response waiting time
- Whether Network Agent is running in stand-alone mode
- Detailed information about activity on managed devices:
- Date and time of the last update
- Date and time the device was last visible on the network
- Restart waiting status ("Restart is required.")
- Time the device was turned on
- Details of device user accounts and their work sessions
- Distribution point operation statistics if the device is a distribution point:
- Date and time the distribution point was created
- Work folder name
- Work folder size
- Number of synchronizations with the Administration Server
- Date and time the device last synchronized with the Administration Server
- Number and total size of transferred files
- Number and total size of files downloaded by clients
- Volume of data downloaded by clients using Transmission Control Protocol (TCP)
- Volume of data sent to clients using multicasting
- Volume of data downloaded by clients using multicasting
- Number of multicast distributions
- Total volume of multicast distribution
- Number of synchronizations with clients after the last synchronization with the Administration Server
- Name of the virtual Administration Server which manages the device
- Details of cloud devices:
- Cloud Region
- Virtual Private Cloud (VPC)
- Cloud availability zone
- Cloud subnet
- Cloud placement group
- Details of mobile devices. The managed application transfers this data from the mobile device to Administration Server. The full list of data is available in the documentation of the managed application.
- Details of Kaspersky applications installed on the device.
The managed application transfers data from the device to Administration Server through Network Agent:
- Kaspersky managed applications and Kaspersky Security Center Cloud Console components installed on the device
- Settings of Kaspersky applications installed on the managed device:
- Kaspersky application name and version
- Status
- Real-time protection status
- Last device scan date and time
- Number of threats detected
- Number of objects that failed to be disinfected
- Tasks for Kaspersky security application
- Availability and status of the application components
- Time of last update and version of anti-virus databases
- Details of Kaspersky application settings
- Information about the active license keys
- Information about the reserve license keys
- Application installation date
- Application installation ID
- Application operation statistics: events related to changes in the status of Kaspersky application components on the managed device and to performance of tasks initiated by the application components
- Device status defined by the Kaspersky application
- Tags assigned by the Kaspersky application
- Set of installed and applicable updates for the Kaspersky application:
- Display name, version, and language of the application
- Internal name of the application
- Application name and version from the registry key
- Application installation folder
- Patch version
- List of installed application autopatches
- Whether the application is supported by Kaspersky Security Center Cloud Console
- Whether the application is installed on a cluster
- Details of data encryption errors on devices: error ID, time of occurrence, operation type (encryption/decryption), error description, file path, description of encryption rule, device ID, and user name
- Events of Kaspersky Security Center Cloud Console components and Kaspersky managed applications.
Network Agent transfers data from the device to Administration Server.
The description of an event can contain the following data:
- Device name
- Device user name
- Name of the administrator who connected to the device remotely
- Name, version, and vendor of the application installed on the device
- Path to the application installation folder on the device
- Path to the file on the device and file name
- Application name and command-line parameters under which the application was run
- Patch name, patch file name, patch ID, level of the vulnerability fixed by the patch, description of the patch installation error
- Device IP address
- Device MAC address
- Device restart status
- Name of the task that published the event
- Whether the device switched to stand-alone mode and reason for switching
- Information about the security issue on the device: security issue type, security issue name, severity level, security issue description, security issue details transmitted by the Kaspersky application
- Size of free disk space on the device
- Whether the Kaspersky application is running in limited functionality mode, IDs of functional scopes
- Old and new value of the Kaspersky application setting
- Description of the error that occurred when the Kaspersky application or any of its components performed the operation
- Settings of Kaspersky Security Center Cloud Console components and Kaspersky managed applications presented in policies and policy profiles.
The user enters data in the Kaspersky Security Center Cloud Console interface.
- Task settings of Kaspersky Security Center Cloud Console components and Kaspersky managed applications
The user enters data in the Kaspersky Security Center Cloud Console interface.
- Data processed by the Vulnerability and patch management feature.
Network Agent transfers the data listed below from the device to Administration Server:
- Details of applications and patches installed on managed devices (Applications registry). Applications can be identified on the basis of information about executable files detected on managed devices by the Application Control feature:
- Application/patch ID
- Parent application ID (for a patch)
- Application/patch name and version
- Whether the application/patch is an .msi file of Windows Installer
- Application/patch vendor
- Localization language ID
- Application/patch installation date
- Application installation path
- Technical Support website of application/patch vendor
- Technical Support phone number
- ID of the installed application instance
- Comment
- Uninstallation key
- Key for installation in silent mode
- Patch classification
- Web address for additional information about the patch
- Registry key of the application
- Application build number
- User SID
- Operating system type (Windows, Unix)
- Information about the hardware detected on managed devices (Hardware registry):
- Device ID
- Device type (motherboard, CPU, RAM, mass storage device, video adapter, sound card, network interface controller, monitor, optical disc device)
- Device name
- Description
- Vendor
- Serial number
- Revision
- Information about the driver: developer, version, description, and release date
- Information about BIOS: developer, version, serial number, and release date
- Chipset
- Clock rate
- Number of CPU cores
- Number of CPU threads
- CPU platform
- Storage device rotation speed
- RAM: type, part number
- Video memory
- Sound card codec
- Details of vulnerabilities in third-party software detected on managed devices:
- Vulnerability identifier
- Vulnerability severity level (Warning, High, Critical)
- Vulnerability type (Microsoft, third-party)
- Web address of the page on which the vulnerability is described
- Time the vulnerability entry was created
- Vendor name
- Localized vendor name
- Vendor ID
- Application name
- Localized name of the application
- Application installation code
- Application version
- Application localization language
- List of CVE identifiers from the vulnerability description
- Kaspersky protection technologies blocking the vulnerability (File Threat Protection, Behavior Detection, Web Threat Protection, Mail Threat Protection, Host Intrusion Prevention, ZETA Shield)
- Path to the object file in which the vulnerability was detected
- Vulnerability detection time
- IDs of the Knowledge Base articles from the vulnerability description
- IDs of the security bulletins from the vulnerability description
- List of updates for the vulnerability
- Whether an exploit exists for the vulnerability
- Whether malware exists for the vulnerability
- Details of updates available for third-party applications installed on managed devices:
- Application name and version
- Vendor
- Application localization language
- Operating system
- List of patches according to installation sequence
- Original version of the application to which the patch is applied
- Application version after patch installation
- Patch ID
- Build number
- Installation flags
- License Agreements for the patch
- Whether the patch is a prerequisite for installation of other patches
- List of required installed applications and their updates
- Sources of information about the patch
- Additional information about the patch (addresses of web pages)
- Web address for patch download, file name, version, revision, and SHA256
- Details of Microsoft updates found by the WSUS feature:
- Update revision number
- Microsoft update type (Driver, Software, Category, Detectoid)
- Update importance level according to the Microsoft Security Response Center (MSRC) bulletin (Low, Medium, High, Critical)
- IDs of the MSRC bulletins related to the update
- IDs of articles in the MSRC Knowledge Base
- Update name (header)
- Update description
- Whether the update installer is interactive
- Installation flags
- Update classification (Critical Updates, Definition Updates, Drivers, Feature Packs, Security Updates, Service Packs, Tools, Update Rollups, Updates, Upgrade)
- Information about the application to which the update is applied
- End User License Agreement (EULA) ID
- EULA text
- Whether the EULA must be accepted for update installation
- Information about the associated updates (ID and revision number)
- Update ID (Global Microsoft Windows update identity)
- IDs of the superseded updates
- Whether the update is hidden
- Whether the update is mandatory
- Update installation status (Not applicable, Not assigned for installation, Assigned, Installing, Installed, Failed, Restart is required, Not assigned for installation (new version))
- CVE IDs for the update
- Company that released the update, or the "Company missing" value
- List of Microsoft updates found by the WSUS feature that must be installed on the device.
- Information about executable files detected on managed devices by the Application Control feature (may be associated with information from the Applications registry). A full list of data is given in the section that describes data for devices managed through the corresponding application.
The managed application transfers data from the device to Administration Server through Network Agent.
- Information about files placed in Backup. A full list of data is given in the section that describes data for devices managed through the corresponding application.
The managed application transfers data from the device to Administration Server through Network Agent.
- Information about files requested by Kaspersky specialists for detailed analysis. A full list of data is given in the section that describes data for devices managed through the corresponding application.
The managed application transfers data from the device to Administration Server through Network Agent.
- Information about the status and triggering of Adaptive Anomaly Control rules. A full list of data is given in the section that describes data for devices managed through the corresponding application.
The managed application transfers data from the device to Administration Server through Network Agent.
- Information about devices (memory units, information transfer tools, information hardcopy tools, and connection buses) installed or connected to the managed device and detected by the Device Control feature. A full list of data is given in the section that describes data for devices managed through the corresponding application.
The managed application transfers data from the device to Administration Server through Network Agent.
- Data about alerts:
- Date and time of the first telemetry event in the alert
- Date and time of the last telemetry event in the alert
- Name of the triggered rule (the User enters this in the Kaspersky Security Center Cloud Console interface)
- Alert status
- Resolution (False Positive, True Positive, Low Priority)
- ID and name of the user who is assigned for the alert
- Unique ID in the Kaspersky Security Center Cloud Console database and the name of the device related to the events that are alert sources
- SID and name of the user of the device related to the events that are alert sources
- Observables, that is, observable data related to the events that are alert sources:
- IP address
- MD5 hash sum of the file and file path
- Web address
- Domain
- Additional details of the object related to the alert (received from the application)
- Comments to the alert:
- Date and time when the comment was added
- User who added the comment
- Text of the comment
- Alert changelog:
- Date and time of the change
- User who performed the change
- Change description
- Data about security issues:
- Date and time of the first event in the security issue
- Date and time of the last event in the security issue
- Security issue name (the user enters this in the Kaspersky Security Center Cloud Console interface)
- Brief description of the security issue
- Security issue priority
- Security issue status
- ID and name of the user assigned for the security issue
- Resolution (False Positive, True Positive, Low Priority, Merged)
- Comment to the security issue:
- Date and time when the comment was added
- User who added the comment
- Text of the comment
- Security issue changelog:
- Date and time of the change
- User who performed the change
- Change description
- Data processed by the data encryption feature of Kaspersky applications.
The managed application transfers the data listed below from the device to Administration Server through Network Agent. The user enters the description of the drive in the Kaspersky Security Center Cloud Console interface:
- List of drives on the devices:
- Drive name
- Encryption status
- Drive type (boot drive, disk drive)
- Drive serial number
- Description
- Details of data encryption errors on the devices:
- Date and time when the error occurred
- Operation type (encryption, decryption)
- Error description
- File path
- Rule description
- Device ID
- User name
- Error ID
- Data encryption settings of the Kaspersky application.
A full list of data is given in the section that describes data for devices managed through the corresponding application.
- Details of the entered activation codes.
The User enters data in the Kaspersky Security Center Cloud Console interface.
- User accounts.
The User enters the data listed below in the Kaspersky Security Center Cloud Console interface:
- Name
- Description
- Full name
- Email address
- Main phone number
- Password
- One-time security code for two-step verification
- Data required for user authentication using Active Directory:
- Active Directory Federation Services (ADFS) settings:
- Main URL of the authentication provider
- Trusted root certificates for ADFS
- Client ID generated in ADFS
- Secret key for protection of access to ADFS
- Scope of the tokens
- Active Directory domain with which the integration is performed
- Name of the token field containing the user SID
- Name of the token field containing the array of SIDs of the user's groups
The User enters data in the Kaspersky Security Center Cloud Console interface.
- Data required to authenticate users by using Microsoft Entra ID.
- Microsoft Entra ID integration settings:
- ID of the Microsoft Entra ID tenant
- Client ID generated in the Microsoft Entra ID tenant
- Client secret created in the Microsoft Entra ID tenant
The user enters data in the Kaspersky Security Center Cloud Console interface.
- Data about users and groups in the Microsoft Entra ID tenant, which Kaspersky Security Center Cloud Console receives as a result of the Microsoft Entra ID polling:
- Data about users in the Microsoft Entra ID tenant: user object identifier; user security identifier; user display name; name of the user's organization; name of the department in which the user works; user position; email address; primary phone number; mobile phone number; user login; names of groups to which the user belongs.
- Data about users created in Microsoft Entra ID as a result of synchronization with on-premises Active Directory: user security identifier in on-premises Active Directory; domain name in on-premises Active Directory; user login in on-premises Active Directory; SAM account of the user in on-premises Active Directory; distinguished user name in on-premises Active Directory.
- Data about groups in the Microsoft Entra ID tenant: group object identifier; group security identifier; group display name; email address; names of other groups to which the group belongs.
- Data about groups created in Microsoft Entra ID as a result of synchronization with on-premises Active Directory: the security identifier of the group in on-premises Active Directory; SAM account of the group in on-premises Active Directory.
- Revision history of management objects: Administration Server, Administration group, Policy, Task, User / security group, Installation package.
- The User enters the data listed below in the Kaspersky Security Center Cloud Console interface:
- Administration Server
- Administration group
- Policy
- Task
- User / Security group
- Installation package
- IP address of the device on which the User created a revision. Administration Server detects the IP address automatically.
- Registry of deleted management objects.
The User enters data in the Kaspersky Security Center Cloud Console interface.
- Installation packages created from the file, as well as installation settings.
The User enters data in the Kaspersky Security Center Cloud Console interface.
- Data required for the display of Kaspersky announcements in Kaspersky Security Center Cloud Console:
- Information about managed Kaspersky applications used by the User: application ID, full version number.
- The User's localization of the Kaspersky Security Center Cloud Console interface.
- Information about the activation of the Software on the Device: Software license ID; Software license term; Software license expiration date and time; type of Software license used; Software subscription type; Software subscription expiration date and time; current status of the Software subscription; reason of current/changing status of Software subscription; ID of the price list item through which the Software license was purchased.
- Information about the legal agreement accepted by the User while using the Software: type of the legal agreement; version of the legal agreement; flag indicating whether the user has accepted the terms of the legal agreement.
- Information about the announcements received from the Rightholder: announcement ID; time of receipt of the announcement; status of receiving the announcement.
The User enters data in the Kaspersky Security Center Cloud Console interface.
- Kaspersky Security Center Cloud Console user settings.
The User enters the data listed below in the Kaspersky Security Center Cloud Console interface:
- User interface localization language
- User interface theme
- Display settings of the monitoring panel
- Information about the status of notifications: Already read / Not yet read
- Status of columns in spreadsheets: Show/Hide
- Tutorial progress
- Data received when using the Remote diagnostics feature on a managed device: trace files, system information, details of Kaspersky applications installed on the device, dump files, log files, results of running diagnostic scripts received from Technical Support.
- Data that the User enters in the Kaspersky Security Center Cloud Console interface:
- Administration group name when creating a hierarchy of administration groups
- Email address when configuring email notifications
- Tags for devices and tagging rules
- Tags for applications
- User categories of applications
- Role name when assigning a role to a user
- Information about subnets: subnet name, description, address, and mask
- Settings of reports and selections
- Any other data entered by the User
- Data received from a secondary Administration Server deployed on-premises.
The data processed by the Kaspersky Security Center Administration Server is described in Kaspersky Security Center Online Help.
When connecting a Kaspersky Security Center Administration Server deployed on-premises as a secondary in relation to Kaspersky Security Center Cloud Console, Kaspersky Security Center Cloud Console processes the following types of data from the secondary Administration Server:
- Information about the devices on the organization's network received as a result of device discovery in the Active Directory network or Windows network, or through scanning of IP intervals
- Information about the Active Directory organizational units, domains, users, and groups received as a result of Active Directory network polling
- Information about managed devices, their technical specifications, including those required for device identification, accounts of device users and their working sessions
- Information about mobile devices transferred by using the Exchange ActiveSync protocol
- Information about mobile devices transferred by using the iOS MDM protocol
- Details of Kaspersky applications installed on the device: settings, operation statistics, device status defined by the application, installed and applicable updates, tags
- Information transferred with event settings from Kaspersky Security Center components and Kaspersky managed applications
- Settings of Kaspersky Security Center components and Kaspersky managed applications presented in policies and policy profiles
- Task settings of Kaspersky Security Center components and Kaspersky managed applications
- Data processed by the Vulnerability and patch management feature: details of applications and patches; information about the hardware; details of vulnerabilities in third-party software detected on managed devices; details of updates available for third-party applications; details of Microsoft updates found by the WSUS feature
- User categories of applications
- Details of executable files detected on managed devices by the Application Control feature
- Details of files placed in Backup
- Details of files placed in Quarantine
- Details of files requested by Kaspersky specialists for detailed analysis
- Information about the status and triggering of Adaptive Anomaly Control rules
- Details of devices (memory units, information transfer tools, information hardcopy tools, and connection buses) installed or connected to the managed device and detected by the Device Control feature
- Encryption settings of the Kaspersky application: repository of encryption keys, device encryption status
- Information about the errors of data encryption performed on devices using the Data encryption feature of Kaspersky applications
- List of managed programmable logic controllers (PLCs)
- Details of the entered activation codes
- User accounts
- Revision history of management objects
- Registry of deleted management objects
- Installation packages created from the file, as well as installation settings
- Kaspersky Security Center Web Console user settings
- Any data that the user enters in the Administration Console or Kaspersky Security Center Cloud Console interface
- Certificate for secure connection of managed devices to the Kaspersky Security Center components
- Information uploaded from the managed device when using the Remote Diagnostics feature: diagnostic files (dump files, log files, trace files, etc.) and data contained in those files.
- Data required for Kaspersky Security Center Cloud Console integration with an SIEM system for event export:
- Data required for connection and authentication:
- SIEM system connection address and port
- SIEM server authentication certificate
- Trusted certificate and private key for client authentication of Kaspersky Security Center Cloud Console in the SIEM system
The User enters data in the Kaspersky Security Center Cloud Console interface.
- Data that Kaspersky Security Center Cloud Console receives from the SIEM system: public key of the SIEM server certificate for the SIEM server authentication.
- Data required for Kaspersky Security Center Cloud Console interaction with cloud environment:
- Amazon Web Services (AWS):
- Access key ID of the IAM user account
- Secret key of the IAM user account
- Microsoft Azure:
- Azure Application ID
- Azure subscription ID
- Azure Application password
- Account name for Azure repository
- Account access key for Azure repository
- Google Cloud:
- Google client email
- Project ID
- Private key
The User enters data in the Kaspersky Security Center Cloud Console interface.
- Data transferred by an unsupported Kaspersky application
If you install Network Agent on a device that already has a Kaspersky application that Kaspersky Security Center Cloud Console does not support, that application still transfers its data to Kaspersky Security Center Cloud Console (the list of data is provided in the "About data provision" section of the application's Help). However, Kaspersky Security Center Cloud Console cannot process the data transferred by the unsupported application in the way described for its main functionality.
The list of supported Kaspersky applications is presented in Kaspersky Security Center Cloud Console Online Help.
- Statistical information about user attempts to gain access to cloud services.
A managed application transfers data from the device to Administration Server through Network Agent. For the full list of transferred data, refer to Help of the managed application.
- Data for creating a threat development chain.
A managed application transfers data from the device to Administration Server through Network Agent. For the full list of transferred data, refer to Help of the managed application.
- Data required for integration of Kaspersky Security Center with the Kaspersky Managed Detection and Response service.
Token for the integration initiation, integration token, and user session token. The User enters the token to initiate the integration in the Kaspersky Security Center Cloud Console interface. The Kaspersky Managed Detection and Response service transfers both the integration token and user session token through the MDR plug-in.