Kaspersky Industrial CyberSecurity for Networks Public API (v3)

Download OpenAPI specification:Download

Public API for external connectors

Authentication

Bearer authentication

All API methods must include the access token used to authenticate and authorize calls in the request header. Specifying an access token in a URI is not supported. Not specifying an access token in these cases results in a returned 401 error code.

Security Scheme Type HTTP
HTTP Authorization Scheme bearer
Bearer format "JWT"

About

Product information - Kaspersky Industrial CyberSecurity for Networks release version and list of installed components and their versions.
You can get product version and component info from Kaspersky Industrial CyberSecurity for Networks by using the about api methods.

Get information about the Kaspersky Industrial CyberSecurity for Networks version.

path Parameters
version
required
string

Responses

Response samples

Content type
application/json
{
  • "version": "3.0.0.512",
  • "updateableComponents": [
    ]
}

ApplicationMessages


The application message log stores information about errors in application operation and about errors in operations performed by system processes of Kaspersky Industrial CyberSecurity for Networks.
You can get application messages from Kaspersky Industrial CyberSecurity for Networks by using the application messages api methods.

Query several application messages.

Returns a specified number of application messages starting from a certain offset (but not including application message with specified offset). You can specify filtering and paging options for application messages. By default, application messages are not sorted. You should use {sort} property from argument to specify sort order.
Fields that can be used for filtering:

  • id
  • date
  • status
  • node
  • systemProcess
  • descriptionId

Fields that can be used for sorting:
  • id
path Parameters
version
required
string
Request Body schema:

Query argument. This lets you define the parameters for filtering and sorting, the offset and maximum number of events in the returned results.

filter
object Nullable

Filtering parameters. To define a filter in a query, an array of filtering conditions is passed in the filter object:

  1. Each item of this array indicates the name of the field to be used for filtering and the filter conditions.
  2. If no filtering conditions are defined (there is no object filtering array or it is empty), all objects of the specific type are returned.
  3. To configure filtering in a query, the filter object containing an array of conditions is defined. An item of this array can be either a condition or a group of conditions in the form of a conditions array. The maximum nesting of groups is three levels (including the first).
  4. Each condition can have the following parameters:
    • field (required) - object field name from the table of fields of the specific object type in camelCase. Subparameters are indicated after a colon (example - IP address of the source field: "source:ipAddress").
    • condition(optional) - condition for the field value. Supported options:
      • "=" - equals. This is also used if this parameter is not defined.
      • "<>" - does not equal.
      • ">" - the value of field is larger than value. Applicable only to numerical and time values.
      • ">=" - the value of field is larger than or equal to value. Applicable only to numerical and time values.
      • "<" - the value of field is less than value. Applicable only to numerical and time values.
      • "<=" - the value of field is less than or equal to value. Applicable only to numerical and time values.
      • "IsEmpty" - the value of field is empty. Value is ignored.
      • "IsOneOf" - the value of field is empty or is equal to one of the values in the value array. Value contains an array of possible values.
    • value - value or values that are compared.
      • Members of enums are indicated as strings in the English locale without spaces, special characters, or anything indicated in brackets. Examples: "DPI", "Warning", "EngineeringWorkstation".
      • Dates are indicated in ISO_8601 format with full indication of all parts of the date and time. Example: "2020-10-25T17:32:25.707Z".
    • operator - logical operation that merges this condition with other conditions and groups of conditions at the specific level. The operator of the first top-level condition is ignored. The operator of the first condition in a group is considered to be the operator of this group. Supported options:
      • "and" - the condition is added by AND. It is also used if this parameter is not defined.
      • "or" - the condition is added by OR.
    • Parsing of the values of parameters and all comparisons are not case sensitive.
    • If an unsupported parameter value is defined, the "Incorrect parameters" error is returned with the name and value of the parameter.

Example of a simple condition with an AND conjunction.

{
        "query":
        {
            ...
            "filter":
            [
                {
                    "field": "propName3",
                    "condition": "isOneOf",
                    "value": ["DPI", "NIC", "CC"],
                },
                {
                    "field": "propName4",
                    "condition": ">=",
                    "value": "2020-10-27T17:32:25.806Z"
                }
            ]
        }
}

Example of a set of conditions with a nested conditions group in which the conditions are merged by OR, while the top-level conditions are merged by AND:

{
        "query":
        {
            ...
            "filter":
            [
                [
                    {
                        "field": "propName1",
                        "condition": ">=",
                        "value": 10
                    },
                    {
                        "field": "propName1",
                        "value": 1,
                        "operator": "or"
                    }
                ],
                {
                    "field": "propName3",
                    "condition": "isOneOf",
                    "value": ["DPI", "NIC", "CC"]
                },
                {
                    "field": "propName4",
                    "condition": ">=",
                    "value": "2020-10-27T17:32:25.806Z"
                }
            ]
        }     
}
Array of objects (ColumnOrderDto) Nullable

Sorting results. The list of columns that can participate in sorting depends on the type of requested data. A full list is provided in the description of the corresponding paging method.

offset
integer <int32> [ 0 .. 2147483647 ] Nullable

0-based index of the item in the full list where the results must begin. If no offset is specified, the results return the data beginning at the start of the full list.

limit
integer <int32> [ 0 .. 1000 ] Nullable

Maximum number of items in the results. If no limit is specified, the results return all data beginning from the offset or from the start of the list depending on whether an offset is defined.

Responses

Request samples

Content type
{
  • "filter": [
    ],
  • "sort": [
    ],
  • "offset": 200,
  • "limit": 100
}

Response samples

Content type
application/json
{
  • "offset": 200,
  • "limit": 100,
  • "values": [
    ]
}

AuditMessages


Kaspersky Industrial CyberSecurity for Networks can save information about actions performed by users in the application.
Information is saved in the audit log if user activity audit is enabled.
You can get audit entries from Kaspersky Industrial CyberSecurity for Networks by using the audit messages api methods.

Query several audit entries.

Returns a specified number of audit entries starting from a certain offset (but not including audit entry with specified offset). You can specify filtering and paging options for audit entries. By default, audit entries are not sorted. You should use {sort} property from argument to specify sort order.
Fields that can be used for filtering:

  • id
  • date
  • node
  • user
  • action
  • result

Fields that can be used for sorting:
  • id
path Parameters
version
required
string
Request Body schema:

Query argument. This lets you define the parameters for filtering and sorting, the offset and maximum number of events in the returned results.

filter
object Nullable

Filtering parameters. To define a filter in a query, an array of filtering conditions is passed in the filter object:

  1. Each item of this array indicates the name of the field to be used for filtering and the filter conditions.
  2. If no filtering conditions are defined (there is no object filtering array or it is empty), all objects of the specific type are returned.
  3. To configure filtering in a query, the filter object containing an array of conditions is defined. An item of this array can be either a condition or a group of conditions in the form of a conditions array. The maximum nesting of groups is three levels (including the first).
  4. Each condition can have the following parameters:
    • field (required) - object field name from the table of fields of the specific object type in camelCase. Subparameters are indicated after a colon (example - IP address of the source field: "source:ipAddress").
    • condition(optional) - condition for the field value. Supported options:
      • "=" - equals. This is also used if this parameter is not defined.
      • "<>" - does not equal.
      • ">" - the value of field is larger than value. Applicable only to numerical and time values.
      • ">=" - the value of field is larger than or equal to value. Applicable only to numerical and time values.
      • "<" - the value of field is less than value. Applicable only to numerical and time values.
      • "<=" - the value of field is less than or equal to value. Applicable only to numerical and time values.
      • "IsEmpty" - the value of field is empty. Value is ignored.
      • "IsOneOf" - the value of field is empty or is equal to one of the values in the value array. Value contains an array of possible values.
    • value - value or values that are compared.
      • Members of enums are indicated as strings in the English locale without spaces, special characters, or anything indicated in brackets. Examples: "DPI", "Warning", "EngineeringWorkstation".
      • Dates are indicated in ISO_8601 format with full indication of all parts of the date and time. Example: "2020-10-25T17:32:25.707Z".
    • operator - logical operation that merges this condition with other conditions and groups of conditions at the specific level. The operator of the first top-level condition is ignored. The operator of the first condition in a group is considered to be the operator of this group. Supported options:
      • "and" - the condition is added by AND. It is also used if this parameter is not defined.
      • "or" - the condition is added by OR.
    • Parsing of the values of parameters and all comparisons are not case sensitive.
    • If an unsupported parameter value is defined, the "Incorrect parameters" error is returned with the name and value of the parameter.

Example of a simple condition with an AND conjunction.

{
        "query":
        {
            ...
            "filter":
            [
                {
                    "field": "propName3",
                    "condition": "isOneOf",
                    "value": ["DPI", "NIC", "CC"],
                },
                {
                    "field": "propName4",
                    "condition": ">=",
                    "value": "2020-10-27T17:32:25.806Z"
                }
            ]
        }
}

Example of a set of conditions with a nested conditions group in which the conditions are merged by OR, while the top-level conditions are merged by AND:

{
        "query":
        {
            ...
            "filter":
            [
                [
                    {
                        "field": "propName1",
                        "condition": ">=",
                        "value": 10
                    },
                    {
                        "field": "propName1",
                        "value": 1,
                        "operator": "or"
                    }
                ],
                {
                    "field": "propName3",
                    "condition": "isOneOf",
                    "value": ["DPI", "NIC", "CC"]
                },
                {
                    "field": "propName4",
                    "condition": ">=",
                    "value": "2020-10-27T17:32:25.806Z"
                }
            ]
        }     
}
Array of objects (ColumnOrderDto) Nullable

Sorting results. The list of columns that can participate in sorting depends on the type of requested data. A full list is provided in the description of the corresponding paging method.

offset
integer <int32> [ 0 .. 2147483647 ] Nullable

0-based index of the item in the full list where the results must begin. If no offset is specified, the results return the data beginning at the start of the full list.

limit
integer <int32> [ 0 .. 1000 ] Nullable

Maximum number of items in the results. If no limit is specified, the results return all data beginning from the offset or from the start of the list depending on whether an offset is defined.

Responses

Request samples

Content type
{
  • "filter": [
    ],
  • "sort": [
    ],
  • "offset": 200,
  • "limit": 100
}

Response samples

Content type
application/json
{
  • "offset": 200,
  • "limit": 100,
  • "values": [
    ]
}

Configuration

Kaspersky Industrial CyberSecurity for Networks provides the capability for a Connector to query its configuration.
You can get connector configuration information from Kaspersky Industrial CyberSecurity for Networks by using the configuration api methods.

Returns information about the current connector.

path Parameters
version
required
string

Responses

Response samples

Content type
application/json
{
  • "config": "- type: string\n name: address\n default: yes\n max_len: 1024\n- type: uint\n name: portNumber\n range: {from: 0, to: 65535}\n default: yes\n default_value: 0\n- type: string\n name: transportProtocol\n loc: yes\n values: [TCP, UDP]\n default: yes",
  • "eventTypesToSend": [
    ],
  • "forwardAppMessages": true,
  • "forwardAuditMessages": false
}

Devices


Devices, connected to the industrial network. Kaspersky Industrial CyberSecurity for Networks monitors their activity and updates information about them, making it easier for an administrator to make security-related decisions.
You can get a list of devices and their protocols from Kaspersky Industrial CyberSecurity for Networks by using devices api methods.
In addition to getting devices from Kaspersky Industrial CyberSecurity for Networks, you can create your own devices in Kaspersky Industrial CyberSecurity for Networks, edit and remove them.

Query several devices.

Returns a specified number of devices starting from a certain offset (but not including device with specified offset). You can specify filtering and paging options for devices. By default, devices are not sorted. You should use {sort} property from argument to specify sort order.
Fields that can be used for filtering:

  • id
  • name
  • status
  • addressInformation:macAddress
  • addressInformation:ipAddress
  • category
  • group
  • securityState
  • lastSeen
  • vulnerability:cveId
  • vulnerability:state
  • lastModified
  • created
  • os
  • hardware:Vendor
  • hardware:Model
  • hardware:Version
  • software:Vendor
  • software:Model
  • software:Version
  • networkName
  • label
  • hasIndustrialConfig

Fields that can be used for sorting:
  • id
path Parameters
version
required
string
Request Body schema:

Query argument. This lets you define the parameters for filtering and sorting, the offset and maximum number of events in the returned results.

filter
object Nullable

Filtering parameters. To define a filter in a query, an array of filtering conditions is passed in the filter object:

  1. Each item of this array indicates the name of the field to be used for filtering and the filter conditions.
  2. If no filtering conditions are defined (there is no object filtering array or it is empty), all objects of the specific type are returned.
  3. To configure filtering in a query, the filter object containing an array of conditions is defined. An item of this array can be either a condition or a group of conditions in the form of a conditions array. The maximum nesting of groups is three levels (including the first).
  4. Each condition can have the following parameters:
    • field (required) - object field name from the table of fields of the specific object type in camelCase. Subparameters are indicated after a colon (example - IP address of the source field: "source:ipAddress").
    • condition(optional) - condition for the field value. Supported options:
      • "=" - equals. This is also used if this parameter is not defined.
      • "<>" - does not equal.
      • ">" - the value of field is larger than value. Applicable only to numerical and time values.
      • ">=" - the value of field is larger than or equal to value. Applicable only to numerical and time values.
      • "<" - the value of field is less than value. Applicable only to numerical and time values.
      • "<=" - the value of field is less than or equal to value. Applicable only to numerical and time values.
      • "IsEmpty" - the value of field is empty. Value is ignored.
      • "IsOneOf" - the value of field is empty or is equal to one of the values in the value array. Value contains an array of possible values.
    • value - value or values that are compared.
      • Members of enums are indicated as strings in the English locale without spaces, special characters, or anything indicated in brackets. Examples: "DPI", "Warning", "EngineeringWorkstation".
      • Dates are indicated in ISO_8601 format with full indication of all parts of the date and time. Example: "2020-10-25T17:32:25.707Z".
    • operator - logical operation that merges this condition with other conditions and groups of conditions at the specific level. The operator of the first top-level condition is ignored. The operator of the first condition in a group is considered to be the operator of this group. Supported options:
      • "and" - the condition is added by AND. It is also used if this parameter is not defined.
      • "or" - the condition is added by OR.
    • Parsing of the values of parameters and all comparisons are not case sensitive.
    • If an unsupported parameter value is defined, the "Incorrect parameters" error is returned with the name and value of the parameter.

Example of a simple condition with an AND conjunction.

{
        "query":
        {
            ...
            "filter":
            [
                {
                    "field": "propName3",
                    "condition": "isOneOf",
                    "value": ["DPI", "NIC", "CC"],
                },
                {
                    "field": "propName4",
                    "condition": ">=",
                    "value": "2020-10-27T17:32:25.806Z"
                }
            ]
        }
}

Example of a set of conditions with a nested conditions group in which the conditions are merged by OR, while the top-level conditions are merged by AND:

{
        "query":
        {
            ...
            "filter":
            [
                [
                    {
                        "field": "propName1",
                        "condition": ">=",
                        "value": 10
                    },
                    {
                        "field": "propName1",
                        "value": 1,
                        "operator": "or"
                    }
                ],
                {
                    "field": "propName3",
                    "condition": "isOneOf",
                    "value": ["DPI", "NIC", "CC"]
                },
                {
                    "field": "propName4",
                    "condition": ">=",
                    "value": "2020-10-27T17:32:25.806Z"
                }
            ]
        }     
}
Array of objects (ColumnOrderDto) Nullable

Sorting results. The list of columns that can participate in sorting depends on the type of requested data. A full list is provided in the description of the corresponding paging method.

offset
integer <int32> [ 0 .. 2147483647 ] Nullable

0-based index of the item in the full list where the results must begin. If no offset is specified, the results return the data beginning at the start of the full list.

limit
integer <int32> [ 0 .. 1000 ] Nullable

Maximum number of items in the results. If no limit is specified, the results return all data beginning from the offset or from the start of the list depending on whether an offset is defined.

Responses

Request samples

Content type
{
  • "filter": [
    ],
  • "sort": [
    ],
  • "offset": 200,
  • "limit": 100
}

Response samples

Content type
application/json
{
  • "offset": 200,
  • "limit": 100,
  • "values": [
    ]
}

Query single device.

path Parameters
id
required
integer <int64> >= 1

ID of the requested event.

version
required
string

Responses

Response samples

Content type
application/json
{
  • "id": 123456,
  • "name": "BoilerPlc",
  • "description": "Very long description text",
  • "status": "Recognized",
  • "addressInformation": [
    ],
  • "category": "Plc",
  • "group": "group1",
  • "securityState": "Critical",
  • "lastSeen": "2020-12-15T11:17:12",
  • "lastModified": "2020-11-14T10:16:11",
  • "created": "2020-10-26T10:15:06",
  • "os": "Linux",
  • "networkName": "factory-net",
  • "hardwareVendor": "Siemens",
  • "hardwareModel": "S7-1500",
  • "hardwareVersion": "3.51",
  • "softwareVendor": "SomeCompany",
  • "softwareModel": "FirmwareOs1",
  • "softwareVersion": "1.23",
  • "isRouter": false,
  • "labels": [
    ],
  • "vulnerabilities": [
    ],
  • "processControlSettings": {
    },
  • "attributes": [
    ],
  • "userAttributes": [
    ]
}

Edit existing device.

You can edit device data in Kaspersky Industrial CyberSecurity for Networks by using this API.

path Parameters
id
required
integer <int64> >= 1

ID of the edited device.

version
required
string
Request Body schema:

Parameters of the edited device.

allowProcessControlSettingsUpdate
required
boolean

Allow editing of industrial configuration.

name
required
string <= 8192 characters

Unique name of the device.

required
Array of objects (DeviceAddressInformation) non-empty

MAC and IP addresses of the device.

description
string <= 65536 characters Nullable

Description of the device.

status
string (AssetStatus)
Enum: "Unauthorized" "Recognized" "Archived"
category
string (AssetType)
Enum: "ScadaHmi" "Rpa" "Server" "Workstation" "Plc" "EngineeringStation" "MobileDevice" "NetworkDevice" "Other" "Laptop" "HmiPanel" "Printer" "UPS" "NetworkCamera" "Gateway" "StorageSystem" "Firewall" "Switch" "VirtualSwitch" "Router" "VirtualRouter" "WiFi" "Historian"
os
string <= 65536 characters Nullable

Name of the operating system of the device.

hardwareVendor
string <= 65536 characters Nullable

Name of the device manufacturer.

hardwareModel
string <= 65536 characters Nullable

Device hardware model.

hardwareVersion
string <= 65536 characters Nullable

Device hardware version.

softwareVendor
string <= 65536 characters Nullable

Device software vendor.

softwareModel
string <= 65536 characters Nullable

Device software model.

softwareVersion
string <= 65536 characters Nullable

Device software version.

networkName
string <= 65536 characters Nullable

Name used to represent the device in the network.

isRouter
boolean

This parameter denotes whether the device is a routing device.

labels
Array of strings Nullable

A list of labels assigned to the device.

Array of objects (DeviceUserAttributeData) Nullable

Any user additional parameters of the device returned in pairs "Name, Value".

Responses

Request samples

Content type
{
  • "allowProcessControlSettingsUpdate": true,
  • "name": "BoilerPlc",
  • "addressInformation": [
    ],
  • "description": "Very long description text",
  • "status": "Recognized",
  • "category": "NetworkDevice",
  • "os": "Linux",
  • "hardwareVendor": "Siemens",
  • "hardwareModel": "S7-1500",
  • "hardwareVersion": "3.51",
  • "softwareVendor": "SomeCompany",
  • "softwareModel": "FirmwareOs1",
  • "softwareVersion": "1.23",
  • "networkName": "factory-net",
  • "isRouter": false,
  • "labels": [
    ],
  • "userAttributes": [
    ]
}

Response samples

Content type
application/json
{
  • "status": "Error",
  • "errors": [
    ]
}

Remove existing device.

You can remove devices from Kaspersky Industrial CyberSecurity for Networks by using this API.

path Parameters
id
required
integer <int64> >= 1

ID of the removed device.

version
required
string

Responses

Query protocols of device.

path Parameters
id
required
integer <int64> >= 1

ID of the device whose protocols are being queried.

version
required
string

Responses

Response samples

Content type
application/json
[
  • {
    }
]

Create new device.

You can create devices in Kaspersky Industrial CyberSecurity for Networks by using this API.

path Parameters
version
required
string
Request Body schema:

Parameters of the created device.

whatIfDuplicate
required
string (DuplicateAction)
Enum: "Skip" "Overwrite"
allowProcessControlSettingsLoss
required
boolean

Allow loss of industrial configuration.

name
required
string <= 8192 characters

Unique name of the device.

required
Array of objects (DeviceAddressInformation) non-empty

MAC and IP addresses of the device.

description
string <= 65536 characters Nullable

Description of the device.

status
string (AssetStatus)
Enum: "Unauthorized" "Recognized" "Archived"
category
string (AssetType)
Enum: "ScadaHmi" "Rpa" "Server" "Workstation" "Plc" "EngineeringStation" "MobileDevice" "NetworkDevice" "Other" "Laptop" "HmiPanel" "Printer" "UPS" "NetworkCamera" "Gateway" "StorageSystem" "Firewall" "Switch" "VirtualSwitch" "Router" "VirtualRouter" "WiFi" "Historian"
os
string <= 65536 characters Nullable

Name of the operating system of the device.

hardwareVendor
string <= 65536 characters Nullable

Name of the device manufacturer.

hardwareModel
string <= 65536 characters Nullable

Device hardware model.

hardwareVersion
string <= 65536 characters Nullable

Device hardware version.

softwareVendor
string <= 65536 characters Nullable

Device software vendor.

softwareModel
string <= 65536 characters Nullable

Device software model.

softwareVersion
string <= 65536 characters Nullable

Device software version.

networkName
string <= 65536 characters Nullable

Name used to represent the device in the network.

isRouter
boolean

This parameter denotes whether the device is a routing device.

labels
Array of strings Nullable

A list of labels assigned to the device.

Array of objects (DeviceUserAttributeData) Nullable

Any user additional parameters of the device returned in pairs "Name, Value".

Responses

Request samples

Content type
{
  • "whatIfDuplicate": "Skip",
  • "allowProcessControlSettingsLoss": true,
  • "name": "BoilerPlc",
  • "addressInformation": [
    ],
  • "description": "Very long description text",
  • "status": "Recognized",
  • "category": "NetworkDevice",
  • "os": "Linux",
  • "hardwareVendor": "Siemens",
  • "hardwareModel": "S7-1500",
  • "hardwareVersion": "3.51",
  • "softwareVendor": "SomeCompany",
  • "softwareModel": "FirmwareOs1",
  • "softwareVersion": "1.23",
  • "networkName": "factory-net",
  • "isRouter": false,
  • "labels": [
    ],
  • "userAttributes": [
    ]
}

Response samples

Content type
application/json
{
  • "status": "Created",
  • "deviceId": 12345
}

Events

Events are messages generated by Kaspersky Industrial CyberSecurity for Networks in response to suspicious industrial network traffic, detected attacks, and other security-related data. You can get events from Kaspersky Industrial CyberSecurity for Networks by using the events api methods. In addition to getting events from Kaspersky Industrial CyberSecurity for Networks, you can register your own events in Kaspersky Industrial CyberSecurity for Networks. Kaspersky Industrial CyberSecurity for Networks handles these events as it does any other events.

Query several events.

Returns a specified number of events starting from a certain offset (but not including event with specified offset). You can specify filtering and paging options for events. By default, events are not sorted. You should use {sort} property from argument to specify sort order.
Fields that can be used for filtering:

  • startTime
  • lastSeenTime
  • title
  • severity
  • source:ipAddress
  • source:port
  • source:macAddress
  • source:applicationLevelAddress
  • destination:ipAddress
  • destination:port
  • destination:macAddress
  • destination:applicationLevelAddress
  • vlanId
  • protocol
  • technology
  • totalAppearances
  • id
  • status
  • triggeredRule
  • monitoringPointId
  • eventType
  • mark
  • origin

Fields that can be used for sorting:
  • id
path Parameters
version
required
string
Request Body schema:

Query argument. This lets you define the parameters for filtering and sorting, the offset and maximum number of events in the returned results.

filter
object Nullable

Filtering parameters. To define a filter in a query, an array of filtering conditions is passed in the filter object:

  1. Each item of this array indicates the name of the field to be used for filtering and the filter conditions.
  2. If no filtering conditions are defined (there is no object filtering array or it is empty), all objects of the specific type are returned.
  3. To configure filtering in a query, the filter object containing an array of conditions is defined. An item of this array can be either a condition or a group of conditions in the form of a conditions array. The maximum nesting of groups is three levels (including the first).
  4. Each condition can have the following parameters:
    • field (required) - object field name from the table of fields of the specific object type in camelCase. Subparameters are indicated after a colon (example - IP address of the source field: "source:ipAddress").
    • condition(optional) - condition for the field value. Supported options:
      • "=" - equals. This is also used if this parameter is not defined.
      • "<>" - does not equal.
      • ">" - the value of field is larger than value. Applicable only to numerical and time values.
      • ">=" - the value of field is larger than or equal to value. Applicable only to numerical and time values.
      • "<" - the value of field is less than value. Applicable only to numerical and time values.
      • "<=" - the value of field is less than or equal to value. Applicable only to numerical and time values.
      • "IsEmpty" - the value of field is empty. Value is ignored.
      • "IsOneOf" - the value of field is empty or is equal to one of the values in the value array. Value contains an array of possible values.
    • value - value or values that are compared.
      • Members of enums are indicated as strings in the English locale without spaces, special characters, or anything indicated in brackets. Examples: "DPI", "Warning", "EngineeringWorkstation".
      • Dates are indicated in ISO_8601 format with full indication of all parts of the date and time. Example: "2020-10-25T17:32:25.707Z".
    • operator - logical operation that merges this condition with other conditions and groups of conditions at the specific level. The operator of the first top-level condition is ignored. The operator of the first condition in a group is considered to be the operator of this group. Supported options:
      • "and" - the condition is added by AND. It is also used if this parameter is not defined.
      • "or" - the condition is added by OR.
    • Parsing of the values of parameters and all comparisons are not case sensitive.
    • If an unsupported parameter value is defined, the "Incorrect parameters" error is returned with the name and value of the parameter.

Example of a simple condition with an AND conjunction.

{
        "query":
        {
            ...
            "filter":
            [
                {
                    "field": "propName3",
                    "condition": "isOneOf",
                    "value": ["DPI", "NIC", "CC"],
                },
                {
                    "field": "propName4",
                    "condition": ">=",
                    "value": "2020-10-27T17:32:25.806Z"
                }
            ]
        }
}

Example of a set of conditions with a nested conditions group in which the conditions are merged by OR, while the top-level conditions are merged by AND:

{
        "query":
        {
            ...
            "filter":
            [
                [
                    {
                        "field": "propName1",
                        "condition": ">=",
                        "value": 10
                    },
                    {
                        "field": "propName1",
                        "value": 1,
                        "operator": "or"
                    }
                ],
                {
                    "field": "propName3",
                    "condition": "isOneOf",
                    "value": ["DPI", "NIC", "CC"]
                },
                {
                    "field": "propName4",
                    "condition": ">=",
                    "value": "2020-10-27T17:32:25.806Z"
                }
            ]
        }     
}
Array of objects (ColumnOrderDto) Nullable

Sorting results. The list of columns that can participate in sorting depends on the type of requested data. A full list is provided in the description of the corresponding paging method.

offset
integer <int32> [ 0 .. 2147483647 ] Nullable

0-based index of the item in the full list where the results must begin. If no offset is specified, the results return the data beginning at the start of the full list.

limit
integer <int32> [ 0 .. 1000 ] Nullable

Maximum number of items in the results. If no limit is specified, the results return all data beginning from the offset or from the start of the list depending on whether an offset is defined.

Responses

Request samples

Content type
{
  • "filter": [
    ],
  • "sort": [
    ],
  • "offset": 200,
  • "limit": 100
}

Response samples

Content type
application/json
{
  • "offset": 200,
  • "limit": 100,
  • "values": [
    ]
}

Query single event.

path Parameters
id
required
integer <int64> >= 1

ID of the requested event.

version
required
string

Responses

Response samples

Content type
application/json
{
  • "id": 123456,
  • "eventType": 123123,
  • "title": "Something happened",
  • "severity": "Warning",
  • "startTime": "2020-10-27T14:32:25Z",
  • "lastSeenTime": "2020-10-27T14:32:26Z",
  • "endTime": "2020-10-27T14:32:26Z",
  • "protocol": "Modbus",
  • "communications": [
    ],
  • "technology": "Dpi",
  • "totalAppearances": 10,
  • "status": "Proposed",
  • "description": "Very long description text",
  • "triggeredRule": "Rule name",
  • "triggeredRuleId": 123,
  • "monitoringPoint": "Mpoint 1",
  • "monitoringPointId": 1,
  • "monitoringPointDeletedTime": "2020-10-26T10:15:06",
  • "mark": 0,
  • "origin": "System",
  • "childrenCount": 6,
  • "assets": [
    ],
  • "params": [
    ],
  • "vulnerabilities": [
    ]
}

Register event.

You can register events in Kaspersky Industrial CyberSecurity for Networks by using this API.

path Parameters
version
required
string
Request Body schema:

Parameters of the registered event.

title
required
string [ 1 .. 4096 ] characters

A title defined for the event type.

severity
required
string (EventSeverity)
Enum: "Info" "Warning" "Critical"
startTime
required
string <date-time>

For an event that is not an incident � date and time of event registration. For an incident � date and time of registration of the first event included in the incident.

lastSeenTime
string <date-time>

For an event that is not an incident, this is the date and time when the event last occurred. It may contain the date and time of event registration, or the date and time when the event regenerate counter value increased if the conditions for event registration were repeated during the event regenerate timeout.

endTime
required
string <date-time>

For an event that is not an incident, this is the date and time when the Resolved status was assigned, or the date and time of the event regenerate timeout. For an incident, this is the latest date and time of the end of events that are part of the incident.

totalAppearances
integer <int32> [ 0 .. 2147483647 ] Nullable

For an event that is not an incident, this is the value of the regenerate counter after the event is registered within the event regenerate timeout.

description
string [ 0 .. 32000 ] characters Nullable

Description specified for the event type.

triggeredRuleName
string [ 0 .. 4096 ] characters Nullable

For an event that is not an incident, this is the name of the Process Control rule or Intrusion Detection rule whose triggering caused the registration of the event. For an incident, this is the name of the correlation rule whose triggering caused the registration of the incident.

monitoringPointId
integer <int32> [ 0 .. 65535 ] Nullable

In identifier of the monitoring point whose traffic invoked registration of the event.

mark
integer <int32> [ 0 .. 7 ] Nullable

A numerical value from 0 to 7, which represents a selection of icons that one can set for any event or incident to find events and incidents based on a criterion that is not in the table.

origin
required
string (EventOrigin)
Enum: "Unspecified" "User" "System"
object Nullable

An array of the name-value pairs of the event's additional parameters.

Responses

Request samples

Content type
{
  • "title": "Something happened",
  • "severity": "Warning",
  • "startTime": "2020-10-27T14:32:25Z",
  • "lastSeenTime": "2020-10-27T14:32:26Z",
  • "endTime": "2020-10-27T14:32:26Z",
  • "totalAppearances": 10,
  • "description": "Very long description text",
  • "triggeredRuleName": "Rule name",
  • "monitoringPointId": 1,
  • "mark": 0,
  • "origin": "System",
  • "params": {
    }
}

Response samples

Content type
application/json
{
  • "errorMessage": "Error message text"
}

EventTypes

Defined set of parameters for registering events in Kaspersky Industrial CyberSecurity for Networks. A unique number (event type code) is assigned to each event type. You can get event types from Kaspersky Industrial CyberSecurity for Networks by using the event types api methods.

Get list of event types.

path Parameters
version
required
string

Responses

Response samples

Content type
application/json
[
  • {
    },
  • {
    }
]

Get one event type.

path Parameters
id
required
integer <int64> >= 1

Event type ID.

version
required
string

Responses

Response samples

Content type
application/json
{
  • "eventTypeId": 1,
  • "title": "Incident",
  • "description": "A sequence of events corresponding to the incident was detected.",
  • "severity": "Critical",
  • "technology": "External",
  • "eventRegenerateTimeout": 3000,
  • "trafficKeeping": {
    }
}

MonitoringPoints


Monitoring points are used for receiving and processing industrial network traffic in Kaspersky Industrial CyberSecurity for Networks.
You can get monitoring points from Kaspersky Industrial CyberSecurity for Networks by using monitoring-points api methods.

Query monitoring points dictionary.

path Parameters
version
required
string

Responses

Response samples

Content type
application/json
[
  • {
    }
]

Query single monitoring point.

path Parameters
id
required
integer <int64> >= 1

ID of the queried monitoring point.

version
required
string

Responses

Response samples

Content type
application/json
{
  • "mpId": 12345,
  • "name": "MonitoringPoint1",
  • "nicId": "nic1",
  • "hostId": "sensor1",
  • "enabled": true,
  • "createdTime": "2020-10-27T14:32:25Z",
  • "deletedTime": "2020-10-27T14:32:25Z"
}

ProtocolStacks


Kaspersky Industrial CyberSecurity for Networks uses several dictionaries, including a dictionary of protocols.
You can get protocols from Kaspersky Industrial CyberSecurity for Networks by using protocol-stacks api methods.

Query protocol stacks dictionary.

path Parameters
version
required
string

Responses

Response samples

Content type
application/json
[
  • {
    }
]

Query single protocol stack.

path Parameters
id
required
integer <int64> >= 1

ID of the queried ProtocolStack.

version
required
string

Responses

Response samples

Content type
application/json
{
  • "protocolStackId": 12345,
  • "name": "ModbusTcp",
  • "protocolStackName": "TCP/ModbusTcp",
  • "parentId": 5001,
  • "etherType": 123,
  • "ipType": 345,
  • "customType": "345",
  • "isIndustrial": true,
  • "isActive": true
}

ServerSettings

Provides the capability for a recipient system to query data on the general settings of Kaspersky Industrial CyberSecurity for Networks. You can get server settings from Kaspersky Industrial CyberSecurity for Networks by using the server settings api methods.

Returns information about the locale being used by the product.

path Parameters
version
required
string

Responses

Response samples

Content type
application/json
{
  • "localization": "ru"
}

Tags

Tags are values that describe parameters of an industrial process. For example, a manufacturing process involving. a thermal oxidizer may have temperature, residence time, and turbulence among many other tags.
You can get tags from Kaspersky Industrial CyberSecurity for Networks by using the tags api methods.

Query several tags.

Returns a specified number of tags starting from a certain offset (but not including tag with specified offset). You can specify filtering and paging options for tags. By default, tags are not sorted. You should use {sort} property from argument to specify sort order.
Fields that can be used for filtering:

  • assetName
  • assetId
  • assetAddress
  • group
  • assetProtocolId
  • protocol
  • protocolStackId
  • name
  • id
  • favourite
  • measureUnit
  • origin

Fields that can be used for sorting:
  • id
path Parameters
version
required
string
Request Body schema:

Query argument. This lets you define the parameters for filtering and sorting, the offset and maximum number of events in the returned results.

filter
object Nullable

Filtering parameters. To define a filter in a query, an array of filtering conditions is passed in the filter object:

  1. Each item of this array indicates the name of the field to be used for filtering and the filter conditions.
  2. If no filtering conditions are defined (there is no object filtering array or it is empty), all objects of the specific type are returned.
  3. To configure filtering in a query, the filter object containing an array of conditions is defined. An item of this array can be either a condition or a group of conditions in the form of a conditions array. The maximum nesting of groups is three levels (including the first).
  4. Each condition can have the following parameters:
    • field (required) - object field name from the table of fields of the specific object type in camelCase. Subparameters are indicated after a colon (example - IP address of the source field: "source:ipAddress").
    • condition(optional) - condition for the field value. Supported options:
      • "=" - equals. This is also used if this parameter is not defined.
      • "<>" - does not equal.
      • ">" - the value of field is larger than value. Applicable only to numerical and time values.
      • ">=" - the value of field is larger than or equal to value. Applicable only to numerical and time values.
      • "<" - the value of field is less than value. Applicable only to numerical and time values.
      • "<=" - the value of field is less than or equal to value. Applicable only to numerical and time values.
      • "IsEmpty" - the value of field is empty. Value is ignored.
      • "IsOneOf" - the value of field is empty or is equal to one of the values in the value array. Value contains an array of possible values.
    • value - value or values that are compared.
      • Members of enums are indicated as strings in the English locale without spaces, special characters, or anything indicated in brackets. Examples: "DPI", "Warning", "EngineeringWorkstation".
      • Dates are indicated in ISO_8601 format with full indication of all parts of the date and time. Example: "2020-10-25T17:32:25.707Z".
    • operator - logical operation that merges this condition with other conditions and groups of conditions at the specific level. The operator of the first top-level condition is ignored. The operator of the first condition in a group is considered to be the operator of this group. Supported options:
      • "and" - the condition is added by AND. It is also used if this parameter is not defined.
      • "or" - the condition is added by OR.
    • Parsing of the values of parameters and all comparisons are not case sensitive.
    • If an unsupported parameter value is defined, the "Incorrect parameters" error is returned with the name and value of the parameter.

Example of a simple condition with an AND conjunction.

{
        "query":
        {
            ...
            "filter":
            [
                {
                    "field": "propName3",
                    "condition": "isOneOf",
                    "value": ["DPI", "NIC", "CC"],
                },
                {
                    "field": "propName4",
                    "condition": ">=",
                    "value": "2020-10-27T17:32:25.806Z"
                }
            ]
        }
}

Example of a set of conditions with a nested conditions group in which the conditions are merged by OR, while the top-level conditions are merged by AND:

{
        "query":
        {
            ...
            "filter":
            [
                [
                    {
                        "field": "propName1",
                        "condition": ">=",
                        "value": 10
                    },
                    {
                        "field": "propName1",
                        "value": 1,
                        "operator": "or"
                    }
                ],
                {
                    "field": "propName3",
                    "condition": "isOneOf",
                    "value": ["DPI", "NIC", "CC"]
                },
                {
                    "field": "propName4",
                    "condition": ">=",
                    "value": "2020-10-27T17:32:25.806Z"
                }
            ]
        }     
}
Array of objects (ColumnOrderDto) Nullable

Sorting results. The list of columns that can participate in sorting depends on the type of requested data. A full list is provided in the description of the corresponding paging method.

offset
integer <int32> [ 0 .. 2147483647 ] Nullable

0-based index of the item in the full list where the results must begin. If no offset is specified, the results return the data beginning at the start of the full list.

limit
integer <int32> [ 0 .. 1000 ] Nullable

Maximum number of items in the results. If no limit is specified, the results return all data beginning from the offset or from the start of the list depending on whether an offset is defined.

Responses

Request samples

Content type
{
  • "filter": [
    ],
  • "sort": [
    ],
  • "offset": 200,
  • "limit": 100
}

Response samples

Content type
application/json
{
  • "offset": 200,
  • "limit": 100,
  • "values": [
    ]
}

Query single tag.

path Parameters
id
required
integer <int64> >= 1

ID of the requested event.

version
required
string

Responses

Response samples

Content type
application/json
{
  • "assetId": 2345,
  • "assetName": "Schneider Electric Modicon Momentum",
  • "assetAddress": "1.0.0.0",
  • "group": "Group 1",
  • "protocol": "Modbus TCP",
  • "protocolStackId": 2,
  • "assetProtocolId": 1,
  • "name": "Tag",
  • "id": 1,
  • "favourite": true,
  • "measureUnit": "kgs/cm2",
  • "description": "Tag Description",
  • "address": "{\"area\": \"HoldingRegisters\", \"address\": \"123\"}",
  • "origin": "User",
  • "scaling": {
    },
  • "operativeParameters": "{\"d\":{\"type\":{\"n\":\"ValueType\",\"s\":\"Float\",\"t\":\"e\",\"v\":1},\"value\":{\"t\":\"d\",\"v\":0.14147095680236816,\"x\":1}},\"n\":\"Float\"}",
  • "tagDataType": "Int16"
}

Vulnerabilities


Kaspersky Industrial CyberSecurity for Networks can detect the vulnerabilities of devices. Kaspersky Industrial CyberSecurity for Networks identifies a vulnerability in an asset/device if the specific device is linked to a specific CVE record. One asset can have multiple vulnerabilities.
You can get vulnerabilities from Kaspersky Industrial CyberSecurity for Networks by using the vulnerabilities api methods.

Query several vulnerability entries.

Returns a specified number of vulnerability entries starting from a certain offset (but not including entry with specified offset). You can specify filtering and paging options for vulnerability entries. By default, vulnerability entries are not sorted. You should use {sort} property from argument to specify sort order.
Fields that can be used for filtering:

  • cveId
  • cvsScore
  • state
  • description
  • assetGroup
  • assetName
  • assetAddress
  • firstDetected
  • lastDetected
  • published
  • attackConditions
  • impact
  • vector

Fields that can be used for sorting:
  • assetVulnerabilityId
path Parameters
version
required
string
Request Body schema:

Query argument. This lets you define the parameters for filtering and sorting, the offset and maximum number of events in the returned results.

filter
object Nullable

Filtering parameters. To define a filter in a query, an array of filtering conditions is passed in the filter object:

  1. Each item of this array indicates the name of the field to be used for filtering and the filter conditions.
  2. If no filtering conditions are defined (there is no object filtering array or it is empty), all objects of the specific type are returned.
  3. To configure filtering in a query, the filter object containing an array of conditions is defined. An item of this array can be either a condition or a group of conditions in the form of a conditions array. The maximum nesting of groups is three levels (including the first).
  4. Each condition can have the following parameters:
    • field (required) - object field name from the table of fields of the specific object type in camelCase. Subparameters are indicated after a colon (example - IP address of the source field: "source:ipAddress").
    • condition(optional) - condition for the field value. Supported options:
      • "=" - equals. This is also used if this parameter is not defined.
      • "<>" - does not equal.
      • ">" - the value of field is larger than value. Applicable only to numerical and time values.
      • ">=" - the value of field is larger than or equal to value. Applicable only to numerical and time values.
      • "<" - the value of field is less than value. Applicable only to numerical and time values.
      • "<=" - the value of field is less than or equal to value. Applicable only to numerical and time values.
      • "IsEmpty" - the value of field is empty. Value is ignored.
      • "IsOneOf" - the value of field is empty or is equal to one of the values in the value array. Value contains an array of possible values.
    • value - value or values that are compared.
      • Members of enums are indicated as strings in the English locale without spaces, special characters, or anything indicated in brackets. Examples: "DPI", "Warning", "EngineeringWorkstation".
      • Dates are indicated in ISO_8601 format with full indication of all parts of the date and time. Example: "2020-10-25T17:32:25.707Z".
    • operator - logical operation that merges this condition with other conditions and groups of conditions at the specific level. The operator of the first top-level condition is ignored. The operator of the first condition in a group is considered to be the operator of this group. Supported options:
      • "and" - the condition is added by AND. It is also used if this parameter is not defined.
      • "or" - the condition is added by OR.
    • Parsing of the values of parameters and all comparisons are not case sensitive.
    • If an unsupported parameter value is defined, the "Incorrect parameters" error is returned with the name and value of the parameter.

Example of a simple condition with an AND conjunction.

{
        "query":
        {
            ...
            "filter":
            [
                {
                    "field": "propName3",
                    "condition": "isOneOf",
                    "value": ["DPI", "NIC", "CC"],
                },
                {
                    "field": "propName4",
                    "condition": ">=",
                    "value": "2020-10-27T17:32:25.806Z"
                }
            ]
        }
}

Example of a set of conditions with a nested conditions group in which the conditions are merged by OR, while the top-level conditions are merged by AND:

{
        "query":
        {
            ...
            "filter":
            [
                [
                    {
                        "field": "propName1",
                        "condition": ">=",
                        "value": 10
                    },
                    {
                        "field": "propName1",
                        "value": 1,
                        "operator": "or"
                    }
                ],
                {
                    "field": "propName3",
                    "condition": "isOneOf",
                    "value": ["DPI", "NIC", "CC"]
                },
                {
                    "field": "propName4",
                    "condition": ">=",
                    "value": "2020-10-27T17:32:25.806Z"
                }
            ]
        }     
}
Array of objects (ColumnOrderDto) Nullable

Sorting results. The list of columns that can participate in sorting depends on the type of requested data. A full list is provided in the description of the corresponding paging method.

offset
integer <int32> [ 0 .. 2147483647 ] Nullable

0-based index of the item in the full list where the results must begin. If no offset is specified, the results return the data beginning at the start of the full list.

limit
integer <int32> [ 0 .. 1000 ] Nullable

Maximum number of items in the results. If no limit is specified, the results return all data beginning from the offset or from the start of the list depending on whether an offset is defined.

Responses

Request samples

Content type
{
  • "filter": [
    ],
  • "sort": [
    ],
  • "offset": 200,
  • "limit": 100
}

Response samples

Content type
application/json
{
  • "offset": 200,
  • "limit": 100,
  • "values": [
    ]
}

Query single vulnerability.

path Parameters
id
required
integer <int64> >= 1

ID of the queried vulnerability.

version
required
string

Responses

Response samples

Content type
application/json
{
  • "assetVulnerabilityId": 12345,
  • "cveId": "CVE-2020-1234",
  • "cvsScore": 5.9,
  • "state": "Active",
  • "description": "Very long description text",
  • "assetGroup": "Group / Subgroup",
  • "assetName": "Asset 1",
  • "assetAddress": "192.168.0.1",
  • "assetId": 5678,
  • "firstDetected": "2020-10-27T14:32:25Z",
  • "lastDetected": "2020-10-27T14:32:25Z",
  • "published": "2020-10-27T14:32:25Z",
  • "attackConditions": "Attack conditions text",
  • "impact": "Some impact",
  • "vector": "Vector text",
  • "mitigations": [
    ],
  • "references": [
    ],
  • "cveEvents": [
    ],
  • "matchedCpes": [
    ],
  • "events": [
    ],
  • "otherAssets": [
    ]
}