KSC Open API
Kaspersky Security Center API description
Full-text search is supported on certain unstructured text attributes, such as the “description” and “comments” attributes of a host, and the “event description”, “event type name”, and “event task display name” attributes of an event, among others.
Full-text search uses a full-text query. A full-text query is a series of clauses separated by spaces and special words.
Full-text search supports single and multiple character wildcard searches within single terms. To perform a single character wildcard search, use the "?" symbol. To perform a multiple character wildcard search, use the "*" symbol. A single character wildcard matches terms in which exactly one character stands at that position; a multiple character wildcard matches 0 or more characters. A wildcard can also be used in the middle of a term.
Example:
te?t
test*
te*t
As indicated above, a full-text query is a series of clauses separated by spaces and special words. Special words are AND (&&), OR (||), and NOT, which are used as logical operations to make a complex query. They must be uppercase.
Clauses may be prefixed by a plus (+) or a minus (-) sign, indicating that the clause is required or prohibited, respectively.
Examples (the forms listed on one line are equivalent):
samba suse  =  samba OR suse  =  samba || suse
+samba +suse  =  samba && suse  =  samba AND suse
myhost -samba -suse
An alternative syntax is also possible: each word inside a quoted part of the string is treated as if it had a ‘+’ sign in front of it. So, text (with quotes!) like the following:
"samba suse"
is equivalent to:
+samba +suse
When using full-text search syntax with a quoted string inside a "Search filter" (see Search filter syntax), you must escape the quotes.
Example: find hosts whose display name starts with A and whose host comment contains the words `samba` and `suse`:
(&(KLHST_WKS_DN="A*")(KLHST_WKS_COMMENT="+samba +suse")) is equivalent to the Search filter with escaped quotes: (&(KLHST_WKS_DN="A*")(KLHST_WKS_COMMENT="""samba suse"""))
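The following Python helper is an added example and is not part of the KSC Open API or its documentation. It models the query semantics described above (wildcards, +/-, AND/&&, OR/||, NOT, quoted words) as a simplified client-side matcher without parentheses or nesting, and builds a Search filter string using the quote-doubling escape shown in the example; the function names and the matching rules are assumptions drawn from this page, not the server's implementation.

```python
import re

SPECIAL = {"AND", "&&", "OR", "||", "NOT"}

def wildcard_to_regex(term):
    """Turn one term with ? (exactly one char) and * (zero or more chars) into a whole-word regex."""
    body = "".join(r"\S" if c == "?" else r"\S*" if c == "*" else re.escape(c) for c in term)
    return re.compile(r"(?<!\S)" + body + r"(?!\S)", re.IGNORECASE)

def parse_query(query):
    """Sort clauses into (required, prohibited, optional) term lists.

    Assumed rules, taken from the page: each word in a quoted part is required
    (like a leading '+'); '-' or a preceding NOT prohibits a term; '+' or an
    adjacent AND/&& requires it; anything else (including OR/||) is optional.
    """
    required, prohibited, optional = [], [], []
    def quoted(match):                      # "samba suse"  ->  +samba +suse
        required.extend(match.group(1).split())
        return " "
    tokens = re.sub(r'"([^"]*)"', quoted, query).split()
    for i, tok in enumerate(tokens):
        if tok in SPECIAL:
            continue
        prev_tok = tokens[i - 1] if i > 0 else ""
        next_tok = tokens[i + 1] if i + 1 < len(tokens) else ""
        if tok.startswith("-") or prev_tok == "NOT":
            prohibited.append(tok.lstrip("-"))
        elif tok.startswith("+") or {prev_tok, next_tok} & {"AND", "&&"}:
            required.append(tok.lstrip("+"))
        else:
            optional.append(tok)
    return required, prohibited, optional

def matches(query, text):
    """True when text satisfies the query: no prohibited term present, every
    required term present, and, if nothing is required, at least one optional term."""
    required, prohibited, optional = parse_query(query)
    if any(wildcard_to_regex(t).search(text) for t in prohibited):
        return False
    if not all(wildcard_to_regex(t).search(text) for t in required):
        return False
    return bool(required) or any(wildcard_to_regex(t).search(text) for t in optional)

def search_filter(dn_pattern, comment_query):
    """Build the Search filter; a quote inside a value is escaped by doubling it,
    as in the page's example (assumed to be the general escaping rule)."""
    escaped = comment_query.replace('"', '""')
    return f'(&(KLHST_WKS_DN="{dn_pattern}")(KLHST_WKS_COMMENT="{escaped}"))'
```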