Request for querying event information
September 6, 2024
ID 248951
To create a request for getting information about events, the HTTP GET method is used.
You can set the parameters for executing a cURL command by using additional switches (see the table below).
Please refer to the cURL documentation for more information about cURL command switches.
On the first request, Kaspersky Anti Targeted Attack Platform creates a ContinuationToken (hereinafter also referred to as the "token") and sends the events that are available in the system at the moment the token is created. Each subsequent request creates a new token, and the application sends the events that are available at the moment that token is created.
The token records which data were transmitted last. To receive only the events recorded after your last request, save the returned token and pass it in the next request.
Command syntax
For the first request:
curl --cert <path to the TLS certificate file> --key <path to the private key file> -X GET "<URL of the server with the Central Node component>:<port, 443 by default>/kata/events_api/v1/<external_system_id>/events"
If the request is processed successfully, information about the requested events and the token value are returned.
For subsequent requests:
curl --cert <path to the TLS certificate file> --key <path to the private key file> -X GET "<URL of the server with the Central Node component>:<port, 443 by default>/kata/events_api/v1/<external_system_id>/events?continuation_token=<token value received by the first request>"
If the request is processed successfully, information about the events received since the last request is returned, together with a new token value.
You can also limit the maximum collection time and the number of events, and pass event filtering parameters:
curl --cert <path to the TLS certificate file> --key <path to the private key file> -X GET "<URL of the server with the Central Node component>:<port, 443 by default>/kata/events_api/v1/<external_system_id>/events?filter=<event filter>&max_timeout=<maximum event collection time>&max_events=<maximum number of events>&continuation_token=<token value received by the first request>"
If you specified the filter parameter in the first request, you do not have to specify it in subsequent requests: the filtering parameters are saved from the previous request and are reused if no new ones are passed. If you do not want to use filtering, do not specify the parameter at all.
Settings
Parameter | Type | Description |
---|---|---|
external_system_id | UUID | Unique ID of the external system used for authorization in Kaspersky Anti Targeted Attack Platform. |
filter | string | Event filtering settings, written in the event query language. |
max_timeout | int | Maximum event collection time, in the format PT<integer value>S (for example, PT300S). The server sends information about the events collected during the specified time. The default value is 5 minutes and is used unless a different value is specified in the request. The maximum event collection time may not exceed 5 minutes; if you specify a larger value, the Central Node server returns an error. The actual time you wait for the response may be longer than the collection time. |
max_events | int | Maximum number of events. If no value is specified in the request, Kaspersky Anti Targeted Attack Platform calculates it from the number of hosts on which the Endpoint Agent component is installed. Examples of values for typical configurations: The value specified in the request must not exceed these limits. |
continuation_token | string | Value of the token received from the previous request. |
Example of entering commands with parameters
If parameter values contain special characters (for example, spaces, quotation marks or an ampersand in a filter expression), you must URL-encode them or pass them with the --data-urlencode option. Note that --data-urlencode by itself makes cURL send the value in the request body; combine it with -G (--get) so that cURL appends the encoded value to the URL as a query string, which is what this GET endpoint expects.
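The full polling cycle described above (first request without a token, saving the returned token, reusing it on subsequent requests, URL-encoding the filter and rejecting an out-of-range max_timeout before the server does), as an added example in Python rather than a cURL one-liner, so that the token state survives between calls. This is illustration code, not part of the original page or of Kaspersky's own tooling. It assumes the response JSON carries the events under "events" and the token under "continuation_token" (the page does not show the body; adjust the two field names to what your Central Node actually returns), and the filter expression and UUID used in the usage section are made up.

```python
"""Stateful client for the KATA events API: keeps the ContinuationToken between polls."""
import json
import re
import ssl
import urllib.parse
import urllib.request
from typing import Callable, Optional

# Assumed response field names; the page does not show the JSON body.
TOKEN_FIELD = "continuation_token"
EVENTS_FIELD = "events"

MAX_TIMEOUT_RE = re.compile(r"^PT(\d+)S$")
MAX_TIMEOUT_SECONDS = 300  # documented ceiling: 5 minutes


def validate_max_timeout(value: str) -> str:
    """Reject max_timeout values the Central Node would answer with an error."""
    m = MAX_TIMEOUT_RE.match(value)
    if not m:
        raise ValueError(f"max_timeout must look like PT<seconds>S, got {value!r}")
    if int(m.group(1)) > MAX_TIMEOUT_SECONDS:
        raise ValueError(f"max_timeout may not exceed PT{MAX_TIMEOUT_SECONDS}S, got {value!r}")
    return value


def build_events_url(base_url: str, external_system_id: str, *,
                     filter_expr: Optional[str] = None,
                     max_timeout: Optional[str] = None,
                     max_events: Optional[int] = None,
                     continuation_token: Optional[str] = None) -> str:
    """Assemble the GET URL; every query value is percent-encoded by urlencode()."""
    path = f"{base_url.rstrip('/')}/kata/events_api/v1/{external_system_id}/events"
    params = {}
    if filter_expr is not None:
        params["filter"] = filter_expr
    if max_timeout is not None:
        params["max_timeout"] = validate_max_timeout(max_timeout)
    if max_events is not None:
        params["max_events"] = str(max_events)
    if continuation_token is not None:
        params["continuation_token"] = continuation_token
    return path + ("?" + urllib.parse.urlencode(params) if params else "")


class EventsClient:
    """Each poll() sends the token saved from the previous poll, so only new events come back."""

    def __init__(self, base_url: str, external_system_id: str,
                 cert_file: Optional[str] = None, key_file: Optional[str] = None,
                 transport: Optional[Callable[[str], bytes]] = None):
        self.base_url = base_url
        self.external_system_id = external_system_id
        self.token: Optional[str] = None  # no token yet: first request returns everything
        if transport is None:
            ctx = ssl.create_default_context()
            ctx.load_cert_chain(cert_file, key_file)  # client certificate + private key (mTLS)
            opener = urllib.request.build_opener(urllib.request.HTTPSHandler(context=ctx))
            # The server may hold the request for the whole collection window (and a bit
            # longer), so the socket timeout has to exceed the 5-minute maximum.
            transport = lambda url: opener.open(url, timeout=MAX_TIMEOUT_SECONDS + 60).read()
        self._transport = transport  # injectable so the flow can be exercised offline

    def poll(self, *, filter_expr: Optional[str] = None, max_timeout: Optional[str] = None,
             max_events: Optional[int] = None) -> list:
        url = build_events_url(self.base_url, self.external_system_id,
                               filter_expr=filter_expr, max_timeout=max_timeout,
                               max_events=max_events, continuation_token=self.token)
        body = json.loads(self._transport(url))
        self.token = body[TOKEN_FIELD]  # persist it: the next poll continues from here
        return body.get(EVENTS_FIELD, [])


if __name__ == "__main__":
    # Usage against a real Central Node (paths and filter are placeholders):
    client = EventsClient("https://central-node.example:443",
                          "11111111-2222-3333-4444-555555555555",
                          cert_file="client.crt", key_file="client.key")
    first = client.poll(filter_expr='EventType = "process"', max_timeout="PT300S", max_events=100)
    later = client.poll()  # filter is retained server-side; only the token is sent
    print(len(first), len(later), client.token)
```

The filter is sent only on the first poll because the page states that the Central Node keeps the previous request's filtering parameters; if you want to change or drop the filter later, pass a new filter_expr explicitly. Persist client.token somewhere durable (a file, a database row) if the collector process can restart, otherwise the next run re-fetches the whole backlog.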
Example of commands with URL-encoded parameters
Example of commands with parameters that use the --data-urlencode option
Response
HTTP code: 200
Format: JSON
Returned value
Return code | Description |
---|---|
| | Incorrect parameters. |
| | Authorization required. |
| | Internal server error. Repeat the request later. |