Using Kaspersky Anti Targeted Attack Platform API NDR
The REST API server, which provides access to the NDR functionality to external systems, runs on the Central Node server and processes requests using the REST (Representational State Transfer) architectural style. Requests to the REST API server are made using HTTPS. You can configure the REST API server under Settings → Connection Servers (including replacing the default self-signed certificate with a trusted certificate).
The JSON format is used to represent data in requests and responses.
The documentation containing descriptions of requests based on the REST architectural style is published as an Online Help Guide on the Kaspersky Online Help page. This documentation is a developer guide in English. The developer guide also provides sample code and detailed descriptions of callable elements that are available in requests sent to the REST API server.
Open the documentation describing requests to the REST API server, version 3
Open the documentation describing requests to the REST API server, version 4
External systems can use Kaspersky Anti Targeted Attack Platform API to:
- Receive information about devices known to the application.
- Add, modify, and delete devices.
- Receive information about registered network traffic events (NDR events).
- Send NDR events to Kaspersky Anti Targeted Attack Platform (the system event type with code 4000005400 is used for registering the events).
- Receive information about detected vulnerabilities.
- Receive application messages and audit records.
- Receive information about allow rules.
- Enable, disable, and delete allow rules.
- Receive information about risks associated with devices.
- Receive information about address spaces.
- Send the network topology map report to Kaspersky Anti Targeted Attack Platform.
- Send, receive, and delete information about users on devices.
- Send and receive information about applications and patches on devices.
- Send and delete information about executable files on devices.
- Send the contents of the device logs.
- Receive the following application data:
- List of servers with application components
- List of monitoring points and their parameters
- List of supported protocol stacks and their parameters
- List of NDR event types and their parameters
- Current state and operating mode of technologies
- Application version and release dates of the installed updates
- Information about the added license key
- Application localization language
All of the listed actions are available when making requests to the REST API server version 4. Some of these actions are not supported when making requests to the REST API server version 3.
External systems using the Kaspersky Anti Targeted Attack Platform API connect to the Central Node component via connectors. Connectors use certificates for a secure connection. For each external system that you want to send requests to the REST API server, you need to create a separate connector in Kaspersky Anti Targeted Attack Platform.
The external system must use an authentication token to connect to Kaspersky Anti Targeted Attack Platform. Kaspersky Anti Targeted Attack Platform issues an authentication token at the request of an external system and token uses the certificates of the connector that was created for this system. The authentication token remains valid for 10 hours. The external system can renew the authentication token by special request.
Documentation containing a description of queries for authentication token operations is published as an Online Help Guide on the Kaspersky Online Help page. This documentation is a developer guide in English.
Open the documentation describing queries for authentication token operations, version 3.0
Open the documentation describing queries for authentication token operations, version 4
Kaspersky Anti Targeted Attack Platform API allows interacting with external systems in the following ways:
- Interaction based on the REST architectural style
- Interaction over the WebSocket protocol
External systems can use the WebSocket protocol for interaction in the Kaspersky Anti Targeted Attack Platform API to create subscriptions to modified values received by the application.