Kaspersky Industrial CyberSecurity for Networks Public API (v4)

Download OpenAPI specification:Download

Public API for external connectors

Authentication

Bearer authentication

All API methods must include the access token used to authenticate and authorize calls in the request header. Specifying an access token in a URI is not supported. Not specifying an access token in these cases results in a returned 401 error code.

Security Scheme Type	HTTP
HTTP Authorization Scheme	bearer
Bearer format	"JWT"

About

Product information - Kaspersky Industrial CyberSecurity for Networks release version and list of installed components and their versions.
You can get product version and component info from Kaspersky Industrial CyberSecurity for Networks by using the about API methods.

Get information about the Kaspersky Industrial CyberSecurity for Networks version.

path Parameters

version

required

string

Responses

Response samples

200

Content type

application/json

{"version": "4.0.0.343",
"updateableComponents": [{"type": "Icr",
"releaseTime": "2022-08-21T23:00:07"
},
{"type": "Idsir",
"releaseTime": "2022-08-21T23:00:07"
}
]
}

AddressSpaces

Provides the capability for a recipient system to query information about single or multiple address spaces.

Query several address spaces.

Returns a specified number of address spaces starting from a certain offset (but not including address spaces with specified offset). You can specify filtering and paging options for address spaces. By default, address spaces are not sorted. You should use {sort} property from argument to specify sort order.
Fields that can be used for filtering:

id
name
readOnly
rules:id
rules:vlanType
rules:subnetType
rules:subnetType
rules:subnets:from
rules:subnets:to
rules:vlans:from
rules:vlans:to
rules:monitoringPoints:id
rules:connectors:id
rules:eppProxyNodes:id

Fields that can be used for sorting:

id

path Parameters

version

required

string

Request Body schema:
application/json-patch+json
application/json-patch+json
application/json
text/json
application/*+json

Query argument. This lets you define the parameters for filtering and sorting, the offset and maximum number of address spaces in the returned results.

filter	object Nullable Filtering parameters. To define a filter in a query, an array of filtering conditions is passed in the filter object: Each item of this array indicates the name of the field to be used for filtering and the filter conditions. If no filtering conditions are defined (there is no object filtering array or it is empty), all objects of the specific type are returned. To configure filtering in a query, the filter object containing an array of conditions is defined. An item of this array can be either a condition or a group of conditions in the form of a conditions array. The maximum nesting of groups is three levels (including the first). Each condition can have the following parameters: field (required) - object field name from the table of fields of the specific object type in camelCase. Subparameters are indicated after a colon (example - IP address of the source field: "source:ipAddress"). condition(optional) - condition for the field value. Supported options: "=" - equals. This is also used if this parameter is not defined. "<>" - does not equal. ">" - the value of field is larger than value. Applicable only to numerical and time values. ">=" - the value of field is larger than or equal to value. Applicable only to numerical and time values. "<" - the value of field is less than value. Applicable only to numerical and time values. "<=" - the value of field is less than or equal to value. Applicable only to numerical and time values. "IsEmpty" - the value of field is empty. Value is ignored. "IsOneOf" - the value of field is empty or is equal to one of the values in the value array. Value contains an array of possible values. value - value or values that are compared. Members of enums are indicated as strings in the English locale without spaces, special characters, or anything indicated in brackets. Examples: "DPI", "Warning", "EngineeringWorkstation". Dates are indicated in ISO_8601 format with full indication of all parts of the date and time. Example: "2020-10-25T17:32:25.707Z". operator - logical operation that merges this condition with other conditions and groups of conditions at the specific level. The operator of the first top-level condition is ignored. The operator of the first condition in a group is considered to be the operator of this group. Supported options: "and" - the condition is added by AND. It is also used if this parameter is not defined. "or" - the condition is added by OR. Parsing of the values of parameters and all comparisons are not case sensitive. If an unsupported parameter value is defined, the "Incorrect parameters" error is returned with the name and value of the parameter. Example of a simple condition with an AND conjunction. { "query": { ... "filter": [ { "field": "propName3", "condition": "isOneOf", "value": ["DPI", "NIC", "CC"], }, { "field": "propName4", "condition": ">=", "value": "2020-10-27T17:32:25.806Z" } ] } } Example of a set of conditions with a nested conditions group in which the conditions are merged by OR, while the top-level conditions are merged by AND: { "query": { ... "filter": [ [ { "field": "propName1", "condition": ">=", "value": 10 }, { "field": "propName1", "value": 1, "operator": "or" } ], { "field": "propName3", "condition": "isOneOf", "value": ["DPI", "NIC", "CC"] }, { "field": "propName4", "condition": ">=", "value": "2020-10-27T17:32:25.806Z" } ] } }
	Array of objects (ColumnOrderDto) Nullable Sorting results. The list of columns that can participate in sorting depends on the type of requested data. A full list is provided in the description of the corresponding paging method.
offset	integer <int32> [ 0 .. 2147483647 ] Nullable 0-based index of the item in the full list where the results must begin. If no offset is specified, the results return the data beginning at the start of the full list.
limit	integer <int32> [ 0 .. 1000 ] Nullable Maximum number of items in the results. If no limit is specified, the results return all data beginning from the offset or from the start of the list depending on whether an offset is defined.

Responses

Request samples

Payload

Content type

{"filter": [{"field": "Id",
"condition": ">",
"value": 12370
},
{"field": "ReadOnly",
"condition": "=",
"value": false
}
],
"sort": [{"column": "Id",
"direction": "Asc",
"nullsBehaviour": null
}
],
"offset": 200,
"limit": 100
}

Response samples

200

Content type

application/json

{"offset": 200,
"limit": 100,
"values": [{"id": 123456,
"name": "AddressSpace1",
"description": "AddressSpace1 description",
"readOnly": false,
"rules": [{"id": 2323,
"description": "AddressSpaceRule description",
"vlanType": "SpecificVlans",
"subnetType": "L2AndL3",
"trafficSource": "MonitoringPoints",
"subnets": [{"from": "192.168.0.1",
"to": "192.168.0.100"
},
{"from": "10.16.0.0/16",
"to": null
}
],
"vlans": [{"from": 1,
"to": 10
}
],
"monitoringPoints": [{"id": 1
}
],
"eppProxyNodes": null,
"activePollingConnectors": null
}
]
}
]
}

Query single address space.

path Parameters

id required	integer <int64> >= 0 ID of the requested address space.
version required	string

Responses

Response samples

200

Content type

application/json

{"id": 123456,
"name": "string",
"description": "string",
"readOnly": true,
"rules": [{"id": 123456,
"description": "string",
"vlanType": "AnyVlanOrNoVlanTagged",
"subnetType": "L2Only",
"trafficSource": "MonitoringPoints",
"subnets": [{"from": "string",
"to": "string"
}
],
"vlans": [{"from": 0,
"to": 0
}
],
"monitoringPoints": [{"id": 123456
}
],
"eppProxyNodes": [{"eppProxyId": 0
}
],
"activePollingConnectors": [{"id": 0
}
]
}
]
}

AllowRules

Allowing rules can be of the following types:

ruleType=Event - rules of this type are necessary for reducing the number of repeated events that do not require operator attention in Kaspersky Industrial CyberSecurity for Networks
ruleType=Nic - rules of this type are necessary for whitewashing of network communications using a specific protocol
ruleType=CommandControl - rules of this type are necessary for whitewashing certain system commands

You can get allowing rules from Kaspersky Industrial CyberSecurity for Networks by using the allowing rules API methods.

Query single allowing rule.

path Parameters

id required	integer <int64> >= 1 ID of the requested allowing rule.
version required	string

Responses

Response samples

200

Content type

application/json

{"commands": "ADD; CHECKPOINT LOAD; CHECKPOINT LOAD FINISH; CHECKPOINT LOAD INIT - RESPONSE; CHECKPOINT LOAD STOP",
"protocols": "Foxboro FCP280/FCP270 - device interaction",
"isDpiDetectable": false,
"addressType": "Ip",
"timestampCreated": "2020-10-26T10:15:06",
"timestampModified": "2020-10-26T11:15:06",
"monitoringPoint": "",
"monitoringPointTimestampDeleted": null,
"id": 12369,
"isActive": true,
"ruleType": "Nic",
"side1": {"macAddressRanges": [{"from": "ff:ff:ff:ff:ff:ff",
"to": "ff:ff:ff:ff:ff:ff"
}
],
"ipAddressRanges": [{"from": "1.1.1.1",
"to": "1.1.1.10"
}
],
"portAddressRanges": [{"from": 8000,
"to": 8080
}
],
"ipAddressSpaceIds": [123,
567,
892
],
"macAddressSpaceIds": [233,
577
]
},
"side2": {"macAddressRanges": [{"from": "00:50:56:ac:b5:32",
"to": "00:50:56:ac:b5:45"
}
],
"ipAddressRanges": [{"from": "1.1.1.1",
"to": "1.1.1.10"
},
{"from": "1.1.12.1",
"to": "1.1.12.10"
}
],
"portAddressRanges": [ ],
"ipAddressSpaceIds": [0
],
"macAddressSpaceIds": [0
]
},
"comment": "",
"isAutoGenerated": true,
"eventType": "",
"eventTypeId": 0,
"triggeredRule": ""
}

Edit existing allowing rule.

You can edit allowing rule data in Kaspersky Industrial CyberSecurity for Networks by using this API.

path Parameters

id required	integer <int64> >= 1 ID of the edited allowing rule.
version required	string

Request Body schema:
application/json-patch+json
application/json-patch+json
application/json
text/json
application/*+json

Parameters of the edited allowing rule:

IsActive

isActive

required

boolean

State of activity of allowing rule.

Responses

Request samples

Payload

Content type

{"isActive": true
}

Remove existing allowing rule.

You can remove allowing rules from Kaspersky Industrial CyberSecurity for Networks by using this API.

path Parameters

id required	integer <int64> >= 1 ID of the removed allowing rule.
version required	string

Responses

Query several allowing rules.

Returns a specified number of allowing rules starting from a certain offset (but not including rules with specified offset). You can specify filtering and paging options for rules. By default, allowing rules are not sorted. You should use {sort} property from argument to specify sort order.
Fields that can be used for filtering:

Id
IsActive
RuleType
Commands
Protocols
TimestampCreated
TimestampModified
TriggeredRule
MonitoringPoint
EventType
IsAutoGenerated

Fields that can be used for sorting:

Id

path Parameters

version

required

string

Request Body schema:
application/json-patch+json
application/json-patch+json
application/json
text/json
application/*+json

Query argument. This lets you define the parameters for filtering and sorting, the offset and maximum number of allowing rules in the returned results.

filter	object Nullable Filtering parameters. To define a filter in a query, an array of filtering conditions is passed in the filter object: Each item of this array indicates the name of the field to be used for filtering and the filter conditions. If no filtering conditions are defined (there is no object filtering array or it is empty), all objects of the specific type are returned. To configure filtering in a query, the filter object containing an array of conditions is defined. An item of this array can be either a condition or a group of conditions in the form of a conditions array. The maximum nesting of groups is three levels (including the first). Each condition can have the following parameters: field (required) - object field name from the table of fields of the specific object type in camelCase. Subparameters are indicated after a colon (example - IP address of the source field: "source:ipAddress"). condition(optional) - condition for the field value. Supported options: "=" - equals. This is also used if this parameter is not defined. "<>" - does not equal. ">" - the value of field is larger than value. Applicable only to numerical and time values. ">=" - the value of field is larger than or equal to value. Applicable only to numerical and time values. "<" - the value of field is less than value. Applicable only to numerical and time values. "<=" - the value of field is less than or equal to value. Applicable only to numerical and time values. "IsEmpty" - the value of field is empty. Value is ignored. "IsOneOf" - the value of field is empty or is equal to one of the values in the value array. Value contains an array of possible values. value - value or values that are compared. Members of enums are indicated as strings in the English locale without spaces, special characters, or anything indicated in brackets. Examples: "DPI", "Warning", "EngineeringWorkstation". Dates are indicated in ISO_8601 format with full indication of all parts of the date and time. Example: "2020-10-25T17:32:25.707Z". operator - logical operation that merges this condition with other conditions and groups of conditions at the specific level. The operator of the first top-level condition is ignored. The operator of the first condition in a group is considered to be the operator of this group. Supported options: "and" - the condition is added by AND. It is also used if this parameter is not defined. "or" - the condition is added by OR. Parsing of the values of parameters and all comparisons are not case sensitive. If an unsupported parameter value is defined, the "Incorrect parameters" error is returned with the name and value of the parameter. Example of a simple condition with an AND conjunction. { "query": { ... "filter": [ { "field": "propName3", "condition": "isOneOf", "value": ["DPI", "NIC", "CC"], }, { "field": "propName4", "condition": ">=", "value": "2020-10-27T17:32:25.806Z" } ] } } Example of a set of conditions with a nested conditions group in which the conditions are merged by OR, while the top-level conditions are merged by AND: { "query": { ... "filter": [ [ { "field": "propName1", "condition": ">=", "value": 10 }, { "field": "propName1", "value": 1, "operator": "or" } ], { "field": "propName3", "condition": "isOneOf", "value": ["DPI", "NIC", "CC"] }, { "field": "propName4", "condition": ">=", "value": "2020-10-27T17:32:25.806Z" } ] } }
	Array of objects (ColumnOrderDto) Nullable Sorting results. The list of columns that can participate in sorting depends on the type of requested data. A full list is provided in the description of the corresponding paging method.
offset	integer <int32> [ 0 .. 2147483647 ] Nullable 0-based index of the item in the full list where the results must begin. If no offset is specified, the results return the data beginning at the start of the full list.
limit	integer <int32> [ 0 .. 1000 ] Nullable Maximum number of items in the results. If no limit is specified, the results return all data beginning from the offset or from the start of the list depending on whether an offset is defined.

Responses

Request samples

Payload

Content type

{"filter": [{"field": "Id",
"condition": ">",
"value": 12370
},
{"field": "EventType",
"condition": "=",
"value": "Nic"
}
],
"sort": [{"column": "Id",
"direction": "Asc",
"nullsBehaviour": null
}
],
"offset": 200,
"limit": 100
}

Response samples

200

Content type

application/json

{"offset": 200,
"limit": 100,
"values": [{"commands": "ADD; CHECKPOINT LOAD; CHECKPOINT LOAD FINISH; CHECKPOINT LOAD INIT - RESPONSE; CHECKPOINT LOAD STOP",
"protocols": "Foxboro FCP280/FCP270 - device interaction",
"isDpiDetectable": false,
"addressType": "Ip",
"timestampCreated": "2020-10-26T10:15:06",
"timestampModified": "2020-10-26T11:15:06",
"monitoringPoint": "",
"monitoringPointTimestampDeleted": null,
"id": 12371,
"isActive": true,
"ruleType": "Nic",
"side1": {"macAddressRanges": [{"from": "ff:ff:ff:ff:ff:ff",
"to": "ff:ff:ff:ff:ff:ff"
}
],
"ipAddressRanges": [{"from": "1.1.1.1",
"to": "1.1.1.10"
}
],
"portAddressRanges": [{"from": 8000,
"to": 8080
}
],
"ipAddressSpaceIds": [123,
567,
892
],
"macAddressSpaceIds": [233,
577
]
},
"side2": {"macAddressRanges": [{"from": "00:50:56:ac:b5:32",
"to": "00:50:56:ac:b5:45"
}
],
"ipAddressRanges": [{"from": "1.1.1.1",
"to": "1.1.1.10"
},
{"from": "1.1.12.1",
"to": "1.1.12.10"
}
],
"portAddressRanges": [ ],
"ipAddressSpaceIds": [0
],
"macAddressSpaceIds": [0
]
},
"comment": "",
"isAutoGenerated": true,
"eventType": "",
"eventTypeId": 0,
"triggeredRule": ""
}
]
}

ApplicationMessages

The application message log stores information about errors in application operation and about errors in operations performed by system processes of Kaspersky Industrial CyberSecurity for Networks.
You can get application messages from Kaspersky Industrial CyberSecurity for Networks by using the application messages API methods.

Query several application messages.

Returns a specified number of application messages starting from a certain offset (but not including application message with specified offset). You can specify filtering and paging options for application messages. By default, application messages are not sorted. You should use {sort} property from argument to specify sort order.
Fields that can be used for filtering:

id
date
status
node
systemProcess
descriptionId

Fields that can be used for sorting:

id

path Parameters

version

required

string

Request Body schema:
application/json-patch+json
application/json-patch+json
application/json
text/json
application/*+json

Query argument. This lets you define the parameters for filtering and sorting, the offset and maximum number of events in the returned results.

filter	object Nullable Filtering parameters. To define a filter in a query, an array of filtering conditions is passed in the filter object: Each item of this array indicates the name of the field to be used for filtering and the filter conditions. If no filtering conditions are defined (there is no object filtering array or it is empty), all objects of the specific type are returned. To configure filtering in a query, the filter object containing an array of conditions is defined. An item of this array can be either a condition or a group of conditions in the form of a conditions array. The maximum nesting of groups is three levels (including the first). Each condition can have the following parameters: field (required) - object field name from the table of fields of the specific object type in camelCase. Subparameters are indicated after a colon (example - IP address of the source field: "source:ipAddress"). condition(optional) - condition for the field value. Supported options: "=" - equals. This is also used if this parameter is not defined. "<>" - does not equal. ">" - the value of field is larger than value. Applicable only to numerical and time values. ">=" - the value of field is larger than or equal to value. Applicable only to numerical and time values. "<" - the value of field is less than value. Applicable only to numerical and time values. "<=" - the value of field is less than or equal to value. Applicable only to numerical and time values. "IsEmpty" - the value of field is empty. Value is ignored. "IsOneOf" - the value of field is empty or is equal to one of the values in the value array. Value contains an array of possible values. value - value or values that are compared. Members of enums are indicated as strings in the English locale without spaces, special characters, or anything indicated in brackets. Examples: "DPI", "Warning", "EngineeringWorkstation". Dates are indicated in ISO_8601 format with full indication of all parts of the date and time. Example: "2020-10-25T17:32:25.707Z". operator - logical operation that merges this condition with other conditions and groups of conditions at the specific level. The operator of the first top-level condition is ignored. The operator of the first condition in a group is considered to be the operator of this group. Supported options: "and" - the condition is added by AND. It is also used if this parameter is not defined. "or" - the condition is added by OR. Parsing of the values of parameters and all comparisons are not case sensitive. If an unsupported parameter value is defined, the "Incorrect parameters" error is returned with the name and value of the parameter. Example of a simple condition with an AND conjunction. { "query": { ... "filter": [ { "field": "propName3", "condition": "isOneOf", "value": ["DPI", "NIC", "CC"], }, { "field": "propName4", "condition": ">=", "value": "2020-10-27T17:32:25.806Z" } ] } } Example of a set of conditions with a nested conditions group in which the conditions are merged by OR, while the top-level conditions are merged by AND: { "query": { ... "filter": [ [ { "field": "propName1", "condition": ">=", "value": 10 }, { "field": "propName1", "value": 1, "operator": "or" } ], { "field": "propName3", "condition": "isOneOf", "value": ["DPI", "NIC", "CC"] }, { "field": "propName4", "condition": ">=", "value": "2020-10-27T17:32:25.806Z" } ] } }
	Array of objects (ColumnOrderDto) Nullable Sorting results. The list of columns that can participate in sorting depends on the type of requested data. A full list is provided in the description of the corresponding paging method.
offset	integer <int32> [ 0 .. 2147483647 ] Nullable 0-based index of the item in the full list where the results must begin. If no offset is specified, the results return the data beginning at the start of the full list.
limit	integer <int32> [ 0 .. 1000 ] Nullable Maximum number of items in the results. If no limit is specified, the results return all data beginning from the offset or from the start of the list depending on whether an offset is defined.

Responses

Request samples

Payload

Content type

{"filter": [{"field": "Id",
"condition": ">",
"value": 12370
},
{"field": "Status",
"condition": "=",
"value": "CriticalMalfunction"
}
],
"sort": [{"column": "Id",
"direction": "Asc",
"nullsBehaviour": null
}
],
"offset": 200,
"limit": 100
}

Response samples

200

Content type

application/json

{"offset": 200,
"limit": 100,
"values": [{"id": 12345,
"date": "2020-10-27T14:32:25Z",
"status": "CriticalMalfunction",
"node": "Server1",
"systemProcess": "Filter",
"descriptionId": 2324,
"description": "Something happened"
}
]
}

AuditMessages

Kaspersky Industrial CyberSecurity for Networks can save information about actions performed by users in the application.
Information is saved in the audit log if user activity audit is enabled.
You can get audit entries from Kaspersky Industrial CyberSecurity for Networks by using the audit messages API methods.

Query several audit entries.

Returns a specified number of audit entries starting from a certain offset (but not including audit entry with specified offset). You can specify filtering and paging options for audit entries. By default, audit entries are not sorted. You should use {sort} property from argument to specify sort order.
Fields that can be used for filtering:

id
date
node
user
action
result

Fields that can be used for sorting:

id

path Parameters

version

required

string

Request Body schema:
application/json-patch+json
application/json-patch+json
application/json
text/json
application/*+json

Query argument. This lets you define the parameters for filtering and sorting, the offset and maximum number of events in the returned results.

filter	object Nullable Filtering parameters. To define a filter in a query, an array of filtering conditions is passed in the filter object: Each item of this array indicates the name of the field to be used for filtering and the filter conditions. If no filtering conditions are defined (there is no object filtering array or it is empty), all objects of the specific type are returned. To configure filtering in a query, the filter object containing an array of conditions is defined. An item of this array can be either a condition or a group of conditions in the form of a conditions array. The maximum nesting of groups is three levels (including the first). Each condition can have the following parameters: field (required) - object field name from the table of fields of the specific object type in camelCase. Subparameters are indicated after a colon (example - IP address of the source field: "source:ipAddress"). condition(optional) - condition for the field value. Supported options: "=" - equals. This is also used if this parameter is not defined. "<>" - does not equal. ">" - the value of field is larger than value. Applicable only to numerical and time values. ">=" - the value of field is larger than or equal to value. Applicable only to numerical and time values. "<" - the value of field is less than value. Applicable only to numerical and time values. "<=" - the value of field is less than or equal to value. Applicable only to numerical and time values. "IsEmpty" - the value of field is empty. Value is ignored. "IsOneOf" - the value of field is empty or is equal to one of the values in the value array. Value contains an array of possible values. value - value or values that are compared. Members of enums are indicated as strings in the English locale without spaces, special characters, or anything indicated in brackets. Examples: "DPI", "Warning", "EngineeringWorkstation". Dates are indicated in ISO_8601 format with full indication of all parts of the date and time. Example: "2020-10-25T17:32:25.707Z". operator - logical operation that merges this condition with other conditions and groups of conditions at the specific level. The operator of the first top-level condition is ignored. The operator of the first condition in a group is considered to be the operator of this group. Supported options: "and" - the condition is added by AND. It is also used if this parameter is not defined. "or" - the condition is added by OR. Parsing of the values of parameters and all comparisons are not case sensitive. If an unsupported parameter value is defined, the "Incorrect parameters" error is returned with the name and value of the parameter. Example of a simple condition with an AND conjunction. { "query": { ... "filter": [ { "field": "propName3", "condition": "isOneOf", "value": ["DPI", "NIC", "CC"], }, { "field": "propName4", "condition": ">=", "value": "2020-10-27T17:32:25.806Z" } ] } } Example of a set of conditions with a nested conditions group in which the conditions are merged by OR, while the top-level conditions are merged by AND: { "query": { ... "filter": [ [ { "field": "propName1", "condition": ">=", "value": 10 }, { "field": "propName1", "value": 1, "operator": "or" } ], { "field": "propName3", "condition": "isOneOf", "value": ["DPI", "NIC", "CC"] }, { "field": "propName4", "condition": ">=", "value": "2020-10-27T17:32:25.806Z" } ] } }
	Array of objects (ColumnOrderDto) Nullable Sorting results. The list of columns that can participate in sorting depends on the type of requested data. A full list is provided in the description of the corresponding paging method.
offset	integer <int32> [ 0 .. 2147483647 ] Nullable 0-based index of the item in the full list where the results must begin. If no offset is specified, the results return the data beginning at the start of the full list.
limit	integer <int32> [ 0 .. 1000 ] Nullable Maximum number of items in the results. If no limit is specified, the results return all data beginning from the offset or from the start of the list depending on whether an offset is defined.

Responses

Request samples

Payload

Content type

{"filter": [{"field": "Id",
"condition": ">",
"value": 12370
},
{"field": "Result",
"condition": "=",
"value": "Success"
}
],
"sort": [{"column": "Id",
"direction": "Asc",
"nullsBehaviour": null
}
],
"offset": 200,
"limit": 100
}

Response samples

200

Content type

application/json

{"offset": 200,
"limit": 100,
"values": [{"id": 12335,
"date": "2020-10-27T14:32:25Z",
"node": "Server1",
"user": "Adam",
"action": "Some user action",
"result": "Success",
"description": "Very long description text"
}
]
}

Configuration

Kaspersky Industrial CyberSecurity for Networks provides the capability for a Connector to query its configuration.
You can get connector configuration information from Kaspersky Industrial CyberSecurity for Networks by using the configuration API methods.

Returns information about the current connector.

path Parameters

version

required

string

Responses

Response samples

200

Content type

application/json

{"config": "- type: string\n  name: address\n  default: yes\n  max_len: 1024\n- type: uint\n  name: portNumber\n  range: {from: 0, to: 65535}\n  default: yes\n  default_value: 0\n- type: string\n  name: transportProtocol\n  loc: yes\n  values: [TCP, UDP]\n  default: yes",
"eventTypesToSend": [3
],
"forwardAppMessages": true,
"forwardAuditMessages": false
}

Devices

Devices, connected to the industrial network. Kaspersky Industrial CyberSecurity for Networks monitors their activity and updates information about them, making it easier for an administrator to make security-related decisions.
You can get a list of devices and their protocols from Kaspersky Industrial CyberSecurity for Networks by using devices API methods.
In addition to getting devices from Kaspersky Industrial CyberSecurity for Networks, you can create your own devices in Kaspersky Industrial CyberSecurity for Networks, edit and remove them.

Query several devices.

Returns a specified number of devices starting from a certain offset (but not including device with specified offset). You can specify filtering and paging options for devices. By default, devices are not sorted. You should use {sort} property from argument to specify sort order.
Fields that can be used for filtering:

id
name
status
addressInformation:macAddress
addressInformation:ipAddress
category
group
securityState
lastSeen
risks:id
risks:name
risks:state
risks:category
risks:score
risks:baseScore
lastModified
created
os
hardwareVendor
hardwareModel
hardwareVersion
softwareVendor
softwareModel
softwareVersion
networkName
label
hasIndustrialConfig
epp:name
epp:rtpState
epp:lastSync
influence

Fields that can be used for sorting:

id

path Parameters

version

required

string

Request Body schema:
application/json-patch+json
application/json-patch+json
application/json
text/json
application/*+json

Query argument. This lets you define the parameters for filtering and sorting, the offset and maximum number of events in the returned results.

filter	object Nullable Filtering parameters. To define a filter in a query, an array of filtering conditions is passed in the filter object: Each item of this array indicates the name of the field to be used for filtering and the filter conditions. If no filtering conditions are defined (there is no object filtering array or it is empty), all objects of the specific type are returned. To configure filtering in a query, the filter object containing an array of conditions is defined. An item of this array can be either a condition or a group of conditions in the form of a conditions array. The maximum nesting of groups is three levels (including the first). Each condition can have the following parameters: field (required) - object field name from the table of fields of the specific object type in camelCase. Subparameters are indicated after a colon (example - IP address of the source field: "source:ipAddress"). condition(optional) - condition for the field value. Supported options: "=" - equals. This is also used if this parameter is not defined. "<>" - does not equal. ">" - the value of field is larger than value. Applicable only to numerical and time values. ">=" - the value of field is larger than or equal to value. Applicable only to numerical and time values. "<" - the value of field is less than value. Applicable only to numerical and time values. "<=" - the value of field is less than or equal to value. Applicable only to numerical and time values. "IsEmpty" - the value of field is empty. Value is ignored. "IsOneOf" - the value of field is empty or is equal to one of the values in the value array. Value contains an array of possible values. value - value or values that are compared. Members of enums are indicated as strings in the English locale without spaces, special characters, or anything indicated in brackets. Examples: "DPI", "Warning", "EngineeringWorkstation". Dates are indicated in ISO_8601 format with full indication of all parts of the date and time. Example: "2020-10-25T17:32:25.707Z". operator - logical operation that merges this condition with other conditions and groups of conditions at the specific level. The operator of the first top-level condition is ignored. The operator of the first condition in a group is considered to be the operator of this group. Supported options: "and" - the condition is added by AND. It is also used if this parameter is not defined. "or" - the condition is added by OR. Parsing of the values of parameters and all comparisons are not case sensitive. If an unsupported parameter value is defined, the "Incorrect parameters" error is returned with the name and value of the parameter. Example of a simple condition with an AND conjunction. { "query": { ... "filter": [ { "field": "propName3", "condition": "isOneOf", "value": ["DPI", "NIC", "CC"], }, { "field": "propName4", "condition": ">=", "value": "2020-10-27T17:32:25.806Z" } ] } } Example of a set of conditions with a nested conditions group in which the conditions are merged by OR, while the top-level conditions are merged by AND: { "query": { ... "filter": [ [ { "field": "propName1", "condition": ">=", "value": 10 }, { "field": "propName1", "value": 1, "operator": "or" } ], { "field": "propName3", "condition": "isOneOf", "value": ["DPI", "NIC", "CC"] }, { "field": "propName4", "condition": ">=", "value": "2020-10-27T17:32:25.806Z" } ] } }
	Array of objects (ColumnOrderDto) Nullable Sorting results. The list of columns that can participate in sorting depends on the type of requested data. A full list is provided in the description of the corresponding paging method.
offset	integer <int32> [ 0 .. 2147483647 ] Nullable 0-based index of the item in the full list where the results must begin. If no offset is specified, the results return the data beginning at the start of the full list.
limit	integer <int32> [ 0 .. 1000 ] Nullable Maximum number of items in the results. If no limit is specified, the results return all data beginning from the offset or from the start of the list depending on whether an offset is defined.

Responses

Request samples

Payload

Content type

{"filter": [{"field": "Id",
"condition": ">",
"value": 12370
},
{"field": "Category",
"condition": "=",
"value": "Plc"
}
],
"sort": [{"column": "Id",
"direction": "Asc",
"nullsBehaviour": null
}
],
"offset": 200,
"limit": 100
}

Response samples

200

Content type

application/json

{"offset": 200,
"limit": 100,
"values": [{"id": 123456,
"name": "BoilerPlc",
"description": "Very long description text",
"status": "Recognized",
"addressInformation": [{"networkInterfaceId": 32424,
"networkInterfaceName": "ens32",
"macAddress": "ff:aa:bb:cc:dd:ee",
"macAddressSpaceId": 1,
"ipAddresses": [{"id": 121212,
"ip": "192.168.0.20",
"addressSpaceId": 1
},
{"id": 121213,
"ip": "192.168.0.21",
"addressSpaceId": 5
}
]
},
{"networkInterfaceId": 32425,
"networkInterfaceName": "Name",
"macAddress": "ee:aa:bb:cc:dd:ee",
"macAddressSpaceId": null,
"ipAddresses": [{"id": 121214,
"ip": "192.168.1.21",
"addressSpaceId": 3
}
]
}
],
"category": "Plc",
"categoryConfidence": 100,
"group": "group1",
"securityState": "Critical",
"influence": "Normal",
"lastSeen": "2020-12-15T11:17:12",
"lastModified": "2020-11-14T10:16:11",
"created": "2020-10-26T10:15:06",
"os": "Linux",
"osConfidence": 200,
"networkName": "factory-net",
"networkNameConfidence": 200,
"hardwareVendor": "Siemens",
"hardwareVendorConfidence": 200,
"hardwareModel": "S7-1500",
"hardwareModelConfidence": 200,
"hardwareVersion": "3.51",
"hardwareVersionConfidence": 200,
"softwareVendor": "SomeCompany",
"softwareVendorConfidence": 200,
"softwareModel": "FirmwareOs1",
"softwareModelConfidence": 200,
"softwareVersion": "1.23",
"softwareVersionConfidence": 200,
"isRouter": false,
"isRouterConfidence": 200,
"labels": ["label1",
"label2"
],
"risks": [{"id": 122334,
"name": "Risk name 1",
"category": "TechnologicalRisk",
"state": "Accepted",
"baseScore": 5.5,
"score": 6.1,
"typeId": null
},
{"id": 122334,
"name": "Risk name 2",
"category": "Vulnerability",
"state": "Active",
"baseScore": 7.1,
"score": 8,
"typeId": null
}
],
"processControlSettings": {"deviceType": "Siemens Simatic S-1500",
"protocols": [{"id": 123123,
"name": "S7CommOverTcp",
"protocolStackId": 2,
"systemCommands": {"total": 23,
"monitored": 7
},
"addresses2": [{"addressConfig": "{ \"ip\": \"192.168.0.20\", \"port\": 102, \"rack\": 0, \"slot\": 2 }",
"ipAddressSpaceId": 1,
"macAddressSpaceId": 1
}
]
},
{"id": 123123,
"name": "IndustrialEthernet",
"protocolStackId": 12,
"systemCommands": {"total": 25,
"monitored": 9
},
"addresses2": [{"addressConfig": "{ \"mac\": \"ff:aa:bb:cc:dd:ee\", \"rack\": 0, \"slot\": 2 }",
"ipAddressSpaceId": 2,
"macAddressSpaceId": 2
}
]
}
]
},
"attributes": [{"name": "name1",
"value": "value1",
"isAutoupdated": false,
"confidence": 1
},
{"name": "name2",
"value": "value2",
"isAutoupdated": true,
"confidence": 2
}
],
"userAttributes": [{"name": "nameU1",
"value": "valueU1"
},
{"name": "nameU2",
"value": "valueU2"
}
],
"epp": {"name": "KICS",
"lastSync": "2021-08-01T00:00:01",
"rtpState": "Running",
"keaVersion": "1.2",
"version": "3.4.5",
"licenses": [{"serialNumber": "xx.yy.zz",
"status": "Active",
"expirationDate": "2022-01-01T00:00:00"
},
{"serialNumber": "ww.ww.ww",
"status": "Reserved",
"expirationDate": "2023-01-01T00:00:00"
}
],
"basesVersion": "2021-07-01T10:11:12"
}
}
]
}

Query single device.

path Parameters

id required	integer <int64> >= 1 ID of the requested event.
version required	string

Responses

Response samples

200

Content type

application/json

{"id": 123456,
"name": "BoilerPlc",
"description": "Very long description text",
"status": "Recognized",
"addressInformation": [{"networkInterfaceId": 32424,
"networkInterfaceName": "ens32",
"macAddress": "ff:aa:bb:cc:dd:ee",
"macAddressSpaceId": 1,
"ipAddresses": [{"id": 121212,
"ip": "192.168.0.20",
"addressSpaceId": 1
},
{"id": 121213,
"ip": "192.168.0.21",
"addressSpaceId": 2
}
]
},
{"networkInterfaceId": 32425,
"networkInterfaceName": "Name",
"macAddress": "ee:aa:bb:cc:dd:ee",
"macAddressSpaceId": 1,
"ipAddresses": [{"id": 121214,
"ip": "192.168.1.21",
"addressSpaceId": 1
}
]
}
],
"category": "Plc",
"categoryConfidence": 100,
"group": "group1",
"securityState": "Critical",
"influence": 0,
"lastSeen": "2020-12-15T11:17:12",
"lastModified": "2020-11-14T10:16:11",
"created": "2020-10-26T10:15:06",
"os": "Linux",
"osConfidence": 200,
"networkName": "factory-net",
"networkNameConfidence": 200,
"hardwareVendor": "Siemens",
"hardwareVendorConfidence": 200,
"hardwareModel": "S7-1500",
"hardwareModelConfidence": 200,
"hardwareVersion": "3.51",
"hardwareVersionConfidence": 200,
"softwareVendor": "SomeCompany",
"softwareVendorConfidence": 200,
"softwareModel": "FirmwareOs1",
"softwareModelConfidence": 200,
"softwareVersion": "1.23",
"softwareVersionConfidence": 200,
"isRouter": false,
"isRouterConfidence": 200,
"labels": ["label1",
"label2"
],
"risks": [{"id": 122334,
"name": "Risk name 1",
"category": "TechnologicalRisk",
"state": "Accepted",
"baseScore": 5.5,
"score": 6.1,
"typeId": null
},
{"id": 122334,
"name": "Risk name 2",
"category": "Vulnerability",
"state": "Active",
"baseScore": 7.1,
"score": 8,
"typeId": null
}
],
"processControlSettings": {"deviceType": "Siemens Simatic S-1500",
"protocols": [{"id": 123123,
"name": "S7CommOverTcp",
"protocolStackId": 2,
"systemCommands": {"total": 23,
"monitored": 7
},
"addresses2": [{"addressConfig": "{ \"ip\": \"192.168.0.20\", \"port\": 102, \"rack\": 0, \"slot\": 2 }",
"ipAddressSpaceId": 1,
"macAddressSpaceId": 1
}
]
},
{"id": 123123,
"name": "IndustrialEthernet",
"protocolStackId": 12,
"systemCommands": {"total": 25,
"monitored": 9
},
"addresses2": [{"addressConfig": "{ \"mac\": \"ff:aa:bb:cc:dd:ee\", \"rack\": 0, \"slot\": 2 }",
"ipAddressSpaceId": 2,
"macAddressSpaceId": 2
}
]
}
]
},
"attributes": [{"name": "name1",
"value": "value1",
"isAutoupdated": false,
"confidence": 1
},
{"name": "name2",
"value": "value2",
"isAutoupdated": true,
"confidence": 2
}
],
"userAttributes": [{"name": "nameU1",
"value": "valueU1"
},
{"name": "nameU2",
"value": "valueU2"
}
],
"epp": {"name": "KICS",
"lastSync": "2021-08-01T00:00:01",
"rtpState": "Running",
"keaVersion": "1.2",
"version": "3.4.5",
"licenses": [{"serialNumber": "xx.yy.zz",
"status": "Active",
"expirationDate": "2022-01-01T00:00:00"
},
{"serialNumber": "ww.ww.ww",
"status": "Reserved",
"expirationDate": "2023-01-01T00:00:00"
}
],
"basesVersion": "2021-07-01T10:11:12"
}
}

Partial change device fields.

path Parameters

id required	integer <int64> >= 1 ID of the device.
version required	string

query Parameters

dontBreakOnFailure	boolean Default: false Continue other operations if one of them failed.
sourceId	integer <int64> External source identifier.

Request Body schema:
application/json-patch+json
application/json-patch+json
application/json
text/json
application/*+json

Field operations.

Array ()

op	string (PatchOperationType) Enum: "Add" "Remove" "Replace" "Test"
path required	string^(\/\w+)*(\/-)?$
value	object Nullable

Responses

Request samples

Payload

Content type

[{"op": "Add",
"path": "string",
"value": { }
}
]

Response samples

200

Content type

application/json

[{"result": "Succeeded",
"op": "Add",
"path": "string",
"value": { }
}
]

Edit existing device.

You can edit device data in Kaspersky Industrial CyberSecurity for Networks by using this API.

path Parameters

id required	integer <int64> >= 1 ID of the edited device.
version required	string

Request Body schema:
application/json-patch+json
application/json-patch+json
application/json
text/json
application/*+json

Parameters of the edited device.

allowProcessControlSettingsUpdate required	boolean Allow editing of industrial configuration.
name required	string <= 8192 characters Unique name of the device.
required	Array of objects (DeviceAddressInformation) non-empty MAC and IP addresses of the device.
description	string <= 65536 characters Nullable Description of the device.
status	string (AssetStatus) Enum: "Unauthorized" "Recognized" "Archived"
category	string (AssetType) Enum: "ScadaHmi" "Rpa" "Server" "Workstation" "Plc" "EngineeringStation" "MobileDevice" "NetworkDevice" "Other" "Laptop" "HmiPanel" "Printer" "UPS" "NetworkCamera" "Gateway" "StorageSystem" "Firewall" "Switch" "VirtualSwitch" "Router" "VirtualRouter" "WiFi" "Historian"
os	string <= 65536 characters Nullable Name of the operating system of the device.
hardwareVendor	string <= 65536 characters Nullable Name of the device manufacturer.
hardwareModel	string <= 65536 characters Nullable Device hardware model.
hardwareVersion	string <= 65536 characters Nullable Device hardware version.
softwareVendor	string <= 65536 characters Nullable Device software vendor.
softwareModel	string <= 65536 characters Nullable Device software model.
softwareVersion	string <= 65536 characters Nullable Device software version.
networkName	string <= 65536 characters Nullable Name used to represent the device in the network.
isRouter	boolean This parameter denotes whether the device is a routing device.
influence	string (DeviceInfluenceType) Enum: "BusinessCritical" "Important" "Normal"
labels	Array of strings Nullable A list of labels assigned to the device.
	Array of objects (DeviceUserAttributeData) Nullable Any user additional parameters of the device returned in pairs "Name, Value".

Responses

Request samples

Payload

Content type

{"allowProcessControlSettingsUpdate": true,
"name": "BoilerPlc",
"addressInformation": [{"networkInterfaceId": 123409,
"networkInterfaceName": null,
"macAddress": "11:22:33:44:55:66",
"macAddressSpaceId": null,
"ipAddresses": [{"id": 101,
"ip": "1.2.3.4",
"addressSpaceId": null
},
{"id": 102,
"ip": "1.2.3.5",
"addressSpaceId": null
}
]
}
],
"description": "Very long description text",
"status": "Recognized",
"category": "NetworkDevice",
"os": "Linux",
"hardwareVendor": "Siemens",
"hardwareModel": "S7-1500",
"hardwareVersion": "3.51",
"softwareVendor": "SomeCompany",
"softwareModel": "FirmwareOs1",
"softwareVersion": "1.23",
"networkName": "factory-net",
"isRouter": false,
"influence": 0,
"labels": ["label1",
"label2"
],
"userAttributes": [{"name": "name1",
"value": "value1"
},
{"name": "name2",
"value": "value2"
}
]
}

Response samples

400

Content type

application/json

{"status": "Error",
"errors": [{"field": "ip",
"path": "addressInformation/ipAddresses[0]",
"errorMessage": "Wrong ip address format"
}
]
}

Remove existing device.

You can remove devices from Kaspersky Industrial CyberSecurity for Networks by using this API.

path Parameters

id required	integer <int64> >= 1 ID of the removed device.
version required	string

Responses

Assignment an industrial configuration to the device.

path Parameters

id required	integer <int64> >= 1 ID of the device.
version required	string

query Parameters

mode

required

string (AssignIndustrialConfigMode)

Enum: "Replace" "Merge"

Mode of assignment industrial configuration.

Request Body schema: multipart/form-data

config

required

string <binary>

Responses

Response samples

200
400

Content type

application/json

{"addedTags": 10,
"tagErrors": 0,
"removedTags": 5,
"replacedTags": 5,
"removedRules": 1
}

Query protocols of device.

path Parameters

id required	integer <int64> >= 1 ID of the device whose protocols are being queried.
version required	string

Responses

Response samples

200

Content type

application/json

[{"id": 12345,
"name": "ModbusTcp",
"protocolStackId": 1,
"systemCommands": {"total": 15,
"monitored": 3
},
"addresses2": [{"addressConfig": "{ \"ip\": \"192.168.0.7\", \"port\": 502, \"unit\": 0 }",
"ipAddressSpaceId": 1,
"macAddressSpaceId": 1
},
{"addressConfig": "{ \"ip\": \"192.168.0.8\", \"port\": 502, \"unit\": 0 }",
"ipAddressSpaceId": 2,
"macAddressSpaceId": 2
}
]
}
]

Create new device.

You can create devices in Kaspersky Industrial CyberSecurity for Networks by using this API.

path Parameters

version

required

string

Request Body schema:
application/json-patch+json
application/json-patch+json
application/json
text/json
application/*+json

Parameters of the created device.

whatIfDuplicate required	string (DuplicateAction) Enum: "Skip" "Overwrite"
allowProcessControlSettingsLoss required	boolean Allow loss of industrial configuration.
name required	string <= 8192 characters Unique name of the device.
required	Array of objects (DeviceAddressInformation) non-empty MAC and IP addresses of the device.
description	string <= 65536 characters Nullable Description of the device.
status	string (AssetStatus) Enum: "Unauthorized" "Recognized" "Archived"
category	string (AssetType) Enum: "ScadaHmi" "Rpa" "Server" "Workstation" "Plc" "EngineeringStation" "MobileDevice" "NetworkDevice" "Other" "Laptop" "HmiPanel" "Printer" "UPS" "NetworkCamera" "Gateway" "StorageSystem" "Firewall" "Switch" "VirtualSwitch" "Router" "VirtualRouter" "WiFi" "Historian"
os	string <= 65536 characters Nullable Name of the operating system of the device.
hardwareVendor	string <= 65536 characters Nullable Name of the device manufacturer.
hardwareModel	string <= 65536 characters Nullable Device hardware model.
hardwareVersion	string <= 65536 characters Nullable Device hardware version.
softwareVendor	string <= 65536 characters Nullable Device software vendor.
softwareModel	string <= 65536 characters Nullable Device software model.
softwareVersion	string <= 65536 characters Nullable Device software version.
networkName	string <= 65536 characters Nullable Name used to represent the device in the network.
isRouter	boolean This parameter denotes whether the device is a routing device.
influence	string (DeviceInfluenceType) Enum: "BusinessCritical" "Important" "Normal"
labels	Array of strings Nullable A list of labels assigned to the device.
	Array of objects (DeviceUserAttributeData) Nullable Any user additional parameters of the device returned in pairs "Name, Value".

Responses

Request samples

Payload

Content type

{"whatIfDuplicate": "Skip",
"allowProcessControlSettingsLoss": true,
"name": "BoilerPlc",
"addressInformation": [{"networkInterfaceId": 0,
"networkInterfaceName": null,
"macAddress": "11:22:33:44:55:66",
"macAddressSpaceId": null,
"ipAddresses": [{"id": 0,
"ip": "1.2.3.4",
"addressSpaceId": null
},
{"id": 0,
"ip": "1.2.3.5",
"addressSpaceId": null
}
]
}
],
"description": "Very long description text",
"status": "Recognized",
"category": "NetworkDevice",
"os": "Linux",
"hardwareVendor": "Siemens",
"hardwareModel": "S7-1500",
"hardwareVersion": "3.51",
"softwareVendor": "SomeCompany",
"softwareModel": "FirmwareOs1",
"softwareVersion": "1.23",
"networkName": "factory-net",
"isRouter": false,
"influence": 0,
"labels": ["label1",
"label2"
],
"userAttributes": [{"name": "name1",
"value": "value1"
},
{"name": "name2",
"value": "value2"
}
]
}

Response samples

201
400

Content type

application/json

{"status": "Created",
"deviceId": 12345
}

Events

Events are messages generated by Kaspersky Industrial CyberSecurity for Networks in response to suspicious industrial network traffic, detected attacks, and other security-related data. You can get events from Kaspersky Industrial CyberSecurity for Networks by using the events API methods. In addition to getting events from Kaspersky Industrial CyberSecurity for Networks, you can register your own events in Kaspersky Industrial CyberSecurity for Networks. Kaspersky Industrial CyberSecurity for Networks handles these events as it does any other events.

Query several events.

Returns a specified number of events starting from a certain offset (but not including event with specified offset). You can specify filtering and paging options for events. By default, events are not sorted. You should use {sort} property from argument to specify sort order.
Fields that can be used for filtering:

startTime
lastSeenTime
title
score
source:ipAddress
source:ipAddressSpaceId
source:port
source:macAddress
source:macAddressSpaceId
source:applicationLevelAddress
destination:ipAddress
destination:ipAddressSpaceId
destination:port
destination:macAddress
destination:macAddressSpaceId
destination:applicationLevelAddress
application:eppUserName
application:eppApplicationName
vlanId
protocol
technology
totalAppearances
id
status
triggeredRule
monitoringPointId
eventType
mark
origin

Fields that can be used for sorting:

id

path Parameters

version

required

string

Request Body schema:
application/json-patch+json
application/json-patch+json
application/json
text/json
application/*+json

Query argument. This lets you define the parameters for filtering and sorting, the offset and maximum number of events in the returned results.

filter	object Nullable Filtering parameters. To define a filter in a query, an array of filtering conditions is passed in the filter object: Each item of this array indicates the name of the field to be used for filtering and the filter conditions. If no filtering conditions are defined (there is no object filtering array or it is empty), all objects of the specific type are returned. To configure filtering in a query, the filter object containing an array of conditions is defined. An item of this array can be either a condition or a group of conditions in the form of a conditions array. The maximum nesting of groups is three levels (including the first). Each condition can have the following parameters: field (required) - object field name from the table of fields of the specific object type in camelCase. Subparameters are indicated after a colon (example - IP address of the source field: "source:ipAddress"). condition(optional) - condition for the field value. Supported options: "=" - equals. This is also used if this parameter is not defined. "<>" - does not equal. ">" - the value of field is larger than value. Applicable only to numerical and time values. ">=" - the value of field is larger than or equal to value. Applicable only to numerical and time values. "<" - the value of field is less than value. Applicable only to numerical and time values. "<=" - the value of field is less than or equal to value. Applicable only to numerical and time values. "IsEmpty" - the value of field is empty. Value is ignored. "IsOneOf" - the value of field is empty or is equal to one of the values in the value array. Value contains an array of possible values. value - value or values that are compared. Members of enums are indicated as strings in the English locale without spaces, special characters, or anything indicated in brackets. Examples: "DPI", "Warning", "EngineeringWorkstation". Dates are indicated in ISO_8601 format with full indication of all parts of the date and time. Example: "2020-10-25T17:32:25.707Z". operator - logical operation that merges this condition with other conditions and groups of conditions at the specific level. The operator of the first top-level condition is ignored. The operator of the first condition in a group is considered to be the operator of this group. Supported options: "and" - the condition is added by AND. It is also used if this parameter is not defined. "or" - the condition is added by OR. Parsing of the values of parameters and all comparisons are not case sensitive. If an unsupported parameter value is defined, the "Incorrect parameters" error is returned with the name and value of the parameter. Example of a simple condition with an AND conjunction. { "query": { ... "filter": [ { "field": "propName3", "condition": "isOneOf", "value": ["DPI", "NIC", "CC"], }, { "field": "propName4", "condition": ">=", "value": "2020-10-27T17:32:25.806Z" } ] } } Example of a set of conditions with a nested conditions group in which the conditions are merged by OR, while the top-level conditions are merged by AND: { "query": { ... "filter": [ [ { "field": "propName1", "condition": ">=", "value": 10 }, { "field": "propName1", "value": 1, "operator": "or" } ], { "field": "propName3", "condition": "isOneOf", "value": ["DPI", "NIC", "CC"] }, { "field": "propName4", "condition": ">=", "value": "2020-10-27T17:32:25.806Z" } ] } }
	Array of objects (ColumnOrderDto) Nullable Sorting results. The list of columns that can participate in sorting depends on the type of requested data. A full list is provided in the description of the corresponding paging method.
offset	integer <int32> [ 0 .. 2147483647 ] Nullable 0-based index of the item in the full list where the results must begin. If no offset is specified, the results return the data beginning at the start of the full list.
limit	integer <int32> [ 0 .. 1000 ] Nullable Maximum number of items in the results. If no limit is specified, the results return all data beginning from the offset or from the start of the list depending on whether an offset is defined.

Responses

Request samples

Payload

Content type

{"filter": [{"field": "Id",
"condition": ">",
"value": 12370
},
{"field": "Technology",
"condition": "=",
"value": "Dpi"
}
],
"sort": [{"column": "Id",
"direction": "Asc",
"nullsBehaviour": null
}
],
"offset": 200,
"limit": 100
}

Response samples

200

Content type

application/json

{"offset": 200,
"limit": 100,
"values": [{"id": 123456,
"eventType": 123123,
"title": "Something happened",
"score": 5.3,
"startTime": "2020-10-27T14:32:25Z",
"lastSeenTime": "2020-10-27T14:32:26Z",
"endTime": "2020-10-27T14:32:26Z",
"protocol": "Modbus",
"communications": [{"sourceIp": "192.168.0.1",
"sourceIpAddressSpaceId": 0,
"sourcePort": 20,
"sourceMac": "ff:aa:bb:cc:dd:ee",
"sourceMacAddressSpaceId": 0,
"sourceApplication": "slot=10",
"destinationIp": "192.168.0.1",
"destinationIpAddressSpaceId": 1,
"destinationPort": 30,
"destinationMac": "ff:aa:bb:cc:dd:ee",
"destinationMacAddressSpaceId": 1,
"destinationApplication": "slot=5",
"applicationProtocol": null,
"vlanId": 0,
"protocolStack": ["TCP",
"Modbus"
],
"protocolStackId": 1232,
"protocolStackPath": "TCP/Modbus",
"systemCommandId": 12312,
"systemCommandName": "STOP_PLC"
}
],
"technology": "Dpi",
"totalAppearances": 10,
"status": "Proposed",
"description": "Very long description text",
"triggeredRule": "Rule name",
"triggeredRuleId": 123,
"monitoringPoint": "Mpoint 1",
"monitoringPointId": 1,
"monitoringPointDeletedTime": "2020-10-26T10:15:06",
"mark": 0,
"origin": "System",
"childrenCount": 6,
"assets": [{"id": 12312
}
],
"params": [{"name": "param1",
"value": "value 1"
},
{"name": "param2",
"value": "value 2"
}
],
"risks": [{"id": 21213
}
],
"applications": [{"eppApplication": {"applicationId": 1,
"applicationName": "Microsoft® Windows® Operating System",
"productName": "Microsoft® Windows® Operating System",
"productVersion": "10.0.19041.964",
"productVendor": "Microsoft Corporation",
"imagePath": "C:\\\\WINDOWS\\\\System32\\\\smss.exe",
"osName": "Microsoft Windows 10 Pro",
"isServer": true,
"signatureCheckResult": true,
"md5": "2c3f91bb4c0994a7b36ed0b6b14ec9c7",
"sha256": "56afe5133fdc5806ec6b19436f7b55f1499cfc94619740c171424fbcf7808fd3",
"communicationIndex": 0,
"communicationIsSource": true
},
"eppUser": {"userId": 202,
"userName": "Administrator",
"logonType": "Interactive",
"accountType": "Admin"
}
},
{"eppApplication": {"applicationId": 1,
"applicationName": "Microsoft® Windows® Operating System",
"productName": "Microsoft® Windows® Operating System",
"productVersion": "10.0.19041.964",
"productVendor": "Microsoft Corporation",
"imagePath": "C:\\\\WINDOWS\\\\System32\\\\smss.exe",
"osName": "Microsoft Windows 10 Pro",
"isServer": true,
"signatureCheckResult": true,
"md5": "2c3f91bb4c0994a7b36ed0b6b14ec9c7",
"sha256": "56afe5133fdc5806ec6b19436f7b55f1499cfc94619740c171424fbcf7808fd3",
"communicationIndex": 0,
"communicationIsSource": true
},
"eppUser": null
}
]
}
]
}

Query single event.

path Parameters

id required	integer <int64> >= 1 ID of the requested event.
version required	string

Responses

Response samples

200

Content type

application/json

{"id": 123456,
"eventType": 123123,
"title": "Something happened",
"score": 5.3,
"startTime": "2020-10-27T14:32:25Z",
"lastSeenTime": "2020-10-27T14:32:26Z",
"endTime": "2020-10-27T14:32:26Z",
"protocol": "Modbus",
"communications": [{"sourceIp": "192.168.0.1",
"sourceIpAddressSpaceId": 0,
"sourcePort": 20,
"sourceMac": "ff:aa:bb:cc:dd:ee",
"sourceMacAddressSpaceId": 0,
"sourceApplication": "slot=10",
"destinationIp": "192.168.0.1",
"destinationIpAddressSpaceId": 1,
"destinationPort": 30,
"destinationMac": "ff:aa:bb:cc:dd:ee",
"destinationMacAddressSpaceId": 1,
"destinationApplication": "slot=5",
"applicationProtocol": null,
"vlanId": 0,
"protocolStack": ["TCP",
"Modbus"
],
"protocolStackId": 1232,
"protocolStackPath": "TCP/Modbus",
"systemCommandId": 12312,
"systemCommandName": "STOP_PLC"
}
],
"technology": "Dpi",
"totalAppearances": 10,
"status": "Proposed",
"description": "Very long description text",
"triggeredRule": "Rule name",
"triggeredRuleId": 123,
"monitoringPoint": "Mpoint 1",
"monitoringPointId": 1,
"monitoringPointDeletedTime": "2020-10-26T10:15:06",
"mark": 0,
"origin": "System",
"childrenCount": 6,
"assets": [{"id": 12312
}
],
"params": [{"name": "param1",
"value": "value 1"
},
{"name": "param2",
"value": "value 2"
}
],
"risks": [{"id": 21213
}
],
"applications": [{"eppApplication": {"applicationId": 1,
"applicationName": "Microsoft® Windows® Operating System",
"productName": "Microsoft® Windows® Operating System",
"productVersion": "10.0.19041.964",
"productVendor": "Microsoft Corporation",
"imagePath": "C:\\\\WINDOWS\\\\System32\\\\smss.exe",
"osName": "Microsoft Windows 10 Pro",
"isServer": true,
"signatureCheckResult": true,
"md5": "2c3f91bb4c0994a7b36ed0b6b14ec9c7",
"sha256": "56afe5133fdc5806ec6b19436f7b55f1499cfc94619740c171424fbcf7808fd3",
"communicationIndex": 0,
"communicationIsSource": true
},
"eppUser": {"userId": 202,
"userName": "Administrator",
"logonType": "Interactive",
"accountType": "Admin"
}
}
]
}

Edit existing event.

You can edit event data in Kaspersky Industrial CyberSecurity for Networks by using this API.

path Parameters

id required	integer <int64> >= 1 ID of the edited event.
version required	string

Request Body schema:
application/json-patch+json
application/json-patch+json
application/json
text/json
application/*+json

Parameters of the edited event:

status
mark

status	string (EventUserState) Enum: "Proposed" "Active" "Resolved"
mark	integer <int32> Nullable A numeric value from 0 to 7. This value represents a selection of icons that can be set for any event or incident to find events and incidents based on criteria that is not in the table.

Responses

Request samples

Payload

Content type

{"status": "Proposed",
"mark": 0
}

Response samples

400

Content type

application/json

"string"

Query traffic for several events.

Returns a zip-file with traffic associated with several events. Filtering and sorting is done in a similar way to the QueryEvents() method.

path Parameters

version

required

string

Request Body schema:
application/json-patch+json
application/json-patch+json
application/json
text/json
application/*+json

Query argument. This lets you define the parameters for filtering and sorting, the offset and maximum number of events in the returned results.

filter	object Nullable Filtering parameters. To define a filter in a query, an array of filtering conditions is passed in the filter object: Each item of this array indicates the name of the field to be used for filtering and the filter conditions. If no filtering conditions are defined (there is no object filtering array or it is empty), all objects of the specific type are returned. To configure filtering in a query, the filter object containing an array of conditions is defined. An item of this array can be either a condition or a group of conditions in the form of a conditions array. The maximum nesting of groups is three levels (including the first). Each condition can have the following parameters: field (required) - object field name from the table of fields of the specific object type in camelCase. Subparameters are indicated after a colon (example - IP address of the source field: "source:ipAddress"). condition(optional) - condition for the field value. Supported options: "=" - equals. This is also used if this parameter is not defined. "<>" - does not equal. ">" - the value of field is larger than value. Applicable only to numerical and time values. ">=" - the value of field is larger than or equal to value. Applicable only to numerical and time values. "<" - the value of field is less than value. Applicable only to numerical and time values. "<=" - the value of field is less than or equal to value. Applicable only to numerical and time values. "IsEmpty" - the value of field is empty. Value is ignored. "IsOneOf" - the value of field is empty or is equal to one of the values in the value array. Value contains an array of possible values. value - value or values that are compared. Members of enums are indicated as strings in the English locale without spaces, special characters, or anything indicated in brackets. Examples: "DPI", "Warning", "EngineeringWorkstation". Dates are indicated in ISO_8601 format with full indication of all parts of the date and time. Example: "2020-10-25T17:32:25.707Z". operator - logical operation that merges this condition with other conditions and groups of conditions at the specific level. The operator of the first top-level condition is ignored. The operator of the first condition in a group is considered to be the operator of this group. Supported options: "and" - the condition is added by AND. It is also used if this parameter is not defined. "or" - the condition is added by OR. Parsing of the values of parameters and all comparisons are not case sensitive. If an unsupported parameter value is defined, the "Incorrect parameters" error is returned with the name and value of the parameter. Example of a simple condition with an AND conjunction. { "query": { ... "filter": [ { "field": "propName3", "condition": "isOneOf", "value": ["DPI", "NIC", "CC"], }, { "field": "propName4", "condition": ">=", "value": "2020-10-27T17:32:25.806Z" } ] } } Example of a set of conditions with a nested conditions group in which the conditions are merged by OR, while the top-level conditions are merged by AND: { "query": { ... "filter": [ [ { "field": "propName1", "condition": ">=", "value": 10 }, { "field": "propName1", "value": 1, "operator": "or" } ], { "field": "propName3", "condition": "isOneOf", "value": ["DPI", "NIC", "CC"] }, { "field": "propName4", "condition": ">=", "value": "2020-10-27T17:32:25.806Z" } ] } }
	Array of objects (ColumnOrderDto) Nullable Sorting results. The list of columns that can participate in sorting depends on the type of requested data. A full list is provided in the description of the corresponding paging method.
offset	integer <int32> [ 0 .. 2147483647 ] Nullable 0-based index of the item in the full list where the results must begin. If no offset is specified, the results return the data beginning at the start of the full list.
limit	integer <int32> [ 0 .. 1000 ] Nullable Maximum number of items in the results. If no limit is specified, the results return all data beginning from the offset or from the start of the list depending on whether an offset is defined.

Responses

Request samples

Payload

Content type

{"filter": [{"field": "Id",
"condition": ">",
"value": 12370
},
{"field": "Technology",
"condition": "=",
"value": "Dpi"
}
],
"sort": [{"column": "Id",
"direction": "Asc",
"nullsBehaviour": null
}
],
"offset": 200,
"limit": 100
}

Response samples

200
400

Content type

application/json

"string"

Query traffic for single event.

Returns a pcap-file with traffic associated with a single event.

path Parameters

id required	integer <int64> >= 1 ID of the requested event.
version required	string

Responses

Response samples

200
400

Content type

application/json

"string"

Register event.

You can register events in Kaspersky Industrial CyberSecurity for Networks by using this API.

path Parameters

version

required

string

Request Body schema:
application/json-patch+json
application/json-patch+json
application/json
text/json
application/*+json

Parameters of the registered event.

title required	string [ 1 .. 4096 ] characters A title defined for the event type.
score required	number <float> [ 0 .. 10 ] Score of an event or incident.
startTime required	string <date-time> For an event that is not an incident - the date and time of the event was registered. For an incident - date and time of registration of the first event included in the incident.
lastSeenTime	string <date-time> Nullable For an event that is not an incident - the date and time when the event last occurred. It may contain the date and time of the event registration, or the date and time when the event regenerate counter value increased if the conditions for the event registration were repeated during the event regenerate timeout.
endTime required	string <date-time> For an event that is not an incident - the date and time when the Resolved status was assigned, or the date and time of the event regenerate timeout. For an incident - the latest date and time of the end of events that are part of the incident.
totalAppearances	integer <int32> [ 1 .. 2147483647 ] Nullable For an event that is not an incident - the value of the regenerate counter after the event is registered within the event regenerate timeout.
description	string [ 0 .. 32000 ] characters Nullable The description specified for the event type.
triggeredRuleName	string [ 0 .. 4096 ] characters Nullable For an event that is not an incident - the name of the Process Control rule or Intrusion Detection rule whose triggering caused the registration of the event. For an incident - the name of the correlation rule whose triggering caused the registration of the incident.
monitoringPointId	integer <int32> [ 0 .. 65535 ] Identifier of the monitoring point whose traffic invoked registration of the event.
mark	integer <int32> [ 0 .. 7 ] A numerical value from 0 to 7, which represents a selection of icons that one can set for any event or incident to find events and incidents based on a criteria that is not in the table.
origin required	string (EventOrigin) Enum: "Unknown" "System" "User"
	object Nullable An array of the name-value pairs of the event's additional parameters.
	Array of objects (CreateEventCommunication) Nullable An array of the event communications.
	Array of objects (CreateEventApplication) Nullable An array of the event applications and the user sessions.

Responses

Request samples

Payload

Content type

{"title": "Something happened",
"score": 7.7,
"startTime": "2020-10-27T14:32:25Z",
"lastSeenTime": "2020-10-27T14:32:26Z",
"endTime": "2020-10-27T14:32:26Z",
"totalAppearances": 10,
"description": "Very long description text",
"triggeredRuleName": "Rule name",
"monitoringPointId": 1,
"mark": 0,
"origin": "User",
"params": {"param1": "value 1",
"param2": "value 2"
},
"communications": [{"sourceIp": "192.168.0.1",
"sourceIpAddressSpaceId": 1234,
"sourcePort": 20,
"sourceMac": "ff:aa:bb:cc:dd:ee",
"sourceMacAddressSpaceId": 1234,
"destinationIp": "192.168.0.1",
"destinationIpAddressSpaceId": 1234,
"destinationPort": 30,
"destinationMac": "ff:aa:bb:cc:dd:ee",
"destinationMacAddressSpaceId": 1234,
"vlanId": 0,
"protocolStackId": 1232
}
],
"applications": [{"eppApplication": {"applicationName": "Microsoft® Windows® Operating System",
"osName": "Microsoft Windows 10 Pro",
"productName": "Microsoft® Windows® Operating System",
"productVersion": "10.0.19041.746",
"productVendor": "Microsoft Corporation",
"imagePath": "C:\\Windows\\System32\\mspaint.exe",
"isServer": false,
"communicationIndex": 0,
"communicationIsSource": true
},
"eppUser": {"userName": "Administrator",
"accountType": "Admin",
"logonType": "Interactive"
}
},
{"eppApplication": {"applicationName": "Microsoft® Windows® Operating System",
"osName": "Microsoft Windows 10 Pro",
"productName": "Microsoft® Windows® Operating System",
"productVersion": "10.0.19041.964",
"productVendor": "Microsoft Corporation",
"imagePath": "C:\\WINDOWS\\System32\\smss.exe",
"isServer": false,
"communicationIndex": 2,
"communicationIsSource": false
},
"eppUser": {"userName": "TEMPLATE-FOR-KS\\autotester",
"accountType": "Admin",
"logonType": "Interactive"
}
}
]
}

Response samples

400
500

Content type

application/json

{"errorMessage": "string"
}

EventTypes

Defined set of parameters for registering events in Kaspersky Industrial CyberSecurity for Networks. A unique number (event type code) is assigned to each event type. You can get event types from Kaspersky Industrial CyberSecurity for Networks by using the event types API methods.

Get list of event types.

path Parameters

version

required

string

Responses

Response samples

200

Content type

application/json

[{"eventTypeId": 1,
"title": "Incident",
"description": "A sequence of events corresponding to the incident was detected.",
"severity": "Critical",
"technology": "Dpi",
"eventRegenerateTimeout": 3000,
"trafficKeeping": {"keep": true,
"packetsBefore": 1024,
"packetsAfter": 2048,
"timeBefore": 120,
"timeAfter": 60
}
},
{"eventTypeId": 2,
"title": "Event from external system",
"description": "Long description",
"severity": "Warning",
"technology": "External",
"eventRegenerateTimeout": 1000,
"trafficKeeping": {"keep": false,
"packetsBefore": 0,
"packetsAfter": 0,
"timeBefore": 0,
"timeAfter": 0
}
}
]

Get one event type.

path Parameters

id required	integer <int64> >= 1 Event type ID.
version required	string

Responses

Response samples

200

Content type

application/json

{"eventTypeId": 1,
"title": "Incident",
"description": "A sequence of events corresponding to the incident was detected.",
"severity": "Critical",
"technology": "External",
"eventRegenerateTimeout": 3000,
"trafficKeeping": {"keep": true,
"packetsBefore": 1024,
"packetsAfter": 2048,
"timeBefore": 120,
"timeAfter": 60
}
}

License

Information about the added license key.
You can get information about the added license key by using the license key API methods.

Get information about the added license key.

path Parameters

version

required

string

Responses

Response samples

200

Content type

application/json

{"localization": "en",
"serialNumber": {"customerId": 2028,
"applicationId": 9482,
"serialNumber": 1465860564,
"key": "250a-0007ec-575f41d4"
},
"productName": "Kaspersky Industrial CyberSecurity for Networks Standard Server, Limited Updates International Edition. 1 - Server 1 year NFR License: KICS for Networks",
"licenseInstallationDate": "2020-12-31T00:00:00",
"licenseExpirationDate": "2019-12-18T00:00:00",
"licenseCreationDate": "2020-01-01T00:00:00",
"licenseStatus": "Active",
"daysTillLicenseExpire": 41
}

MonitoringPoints

Monitoring points are used for receiving and processing industrial network traffic in Kaspersky Industrial CyberSecurity for Networks.
You can get monitoring points from Kaspersky Industrial CyberSecurity for Networks by using monitoring-points API methods.

Query monitoring points dictionary.

path Parameters

version

required

string

Responses

Response samples

200

Content type

application/json

[{"mpId": 12345,
"name": "MonitoringPoint1",
"nicId": "nic1",
"hostId": "sensor1",
"enabled": true,
"createdTime": "2020-10-27T14:32:25Z",
"deletedTime": "2020-10-27T14:32:25Z"
}
]

Query single monitoring point.

path Parameters

id required	integer <int64> >= 1 ID of the queried monitoring point.
version required	string

Responses

Response samples

200

Content type

application/json

{"mpId": 12345,
"name": "MonitoringPoint1",
"nicId": "nic1",
"hostId": "sensor1",
"enabled": true,
"createdTime": "2020-10-27T14:32:25Z",
"deletedTime": "2020-10-27T14:32:25Z"
}

NetworkTopologyMap

You can send a network topology map report by using the network topology map API methods.

Send a network topology map report.

You can send a network topology map report in Kaspersky Industrial CyberSecurity for Networks by using this API.

path Parameters

version

required

string

Request Body schema:
application/json-patch+json
application/json-patch+json
application/json
text/json
application/*+json

Request to send a network topology map report.

apmId	integer <int64> Unique ID of active polling method.
	Array of objects (NtmNodeInfo) Nullable List of nodes.

Responses

Request samples

Payload

Content type

{"apmId": 1,
"nodes": [{"timestamp": "2020-01-01T12:00:00",
"rawData": "specific data"
}
]
}

Response samples

400

Content type

application/json

{"error": "Error text"
}

ProtocolStacks

Kaspersky Industrial CyberSecurity for Networks uses several dictionaries, including a dictionary of protocols.
You can get protocols from Kaspersky Industrial CyberSecurity for Networks by using protocol-stacks API methods.

Query protocol stacks dictionary.

path Parameters

version

required

string

Responses

Response samples

200

Content type

application/json

[{"protocolStackId": 12345,
"name": "Modbus TCP",
"protocolStackName": "TCP/Modbus TCP",
"parentId": 5001,
"etherType": 123,
"ipType": 345,
"customType": "345",
"isIndustrial": true,
"isActive": true
}
]

Query single protocol stack.

path Parameters

id required	integer <int64> >= 1 ID of the queried ProtocolStack.
version required	string

Responses

Response samples

200

Content type

application/json

{"protocolStackId": 12345,
"name": "ModbusTcp",
"protocolStackName": "TCP/ModbusTcp",
"parentId": 5001,
"etherType": 123,
"ipType": 345,
"customType": "345",
"isIndustrial": true,
"isActive": true
}

Risks

Kaspersky Industrial CyberSecurity for Networks can detect the risks of devices. One asset can have multiple risks.
You can get risks from Kaspersky Industrial CyberSecurity for Networks by using the risks API methods.

Query several risk entries.

Returns a specified number of risk entries starting from a certain offset (but not including entry with specified offset). You can specify filtering and paging options for risk entries. By default, risk entries are not sorted. You should use {sort} property from argument to specify sort order.
Fields that can be used for filtering:

id
typeId
name
category
score
cveSource
sourceIp
sourceMac
destinationIp
destinationMac
assetId
assetGroup
assetName
assetAddress
state
firstDetected
lastStateChanged
attackConditions
impact
vector
matchedCpes:cpe

Fields that can be used for sorting:

id

path Parameters

version

required

string

Request Body schema:
application/json-patch+json
application/json-patch+json
application/json
text/json
application/*+json

Query argument. This argument allows you to define the parameters for filtering and sorting, the offset and maximum number of risks in the returned results.

filter	object Nullable Filtering parameters. To define a filter in a query, an array of filtering conditions is passed in the filter object: Each item of this array indicates the name of the field to be used for filtering and the filter conditions. If no filtering conditions are defined (there is no object filtering array or it is empty), all objects of the specific type are returned. To configure filtering in a query, the filter object containing an array of conditions is defined. An item of this array can be either a condition or a group of conditions in the form of a conditions array. The maximum nesting of groups is three levels (including the first). Each condition can have the following parameters: field (required) - object field name from the table of fields of the specific object type in camelCase. Subparameters are indicated after a colon (example - IP address of the source field: "source:ipAddress"). condition(optional) - condition for the field value. Supported options: "=" - equals. This is also used if this parameter is not defined. "<>" - does not equal. ">" - the value of field is larger than value. Applicable only to numerical and time values. ">=" - the value of field is larger than or equal to value. Applicable only to numerical and time values. "<" - the value of field is less than value. Applicable only to numerical and time values. "<=" - the value of field is less than or equal to value. Applicable only to numerical and time values. "IsEmpty" - the value of field is empty. Value is ignored. "IsOneOf" - the value of field is empty or is equal to one of the values in the value array. Value contains an array of possible values. value - value or values that are compared. Members of enums are indicated as strings in the English locale without spaces, special characters, or anything indicated in brackets. Examples: "DPI", "Warning", "EngineeringWorkstation". Dates are indicated in ISO_8601 format with full indication of all parts of the date and time. Example: "2020-10-25T17:32:25.707Z". operator - logical operation that merges this condition with other conditions and groups of conditions at the specific level. The operator of the first top-level condition is ignored. The operator of the first condition in a group is considered to be the operator of this group. Supported options: "and" - the condition is added by AND. It is also used if this parameter is not defined. "or" - the condition is added by OR. Parsing of the values of parameters and all comparisons are not case sensitive. If an unsupported parameter value is defined, the "Incorrect parameters" error is returned with the name and value of the parameter. Example of a simple condition with an AND conjunction. { "query": { ... "filter": [ { "field": "propName3", "condition": "isOneOf", "value": ["DPI", "NIC", "CC"], }, { "field": "propName4", "condition": ">=", "value": "2020-10-27T17:32:25.806Z" } ] } } Example of a set of conditions with a nested conditions group in which the conditions are merged by OR, while the top-level conditions are merged by AND: { "query": { ... "filter": [ [ { "field": "propName1", "condition": ">=", "value": 10 }, { "field": "propName1", "value": 1, "operator": "or" } ], { "field": "propName3", "condition": "isOneOf", "value": ["DPI", "NIC", "CC"] }, { "field": "propName4", "condition": ">=", "value": "2020-10-27T17:32:25.806Z" } ] } }
	Array of objects (ColumnOrderDto) Nullable Sorting results. The list of columns that can participate in sorting depends on the type of requested data. A full list is provided in the description of the corresponding paging method.
offset	integer <int32> [ 0 .. 2147483647 ] Nullable 0-based index of the item in the full list where the results must begin. If no offset is specified, the results return the data beginning at the start of the full list.
limit	integer <int32> [ 0 .. 1000 ] Nullable Maximum number of items in the results. If no limit is specified, the results return all data beginning from the offset or from the start of the list depending on whether an offset is defined.

Responses

Request samples

Payload

Content type

{"filter": [{"field": "Score",
"condition": ">",
"value": 5
},
{"field": "State",
"condition": "<>",
"value": "Remediated"
}
],
"sort": [{"column": "Id",
"direction": "Asc",
"nullsBehaviour": null
}
],
"offset": 200,
"limit": 100
}

Response samples

200

Content type

application/json

{"offset": 200,
"limit": 100,
"values": [{"id": 12345,
"typeId": 121327,
"name": "Some risk detected.",
"category": "Vulnerability",
"baseScore": 5.9,
"score": 5.9,
"cveSource": "NVD",
"protocolStackId": 1,
"sourcePort": 8081,
"sourceIp": "192.168.0.1",
"sourceIpAddressSpaceId": null,
"sourceMac": "aa:bb:cc:dd:ee:ff",
"sourceMacAddressSpaceId": null,
"destinationPort": 8082,
"destinationIp": "192.168.0.1",
"destinationIpAddressSpaceId": null,
"destinationMac": "aa:bb:cc:dd:ee:ff",
"destinationMacAddressSpaceId": null,
"assetGroup": "Group / Subgroup",
"assetName": "Asset 1",
"assetAddress": "192.168.0.1",
"assetId": 5678,
"state": "Active",
"comments": "User comments",
"firstDetected": "2020-10-27T14:32:25Z",
"lastStateChanged": "2020-10-27T14:32:26Z",
"description": "Long description text",
"attackConditions": "Attack conditions text",
"impact": "Some impact",
"vector": "Vector text",
"cveId": "CVE identifier",
"bduFstecIds": "BDU:2019-00775, BDU:2019-01763",
"mitigations": [{"id": 234788,
"type": "Primary",
"typeName": "Primary mitigation",
"source": "Vendor",
"sourceName": "Provided by vendor",
"mitigation": "Update the firmware"
}
],
"references": [{"id": 123,
"type": "VendorAdvisory",
"typeName": "Vendor advisory text",
"uri": "http://my.server/1.pdf",
"title": "Reference title"
}
],
"cveEvents": [{"id": 213578,
"type": "AdvisoryPublished",
"typeName": "Event has been published",
"date": "2020-10-27T14:32:25Z"
}
],
"matchedCpes": [{"id": 1,
"cpe": "SFGSFGSDFGSDFGSDFGDF",
"displayName": "Siemens firmware",
"targetType": "Hardware",
"viewOrder": 0
}
],
"events": [{"id": 23234,
"timeStampLastSeen": "2020-10-27T14:32:25Z",
"title": "Some event",
"userState": "Active"
}
],
"otherAssets": [{"id": 2,
"title": "Asset 2",
"address": "192.168.0.2"
}
]
}
]
}

Query single risk.

path Parameters

id required	integer <int64> >= 1 ID of the queried risk.
version required	string

Responses

Response samples

200

Content type

application/json

{"id": 12345,
"typeId": 31231,
"name": "Some risk detected.",
"category": "Vulnerability",
"baseScore": 5.9,
"score": 5.9,
"cveSource": "NVD",
"protocolStackId": 1,
"sourcePort": 8081,
"sourceIp": "192.168.0.1",
"sourceIpAddressSpaceId": 1,
"sourceMac": "aa:bb:cc:dd:ee:ff",
"sourceMacAddressSpaceId": 2,
"destinationPort": 8082,
"destinationIp": "192.168.0.1",
"destinationIpAddressSpaceId": 3,
"destinationMac": "aa:bb:cc:dd:ee:ff",
"destinationMacAddressSpaceId": 4,
"assetGroup": "Group / Subgroup",
"assetName": "Asset 1",
"assetAddress": "192.168.0.1",
"assetId": 5678,
"state": "Active",
"comments": "User comments",
"firstDetected": "2020-10-27T14:32:25Z",
"lastStateChanged": "2020-10-27T14:32:26Z",
"description": "Long description text",
"attackConditions": "Attack conditions text",
"impact": "Some impact",
"vector": "Vector text",
"cveId": "CVE identifier",
"bduFstecIds": "BDU:2019-00775, BDU:2019-01763",
"mitigations": [{"id": 234788,
"type": "Primary",
"typeName": "Primary mitigation",
"source": "Vendor",
"sourceName": "Provided by vendor",
"mitigation": "Update the firmware"
}
],
"references": [{"id": 123,
"type": "VendorAdvisory",
"typeName": "Vendor advisory text",
"uri": "http://my.server/1.pdf",
"title": "Reference title"
}
],
"cveEvents": [{"id": 213578,
"type": "AdvisoryPublished",
"typeName": "Event has been published",
"date": "2020-10-27T14:32:25Z"
}
],
"matchedCpes": [{"id": 1,
"cpe": "SFGSFGSDFGSDFGSDFGDF",
"displayName": "Siemens firmware",
"targetType": "Hardware",
"viewOrder": 0
}
],
"events": [{"id": 23234,
"timeStampLastSeen": "2020-10-27T14:32:25Z",
"title": "Some event",
"userState": "Active"
}
],
"otherAssets": [{"id": 2,
"title": "Asset 2",
"address": "192.168.0.2"
}
]
}

Create new risk.

You can create risks in Kaspersky Industrial CyberSecurity for Networks by using this API.

path Parameters

version

required

string

Request Body schema:
application/json-patch+json
application/json-patch+json
application/json
text/json
application/*+json

Parameters of the created risk.

typeId	integer <int64> >= 0 Unique ID of the risk type.
baseScore	number <float> [ 0 .. 10 ] Nullable Base risk score.
name	string <= 8192 characters Nullable Name of the risk.
description	string <= 65536 characters Nullable Description of the risk.
firstDetected	string <date-time> Time when the risk was first detected in the specific device.
lastStateChanged	string <date-time> Time when the risk last changed its state.
deviceId	integer <int64> >= 0 Nullable ID of the device where the risk was detected.
sourceIp	string Nullable IP address of one of the communication participants, due to which the risk was generated (filled only if there is communication).
sourceIpAddressSpaceId	integer <int64> >= 0 Nullable Address space identifier of source IP address.
sourceMac	string Nullable MAC address of one of the communication participants, due to which the risk was generated (filled only if there is communication).
sourceMacAddressSpaceId	integer <int64> >= 0 Nullable Address space identifier of source MAC address.
sourcePort	integer <int32> [ 0 .. 65535 ] Nullable Port of one of the communication participants, due to which the risk was generated (filled only if there is communication).
destinationIp	string Nullable IP address of the second communication participant, due to which the risk was generated (filled only if there is communication).
destinationIpAddressSpaceId	integer <int64> >= 0 Nullable Address space identifier of destination IP address.
destinationMac	string Nullable MAC address of the second communication participant, due to which the risk was generated (filled only if there is communication).
destinationMacAddressSpaceId	integer <int64> >= 0 Nullable Address space identifier of destination MAC address.
destinationPort	integer <int32> [ 0 .. 65535 ] Nullable Port of the second communication participant, due to which the risk was generated (filled only if there is communication).
comments	string <= 1000 characters Nullable User comments of the risk.
	Array of objects (RiskMitigationParameters) Nullable Recommendations on the risk mitigation.
	object (VulnerabilityRiskParameters)

Responses

Request samples

Payload

Content type

{"typeId": 1,
"baseScore": 5.5,
"name": "Some name",
"description": "Some description",
"firstDetected": "2020-10-27T14:32:25Z",
"lastStateChanged": "2020-10-27T14:32:26Z",
"deviceId": 1,
"sourceIp": "192.168.1.2",
"sourceIpAddressSpaceId": 1,
"sourceMac": "aa:bb:cc:dd:ee:ff",
"sourceMacAddressSpaceId": 2,
"sourcePort": 8081,
"destinationIp": "192.168.0.1",
"destinationIpAddressSpaceId": 3,
"destinationMac": "aa:bb:cc:dd:ee:ff",
"destinationMacAddressSpaceId": 4,
"destinationPort": 8082,
"comments": "User comments",
"mitigations": [{"type": "Primary",
"typeName": "Some type name",
"source": "Vendor",
"sourceName": "Some source name",
"mitigation": "Risk mitigation"
}
],
"vulnerabilityRiskInfo": {"cveId": "Cve identifier",
"matchedCpe": "Matched cpe",
"cpeDisplayName": "Cpe display name",
"cpeTarget": "Software",
"published": "2020-10-27T14:32:25Z",
"references": [{"type": "VendorAdvisory",
"typeName": "Vendor advisory text",
"uri": "http://my.server/1.pdf",
"title": "Reference title"
}
],
"attackConditions": "Attack conditions text",
"impact": "Some impact",
"vector": "Vector text",
"bduFstecIds": "BDU:2019-00775"
}
}

Response samples

400

Content type

application/json

"string"

Update existing risk comments.

path Parameters

id required	integer <int64> >= 1 ID of the risk.
version required	string

Request Body schema:
application/json-patch+json
application/json-patch+json
application/json
text/json
application/*+json

New risk comments string.

string <= 65536 characters

Responses

Request samples

Payload

Content type

"string"

Response samples

400

Content type

application/json

"string"

Set a new state for the existing risk.

path Parameters

id required	integer <int64> >= 1 ID of the risk.
version required	string

Request Body schema:
application/json-patch+json
application/json-patch+json
application/json
text/json
application/*+json

New risk state.

string (UpdateRiskStateRequest)

Enum: "Active" "Accepted"

Responses

Request samples

Payload

Content type

"Active"

Response samples

400

Content type

application/json

"string"

ServerSettings

Provides the capability for a recipient system to query data on the general settings of Kaspersky Industrial CyberSecurity for Networks. You can get server settings from Kaspersky Industrial CyberSecurity for Networks by using the server settings API methods.

Returns information about the locale being used by the product.

path Parameters

version

required

string

Responses

Response samples

200

Content type

application/json

{"localization": "ru"
}

Technologies

Information about the state of the technologies.
You can get information about the state of the technologies by using the technologies API methods.

Get information about the state of the technologies.

path Parameters

version

required

string

Responses

Response samples

200

Content type

application/json

[{"type": "Ids",
"name": "Arpspoofing",
"enabled": true,
"mode": "NotSupported",
"status": "Ok",
"errorMessage": ""
},
{"type": "Am",
"name": "AttributeDiscovery",
"enabled": true,
"mode": "NotSupported",
"status": "InProgress",
"errorMessage": ""
},
{"type": "Nic",
"name": "NetworkIntegrityControl",
"enabled": true,
"mode": "Learning",
"status": "Error",
"errorMessage": "Something wrong"
}
]

Kaspersky Industrial CyberSecurity for Networks Public API (v4)

Authentication

Bearer authentication

About

Get information about the Kaspersky Industrial CyberSecurity for Networks version.

path Parameters

Responses

Response samples

AddressSpaces

Query several address spaces.

path Parameters

Request Body schema: application/json-patch+jsonapplication/json-patch+jsonapplication/jsontext/jsonapplication/*+json

Responses

Request samples

Response samples

Query single address space.

path Parameters

Responses

Response samples

AllowRules

Query single allowing rule.

path Parameters

Responses

Response samples

Edit existing allowing rule.

path Parameters

Request Body schema: application/json-patch+jsonapplication/json-patch+jsonapplication/jsontext/jsonapplication/*+json

Responses

Request samples

Remove existing allowing rule.

path Parameters

Responses

Query several allowing rules.

path Parameters

Request Body schema: application/json-patch+jsonapplication/json-patch+jsonapplication/jsontext/jsonapplication/*+json

Responses

Request samples

Response samples

ApplicationMessages

Query several application messages.

path Parameters

Request Body schema: application/json-patch+jsonapplication/json-patch+jsonapplication/jsontext/jsonapplication/*+json

Responses

Request samples

Response samples

AuditMessages

Query several audit entries.

path Parameters

Request Body schema: application/json-patch+jsonapplication/json-patch+jsonapplication/jsontext/jsonapplication/*+json

Responses

Request samples

Response samples

Configuration

Returns information about the current connector.

path Parameters

Responses

Response samples

Devices

Query several devices.

path Parameters

Request Body schema: application/json-patch+jsonapplication/json-patch+jsonapplication/jsontext/jsonapplication/*+json

Responses

Request samples

Response samples

Query single device.

path Parameters

Responses

Response samples

Partial change device fields.

path Parameters

query Parameters

Request Body schema: application/json-patch+jsonapplication/json-patch+jsonapplication/jsontext/jsonapplication/*+json

Responses

Request samples

Response samples

Edit existing device.

path Parameters

Request Body schema: application/json-patch+jsonapplication/json-patch+jsonapplication/jsontext/jsonapplication/*+json

Responses

Request samples

Request Body schema:
application/json-patch+json
application/json-patch+json
application/json
text/json
application/*+json

Request Body schema:
application/json-patch+json
application/json-patch+json
application/json
text/json
application/*+json

Request Body schema:
application/json-patch+json
application/json-patch+json
application/json
text/json
application/*+json

Request Body schema:
application/json-patch+json
application/json-patch+json
application/json
text/json
application/*+json

Request Body schema:
application/json-patch+json
application/json-patch+json
application/json
text/json
application/*+json

Request Body schema:
application/json-patch+json
application/json-patch+json
application/json
text/json
application/*+json

Request Body schema:
application/json-patch+json
application/json-patch+json
application/json
text/json
application/*+json

Request Body schema:
application/json-patch+json
application/json-patch+json
application/json
text/json
application/*+json

Request Body schema:
application/json-patch+json
application/json-patch+json
application/json
text/json
application/*+json

Request Body schema:
application/json-patch+json
application/json-patch+json
application/json
text/json
application/*+json

Request Body schema:
application/json-patch+json
application/json-patch+json
application/json
text/json
application/*+json

Request Body schema:
application/json-patch+json
application/json-patch+json
application/json
text/json
application/*+json

Request Body schema:
application/json-patch+json
application/json-patch+json
application/json
text/json
application/*+json