Kaspersky Industrial CyberSecurity for Networks Public API (v4)

Download OpenAPI specification:Download

Public API for external connectors

Authentication

Bearer authentication

All API methods must include an access token to authenticate and authorize calls in a request header. Specifying an access token in a URI is not supported. Not specifying an access token in these cases results in a returned 401 error code.

Security Scheme Type	HTTP
HTTP Authorization Scheme	bearer
Bearer format	"JWT"

About

Product information includes Kaspersky Industrial CyberSecurity for Networks release version and a list of installed components and their versions.
You can get product version and component information from Kaspersky Industrial CyberSecurity for Networks using the about API methods.

Getting product information

path Parameters

version

required

string

Responses

Response samples

200

Content type

application/json

{"version": "4.0.0.343",
"updateableComponents": [{"type": "Icr",
"releaseTime": "2022-08-21T23:00:07"
},
{"type": "Idsir",
"releaseTime": "2022-08-21T23:00:07"
}
]
}

AddressSpaces

Kaspersky Industrial CyberSecurity for Networks allows a recipient system to query information about a single address space or several address spaces.

Querying several address spaces

You can get several address spaces starting from a certain offset, not including an address spaces with the specified offset. You can specify filtering and paging options for the address spaces. By default, address spaces are not sorted. Use the sort property from argument to specify sorting order.
You can use the following fields for filtering:

id
name
readOnly
rules:id
rules:vlanType
rules:subnetType
rules:subnetType
rules:subnets:from
rules:subnets:to
rules:vlans:from
rules:vlans:to
rules:monitoringPoints:id
rules:connectors:id
rules:eppProxyNodes:id

You can use the following fields for sorting:

id

path Parameters

version

required

string

Request Body schema:
application/json-patch+json
application/json-patch+json
application/json
text/json
application/*+json

Query argument. Specify the argument to define parameters for filtering and sorting, such as an offset and a maximum number of address spaces in the returned results.

filter	object Nullable Filtering parameters. To define a filter, pass an array of filtering conditions to the filter object: Each item in the array indicates a name of the field to be used for filtering and filtering conditions. If no filtering conditions are defined (there is no object filtering array or it is empty), all objects of the specified type are returned. To configure filtering, define a filter object containing an array of conditions. Each item in the array can be a condition or a group of conditions in the form of an array. The maximum nesting of groups is three levels, including the first. Each filtering condition can have the following parameters: field (required)—Object field name from the table of fields of the specific object type, in the camelCase format. Specify subparameters after a colon. For example, to specify an IP address of a source field, use "source:ipAddress". condition (optional)—Filtering condition for the field value. Supported values: "="—Equals. This value is also used if this parameter is not defined. "<>"—Does not equal. ">"—Field value is larger than the value in the value array. Use only for numeric and time values. ">="—Field value is larger than or equals to the value in the value array. Use only for numeric and time values. "<"—Field value is less than the value in a value array. Use only for numeric and time values. "<="—Field value is less than or equals to the value in a value array. Use only for numeric and time values. "IsEmpty"—Field value is empty. The value in the value array is ignored. "IsOneOf"—Field value is empty or equals to one of the values in the value array. The value array contains an array of possible values. value—Value or values with which the field is compared. Specify elements of enums as strings in the English locale without spaces, special characters, or brackets. For example, "DPI", "Warning", "EngineeringWorkstation". Specify dates in the ISO 8601 format with full indication of all parts of the date and time. For example, "2020-10-25T17:32:25.707Z". operator—Logical operator that combines conditions and condition groups at a specific level. The operator in the first top-level condition is ignored. The operator in the first condition in a group is considered to be the operator of this group. Supported values: "and"—Condition is added with the AND operator. This operator is also used if the parameter is not defined. "or"—Condition is added with the OR operator. Parameter values and all comparisons are not case sensitive. If an unsupported parameter value is defined, the "Incorrect parameters" error is returned with the name and value of the parameter. Example of a simple condition with the AND operator. { "query": { ... "filter": [ { "field": "propName3", "condition": "isOneOf", "value": ["DPI", "NIC", "CC"], }, { "field": "propName4", "condition": ">=", "value": "2020-10-27T17:32:25.806Z" } ] } } Example of a set of conditions with a nested condition group. The conditions in the group are combined with the OR operator, while the top-level conditions are combined with the AND operator. { "query": { ... "filter": [ [ { "field": "propName1", "condition": ">=", "value": 10 }, { "field": "propName1", "value": 1, "operator": "or" } ], { "field": "propName3", "condition": "isOneOf", "value": ["DPI", "NIC", "CC"] }, { "field": "propName4", "condition": ">=", "value": "2020-10-27T17:32:25.806Z" } ] } }
	Array of objects (ColumnOrderDto) Nullable Sorting parameters. A list of columns that can be sorted depends on the type of requested data. A full list is provided in the description of the corresponding paging method.
offset	integer <int32> [ 0 .. 2147483647 ] Nullable Zero-based index of the item in the full list from which the sorting must begin. If no offset is specified, the sorting results start at the beginning of the full list.
limit	integer <int32> [ 0 .. 1000 ] Nullable Maximum number of items in the results. If no limit is specified, the method returns all data beginning from the offset.

Responses

Request samples

Payload

Content type

{"filter": [{"field": "Id",
"condition": ">",
"value": 12370
},
{"field": "ReadOnly",
"condition": "=",
"value": false
}
],
"sort": [{"column": "Id",
"direction": "Asc",
"nullsBehaviour": null
}
],
"offset": 200,
"limit": 100
}

Response samples

200

Content type

application/json

{"offset": 200,
"limit": 100,
"values": [{"id": 123456,
"name": "AddressSpace1",
"description": "AddressSpace1 description",
"readOnly": false,
"rules": [{"id": 2323,
"description": "AddressSpaceRule description",
"vlanType": "SpecificVlans",
"subnetType": "L2AndL3",
"trafficSource": "MonitoringPoints",
"subnets": [{"from": "192.168.0.1",
"to": "192.168.0.100"
},
{"from": "10.16.0.0/16",
"to": null
}
],
"vlans": [{"from": 1,
"to": 10
}
],
"monitoringPoints": [{"id": 1
}
],
"eppProxyNodes": null,
"activePollingConnectors": null
}
]
}
]
}

Querying a single address space

path Parameters

id required	integer <int64> >= 0 ID of the requested address space.
version required	string

Responses

Response samples

200

Content type

application/json

{"id": 123456,
"name": "string",
"description": "string",
"readOnly": true,
"rules": [{"id": 123456,
"description": "string",
"vlanType": "AnyVlanOrNoVlanTagged",
"subnetType": "L2Only",
"trafficSource": "MonitoringPoints",
"subnets": [{"from": "string",
"to": "string"
}
],
"vlans": [{"from": 0,
"to": 0
}
],
"monitoringPoints": [{"id": 123456
}
],
"eppProxyNodes": [{"eppProxyId": 0
}
],
"activePollingConnectors": [{"id": 0
}
]
}
]
}

AllowRules

Allowing rules can be of the following types:

Rules with the type "Event" can reduce the number of repeated events that do not require operator attention in Kaspersky Industrial CyberSecurity for Networks.
Rules with the type "Nic" can add network communications to the allowlist using a specific protocol.
Rules with the type "CommandControl" can add certain system commands to the allowlist.

You can get allowing rules from Kaspersky Industrial CyberSecurity for Networks using the allowing rules API methods.

Querying a single allowing rule

path Parameters

id required	integer <int64> >= 1 ID of the requested allowing rule.
version required	string

Responses

Response samples

200

Content type

application/json

{"commands": "ADD; CHECKPOINT LOAD; CHECKPOINT LOAD FINISH; CHECKPOINT LOAD INIT - RESPONSE; CHECKPOINT LOAD STOP",
"protocols": "Foxboro FCP280/FCP270 - device interaction",
"isDpiDetectable": false,
"addressType": "Ip",
"timestampCreated": "2020-10-26T10:15:06",
"timestampModified": "2020-10-26T11:15:06",
"monitoringPoint": "",
"monitoringPointTimestampDeleted": null,
"id": 12369,
"isActive": true,
"ruleType": "Nic",
"side1": {"macAddressRanges": [{"from": "ff:ff:ff:ff:ff:ff",
"to": "ff:ff:ff:ff:ff:ff"
}
],
"ipAddressRanges": [{"from": "1.1.1.1",
"to": "1.1.1.10"
}
],
"portAddressRanges": [{"from": 8000,
"to": 8080
}
],
"ipAddressSpaceIds": [123,
567,
892
],
"macAddressSpaceIds": [233,
577
]
},
"side2": {"macAddressRanges": [{"from": "00:50:56:ac:b5:32",
"to": "00:50:56:ac:b5:45"
}
],
"ipAddressRanges": [{"from": "1.1.1.1",
"to": "1.1.1.10"
},
{"from": "1.1.12.1",
"to": "1.1.12.10"
}
],
"portAddressRanges": [ ],
"ipAddressSpaceIds": [0
],
"macAddressSpaceIds": [0
]
},
"comment": "",
"isAutoGenerated": true,
"eventType": "",
"eventTypeId": 0,
"triggeredRule": ""
}

Editing an existing allowing rule

You can edit allowing rule data in Kaspersky Industrial CyberSecurity for Networks using this API.

path Parameters

id required	integer <int64> >= 1 ID of the allowing rule that you want to edit.
version required	string

Request Body schema:
application/json-patch+json
application/json-patch+json
application/json
text/json
application/*+json

You can edit the following parameters of the allowing rule:

IsActive

isActive

required

boolean

Activity state of the allowing rule.

Responses

Request samples

Payload

Content type

{"isActive": true
}

Removing an existing allowing rule

You can remove allowing rules from Kaspersky Industrial CyberSecurity for Networks using this API.

path Parameters

id required	integer <int64> >= 1 ID of the allowing rule that you want to remove.
version required	string

Responses

Querying several allowing rules

You can get several allowing rules starting from a certain offset, not including the rules with the specified offset. You can specify filtering and paging options for the rules. By default, allowing rules are not sorted. Use the sort property from argument to specify sorting order.
You can use the following fields for filtering:

Id
IsActive
RuleType
Commands
Protocols
TimestampCreated
TimestampModified
TriggeredRule
MonitoringPoint
EventType
IsAutoGenerated

You can use the following fields for sorting:

Id

path Parameters

version

required

string

Request Body schema:
application/json-patch+json
application/json-patch+json
application/json
text/json
application/*+json

Query argument. Specify the argument to define the parameters for filtering and sorting, such as an offset and a maximum number of allowing rules in the returned results.

filter	object Nullable Filtering parameters. To define a filter, pass an array of filtering conditions to the filter object: Each item in the array indicates a name of the field to be used for filtering and filtering conditions. If no filtering conditions are defined (there is no object filtering array or it is empty), all objects of the specified type are returned. To configure filtering, define a filter object containing an array of conditions. Each item in the array can be a condition or a group of conditions in the form of an array. The maximum nesting of groups is three levels, including the first. Each filtering condition can have the following parameters: field (required)—Object field name from the table of fields of the specific object type, in the camelCase format. Specify subparameters after a colon. For example, to specify an IP address of a source field, use "source:ipAddress". condition (optional)—Filtering condition for the field value. Supported values: "="—Equals. This value is also used if this parameter is not defined. "<>"—Does not equal. ">"—Field value is larger than the value in the value array. Use only for numeric and time values. ">="—Field value is larger than or equals to the value in the value array. Use only for numeric and time values. "<"—Field value is less than the value in a value array. Use only for numeric and time values. "<="—Field value is less than or equals to the value in a value array. Use only for numeric and time values. "IsEmpty"—Field value is empty. The value in the value array is ignored. "IsOneOf"—Field value is empty or equals to one of the values in the value array. The value array contains an array of possible values. value—Value or values with which the field is compared. Specify elements of enums as strings in the English locale without spaces, special characters, or brackets. For example, "DPI", "Warning", "EngineeringWorkstation". Specify dates in the ISO 8601 format with full indication of all parts of the date and time. For example, "2020-10-25T17:32:25.707Z". operator—Logical operator that combines conditions and condition groups at a specific level. The operator in the first top-level condition is ignored. The operator in the first condition in a group is considered to be the operator of this group. Supported values: "and"—Condition is added with the AND operator. This operator is also used if the parameter is not defined. "or"—Condition is added with the OR operator. Parameter values and all comparisons are not case sensitive. If an unsupported parameter value is defined, the "Incorrect parameters" error is returned with the name and value of the parameter. Example of a simple condition with the AND operator. { "query": { ... "filter": [ { "field": "propName3", "condition": "isOneOf", "value": ["DPI", "NIC", "CC"], }, { "field": "propName4", "condition": ">=", "value": "2020-10-27T17:32:25.806Z" } ] } } Example of a set of conditions with a nested condition group. The conditions in the group are combined with the OR operator, while the top-level conditions are combined with the AND operator. { "query": { ... "filter": [ [ { "field": "propName1", "condition": ">=", "value": 10 }, { "field": "propName1", "value": 1, "operator": "or" } ], { "field": "propName3", "condition": "isOneOf", "value": ["DPI", "NIC", "CC"] }, { "field": "propName4", "condition": ">=", "value": "2020-10-27T17:32:25.806Z" } ] } }
	Array of objects (ColumnOrderDto) Nullable Sorting parameters. A list of columns that can be sorted depends on the type of requested data. A full list is provided in the description of the corresponding paging method.
offset	integer <int32> [ 0 .. 2147483647 ] Nullable Zero-based index of the item in the full list from which the sorting must begin. If no offset is specified, the sorting results start at the beginning of the full list.
limit	integer <int32> [ 0 .. 1000 ] Nullable Maximum number of items in the results. If no limit is specified, the method returns all data beginning from the offset.

Responses

Request samples

Payload

Content type

{"filter": [{"field": "Id",
"condition": ">",
"value": 12370
},
{"field": "EventType",
"condition": "=",
"value": "Nic"
}
],
"sort": [{"column": "Id",
"direction": "Asc",
"nullsBehaviour": null
}
],
"offset": 200,
"limit": 100
}

Response samples

200

Content type

application/json

{"offset": 200,
"limit": 100,
"values": [{"commands": "ADD; CHECKPOINT LOAD; CHECKPOINT LOAD FINISH; CHECKPOINT LOAD INIT - RESPONSE; CHECKPOINT LOAD STOP",
"protocols": "Foxboro FCP280/FCP270 - device interaction",
"isDpiDetectable": false,
"addressType": "Ip",
"timestampCreated": "2020-10-26T10:15:06",
"timestampModified": "2020-10-26T11:15:06",
"monitoringPoint": "",
"monitoringPointTimestampDeleted": null,
"id": 12371,
"isActive": true,
"ruleType": "Nic",
"side1": {"macAddressRanges": [{"from": "ff:ff:ff:ff:ff:ff",
"to": "ff:ff:ff:ff:ff:ff"
}
],
"ipAddressRanges": [{"from": "1.1.1.1",
"to": "1.1.1.10"
}
],
"portAddressRanges": [{"from": 8000,
"to": 8080
}
],
"ipAddressSpaceIds": [123,
567,
892
],
"macAddressSpaceIds": [233,
577
]
},
"side2": {"macAddressRanges": [{"from": "00:50:56:ac:b5:32",
"to": "00:50:56:ac:b5:45"
}
],
"ipAddressRanges": [{"from": "1.1.1.1",
"to": "1.1.1.10"
},
{"from": "1.1.12.1",
"to": "1.1.12.10"
}
],
"portAddressRanges": [ ],
"ipAddressSpaceIds": [0
],
"macAddressSpaceIds": [0
]
},
"comment": "",
"isAutoGenerated": true,
"eventType": "",
"eventTypeId": 0,
"triggeredRule": ""
}
]
}

ApplicationMessages

An application message log stores information about errors in application operation and errors in operations performed by system processes of Kaspersky Industrial CyberSecurity for Networks.
You can get application messages from Kaspersky Industrial CyberSecurity for Networks using the application messages API methods.

Querying several application messages

You can get several application messages starting from a certain offset, not including the application message with the specified offset. You can specify filtering and paging options for the application messages. By default, application messages are not sorted. Use the sort property from argument to specify sorting order.
You can use the following fields for filtering:

id
date
status
node
systemProcess
descriptionId

You can use the following fields for sorting:

id

path Parameters

version

required

string

Request Body schema:
application/json-patch+json
application/json-patch+json
application/json
text/json
application/*+json

Query argument. Specify the argument to define the parameters for filtering and sorting, such as an offset and a maximum number of application messages in the returned results.

filter	object Nullable Filtering parameters. To define a filter, pass an array of filtering conditions to the filter object: Each item in the array indicates a name of the field to be used for filtering and filtering conditions. If no filtering conditions are defined (there is no object filtering array or it is empty), all objects of the specified type are returned. To configure filtering, define a filter object containing an array of conditions. Each item in the array can be a condition or a group of conditions in the form of an array. The maximum nesting of groups is three levels, including the first. Each filtering condition can have the following parameters: field (required)—Object field name from the table of fields of the specific object type, in the camelCase format. Specify subparameters after a colon. For example, to specify an IP address of a source field, use "source:ipAddress". condition (optional)—Filtering condition for the field value. Supported values: "="—Equals. This value is also used if this parameter is not defined. "<>"—Does not equal. ">"—Field value is larger than the value in the value array. Use only for numeric and time values. ">="—Field value is larger than or equals to the value in the value array. Use only for numeric and time values. "<"—Field value is less than the value in a value array. Use only for numeric and time values. "<="—Field value is less than or equals to the value in a value array. Use only for numeric and time values. "IsEmpty"—Field value is empty. The value in the value array is ignored. "IsOneOf"—Field value is empty or equals to one of the values in the value array. The value array contains an array of possible values. value—Value or values with which the field is compared. Specify elements of enums as strings in the English locale without spaces, special characters, or brackets. For example, "DPI", "Warning", "EngineeringWorkstation". Specify dates in the ISO 8601 format with full indication of all parts of the date and time. For example, "2020-10-25T17:32:25.707Z". operator—Logical operator that combines conditions and condition groups at a specific level. The operator in the first top-level condition is ignored. The operator in the first condition in a group is considered to be the operator of this group. Supported values: "and"—Condition is added with the AND operator. This operator is also used if the parameter is not defined. "or"—Condition is added with the OR operator. Parameter values and all comparisons are not case sensitive. If an unsupported parameter value is defined, the "Incorrect parameters" error is returned with the name and value of the parameter. Example of a simple condition with the AND operator. { "query": { ... "filter": [ { "field": "propName3", "condition": "isOneOf", "value": ["DPI", "NIC", "CC"], }, { "field": "propName4", "condition": ">=", "value": "2020-10-27T17:32:25.806Z" } ] } } Example of a set of conditions with a nested condition group. The conditions in the group are combined with the OR operator, while the top-level conditions are combined with the AND operator. { "query": { ... "filter": [ [ { "field": "propName1", "condition": ">=", "value": 10 }, { "field": "propName1", "value": 1, "operator": "or" } ], { "field": "propName3", "condition": "isOneOf", "value": ["DPI", "NIC", "CC"] }, { "field": "propName4", "condition": ">=", "value": "2020-10-27T17:32:25.806Z" } ] } }
	Array of objects (ColumnOrderDto) Nullable Sorting parameters. A list of columns that can be sorted depends on the type of requested data. A full list is provided in the description of the corresponding paging method.
offset	integer <int32> [ 0 .. 2147483647 ] Nullable Zero-based index of the item in the full list from which the sorting must begin. If no offset is specified, the sorting results start at the beginning of the full list.
limit	integer <int32> [ 0 .. 1000 ] Nullable Maximum number of items in the results. If no limit is specified, the method returns all data beginning from the offset.

Responses

Request samples

Payload

Content type

{"filter": [{"field": "Id",
"condition": ">",
"value": 12370
},
{"field": "Status",
"condition": "=",
"value": "CriticalMalfunction"
}
],
"sort": [{"column": "Id",
"direction": "Asc",
"nullsBehaviour": null
}
],
"offset": 200,
"limit": 100
}

Response samples

200

Content type

application/json

{"offset": 200,
"limit": 100,
"values": [{"id": 12345,
"date": "2020-10-27T14:32:25Z",
"status": "CriticalMalfunction",
"node": "Server1",
"systemProcess": "Filter",
"descriptionId": 2324,
"description": "Something happened"
}
]
}

AuditMessages

Kaspersky Industrial CyberSecurity for Networks can save information about actions that users performed in the application.
Information is saved in the audit log if user activity audit is enabled.
You can get audit entries from Kaspersky Industrial CyberSecurity for Networks using the audit messages API methods.

Querying several audit entries

You can get a specified number of audit entries starting from a certain offset, not including the audit entry with the specified offset. You can specify filtering and paging options for the audit entries. By default, audit entries are not sorted. Use the sort property from argument to specify sorting order.
You can use the following fields for filtering:

id
date
node
user
action
result

You can use the following fields for sorting:

id

path Parameters

version

required

string

Request Body schema:
application/json-patch+json
application/json-patch+json
application/json
text/json
application/*+json

Query argument. Specify the argument to define the parameters for filtering and sorting, such as an offset and a maximum number of audit entries in the returned results.

filter	object Nullable Filtering parameters. To define a filter, pass an array of filtering conditions to the filter object: Each item in the array indicates a name of the field to be used for filtering and filtering conditions. If no filtering conditions are defined (there is no object filtering array or it is empty), all objects of the specified type are returned. To configure filtering, define a filter object containing an array of conditions. Each item in the array can be a condition or a group of conditions in the form of an array. The maximum nesting of groups is three levels, including the first. Each filtering condition can have the following parameters: field (required)—Object field name from the table of fields of the specific object type, in the camelCase format. Specify subparameters after a colon. For example, to specify an IP address of a source field, use "source:ipAddress". condition (optional)—Filtering condition for the field value. Supported values: "="—Equals. This value is also used if this parameter is not defined. "<>"—Does not equal. ">"—Field value is larger than the value in the value array. Use only for numeric and time values. ">="—Field value is larger than or equals to the value in the value array. Use only for numeric and time values. "<"—Field value is less than the value in a value array. Use only for numeric and time values. "<="—Field value is less than or equals to the value in a value array. Use only for numeric and time values. "IsEmpty"—Field value is empty. The value in the value array is ignored. "IsOneOf"—Field value is empty or equals to one of the values in the value array. The value array contains an array of possible values. value—Value or values with which the field is compared. Specify elements of enums as strings in the English locale without spaces, special characters, or brackets. For example, "DPI", "Warning", "EngineeringWorkstation". Specify dates in the ISO 8601 format with full indication of all parts of the date and time. For example, "2020-10-25T17:32:25.707Z". operator—Logical operator that combines conditions and condition groups at a specific level. The operator in the first top-level condition is ignored. The operator in the first condition in a group is considered to be the operator of this group. Supported values: "and"—Condition is added with the AND operator. This operator is also used if the parameter is not defined. "or"—Condition is added with the OR operator. Parameter values and all comparisons are not case sensitive. If an unsupported parameter value is defined, the "Incorrect parameters" error is returned with the name and value of the parameter. Example of a simple condition with the AND operator. { "query": { ... "filter": [ { "field": "propName3", "condition": "isOneOf", "value": ["DPI", "NIC", "CC"], }, { "field": "propName4", "condition": ">=", "value": "2020-10-27T17:32:25.806Z" } ] } } Example of a set of conditions with a nested condition group. The conditions in the group are combined with the OR operator, while the top-level conditions are combined with the AND operator. { "query": { ... "filter": [ [ { "field": "propName1", "condition": ">=", "value": 10 }, { "field": "propName1", "value": 1, "operator": "or" } ], { "field": "propName3", "condition": "isOneOf", "value": ["DPI", "NIC", "CC"] }, { "field": "propName4", "condition": ">=", "value": "2020-10-27T17:32:25.806Z" } ] } }
	Array of objects (ColumnOrderDto) Nullable Sorting parameters. A list of columns that can be sorted depends on the type of requested data. A full list is provided in the description of the corresponding paging method.
offset	integer <int32> [ 0 .. 2147483647 ] Nullable Zero-based index of the item in the full list from which the sorting must begin. If no offset is specified, the sorting results start at the beginning of the full list.
limit	integer <int32> [ 0 .. 1000 ] Nullable Maximum number of items in the results. If no limit is specified, the method returns all data beginning from the offset.

Responses

Request samples

Payload

Content type

{"filter": [{"field": "Id",
"condition": ">",
"value": 12370
},
{"field": "Result",
"condition": "=",
"value": "Success"
}
],
"sort": [{"column": "Id",
"direction": "Asc",
"nullsBehaviour": null
}
],
"offset": 200,
"limit": 100
}

Response samples

200

Content type

application/json

{"offset": 200,
"limit": 100,
"values": [{"id": 12335,
"date": "2020-10-27T14:32:25Z",
"node": "Server1",
"user": "Adam",
"action": "Some user action",
"result": "Success",
"description": "Very long description text"
}
]
}

Configuration

Kaspersky Industrial CyberSecurity for Networks provides a capability for a connector to query its configuration.
You can get connector configuration information from Kaspersky Industrial CyberSecurity for Networks using the configuration API methods.

Returning information about the current connector

path Parameters

version

required

string

Responses

Response samples

200

Content type

application/json

{"config": "- type: string\n  name: address\n  default: yes\n  max_len: 1024\n- type: uint\n  name: portNumber\n  range: {from: 0, to: 65535}\n  default: yes\n  default_value: 0\n- type: string\n  name: transportProtocol\n  loc: yes\n  values: [TCP, UDP]\n  default: yes",
"eventTypesToSend": [3
],
"forwardAppMessages": true,
"forwardAuditMessages": false
}

Devices

Devices are connected to the industrial network. Kaspersky Industrial CyberSecurity for Networks monitors device activity and updates information about them. It allows an administrator to make security-related decisions.
You can get a list of devices and their protocols from Kaspersky Industrial CyberSecurity for Networks using devices API methods.
You can also create, edit, and remove devices in Kaspersky Industrial CyberSecurity for Networks.

Querying several devices

You can get several devices starting from a certain offset, not including the device with the specified offset. You can specify filtering and paging options for the devices. By default, devices are not sorted. Use the sort property from argument to specify sorting order.
You can use the following fields for filtering:

id
name
status
addressInformation:macAddress
addressInformation:ipAddress
category
group
securityState
lastSeen
risks:id
risks:name
risks:state
risks:category
risks:score
risks:baseScore
lastModified
created
os
hardwareVendor
hardwareModel
hardwareVersion
softwareVendor
softwareModel
softwareVersion
networkName
label
hasIndustrialConfig
epp:name
epp:rtpState
epp:lastSync
influence

You can use the following fields for sorting:

id

path Parameters

version

required

string

Request Body schema:
application/json-patch+json
application/json-patch+json
application/json
text/json
application/*+json

Query argument. Specify the argument to define the parameters for filtering and sorting, such as an offset and a maximum number of devices in the returned results.

filter	object Nullable Filtering parameters. To define a filter, pass an array of filtering conditions to the filter object: Each item in the array indicates a name of the field to be used for filtering and filtering conditions. If no filtering conditions are defined (there is no object filtering array or it is empty), all objects of the specified type are returned. To configure filtering, define a filter object containing an array of conditions. Each item in the array can be a condition or a group of conditions in the form of an array. The maximum nesting of groups is three levels, including the first. Each filtering condition can have the following parameters: field (required)—Object field name from the table of fields of the specific object type, in the camelCase format. Specify subparameters after a colon. For example, to specify an IP address of a source field, use "source:ipAddress". condition (optional)—Filtering condition for the field value. Supported values: "="—Equals. This value is also used if this parameter is not defined. "<>"—Does not equal. ">"—Field value is larger than the value in the value array. Use only for numeric and time values. ">="—Field value is larger than or equals to the value in the value array. Use only for numeric and time values. "<"—Field value is less than the value in a value array. Use only for numeric and time values. "<="—Field value is less than or equals to the value in a value array. Use only for numeric and time values. "IsEmpty"—Field value is empty. The value in the value array is ignored. "IsOneOf"—Field value is empty or equals to one of the values in the value array. The value array contains an array of possible values. value—Value or values with which the field is compared. Specify elements of enums as strings in the English locale without spaces, special characters, or brackets. For example, "DPI", "Warning", "EngineeringWorkstation". Specify dates in the ISO 8601 format with full indication of all parts of the date and time. For example, "2020-10-25T17:32:25.707Z". operator—Logical operator that combines conditions and condition groups at a specific level. The operator in the first top-level condition is ignored. The operator in the first condition in a group is considered to be the operator of this group. Supported values: "and"—Condition is added with the AND operator. This operator is also used if the parameter is not defined. "or"—Condition is added with the OR operator. Parameter values and all comparisons are not case sensitive. If an unsupported parameter value is defined, the "Incorrect parameters" error is returned with the name and value of the parameter. Example of a simple condition with the AND operator. { "query": { ... "filter": [ { "field": "propName3", "condition": "isOneOf", "value": ["DPI", "NIC", "CC"], }, { "field": "propName4", "condition": ">=", "value": "2020-10-27T17:32:25.806Z" } ] } } Example of a set of conditions with a nested condition group. The conditions in the group are combined with the OR operator, while the top-level conditions are combined with the AND operator. { "query": { ... "filter": [ [ { "field": "propName1", "condition": ">=", "value": 10 }, { "field": "propName1", "value": 1, "operator": "or" } ], { "field": "propName3", "condition": "isOneOf", "value": ["DPI", "NIC", "CC"] }, { "field": "propName4", "condition": ">=", "value": "2020-10-27T17:32:25.806Z" } ] } }
	Array of objects (ColumnOrderDto) Nullable Sorting parameters. A list of columns that can be sorted depends on the type of requested data. A full list is provided in the description of the corresponding paging method.
offset	integer <int32> [ 0 .. 2147483647 ] Nullable Zero-based index of the item in the full list from which the sorting must begin. If no offset is specified, the sorting results start at the beginning of the full list.
limit	integer <int32> [ 0 .. 1000 ] Nullable Maximum number of items in the results. If no limit is specified, the method returns all data beginning from the offset.

Responses

Request samples

Payload

Content type

{"filter": [{"field": "Id",
"condition": ">",
"value": 12370
},
{"field": "Category",
"condition": "=",
"value": "Plc"
}
],
"sort": [{"column": "Id",
"direction": "Asc",
"nullsBehaviour": null
}
],
"offset": 200,
"limit": 100
}

Response samples

200

Content type

application/json

{"offset": 200,
"limit": 100,
"values": [{"id": 123456,
"name": "BoilerPlc",
"description": "Very long description text",
"status": "Recognized",
"addressInformation": [{"networkInterfaceId": 32424,
"networkInterfaceName": "ens32",
"macAddress": "ff:aa:bb:cc:dd:ee",
"macAddressSpaceId": 1,
"ipAddresses": [{"id": 121212,
"ip": "192.168.0.20",
"addressSpaceId": 1
},
{"id": 121213,
"ip": "192.168.0.21",
"addressSpaceId": 5
}
]
},
{"networkInterfaceId": 32425,
"networkInterfaceName": "Name",
"macAddress": "ee:aa:bb:cc:dd:ee",
"macAddressSpaceId": null,
"ipAddresses": [{"id": 121214,
"ip": "192.168.1.21",
"addressSpaceId": 3
}
]
}
],
"category": "Plc",
"categoryConfidence": 100,
"group": "group1",
"securityState": "Critical",
"influence": "Normal",
"lastSeen": "2020-12-15T11:17:12",
"lastModified": "2020-11-14T10:16:11",
"created": "2020-10-26T10:15:06",
"os": "Linux",
"osConfidence": 200,
"networkName": "factory-net",
"networkNameConfidence": 200,
"hardwareVendor": "Siemens",
"hardwareVendorConfidence": 200,
"hardwareModel": "S7-1500",
"hardwareModelConfidence": 200,
"hardwareVersion": "3.51",
"hardwareVersionConfidence": 200,
"softwareVendor": "SomeCompany",
"softwareVendorConfidence": 200,
"softwareModel": "FirmwareOs1",
"softwareModelConfidence": 200,
"softwareVersion": "1.23",
"softwareVersionConfidence": 200,
"isRouter": false,
"isRouterConfidence": 200,
"labels": ["label1",
"label2"
],
"risks": [{"id": 122334,
"name": "Risk name 1",
"category": "TechnologicalRisk",
"state": "Accepted",
"baseScore": 5.5,
"score": 6.1,
"typeId": null
},
{"id": 122334,
"name": "Risk name 2",
"category": "Vulnerability",
"state": "Active",
"baseScore": 7.1,
"score": 8,
"typeId": null
}
],
"processControlSettings": {"deviceType": "Siemens Simatic S-1500",
"protocols": [{"id": 123123,
"name": "S7CommOverTcp",
"protocolStackId": 2,
"systemCommands": {"total": 23,
"monitored": 7
},
"addresses2": [{"addressConfig": "{ \"ip\": \"192.168.0.20\", \"port\": 102, \"rack\": 0, \"slot\": 2 }",
"ipAddressSpaceId": 1,
"macAddressSpaceId": 1
}
]
},
{"id": 123123,
"name": "IndustrialEthernet",
"protocolStackId": 12,
"systemCommands": {"total": 25,
"monitored": 9
},
"addresses2": [{"addressConfig": "{ \"mac\": \"ff:aa:bb:cc:dd:ee\", \"rack\": 0, \"slot\": 2 }",
"ipAddressSpaceId": 2,
"macAddressSpaceId": 2
}
]
}
]
},
"attributes": [{"name": "name1",
"value": "value1",
"isAutoupdated": false,
"confidence": 1
},
{"name": "name2",
"value": "value2",
"isAutoupdated": true,
"confidence": 2
}
],
"userAttributes": [{"name": "nameU1",
"value": "valueU1"
},
{"name": "nameU2",
"value": "valueU2"
}
],
"epp": {"name": "KICS",
"lastSync": "2021-08-01T00:00:01",
"rtpState": "Running",
"keaVersion": "1.2",
"version": "3.4.5",
"licenses": [{"serialNumber": "xx.yy.zz",
"status": "Active",
"expirationDate": "2022-01-01T00:00:00"
},
{"serialNumber": "ww.ww.ww",
"status": "Reserved",
"expirationDate": "2023-01-01T00:00:00"
}
],
"basesVersion": "2021-07-01T10:11:12"
},
"hardwareInfo": {"cpus": [{"deviceId": "CPU0",
"name": "Intel(R) Core(TM) i7-8565U CPU @ 1.80GHz",
"numberOfCores": 4,
"numberOfLogicalProcessors": 8
},
{"deviceId": "CPU1",
"name": "Intel(R) Core(TM) i7-8565U CPU @ 1.80GHz",
"numberOfCores": 4,
"numberOfLogicalProcessors": 8
}
],
"bios": {"manufacturer": "LENOVO",
"majorVersion": 1,
"minorVersion": 38,
"releaseDate": "2023-01-01T00:00:00"
},
"ram": {"totalPhysicalMemory": 17179869184
},
"localDisks": [{"deviceId": "C:",
"freeSpace": 53687091200,
"size": 268435456000
},
{"deviceId": "D:",
"freeSpace": 53687091200,
"size": 536870912000
}
],
"usbDevices": [{"deviceId": "USB\\VID_0529&PID_0620\\6&1BAF74D7&0&1",
"pnpClass": "SmartCardReader",
"name": "Microsoft Usb ccid Smartcard Reader"
},
{"deviceId": "USB\\VID_0529&PID_0620\\6&1BAF74D7&0&2",
"pnpClass": "DumbCardReader",
"name": "Microsoft Usb dumb card Reader"
}
],
"opticalDrives": [{"name": "HL-DT-ST DVD-RAM GP60NS60 USB Device",
"mediaLoaded": true
},
{"name": "ML-DT-ST DVD-ROM CP60NS60 USB Device",
"mediaLoaded": false
}
]
}
}
]
}

Querying a single device

path Parameters

id required	integer <int64> >= 1 ID of the requested device.
version required	string

Responses

Response samples

200

Content type

application/json

{"id": 123456,
"name": "BoilerPlc",
"description": "Very long description text",
"status": "Recognized",
"addressInformation": [{"networkInterfaceId": 32424,
"networkInterfaceName": "ens32",
"macAddress": "ff:aa:bb:cc:dd:ee",
"macAddressSpaceId": 1,
"ipAddresses": [{"id": 121212,
"ip": "192.168.0.20",
"addressSpaceId": 1
},
{"id": 121213,
"ip": "192.168.0.21",
"addressSpaceId": 2
}
]
},
{"networkInterfaceId": 32425,
"networkInterfaceName": "Name",
"macAddress": "ee:aa:bb:cc:dd:ee",
"macAddressSpaceId": 1,
"ipAddresses": [{"id": 121214,
"ip": "192.168.1.21",
"addressSpaceId": 1
}
]
}
],
"category": "Plc",
"categoryConfidence": 100,
"group": "group1",
"securityState": "Critical",
"influence": 0,
"lastSeen": "2020-12-15T11:17:12",
"lastModified": "2020-11-14T10:16:11",
"created": "2020-10-26T10:15:06",
"os": "Linux",
"osConfidence": 200,
"networkName": "factory-net",
"networkNameConfidence": 200,
"hardwareVendor": "Siemens",
"hardwareVendorConfidence": 200,
"hardwareModel": "S7-1500",
"hardwareModelConfidence": 200,
"hardwareVersion": "3.51",
"hardwareVersionConfidence": 200,
"softwareVendor": "SomeCompany",
"softwareVendorConfidence": 200,
"softwareModel": "FirmwareOs1",
"softwareModelConfidence": 200,
"softwareVersion": "1.23",
"softwareVersionConfidence": 200,
"isRouter": false,
"isRouterConfidence": 200,
"labels": ["label1",
"label2"
],
"risks": [{"id": 122334,
"name": "Risk name 1",
"category": "TechnologicalRisk",
"state": "Accepted",
"baseScore": 5.5,
"score": 6.1,
"typeId": null
},
{"id": 122334,
"name": "Risk name 2",
"category": "Vulnerability",
"state": "Active",
"baseScore": 7.1,
"score": 8,
"typeId": null
}
],
"processControlSettings": {"deviceType": "Siemens Simatic S-1500",
"protocols": [{"id": 123123,
"name": "S7CommOverTcp",
"protocolStackId": 2,
"systemCommands": {"total": 23,
"monitored": 7
},
"addresses2": [{"addressConfig": "{ \"ip\": \"192.168.0.20\", \"port\": 102, \"rack\": 0, \"slot\": 2 }",
"ipAddressSpaceId": 1,
"macAddressSpaceId": 1
}
]
},
{"id": 123123,
"name": "IndustrialEthernet",
"protocolStackId": 12,
"systemCommands": {"total": 25,
"monitored": 9
},
"addresses2": [{"addressConfig": "{ \"mac\": \"ff:aa:bb:cc:dd:ee\", \"rack\": 0, \"slot\": 2 }",
"ipAddressSpaceId": 2,
"macAddressSpaceId": 2
}
]
}
]
},
"attributes": [{"name": "name1",
"value": "value1",
"isAutoupdated": false,
"confidence": 1
},
{"name": "name2",
"value": "value2",
"isAutoupdated": true,
"confidence": 2
}
],
"userAttributes": [{"name": "nameU1",
"value": "valueU1"
},
{"name": "nameU2",
"value": "valueU2"
}
],
"epp": {"name": "KICS",
"lastSync": "2021-08-01T00:00:01",
"rtpState": "Running",
"keaVersion": "1.2",
"version": "3.4.5",
"licenses": [{"serialNumber": "xx.yy.zz",
"status": "Active",
"expirationDate": "2022-01-01T00:00:00"
},
{"serialNumber": "ww.ww.ww",
"status": "Reserved",
"expirationDate": "2023-01-01T00:00:00"
}
],
"basesVersion": "2021-07-01T10:11:12"
},
"hardwareInfo": {"cpus": [{"deviceId": "CPU0",
"name": "Intel(R) Core(TM) i7-8565U CPU @ 1.80GHz",
"numberOfCores": 4,
"numberOfLogicalProcessors": 8
},
{"deviceId": "CPU1",
"name": "Intel(R) Core(TM) i7-8565U CPU @ 1.80GHz",
"numberOfCores": 4,
"numberOfLogicalProcessors": 8
}
],
"bios": {"manufacturer": "LENOVO",
"majorVersion": 1,
"minorVersion": 38,
"releaseDate": "2023-01-01T00:00:00"
},
"ram": {"totalPhysicalMemory": 17179869184
},
"localDisks": [{"deviceId": "C:",
"freeSpace": 53687091200,
"size": 268435456000
},
{"deviceId": "D:",
"freeSpace": 53687091200,
"size": 536870912000
}
],
"usbDevices": [{"deviceId": "USB\\VID_0529&PID_0620\\6&1BAF74D7&0&1",
"pnpClass": "SmartCardReader",
"name": "Microsoft Usb ccid Smartcard Reader"
},
{"deviceId": "USB\\VID_0529&PID_0620\\6&1BAF74D7&0&2",
"pnpClass": "DumbCardReader",
"name": "Microsoft Usb dumb card Reader"
}
],
"opticalDrives": [{"name": "HL-DT-ST DVD-RAM GP60NS60 USB Device",
"mediaLoaded": true
},
{"name": "ML-DT-ST DVD-ROM CP60NS60 USB Device",
"mediaLoaded": false
}
]
}
}

Changing device fields

path Parameters

id required	integer <int64> >= 1 ID of the device.
version required	string

query Parameters

dontBreakOnFailure	boolean Default: false Identifies whether operations must continue if one of them fails.
sourceId	integer <int64> External source identifier.

Request Body schema:
application/json-patch+json
application/json-patch+json
application/json
text/json
application/*+json

Field operations.

Array ()

op	string (PatchOperationType) Enum: "Add" "Remove" "Replace" "Test"
path required	string non-empty ^(\/\w+)*(\/-)?$
value	object Nullable

Responses

Request samples

Payload

Content type

[{"op": "Add",
"path": "string",
"value": { }
}
]

Response samples

200

Content type

application/json

[{"result": "Succeeded",
"op": "Add",
"path": "string",
"value": { }
}
]

Editing an existing device

You can edit device data in Kaspersky Industrial CyberSecurity for Networks using this API.

path Parameters

id required	integer <int64> >= 1 ID of the device that you want to edit.
version required	string

Request Body schema:
application/json-patch+json
application/json-patch+json
application/json
text/json
application/*+json

Parameters of the device that you want to edit.

allowProcessControlSettingsUpdate required	boolean Allow industrial configuration editing.
name required	string [ 1 .. 8192 ] characters Unique name of the device.
required	Array of objects (DeviceAddressInformation) non-empty MAC and IP addresses of the device.
description	string <= 65536 characters Nullable Description of the device.
status	string (AssetStatus) Enum: "Unauthorized" "Recognized" "Archived"
category	string (AssetType) Enum: "ScadaHmi" "Rpa" "Server" "Workstation" "Plc" "EngineeringStation" "MobileDevice" "NetworkDevice" "Other" "Laptop" "HmiPanel" "Printer" "UPS" "NetworkCamera" "Gateway" "StorageSystem" "Firewall" "Switch" "VirtualSwitch" "Router" "VirtualRouter" "WiFi" "Historian"
os	string <= 65536 characters Nullable Name of an operating system of the device.
hardwareVendor	string <= 65536 characters Nullable Name of a device manufacturer.
hardwareModel	string <= 65536 characters Nullable Device hardware model.
hardwareVersion	string <= 65536 characters Nullable Device hardware version.
softwareVendor	string <= 65536 characters Nullable Device software vendor.
softwareModel	string <= 65536 characters Nullable Device software model.
softwareVersion	string <= 65536 characters Nullable Device software version.
networkName	string <= 65536 characters Nullable Name used to represent the device in the network.
isRouter	boolean Identifies whether the device is a routing device.
influence	string (DeviceInfluenceType) Enum: "BusinessCritical" "Important" "Normal"
labels	Array of strings Nullable List of labels assigned to the device.
	Array of objects (DeviceUserAttributeData) Nullable Any additional user-defined parameters of the device returned in pairs "Name, Value".

Responses

Request samples

Payload

Content type

{"allowProcessControlSettingsUpdate": true,
"name": "BoilerPlc",
"addressInformation": [{"networkInterfaceId": 123409,
"networkInterfaceName": null,
"macAddress": "11:22:33:44:55:66",
"macAddressSpaceId": null,
"ipAddresses": [{"id": 101,
"ip": "1.2.3.4",
"addressSpaceId": null
},
{"id": 102,
"ip": "1.2.3.5",
"addressSpaceId": null
}
]
}
],
"description": "Very long description text",
"status": "Recognized",
"category": "NetworkDevice",
"os": "Linux",
"hardwareVendor": "Siemens",
"hardwareModel": "S7-1500",
"hardwareVersion": "3.51",
"softwareVendor": "SomeCompany",
"softwareModel": "FirmwareOs1",
"softwareVersion": "1.23",
"networkName": "factory-net",
"isRouter": false,
"influence": 0,
"labels": ["label1",
"label2"
],
"userAttributes": [{"name": "name1",
"value": "value1"
},
{"name": "name2",
"value": "value2"
}
]
}

Response samples

400

Content type

application/json

{"status": "Error",
"errors": [{"field": "ip",
"path": "addressInformation/ipAddresses[0]",
"errorMessage": "Wrong ip address format"
}
]
}

Removing an existing device

You can remove devices from Kaspersky Industrial CyberSecurity for Networks using this API.

path Parameters

id required	integer <int64> >= 1 ID of the device that you want to remove.
version required	string

Responses

Assigning an industrial configuration to a device

path Parameters

id required	integer <int64> >= 1 ID of the device.
version required	string

query Parameters

mode

required

string (AssignIndustrialConfigMode)

Enum: "Replace" "Merge"

Mode of industrial configuration assignment.

Request Body schema: multipart/form-data

config

required

string <binary>

Responses

Response samples

200
400

Content type

application/json

{"addedTags": 10,
"tagErrors": 0,
"removedTags": 5,
"replacedTags": 5,
"removedRules": 1
}

Querying device protocols

path Parameters

id required	integer <int64> >= 1 ID of the device for which protocols are queried.
version required	string

Responses

Response samples

200

Content type

application/json

[{"id": 12345,
"name": "ModbusTcp",
"protocolStackId": 1,
"systemCommands": {"total": 15,
"monitored": 3
},
"addresses2": [{"addressConfig": "{ \"ip\": \"192.168.0.7\", \"port\": 502, \"unit\": 0 }",
"ipAddressSpaceId": 1,
"macAddressSpaceId": 1
},
{"addressConfig": "{ \"ip\": \"192.168.0.8\", \"port\": 502, \"unit\": 0 }",
"ipAddressSpaceId": 2,
"macAddressSpaceId": 2
}
]
}
]

Creating a device

You can create devices in Kaspersky Industrial CyberSecurity for Networks using this API.

path Parameters

version

required

string

Request Body schema:
application/json-patch+json
application/json-patch+json
application/json
text/json
application/*+json

Parameters of the created device.

whatIfDuplicate required	string (DuplicateAction) Enum: "Skip" "Overwrite"
allowProcessControlSettingsLoss required	boolean Allow loss of industrial configuration.
name required	string [ 1 .. 8192 ] characters Unique name of the device.
required	Array of objects (DeviceAddressInformation) non-empty MAC and IP addresses of the device.
description	string <= 65536 characters Nullable Description of the device.
status	string (AssetStatus) Enum: "Unauthorized" "Recognized" "Archived"
category	string (AssetType) Enum: "ScadaHmi" "Rpa" "Server" "Workstation" "Plc" "EngineeringStation" "MobileDevice" "NetworkDevice" "Other" "Laptop" "HmiPanel" "Printer" "UPS" "NetworkCamera" "Gateway" "StorageSystem" "Firewall" "Switch" "VirtualSwitch" "Router" "VirtualRouter" "WiFi" "Historian"
os	string <= 65536 characters Nullable Name of an operating system of the device.
hardwareVendor	string <= 65536 characters Nullable Name of a device manufacturer.
hardwareModel	string <= 65536 characters Nullable Device hardware model.
hardwareVersion	string <= 65536 characters Nullable Device hardware version.
softwareVendor	string <= 65536 characters Nullable Device software vendor.
softwareModel	string <= 65536 characters Nullable Device software model.
softwareVersion	string <= 65536 characters Nullable Device software version.
networkName	string <= 65536 characters Nullable Name used to represent the device in the network.
isRouter	boolean Identifies whether the device is a routing device.
influence	string (DeviceInfluenceType) Enum: "BusinessCritical" "Important" "Normal"
labels	Array of strings Nullable List of labels assigned to the device.
	Array of objects (DeviceUserAttributeData) Nullable Any additional user-defined parameters of the device returned in pairs "Name, Value".

Responses

Request samples

Payload

Content type

{"whatIfDuplicate": "Skip",
"allowProcessControlSettingsLoss": true,
"name": "BoilerPlc",
"addressInformation": [{"networkInterfaceId": 0,
"networkInterfaceName": null,
"macAddress": "11:22:33:44:55:66",
"macAddressSpaceId": null,
"ipAddresses": [{"id": 0,
"ip": "1.2.3.4",
"addressSpaceId": null
},
{"id": 0,
"ip": "1.2.3.5",
"addressSpaceId": null
}
]
}
],
"description": "Very long description text",
"status": "Recognized",
"category": "NetworkDevice",
"os": "Linux",
"hardwareVendor": "Siemens",
"hardwareModel": "S7-1500",
"hardwareVersion": "3.51",
"softwareVendor": "SomeCompany",
"softwareModel": "FirmwareOs1",
"softwareVersion": "1.23",
"networkName": "factory-net",
"isRouter": false,
"influence": 0,
"labels": ["label1",
"label2"
],
"userAttributes": [{"name": "name1",
"value": "value1"
},
{"name": "name2",
"value": "value2"
}
]
}

Response samples

201
400

Content type

application/json

{"status": "Created",
"deviceId": 12345
}

Events

Events are messages generated by Kaspersky Industrial CyberSecurity for Networks in response to probably malicious industrial network traffic, detected attacks, and other security-related data. You can get events from Kaspersky Industrial CyberSecurity for Networks using the events API methods. In addition, you can register your own events in Kaspersky Industrial CyberSecurity for Networks. Kaspersky Industrial CyberSecurity for Networks handles these events as it does any other events.

Querying several events

You can get several events starting from a certain offset, not including event with specified offset. You can specify filtering and paging options for the events. By default, events are not sorted. Use the sort property from argument to specify sorting order.
You can use the following fields for filtering:

startTime
lastSeenTime
title
score
source:ipAddress
source:ipAddressSpaceId
source:port
source:macAddress
source:macAddressSpaceId
source:applicationLevelAddress
destination:ipAddress
destination:ipAddressSpaceId
destination:port
destination:macAddress
destination:macAddressSpaceId
destination:applicationLevelAddress
application:eppUserName
application:eppApplicationName
vlanId
protocol
technology
totalAppearances
id
status
triggeredRule
monitoringPointId
eventType
mark
origin

You can use the following fields for sorting:

id

path Parameters

version

required

string

Request Body schema:
application/json-patch+json
application/json-patch+json
application/json
text/json
application/*+json

Query argument. Specify the argument to define the parameters for filtering and sorting, such as an offset and a maximum number of events in the returned results.

filter	object Nullable Filtering parameters. To define a filter, pass an array of filtering conditions to the filter object: Each item in the array indicates a name of the field to be used for filtering and filtering conditions. If no filtering conditions are defined (there is no object filtering array or it is empty), all objects of the specified type are returned. To configure filtering, define a filter object containing an array of conditions. Each item in the array can be a condition or a group of conditions in the form of an array. The maximum nesting of groups is three levels, including the first. Each filtering condition can have the following parameters: field (required)—Object field name from the table of fields of the specific object type, in the camelCase format. Specify subparameters after a colon. For example, to specify an IP address of a source field, use "source:ipAddress". condition (optional)—Filtering condition for the field value. Supported values: "="—Equals. This value is also used if this parameter is not defined. "<>"—Does not equal. ">"—Field value is larger than the value in the value array. Use only for numeric and time values. ">="—Field value is larger than or equals to the value in the value array. Use only for numeric and time values. "<"—Field value is less than the value in a value array. Use only for numeric and time values. "<="—Field value is less than or equals to the value in a value array. Use only for numeric and time values. "IsEmpty"—Field value is empty. The value in the value array is ignored. "IsOneOf"—Field value is empty or equals to one of the values in the value array. The value array contains an array of possible values. value—Value or values with which the field is compared. Specify elements of enums as strings in the English locale without spaces, special characters, or brackets. For example, "DPI", "Warning", "EngineeringWorkstation". Specify dates in the ISO 8601 format with full indication of all parts of the date and time. For example, "2020-10-25T17:32:25.707Z". operator—Logical operator that combines conditions and condition groups at a specific level. The operator in the first top-level condition is ignored. The operator in the first condition in a group is considered to be the operator of this group. Supported values: "and"—Condition is added with the AND operator. This operator is also used if the parameter is not defined. "or"—Condition is added with the OR operator. Parameter values and all comparisons are not case sensitive. If an unsupported parameter value is defined, the "Incorrect parameters" error is returned with the name and value of the parameter. Example of a simple condition with the AND operator. { "query": { ... "filter": [ { "field": "propName3", "condition": "isOneOf", "value": ["DPI", "NIC", "CC"], }, { "field": "propName4", "condition": ">=", "value": "2020-10-27T17:32:25.806Z" } ] } } Example of a set of conditions with a nested condition group. The conditions in the group are combined with the OR operator, while the top-level conditions are combined with the AND operator. { "query": { ... "filter": [ [ { "field": "propName1", "condition": ">=", "value": 10 }, { "field": "propName1", "value": 1, "operator": "or" } ], { "field": "propName3", "condition": "isOneOf", "value": ["DPI", "NIC", "CC"] }, { "field": "propName4", "condition": ">=", "value": "2020-10-27T17:32:25.806Z" } ] } }
	Array of objects (ColumnOrderDto) Nullable Sorting parameters. A list of columns that can be sorted depends on the type of requested data. A full list is provided in the description of the corresponding paging method.
offset	integer <int32> [ 0 .. 2147483647 ] Nullable Zero-based index of the item in the full list from which the sorting must begin. If no offset is specified, the sorting results start at the beginning of the full list.
limit	integer <int32> [ 0 .. 1000 ] Nullable Maximum number of items in the results. If no limit is specified, the method returns all data beginning from the offset.

Responses

Request samples

Payload

Content type

{"filter": [{"field": "Id",
"condition": ">",
"value": 12370
},
{"field": "Technology",
"condition": "=",
"value": "Dpi"
}
],
"sort": [{"column": "Id",
"direction": "Asc",
"nullsBehaviour": null
}
],
"offset": 200,
"limit": 100
}

Response samples

200

Content type

application/json

{"offset": 200,
"limit": 100,
"values": [{"id": 123456,
"eventType": 123123,
"title": "Something happened",
"score": 5.3,
"startTime": "2020-10-27T14:32:25Z",
"lastSeenTime": "2020-10-27T14:32:26Z",
"endTime": "2020-10-27T14:32:26Z",
"protocol": "Modbus",
"communications": [{"sourceIp": "192.168.0.1",
"sourceIpAddressSpaceId": 0,
"sourcePort": 20,
"sourceMac": "ff:aa:bb:cc:dd:ee",
"sourceMacAddressSpaceId": 0,
"sourceApplication": "slot=10",
"destinationIp": "192.168.0.1",
"destinationIpAddressSpaceId": 1,
"destinationPort": 30,
"destinationMac": "ff:aa:bb:cc:dd:ee",
"destinationMacAddressSpaceId": 1,
"destinationApplication": "slot=5",
"applicationProtocol": null,
"vlanId": 0,
"protocolStack": ["TCP",
"Modbus"
],
"protocolStackId": 1232,
"protocolStackPath": "TCP/Modbus",
"systemCommandId": 12312,
"systemCommandName": "STOP_PLC"
}
],
"technology": "Dpi",
"totalAppearances": 10,
"status": "Proposed",
"description": "Very long description text",
"triggeredRule": "Rule name",
"triggeredRuleId": 123,
"monitoringPoint": "Mpoint 1",
"monitoringPointId": 1,
"monitoringPointDeletedTime": "2020-10-26T10:15:06",
"mark": 0,
"origin": "System",
"childrenCount": 6,
"assets": [{"id": 12312
}
],
"params": [{"name": "param1",
"value": "value 1"
},
{"name": "param2",
"value": "value 2"
}
],
"risks": [{"id": 21213
}
],
"applications": [{"eppApplication": {"applicationId": 1,
"applicationName": "Microsoft® Windows® Operating System",
"productName": "Microsoft® Windows® Operating System",
"productVersion": "10.0.19041.964",
"productVendor": "Microsoft Corporation",
"imagePath": "C:\\\\WINDOWS\\\\System32\\\\smss.exe",
"osName": "Microsoft Windows 10 Pro",
"isServer": true,
"signatureCheckResult": true,
"md5": "2c3f91bb4c0994a7b36ed0b6b14ec9c7",
"sha256": "56afe5133fdc5806ec6b19436f7b55f1499cfc94619740c171424fbcf7808fd3",
"communicationIndex": 0,
"communicationIsSource": true
},
"eppUser": {"userId": 202,
"userName": "Administrator",
"logonType": "Interactive",
"accountType": "Admin"
}
},
{"eppApplication": {"applicationId": 1,
"applicationName": "Microsoft® Windows® Operating System",
"productName": "Microsoft® Windows® Operating System",
"productVersion": "10.0.19041.964",
"productVendor": "Microsoft Corporation",
"imagePath": "C:\\\\WINDOWS\\\\System32\\\\smss.exe",
"osName": "Microsoft Windows 10 Pro",
"isServer": true,
"signatureCheckResult": true,
"md5": "2c3f91bb4c0994a7b36ed0b6b14ec9c7",
"sha256": "56afe5133fdc5806ec6b19436f7b55f1499cfc94619740c171424fbcf7808fd3",
"communicationIndex": 0,
"communicationIsSource": true
},
"eppUser": null
}
]
}
]
}

Querying a single event

path Parameters

id required	integer <int64> >= 1 ID of the requested event.
version required	string

Responses

Response samples

200

Content type

application/json

{"id": 123456,
"eventType": 123123,
"title": "Something happened",
"score": 5.3,
"startTime": "2020-10-27T14:32:25Z",
"lastSeenTime": "2020-10-27T14:32:26Z",
"endTime": "2020-10-27T14:32:26Z",
"protocol": "Modbus",
"communications": [{"sourceIp": "192.168.0.1",
"sourceIpAddressSpaceId": 0,
"sourcePort": 20,
"sourceMac": "ff:aa:bb:cc:dd:ee",
"sourceMacAddressSpaceId": 0,
"sourceApplication": "slot=10",
"destinationIp": "192.168.0.1",
"destinationIpAddressSpaceId": 1,
"destinationPort": 30,
"destinationMac": "ff:aa:bb:cc:dd:ee",
"destinationMacAddressSpaceId": 1,
"destinationApplication": "slot=5",
"applicationProtocol": null,
"vlanId": 0,
"protocolStack": ["TCP",
"Modbus"
],
"protocolStackId": 1232,
"protocolStackPath": "TCP/Modbus",
"systemCommandId": 12312,
"systemCommandName": "STOP_PLC"
}
],
"technology": "Dpi",
"totalAppearances": 10,
"status": "Proposed",
"description": "Very long description text",
"triggeredRule": "Rule name",
"triggeredRuleId": 123,
"monitoringPoint": "Mpoint 1",
"monitoringPointId": 1,
"monitoringPointDeletedTime": "2020-10-26T10:15:06",
"mark": 0,
"origin": "System",
"childrenCount": 6,
"assets": [{"id": 12312
}
],
"params": [{"name": "param1",
"value": "value 1"
},
{"name": "param2",
"value": "value 2"
}
],
"risks": [{"id": 21213
}
],
"applications": [{"eppApplication": {"applicationId": 1,
"applicationName": "Microsoft® Windows® Operating System",
"productName": "Microsoft® Windows® Operating System",
"productVersion": "10.0.19041.964",
"productVendor": "Microsoft Corporation",
"imagePath": "C:\\\\WINDOWS\\\\System32\\\\smss.exe",
"osName": "Microsoft Windows 10 Pro",
"isServer": true,
"signatureCheckResult": true,
"md5": "2c3f91bb4c0994a7b36ed0b6b14ec9c7",
"sha256": "56afe5133fdc5806ec6b19436f7b55f1499cfc94619740c171424fbcf7808fd3",
"communicationIndex": 0,
"communicationIsSource": true
},
"eppUser": {"userId": 202,
"userName": "Administrator",
"logonType": "Interactive",
"accountType": "Admin"
}
}
]
}

Editing an existing event

You can edit event data in Kaspersky Industrial CyberSecurity for Networks using this API.

path Parameters

id required	integer <int64> >= 1 ID of the event that you want to edit.
version required	string

Request Body schema:
application/json-patch+json
application/json-patch+json
application/json
text/json
application/*+json

Parameters of the event to edit:

status
mark

status	string (EventUserState) Enum: "Proposed" "Active" "Resolved"
mark	integer <int32> Nullable Numeric value from 0 to 7 that represents a selection of icons that you can set for any event or incident to find events and incidents based on criteria that are not in the table.

Responses

Request samples

Payload

Content type

{"status": "Proposed",
"mark": 0
}

Response samples

400

Content type

application/json

"string"

Querying traffic for several events

You can get a ZIP file with traffic associated with several events. The traffic can be filtered and sorted in the same way as for the QueryEvents() method.

path Parameters

version

required

string

Request Body schema:
application/json-patch+json
application/json-patch+json
application/json
text/json
application/*+json

Query argument. Specify the argument to define parameters for filtering and sorting, such as an offset and a maximum number of events in the returned results.

filter	object Nullable Filtering parameters. To define a filter, pass an array of filtering conditions to the filter object: Each item in the array indicates a name of the field to be used for filtering and filtering conditions. If no filtering conditions are defined (there is no object filtering array or it is empty), all objects of the specified type are returned. To configure filtering, define a filter object containing an array of conditions. Each item in the array can be a condition or a group of conditions in the form of an array. The maximum nesting of groups is three levels, including the first. Each filtering condition can have the following parameters: field (required)—Object field name from the table of fields of the specific object type, in the camelCase format. Specify subparameters after a colon. For example, to specify an IP address of a source field, use "source:ipAddress". condition (optional)—Filtering condition for the field value. Supported values: "="—Equals. This value is also used if this parameter is not defined. "<>"—Does not equal. ">"—Field value is larger than the value in the value array. Use only for numeric and time values. ">="—Field value is larger than or equals to the value in the value array. Use only for numeric and time values. "<"—Field value is less than the value in a value array. Use only for numeric and time values. "<="—Field value is less than or equals to the value in a value array. Use only for numeric and time values. "IsEmpty"—Field value is empty. The value in the value array is ignored. "IsOneOf"—Field value is empty or equals to one of the values in the value array. The value array contains an array of possible values. value—Value or values with which the field is compared. Specify elements of enums as strings in the English locale without spaces, special characters, or brackets. For example, "DPI", "Warning", "EngineeringWorkstation". Specify dates in the ISO 8601 format with full indication of all parts of the date and time. For example, "2020-10-25T17:32:25.707Z". operator—Logical operator that combines conditions and condition groups at a specific level. The operator in the first top-level condition is ignored. The operator in the first condition in a group is considered to be the operator of this group. Supported values: "and"—Condition is added with the AND operator. This operator is also used if the parameter is not defined. "or"—Condition is added with the OR operator. Parameter values and all comparisons are not case sensitive. If an unsupported parameter value is defined, the "Incorrect parameters" error is returned with the name and value of the parameter. Example of a simple condition with the AND operator. { "query": { ... "filter": [ { "field": "propName3", "condition": "isOneOf", "value": ["DPI", "NIC", "CC"], }, { "field": "propName4", "condition": ">=", "value": "2020-10-27T17:32:25.806Z" } ] } } Example of a set of conditions with a nested condition group. The conditions in the group are combined with the OR operator, while the top-level conditions are combined with the AND operator. { "query": { ... "filter": [ [ { "field": "propName1", "condition": ">=", "value": 10 }, { "field": "propName1", "value": 1, "operator": "or" } ], { "field": "propName3", "condition": "isOneOf", "value": ["DPI", "NIC", "CC"] }, { "field": "propName4", "condition": ">=", "value": "2020-10-27T17:32:25.806Z" } ] } }
	Array of objects (ColumnOrderDto) Nullable Sorting parameters. A list of columns that can be sorted depends on the type of requested data. A full list is provided in the description of the corresponding paging method.
offset	integer <int32> [ 0 .. 2147483647 ] Nullable Zero-based index of the item in the full list from which the sorting must begin. If no offset is specified, the sorting results start at the beginning of the full list.
limit	integer <int32> [ 0 .. 1000 ] Nullable Maximum number of items in the results. If no limit is specified, the method returns all data beginning from the offset.

Responses

Request samples

Payload

Content type

{"filter": [{"field": "Id",
"condition": ">",
"value": 12370
},
{"field": "Technology",
"condition": "=",
"value": "Dpi"
}
],
"sort": [{"column": "Id",
"direction": "Asc",
"nullsBehaviour": null
}
],
"offset": 200,
"limit": 100
}

Response samples

200
400

Content type

application/json

"string"

Querying traffic for a single event

You can get a PCAP file with traffic associated with a single event.

path Parameters

id required	integer <int64> >= 1 ID of the requested event.
version required	string

Responses

Response samples

200
400

Content type

application/json

"string"

Registering an event

You can register events in Kaspersky Industrial CyberSecurity for Networks using this API.

path Parameters

version

required

string

Request Body schema:
application/json-patch+json
application/json-patch+json
application/json
text/json
application/*+json

Parameters of the event that you want to register.

title required	string [ 1 .. 4096 ] characters Title defined for the event type.
score required	number <float> [ 0 .. 10 ] Score of the event or incident.
startTime required	string <date-time> For an event that is not an incident: date and time when the event was registered. For an incident: date and time when the first event included in the incident was registered.
lastSeenTime	string <date-time> Nullable For an event that is not an incident: date and time when the event last occurred. It may contain date and time when the event was registered, or date and time when the value of an event regenerate counter increased if the conditions for event registration were repeated during the event regenerate timeout.
endTime required	string <date-time> For an event that is not an incident: date and time when the Resolved status was assigned, or date and time of the event regenerate timeout. For an incident: the latest date and time of the end of events that are part of the incident.
totalAppearances	integer <int32> [ 1 .. 2147483647 ] Nullable For an event that is not an incident: value of a regenerate counter after the event was registered within the event regenerate timeout.
description	string [ 0 .. 32000 ] characters Nullable Description specified for the event type.
triggeredRuleName	string [ 0 .. 4096 ] characters Nullable For an event that is not an incident: name of a Process Control rule or an Intrusion Detection rule that was triggered and caused event registration. For an incident: name of a correlation rule that was triggered and caused incident registration.
monitoringPointId	integer <int32> [ 0 .. 65535 ] Identifier of the monitoring point whose traffic invoked registration of the event.
mark	integer <int32> [ 0 .. 7 ] Numeric value from 0 to 7 that represents a selection of icons that you can set for any event or incident to find events and incidents based on criteria that are not in the table.
origin required	string (EventOrigin) Enum: "Unknown" "System" "User"
	object Nullable Array of name-value pairs that are additional parameters of the event.
	Array of objects (CreateEventCommunication) Nullable Array of event communications.
	Array of objects (CreateEventApplication) Nullable Array of event applications and user sessions.

Responses

Request samples

Payload

Content type

{"title": "Something happened",
"score": 7.7,
"startTime": "2020-10-27T14:32:25Z",
"lastSeenTime": "2020-10-27T14:32:26Z",
"endTime": "2020-10-27T14:32:26Z",
"totalAppearances": 10,
"description": "Very long description text",
"triggeredRuleName": "Rule name",
"monitoringPointId": 1,
"mark": 0,
"origin": "User",
"params": {"param1": "value 1",
"param2": "value 2"
},
"communications": [{"sourceIp": "192.168.0.1",
"sourceIpAddressSpaceId": 1234,
"sourcePort": 20,
"sourceMac": "ff:aa:bb:cc:dd:ee",
"sourceMacAddressSpaceId": 1234,
"destinationIp": "192.168.0.1",
"destinationIpAddressSpaceId": 1234,
"destinationPort": 30,
"destinationMac": "ff:aa:bb:cc:dd:ee",
"destinationMacAddressSpaceId": 1234,
"vlanId": 0,
"protocolStackId": 1232
}
],
"applications": [{"eppApplication": {"applicationName": "Microsoft® Windows® Operating System",
"osName": "Microsoft Windows 10 Pro",
"productName": "Microsoft® Windows® Operating System",
"productVersion": "10.0.19041.746",
"productVendor": "Microsoft Corporation",
"imagePath": "C:\\Windows\\System32\\mspaint.exe",
"isServer": false,
"communicationIndex": 0,
"communicationIsSource": true
},
"eppUser": {"userName": "Administrator",
"accountType": "Admin",
"logonType": "Interactive"
}
},
{"eppApplication": {"applicationName": "Microsoft® Windows® Operating System",
"osName": "Microsoft Windows 10 Pro",
"productName": "Microsoft® Windows® Operating System",
"productVersion": "10.0.19041.964",
"productVendor": "Microsoft Corporation",
"imagePath": "C:\\WINDOWS\\System32\\smss.exe",
"isServer": false,
"communicationIndex": 2,
"communicationIsSource": false
},
"eppUser": {"userName": "TEMPLATE-FOR-KS\\autotester",
"accountType": "Admin",
"logonType": "Interactive"
}
}
]
}

Response samples

400
500

Content type

application/json

{"errorMessage": "string"
}

EventTypes

Event type is a defined set of parameters for registering events in Kaspersky Industrial CyberSecurity for Networks. A unique number (event type code) is assigned to each event type. You can get event types from Kaspersky Industrial CyberSecurity for Networks using the event types API methods.

Getting a list of event types

path Parameters

version

required

string

Responses

Response samples

200

Content type

application/json

[{"eventTypeId": 1,
"title": "Incident",
"description": "A sequence of events corresponding to the incident was detected.",
"severity": "Critical",
"technology": "Dpi",
"eventRegenerateTimeout": 3000,
"trafficKeeping": {"keep": true,
"packetsBefore": 1024,
"packetsAfter": 2048,
"timeBefore": 120,
"timeAfter": 60
}
},
{"eventTypeId": 2,
"title": "Event from external system",
"description": "Long description",
"severity": "Warning",
"technology": "External",
"eventRegenerateTimeout": 1000,
"trafficKeeping": {"keep": false,
"packetsBefore": 0,
"packetsAfter": 0,
"timeBefore": 0,
"timeAfter": 0
}
}
]

Getting one event type

path Parameters

id required	integer <int64> >= 1 Event type ID.
version required	string

Responses

Response samples

200

Content type

application/json

{"eventTypeId": 1,
"title": "Incident",
"description": "A sequence of events corresponding to the incident was detected.",
"severity": "Critical",
"technology": "External",
"eventRegenerateTimeout": 3000,
"trafficKeeping": {"keep": true,
"packetsBefore": 1024,
"packetsAfter": 2048,
"timeBefore": 120,
"timeAfter": 60
}
}

License

Information about a license key.
You can get information about the added license key using the license-key API methods.

Getting information about the added license key

path Parameters

version

required

string

Responses

Response samples

200

Content type

application/json

{"localization": "en",
"serialNumber": {"customerId": 2028,
"applicationId": 9482,
"serialNumber": 1465860564,
"key": "250a-0007ec-575f41d4"
},
"productName": "Kaspersky Industrial CyberSecurity for Networks Standard Server, Limited Updates International Edition. 1 - Server 1 year NFR License: KICS for Networks",
"licenseInstallationDate": "2020-12-31T00:00:00",
"licenseExpirationDate": "2019-12-18T00:00:00",
"licenseCreationDate": "2020-01-01T00:00:00",
"licenseStatus": "Active",
"daysTillLicenseExpire": 41
}

MonitoringPoints

Monitoring points are used for receiving and processing industrial network traffic in Kaspersky Industrial CyberSecurity for Networks.
You can get monitoring points from Kaspersky Industrial CyberSecurity for Networks using monitoring-points API methods.

Querying a dictionary with monitoring points

path Parameters

version

required

string

Responses

Response samples

200

Content type

application/json

[{"mpId": 12345,
"name": "MonitoringPoint1",
"nicId": "nic1",
"hostId": "sensor1",
"enabled": true,
"createdTime": "2020-10-27T14:32:25Z",
"deletedTime": "2020-10-27T14:32:25Z"
}
]

Querying a single monitoring point

path Parameters

id required	integer <int64> >= 1 ID of the queried monitoring point.
version required	string

Responses

Response samples

200

Content type

application/json

{"mpId": 12345,
"name": "MonitoringPoint1",
"nicId": "nic1",
"hostId": "sensor1",
"enabled": true,
"createdTime": "2020-10-27T14:32:25Z",
"deletedTime": "2020-10-27T14:32:25Z"
}

NetworkTopologyMap

You can send a network topology map report using the network topology map API methods.

Sending a network topology map report

You can send a network topology map report in Kaspersky Industrial CyberSecurity for Networks using this API.

path Parameters

version

required

string

Request Body schema:
application/json-patch+json
application/json-patch+json
application/json
text/json
application/*+json

Request to send a network topology map report includes the following parameters.

apmId	integer <int64> Unique ID of active polling method.
	Array of objects (NtmNodeInfo) Nullable List of nodes.

Responses

Request samples

Payload

Content type

{"apmId": 1,
"nodes": [{"timestamp": "2020-01-01T12:00:00",
"rawData": "specific data"
}
]
}

Response samples

400

Content type

application/json

{"error": "Error text"
}

Nodes

Information about the state of nodes.
You can get information about the state of nodes using the technologies API methods.

Getting information about the state of nodes

path Parameters

version

required

string

Responses

Response samples

200

Content type

application/json

[{"id": "D156FFE4-BECA-4E8F-8FC9-858F18626934",
"type": "Server",
"name": "KICS server",
"monitoringPointIds": [1,
5,
7
]
},
{"id": "F63DD168-D0E4-4EF1-9C92-BC77DCE9DFD0",
"type": "Sensor",
"name": "KICS sensor 1",
"monitoringPointIds": [2
]
},
{"id": "C04B4906-269A-437D-9765-6F9F85FFD98E",
"type": "Sensor",
"name": "KICS sensor 2",
"monitoringPointIds": [3
]
}
]

ProtocolStacks

Kaspersky Industrial CyberSecurity for Networks uses several dictionaries, including a dictionary of protocols.
You can get protocols from Kaspersky Industrial CyberSecurity for Networks using protocol-stacks API methods.

Querying a dictionary with protocol stacks

path Parameters

version

required

string

Responses

Response samples

200

Content type

application/json

[{"protocolStackId": 12345,
"name": "Modbus TCP",
"protocolStackName": "TCP/Modbus TCP",
"parentId": 5001,
"etherType": 123,
"ipType": 345,
"customType": "345",
"isIndustrial": true,
"isActive": true
}
]

Querying a single protocol stack

path Parameters

id required	integer <int64> >= 1 ID of the queried protocol stack.
version required	string

Responses

Response samples

200

Content type

application/json

{"protocolStackId": 12345,
"name": "ModbusTcp",
"protocolStackName": "TCP/ModbusTcp",
"parentId": 5001,
"etherType": 123,
"ipType": 345,
"customType": "345",
"isIndustrial": true,
"isActive": true
}

Risks

Kaspersky Industrial CyberSecurity for Networks can detect risks of devices. One asset can have multiple risks.
You can get risks from Kaspersky Industrial CyberSecurity for Networks using the risks API methods.

Querying several risk entries

You can get several risk entries starting from a certain offset, not including the risk with the specified offset. You can specify filtering and paging options for risk entries. By default, risk entries are not sorted. Use the sort property from argument to specify sorting order.
You can use the following fields for filtering:

id
typeId
name
category
score
cveSource
sourceIp
sourceMac
destinationIp
destinationMac
assetId
assetGroup
assetName
assetAddress
state
firstDetected
lastStateChanged
attackConditions
impact
vector
matchedCpes:cpe

You can use the following fields for sorting:

id

path Parameters

version

required

string

Request Body schema:
application/json-patch+json
application/json-patch+json
application/json
text/json
application/*+json

Query argument. Specify the argument to define parameters for filtering and sorting, such as an offset and a maximum number of risks in the returned results.

filter	object Nullable Filtering parameters. To define a filter, pass an array of filtering conditions to the filter object: Each item in the array indicates a name of the field to be used for filtering and filtering conditions. If no filtering conditions are defined (there is no object filtering array or it is empty), all objects of the specified type are returned. To configure filtering, define a filter object containing an array of conditions. Each item in the array can be a condition or a group of conditions in the form of an array. The maximum nesting of groups is three levels, including the first. Each filtering condition can have the following parameters: field (required)—Object field name from the table of fields of the specific object type, in the camelCase format. Specify subparameters after a colon. For example, to specify an IP address of a source field, use "source:ipAddress". condition (optional)—Filtering condition for the field value. Supported values: "="—Equals. This value is also used if this parameter is not defined. "<>"—Does not equal. ">"—Field value is larger than the value in the value array. Use only for numeric and time values. ">="—Field value is larger than or equals to the value in the value array. Use only for numeric and time values. "<"—Field value is less than the value in a value array. Use only for numeric and time values. "<="—Field value is less than or equals to the value in a value array. Use only for numeric and time values. "IsEmpty"—Field value is empty. The value in the value array is ignored. "IsOneOf"—Field value is empty or equals to one of the values in the value array. The value array contains an array of possible values. value—Value or values with which the field is compared. Specify elements of enums as strings in the English locale without spaces, special characters, or brackets. For example, "DPI", "Warning", "EngineeringWorkstation". Specify dates in the ISO 8601 format with full indication of all parts of the date and time. For example, "2020-10-25T17:32:25.707Z". operator—Logical operator that combines conditions and condition groups at a specific level. The operator in the first top-level condition is ignored. The operator in the first condition in a group is considered to be the operator of this group. Supported values: "and"—Condition is added with the AND operator. This operator is also used if the parameter is not defined. "or"—Condition is added with the OR operator. Parameter values and all comparisons are not case sensitive. If an unsupported parameter value is defined, the "Incorrect parameters" error is returned with the name and value of the parameter. Example of a simple condition with the AND operator. { "query": { ... "filter": [ { "field": "propName3", "condition": "isOneOf", "value": ["DPI", "NIC", "CC"], }, { "field": "propName4", "condition": ">=", "value": "2020-10-27T17:32:25.806Z" } ] } } Example of a set of conditions with a nested condition group. The conditions in the group are combined with the OR operator, while the top-level conditions are combined with the AND operator. { "query": { ... "filter": [ [ { "field": "propName1", "condition": ">=", "value": 10 }, { "field": "propName1", "value": 1, "operator": "or" } ], { "field": "propName3", "condition": "isOneOf", "value": ["DPI", "NIC", "CC"] }, { "field": "propName4", "condition": ">=", "value": "2020-10-27T17:32:25.806Z" } ] } }
	Array of objects (ColumnOrderDto) Nullable Sorting parameters. A list of columns that can be sorted depends on the type of requested data. A full list is provided in the description of the corresponding paging method.
offset	integer <int32> [ 0 .. 2147483647 ] Nullable Zero-based index of the item in the full list from which the sorting must begin. If no offset is specified, the sorting results start at the beginning of the full list.
limit	integer <int32> [ 0 .. 1000 ] Nullable Maximum number of items in the results. If no limit is specified, the method returns all data beginning from the offset.

Responses

Request samples

Payload

Content type

{"filter": [{"field": "Score",
"condition": ">",
"value": 5
},
{"field": "State",
"condition": "<>",
"value": "Remediated"
}
],
"sort": [{"column": "Id",
"direction": "Asc",
"nullsBehaviour": null
}
],
"offset": 200,
"limit": 100
}

Response samples

200

Content type

application/json

{"offset": 200,
"limit": 100,
"values": [{"id": 12345,
"typeId": 121327,
"name": "Some risk detected.",
"category": "Vulnerability",
"baseScore": 5.9,
"score": 5.9,
"cveSource": "NVD",
"protocolStackId": 1,
"sourcePort": 8081,
"sourceIp": "192.168.0.1",
"sourceIpAddressSpaceId": null,
"sourceMac": "aa:bb:cc:dd:ee:ff",
"sourceMacAddressSpaceId": null,
"destinationPort": 8082,
"destinationIp": "192.168.0.1",
"destinationIpAddressSpaceId": null,
"destinationMac": "aa:bb:cc:dd:ee:ff",
"destinationMacAddressSpaceId": null,
"assetGroup": "Group / Subgroup",
"assetName": "Asset 1",
"assetAddress": "192.168.0.1",
"assetId": 5678,
"state": "Active",
"comments": "User comments",
"firstDetected": "2020-10-27T14:32:25Z",
"lastStateChanged": "2020-10-27T14:32:26Z",
"description": "Long description text",
"attackConditions": "Attack conditions text",
"impact": "Some impact",
"vector": "Vector text",
"cveId": "CVE identifier",
"bduFstecIds": "BDU:2019-00775, BDU:2019-01763",
"mitigations": [{"id": 234788,
"type": "Primary",
"typeName": "Primary mitigation",
"source": "Vendor",
"sourceName": "Provided by vendor",
"mitigation": "Update the firmware"
}
],
"references": [{"id": 123,
"type": "VendorAdvisory",
"typeName": "Vendor advisory text",
"uri": "http://my.server/1.pdf",
"title": "Reference title"
}
],
"cveEvents": [{"id": 213578,
"type": "AdvisoryPublished",
"typeName": "Event has been published",
"date": "2020-10-27T14:32:25Z"
}
],
"matchedCpes": [{"id": 1,
"cpe": "SFGSFGSDFGSDFGSDFGDF",
"displayName": "Siemens firmware",
"targetType": "Hardware",
"viewOrder": 0
}
],
"events": [{"id": 23234,
"timeStampLastSeen": "2020-10-27T14:32:25Z",
"title": "Some event",
"userState": "Active"
}
],
"otherAssets": [{"id": 2,
"title": "Asset 2",
"address": "192.168.0.2"
}
]
}
]
}

Query single risk.

path Parameters

id required	integer <int64> >= 1 ID of the queried risk.
version required	string

Responses

Response samples

200

Content type

application/json

{"id": 12345,
"typeId": 31231,
"name": "Some risk detected.",
"category": "Vulnerability",
"baseScore": 5.9,
"score": 5.9,
"cveSource": "NVD",
"protocolStackId": 1,
"sourcePort": 8081,
"sourceIp": "192.168.0.1",
"sourceIpAddressSpaceId": 1,
"sourceMac": "aa:bb:cc:dd:ee:ff",
"sourceMacAddressSpaceId": 2,
"destinationPort": 8082,
"destinationIp": "192.168.0.1",
"destinationIpAddressSpaceId": 3,
"destinationMac": "aa:bb:cc:dd:ee:ff",
"destinationMacAddressSpaceId": 4,
"assetGroup": "Group / Subgroup",
"assetName": "Asset 1",
"assetAddress": "192.168.0.1",
"assetId": 5678,
"state": "Active",
"comments": "User comments",
"firstDetected": "2020-10-27T14:32:25Z",
"lastStateChanged": "2020-10-27T14:32:26Z",
"description": "Long description text",
"attackConditions": "Attack conditions text",
"impact": "Some impact",
"vector": "Vector text",
"cveId": "CVE identifier",
"bduFstecIds": "BDU:2019-00775, BDU:2019-01763",
"mitigations": [{"id": 234788,
"type": "Primary",
"typeName": "Primary mitigation",
"source": "Vendor",
"sourceName": "Provided by vendor",
"mitigation": "Update the firmware"
}
],
"references": [{"id": 123,
"type": "VendorAdvisory",
"typeName": "Vendor advisory text",
"uri": "http://my.server/1.pdf",
"title": "Reference title"
}
],
"cveEvents": [{"id": 213578,
"type": "AdvisoryPublished",
"typeName": "Event has been published",
"date": "2020-10-27T14:32:25Z"
}
],
"matchedCpes": [{"id": 1,
"cpe": "SFGSFGSDFGSDFGSDFGDF",
"displayName": "Siemens firmware",
"targetType": "Hardware",
"viewOrder": 0
}
],
"events": [{"id": 23234,
"timeStampLastSeen": "2020-10-27T14:32:25Z",
"title": "Some event",
"userState": "Active"
}
],
"otherAssets": [{"id": 2,
"title": "Asset 2",
"address": "192.168.0.2"
}
]
}

Creating a risk

You can create risks in Kaspersky Industrial CyberSecurity for Networks using this API.

path Parameters

version

required

string

Request Body schema:
application/json-patch+json
application/json-patch+json
application/json
text/json
application/*+json

Parameters of the risk that you want to create.

typeId	integer <int64> >= 0 Unique ID of the risk type.
baseScore	number <float> [ 0 .. 10 ] Nullable Base risk score.
name	string <= 8192 characters Nullable Name of the risk.
description	string <= 65536 characters Nullable Description of the risk.
firstDetected	string <date-time> Time when the risk was first detected in the specific device.
lastStateChanged	string <date-time> Time when the risk last changed its state.
deviceId	integer <int64> >= 0 Nullable ID of the device where the risk was detected.
sourceIp	string Nullable IP address of one of the communication participants that generated the risk. This parameter is empty if there is no communication.
sourceIpAddressSpaceId	integer <int64> >= 0 Nullable Address space identifier of a source IP address.
sourceMac	string Nullable MAC address of one of the communication participants that generated the risk. This parameter is empty if there is no communication.
sourceMacAddressSpaceId	integer <int64> >= 0 Nullable Address space identifier of a source MAC address.
sourcePort	integer <int32> [ 0 .. 65535 ] Nullable Port of one of the communication participants that generated the risk. This parameter is empty if there is no communication.
destinationIp	string Nullable IP address of the second communication participant that generated the risk. This parameter is empty if there is no communication.
destinationIpAddressSpaceId	integer <int64> >= 0 Nullable Address space identifier of a destination IP address.
destinationMac	string Nullable MAC address of the second communication participant that generated the risk. This parameter is empty if there is no communication.
destinationMacAddressSpaceId	integer <int64> >= 0 Nullable Address space identifier of a destination MAC address.
destinationPort	integer <int32> [ 0 .. 65535 ] Nullable Port of the second communication participant that generated the risk. This parameter is empty if there is no communication.
comments	string <= 1000 characters Nullable User comments of the risk.
	Array of objects (RiskMitigationParameters) Nullable Recommendations on the risk mitigation.
	object (VulnerabilityRiskParameters)

Responses

Request samples

Payload

Content type

{"typeId": 1,
"baseScore": 5.5,
"name": "Some name",
"description": "Some description",
"firstDetected": "2020-10-27T14:32:25Z",
"lastStateChanged": "2020-10-27T14:32:26Z",
"deviceId": 1,
"sourceIp": "192.168.1.2",
"sourceIpAddressSpaceId": 1,
"sourceMac": "aa:bb:cc:dd:ee:ff",
"sourceMacAddressSpaceId": 2,
"sourcePort": 8081,
"destinationIp": "192.168.0.1",
"destinationIpAddressSpaceId": 3,
"destinationMac": "aa:bb:cc:dd:ee:ff",
"destinationMacAddressSpaceId": 4,
"destinationPort": 8082,
"comments": "User comments",
"mitigations": [{"type": "Primary",
"typeName": "Some type name",
"source": "Vendor",
"sourceName": "Some source name",
"mitigation": "Risk mitigation"
}
],
"vulnerabilityRiskInfo": {"cveId": "Cve identifier",
"matchedCpe": "Matched cpe",
"cpeDisplayName": "Cpe display name",
"cpeTarget": "Software",
"published": "2020-10-27T14:32:25Z",
"references": [{"type": "VendorAdvisory",
"typeName": "Vendor advisory text",
"uri": "http://my.server/1.pdf",
"title": "Reference title"
}
],
"attackConditions": "Attack conditions text",
"impact": "Some impact",
"vector": "Vector text",
"bduFstecIds": "BDU:2019-00775"
}
}

Response samples

400

Content type

application/json

"string"

Updating comments of an existing risk

path Parameters

id required	integer <int64> >= 1 ID of the risk.
version required	string

Request Body schema:
application/json-patch+json
application/json-patch+json
application/json
text/json
application/*+json

String with new comments for the risk.

string <= 65536 characters

Responses

Request samples

Payload

Content type

"string"

Response samples

400

Content type

application/json

"string"

Setting a new state for an existing risk

path Parameters

id required	integer <int64> >= 1 ID of the risk.
version required	string

Request Body schema:
application/json-patch+json
application/json-patch+json
application/json
text/json
application/*+json

New state for the risk.

string (UpdateRiskStateRequest)

Enum: "Active" "Accepted"

Responses

Request samples

Payload

Content type

"Active"

Response samples

400

Content type

application/json

"string"

ServerSettings

Kaspersky Industrial CyberSecurity for Networks provides capability for a recipient system to query data on general settings. You can get server settings from Kaspersky Industrial CyberSecurity for Networks using the server settings API methods.

Querying information about the locale used by the application

path Parameters

version

required

string

Responses

Response samples

200

Content type

application/json

{"localization": "ru"
}

Technologies

Information about the state of technologies.
You can get information about the state of technologies using the technologies API methods.

Getting information about the state of technologies

path Parameters

version

required

string

query Parameters

nodeId	string
monitoringPointId	integer <int64>

Responses

Response samples

200

Content type

application/json

[{"type": "Ids",
"name": "Arpspoofing",
"enabled": true,
"mode": "NotSupported",
"status": "Ok",
"errorMessage": "",
"learningExpiration": "2023-10-26T01:11:17.114023+03:00"
},
{"type": "Am",
"name": "AttributeDiscovery",
"enabled": true,
"mode": "NotSupported",
"status": "InProgress",
"errorMessage": "",
"learningExpiration": "2023-10-26T01:11:17.1140237+03:00"
},
{"type": "Nic",
"name": "NetworkIntegrityControl",
"enabled": true,
"mode": "Learning",
"status": "Error",
"errorMessage": "Something wrong",
"learningExpiration": "2023-10-26T01:11:17.1140239+03:00"
}
]

Kaspersky Industrial CyberSecurity for Networks Public API (v4)

Authentication

Bearer authentication

About

Getting product information

path Parameters

Responses

Response samples

AddressSpaces

Querying several address spaces

path Parameters

Request Body schema: application/json-patch+jsonapplication/json-patch+jsonapplication/jsontext/jsonapplication/*+json

Responses

Request samples

Response samples

Querying a single address space

path Parameters

Responses

Response samples

AllowRules

Querying a single allowing rule

path Parameters

Responses

Response samples

Editing an existing allowing rule

path Parameters

Request Body schema: application/json-patch+jsonapplication/json-patch+jsonapplication/jsontext/jsonapplication/*+json

Responses

Request samples

Removing an existing allowing rule

path Parameters

Responses

Querying several allowing rules

path Parameters

Request Body schema: application/json-patch+jsonapplication/json-patch+jsonapplication/jsontext/jsonapplication/*+json

Responses

Request samples

Response samples

ApplicationMessages

Querying several application messages

path Parameters

Request Body schema: application/json-patch+jsonapplication/json-patch+jsonapplication/jsontext/jsonapplication/*+json

Responses

Request samples

Response samples

AuditMessages

Querying several audit entries

path Parameters

Request Body schema: application/json-patch+jsonapplication/json-patch+jsonapplication/jsontext/jsonapplication/*+json

Responses

Request samples

Response samples

Configuration

Returning information about the current connector

path Parameters

Responses

Response samples

Devices

Querying several devices

path Parameters

Request Body schema: application/json-patch+jsonapplication/json-patch+jsonapplication/jsontext/jsonapplication/*+json

Responses

Request samples

Response samples

Querying a single device

path Parameters

Responses

Response samples

Changing device fields

path Parameters

query Parameters

Request Body schema: application/json-patch+jsonapplication/json-patch+jsonapplication/jsontext/jsonapplication/*+json

Responses

Request samples

Response samples

Editing an existing device

path Parameters

Request Body schema: application/json-patch+jsonapplication/json-patch+jsonapplication/jsontext/jsonapplication/*+json

Responses

Request samples

Request Body schema:
application/json-patch+json
application/json-patch+json
application/json
text/json
application/*+json

Request Body schema:
application/json-patch+json
application/json-patch+json
application/json
text/json
application/*+json

Request Body schema:
application/json-patch+json
application/json-patch+json
application/json
text/json
application/*+json

Request Body schema:
application/json-patch+json
application/json-patch+json
application/json
text/json
application/*+json

Request Body schema:
application/json-patch+json
application/json-patch+json
application/json
text/json
application/*+json

Request Body schema:
application/json-patch+json
application/json-patch+json
application/json
text/json
application/*+json

Request Body schema:
application/json-patch+json
application/json-patch+json
application/json
text/json
application/*+json

Request Body schema:
application/json-patch+json
application/json-patch+json
application/json
text/json
application/*+json

Request Body schema:
application/json-patch+json
application/json-patch+json
application/json
text/json
application/*+json

Request Body schema:
application/json-patch+json
application/json-patch+json
application/json
text/json
application/*+json

Request Body schema:
application/json-patch+json
application/json-patch+json
application/json
text/json
application/*+json

Request Body schema:
application/json-patch+json
application/json-patch+json
application/json
text/json
application/*+json

Request Body schema:
application/json-patch+json
application/json-patch+json
application/json
text/json
application/*+json