KSC Open API  13.1
Kaspersky Security Center API description
List of event filter attributes

List of event filter attributes is presented below.

NameTypeDescription
"GNRL_EA_SEVERITY"paramInt

Event severity. May have the following values:

  • 1 - Severity "Information"
  • 2 - Severity "Warning"
  • 3 - Severity "Error"
  • 4 - Severity "Critical"

"KLEVP_EVENT_PRODUCT"paramStringProduct name *.
"KLEVP_EVENT_INTERNAL_VERSION"paramStringProduct version name *.
"KLEVP_EVENT_DISPLAY_VERSION"paramStringProduct build.
"KLEVP_EVENT_VERSION"paramStringEither a display or an internal product version, depending on the context (obsolete).
"KLEVP_EVENT_HOST"paramStringHost name. A unique server-generated string.
"KLEVP_EVENT_TASK_NAME"paramStringDisplay name of the task.
"KLEVP_EVENT_HOST_DISPNAME"paramStringDisplay name of the host.
"KLEVP_EVENT_HOST_GROUP"paramStringName of the group where host is located.
"KLEVP_EVENT_GROUP_TASK_ID"paramStringString identity of the task that published the event. See TASK_UNIQUE_ID.
"EVP_INCL_GNRL_EVENTS"paramBoolInclude general and specific product events. False by default. If set to true for a local task history, the parameters "KLEVP_EVENT_TASK_NAME" and "KLEVP_EVENT_PRODUCT" must be also set.
"EVP_INCL_TASK_STATES"paramBoolInclude events on task states changes; optional; false by default.
"KLEVP_EVENT_TYPE"paramStringName of the event type. For example:
  • "KLPRCI_TaskState" - Task execution state changed. See "task_new_state" attribute.
  • "KLEVP_GroupTaskSyncState" - Task synchronization state changed. See "task_new_state" attribute.
  • "GNRL_EV_VIRUS_FOUND" - Threat found. See also Parameters GNRL_EA_PARAM_* for some events for the list of general (cross-products) events.
"KLEVP_EVENT_GNRL_TYPES_ARRAY"Array of (paramString)List of the event types names, similar to "KLEVP_EVENT_TYPE". Optional.
"KLEVP_EVENT_GNRL_TYPE"paramStringInteresting general event type (not task state change event), to be used when "EVP_INCL_GNRL_EVENTS" = true. Optional.
"KLEVP_EVENT_TSK_STATE_TYPE"paramStringInteresting task state change event type ("KLPRCI_TaskState" or "KLEVP_GroupTaskSyncState"), to be used when "EVP_INCL_TASK_STATES" = true. Optional.
"task_new_state"paramIntTask state (for events of type "KLPRCI_TaskState"), to be used when "EVP_INCL_TASK_STATES" = true. Optional. The following values are possible: Group task state enum.
"EVP_LAST_EVENTS_ONLY"paramBoolInclude only the last task states, instead of all events on task states changes. Don't use with "EVP_INCL_GNRL_EVENTS" = true. Optional. False by default.
"KLEVP_EVENT_RISE_TIME_LEAST"paramDateTimeEarliest time when the event was published, in UTC.
"KLEVP_EVENT_RISE_TIME_GREATEST"paramDateTimeLatest time when the event was published, in UTC.
"KLEVP_EVENT_RISE_TIME_LAST_DAYS"paramIntMaximum period since the event was published until the moment of the event search, in days.
"KLEVP_EVENT_HOST_IP_FROM"paramIntStart of the IPv4 diapason.
"KLEVP_EVENT_HOST_TO"paramIntEnd of the IPv4 diapason.
"KLEVP_EVENT_DOMAIN"paramStringDNS suffix.
"KLEVP_EVENT_NT_DOMAIN"paramStringName of the NT domain.
"KLEVP_EVENT_HOST_NETBIOSNAME"paramStringHost windows (NetBIOS) name.
"KLEVP_EVENT_RI_NEED_REBOOT"paramBoolNeed reboot flag is set by the event, for "EVP_LAST_EVENTS_ONLY" = true only.
"KLEVP_EVENT_RI_ERR_REASONS"Array of (paramInt)Set of remote software installation fail reasons, see Software installation error classes enum, for "EVP_LAST_EVENTS_ONLY" = true only.
"KLEVP_RFC2254_FILTER"paramString

Additional general RFC2254-like filter string (see Search filter syntax.) which can be constructed using supported event attributes. see List of event attributes for attribute names.

For example, to find events from a virtual server with ID 7, having identity more than 1234567, with severity "Error" (3) or "Critical" (4), and type "GNRL_EV_VIRUS_FOUND" or "KLPRCI_TaskState":

"(&(KLVSRV_ID=7)(event_db_id>1234567)(|(GNRL_EA_SEVERITY=3)(GNRL_EA_SEVERITY=4)(|(event_type="GNRL_EV_VIRUS_FOUND")(event_type="KLPRCI_TaskState"))))"

"EVP_FTX_QUERY"paramStringFull-text search condition. See Full-text attribute.
"EVP_MAX_EVENTS_COUNT"paramIntResult set must not contain more that specified number of event records.
"EVP_MAX_EVENTS_SRCH_AREA"paramIntSearch will be from last N events. Optional.
"EVP_INCLUDE_VS"paramBoolInclude data from virtual servers. Optional. True by default.