KSC Open API
Kaspersky Security Center API description
Search filter syntax.

A number of methods use a so-called 'search filter' whose syntax resembles (but is not identical to!) the one from RFC 2254.

General syntax

    filter     = "(" filtercomp ")"
    filtercomp = and / or / not / item
    and        = "&" filterlist
    or         = "|" filterlist
    not        = "!" filter
    filterlist = 1*filter
    item       = simple
    simple     = attr filtertype value
    filtertype = equal / greater / less / notequal
    equal      = "="
    greater    = ">"
    less       = "<"
    notequal   = "<>"
    attr       = AttributeDescription 
    value      = Integer / Quoted string / UTC time / Binary


  • Integer must be provided as signed decimal.
  • Quoted string, such as "some computer". It may also contain the following wildcards (in this case the 'filtertype' must be 'equal'):

    ?      Any single character.
    *      Any string of zero or more characters.
    [ ]    Any single character within the specified range ([a-f]) or set ([abcdef]).
    [^]    Any single character not within the specified range ([^a-f]) or set ([^abcdef]).

    If the string must contain a quote, put it twice, for example, "some ""computer""".
  • UTC time can be specified either in absolute or relative format. Absolute format: T"YYYY-MM-DD hh:mm:ss". Example: T"2005-04-27 23:59:01". To specify UTC time in relative format, the pseudovalue CURTIME([<signed integer delta>]) may be used, meaning "current time (in UTC) + <signed integer delta>".
  • Binary must be provided as hex, with the '0x' prefix. For example, 0xF41748C0BEF943a6AE2C5D1010F046AD.
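The builder functions below are an added example, not Kaspersky's code: they render each value kind listed above with the quoting rules the page gives, so that a host name or other string taken from user input always lands inside one quoted literal and cannot close it to append clauses of its own. The attribute-name pattern is an assumption (the page only names the rule 'AttributeDescription'); the function names are mine.

```python
"""Builders for KSC search-filter text (added example, not Kaspersky's code).
Each value kind listed above has its own encoder, so a string taken from user
input always ends up inside one quoted literal rather than being pasted into the
filter text. Assumed: attribute names use identifier characters only (the page
says just "AttributeDescription")."""
import re
from datetime import datetime, timezone

ATTR_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*\Z")          # assumed shape of an attribute name
FILTERTYPES = ("=", ">", "<", "<>")


class CurTime:
    """Relative UTC time: CURTIME(delta) is the current UTC time plus delta seconds."""
    def __init__(self, delta_seconds: int = 0):
        self.delta = int(delta_seconds)

    def __str__(self) -> str:
        return f"CURTIME({self.delta})" if self.delta else "CURTIME()"


def quoted(s: str) -> str:
    # Quoted string; an embedded quote is written twice: some "computer" -> "some ""computer"""
    return '"' + s.replace('"', '""') + '"'


def utc_time(t: datetime) -> str:
    # Absolute UTC time literal; aware datetimes are converted, naive ones are taken as UTC
    if t.tzinfo is not None:
        t = t.astimezone(timezone.utc)
    return 'T"' + t.strftime("%Y-%m-%d %H:%M:%S") + '"'


def literal(value) -> str:
    """Encode one Python value as a filter value (Integer, Quoted string, UTC time or Binary)."""
    if isinstance(value, bool):                              # bool is an int subclass; refuse the ambiguity
        raise TypeError("bool is not a filter value")
    if isinstance(value, int):
        return str(value)                                    # signed decimal
    if isinstance(value, str):
        return quoted(value)
    if isinstance(value, (datetime, CurTime)):
        return utc_time(value) if isinstance(value, datetime) else str(value)
    if isinstance(value, (bytes, bytearray)):
        return "0x" + bytes(value).hex().upper()             # binary as hex with the 0x prefix
    raise TypeError(f"no filter encoding for {type(value).__name__}")


def attr(name: str) -> str:
    if not ATTR_RE.match(name):
        raise ValueError(f"not an attribute name: {name!r}")
    return name


def simple(name: str, filtertype: str, value) -> str:
    """(attr filtertype value); wildcards in a string are only honoured with '='."""
    if filtertype not in FILTERTYPES:
        raise ValueError(f"filtertype must be one of {FILTERTYPES}")
    return f"({attr(name)} {filtertype} {literal(value)})"


def bits(name: str, bitop: str, bitmask: int, filtertype: str, value: int) -> str:
    """(attr bitop bitmask filtertype bits), the 'Bit operations' form."""
    if bitop not in ("&", "|") or filtertype not in FILTERTYPES:
        raise ValueError("bitop must be & or |, filtertype one of " + " ".join(FILTERTYPES))
    return f"({attr(name)} {bitop} {int(bitmask)} {filtertype} {int(value)})"


def exists(name: str) -> str:                                # (attr) = IS NOT NULL
    return f"({attr(name)})"


def negate(f: str) -> str:                                   # (! filter)
    return f"(!{f})"


def _join(op: str, filters) -> str:                          # filterlist = 1*filter
    if not filters:
        raise ValueError("filterlist needs at least one filter")
    return f"({op} " + " ".join(filters) + ")"


def all_of(*filters: str) -> str:
    return _join("&", filters)


def any_of(*filters: str) -> str:
    return _join("|", filters)


def recent_hosts_filter(name_pattern: str, group_ids, max_age_seconds: int) -> str:
    """The first filter of the 'Examples' section, assembled from the builders above."""
    return all_of(
        negate(simple("KLHST_WKS_DN", "=", name_pattern)),
        any_of(*(simple("KLHST_WKS_GROUPID", "=", g) for g in group_ids)),
        bits("KLHST_WKS_STATUS_MASK", "&", 1, "<>", 0),
        simple("KLHST_WKS_LAST_NAGENT_CONNECTED", ">", CurTime(-max_age_seconds)),
    )
```

The page describes no way to escape ?, *, [ ] inside a quoted string, so a user-supplied value used with '=' is still interpreted as a pattern; the builder can only keep it inside a single literal, which is what stops it from adding clauses of its own.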

Bit operations

Comparing bits is also supported and has the following syntax:

        "(" attr bitop bitmask filtertype bits ")"

Where:

  • attr - attribute name
  • bitop - bit operation ('&' or '|')
  • bitmask - the bitmask, integer
  • filtertype - logical operation: equal / greater / less / notequal
  • bits - value to compare with, integer

Example: (| (KLHST_WKS_GROUPID = 0 ) (KLHST_WKS_STATUS_MASK & 2 = 2 ) )

Check for existence

Some attributes are optional, and may have no value for some elements (a NULL value).

To check the attribute for existence (IS NOT NULL), use the following syntax:

    "(" attr ")"

For example,

    (dev_encFlags)


To check the attribute for non-existence (IS NULL), use the following syntax:

    "(!(" attr "))"

For example,

    (!(dev_encFlags))

Examples

("Host display name does not match wildcard A*") AND (Host is a member of the group with ID = 0 OR ID = 1) AND (host status mask has bit zero set) AND (host connected to the Administration Server in the last 24 hours)

                (&
                    (!KLHST_WKS_DN = "A*")
                    (|
                        (KLHST_WKS_GROUPID = 0 )
                        (KLHST_WKS_GROUPID = 1 )
                    )
                    (KLHST_WKS_STATUS_MASK & 1 <> 0 )
                    (KLHST_WKS_LAST_NAGENT_CONNECTED > CURTIME(-86400) )
                )

The expression "(attribute dev_encFlags does not exist) OR (attribute dev_encFlags corresponds to the mask 3)" has the following syntax:

            (| (!(dev_encFlags)) (dev_encFlags & 3 <> 0) )
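The parser and evaluator below are an added example, not code from the KSC Open API or from Kaspersky. They implement the grammar from 'General syntax' together with the bit-operation and existence forms, wildcards, quote doubling, T"..." literals and CURTIME(), and evaluate a parsed filter against a host record held as a dict, so the two examples above can be tried against constructed data. Assumptions not stated on the page: a NULL attribute satisfies no comparison or bit test, wildcard matching is case-sensitive, and attribute names are identifier-like; the bare (!attr = value) spelling of the first example is accepted alongside the grammar's "!" filter form. SAMPLE_HOST and SAMPLE_NOW are constructed, not real KSC data.

```python
"""KSC search-filter parser and evaluator (added example, not Kaspersky's code).
A filter string becomes a tuple AST, evaluated against a host record dict in
which a missing key is NULL. Assumed, as the page states neither: NULL satisfies
no comparison or bit test, and wildcard matching is case-sensitive."""
import fnmatch
import re
from datetime import datetime, timedelta, timezone

TOKEN_RE = re.compile(r"""\s*(?:(?P<paren>[()])|(?P<op><>|[=<>&|!])
    |(?P<time>T"(?:[^"]|"")*")|(?P<string>"(?:[^"]|"")*")|(?P<curtime>CURTIME\([^)]*\))
    |(?P<hex>0[xX][0-9A-Fa-f]+)|(?P<int>[-+]?\d+)|(?P<attr>[A-Za-z_]\w*))""", re.VERBOSE)
CMP = {"=": lambda a, b: a == b, "<>": lambda a, b: a != b,
       ">": lambda a, b: a > b, "<": lambda a, b: a < b}
unquote = lambda s: s[1:-1].replace('""', '"')            # "some ""computer""" -> some "computer"
CONVERT = {                                                # value-token text -> Python value
    "string": unquote,
    "time": lambda s: datetime.strptime(unquote(s[1:]), "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc),
    "curtime": lambda s: int(s[8:-1].strip() or 0),        # CURTIME([delta]) -> delta seconds, 0 if absent
    "hex": lambda s: bytes.fromhex(s[2:]),
    "int": int,
}

def tokenize(text):
    pos, toks = 0, []
    while text[pos:].strip():
        m = TOKEN_RE.match(text, pos)
        if not m:
            raise ValueError(f"unexpected input at offset {pos}: {text[pos:pos + 12]!r}")
        pos, kind = m.end(), m.lastgroup                   # lastgroup names the alternative that matched
        toks.append((kind, CONVERT.get(kind, str)(m.group(kind))))
    return toks

def parse(text):                                           # raises ValueError on malformed text
    toks = tokenize(text) + [(None, None)]                 # sentinel so toks[0] always exists

    def take(kind, ok=None):                               # consume one token of `kind` (value in `ok`)
        k, v = toks.pop(0)
        if k != kind or (ok is not None and v not in ok):
            raise ValueError(f"expected {kind}, got {k} {v!r}")
        return v

    def filt():                                            # filter = "(" filtercomp ")"
        take("paren", "(")
        k, v = toks[0]
        if k == "op" and v in ("&", "|"):                  # and / or: op followed by 1*filter
            toks.pop(0)
            node = (v, [filt()])
            while toks[0] == ("paren", "("):
                node[1].append(filt())
        elif k == "op" and v == "!":                       # not: "!" filter, or "!" item as in the example above
            toks.pop(0)
            node = ("!", filt() if toks[0] == ("paren", "(") else item())
        else:
            node = item()
        take("paren", ")")
        return node

    def item():
        attr = take("attr")
        k, v = toks[0]
        if k == "paren":                                   # "(" attr ")" = IS NOT NULL
            return ("exists", attr)
        if k == "op" and v in ("&", "|"):                  # attr bitop bitmask filtertype bits
            toks.pop(0)
            return ("bit", attr, v, take("int"), take("op", CMP), take("int"))
        op, (vk, val) = take("op", CMP), toks.pop(0)       # attr filtertype value
        if vk not in CONVERT:
            raise ValueError(f"missing value after {attr} {op}")
        return ("cmp", attr, op, vk, val)

    node = filt()
    if toks != [(None, None)]:
        raise ValueError("trailing input after filter")
    return node

def evaluate(node, record, now=None):
    now = now or datetime.now(timezone.utc)
    kind, arg = node[0], node[1]
    if kind in ("&", "|"):
        return (all if kind == "&" else any)(evaluate(n, record, now) for n in arg)
    if kind == "!":
        return not evaluate(arg, record, now)
    actual = record.get(arg)
    if kind == "exists" or actual is None:                 # existence test decides; NULL matches nothing else
        return kind == "exists" and actual is not None
    try:
        if kind == "bit":
            _, _, bitop, mask, op, bits = node
            return CMP[op](actual & mask if bitop == "&" else actual | mask, bits)
        _, _, op, vk, value = node
        if vk == "curtime":                                # CURTIME(delta) = now + delta seconds
            value = now + timedelta(seconds=value)
        if vk == "string" and op == "=":                   # wildcards apply to '=' only; fnmatch spells [^..] as [!..]
            return fnmatch.fnmatchcase(actual, value.replace("[^", "[!"))
        return CMP[op](actual, value)
    except TypeError:                                      # e.g. a string attribute compared with an integer
        return False

def matches(filter_text, record, now=None):
    return evaluate(parse(filter_text), record, now)

SAMPLE_NOW = datetime(2024, 1, 2, 12, 0, tzinfo=timezone.utc)  # fixed clock for repeatable runs
SAMPLE_HOST = {                                                # constructed record, not real KSC data
    "KLHST_WKS_DN": "BRANCH-07", "KLHST_WKS_GROUPID": 1, "KLHST_WKS_STATUS_MASK": 5,
    "KLHST_WKS_LAST_NAGENT_CONNECTED": SAMPLE_NOW - timedelta(hours=3)}
```

parse() rejects malformed text with ValueError, so it can vet a filter assembled at run time before it is sent. The evaluator is meant for testing filter logic against known records; the server remains the authority on how a filter is interpreted.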



For some attributes, you can use full-text search. See 'Full-text search'.