KSC Open API
Kaspersky Security Center API description
A number of methods use a so-called 'search filter' whose syntax resembles (but is not identical to!) the one from RFC 2254.
filter = "(" filtercomp ")"
filtercomp = and / or / not / item
and = "&" filterlist
or = "|" filterlist
not = "!" filter
filterlist = 1*filter
item = simple
simple = attr filtertype value
filtertype = equal / greater / less / notequal
equal = "="
greater = ">"
less = "<"
notequal = "<>"
attr = AttributeDescription
value = Integer / Quoted string / UTC time / Binary
? | Any single character. |
* | Any string of zero or more characters. |
[ ] | Any single character within the specified range ([a-f]) or set ([abcdef]). |
[^] | Any single character not within the specified range ([^a-f]) or set ([^abcdef]). |
Comparing bits is also supported and has the following syntax:
"(" attr bitop bitmask filtertype bits ")"
Where:
Example: (| (KLHST_WKS_GROUPID = 0 ) (KLHST_WKS_STATUS_MASK & 2 = 2 ) )
Some attributes are optional and may have no value (a NULL value) for some elements.
To check that an attribute exists (IS NOT NULL), use the following syntax:
"(" attr ")"
For example,
(dev_encFlags)
To check that an attribute does not exist (IS NULL), use the following syntax:
"(!(" attr "))"
For example,
(!(dev_encFlags))
Expression ("Host display name does not match wildcard A*") AND (Host is a member of group with ID = 0 OR ID = 1) AND (host status mask has zero bit set) AND (host connected to Administration Server in last 24 hours) will have the following syntax:
(&
    (!KLHST_WKS_DN = "A*")
    (|
        (KLHST_WKS_GROUPID = 0 )
        (KLHST_WKS_GROUPID = 1 )
    )
    (KLHST_WKS_STATUS_MASK & 1 <> 0 )
    (KLHST_WKS_LAST_NAGENT_CONNECTED > CURTIME(-86400) )
)
Expression "(attribute dev_encFlags does not exist) OR (attribute dev_encFlags corresponds to the mask 3)" will have the following syntax:
(| (!(dev_encFlags)) (dev_encFlags & 3 <> 0) )
For some attributes, you can use full-text search. See Full-text search
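A filter string assembled in client code can be checked against the grammar above before it is sent to the server. The parser below is an added example, not part of the Kaspersky documentation or the KSC API; it covers the and/or/not, comparison, bit-comparison and existence forms shown on this page. Assumptions: "&" is the only bit operator (the only one the examples use), quoted strings contain no embedded double quote, CURTIME(n) and the "!" item form are accepted because the page's examples use them, and UTC time and Binary literals are not handled because the page does not show their format.

```python
import re

# One named group per token kind; "bad" catches any character outside the grammar
# so the parser rejects it instead of silently skipping it.
TOKEN = re.compile(r'(?P<str>"[^"]*")|(?P<time>CURTIME\(-?\d+\))|(?P<int>-?\d+)'
                   r'|(?P<op><>|[=<>])|(?P<sym>[()&|!])|(?P<attr>[A-Za-z_]\w*)|(?P<bad>\S)')

def _take(toks, *allowed):
    """Pop the next token if its kind, or its exact (kind, text) pair, is allowed."""
    if toks[-1][0] not in allowed and toks[-1] not in allowed:
        raise ValueError(f"unexpected {toks[-1][0]} token {toks[-1][1]!r}")
    return toks.pop()[1]

def _item(toks):
    attr = _take(toks, "attr")
    if toks[-1] == ("sym", ")"):                # "(" attr ")": IS NOT NULL check
        return ("exists", attr)
    mask = None
    if toks[-1] == ("sym", "&"):                # attr bitop bitmask filtertype bits
        toks.pop()
        mask = _take(toks, "int")
    op, value = _take(toks, "op"), _take(toks, "int", "str", "time")
    return ("cmp", attr, op, value) if mask is None else ("bits", attr, mask, op, value)

def _filter(toks):                              # filter = "(" filtercomp ")"
    _take(toks, ("sym", "("))
    if toks[-1] in (("sym", "&"), ("sym", "|")):
        name, kids = ("and" if toks.pop()[1] == "&" else "or"), []
        while toks[-1] == ("sym", "("):         # filterlist = 1*filter
            kids.append(_filter(toks))
        if not kids:
            raise ValueError(f"'{name}' needs at least one filter")
        node = (name, kids)
    elif toks[-1] == ("sym", "!"):
        toks.pop()
        # Grammar says "!" filter; the page's longer example writes "!" item, so take both.
        node = ("not", _filter(toks) if toks[-1] == ("sym", "(") else _item(toks))
    else:
        node = _item(toks)
    _take(toks, ("sym", ")"))
    return node

def parse(text):
    """Return a nested-tuple AST for a search filter, or raise ValueError."""
    # Reversed stack: toks[-1] is the next token; ("end", "") marks exhaustion.
    toks = [("end", "")] + [(m.lastgroup, m.group()) for m in TOKEN.finditer(text)][::-1]
    node = _filter(toks)
    _take(toks, "end")                          # anything after the closing ")" is an error
    return node
```

Values are returned as their raw filter text (quoted strings keep their quotes), so the tree can be inspected or logged without re-encoding.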