KSC Open API
Kaspersky Security Center API description
Search filter syntax

Some methods take a 'search filter'. Its syntax resembles the LDAP filter syntax of RFC 2254, but the two are not identical: the comparison operators, value types and wildcards are the ones described on this page.

General syntax

    filter     = "(" filtercomp ")"
    filtercomp = and / or / not / item
    and        = "&" filterlist
    or         = "|" filterlist
    not        = "!" filter
    filterlist = 1*filter
    item       = simple
    simple     = attr filtertype value
    filtertype = equal / greater / less / notequal
    equal      = "="
    greater    = ">"
    less       = "<"
    notequal   = "<>"
    attr       = AttributeDescription 
    value      = Integer / Quoted string / UTC time / Binary


  • Integer must be specified as a signed decimal number.
  • Quoted string (for example, "some computer") may also contain the following wildcards (in this case the 'filtertype' must be 'equal'):

    ?      Any single character.
    *      Any string of zero or more characters.
    [ ]    Any single character within the specified range ([a-f]) or set ([abcdef]).
    [^ ]   Any single character that is not within the specified range ([^a-f]) or set ([^abcdef]).

    If the string contains a quote, write the quote twice.
    Example: "some ""computer"""
  • UTC time can be specified either in absolute or in relative format. Absolute format: T"YYYY-MM-DD hh:mm:ss".
    Example: T"2005-04-27 23:59:01". In relative format, the pseudovalue CURTIME([<signed integer delta>]) stands for "current time (in UTC) + <signed integer delta>". The delta is in seconds, so CURTIME(-86400) is 24 hours ago and CURTIME() is the current time.

  • Binary must be provided as hex with the '0x' prefix.
    Example: 0xF41748C0BEF943a6AE2C5D1010F046AD.

Bit operations

Bit comparison is also supported and has the following syntax:

        "(" attr bitop bitmask filtertype bits ")"

Where:

  • attr - attribute name
  • bitop - bit operation ('&' or '|') applied to the attribute value and the bitmask
  • bitmask - the bitmask, integer
  • filtertype - logical operation (equal / greater / less / notequal) applied to the result of the bit operation
  • bits - value for comparison, integer

Example: (| (KLHST_WKS_GROUPID = 0 ) (KLHST_WKS_STATUS_MASK & 2 = 2 ) )

Check for existence

Some attributes are optional and may have no value for some elements (a NULL value).

To check that an attribute exists (IS NOT NULL), use the following syntax:

    "(" attr ")"

For example,

    (dev_encFlags)


To check if an attribute does not exist (IS NULL), use the following syntax:

    "(!(" attr "))"

For example,

    (!(dev_encFlags))
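
The following is an added example, not part of the KSC documentation or of Kaspersky's KlAkOAPI client: a strict recursive-descent parser for the grammar above, covering and/or/not, simple comparisons, bit comparisons, existence checks and all five value forms. It returns a small tuple AST and raises ValueError on anything the grammar does not allow, so a client or a proxy can reject a malformed or unexpected filter before it is sent to Administration Server. The one assumption beyond the page is that attribute names are identifiers (letters, digits, underscore).

```python
import re

# Added example (not KSC or KlAkOAPI code): strict parser for the filter grammar above.
# Attribute names are assumed to be identifiers; any deviation from the grammar raises ValueError.
_ATTR = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")
_INT = re.compile(r"[+-]?\d+")
_VALUE = re.compile(                                 # the five value forms, tried in this order
    r'T"(?P<utc>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})"'
    r"|CURTIME\((?P<curtime>\s*[+-]?\d+\s*|\s*)\)"
    r"|0[xX](?P<bin>[0-9A-Fa-f]+)"                   # before int: "0x.." also starts with a digit
    r"|(?P<int>[+-]?\d+)"
    r'|"(?P<str>(?:[^"]|"")*)"')                     # a literal quote is written twice
_OPS = ("<>", "=", ">", "<")                         # "<>" first so it is not read as "<"


class _Parser:
    def __init__(self, text):
        self.s, self.i = text, 0

    def peek(self):                                  # skip whitespace; return next char or ""
        while self.i < len(self.s) and self.s[self.i].isspace():
            self.i += 1
        return self.s[self.i] if self.i < len(self.s) else ""

    def expect(self, ch):
        if self.peek() != ch:
            raise ValueError(f"expected {ch!r} at offset {self.i}")
        self.i += 1

    def match(self, rx):
        self.peek()
        m = rx.match(self.s, self.i)
        self.i = m.end() if m else self.i
        return m

    def filter(self):                                # filter = "(" filtercomp ")"
        self.expect("(")
        c = self.peek()
        if c in ("&", "|"):                          # and / or over one or more filters
            self.i += 1
            items = []
            while self.peek() == "(":
                items.append(self.filter())
            if not items:
                raise ValueError("filterlist needs at least one filter")
            node = ("and" if c == "&" else "or", items)
        elif c == "!":                               # not = "!" filter: the operand is parenthesised
            self.i += 1
            node = ("not", self.filter())
        else:
            node = self.item()
        self.expect(")")
        return node

    def item(self):
        m = self.match(_ATTR)
        if not m:
            raise ValueError(f"attribute name expected at offset {self.i}")
        attr, c = m.group(), self.peek()
        if c == ")":                                 # "(" attr ")" : IS NOT NULL
            return ("exists", attr)
        if c in ("&", "|"):                          # "(" attr bitop bitmask filtertype bits ")"
            self.i += 1
            mask = self.match(_INT)
            op, bits = self.op(), self.match(_INT)
            if not (mask and bits):
                raise ValueError("bitmask and bits must be integers")
            return ("bitcmp", attr, c, int(mask.group()), op, int(bits.group()))
        op = self.op()                               # simple = attr filtertype value
        return ("cmp", attr, op, self.value(op))

    def op(self):
        self.peek()
        for op in _OPS:
            if self.s.startswith(op, self.i):
                self.i += len(op)
                return op
        raise ValueError(f"filtertype expected at offset {self.i}")

    def value(self, op):
        m = self.match(_VALUE)
        if not m:
            raise ValueError(f"value expected at offset {self.i}")
        kind, text = next((k, v) for k, v in m.groupdict().items() if v is not None)
        if kind == "str":
            text = text.replace('""', '"')
            if op != "=" and any(ch in text for ch in "?*["):
                raise ValueError("wildcards are allowed only with '='")
        elif kind in ("int", "curtime"):
            text = int(text or 0)                    # CURTIME() without a delta means "now"
        return (kind, text)


def parse_filter(text):
    p = _Parser(text)
    node = p.filter()
    if p.peek():
        raise ValueError(f"trailing input at offset {p.i}")
    return node
```

The parser follows the grammar literally: 'not' takes a parenthesised filter, so (!(attr = 1)) parses and (!attr = 1) does not, and a quoted string containing '?', '*' or '[' is rejected unless the filtertype is '='. Whether Administration Server is equally strict is not documented here; treat the parser as a client-side guard, not as a specification of server behaviour.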

Examples

Host display name does not match the wildcard "A*", AND the host is a member of the group with ID 0 or ID 1, AND bit 0 of the host status mask is set, AND the host has connected to Administration Server within the last 24 hours:

                (&
                    (!(KLHST_WKS_DN = "A*"))
                    (|
                        (KLHST_WKS_GROUPID = 0 )
                        (KLHST_WKS_GROUPID = 1 )
                    )
                    (KLHST_WKS_STATUS_MASK & 1 <> 0 )
                    (KLHST_WKS_LAST_NAGENT_CONNECTED > CURTIME(-86400) )
                )

The expression "(attribute dev_encFlags does not exist) OR (attribute dev_encFlags matches mask 3, that is, bit 0 or bit 1 is set)" is written as follows:

            (| (!(dev_encFlags)) (dev_encFlags & 3 <> 0) )
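
As a second added example (again not code from the KSC documentation or from KlAkOAPI), the builder below produces filter strings from typed Python values. It is the alternative to assembling filters by string formatting: quotes inside strings are doubled as the syntax requires, and/or/not are always fully parenthesised, and only the filtertypes and value forms described on this page are accepted. The two functions at the end rebuild the examples above; by_display_name_naive and by_display_name compare a format-string template with the builder on a hostile input. The names Raw, cmp, bits, exists, not_, and_ and or_ are this example's own.

```python
from datetime import datetime, timezone

# Added example (not KSC or KlAkOAPI code): builds filter strings from typed values,
# doubling quotes and fully parenthesising and/or/not so that untrusted input cannot
# change the filter's structure. Attribute names are the ones quoted on this page.
_OPS = ("=", ">", "<", "<>")


class Raw(str):
    """Already in filter syntax (time pseudovalue, hex); must not be quoted again."""


def quoted(text):                              # the only escape defined: double the quote
    return '"' + str(text).replace('"', '""') + '"'


def utc(dt):                                   # T"YYYY-MM-DD hh:mm:ss"; a naive datetime is taken as UTC
    if dt.tzinfo is not None:
        dt = dt.astimezone(timezone.utc)
    return Raw(dt.strftime('T"%Y-%m-%d %H:%M:%S"'))


def curtime(delta_seconds=0):                  # current UTC time + delta (seconds, as in CURTIME(-86400))
    return Raw(f"CURTIME({int(delta_seconds)})")


def _value(v):
    if isinstance(v, Raw):
        return str(v)
    if isinstance(v, bool):                    # bool is an int subclass; refuse it
        raise TypeError("pass an int, not a bool")
    if isinstance(v, int):
        return str(v)
    if isinstance(v, (bytes, bytearray)):      # binary value as 0x-prefixed hex
        return "0x" + bytes(v).hex().upper()
    if isinstance(v, datetime):
        return str(utc(v))
    if isinstance(v, str):
        return quoted(v)
    raise TypeError(f"unsupported value type {type(v).__name__}")


def cmp(attr, op, value):                      # simple = attr filtertype value
    if op not in _OPS:
        raise ValueError(f"unknown filtertype {op!r}")
    if op != "=" and type(value) is str and any(ch in value for ch in "?*["):
        raise ValueError("wildcards are allowed only with '='")
    return f"({attr} {op} {_value(value)})"


def bits(attr, bitop, mask, op, value):        # (attr bitop bitmask filtertype bits)
    if bitop not in ("&", "|") or op not in _OPS:
        raise ValueError("bad bit comparison")
    return f"({attr} {bitop} {int(mask)} {op} {int(value)})"


def exists(attr):                              # IS NOT NULL; not_(exists(attr)) is IS NULL
    return f"({attr})"


def not_(f):
    return f"(!{f})"


def _list(kind, filters):
    if not filters:
        raise ValueError("filterlist needs at least one filter")
    return f"({kind}" + "".join(filters) + ")"


def and_(*filters):
    return _list("&", filters)


def or_(*filters):
    return _list("|", filters)


def hosts_example():                           # the first example on this page, assembled
    return and_(
        not_(cmp("KLHST_WKS_DN", "=", "A*")),
        or_(cmp("KLHST_WKS_GROUPID", "=", 0), cmp("KLHST_WKS_GROUPID", "=", 1)),
        bits("KLHST_WKS_STATUS_MASK", "&", 1, "<>", 0),
        cmp("KLHST_WKS_LAST_NAGENT_CONNECTED", ">", curtime(-86400)),
    )


def encryption_example():                      # the second example on this page
    return or_(not_(exists("dev_encFlags")), bits("dev_encFlags", "&", 3, "<>", 0))


def by_display_name_naive(user_input):         # a quote in the input closes the literal early
    return f'(KLHST_WKS_DN = "{user_input}")'


def by_display_name(user_input):               # through the builder the input stays one string
    return cmp("KLHST_WKS_DN", "=", user_input)
```

The quote doubling is what keeps attacker-controlled input inside the string literal: by_display_name_naive('srv" ) ( KLHST_WKS_DN = "*') yields a filter in which the literal has been closed early and new syntax follows it, whereas by_display_name() on the same input returns a single comparison against that literal text. The syntax defines no escape for the wildcard characters themselves, so a display name that contains '*', '?' or '[' cannot be matched literally with '=' by escaping alone; if exact matching of such names matters, verify the server's behaviour rather than assume it.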

For some attributes, you can use full-text search. See Full-text search.