KSC Open API
Kaspersky Security Center API description
Some methods use a 'search filter', the syntax of which resembles the syntax from RFC 2254 (note that these syntaxes are not identical).
filter     = "(" filtercomp ")"
filtercomp = and / or / not / item
and        = "&" filterlist
or         = "|" filterlist
not        = "!" filter
filterlist = 1*filter
item       = simple
simple     = attr filtertype value
filtertype = equal / greater / less / notequal
equal      = "="
greater    = ">"
less       = "<"
notequal   = "<>"
attr       = AttributeDescription
value      = Integer / Quoted string / UTC time / Binary
| Wildcard | Description |
|---|---|
| ? | Any single character. |
| * | Any string of zero or more characters. |
| [ ] | Any single character within the specified range ([a-f]) or set ([abcdef]). |
| [^] | Any single character that is not within the specified range ([^a-f]) or set ([^abcdef]). |
Bit comparison is also supported and has the following syntax:
"(" attr bitop bitmask filtertype bits ")"
Where:
Example: (| (KLHST_WKS_GROUPID = 0 ) (KLHST_WKS_STATUS_MASK & 2 = 2 ) )
Some attributes are optional and may have no value for some elements (have NULL value).
To check if an attribute exists (IS NOT NULL), use the following syntax:
"(" attr ")"
For example,
(dev_encFlags)
To check if an attribute does not exist (IS NULL), use the following syntax:
"(!(" attr "))"
For example,
(!(dev_encFlags))
("Host display name does not match wildcard A*") AND (Host is a member of group with ID = 0 OR ID = 1) AND (host status mask has zero bit set) AND (host connected to Administration Server in last 24 hours)
(&
    (!KLHST_WKS_DN = "A*")
    (|
        (KLHST_WKS_GROUPID = 0 )
        (KLHST_WKS_GROUPID = 1 )
    )
    (KLHST_WKS_STATUS_MASK & 1 <> 0 )
    (KLHST_WKS_LAST_NAGENT_CONNECTED > CURTIME(-86400) )
)
The expression "(attribute dev_encFlags does not exist) OR (attribute dev_encFlags corresponds to the mask 3)" has the following syntax:
(| (!(dev_encFlags)) (dev_encFlags & 3 <> 0) )
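An added example, not part of the Kaspersky documentation: a small Python builder that assembles filters from the constructs above, so that values coming from outside the program never reach the filter as raw text. The function names, the attribute-name pattern, and the choice to refuse (rather than escape) double quotes and unrequested wildcard characters are assumptions of this example.

```python
import re

# Assumed attribute-name shape, taken from the names on this page.
_ATTR = re.compile(r"[A-Za-z_][A-Za-z0-9_]*\Z")
_TYPES = ("=", ">", "<", "<>")   # filtertype in the grammar
_WILDCARDS = set("?*[]")         # characters from the wildcard table

class Filter(str):
    """Marks a string as built here, so raw input cannot be spliced in."""

def _head(attr, op):
    if not _ATTR.match(attr) or op not in _TYPES:
        raise ValueError(f"bad attribute or filtertype: {attr!r} {op!r}")
    return attr

def _value(v, wildcards):
    if isinstance(v, int) and not isinstance(v, bool):
        return str(v)
    if not isinstance(v, str):
        raise TypeError("value must be int or str")
    # The page defines no escaping, so quotes are refused, not escaped.
    if '"' in v or (not wildcards and _WILDCARDS & set(v)):
        raise ValueError(f"unsafe characters in value: {v!r}")
    return f'"{v}"'

def item(attr, op, value, wildcards=False):
    return Filter(f"({_head(attr, op)} {op} {_value(value, wildcards)})")

def bit_test(attr, mask, op, bits):
    return Filter(f"({_head(attr, op)} & {int(mask)} {op} {int(bits)})")

def exists(attr):
    return Filter(f"({_head(attr, '=')})")

def _built(*parts):
    if not parts or not all(isinstance(p, Filter) for p in parts):
        raise TypeError("operands must be Filter objects from this builder")
    return " ".join(parts)

def not_(f):
    return Filter(f"(!{_built(f)})")

def and_(*parts):
    return Filter(f"(& {_built(*parts)} )")

def or_(*parts):
    return Filter(f"(| {_built(*parts)} )")
```

Calling `or_(not_(exists("dev_encFlags")), bit_test("dev_encFlags", 3, "<>", 0))` reproduces the dev_encFlags filter shown above; pass `wildcards=True` to `item` only when the pattern is written by the program itself.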
For some attributes, you can use full-text search. See Full-text search.