Request for querying event information
February 16, 2024
ID 248951
To create a request for getting information about events, the HTTP GET method is used.
In response to the first request, Kaspersky Anti Targeted Attack Platform creates a ContinuationToken (hereinafter also referred to as the "token") and sends the events available in the system at the time the token was created. Whenever a new token is created, Kaspersky Anti Targeted Attack Platform sends the events available in the system at the time that token was created.
The token records which data were transmitted last. To receive only the events recorded after the last request, save the returned token and pass it in subsequent requests.
Command syntax
For the first request:
GET "<URL of the Central Node server>:<port, 443 by default>/kata/events_api/v1/<external_system_id>/events"
If the request is processed successfully, information about requested events and the token value are displayed.
For subsequent requests:
GET "<URL of the Central Node server>:<port, 443 by default>/kata/events_api/v1/<external_system_id>/events?continuation_token=<value of the token retrieved by the first request>"
If the request is processed successfully, information about events received since the last request is displayed.
You can create a request to output information about events by specifying the maximum collection time and number of events, as well as event filtering parameters:
GET "<URL of the Central Node server>:<port, 443 by default>/kata/events_api/v1/<external_system_id>/events?filter=<event filter>&max_timeout=<maximum event collection time>&max_events=<maximum number of events>&continuation_token=<value of the token retrieved by the first request>"
If you specified the value of the filter parameter for the first request, you do not have to specify it during subsequent requests: the filtering parameters are saved from the previous request and are used if no new parameters are passed in subsequent requests. If you do not want to use filtering, do not specify a value for the parameter.
Settings
Parameter | Type | Description |
---|---|---|
external_system_id | UUID | Unique ID of the external system used for authorization in Kaspersky Anti Targeted Attack Platform. |
filter | string | Event filtering settings. These are set using the event query language. |
max_timeout | int | Maximum event collection time, specified in the format PT<integer value>S, for example PT300S. The server sends information about events collected during the specified time. The default value is 5 minutes; it is used unless otherwise specified in the request. The maximum event collection time may not exceed 5 minutes: if you specify a value greater than 5 minutes, the Central Node server returns an error. The actual total time to wait for events may be longer than the specified value. |
max_events | int | Maximum number of events. If no value is specified in the request, Kaspersky Anti Targeted Attack Platform calculates it based on the number of hosts on which the Endpoint Agent component is installed. Examples of values for typical configurations: … The value specified in the request must not exceed these limits. |
continuation_token | string | Value of the token. |
Example of entering commands with parameters
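The request syntax above worked into a small polling client, as an added example that is not part of the original page and not the product's own tooling: it builds the first and the subsequent request with the parameter names shown in the syntax lines, rejects a max_timeout above the 5-minute ceiling before the request is sent, omits the filter parameter on later requests so the server-side saved filter stays in effect, and persists the token between calls as the page recommends. The hostname, the external system UUID, the filter expression and the JSON response shape (keys "events" and "continuation_token") are assumptions; the page does not show the response schema, so adjust parse_response to the real one.

```python
import json
import re
import tempfile
from pathlib import Path
from typing import List, Optional, Tuple
from urllib.parse import quote, urlencode
from urllib.request import Request, urlopen

MAX_TIMEOUT_SECONDS = 300  # ceiling stated on the page: 5 minutes
_DURATION_RE = re.compile(r"^PT(\d+)S$")
# Constructed placeholder values; replace with the real host and external system ID.
CENTRAL_NODE = "cn.example.internal"
SYSTEM_ID = "11111111-2222-3333-4444-555555555555"


def validate_max_timeout(value: str) -> str:
    """Check the PT<integer>S format and the 5-minute ceiling before sending.
    The Central Node rejects larger values with an error; failing locally is clearer."""
    match = _DURATION_RE.match(value)
    if not match:
        raise ValueError(f"max_timeout must look like PT300S, got {value!r}")
    if int(match.group(1)) > MAX_TIMEOUT_SECONDS:
        raise ValueError(f"{value} exceeds the PT{MAX_TIMEOUT_SECONDS}S limit")
    return value


def build_events_url(central_node: str, external_system_id: str, *, port: int = 443,
                     continuation_token: Optional[str] = None,
                     event_filter: Optional[str] = None,
                     max_timeout: Optional[str] = None,
                     max_events: Optional[int] = None) -> str:
    """Assemble the GET URL from the parameter names in the syntax lines.
    Only parameters that are set are appended: leaving `filter` out means
    "keep the filter saved from the previous request"."""
    params = {}
    if event_filter is not None:
        params["filter"] = event_filter
    if max_timeout is not None:
        params["max_timeout"] = validate_max_timeout(max_timeout)
    if max_events is not None:
        if max_events < 1:
            raise ValueError("max_events must be a positive integer")
        params["max_events"] = max_events
    if continuation_token is not None:
        params["continuation_token"] = continuation_token
    base = f"https://{central_node}:{port}/kata/events_api/v1/{external_system_id}/events"
    # quote (not quote_plus) so spaces in a filter expression are sent as %20
    return base + ("?" + urlencode(params, quote_via=quote) if params else "")


def parse_response(body: bytes) -> Tuple[List[dict], Optional[str]]:
    """ASSUMED response shape: a JSON object with "events" and "continuation_token"."""
    data = json.loads(body)
    return list(data.get("events", [])), data.get("continuation_token")


def fetch_events(url: str, opener=urlopen) -> Tuple[List[dict], Optional[str]]:
    """Send the GET request; `opener` is injectable so the cycle can run offline."""
    with opener(Request(url, method="GET")) as resp:
        return parse_response(resp.read())


def poll_once(central_node: str, external_system_id: str, token_file: Path,
              opener=urlopen, **options) -> List[dict]:
    """One round: reuse the saved token if any, request, persist the new token."""
    token = token_file.read_text().strip() if token_file.exists() else None
    url = build_events_url(central_node, external_system_id,
                           continuation_token=token or None, **options)
    events, new_token = fetch_events(url, opener)
    if new_token:
        token_file.write_text(new_token)
    return events


class _FakeResponse:
    """Constructed stand-in for an HTTP response (offline demonstration only)."""
    def __init__(self, body: bytes):
        self._body = body

    def read(self) -> bytes:
        return self._body

    def __enter__(self):
        return self

    def __exit__(self, *exc):
        return False


def _fake_opener(request: Request) -> _FakeResponse:
    """Constructed server: a different token and event once a token is presented."""
    if "continuation_token=" in request.full_url:
        return _FakeResponse(b'{"events": [{"id": 2}], "continuation_token": "tok-2"}')
    return _FakeResponse(b'{"events": [{"id": 1}], "continuation_token": "tok-1"}')


def demo_cycle() -> Tuple[List[dict], str]:
    """Two rounds against the fake server; returns the second round's events
    and the token persisted after it, showing the token hand-off."""
    with tempfile.TemporaryDirectory() as tmp:
        state = Path(tmp) / "kata_continuation_token.txt"
        poll_once(CENTRAL_NODE, SYSTEM_ID, state, opener=_fake_opener,
                  event_filter="<filter in the event query language>",
                  max_timeout="PT300S", max_events=500)
        events = poll_once(CENTRAL_NODE, SYSTEM_ID, state, opener=_fake_opener)
        return events, state.read_text()
```

demo_cycle runs the whole first-request / subsequent-request cycle against the constructed _fake_opener; calling poll_once with the default opener (urlopen) sends the same requests to a real Central Node, with whatever transport-level authentication the deployment requires set up outside this snippet.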
Returned value
Return code | Description |
---|---|
200 | Operation completed successfully. |
400 | Incorrect parameters. |
401 | Authorization required. |
500 | Internal server error. Repeat the request later. |