about_Oath_Tokens_Filter
Describes the syntax and behavior of the OATH token search filter that is supported by the SystoLOCK module for Windows PowerShell.
Some commands in the SystoLOCK module use the Filter parameter to search for tokens. The Filter parameter supports PowerShell variables, rich data types, improved error checking, and an extended form of the PowerShell Expression Language.

Using token filters improves the performance of a token lookup because the filtering is done on the server side: only the matching tokens are returned to the client, instead of every token being retrieved and then filtered locally.
The following syntax description uses Backus-Naur form to show the SystoLOCK Expression Language for the Filter parameter.
<Filter> ::= '{' <FilterComponentList> '}'
<FilterComponentList> ::= <FilterComponent>
    | <FilterComponent> <JoinOperator> <FilterComponent>
    | <NotOperator> <FilterComponent>
<FilterComponent> ::= <PropertyName> <FilterOperator> <Value>
    | '(' <FilterComponent> ')'
<FilterOperator> ::= '-eq' | '=='
    | '-le' | '<='
    | '-ge' | '>='
    | '-ne' | '!=' | '<>'
    | '-lt' | '<'
    | '-gt' | '>'
    | '-approx' | '~='
    | '-bor' | '|'
    | '-band' | '&'
    | '-recursivematch'
    | '-like' | '~'
    | '-notlike' | '-nlike' | '!~'
<JoinOperator> ::= <AndOperator> | <OrOperator>
<AndOperator> ::= '-and' | '&&'
<OrOperator> ::= '-or' | '||'
<NotOperator> ::= '-not' | '!'
<Value> ::= *
    | $null
    | $true | $false
    | NUMBER | 0xHEXNUMBER
    | IDENTIFIER | '<STRING>' | "<STRING>"
    | $PowerShellVariable
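The grammar above is checked by the server, so a malformed filter only fails once the command has been sent. The following is an added example, not code from the SystoLOCK module: a small client-side tokenizer and recursive-descent check for that grammar, useful when filters are assembled by a script and you want a clear error before the call. Split-OathFilter and Test-OathFilter are names chosen for this example; treating the outer braces as optional (the usage examples in this topic omit them) and requiring wildcard values such as *external to be quoted are also assumptions of this example. The server remains authoritative for what it actually accepts.

```powershell
# Added example, not part of the SystoLOCK module: a client-side syntax check for the
# filter grammar. Function names, optional outer braces and the "quote your wildcards"
# rule are assumptions of this example; the server decides what is really accepted.

$FilterOperators = '-eq','==','-le','<=','-ge','>=','-ne','!=','<>','-lt','<','-gt','>',
                   '-approx','~=','-bor','|','-band','&','-recursivematch',
                   '-like','~','-notlike','-nlike','!~'
$JoinOperators   = '-and','&&','-or','||'
$NotOperators    = '-not','!'
# Token properties documented in this topic.
$TokenProperties = 'AgreementKey','Algorithm','Class','CreationTime','DisableTime','Drift',
                   'FriendlyName','HasPin','Identifier','Interval','IssueNumber',
                   'LastTimeUsed','LockTime','Manufacturer','Model','NotAfter','NotBefore',
                   'NumberOfTransactions','PerformedTransactions','ResponseLength','User'

function Split-OathFilter {
    param([string]$Text)
    # One named group per token class. Multi-character operators are listed before the
    # single characters they start with, so '<=' is not split into '<' and '='.
    $rx = [regex]('\G\s*(?:' +
        '(?<str>''[^'']*''|"[^"]*")|' +
        '(?<var>\$[A-Za-z_][A-Za-z0-9_]*)|' +
        '(?<num>0x[0-9A-Fa-f]+|-?\d+)|' +
        '(?<op>-[A-Za-z]+|==|<=|>=|!=|<>|&&|\|\||~=|!~|[<>|&~!*{}()])|' +
        '(?<id>[A-Za-z_][A-Za-z0-9_]*)' +
        ')\s*')
    $tokens = New-Object System.Collections.Generic.List[object]
    $i = 0
    while ($i -lt $Text.Length) {
        $m = $rx.Match($Text, $i)            # \G anchors the match at position $i
        if (-not $m.Success) { throw "unexpected character at position $i" }
        foreach ($kind in 'str','var','num','op','id') {
            if ($m.Groups[$kind].Success) {
                $tokens.Add([pscustomobject]@{ Kind = $kind; Text = $m.Groups[$kind].Value })
                break
            }
        }
        $i = $m.Index + $m.Length
    }
    return $tokens
}

function Test-OathFilter {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Filter)

    $state  = @{ Pos = 0 }   # a hashtable, so the nested helpers can advance the position
    $tokens = @()

    function Get-NextToken { if ($state.Pos -lt $tokens.Count) { $tokens[$state.Pos] } }
    function Read-Token { $t = Get-NextToken; $state.Pos++; return $t }
    function Expect-Token([string]$Text) {
        $t = Read-Token
        if ($null -eq $t -or $t.Text -ne $Text) { throw "expected '$Text'" }
    }
    function Read-Value {
        # <Value>: '*' is the presence wildcard; $null, $true, $false and user variables tokenize as var.
        $t = Read-Token
        if ($null -eq $t) { throw 'value expected at end of filter' }
        $ok = ($t.Kind -in @('str','num','id','var')) -or ($t.Kind -eq 'op' -and $t.Text -eq '*')
        if (-not $ok) { throw "'$($t.Text)' is not a valid value" }
    }
    function Read-Component {
        # <FilterComponent>: property operator value, or a parenthesised component.
        $t = Read-Token
        if ($null -eq $t) { throw 'condition expected at end of filter' }
        if ($t.Text -eq '(') { Read-Component; Expect-Token ')'; return }
        if ($t.Kind -ne 'id' -or $t.Text -notin $TokenProperties) {
            throw "'$($t.Text)' is not a token property"
        }
        $op = Read-Token
        if ($null -eq $op -or $op.Text -notin $FilterOperators) {
            throw "comparison operator expected after '$($t.Text)'"
        }
        Read-Value
    }
    function Read-ComponentList {
        # <FilterComponentList>: one component, two joined components, or a negated component.
        $t = Get-NextToken
        if ($null -ne $t -and $t.Text -in $NotOperators) { $state.Pos++; Read-Component; return }
        Read-Component
        $j = Get-NextToken
        if ($null -ne $j -and $j.Text -in $JoinOperators) { $state.Pos++; Read-Component }
    }

    try {
        $tokens = @(Split-OathFilter $Filter)
        if ($tokens.Count -eq 0) { throw 'filter is empty' }
        $braced = $tokens[0].Text -eq '{'
        if ($braced) { $state.Pos++ }
        Read-ComponentList
        if ($braced) { Expect-Token '}' }
        if ($state.Pos -ne $tokens.Count) {
            throw "unexpected '$($tokens[$state.Pos].Text)' after the end of the condition"
        }
        [pscustomobject]@{ Filter = $Filter; Valid = $true;  Error = $null }
    } catch {
        [pscustomobject]@{ Filter = $Filter; Valid = $false; Error = $_.Exception.Message }
    }
}

# Filters taken from this topic, plus two deliberately broken ones (unquoted wildcard, missing value).
$samples = 'Class -eq Software',
           'Drift <= 23 -and HasPin == $true',
           '-not Algorithm == HotpSha1',
           '{ NotAfter < ''2026-01-01'' }',
           'FriendlyName -like *external',
           'Drift -eq'
$samples | ForEach-Object { Test-OathFilter -Filter $_ } | Format-Table -AutoSize
```

The last two sample filters are rejected: the unquoted wildcard leaves a stray identifier after the condition, and the missing value is reported at the end of the filter. The check follows the grammar literally, so a list joined by more than one -and or -or is reported as invalid as well.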
The following token properties can be used in a filter:

AgreementKey
: Indicates whether the ECDH agreement key is set.

Algorithm
: OTP algorithm identifier (HOTP, TOTP).

Class
: Token type (hardware or software).

CreationTime
: Time when the token was created.

DisableTime
: Time when the token was disabled (not set if the token has never been disabled).

Drift
: Time drift value for time-based tokens, in intervals.

FriendlyName
: Token friendly name.

HasPin
: Indicates whether the PIN value is set.

Identifier
: Token unique identifier.

Interval
: Interval value for time-based OTP algorithms, in seconds.

IssueNumber
: Token issue number.

LastTimeUsed
: Last time the token was used.

LockTime
: Time when the token was locked (not set if the token has never been locked).

Manufacturer
: Name of the token manufacturer.

Model
: Token model name.

NotAfter
: Time after which the token is no longer valid.

NotBefore
: Time before which the token is not yet valid.

NumberOfTransactions
: Maximum number of times the token can be used.

PerformedTransactions
: Number of successfully completed transactions.

ResponseLength
: Length of the resulting one-time password, in digits.

User
: Identifier of the user assigned to this token.

The following operators are supported:

Operator name | Description | Example |
---|---|---|
Present | Checks whether a property is present (has a value) | Drift -eq * |
Absent | Checks whether a property is absent (has no value) | Drift -ne * |
Equal | Compares a property for equality | ResponseLength -eq 6 |
LessThanOrEqual | Checks whether a property is less than or equal to a value | Drift -le 4 |
GreaterThanOrEqual | Checks whether a property is greater than or equal to a value | Drift -ge 8 |
NotEqual | Compares a property for inequality | ResponseLength -ne 6 |
LessThan | Checks whether a property is less than a value | Drift -lt 15 |
GreaterThan | Checks whether a property is greater than a value | Drift -gt 16 |
Approx | Checks whether a property is approximately equal to a value | Model ~= R2D2 |
BinaryOr | Performs a bitwise OR comparison | Drift -bor 23 |
BinaryAnd | Performs a bitwise AND comparison | Drift -band 42 |
RecursiveMatch | Performs a recursive equality match | User -recursivematch 'cn=User,dc=example' |
Like | Wildcard comparison; * matches any sequence of characters | FriendlyName -like '*external' |
NotLike | Negated wildcard comparison with * | FriendlyName -notlike '*external' |
And | Joins two conditions; both must be true | Drift <= 23 -and HasPin == $true |
Or | Joins two conditions; either may be true | Drift >= 42 -or LockTime == * |
Not | Negates a condition | -not Algorithm == HotpSha1 |
The following examples show how to use the filters in common queries.

# Software tokens only
Get-SystoLockOathToken -Filter 'Class -eq Software'

# Count the tokens that have a Drift value, and the tokens that do not
Get-SystoLockOathToken -Filter 'Drift -eq *' | Measure-Object
Get-SystoLockOathToken -Filter 'Drift -ne *' | Measure-Object

# Tokens not used in the last 30 days. The filter string is single-quoted so that
# PowerShell does not expand $monthAgo itself; the variable is resolved by the module.
$monthAgo = [DateTime]::UtcNow.AddDays(-30)
Get-SystoLockOathToken -Filter 'LastTimeUsed -lt $monthAgo'

# Assignments of TOTP/SHA-256 tokens
Get-SystoLockOathTokenAssignment -Filter 'Algorithm == TotpSha256'

# TOTP/SHA-256 tokens that are not assigned to any user
Get-SystoLockOathToken -Filter 'Algorithm == TotpSha256 && User == $null'

# Manufacturer name starts with Sys (-like needs the * wildcard; without it the comparison is an equality test)
Get-SystoLockOathToken -Filter "Manufacturer -like 'Sys*'"

# Manufacturer name does not start with Sys
Get-SystoLockOathToken -Filter "Manufacturer -notlike 'Sys*'"

# Export the tokens that expire before 1 January 2026. The filter uses single quotes
# around the date, so the whole filter is put in double quotes.
Export-SystoLockOathToken -Filter "{ NotAfter < '2026-01-01' }" -File .\tokens-about-to-expire.pskcxml
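The examples above each answer one question. The following is an added example, not code from the SystoLOCK module, that combines them into a token hygiene report: one server-side filter per check, with every value passed through a PowerShell variable as the LastTimeUsed example does. The cmdlet and property names are the ones documented in this topic; the report layout, the default thresholds, and the names Get-OathTokenHygieneReport and Find-OathTokenForUser are assumptions of this example, as is the assumption that the module resolves a $variable in the scope of the function that calls the cmdlet.

```powershell
# Added example, not part of the SystoLOCK module. Cmdlets and property names come from
# this help topic; function names, thresholds and report layout are assumptions, as is
# the assumption that $variables in the filter are resolved in the calling function's scope.

function Get-OathTokenHygieneReport {
    [CmdletBinding()]
    param(
        [int]$StaleDays  = 90,    # tokens unused for longer than this are reported as stale
        [int]$ExpiryDays = 30,    # tokens whose NotAfter falls inside this window are reported as expiring
        [string]$ExportPath       # optional: file to export the expiring tokens to
    )

    $now        = [DateTime]::UtcNow
    $staleDate  = $now.AddDays(-$StaleDays)
    $expiryDate = $now.AddDays($ExpiryDays)

    # Every value goes in through a PowerShell variable inside a SINGLE-quoted string, so
    # the module receives the typed DateTime. With double quotes PowerShell would expand
    # the variable first and the server would get a locale-formatted date string instead.
    # Each filter uses at most one join operator, as the grammar in this topic allows.
    $checks = [ordered]@{
        'Unassigned'               = 'User -eq $null'
        'Software token, no PIN'   = 'Class -eq Software -and HasPin -eq $false'
        'Not used for a long time' = 'LastTimeUsed -lt $staleDate'
        'Not yet valid'            = 'NotBefore -gt $now'
        'Expired'                  = 'NotAfter -lt $now'
        'Expiring soon'            = 'NotAfter -ge $now -and NotAfter -lt $expiryDate'
        'Locked'                   = 'LockTime -eq *'
        'Disabled'                 = 'DisableTime -eq *'
    }

    foreach ($name in $checks.Keys) {
        $filter = $checks[$name]
        $tokens = @(Get-SystoLockOathToken -Filter $filter)   # filtering happens on the server
        [pscustomobject]@{
            Check  = $name
            Filter = $filter
            Count  = $tokens.Count
            Sample = (@($tokens | Select-Object -First 3 | ForEach-Object { $_.Identifier }) -join ', ')
        }
    }

    if ($ExportPath) {
        # Same filter as the 'Expiring soon' row, so the export matches the report.
        Export-SystoLockOathToken -Filter $checks['Expiring soon'] -File $ExportPath
    }
}

# Untrusted input (a name typed by an operator, a value copied from a ticket) is passed
# as a variable as well. Concatenated into the filter text it would become part of the
# filter syntax; as a variable it can only ever be a <Value> in the grammar above.
function Find-OathTokenForUser {
    param([Parameter(Mandatory)][string]$User)
    Get-SystoLockOathToken -Filter 'User -eq $User'
}

Get-OathTokenHygieneReport -StaleDays 60 -ExportPath .\expiring-tokens.pskcxml | Format-Table -AutoSize
```

Run the report on a schedule and alert on the 'Software token, no PIN' and 'Not used for a long time' rows: both are tokens that still authenticate but that nobody is watching. The 'Expiring soon' export gives the token administrator the list to re-issue before the NotAfter date passes.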