Copy a pack

Generally available; Added in 9.4.0

POST /api/osquery/packs/{id}/copy

Spaces method and path for this operation:

POST /s/{space_id}/api/osquery/packs/{id}/copy

Refer to Spaces for more information.

Create a copy of a query pack with a unique name by appending a _copy suffix. If the name already exists, a numeric suffix is added (e.g., _copy_2). The copied pack is always created with enabled set to false.

Path parameters

  • id string Required

    The ID of the pack to copy.

Responses

  • 200 application/json

    Indicates a successful call.

    • data object Required
      • created_at string(date-time)
      • created_by string | null
      • created_by_profile_uid string
      • description string

        The pack description.

      • enabled boolean

        Enables the pack.

      • name string Required

        The pack name.

      • policy_ids array[string]

        A list of agent policy IDs.

      • queries array[object]

        Pack queries in saved-object storage format (array). Note: the read endpoint returns object format.

        • ecs_mapping array[object]

          ECS mapping in saved-object storage format (array of key-value pairs). The find and copy pack endpoints return this format. The read endpoint returns object format (ECSMapping).

          ECS mapping item in saved-object storage format (key-value pair).

          • key string

            The ECS field name.

          • value object Additional properties
        • id string
        • interval integer
        • platform string
        • query string
        • removed boolean
        • snapshot boolean
        • timeout integer
        • version string
      • saved_object_id string Required

        The saved object ID of the copied pack.

      • shards array[object]

        Shard configuration as an array of key-value pairs.

        • key string
        • value number
      • updated_at string(date-time)
      • updated_by string | null
      • updated_by_profile_uid string
      • version integer

        The pack version number.


POST /api/osquery/packs/{id}/copy

curl \
 --request POST 'https://localhost:5601/api/osquery/packs/3c42c847-eb30-4452-80e0-728584042334/copy' \
 --header "Authorization: $API_KEY" \
 --header "kbn-xsrf: true"

Response examples (200)

{
  "data": {
    "created_at": "2025-02-26T13:37:30.452Z",
    "created_by": "elastic",
    "description": "My pack",
    "enabled": false,
    "name": "my_pack_copy",
    "policy_ids": [],
    "queries": [
      {
        "ecs_mapping": [
          {
            "key": "client.port",
            "value": {
              "field": "port"
            }
          }
        ],
        "id": "ports",
        "interval": 60,
        "query": "SELECT * FROM listening_ports;",
        "removed": false,
        "snapshot": true,
        "timeout": 120
      }
    ],
    "saved_object_id": "1c266590-381f-428c-878f-c80c1334f856",
    "shards": [],
    "updated_at": "2025-02-26T13:37:30.452Z",
    "updated_by": "elastic"
  }
}
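
Added example (not part of the Kibana documentation): a Python sketch that checks a copy response against the behaviour described above (disabled, _copy suffix) and converts the array-format queries and ecs_mapping into an object format. The object shape used here (queries keyed by id, ecs_mapping keyed by ECS field name) is an assumption, since this page only names the format; the function names are hypothetical and the sample is a trimmed copy of the response above.

```python
import json
import re

# Constructed sample: trimmed copy of the 200 response shown on this page.
SAMPLE_RESPONSE = json.loads("""
{"data": {"enabled": false, "name": "my_pack_copy", "policy_ids": [],
  "queries": [{"ecs_mapping": [{"key": "client.port", "value": {"field": "port"}}],
               "id": "ports", "interval": 60,
               "query": "SELECT * FROM listening_ports;",
               "removed": false, "snapshot": true, "timeout": 120}],
  "saved_object_id": "1c266590-381f-428c-878f-c80c1334f856", "shards": []}}
""")

COPY_SUFFIX = re.compile(r"_copy(_\d+)?$")  # _copy, or _copy_2, _copy_3, ...


def pairs_to_object(pairs):
    """Turn [{"key": k, "value": v}, ...] into {k: v}, rejecting duplicate keys."""
    out = {}
    for item in pairs or []:
        if item["key"] in out:
            raise ValueError(f"duplicate key in storage array: {item['key']!r}")
        out[item["key"]] = item["value"]
    return out


def queries_to_object(queries):
    """Assumed object format: queries keyed by id, ecs_mapping keyed by ECS field."""
    result = {}
    for q in queries or []:
        if q["id"] in result:
            raise ValueError(f"duplicate query id: {q['id']!r}")
        body = {k: v for k, v in q.items() if k not in ("id", "ecs_mapping")}
        if q.get("ecs_mapping"):
            body["ecs_mapping"] = pairs_to_object(q["ecs_mapping"])
        result[q["id"]] = body
    return result


def check_copy(response):
    """Return a list of deviations from the documented copy behaviour."""
    data, problems = response["data"], []
    if data.get("enabled") is not False:
        problems.append("copied pack is not disabled")
    if not COPY_SUFFIX.search(data.get("name", "")):
        problems.append("name lacks the _copy suffix")
    return problems
```

A duplicate key or query id in the storage array would silently overwrite an entry in a plain dict conversion, so both helpers raise instead.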