Path parameters

• id string Required

  The ID of the pack to copy.

Responses

• 200 application/json

  Indicates a successful call.

  Hide response attribute Show response attribute object

  • data object Required
    Hide data attributes Show data attributes object

    • created_at string(date-time)
    • created_by string | null
    • created_by_profile_uid string
    • description string

      The pack description.

    • enabled boolean

      Enables the pack.

    • interval integer

      Pack-level interval, in seconds. Used when schedule_type is interval. Mutually exclusive with rrule_schedule.

      Minimum value is 1.

    • name string Required

      The pack name.

    • policy_ids array[string]

      A list of agents policy IDs.

    • queries array[object]

      Pack queries in saved-object storage format (array). Note: the read endpoint returns object format.

      Hide queries attributes Show queries attributes object

      • ecs_mapping array[object]

        ECS mapping in saved-object storage format (array of key-value pairs). The find and copy pack endpoints return this format. The read endpoint returns object format (ECSMapping).

        Hide ecs_mapping attributes Show ecs_mapping attributes object

        ECS mapping item in saved-object storage format (key-value pair).

        • key string

          The ECS field name.

        • value object Additional properties
          Hide value attributes Show value attributes object

          • field string

            The ECS field to map to.

          • value string | array[string]

            The value to map to the ECS field.

            One of:

            string-1 string array-2 array[string]
      • id string
      • interval integer
      • platform string
      • query string
      • removed boolean
      • rrule_schedule object

        RRULE schedule configuration consumed by osquerybeat. Loose date forms like "2024-01-01" are rejected with 400. DTSTART is NOT embedded in rrule; the separate start_date field is the schedule anchor.

        Hide rrule_schedule attributes Show rrule_schedule attributes object

        • end_date string(date-time)

          Optional RFC 3339 datetime string for the schedule's end. MUST be after start_date.

          Maximum length is 64.

        • rrule string Required

          Fully serialized RFC 5545 RRULE string (e.g. "FREQ=WEEKLY;BYDAY=MO,WE,FR"). The Kibana UI writes only a subset of parts — FREQ, INTERVAL, BYDAY, BYMONTHDAY, BYMONTH — but the server accepts and round-trips any well-formed parts (other recognized parts like BYHOUR, BYMINUTE, BYSETPOS, WKST, COUNT, UNTIL are preserved verbatim).

          Maximum length is 2048.

        • splay string

          Optional Go duration string for splay (random execution delay), e.g. "30s", "5m", "1h". The Kibana form writes single-unit values only; compound durations ("1h30m") are tolerated on read for round-trip safety with osquerybeat's writer. Maximum 12 hours (43200 seconds).

          Maximum length is 64.

        • start_date string(date-time) Required

          RFC 3339 datetime string for the schedule's start.

          Maximum length is 64.

        • timeout number

          Optional query execution timeout, in seconds. Defaults to 60 in osquerybeat when unset.

      • schedule_type string

        Discriminator for the pack's schedule mode. interval uses native osqueryd interval scheduling (seconds). rrule uses osquerybeat's RRULE-based recurrence scheduling. Per-query overrides MUST use the same mode as the pack — cross-mode overrides are rejected with 400.

        Values are interval or rrule.

      • snapshot boolean
      • timeout integer
      • version string
    • rrule_schedule object

      RRULE schedule configuration consumed by osquerybeat. Loose date forms like "2024-01-01" are rejected with 400. DTSTART is NOT embedded in rrule; the separate start_date field is the schedule anchor.

      Hide rrule_schedule attributes Show rrule_schedule attributes object

      • end_date string(date-time)

        Optional RFC 3339 datetime string for the schedule's end. MUST be after start_date.

        Maximum length is 64.

      • rrule string Required

        Fully serialized RFC 5545 RRULE string (e.g. "FREQ=WEEKLY;BYDAY=MO,WE,FR"). The Kibana UI writes only a subset of parts — FREQ, INTERVAL, BYDAY, BYMONTHDAY, BYMONTH — but the server accepts and round-trips any well-formed parts (other recognized parts like BYHOUR, BYMINUTE, BYSETPOS, WKST, COUNT, UNTIL are preserved verbatim).

        Maximum length is 2048.

      • splay string

        Optional Go duration string for splay (random execution delay), e.g. "30s", "5m", "1h". The Kibana form writes single-unit values only; compound durations ("1h30m") are tolerated on read for round-trip safety with osquerybeat's writer. Maximum 12 hours (43200 seconds).

        Maximum length is 64.

      • start_date string(date-time) Required

        RFC 3339 datetime string for the schedule's start.

        Maximum length is 64.

      • timeout number

        Optional query execution timeout, in seconds. Defaults to 60 in osquerybeat when unset.

    • saved_object_id string Required

      The saved object ID of the copied pack.

    • schedule_type string

      Discriminator for the pack's schedule mode. interval uses native osqueryd interval scheduling (seconds). rrule uses osquerybeat's RRULE-based recurrence scheduling. Per-query overrides MUST use the same mode as the pack — cross-mode overrides are rejected with 400.

      Values are interval or rrule.

    • shards array[object]

      Shard configuration as an array of key-value pairs.

      Hide shards attributes Show shards attributes object

      • key string
      • value number
    • updated_at string(date-time)
    • updated_by string | null
    • updated_by_profile_uid string
    • version integer

      The pack version number.