Create a live query

POST /api/osquery/live_queries

Create and run a live query.

application/json

Body (required)

Responses

  • 200 application/json

    OK

    Additional properties are allowed.

POST /api/osquery/live_queries
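# Create and run an osquery live query through the Kibana osquery API
# (POST /api/osquery/live_queries); the JSON body is the "Request examples"
# payload shown below.
# "query" / "queries" / "saved_query_id" / "pack_id" carry the osquery query
# to run and "agent_all", "agent_ids", "agent_platforms", "agent_policy_ids"
# select the target agents — "agent_all": true presumably fans the query out
# to every agent, so confirm the targeting fields before sending a real body.
# Kibana rejects non-GET API requests that lack the kbn-xsrf header, and the
# endpoint requires an authenticated caller: KIBANA_USER / KIBANA_PASSWORD
# are constructed placeholders for whatever credential source you use.
curl \
 --request POST https://localhost:5601/api/osquery/live_queries \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: true" \
 --user "$KIBANA_USER:$KIBANA_PASSWORD" \
 --data '{"agent_all":true,"agent_ids":["string"],"agent_platforms":["string"],"agent_policy_ids":["string"],"alert_ids":["string"],"case_ids":["string"],"ecs_mapping":{"additionalProperty1":{"field":"string","value":"string"},"additionalProperty2":{"field":"string","value":"string"}},"event_ids":["string"],"metadata":{},"pack_id":"string","queries":[{"ecs_mapping":{"additionalProperty1":{"field":"string","value":"string"},"additionalProperty2":{"field":"string","value":"string"}},"id":"string","platform":"string","query":"string","removed":true,"snapshot":true,"version":"string"}],"query":"string","saved_query_id":"string"}'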
Request examples
{
  "agent_all": true,
  "agent_ids": [
    "string"
  ],
  "agent_platforms": [
    "string"
  ],
  "agent_policy_ids": [
    "string"
  ],
  "alert_ids": [
    "string"
  ],
  "case_ids": [
    "string"
  ],
  "ecs_mapping": {
    "additionalProperty1": {
      "field": "string",
      "value": "string"
    },
    "additionalProperty2": {
      "field": "string",
      "value": "string"
    }
  },
  "event_ids": [
    "string"
  ],
  "metadata": {},
  "pack_id": "string",
  "queries": [
    {
      "ecs_mapping": {
        "additionalProperty1": {
          "field": "string",
          "value": "string"
        },
        "additionalProperty2": {
          "field": "string",
          "value": "string"
        }
      },
      "id": "string",
      "platform": "string",
      "query": "string",
      "removed": true,
      "snapshot": true,
      "version": "string"
    }
  ],
  "query": "string",
  "saved_query_id": "string"
}
Response examples (200)
{}