Create a live query

POST /api/osquery/live_queries

Api key auth

Spaces method and path for this operation:

post /s/{space_id}/api/osquery/live_queries

Refer to Spaces for more information.

Create and run a live query.

application/json

Body Required

agent_all boolean

When true, the query runs on all agents.
agent_ids array[string]

A list of agent IDs to run the query on.
agent_platforms array[string]

A list of agent platforms to run the query on.
agent_policy_ids array[string]

A list of agent policy IDs to run the query on.
alert_ids array[string]

A list of alert IDs associated with the live query.
case_ids array[string]

A list of case IDs associated with the live query.
ecs_mapping object

Map osquery results columns or static values to Elastic Common Schema (ECS) fields
Hide ecs_mapping attribute Show ecs_mapping attribute object
- * object Additional properties
  Hide * attributes Show * attributes object
  
  field string
  
  The ECS field to map to.
  
  value string | array[string]
  
  The value to map to the ECS field.
  
  One of:
  string-1 string array-2 array[string]
event_ids array[string]

A list of event IDs associated with the live query.
metadata object | null

Custom metadata object associated with the live query.
pack_id string

The ID of the pack.
queries array[object]

An array of queries to run.
Hide queries attributes Show queries attributes object
- ecs_mapping object
  
  Map osquery results columns or static values to Elastic Common Schema (ECS) fields
  Hide ecs_mapping attribute Show ecs_mapping attribute object
  
  * object Additional properties
  
  Hide * attributes Show * attributes object
  
  field string
  
  The ECS field to map to.
  
  value string | array[string]
  
  The value to map to the ECS field.
  
  One of:
  string-1 string array-2 array[string]
- id string
  
  The ID of the query.
- platform string
  
  Restricts the query to a specified platform. The default is all platforms. To specify multiple platforms, use commas. For example, linux,darwin.
- query string
  
  The SQL query you want to run.
- removed boolean
  
  Indicates whether the query is removed.
- snapshot boolean
  
  Indicates whether the query is a snapshot.
- version string
  
  Uses the Osquery versions greater than or equal to the specified version string.
query string

The SQL query you want to run.
saved_query_id string

The ID of a saved query.

Responses

200 application/json

Indicates a successful call.
Hide response attribute Show response attribute object
- data object Required
  
  Hide data attributes Show data attributes object
  
  @timestamp string(date-time)
  
  The timestamp when the action was created.
  
  action_id string Required
  
  The ID of the action.
  
  agent_all boolean
  
  Whether the query targets all agents.
  
  agent_ids array[string]
  
  The agent IDs targeted by the action.
  
  agent_platforms array[string]
  
  The agent platforms targeted.
  
  agent_policy_ids array[string]
  
  The agent policy IDs targeted.
  
  agents array[string]
  
  The resolved list of agent IDs.
  
  expiration string(date-time)
  
  The expiration date of the action.
  
  input_type string
  
  The input type.
  
  metadata object
  
  Custom metadata associated with the action.
  
  pack_id string
  
  The pack ID if the query was run from a pack.
  
  queries array[object]
  
  The queries in this action.
  
  Hide queries attributes Show queries attributes object
  
  action_id string
  
  agents array[string]
  
  ecs_mapping object
  
  Map osquery results columns or static values to Elastic Common Schema (ECS) fields
  
  Hide ecs_mapping attribute Show ecs_mapping attribute object
  
  * object Additional properties
  
  Hide * attributes Show * attributes object
  
  field string
  
  The ECS field to map to.
  
  value string | array[string]
  
  The value to map to the ECS field.
  
  One of:
  string-1 string array-2 array[string]
  
  id string
  
  platform string
  
  query string
  
  saved_query_id string
  
  timeout integer
  
  version string
  
  type string
  
  The action type.
  
  user_id string
  
  The user who created the action.

POST /api/osquery/live_queries

curl \
 --request POST 'https://<KIBANA_URL>/api/osquery/live_queries' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '{"agent_all":true,"ecs_mapping":{"host.uptime":{"field":"total_seconds"}},"query":"select * from uptime;"}'

Request examples

{
  "agent_all": true,
  "ecs_mapping": {
    "host.uptime": {
      "field": "total_seconds"
    }
  },
  "query": "select * from uptime;"
}

{
  "agent_ids": [
    "16d7caf5-efd2-4212-9b62-73dafc91fa13"
  ],
  "query": "select * from processes;"
}

Response examples (200)

{
  "data": {
    "@timestamp": "2022-07-26T09:59:32.220Z",
    "action_id": "3c42c847-eb30-4452-80e0-728584042334",
    "agent_all": true,
    "agents": [
      "16d7caf5-efd2-4212-9b62-73dafc91fa13"
    ],
    "expiration": "2022-07-26T10:04:32.220Z",
    "input_type": "osquery",
    "queries": [
      {
        "action_id": "609c4c66-ba3d-43fa-afdd-53e244577aa0",
        "agents": [
          "16d7caf5-efd2-4212-9b62-73dafc91fa13"
        ],
        "id": "6724a474-cbba-41ef-a1aa-66aebf0879e2",
        "query": "select * from uptime;",
        "timeout": 120
      }
    ],
    "type": "INPUT_ACTION",
    "user_id": "elastic"
  }
}

Create a live query

Body Required

value string | array[string]

value string | array[string]

Responses

value string | array[string]