POST /api/osquery/packs
Api key auth

Spaces method and path for this operation:

post /s/{space_id}/api/osquery/packs

Refer to Spaces for more information.

Create a query pack.

application/json

Body Required

  • description string

    The pack description.

  • enabled boolean

    Enables the pack.

  • name string

    The pack name.

  • policy_ids array[string]

    A list of agents policy IDs.

  • queries object

    An object of queries.

    Hide queries attribute Show queries attribute object
    • * object Additional properties
      Hide * attributes Show * attributes object
      • ecs_mapping object

        Map osquery results columns or static values to Elastic Common Schema (ECS) fields

        Hide ecs_mapping attribute Show ecs_mapping attribute object
        • * object Additional properties
          Hide * attributes Show * attributes object
      • id string

        The ID of the query.

      • platform string

        Restricts the query to a specified platform. The default is all platforms. To specify multiple platforms, use commas. For example, linux,darwin.

      • query string

        The SQL query you want to run.

      • removed boolean

        Indicates whether the query is removed.

      • saved_query_id string

        The ID of a saved query.

      • snapshot boolean

        Indicates whether the query is a snapshot.

      • version string

        Uses the Osquery versions greater than or equal to the specified version string.

  • shards object

    An object with shard configuration for policies included in the pack. For each policy, set the shard configuration to a percentage (1–100) of target hosts.

    Hide shards attribute Show shards attribute object
    • * number Additional properties

Responses

  • 200 application/json

    Indicates a successful call.

    Hide response attribute Show response attribute object
    • data object Required
      Hide data attributes Show data attributes object
      • created_at string(date-time)

        The date and time the pack was created.

      • created_by string | null

        The user who created the pack.

      • created_by_profile_uid string

        The profile UID of the user who created the pack.

      • description string

        The pack description.

      • enabled boolean

        Enables the pack.

      • name string Required

        The pack name.

      • policy_ids array[string]

        A list of agents policy IDs.

      • queries object

        An object of queries.

        Hide queries attribute Show queries attribute object
        • * object Additional properties
          Hide * attributes Show * attributes object
          • ecs_mapping object

            Map osquery results columns or static values to Elastic Common Schema (ECS) fields

            Hide ecs_mapping attribute Show ecs_mapping attribute object
            • * object Additional properties
              Hide * attributes Show * attributes object
          • id string

            The ID of the query.

          • platform string

            Restricts the query to a specified platform. The default is all platforms. To specify multiple platforms, use commas. For example, linux,darwin.

          • query string

            The SQL query you want to run.

          • removed boolean

            Indicates whether the query is removed.

          • saved_query_id string

            The ID of a saved query.

          • snapshot boolean

            Indicates whether the query is a snapshot.

          • version string

            Uses the Osquery versions greater than or equal to the specified version string.

      • saved_object_id string Required

        The saved object ID of the pack.

      • shards array[object]

        Shard configuration as an array of key-value pairs.

        Hide shards attributes Show shards attributes object
        • key string
        • value number
      • updated_at string(date-time)

        The date and time the pack was last updated.

      • updated_by string | null

        The user who last updated the pack.

      • updated_by_profile_uid string

        The profile UID of the user who last updated the pack.

      • version integer

        The pack version number.
POST /api/osquery/packs 
curl \
 --request POST 'https://<KIBANA_URL>/api/osquery/packs' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '{"description":"My pack","enabled":true,"name":"my_pack","policy_ids":["my_policy_id","fleet-server-policy"],"queries":{"my_query":{"ecs_mapping":{"client.port":{"field":"port"},"tags":{"value":["tag1","tag2"]}},"interval":60,"query":"SELECT * FROM listening_ports;","timeout":120}},"shards":{"fleet-server-policy":58,"my_policy_id":35}}'