Create a saved query

POST /api/osquery/saved_queries

Api key auth

Spaces method and path for this operation:

post /s/{space_id}/api/osquery/saved_queries

Refer to Spaces for more information.

Create and save a query for later use.

application/json

Body Required

description string

The saved query description.
ecs_mapping object

Map osquery results columns or static values to Elastic Common Schema (ECS) fields
Hide ecs_mapping attribute Show ecs_mapping attribute object
- * object Additional properties
  Hide * attributes Show * attributes object
  
  field string
  
  The ECS field to map to.
  
  value string | array[string]
  
  The value to map to the ECS field.
  
  One of:
  string-1 string array-2 array[string]
id string

The ID of a saved query.
interval string

An interval, in seconds, on which to run the query.
platform string

Restricts the query to a specified platform. The default is all platforms. To specify multiple platforms, use commas. For example, linux,darwin.
query string

The SQL query you want to run.
removed boolean

Indicates whether the query is removed.
snapshot boolean

Indicates whether the query is a snapshot.
version string

Uses the Osquery versions greater than or equal to the specified version string.

Responses

200 application/json

Indicates a successful call.
Hide response attribute Show response attribute object
- data object Required
  
  Hide data attributes Show data attributes object
  
  created_at string(date-time)
  
  created_by string | null
  
  created_by_profile_uid string
  
  description string
  
  The saved query description.
  
  ecs_mapping object
  
  Map osquery results columns or static values to Elastic Common Schema (ECS) fields
  
  Hide ecs_mapping attribute Show ecs_mapping attribute object
  
  * object Additional properties
  
  Hide * attributes Show * attributes object
  
  field string
  
  The ECS field to map to.
  
  value string | array[string]
  
  The value to map to the ECS field.
  
  One of:
  string-1 string array-2 array[string]
  
  id string Required
  
  The ID of a saved query.
  
  interval integer | string
  
  An interval, in seconds, on which to run the query. May be returned as number or string.
  
  One of:
  integer-1 integer string-2 string
  
  platform string
  
  Restricts the query to a specified platform. The default is all platforms. To specify multiple platforms, use commas. For example, linux,darwin.
  
  prebuilt boolean
  
  Whether the saved query is prebuilt.
  
  query string
  
  The SQL query you want to run.
  
  removed boolean
  
  Indicates whether the query is removed.
  
  saved_object_id string Required
  
  The saved object ID of the saved query.
  
  snapshot boolean
  
  Indicates whether the query is a snapshot.
  
  timeout integer
  
  The query timeout in seconds.
  
  updated_at string(date-time)
  
  updated_by string | null
  
  updated_by_profile_uid string
  
  version integer | string
  
  The saved query version.
  
  One of:
  integer-1 integer string-2 string

POST /api/osquery/saved_queries

curl \
 --request POST 'https://<KIBANA_URL>/api/osquery/saved_queries' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '{"description":"Saved query description","ecs_mapping":{"host.uptime":{"field":"total_seconds"}},"id":"saved_query_id","interval":"60","platform":"linux,darwin","query":"select * from uptime;","timeout":120,"version":"2.8.0"}'

Create a saved query

Body Required

value string | array[string]

Responses

value string | array[string]

interval integer | string

version integer | string