GET /api/osquery/packs

Spaces method and path for this operation:

get /s/{space_id}/api/osquery/packs

Refer to Spaces for more information.

Get a list of all query packs.

Query parameters

  • page integer | null

    The page number to return.

  • pageSize integer | null

    The number of results to return per page.

  • sort string | null

    The field to sort results by.

    Default value is createdAt.

  • sortOrder string

    The sort order.

    Values are asc or desc.

Responses

  • 200 application/json

    Indicates a successful call.

    Response attributes (object):
    • data array[object] Required

      An array of pack objects.

      data attributes (object):
      • created_at string(date-time)
      • created_by string | null
      • created_by_profile_uid string
      • description string

        The pack description.

      • enabled boolean

        Whether the pack is enabled.

      • interval integer

        Pack-level interval, in seconds. Used when schedule_type is interval. Mutually exclusive with rrule_schedule.

        Minimum value is 1.

      • name string Required

        The pack name.

      • policy_ids array[string]

        A list of agent policy IDs (the Fleet agent policies the pack is assigned to).

      • queries array[object]

        Pack queries in saved-object storage format (an array of query objects, each carrying its own id). Note: the read endpoint for a single pack returns the queries in object format, keyed by query id.

        queries attributes (object):
        • ecs_mapping array[object]

          ECS mapping in saved-object storage format (array of key-value pairs). The find and copy pack endpoints return this format. The read endpoint returns object format (ECSMapping).

          ecs_mapping item attributes (object):

          ECS mapping item in saved-object storage format (key-value pair).

          • key string

            The ECS field name.

          • value object

            The mapping value (an object; additional properties are allowed).
        • id string
        • interval integer
        • platform string
        • query string
        • removed boolean
        • rrule_schedule object

          Per-query RRULE schedule override, consumed by osquerybeat. Loose date forms like "2024-01-01" are rejected with 400 by the create and update endpoints. DTSTART is NOT embedded in rrule; the separate start_date field is the schedule anchor.

          rrule_schedule attributes (object):
          • end_date string(date-time)

            Optional RFC 3339 datetime string for the schedule's end. MUST be after start_date.

            Maximum length is 64.

          • rrule string Required

            Fully serialized RFC 5545 RRULE string (e.g. "FREQ=WEEKLY;BYDAY=MO,WE,FR"). The Kibana UI writes only a subset of parts — FREQ, INTERVAL, BYDAY, BYMONTHDAY, BYMONTH — but the server accepts and round-trips any well-formed parts (other recognized parts like BYHOUR, BYMINUTE, BYSETPOS, WKST, COUNT, UNTIL are preserved verbatim).

            Maximum length is 2048.

          • splay string

            Optional Go duration string for splay (random execution delay), e.g. "30s", "5m", "1h". The Kibana form writes single-unit values only; compound durations ("1h30m") are tolerated on read for round-trip safety with osquerybeat's writer. Maximum 12 hours (43200 seconds).

            Maximum length is 64.

          • start_date string(date-time) Required

            RFC 3339 datetime string for the schedule's start.

            Maximum length is 64.

          • timeout number

            Optional query execution timeout, in seconds. Defaults to 60 in osquerybeat when unset.

        • schedule_type string

          Schedule mode for this query. It MUST match the pack's schedule_type: interval uses native osqueryd interval scheduling (seconds), rrule uses osquerybeat's RRULE-based recurrence scheduling, and a per-query override in the other mode is rejected with 400.

          Values are interval or rrule.

        • snapshot boolean
        • timeout integer
        • version string
      • read_only boolean

        Whether the pack is read-only (true for prebuilt packs).

      • rrule_schedule object

        Pack-level RRULE schedule configuration, consumed by osquerybeat. Loose date forms like "2024-01-01" are rejected with 400 by the create and update endpoints. DTSTART is NOT embedded in rrule; the separate start_date field is the schedule anchor.

        rrule_schedule attributes (object):
        • end_date string(date-time)

          Optional RFC 3339 datetime string for the schedule's end. MUST be after start_date.

          Maximum length is 64.

        • rrule string Required

          Fully serialized RFC 5545 RRULE string (e.g. "FREQ=WEEKLY;BYDAY=MO,WE,FR"). The Kibana UI writes only a subset of parts — FREQ, INTERVAL, BYDAY, BYMONTHDAY, BYMONTH — but the server accepts and round-trips any well-formed parts (other recognized parts like BYHOUR, BYMINUTE, BYSETPOS, WKST, COUNT, UNTIL are preserved verbatim).

          Maximum length is 2048.

        • splay string

          Optional Go duration string for splay (random execution delay), e.g. "30s", "5m", "1h". The Kibana form writes single-unit values only; compound durations ("1h30m") are tolerated on read for round-trip safety with osquerybeat's writer. Maximum 12 hours (43200 seconds).

          Maximum length is 64.

        • start_date string(date-time) Required

          RFC 3339 datetime string for the schedule's start.

          Maximum length is 64.

        • timeout number

          Optional query execution timeout, in seconds. Defaults to 60 in osquerybeat when unset.

      • saved_object_id string Required

        The saved object ID of the pack.

      • schedule_type string

        Discriminator for the pack's schedule mode. interval uses native osqueryd interval scheduling (seconds). rrule uses osquerybeat's RRULE-based recurrence scheduling. Per-query overrides MUST use the same mode as the pack — cross-mode overrides are rejected with 400.

        Values are interval or rrule.

      • updated_at string(date-time)
      • updated_by string | null
      • updated_by_profile_uid string
      • version integer

        The pack version number.

    • page integer Required

      The current page number.

    • per_page integer Required

      The number of results per page (the value of the pageSize query parameter).

    • total integer Required

      The total number of packs.
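
The schedule constraints spelled out above (strict RFC 3339 dates, end_date after start_date, an RRULE built only from the documented parts with no embedded DTSTART, a Go-duration splay capped at 12 hours, interval at least 1, and per-query overrides in the same mode as the pack) can be checked on the client before a pack fetched from this endpoint is written back through the create or update endpoints. The script below is an added example, not Kibana's own validation; the two sample packs are constructed, the Go-duration parser covers only the h/m/s units the page shows, and treating a pack with no schedule_type as interval-scheduled is an assumption.

```python
"""Client-side lint mirroring the schedule constraints documented above (added example, not Kibana code)."""
import re
from datetime import datetime

# RRULE parts the docs say the server accepts and round-trips. DTSTART is deliberately absent:
# the separate start_date field is the schedule anchor, so an embedded DTSTART is rejected here.
RRULE_PARTS = {"FREQ", "INTERVAL", "BYDAY", "BYMONTHDAY", "BYMONTH", "BYHOUR",
               "BYMINUTE", "BYSETPOS", "WKST", "COUNT", "UNTIL"}
FREQS = {"SECONDLY", "MINUTELY", "HOURLY", "DAILY", "WEEKLY", "MONTHLY", "YEARLY"}
MAX_SPLAY_SECONDS = 43200  # documented 12-hour cap
# Strict RFC 3339 (date, 'T', time, optional fraction, zone); "2024-01-01" fails this although
# datetime.fromisoformat() alone would accept it.
_RFC3339 = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d{3}|\.\d{6})?(?:Z|[+-]\d{2}:\d{2})$")
_GO_UNIT = re.compile(r"(\d+(?:\.\d+)?)([hms])")  # h/m/s: the units the docs show (assumption)
_UNIT_SECONDS = {"h": 3600.0, "m": 60.0, "s": 1.0}

def parse_rfc3339(text):
    if not isinstance(text, str) or len(text) > 64 or not _RFC3339.match(text):
        raise ValueError(f"not an RFC 3339 datetime: {text!r}")
    return datetime.fromisoformat(text.replace("Z", "+00:00"))

def parse_go_duration(text):
    """Seconds in a Go duration string; compound forms such as '1h30m' are accepted."""
    total, pos = 0.0, 0
    while pos < len(text):
        m = _GO_UNIT.match(text, pos)
        if not m:
            raise ValueError(f"invalid Go duration: {text!r}")
        total, pos = total + float(m.group(1)) * _UNIT_SECONDS[m.group(2)], m.end()
    return total

def parse_rrule(text):
    """Split 'FREQ=WEEKLY;BYDAY=MO,WE,FR' into parts, rejecting unknown or malformed ones."""
    if not isinstance(text, str) or not 0 < len(text) <= 2048:
        raise ValueError("rrule is required and limited to 2048 characters")
    parts = {}
    for piece in text.split(";"):
        key, sep, value = piece.partition("=")
        if not sep or not value or key.upper() not in RRULE_PARTS or key.upper() in parts:
            raise ValueError(f"unsupported or malformed RRULE part: {piece!r}")
        parts[key.upper()] = value
    if parts.get("FREQ") not in FREQS:
        raise ValueError("RRULE needs a valid FREQ part")
    return parts

def validate_rrule_schedule(schedule):
    """Problems with one rrule_schedule object; an empty list means it would pass."""
    errors, parsed = [], {}
    try:
        parse_rrule(schedule.get("rrule"))
    except ValueError as e:
        errors.append(str(e))
    for field in ("start_date", "end_date"):
        if field == "start_date" or field in schedule:  # start_date required, end_date optional
            try:
                parsed[field] = parse_rfc3339(schedule.get(field))
            except ValueError as e:
                errors.append(f"{field}: {e}")
    if len(parsed) == 2 and parsed["end_date"] <= parsed["start_date"]:
        errors.append("end_date must be after start_date")
    try:
        if "splay" in schedule and parse_go_duration(schedule["splay"]) > MAX_SPLAY_SECONDS:
            errors.append(f"splay {schedule['splay']!r} exceeds the 12-hour maximum")
    except ValueError as e:
        errors.append(str(e))
    return errors

def validate_pack_schedules(pack):
    """Lint the pack-level schedule and every per-query override of one pack from this endpoint."""
    # Assumption: a pack with no schedule_type is interval-scheduled unless it carries rrule_schedule.
    mode = pack.get("schedule_type") or ("rrule" if "rrule_schedule" in pack else "interval")
    errors = []
    if mode == "rrule":
        if "interval" in pack:
            errors.append("interval is mutually exclusive with rrule_schedule")
        errors += [f"pack rrule_schedule: {e}" for e in validate_rrule_schedule(pack.get("rrule_schedule") or {})]
    else:  # interval, the only other documented mode
        if "rrule_schedule" in pack:
            errors.append("rrule_schedule is not allowed when schedule_type is interval")
        if "interval" in pack and not (isinstance(pack["interval"], int) and pack["interval"] >= 1):
            errors.append("interval must be an integer >= 1")
    for q in pack.get("queries", []):
        qid = q.get("id", "?")
        if q.get("schedule_type", mode) != mode:  # cross-mode override: the write endpoints answer 400
            errors.append(f"query {qid}: schedule_type {q['schedule_type']!r} differs from pack mode {mode!r}")
        elif "rrule_schedule" in q:
            errors += [f"query {qid} rrule_schedule: {e}" for e in validate_rrule_schedule(q["rrule_schedule"])]
    return errors

# Constructed samples, not real packs: one clean rrule pack and one carrying four faults.
GOOD_PACK = {
    "name": "weekly_ports", "schedule_type": "rrule",
    "rrule_schedule": {"rrule": "FREQ=WEEKLY;BYDAY=MO,WE,FR", "start_date": "2025-03-03T08:00:00Z",
                       "end_date": "2025-12-31T23:59:59Z", "splay": "1h30m"},
    "queries": [{"id": "ports", "query": "SELECT * FROM listening_ports;", "schedule_type": "rrule",
                 "rrule_schedule": {"rrule": "FREQ=DAILY;BYHOUR=9", "start_date": "2025-03-03T08:00:00Z"}}],
}
BAD_PACK = {
    "name": "broken", "schedule_type": "rrule",
    "rrule_schedule": {"rrule": "FREQ=WEEKLY;DTSTART=20250303T080000Z",   # embedded DTSTART
                       "start_date": "2025-03-03", "splay": "13h"},         # loose date, splay > 12h
    "queries": [{"id": "procs", "query": "SELECT * FROM processes;",
                 "schedule_type": "interval", "interval": 60}],            # cross-mode override
}
```

Running `validate_pack_schedules` over each pack returned by this endpoint before re-submitting it surfaces exactly the conditions the write endpoints would refuse with 400, with one message per fault instead of a single rejected request.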

GET /api/osquery/packs
curl \
 --request GET 'https://<KIBANA_URL>/api/osquery/packs' \
 --header "Authorization: $API_KEY"
Response examples (200)
{
  "data": [
    {
      "created_at": "2025-02-26T13:37:30.452Z",
      "created_by": "elastic",
      "description": "My pack",
      "enabled": true,
      "name": "my_pack",
      "queries": [
        {
          "id": "ports",
          "interval": 60,
          "query": "SELECT * FROM listening_ports;",
          "removed": false,
          "snapshot": true,
          "timeout": 120
        }
      ],
      "saved_object_id": "1c266590-381f-428c-878f-c80c1334f856",
      "updated_at": "2025-02-26T13:37:30.452Z",
      "updated_by": "elastic",
      "version": 1
    }
  ],
  "page": 1,
  "per_page": 20,
  "total": 1
}
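
Putting the query parameters and the response envelope together, the script below pages through every pack with page/pageSize until the returned total is reached, normalises each query's array-form ecs_mapping into the object form the read endpoint uses, and reduces each pack to the fields an auditor cares about: assignment (policy_ids), state (enabled, read_only, schedule_type) and what is being collected. It is an added example, not Kibana or Elastic code; the three-pack dataset is constructed, `fake_fetcher` stands in for the network, and `kibana_fetcher` (which sends the key using Kibana's `Authorization: ApiKey ...` scheme) is provided for live use but never invoked here. Treating a pack without schedule_type as interval-scheduled is an assumption.

```python
"""Walk every page of GET /api/osquery/packs and summarise the packs for an audit.
Added example, not Kibana or Elastic code; the dataset at the bottom is constructed."""
import json
from urllib.parse import urlencode
from urllib.request import Request, urlopen

def packs_url(base_url, page, page_size, sort="createdAt", sort_order="asc", space_id=None):
    """Build the request URL, using the Spaces form of the path when a space_id is given."""
    path = f"/s/{space_id}/api/osquery/packs" if space_id else "/api/osquery/packs"
    query = urlencode({"page": page, "pageSize": page_size, "sort": sort, "sortOrder": sort_order})
    return f"{base_url.rstrip('/')}{path}?{query}"

def kibana_fetcher(base_url, api_key, space_id=None):
    """Page fetcher for a live Kibana; not called by the offline demo below."""
    def fetch(page, page_size, sort, sort_order):
        req = Request(packs_url(base_url, page, page_size, sort, sort_order, space_id),
                      headers={"Authorization": f"ApiKey {api_key}"})  # Kibana's API-key scheme
        with urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return fetch

def iter_packs(fetch, page_size=20, sort="createdAt", sort_order="asc"):
    """Yield every pack, stopping on the response's own total (or an empty page) rather than guessing."""
    page, seen = 1, 0
    while True:
        body = fetch(page, page_size, sort, sort_order)
        yield from body["data"]
        seen += len(body["data"])
        if not body["data"] or seen >= body["total"]:
            return
        page += 1

def ecs_mapping_to_object(items):
    """Turn this endpoint's array-of-{key,value} ECS mapping into the read endpoint's keyed object."""
    return {item["key"]: item["value"] for item in items or []}

def summarize_packs(packs):
    """One audit row per pack: where it is assigned, whether it runs, and what it maps into ECS."""
    rows = []
    for p in packs:
        live = [q for q in p.get("queries", []) if not q.get("removed")]
        rows.append({
            "name": p["name"],
            "saved_object_id": p["saved_object_id"],
            "enabled": bool(p.get("enabled")),
            "read_only": bool(p.get("read_only")),
            "schedule_type": p.get("schedule_type", "interval"),  # assumption: unset means interval
            "policy_ids": sorted(p.get("policy_ids") or []),
            "active_queries": len(live),
            "ecs_fields": sorted({f for q in live for f in ecs_mapping_to_object(q.get("ecs_mapping"))}),
        })
    return rows

# Constructed dataset standing in for a Kibana with three packs, served two per page.
SAMPLE_PACKS = [
    {"name": "my_pack", "saved_object_id": "1c266590-381f-428c-878f-c80c1334f856", "enabled": True,
     "policy_ids": ["default"], "queries": [
         {"id": "ports", "interval": 60, "query": "SELECT * FROM listening_ports;", "removed": False,
          "ecs_mapping": [{"key": "destination.port", "value": {"field": "port"}}]}]},
    {"name": "prebuilt", "saved_object_id": "a1", "enabled": False, "read_only": True, "queries": [
         {"id": "old", "query": "SELECT 1;", "removed": True}]},
    {"name": "rrule_pack", "saved_object_id": "b2", "enabled": True, "schedule_type": "rrule",
     "policy_ids": ["servers", "default"], "queries": []},
]

def fake_fetcher(packs):
    """Serve a pack list in the documented page/per_page/total envelope (no sorting applied)."""
    def fetch(page, page_size, sort, sort_order):
        start = (page - 1) * page_size
        return {"data": packs[start:start + page_size], "page": page, "per_page": page_size, "total": len(packs)}
    return fetch

if __name__ == "__main__":
    for row in summarize_packs(iter_packs(fake_fetcher(SAMPLE_PACKS), page_size=2)):
        print(json.dumps(row))
```

Against a live instance, replace `fake_fetcher(SAMPLE_PACKS)` with `kibana_fetcher("https://<KIBANA_URL>", api_key, space_id="<space>")`; the response's `total` is what terminates the walk, so a pack added between two page requests can still be missed, which is why an audit should pin `sort`/`sortOrder` and re-run rather than trust one pass.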