GET /api/osquery/packs

Spaces method and path for this operation:

GET /s/{space_id}/api/osquery/packs

Refer to Spaces for more information.

Get a list of all query packs.

Query parameters

  • page integer | null

    The page number to return.

  • pageSize integer | null

    The number of results to return per page.

  • sort string | null

    The field to sort results by.

    Default value is createdAt.

  • sortOrder string

    The sort order.

    Values are asc or desc.

Responses

  • 200 application/json

    Indicates a successful call.

    • data array[object] Required

      An array of pack objects.

      • created_at string(date-time)
      • created_by string | null
      • created_by_profile_uid string
      • description string

        The pack description.

      • enabled boolean

        Enables the pack.

      • name string Required

        The pack name.

      • policy_ids array[string]

        A list of agent policy IDs.

      • queries array[object]

        Pack queries in saved-object storage format (array). Note: the read endpoint returns object format.

        • ecs_mapping array[object]

          ECS mapping in saved-object storage format (array of key-value pairs). The find and copy pack endpoints return this format. The read endpoint returns object format (ECSMapping).

          ECS mapping item in saved-object storage format (key-value pair).

          • key string

            The ECS field name.

          • value object Additional properties
        • id string
        • interval integer
        • platform string
        • query string
        • removed boolean
        • snapshot boolean
        • timeout integer
        • version string
      • read_only boolean

        Whether the pack is read-only (true for prebuilt packs).

      • saved_object_id string Required

        The saved object ID of the pack.

      • updated_at string(date-time)
      • updated_by string | null
      • updated_by_profile_uid string
      • version integer

        The pack version number.

    • page integer Required

      The current page number.

    • per_page integer Required

      The number of results per page.

    • total integer Required

      The total number of packs.

GET /api/osquery/packs
curl \
 --request GET 'https://<KIBANA_URL>/api/osquery/packs' \
 --header "Authorization: $API_KEY"
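
Added example (not part of the Kibana documentation): a client-side sketch that pages through this endpoint with page and pageSize until total is reached, converts the array-format queries and ecs_mapping into objects, and lists enabled packs that are not prebuilt for review. Assumptions: fetch_page is a hypothetical callable that performs the GET with the given query parameters, pages are numbered from 1, the object format keys queries by their id, and the sample packs are constructed.

```python
def ecs_array_to_object(items):
    """[{'key': k, 'value': v}, ...] -> {k: v}."""
    return {item["key"]: item.get("value", {}) for item in items or []}

def normalize_pack(pack):
    """Copy a list-endpoint pack, keying queries by id (assumed object format)."""
    queries = {}
    for q in pack.get("queries") or []:
        body = {k: v for k, v in q.items() if k not in ("id", "ecs_mapping")}
        if q.get("ecs_mapping"):
            body["ecs_mapping"] = ecs_array_to_object(q["ecs_mapping"])
        queries[q["id"]] = body
    return {**pack, "queries": queries}

def iter_packs(fetch_page, page_size=20):
    """Request pages until `total` packs have been seen (page 1 first: assumption)."""
    page, seen = 1, 0
    while True:
        resp = fetch_page({"page": page, "pageSize": page_size,
                           "sort": "createdAt", "sortOrder": "asc"})
        yield from map(normalize_pack, resp["data"])
        seen += len(resp["data"])
        # An empty page also stops the loop, so a shrinking total cannot spin forever.
        if not resp["data"] or seen >= resp["total"]:
            return
        page += 1

def custom_enabled_packs(packs):
    """Names of enabled packs that are not prebuilt (read_only false or absent)."""
    return [p["name"] for p in packs if p.get("enabled") and not p.get("read_only")]

# Constructed sample packs standing in for a Kibana response (not real output).
SAMPLE = [
    {"saved_object_id": "so-1", "name": "prebuilt-pack", "enabled": True,
     "read_only": True, "policy_ids": ["policy-a"], "queries": []},
    {"saved_object_id": "so-2", "name": "custom-ports", "enabled": True,
     "read_only": False, "policy_ids": ["policy-a", "policy-b"], "queries": [
         {"id": "listening_ports", "query": "SELECT port FROM listening_ports;",
          "interval": 3600,
          "ecs_mapping": [{"key": "destination.port", "value": {"field": "port"}}]}]},
    {"saved_object_id": "so-3", "name": "custom-disabled", "enabled": False, "queries": []},
]

def fake_fetch(params):
    """Offline stand-in for the HTTP call; slices SAMPLE like a paged response."""
    start = (params["page"] - 1) * params["pageSize"]
    return {"data": SAMPLE[start:start + params["pageSize"]], "total": len(SAMPLE),
            "page": params["page"], "per_page": params["pageSize"]}

if __name__ == "__main__":
    print(custom_enabled_packs(iter_packs(fake_fetch, page_size=2)))
```
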