GET /api/osquery/packs/{id}

Spaces method and path for this operation:

get /s/{space_id}/api/osquery/packs/{id}

Refer to Spaces for more information.

Get the details of a query pack using the pack ID.

Path parameters

  • id string Required

    The pack ID.

Responses

  • 200 application/json

    Indicates a successful call.

    • data object Required

      The pack details.

      • created_at string(date-time)
      • created_by string | null
      • created_by_profile_uid string
      • description string

        The pack description.

      • enabled boolean

        Whether the pack is enabled.

      • name string Required

        The pack name.

      • namespaces array[string]

        The namespaces the pack belongs to.

      • policy_ids array[string]

        A list of agent policy IDs.

      • queries object

        An object of queries.

        • * object Additional properties
          • ecs_mapping object

            Maps osquery result columns or static values to Elastic Common Schema (ECS) fields.

            • * object Additional properties
          • id string

            The ID of the query.

          • platform string

            Restricts the query to a specified platform. The default is all platforms. To specify multiple platforms, use commas. For example, linux,darwin.

          • query string

            The SQL query you want to run.

          • removed boolean

            Indicates whether the query is removed.

          • saved_query_id string

            The ID of a saved query.

          • snapshot boolean

            Indicates whether the query is a snapshot.

          • version string

            Runs the query only on osquery versions greater than or equal to the specified version string.

      • read_only boolean

        Whether the pack is read-only (true for prebuilt packs).

      • saved_object_id string Required

        The saved object ID of the pack.

      • shards object

        An object with shard configuration for policies included in the pack. For each policy, set the shard configuration to a percentage (1–100) of target hosts.

        • * number Additional properties
      • type string

        The saved object type.

      • updated_at string(date-time)
      • updated_by string | null
      • updated_by_profile_uid string
      • version integer

        The pack version number.

GET /api/osquery/packs/{id}
curl \
 --request GET 'https://<KIBANA_URL>/api/osquery/packs/3c42c847-eb30-4452-80e0-728584042334' \
 --header "Authorization: $API_KEY"
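As an added example (not part of the Kibana documentation), the following Python parses the `data` object described above from a constructed response body and summarises which queries the pack would actually schedule, on which platforms, and whether the shard configuration is valid; the pack name, IDs, SQL and shard values are made up.

```python
"""Summarise the 'data' object returned by GET /api/osquery/packs/{id}."""
import json

# Constructed sample response body (not captured from a live Kibana instance);
# only fields documented for this endpoint are used.
SAMPLE_RESPONSE = json.dumps({
    "data": {
        "name": "example-pack",
        "saved_object_id": "00000000-0000-0000-0000-000000000000",
        "enabled": True,
        "read_only": False,
        "policy_ids": ["policy-a", "policy-b", "policy-c"],
        "shards": {"policy-a": 100, "policy-b": 150},
        "queries": {
            "listening_ports": {
                "query": "SELECT pid, port, address FROM listening_ports;",
                "platform": "linux,darwin",
                "snapshot": True,
                "ecs_mapping": {"destination.port": {"field": "port"}},
            },
            "old_query": {"query": "SELECT 1;", "removed": True},
            "win_services": {"query": "SELECT name, path FROM services;",
                             "platform": "windows", "version": "5.0.0"},
        },
    }
})


def summarize_pack(body: str) -> dict:
    """Return the queries a pack would run plus shard configuration findings."""
    pack = json.loads(body)["data"]
    active = {}
    for qid, q in pack.get("queries", {}).items():
        if q.get("removed"):
            continue  # removed queries are still listed but no longer scheduled
        platform = q.get("platform")  # comma-separated; absent means all platforms
        active[qid] = {
            "sql": q["query"],
            "platforms": platform.split(",") if platform else ["all"],
            "snapshot": bool(q.get("snapshot", False)),
            "min_version": q.get("version"),
            "ecs_fields": sorted(q.get("ecs_mapping", {}).keys()),
        }
    shards = pack.get("shards", {})
    return {
        "name": pack["name"],
        "enabled": pack.get("enabled", False),
        "active_queries": active,
        # Shard values are percentages of target hosts and must lie in 1..100.
        "invalid_shards": {p: v for p, v in shards.items() if not 1 <= v <= 100},
        "policies_without_shard": sorted(set(pack.get("policy_ids", [])) - set(shards)),
    }
```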