Update a pack

PUT /api/osquery/packs/{id}

Api key auth

Spaces method and path for this operation:

put /s/{space_id}/api/osquery/packs/{id}

Refer to Spaces for more information.

Update a query pack using the pack ID.

You cannot update a prebuilt pack.

Path parameters

id string Required

The pack ID.

application/json

Body Required

description string

The pack description.
enabled boolean

Enables the pack.
name string

The pack name.
policy_ids array[string]

A list of agents policy IDs.
queries object

An object of queries.
Hide queries attribute Show queries attribute object
- * object Additional properties
  Hide * attributes Show * attributes object
  
  ecs_mapping object
  
  Map osquery results columns or static values to Elastic Common Schema (ECS) fields
  
  Hide ecs_mapping attribute Show ecs_mapping attribute object
  
  * object Additional properties
  
  Hide * attributes Show * attributes object
  
  field string
  
  The ECS field to map to.
  
  value string | array[string]
  
  The value to map to the ECS field.
  
  One of:
  string-1 string array-2 array[string]
  
  id string
  
  The ID of the query.
  
  platform string
  
  Restricts the query to a specified platform. The default is all platforms. To specify multiple platforms, use commas. For example, linux,darwin.
  
  query string
  
  The SQL query you want to run.
  
  removed boolean
  
  Indicates whether the query is removed.
  
  saved_query_id string
  
  The ID of a saved query.
  
  snapshot boolean
  
  Indicates whether the query is a snapshot.
  
  version string
  
  Uses the Osquery versions greater than or equal to the specified version string.
shards object

An object with shard configuration for policies included in the pack. For each policy, set the shard configuration to a percentage (1–100) of target hosts.
Hide shards attribute Show shards attribute object
- * number Additional properties

Responses

200 application/json

Indicates a successful call.
Hide response attribute Show response attribute object
- data object
  
  Hide data attributes Show data attributes object
  
  created_at string(date-time)
  
  created_by string | null
  
  created_by_profile_uid string
  
  description string
  
  The pack description.
  
  enabled boolean
  
  Enables the pack.
  
  name string
  
  The pack name.
  
  policy_ids array[string]
  
  A list of agents policy IDs.
  
  queries object
  
  An object of queries.
  
  Hide queries attribute Show queries attribute object
  
  * object Additional properties
  
  Hide * attributes Show * attributes object
  
  ecs_mapping object
  
  Map osquery results columns or static values to Elastic Common Schema (ECS) fields
  
  Hide ecs_mapping attribute Show ecs_mapping attribute object
  
  * object Additional properties
  
  Hide * attributes Show * attributes object
  
  field string
  
  The ECS field to map to.
  
  value string | array[string]
  
  The value to map to the ECS field.
  
  One of:
  string-1 string array-2 array[string]
  
  id string
  
  The ID of the query.
  
  platform string
  
  Restricts the query to a specified platform. The default is all platforms. To specify multiple platforms, use commas. For example, linux,darwin.
  
  query string
  
  The SQL query you want to run.
  
  removed boolean
  
  Indicates whether the query is removed.
  
  saved_query_id string
  
  The ID of a saved query.
  
  snapshot boolean
  
  Indicates whether the query is a snapshot.
  
  version string
  
  Uses the Osquery versions greater than or equal to the specified version string.
  
  saved_object_id string
  
  The saved object ID of the pack.
  
  shards object
  
  An object with shard configuration for policies included in the pack. For each policy, set the shard configuration to a percentage (1–100) of target hosts.
  
  Hide shards attribute Show shards attribute object
  
  * number Additional properties
  
  updated_at string(date-time)
  
  updated_by string | null
  
  updated_by_profile_uid string
  
  version integer
  
  The pack version number.

PUT /api/osquery/packs/{id}

curl \
 --request PUT 'https://<KIBANA_URL>/api/osquery/packs/3c42c847-eb30-4452-80e0-728584042334' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '{"description":"Updated pack description","enabled":true,"name":"my_pack_renamed"}'

Request example

{
  "description": "Updated pack description",
  "enabled": true,
  "name": "my_pack_renamed"
}

Response examples (200)

{
  "data": {
    "description": "Updated pack description",
    "enabled": true,
    "name": "my_pack_renamed",
    "policy_ids": [
      "my_policy_id"
    ],
    "queries": {
      "ports": {
        "interval": 60,
        "query": "SELECT * FROM listening_ports;",
        "removed": false,
        "snapshot": true,
        "timeout": 120
      }
    },
    "saved_object_id": "1c266590-381f-428c-878f-c80c1334f856",
    "shards": [],
    "updated_at": "2025-02-27T10:00:00.000Z",
    "updated_by": "elastic",
    "version": 2
  }
}

Update a pack

Path parameters

Body Required

value string | array[string]

Responses

value string | array[string]