Update a pack

PUT /api/osquery/packs/{id}

Api key auth

Spaces method and path for this operation:

put /s/{space_id}/api/osquery/packs/{id}

Refer to Spaces for more information.

Update a query pack using the pack ID.

You cannot update a prebuilt pack.

Path parameters

id string Required

The pack ID.

application/json

Body Required

description string

The pack description.
enabled boolean

Enables the pack.
interval integer

Pack-level interval, in seconds. Used when schedule_type is interval. Mutually exclusive with rrule_schedule.

Minimum value is 1.
name string

The pack name.
policy_ids array[string]

A list of agents policy IDs.
queries object

An object of queries.
Hide queries attribute Show queries attribute object
- * object Additional properties
  Hide * attributes Show * attributes object
  
  ecs_mapping object
  
  Map osquery results columns or static values to Elastic Common Schema (ECS) fields
  
  Hide ecs_mapping attribute Show ecs_mapping attribute object
  
  * object Additional properties
  
  Hide * attributes Show * attributes object
  
  field string
  
  The ECS field to map to.
  
  value string | array[string]
  
  The value to map to the ECS field.
  
  One of:
  string-1 string array-2 array[string]
  
  id string
  
  The ID of the query.
  
  platform string
  
  Restricts the query to a specified platform. The default is all platforms. To specify multiple platforms, use commas. For example, linux,darwin.
  
  query string
  
  The SQL query you want to run.
  
  removed boolean
  
  Indicates whether the query is removed.
  
  rrule_schedule object
  
  RRULE schedule configuration consumed by osquerybeat. Loose date forms like "2024-01-01" are rejected with 400. DTSTART is NOT embedded in rrule; the separate start_date field is the schedule anchor.
  
  Hide rrule_schedule attributes Show rrule_schedule attributes object
  
  end_date string(date-time)
  
  Optional RFC 3339 datetime string for the schedule's end. MUST be after start_date.
  
  Maximum length is 64.
  
  rrule string Required
  
  Fully serialized RFC 5545 RRULE string (e.g. "FREQ=WEEKLY;BYDAY=MO,WE,FR"). The Kibana UI writes only a subset of parts — FREQ, INTERVAL, BYDAY, BYMONTHDAY, BYMONTH — but the server accepts and round-trips any well-formed parts (other recognized parts like BYHOUR, BYMINUTE, BYSETPOS, WKST, COUNT, UNTIL are preserved verbatim).
  
  Maximum length is 2048.
  
  splay string
  
  Optional Go duration string for splay (random execution delay), e.g. "30s", "5m", "1h". The Kibana form writes single-unit values only; compound durations ("1h30m") are tolerated on read for round-trip safety with osquerybeat's writer. Maximum 12 hours (43200 seconds).
  
  Maximum length is 64.
  
  start_date string(date-time) Required
  
  RFC 3339 datetime string for the schedule's start.
  
  Maximum length is 64.
  
  timeout number
  
  Optional query execution timeout, in seconds. Defaults to 60 in osquerybeat when unset.
  
  saved_query_id string
  
  The ID of a saved query.
  
  schedule_type string
  
  Discriminator for the pack's schedule mode. interval uses native osqueryd interval scheduling (seconds). rrule uses osquerybeat's RRULE-based recurrence scheduling. Per-query overrides MUST use the same mode as the pack — cross-mode overrides are rejected with 400.
  
  Values are interval or rrule.
  
  snapshot boolean
  
  Indicates whether the query is a snapshot.
  
  version string
  
  Uses the Osquery versions greater than or equal to the specified version string.
rrule_schedule object

RRULE schedule configuration consumed by osquerybeat. Loose date forms like "2024-01-01" are rejected with 400. DTSTART is NOT embedded in rrule; the separate start_date field is the schedule anchor.
Hide rrule_schedule attributes Show rrule_schedule attributes object
- end_date string(date-time)
  
  Optional RFC 3339 datetime string for the schedule's end. MUST be after start_date.
  
  Maximum length is 64.
- rrule string Required
  
  Fully serialized RFC 5545 RRULE string (e.g. "FREQ=WEEKLY;BYDAY=MO,WE,FR"). The Kibana UI writes only a subset of parts — FREQ, INTERVAL, BYDAY, BYMONTHDAY, BYMONTH — but the server accepts and round-trips any well-formed parts (other recognized parts like BYHOUR, BYMINUTE, BYSETPOS, WKST, COUNT, UNTIL are preserved verbatim).
  
  Maximum length is 2048.
- splay string
  
  Optional Go duration string for splay (random execution delay), e.g. "30s", "5m", "1h". The Kibana form writes single-unit values only; compound durations ("1h30m") are tolerated on read for round-trip safety with osquerybeat's writer. Maximum 12 hours (43200 seconds).
  
  Maximum length is 64.
- start_date string(date-time) Required
  
  RFC 3339 datetime string for the schedule's start.
  
  Maximum length is 64.
- timeout number
  
  Optional query execution timeout, in seconds. Defaults to 60 in osquerybeat when unset.
schedule_type string

Discriminator for the pack's schedule mode. interval uses native osqueryd interval scheduling (seconds). rrule uses osquerybeat's RRULE-based recurrence scheduling. Per-query overrides MUST use the same mode as the pack — cross-mode overrides are rejected with 400.

Values are interval or rrule.
shards object

An object with shard configuration for policies included in the pack. For each policy, set the shard configuration to a percentage (1–100) of target hosts.
Hide shards attribute Show shards attribute object
- * number Additional properties

Responses

200 application/json

Indicates a successful call.
Hide response attribute Show response attribute object
- data object
  
  Hide data attributes Show data attributes object
  
  created_at string(date-time)
  
  created_by string | null
  
  created_by_profile_uid string
  
  description string
  
  The pack description.
  
  enabled boolean
  
  Enables the pack.
  
  interval integer
  
  Pack-level interval, in seconds. Used when schedule_type is interval. Mutually exclusive with rrule_schedule.
  
  Minimum value is 1.
  
  name string
  
  The pack name.
  
  policy_ids array[string]
  
  A list of agents policy IDs.
  
  queries object
  
  An object of queries.
  
  Hide queries attribute Show queries attribute object
  
  * object Additional properties
  
  Hide * attributes Show * attributes object
  
  ecs_mapping object
  
  Map osquery results columns or static values to Elastic Common Schema (ECS) fields
  
  Hide ecs_mapping attribute Show ecs_mapping attribute object
  
  * object Additional properties
  
  Hide * attributes Show * attributes object
  
  field string
  
  The ECS field to map to.
  
  value string | array[string]
  
  The value to map to the ECS field.
  
  One of:
  string-1 string array-2 array[string]
  
  id string
  
  The ID of the query.
  
  platform string
  
  Restricts the query to a specified platform. The default is all platforms. To specify multiple platforms, use commas. For example, linux,darwin.
  
  query string
  
  The SQL query you want to run.
  
  removed boolean
  
  Indicates whether the query is removed.
  
  rrule_schedule object
  
  RRULE schedule configuration consumed by osquerybeat. Loose date forms like "2024-01-01" are rejected with 400. DTSTART is NOT embedded in rrule; the separate start_date field is the schedule anchor.
  
  Hide rrule_schedule attributes Show rrule_schedule attributes object
  
  end_date string(date-time)
  
  Optional RFC 3339 datetime string for the schedule's end. MUST be after start_date.
  
  Maximum length is 64.
  
  rrule string Required
  
  Fully serialized RFC 5545 RRULE string (e.g. "FREQ=WEEKLY;BYDAY=MO,WE,FR"). The Kibana UI writes only a subset of parts — FREQ, INTERVAL, BYDAY, BYMONTHDAY, BYMONTH — but the server accepts and round-trips any well-formed parts (other recognized parts like BYHOUR, BYMINUTE, BYSETPOS, WKST, COUNT, UNTIL are preserved verbatim).
  
  Maximum length is 2048.
  
  splay string
  
  Optional Go duration string for splay (random execution delay), e.g. "30s", "5m", "1h". The Kibana form writes single-unit values only; compound durations ("1h30m") are tolerated on read for round-trip safety with osquerybeat's writer. Maximum 12 hours (43200 seconds).
  
  Maximum length is 64.
  
  start_date string(date-time) Required
  
  RFC 3339 datetime string for the schedule's start.
  
  Maximum length is 64.
  
  timeout number
  
  Optional query execution timeout, in seconds. Defaults to 60 in osquerybeat when unset.
  
  saved_query_id string
  
  The ID of a saved query.
  
  schedule_type string
  
  Discriminator for the pack's schedule mode. interval uses native osqueryd interval scheduling (seconds). rrule uses osquerybeat's RRULE-based recurrence scheduling. Per-query overrides MUST use the same mode as the pack — cross-mode overrides are rejected with 400.
  
  Values are interval or rrule.
  
  snapshot boolean
  
  Indicates whether the query is a snapshot.
  
  version string
  
  Uses the Osquery versions greater than or equal to the specified version string.
  
  rrule_schedule object
  
  RRULE schedule configuration consumed by osquerybeat. Loose date forms like "2024-01-01" are rejected with 400. DTSTART is NOT embedded in rrule; the separate start_date field is the schedule anchor.
  
  Hide rrule_schedule attributes Show rrule_schedule attributes object
  
  end_date string(date-time)
  
  Optional RFC 3339 datetime string for the schedule's end. MUST be after start_date.
  
  Maximum length is 64.
  
  rrule string Required
  
  Fully serialized RFC 5545 RRULE string (e.g. "FREQ=WEEKLY;BYDAY=MO,WE,FR"). The Kibana UI writes only a subset of parts — FREQ, INTERVAL, BYDAY, BYMONTHDAY, BYMONTH — but the server accepts and round-trips any well-formed parts (other recognized parts like BYHOUR, BYMINUTE, BYSETPOS, WKST, COUNT, UNTIL are preserved verbatim).
  
  Maximum length is 2048.
  
  splay string
  
  Optional Go duration string for splay (random execution delay), e.g. "30s", "5m", "1h". The Kibana form writes single-unit values only; compound durations ("1h30m") are tolerated on read for round-trip safety with osquerybeat's writer. Maximum 12 hours (43200 seconds).
  
  Maximum length is 64.
  
  start_date string(date-time) Required
  
  RFC 3339 datetime string for the schedule's start.
  
  Maximum length is 64.
  
  timeout number
  
  Optional query execution timeout, in seconds. Defaults to 60 in osquerybeat when unset.
  
  saved_object_id string
  
  The saved object ID of the pack.
  
  schedule_type string
  
  Discriminator for the pack's schedule mode. interval uses native osqueryd interval scheduling (seconds). rrule uses osquerybeat's RRULE-based recurrence scheduling. Per-query overrides MUST use the same mode as the pack — cross-mode overrides are rejected with 400.
  
  Values are interval or rrule.
  
  shards object
  
  An object with shard configuration for policies included in the pack. For each policy, set the shard configuration to a percentage (1–100) of target hosts.
  
  Hide shards attribute Show shards attribute object
  
  * number Additional properties
  
  updated_at string(date-time)
  
  updated_by string | null
  
  updated_by_profile_uid string
  
  version integer
  
  The pack version number.

PUT /api/osquery/packs/{id}

curl \
 --request PUT 'https://<KIBANA_URL>/api/osquery/packs/3c42c847-eb30-4452-80e0-728584042334' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '{"description":"Updated pack description","enabled":true,"name":"my_pack_renamed"}'

Request example

{
  "description": "Updated pack description",
  "enabled": true,
  "name": "my_pack_renamed"
}

Response examples (200)

{
  "data": {
    "description": "Updated pack description",
    "enabled": true,
    "name": "my_pack_renamed",
    "policy_ids": [
      "my_policy_id"
    ],
    "queries": {
      "ports": {
        "interval": 60,
        "query": "SELECT * FROM listening_ports;",
        "removed": false,
        "snapshot": true,
        "timeout": 120
      }
    },
    "saved_object_id": "1c266590-381f-428c-878f-c80c1334f856",
    "shards": [],
    "updated_at": "2025-02-27T10:00:00.000Z",
    "updated_by": "elastic",
    "version": 2
  }
}

Update a pack

Path parameters

Body Required

value string | array[string]

Responses

value string | array[string]