[Osquery] Add docs for Osquery API (#137162)

docs/api/osquery-manager.asciidoc

@@ -0,0 +1,41 @@
+[[osquery-manager-api]]
+== Osquery manager API
+
+experimental[] Run live queries, manage packs and saved queries
+
+WARNING: Use the osquery manager APIs for managing packs and saved queries instead of lower-level <<saved-objects-api, saved objects API>>.
+
+The following osquery manager APIs are available: 
+
+* Live queries
+    ** <<osquery-manager-live-queries-api-get-all, Get all live queries API>> to retrieve a list of live queries
+    ** <<osquery-manager-live-queries-api-get, Get live query API>> to retrieve a single live query
+    ** <<osquery-manager-live-queries-api-create, Create live query API>> to create a live query
+    ** <<osquery-manager-live-queries-api-get-results, Get live query results API>> to retrieve the results of a single live query
+* Packs
+    ** <<osquery-manager-packs-api-get-all, Get all packs API>> to retrieve a list of packs
+    ** <<osquery-manager-packs-api-get, Get pack API>> to retrieve a pack
+    ** <<osquery-manager-packs-api-create, Create pack API>> to create a pack
+    ** <<osquery-manager-packs-api-update, Update pack API>> to partially update an existing pack
+    ** <<osquery-manager-packs-api-delete, Delete pack API>> to delete a pack
+* Saved queries
+    ** <<osquery-manager-saved-queries-api-get-all, Get all saved queries API>> to retrieve a list of saved queries
+    ** <<osquery-manager-saved-queries-api-get, Get saved query API>> to retrieve a saved query
+    ** <<osquery-manager-saved-queries-api-create, Create saved query API>> to create a saved query
+    ** <<osquery-manager-saved-queries-api-update, Update saved query API>> to partially update an existing saved query
+    ** <<osquery-manager-saved-queries-api-delete, Delete saved query API>> to delete a saved query
+
+include::osquery-manager/live-queries/get.asciidoc[]
+include::osquery-manager/live-queries/get-all.asciidoc[]
+include::osquery-manager/live-queries/get-results.asciidoc[]
+include::osquery-manager/live-queries/create.asciidoc[]
+include::osquery-manager/packs/get.asciidoc[]
+include::osquery-manager/packs/get-all.asciidoc[]
+include::osquery-manager/packs/create.asciidoc[]
+include::osquery-manager/packs/update.asciidoc[]
+include::osquery-manager/packs/delete.asciidoc[]
+include::osquery-manager/saved-queries/get.asciidoc[]
+include::osquery-manager/saved-queries/get-all.asciidoc[]
+include::osquery-manager/saved-queries/create.asciidoc[]
+include::osquery-manager/saved-queries/update.asciidoc[]
+include::osquery-manager/saved-queries/delete.asciidoc[]

docs/api/osquery-manager/live-queries/create.asciidoc

@@ -0,0 +1,184 @@
+[[osquery-manager-live-queries-api-create]]
+=== Create live query API
+++++
+<titleabbrev>Create live query</titleabbrev>
+++++
+
+experimental[] Create live queries.
+
+
+[[osquery-manager-live-queries-api-create-request]]
+==== Request
+
+`POST <kibana host>:<port>/api/osquery/live_queries`
+
+`POST <kibana host>:<port>/s/<space_id>/api/osquery/live_queries`
+
+
+[[osquery-manager-live-queries-api-create-path-params]]
+==== Path parameters
+
+`space_id`::
+  (Optional, string) An identifier for the space. When `space_id` is not provided in the URL, the default space is used.
+
+
+[[osquery-manager-live-queries-api-create-body-params]]
+==== Request body
+
+`agent_ids`:: (Optional, array) A list of agent IDs to run the query on.
+
+`agent_all`:: (Optional, boolean) When `true`, the query runs on all agents.
+
+`agent_platforms`:: (Optional, array) A list of agent platforms to run the query on.
+
+`agent_policy_ids`:: (Optional, array) A list of agent policy IDs to run the query on.
+
+`query`:: (Optional, string) The SQL query you want to run.
+
+`saved_query_id`:: (Optional, string) The ID of a saved query.
+
+`ecs_mapping`:: (Optional, object) Map osquery results columns or static values to Elastic Common Schema (ECS) fields.
+
+`pack_id`:: (Optional, string) The ID of the pack you want to run.
+
+`alert_ids`:: (Optional, array) A list of alert IDs associated to the live query.
+
+`case_ids`:: (Optional, array) A list of case IDs associated to the live query.
+
+`event_ids`:: (Optional, array) A list of event IDs associated to the live query.
+
+`metadata`:: (Optional, object) Custom metadata object associated to the live query.
+
+
+[[osquery-manager-live-queries-api-create-request-codes]]
+==== Response code
+
+`200`::
+    Indicates a successful call.
+
+
+[[osquery-manager-live-queries-api-create-example]]
+==== Examples
+
+Run a live query on all supported agents:
+
+ TIP: `osquery_manager` integration has to be added to the agent policy.
+
+[source,sh]
+--------------------------------------------------
+$ curl -X POST api/osquery/live_queries \
+{
+  "query": "select * from uptime;",
+
+  "ecs_mapping": {
+    "host.uptime": {
+      "field": "total_seconds"
+    }
+  },
+  "agent_all": true,
+}
+
+--------------------------------------------------
+// KIBANA
+
+
+The API returns the live query object:
+
+[source,sh]
+--------------------------------------------------
+{
+  "data": {
+    "action_id": "3c42c847-eb30-4452-80e0-728584042334",
+    "@timestamp": "2022-07-26T09:59:32.220Z",
+    "expiration": "2022-07-26T10:04:32.220Z", # after this time no more agents will run the query
+    "type": "INPUT_ACTION",
+    "input_type": "osquery",
+    "agent_ids": [],
+    "agent_all": true,
+    "agent_platforms": [],
+    "agent_policy_ids": [],
+    "agents": ["16d7caf5-efd2-4212-9b62-73dafc91fa13"], # stores the actual queried agent IDs 
+    "user_id": "elastic",
+    "metadata": {
+      "execution_context": {
+        "name": "osquery",
+        "url": "/app/osquery/live_queries/new"
+      }
+    },
+    "queries": [
+      {
+        "action_id": "609c4c66-ba3d-43fa-afdd-53e244577aa0", # unique ID of the query, use it when querying the live query API to get the single query results
+        "id": "6724a474-cbba-41ef-a1aa-66aebf0879e2", # ID of the query, doesn't have to be unique
+        "query": "select * from uptime;",
+        "ecs_mapping": {
+          "host.uptime": {
+            "field": "total_seconds"
+          }
+        },
+        "agents": [
+          "16d7caf5-efd2-4212-9b62-73dafc91fa13" # stores the actual queried agent IDs 
+        ]
+      }
+    ]
+  }
+}
+--------------------------------------------------
+
+
+Run a pack on Darwin-supported agents: 
+
+[source,sh]
+--------------------------------------------------
+$ curl -X POST api/osquery/live_queries \
+{
+  "pack_id": "bbe5b070-0c51-11ed-b0f8-ad31b008e832"
+  "agent_platforms": ["darwin"]
+}
+
+--------------------------------------------------
+// KIBANA
+
+The API returns the live query object:
+
+[source,sh]
+--------------------------------------------------
+{
+  "data": {
+    "action_id": "3c42c847-eb30-4452-80e0-728584042334",
+    "@timestamp": "2022-07-26T09:59:32.220Z",
+    "expiration": "2022-07-26T10:04:32.220Z", # after this time no more agents will run the query
+    "type": "INPUT_ACTION",
+    "input_type": "osquery",
+    "agent_ids": [],
+    "agent_all": false,
+    "agent_platforms": ["darwin"],
+    "agent_policy_ids": [],
+    "agents": ["16d7caf5-efd2-4212-9b62-73dafc91fa13"], # stores the actual queried agent IDs 
+    "user_id": "elastic",
+    "pack_id": "bbe5b070-0c51-11ed-b0f8-ad31b008e832",
+    "pack_name": "test_pack",
+    "pack_prebuilt": false,
+    "metadata": {
+      "execution_context": {
+        "name": "osquery",
+        "url": "/app/osquery/live_queries/new"
+      }
+    },
+    "queries": [
+      {
+        "action_id": "609c4c66-ba3d-43fa-afdd-53e244577aa0", # unique ID of the query, use it when querying the live query API to get the single query results
+        "id": "uptime", # ID of the query, doesn't have to be unique
+        "query": "select * from uptime;",
+        "ecs_mapping": {
+          "host.uptime": {
+            "field": "total_seconds"
+          }
+        },
+        "agents": [
+          "16d7caf5-efd2-4212-9b62-73dafc91fa13" # stores the actual queried agent IDs 
+        ]
+      }
+    ]
+  }
+}
+--------------------------------------------------

docs/api/osquery-manager/live-queries/get-all.asciidoc

@@ -0,0 +1,97 @@
+[[osquery-manager-live-queries-api-get-all]]
+=== Get live queries API
+++++
+<titleabbrev>Get live queries</titleabbrev>
+++++
+
+experimental[] Get live queries.
+
+
+[[osquery-manager-live-queries-api-get-all-request]]
+==== Request
+
+`GET <kibana host>:<port>/api/osquery/live_queries`
+
+`GET <kibana host>:<port>/s/<space_id>/api/osquery/live_queries`
+
+
+[[osquery-manager-live-queries-api-get-all-params]]
+==== Path parameters
+
+`space_id`::
+(Optional, string) An identifier for the space. When `space_id` is not provided in the URL, the default space is used.
+
+
+=== Query parameters
+
+`page`::
+(Optional, integer) The page number to return. The default is `1`.
+
+`perPage`::
+(Optional, integer) The number of rules to return per page. The default is `20`.
+
+`sortField`::
+(Optional, string) The field that is used to sort the results. Options include `createdAt` or `updatedAt`.
+The default is `createdAt`.
++
+NOTE: Even though the JSON case object uses `created_at` and `updated_at`
+fields, you must use `createdAt` and `updatedAt` fields in the URL
+query.
+
+`sortOrder`::
+(Optional, string) Specified the sort order. Options include `desc` or `asc`.
+The defaults is `desc`.
+
+
+[[osquery-manager-live-queries-api-get-all-codes]]
+==== Response code
+
+`200`::
+Indicates a successful call.
+
+
+[[osquery-manager-live-queries-api-get-all-example]]
+==== Example
+
+Retrieve the last 10 live queries :
+
+[source,sh]
+--------------------------------------------------
+$ curl -X GET api/osquery/live_queries?page=1&perPage=10
+--------------------------------------------------
+// KIBANA
+
+The API returns a JSON object of the retrieved live queries:
+
+[source,sh]
+--------------------------------------------------
+{
+  "page": 1,
+  "per_page": 10,
+  "total": 11,
+  "data": [
+    {
+      "action_id": "3c42c847-eb30-4452-80e0-728584042334",
+      "expiration": "2022-07-26T10:04:32.220Z",
+      "@timestamp": "2022-07-26T09:59:32.220Z",
+      "agents": ["16d7caf5-efd2-4212-9b62-73dafc91fa13"],
+      "user_id": "elastic",
+      "queries": [
+        {
+          "action_id": "609c4c66-ba3d-43fa-afdd-53e244577aa0",
+          "id": "6724a474-cbba-41ef-a1aa-66aebf0879e2",
+          "query": "select * from uptime;",
+          "saved_query_id": "42ba9c50-0cc5-11ed-aa1d-2b27890bc90d",
+          "ecs_mapping": {
+            "host.uptime": {
+              "field": "total_seconds"
+            }
+          },
+          "agents": ["16d7caf5-efd2-4212-9b62-73dafc91fa13"],
+        }
+      ],
+    },
+    {...}
+  ]
+}
+--------------------------------------------------

docs/api/osquery-manager/live-queries/get-results.asciidoc

@@ -0,0 +1,64 @@
+[[osquery-manager-live-queries-api-get-results]]
+=== Get live query results API
+++++
+<titleabbrev>Get live query results</titleabbrev>
+++++
+
+experimental[] Retrieve a single live query result by ID.
+
+
+[[osquery-manager-live-queries-api-get-results-request]]
+==== Request
+
+`GET <kibana host>:<port>/api/osquery/live_queries/<id>/results/<query_action_id>`
+
+`GET <kibana host>:<port>/s/<space_id>/api/osquery/live_queries/<query_action_id>`
+
+
+[[osquery-manager-live-queries-api-get-results-params]]
+==== Path parameters
+
+`space_id`::
+(Optional, string) The space identifier. When `space_id` is not provided in the URL, the default space is used.
+
+`id`::
+(Required, string) The ID of the live query result you want to retrieve.
+
+`query_action_id`::
+(Required, string) The ID of the query action that generated the live query results.
+
+
+
+[[osquery-manager-live-queries-api-get-results-codes]]
+==== Response code
+
+`200`::
+Indicates a successful call.
+
+`404`::
+The specified live query or <query_action_id> doesn't exist.
+
+
+[[osquery-manager-live-queries-api-get-results-example]]
+==== Example
+
+Retrieve the live query results for `3c42c847-eb30-4452-80e0-728584042334` ID and `609c4c66-ba3d-43fa-afdd-53e244577aa0` query action ID:
+
+
+[source,sh]
+--------------------------------------------------
+$ curl -X GET api/osquery/live_queries/3c42c847-eb30-4452-80e0-728584042334/results/609c4c66-ba3d-43fa-afdd-53e244577aa0
+--------------------------------------------------
+// KIBANA
+
+The API returns a live query action single query result:
+
+[source,sh]
+--------------------------------------------------
+{
+  "data": {
+    "total": 2,
+    "edges": [{...}, {...}],
+  }
+}
+--------------------------------------------------

docs/api/osquery-manager/live-queries/get.asciidoc

@@ -0,0 +1,83 @@
+[[osquery-manager-live-queries-api-get]]
+=== Get live query API
+++++
+<titleabbrev>Get live query</titleabbrev>
+++++
+
+experimental[] Retrieves a single live query by ID.
+
+
+[[osquery-manager-live-queries-api-get-request]]
+==== Request
+
+`GET <kibana host>:<port>/api/osquery/live_queries/<id>`
+
+`GET <kibana host>:<port>/s/<space_id>/api/osquery/live_queries/<id>`
+
+
+[[osquery-manager-live-queries-api-get-params]]
+==== Path parameters
+
+`space_id`::
+(Optional, string) The space identifier. When `space_id` is not provided in the URL, the default space is used.
+
+`id`::
+(Required, string) The ID of the live query you want to retrieve.
+
+
+[[osquery-manager-live-queries-api-get-codes]]
+==== Response code
+
+`200`::
+Indicates a successful call.
+
+`404`::
+The specified live query and ID doesn't exist.
+
+
+[[osquery-manager-live-queries-api-get-example]]
+==== Example
+
+Retrieve the live query object with the `bbe5b070-0c51-11ed-b0f8-ad31b008e832` ID:
+
+[source,sh]
+--------------------------------------------------
+$ curl -X GET api/osquery/live_queries/bbe5b070-0c51-11ed-b0f8-ad31b008e832
+--------------------------------------------------
+// KIBANA
+
+The API returns a live query object:
+
+[source,sh]
+--------------------------------------------------
+{
+  "data": {
+    "action_id": "3c42c847-eb30-4452-80e0-728584042334",
+    "expiration": "2022-07-26T10:04:32.220Z",
+    "@timestamp": "2022-07-26T09:59:32.220Z",
+    "agents": ["16d7caf5-efd2-4212-9b62-73dafc91fa13"],
+    "user_id": "elastic",
+    "queries": [
+      {
+        "action_id": "609c4c66-ba3d-43fa-afdd-53e244577aa0",
+        "id": "6724a474-cbba-41ef-a1aa-66aebf0879e2",
+        "query": "select * from uptime;",
+        "saved_query_id": "42ba9c50-0cc5-11ed-aa1d-2b27890bc90d",
+        "ecs_mapping": {
+            "host.uptime": {
+                "field": "total_seconds"
+            }
+        },
+        "agents": ["16d7caf5-efd2-4212-9b62-73dafc91fa13"],
+        "docs": 0, # results count
+        "failed": 1, # failed queries 
+        "pending": 0, # pending agents
+        "responded": 1, # total responded agents 
+        "successful": 0, # successful agents
+        "status": "completed" # single query status
+      }
+    ],
+    "status": "completed" # global status of the live query (completed, pending)
+  }
+}
+--------------------------------------------------

docs/api/osquery-manager/packs/create.asciidoc

@@ -0,0 +1,88 @@
+[[osquery-manager-packs-api-create]]
+=== Create pack API
+++++
+<titleabbrev>Create pack</titleabbrev>
+++++
+
+experimental[] Create packs.
+
+
+[[osquery-manager-packs-api-create-request]]
+==== Request
+
+`POST <kibana host>:<port>/api/osquery/packs`
+
+`POST <kibana host>:<port>/s/<space_id>/api/osquery/packs`
+
+
+[[osquery-manager-packs-api-create-path-params]]
+==== Path parameters
+
+`space_id`::
+  (Optional, string) The space identifier. When `space_id` is not provided in the URL, the default space is used.
+
+
+[[osquery-manager-packs-api-create-body-params]]
+==== Request body
+
+`name`:: (Required, string) The pack name.
+
+`description`:: (Optional, string) The pack description.
+
+`enabled`:: (Optional, boolean) Enables the pack.
+
+`policy_ids`:: (Optional, array) A list of agents policy IDs.
+
+`queries`:: (Required, object) An object of queries.
+
+
+[[osquery-manager-packs-api-create-request-codes]]
+==== Response code
+
+`200`::
+    Indicates a successful call.
+
+
+[[osquery-manager-packs-api-create-example]]
+==== Examples
+
+Create a pack:
+
+[source,sh]
+--------------------------------------------------
+$ curl -X POST api/osquery/packs \
+{
+  "name": "my_pack",
+  "description": "My pack",
+  "enabled": true,
+  "policy_ids": [
+    "my_policy_id"
+  ],
+  "queries": {
+    "my_query": {
+      "query": "SELECT * FROM listening_ports;",
+      "interval": 60,
+      "ecs_mapping": {
+        "client.port": {
+          "field": "port"
+        },
+        "tags": {
+          "value": ["tag1", "tag2"]
+        }
+      }
+    }
+  }
+}
+
+--------------------------------------------------
+// KIBANA
+
+
+The API returns the pack object:
+
+[source,sh]
+--------------------------------------------------
+{
+    "data": {...}
+}
+--------------------------------------------------

docs/api/osquery-manager/packs/delete.asciidoc

@@ -0,0 +1,45 @@
+[[osquery-manager-packs-api-delete]]
+=== Delete pack API
+++++
+<titleabbrev>Delete pack</titleabbrev>
+++++
+
+experimental[] Delete packs.
+
+WARNING: Once you delete a pack, _it cannot be recovered_.
+
+
+[[osquery-manager-packs-api-delete-request]]
+==== Request
+
+`DELETE <kibana host>:<port>/api/osquery/packs/<id>`
+
+`DELETE <kibana host>:<port>/s/<space_id>/api/osquery/packs/<id>`
+
+
+[[osquery-manager-packs-api-delete-path-params]]
+==== Path parameters
+
+`space_id`::
+  (Optional, string) The space identifier. When `space_id` is not provided in the URL, the default space is used.
+
+`id`::
+  (Required, string) The ID of the pack you want to delete.
+
+
+[[osquery-manager-packs-api-delete-response-codes]]
+==== Response code
+
+`200`::
+  Indicates that the pack is deleted. Returns an empty response body. 
+
+
+==== Example
+
+Delete a pack object with the `bbe5b070-0c51-11ed-b0f8-ad31b008e832` ID:
+
+[source,sh]
+--------------------------------------------------
+$ curl -X DELETE api/osquery/packs/bbe5b070-0c51-11ed-b0f8-ad31b008e832
+--------------------------------------------------
+// KIBANA

docs/api/osquery-manager/packs/get-all.asciidoc

@@ -0,0 +1,107 @@
+[[osquery-manager-packs-api-get-all]]
+=== Get packs API
+++++
+<titleabbrev>Get packs</titleabbrev>
+++++
+
+experimental[] Get packs.
+
+
+[[osquery-manager-packs-api-get-all-request]]
+==== Request
+
+`GET <kibana host>:<port>/api/osquery/packs`
+
+`GET <kibana host>:<port>/s/<space_id>/api/osquery/packs`
+
+
+[[osquery-manager-packs-api-get-all-params]]
+==== Path parameters
+
+`space_id`::
+(Optional, string) The space identifier. When `space_id` is not provided in the URL, the default space is used.
+
+
+=== Query parameters
+
+`page`::
+(Optional, integer) The page number to return. The default is `1`.
+
+`perPage`::
+(Optional, integer) The number of rules to return per page. The default is `20`.
+
+`sortField`::
+(Optional, string) Specifies the field that sorts the results. Options include `createdAt` or `updatedAt`.
+The default is `createdAt`.
++
+NOTE: Even though the JSON case object uses the `created_at` and `updated_at`
+fields, you must use `createdAt` and `updatedAt` fields in the URL
+query.
+
+`sortOrder`::
+(Optional, string) Specifies the sort order. Options include `desc` or `asc`.
+The default is `desc`.
+
+
+[[osquery-manager-packs-api-get-all-codes]]
+==== Response code
+
+`200`::
+Indicates a successful call.
+
+
+[[osquery-manager-packs-api-get-all-example]]
+==== Example
+
+Retrieve the first 10 packs:
+
+[source,sh]
+--------------------------------------------------
+$ curl -X GET api/osquery/packs?page=1&perPage=10&sortField=updatedAt&sortOrder=asc
+--------------------------------------------------
+// KIBANA
+
+The API returns a JSON object with the retrieved packs:
+
+[source,sh]
+--------------------------------------------------
+{
+  "page": 1,
+  "per_page": 10,
+  "total": 11,
+  "data": [
+    {
+      "type": "osquery-pack",
+      "id": "bbe5b070-0c51-11ed-b0f8-ad31b008e832",
+      "namespaces": ["default"],
+      "attributes": {
+        "name": "test_pack",
+        "queries": [
+          {
+            "query": "select * from uptime",
+            "interval": 3600,
+            "id": "uptime",
+            "ecs_mapping": [
+              {
+                "value": {
+                  "field": "days"
+                },
+                "key": "message"
+              }
+            ]
+          }
+        ],
+        "enabled": true,
+        "created_at": "2022-07-25T19:41:10.263Z",
+        "created_by": "elastic",
+        "updated_at": "2022-07-25T20:12:01.455Z",
+        "updated_by": "elastic",
+        "description": ""
+      },
+      "policy_ids": []
+      }, 
+      {...}
+    ]
+  }
+}
+--------------------------------------------------

docs/api/osquery-manager/packs/get.asciidoc

@@ -0,0 +1,82 @@
+[[osquery-manager-packs-api-get]]
+=== Get pack API
+++++
+<titleabbrev>Get pack</titleabbrev>
+++++
+
+experimental[] Retrieve a single pack by ID.
+
+
+[[osquery-manager-packs-api-get-request]]
+==== Request
+
+`GET <kibana host>:<port>/api/osquery/packs/<id>`
+
+`GET <kibana host>:<port>/s/<space_id>/api/osquery/packs/<id>`
+
+
+[[osquery-manager-packs-api-get-params]]
+==== Path parameters
+
+`space_id`::
+(Optional, string) The space identifier. When `space_id` is not provided in the URL, the default space is used.
+
+`id`::
+(Required, string) The ID of the pack you want to retrieve.
+
+
+[[osquery-manager-packs-api-get-codes]]
+==== Response code
+
+`200`::
+Indicates a successful call.
+
+`404`::
+The specified pack and ID doesn't exist.
+
+
+[[osquery-manager-packs-api-get-example]]
+==== Example
+
+Retrieve the pack object with the `bbe5b070-0c51-11ed-b0f8-ad31b008e832` ID:
+
+[source,sh]
+--------------------------------------------------
+$ curl -X GET api/osquery/packs/bbe5b070-0c51-11ed-b0f8-ad31b008e832
+--------------------------------------------------
+// KIBANA
+
+The API returns the pack object:
+
+[source,sh]
+--------------------------------------------------
+{
+  "data": {
+    "id": "bbe5b070-0c51-11ed-b0f8-ad31b008e832",
+    "type": "osquery-pack",
+    "namespaces": [
+      "default"
+    ],
+    "updated_at": "2022-07-25T20:12:01.455Z",
+    "name": "test_pack",
+    "queries": {
+      "uptime": {
+        "interval": 3600,
+        "query": "select * from uptime",
+        "ecs_mapping": {
+          "message": {
+            "field": "days"
+          }
+        }
+      }
+    },
+    "enabled": true,
+    "created_at": "2022-07-25T19:41:10.263Z",
+    "created_by": "elastic",
+    "updated_by": "elastic",
+    "description": "",
+    "policy_ids": [],
+    "read_only": false # true for prebuilt packs
+  }
+}
+--------------------------------------------------

docs/api/osquery-manager/packs/update.asciidoc

@@ -0,0 +1,74 @@
+[[osquery-manager-packs-api-update]]
+=== Update pack API
+++++
+<titleabbrev>Update pack</titleabbrev>
+++++
+
+experimental[] Update packs.
+
+WARNING: You are unable to update a prebuilt pack (`read_only = true`).
+
+
+[[osquery-manager-packs-api-update-request]]
+==== Request
+
+`PUT <kibana host>:<port>/api/osquery/packs/<id>`
+
+`PUT <kibana host>:<port>/s/<space_id>/api/osquery/packs/<id>`
+
+
+[[osquery-manager-packs-api-update-path-params]]
+==== Path parameters
+
+`space_id`::
+  (Optional, string) The space identifier. When `space_id` is not provided in the URL, the default space is used.
+
+`id`::
+  (Required, string) The ID of the pack you want to update.
+
+
+[[osquery-manager-packs-api-update-body-params]]
+==== Request body
+
+`name`:: (Optional, string) The pack name.
+
+`description`:: (Optional, string) The pack description.
+
+`enabled`:: (Optional, boolean) Enables the pack.
+
+`policy_ids`:: (Optional, array) A list of agent policy IDs.
+
+`queries`:: (Required, object) An object of queries.
+
+
+[[osquery-manager-packs-api-update-request-codes]]
+==== Response code
+
+`200`::
+    Indicates a successful call.
+
+
+[[osquery-manager-packs-api-update-example]]
+==== Examples
+
+Update a name of the <my_pack> pack:
+
+[source,sh]
+--------------------------------------------------
+$ curl -X PUT api/osquery/packs/<id> \
+{
+  "name": "updated_my_pack_name",
+}
+
+--------------------------------------------------
+// KIBANA
+
+
+The API returns the pack saved object:
+
+[source,sh]
+--------------------------------------------------
+{
+    "data": {...}
+}
+--------------------------------------------------

docs/api/osquery-manager/saved-queries/create.asciidoc

@@ -0,0 +1,83 @@
+[[osquery-manager-saved-queries-api-create]]
+=== Create saved query API
+++++
+<titleabbrev>Create saved query</titleabbrev>
+++++
+
+experimental[] Create saved queries.
+
+
+[[osquery-manager-saved-queries-api-create-request]]
+==== Request
+
+`POST <kibana host>:<port>/api/osquery/saved_queries`
+
+`POST <kibana host>:<port>/s/<space_id>/api/osquery/saved_queries`
+
+
+[[osquery-manager-saved-queries-api-create-path-params]]
+==== Path parameters
+
+`space_id`::
+  (Optional, string) The space identifier. When `space_id` is not provided in the URL, the default space is used.
+
+
+[[osquery-manager-saved-queries-api-create-body-params]]
+==== Request body
+
+`id`:: (Required, string) The saved query name.
+
+`description`:: (Optional, string) The saved query description.
+
+`platform`:: (Optional, string) Restricts the query to a specified platform. The default is 'all' platforms. To specify multiple platforms, use commas. For example, 'linux,darwin'.
+
+`query`:: (Required, string) The SQL query you want to run.
+
+`version`:: (Optional, string) Uses the Osquery versions greater than or equal to the specified version string.
+
+`internal`:: (Optional, string) An interval, in seconds, to run the query.
+
+`ecs_mapping`:: (Optional, object) Maps Osquery results columns or static values to ECS fields.
+
+
+[[osquery-manager-saved-queries-api-create-request-codes]]
+==== Response code
+
+`200`::
+    Indicates a successful call.
+
+
+[[osquery-manager-saved-queries-api-create-example]]
+==== Examples
+
+Create a saved query:
+
+[source,sh]
+--------------------------------------------------
+$ curl -X POST api/osquery/saved_queries \
+{
+  "id": "saved_query_id",
+  "description": "Saved query description",
+  "query": "select * from uptime;",
+  "interval": "60",
+  "version": "2.8.0",
+  "platform": "linux,darwin",
+  "ecs_mapping": {
+    "host.uptime": {
+      "field": "total_seconds"
+    }
+  }
+}
+
+--------------------------------------------------
+// KIBANA
+
+
+The API returns the saved query object:
+
+[source,sh]
+--------------------------------------------------
+{
+    "data": {...}
+}
+--------------------------------------------------

docs/api/osquery-manager/saved-queries/delete.asciidoc

@@ -0,0 +1,45 @@
+[[osquery-manager-saved-queries-api-delete]]
+=== Delete saved query API
+++++
+<titleabbrev>Delete saved query</titleabbrev>
+++++
+
+experimental[] Delete saved queries.
+
+WARNING: Once you delete a saved query, _it cannot be recovered_.
+
+
+[[osquery-manager-saved-queries-api-delete-request]]
+==== Request
+
+`DELETE <kibana host>:<port>/api/osquery/saved_queries/<id>`
+
+`DELETE <kibana host>:<port>/s/<space_id>/api/osquery/saved_queries/<id>`
+
+
+[[osquery-manager-saved-queries-api-delete-path-params]]
+==== Path parameters
+
+`space_id`::
+  (Optional, string) The space identifier. When `space_id` is not provided in the URL, the default space is used.
+
+`id`::
+  (Required, string) The ID of the saved query you want to delete.
+
+
+[[osquery-manager-saved-queries-api-delete-response-codes]]
+==== Response code
+
+`200`::
+  Indicates the saved query is deleted. Returns an empty response body. 
+
+
+==== Example
+
+Delete a saved query object with the `42ba9c50-0cc5-11ed-aa1d-2b27890bc90d` ID:
+
+[source,sh]
+--------------------------------------------------
+$ curl -X DELETE api/osquery/saved_queries/42ba9c50-0cc5-11ed-aa1d-2b27890bc90d
+--------------------------------------------------
+// KIBANA

docs/api/osquery-manager/saved-queries/get-all.asciidoc

@@ -0,0 +1,99 @@
+[[osquery-manager-saved-queries-api-get-all]]
+=== Get saved-queries API
+++++
+<titleabbrev>Get saved-queries</titleabbrev>
+++++
+
+experimental[] Get saved queries.
+
+
+[[osquery-manager-saved-queries-api-get-all-request]]
+==== Request
+
+`GET <kibana host>:<port>/api/osquery/saved_queries`
+
+`GET <kibana host>:<port>/s/<space_id>/api/osquery/saved_queries`
+
+
+[[osquery-manager-saved-queries-api-get-all-params]]
+==== Path parameters
+
+`space_id`::
+(Optional, string) The space identifier. When `space_id` is not provided in the URL, the default space is used.
+
+
+=== Query parameters
+
+`page`::
+(Optional, integer) The page number to return. The default is `1`.
+
+`perPage`::
+(Optional, integer) The number of rules to return per page. The default is `20`.
+
+`sortField`::
+(Optional, string) Specifies the field that sorts the results.
+Options include `createdAt` or `updatedAt`. The default is `createdAt`.
++
+NOTE: Even though the JSON case object uses the `created_at` and `updated_at`
+fields, you must use `createdAt` and `updatedAt` fields in the URL
+query.
+
+`sortOrder`::
+(Optional, string) Determines the sort order. Options include `desc` or `asc`.
+The default is `desc`.
+
+
+[[osquery-manager-saved-queries-api-get-all-codes]]
+==== Response code
+
+`200`::
+Indicates a successful call.
+
+
+[[osquery-manager-saved-queries-api-get-all-example]]
+==== Example
+
+Retrieve the first 10 saved queries:
+
+[source,sh]
+--------------------------------------------------
+$ curl -X GET api/osquery/saved-queries?page=1&perPage=10&sortField=updatedAt&sortOrder=asc
+--------------------------------------------------
+// KIBANA
+
+The API returns a JSON object of the retrieved saved queries:
+
+[source,sh]
+--------------------------------------------------
+{
+  "page": 1,
+  "per_page": 100,
+  "total": 11,
+  "data": [
+    {
+      "type": "osquery-saved-query",
+      "id": "42ba9c50-0cc5-11ed-aa1d-2b27890bc90d",
+      "namespaces": ["default"],
+      "attributes": {
+        "id": "saved_query_id",
+        "description": "Saved query description",
+        "query": "select * from uptime;",
+        "platform": "linux,darwin",
+        "version": "2.8.0",
+        "interval": "60",
+        "ecs_mapping": {
+          "host.uptime": {
+            "field": "total_seconds"
+          }
+        },
+        "created_by": "elastic",
+        "created_at": "2022-07-26T09:28:08.597Z",
+        "updated_by": "elastic",
+        "updated_at": "2022-07-26T09:28:08.597Z",
+        "prebuilt": false
+      },
+    },
+    {...}
+  ]
+}
+--------------------------------------------------

docs/api/osquery-manager/saved-queries/get.asciidoc

@@ -0,0 +1,84 @@
+[[osquery-manager-saved-queries-api-get]]
+=== Get saved query API
+++++
+<titleabbrev>Get saved query</titleabbrev>
+++++
+
+experimental[] Retrieve a single saved query by ID.
+
+
+[[osquery-manager-saved-queries-api-get-request]]
+==== Request
+
+`GET <kibana host>:<port>/api/osquery/saved_queries/<id>`
+
+`GET <kibana host>:<port>/s/<space_id>/api/osquery/saved_queries/<id>`
+
+
+[[osquery-manager-saved-queries-api-get-params]]
+==== Path parameters
+
+`space_id`::
+(Optional, string) The space identifier. When `space_id` is not provided in the URL, the default space is used.
+
+`id`::
+(Required, string) The ID of the saved query you want to retrieve.
+
+
+[[osquery-manager-saved-queries-api-get-codes]]
+==== Response code
+
+`200`::
+Indicates a successful call.
+
+`404`::
+The specified saved query and ID doesn't exist.
+
+
+[[osquery-manager-saved-queries-api-get-example]]
+==== Example
+
+Retrieve the saved query object with the `42ba9c50-0cc5-11ed-aa1d-2b27890bc90d` ID:
+
+[source,sh]
+--------------------------------------------------
+$ curl -X GET api/osquery/saved_queries/42ba9c50-0cc5-11ed-aa1d-2b27890bc90d
+--------------------------------------------------
+// KIBANA
+
+The API returns the saved query object:
+
+[source,sh]
+--------------------------------------------------
+{
+  "data": {
+    "id": "42ba9c50-0cc5-11ed-aa1d-2b27890bc90d",
+    "type": "osquery-saved-query",
+    "namespaces": [
+      "default"
+    ],
+    "updated_at": "2022-07-26T09:28:08.600Z",
+    "version": "WzQzMTcsMV0=",
+    "attributes": {
+      "id": "saved_query_id",
+      "description": "Saved query description",
+      "query": "select * from uptime;",
+      "platform": "linux,darwin",
+      "version": "2.8.0",
+      "interval": "60",
+      "ecs_mapping": {
+        "host.uptime": {
+          "field": "total_seconds"
+        }
+      },
+      "created_by": "elastic",
+      "created_at": "2022-07-26T09:28:08.597Z",
+      "updated_by": "elastic",
+      "updated_at": "2022-07-26T09:28:08.597Z",
+      "prebuilt": false
+    },
+    "references": [],
+    "coreMigrationVersion": "8.4.0"
+  }
+}
+--------------------------------------------------

docs/api/osquery-manager/saved-queries/update.asciidoc

@@ -0,0 +1,78 @@
+[[osquery-manager-saved-queries-api-update]]
+=== Update saved query API
+++++
+<titleabbrev>Update saved query</titleabbrev>
+++++
+
+experimental[] Update saved queries.
+
+WARNING: You are unable to update a prebuilt saved query (`prebuilt = true`).
+
+
+[[osquery-manager-saved-queries-api-update-request]]
+==== Request
+
+`PUT <kibana host>:<port>/api/osquery/saved_queries/<id>`
+
+`PUT <kibana host>:<port>/s/<space_id>/api/osquery/saved_queries/<id>`
+
+
+[[osquery-manager-saved-queries-api-update-path-params]]
+==== Path parameters
+
+`space_id`::
+  (Optional, string) The space identifier. When `space_id` is not provided in the URL, the default space is used.
+
+`id`::
+  (Required, string) The ID of the saved query you want to update.
+
+
+[[osquery-manager-saved-queries-api-update-body-params]]
+==== Request body
+
+`id`:: (Required, string) The saved query name.
+
+`description`:: (Optional, string) The saved query description.
+
+`platform`:: (Optional, string) Restricts the query to a specified platform. The default is 'all' platforms. To specify multiple platforms, use commas. For example, 'linux,darwin'.
+
+`query`:: (Required, string) The SQL query you want to run.
+
+`version`:: (Optional, string) Runs on Osquery versions greater than or equal to the specified version string.
+
+`internal`:: (Optional, string) The interval, in seconds, to run the query.
+
+`ecs_mapping`:: (Optional, object) Maps Osquery result columns or static values to ECS fields.
+
+
+[[osquery-manager-saved-queries-api-update-request-codes]]
+==== Response code
+
+`200`::
+    Indicates a successful call.
+
+
+[[osquery-manager-saved-queries-api-update-example]]
+==== Examples
+
+Update a name of the <my_saved query> saved query:
+
+[source,sh]
+--------------------------------------------------
+$ curl -X PUT api/osquery/saved_queries/<id> \
+{
+  "id": "updated_my_saved_query_name",
+}
+
+--------------------------------------------------
+// KIBANA
+
+
+The API returns the saved query saved object:
+
+[source,sh]
+--------------------------------------------------
+{
+    "data": {...}
+}
+--------------------------------------------------

docs/user/api.asciidoc

@@ -102,6 +102,7 @@ include::{kib-repo-dir}/api/dashboard-api.asciidoc[]
 include::{kib-repo-dir}/api/logstash-configuration-management.asciidoc[]
 include::{kib-repo-dir}/api/machine-learning/ml_apis_v2_docs.asciidoc[]
 include::{kib-repo-dir}/api/machine-learning/ml_apis_v2_defs.asciidoc[leveloffset=+1]
+include::{kib-repo-dir}/api/osquery-manager.asciidoc[]
 include::{kib-repo-dir}/api/short-urls.asciidoc[]
 include::{kib-repo-dir}/api/task-manager/health.asciidoc[]
 include::{kib-repo-dir}/api/upgrade-assistant.asciidoc[]