[EDR Workflows][Osquery] OpenApi Missing Content (#212032)

Part of DW team effort -
https://github.com/elastic/security-team/issues/11804

This PR aligns the property/schema descriptions and examples in
AsciiDocs with OpenAPI schemas. The primary goal of this PR was not to
extend or enhance the documentation but to migrate from one system to
another.

Ascii docs -
https://www.elastic.co/guide/en/kibana/8.17/osquery-manager-api.html
OpenApi generated docs -
https://www.elastic.co/docs/api/doc/kibana/operation/operation-osqueryfindlivequeries

Changes:
1. Copied missing property descriptions from AsciiDoc to OpenApi
properties
2. Copied existing AsciiDoc examples for both requests and responses
3. Fixed an incorrectly defined query object in some GET requests - in OpenApi it was
defined as an object, not as path query params.

---------

Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
Co-authored-by: natasha-moore-elastic <137783811+natasha-moore-elastic@users.noreply.github.com>
This commit is contained in:
Konrad Szwarc 2025-02-27 13:29:04 +01:00 committed by GitHub
parent 2f0bad7d39
commit 92867c697d
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
35 changed files with 2745 additions and 715 deletions


@ -37299,16 +37299,36 @@ paths:
operationId: OsqueryFindLiveQueries
parameters:
- in: query
name: query
required: true
name: kuery
required: false
schema:
$ref: '#/components/schemas/Security_Osquery_API_FindLiveQueryRequestQuery'
$ref: '#/components/schemas/Security_Osquery_API_KueryOrUndefined'
- in: query
name: page
required: false
schema:
$ref: '#/components/schemas/Security_Osquery_API_PageOrUndefined'
- in: query
name: pageSize
required: false
schema:
$ref: '#/components/schemas/Security_Osquery_API_PageSizeOrUndefined'
- in: query
name: sort
required: false
schema:
$ref: '#/components/schemas/Security_Osquery_API_SortOrUndefined'
- in: query
name: sortOrder
required: false
schema:
$ref: '#/components/schemas/Security_Osquery_API_SortOrderOrUndefined'
responses:
'200':
content:
application/json:
schema:
$ref: '#/components/schemas/Security_Osquery_API_DefaultSuccessResponse'
$ref: '#/components/schemas/Security_Osquery_API_FindLiveQueryResponse'
description: OK
summary: Get live queries
tags:
@ -37328,7 +37348,7 @@ paths:
content:
application/json:
schema:
$ref: '#/components/schemas/Security_Osquery_API_DefaultSuccessResponse'
$ref: '#/components/schemas/Security_Osquery_API_CreateLiveQueryResponse'
description: OK
summary: Create a live query
tags:
@ -37343,18 +37363,15 @@ paths:
name: id
required: true
schema:
$ref: '#/components/schemas/Security_Osquery_API_Id'
- in: query
name: query
schema:
additionalProperties: true
type: object
description: The ID of the live query result you want to retrieve.
example: 3c42c847-eb30-4452-80e0-728584042334
type: string
responses:
'200':
content:
application/json:
schema:
$ref: '#/components/schemas/Security_Osquery_API_DefaultSuccessResponse'
$ref: '#/components/schemas/Security_Osquery_API_FindLiveQueryDetailsResponse'
description: OK
summary: Get live query details
tags:
@ -37369,23 +37386,47 @@ paths:
name: id
required: true
schema:
$ref: '#/components/schemas/Security_Osquery_API_Id'
description: The ID of the live query result you want to retrieve.
example: 3c42c847-eb30-4452-80e0-728584042334
type: string
- in: path
name: actionId
required: true
schema:
$ref: '#/components/schemas/Security_Osquery_API_Id'
description: The ID of the query action that generated the live query results.
example: 609c4c66-ba3d-43fa-afdd-53e244577aa0
type: string
- in: query
name: query
required: true
name: kuery
required: false
schema:
$ref: '#/components/schemas/Security_Osquery_API_GetLiveQueryResultsRequestQuery'
$ref: '#/components/schemas/Security_Osquery_API_KueryOrUndefined'
- in: query
name: page
required: false
schema:
$ref: '#/components/schemas/Security_Osquery_API_PageOrUndefined'
- in: query
name: pageSize
required: false
schema:
$ref: '#/components/schemas/Security_Osquery_API_PageSizeOrUndefined'
- in: query
name: sort
required: false
schema:
$ref: '#/components/schemas/Security_Osquery_API_SortOrUndefined'
- in: query
name: sortOrder
required: false
schema:
$ref: '#/components/schemas/Security_Osquery_API_SortOrderOrUndefined'
responses:
'200':
content:
application/json:
schema:
$ref: '#/components/schemas/Security_Osquery_API_DefaultSuccessResponse'
$ref: '#/components/schemas/Security_Osquery_API_GetLiveQueryResultsResponse'
description: OK
summary: Get live query results
tags:
@ -37397,16 +37438,31 @@ paths:
operationId: OsqueryFindPacks
parameters:
- in: query
name: query
required: true
name: page
required: false
schema:
$ref: '#/components/schemas/Security_Osquery_API_FindPacksRequestQuery'
$ref: '#/components/schemas/Security_Osquery_API_PageOrUndefined'
- in: query
name: pageSize
required: false
schema:
$ref: '#/components/schemas/Security_Osquery_API_PageSizeOrUndefined'
- in: query
name: sort
required: false
schema:
$ref: '#/components/schemas/Security_Osquery_API_SortOrUndefined'
- in: query
name: sortOrder
required: false
schema:
$ref: '#/components/schemas/Security_Osquery_API_SortOrderOrUndefined'
responses:
'200':
content:
application/json:
schema:
$ref: '#/components/schemas/Security_Osquery_API_DefaultSuccessResponse'
$ref: '#/components/schemas/Security_Osquery_API_FindPacksResponse'
description: OK
summary: Get packs
tags:
@ -37426,7 +37482,7 @@ paths:
content:
application/json:
schema:
$ref: '#/components/schemas/Security_Osquery_API_DefaultSuccessResponse'
$ref: '#/components/schemas/Security_Osquery_API_CreatePacksResponse'
description: OK
summary: Create a pack
tags:
@ -37447,7 +37503,9 @@ paths:
content:
application/json:
schema:
$ref: '#/components/schemas/Security_Osquery_API_DefaultSuccessResponse'
example: {}
type: object
properties: {}
description: OK
summary: Delete a pack
tags:
@ -37467,7 +37525,7 @@ paths:
content:
application/json:
schema:
$ref: '#/components/schemas/Security_Osquery_API_DefaultSuccessResponse'
$ref: '#/components/schemas/Security_Osquery_API_FindPackResponse'
description: OK
summary: Get pack details
tags:
@ -37496,7 +37554,7 @@ paths:
content:
application/json:
schema:
$ref: '#/components/schemas/Security_Osquery_API_DefaultSuccessResponse'
$ref: '#/components/schemas/Security_Osquery_API_UpdatePacksResponse'
description: OK
summary: Update a pack
tags:
@ -37508,16 +37566,31 @@ paths:
operationId: OsqueryFindSavedQueries
parameters:
- in: query
name: query
required: true
name: page
required: false
schema:
$ref: '#/components/schemas/Security_Osquery_API_FindSavedQueryRequestQuery'
$ref: '#/components/schemas/Security_Osquery_API_PageOrUndefined'
- in: query
name: pageSize
required: false
schema:
$ref: '#/components/schemas/Security_Osquery_API_PageSizeOrUndefined'
- in: query
name: sort
required: false
schema:
$ref: '#/components/schemas/Security_Osquery_API_SortOrUndefined'
- in: query
name: sortOrder
required: false
schema:
$ref: '#/components/schemas/Security_Osquery_API_SortOrderOrUndefined'
responses:
'200':
content:
application/json:
schema:
$ref: '#/components/schemas/Security_Osquery_API_DefaultSuccessResponse'
$ref: '#/components/schemas/Security_Osquery_API_FindSavedQueryResponse'
description: OK
summary: Get saved queries
tags:
@ -37537,7 +37610,7 @@ paths:
content:
application/json:
schema:
$ref: '#/components/schemas/Security_Osquery_API_DefaultSuccessResponse'
$ref: '#/components/schemas/Security_Osquery_API_CreateSavedQueryResponse'
description: OK
summary: Create a saved query
tags:
@ -37578,7 +37651,7 @@ paths:
content:
application/json:
schema:
$ref: '#/components/schemas/Security_Osquery_API_DefaultSuccessResponse'
$ref: '#/components/schemas/Security_Osquery_API_FindSavedQueryDetailResponse'
description: OK
summary: Get saved query details
tags:
@ -37607,7 +37680,7 @@ paths:
content:
application/json:
schema:
$ref: '#/components/schemas/Security_Osquery_API_DefaultSuccessResponse'
$ref: '#/components/schemas/Security_Osquery_API_UpdateSavedQueryResponse'
description: OK
summary: Update a saved query
tags:
@ -54045,6 +54118,7 @@ components:
- status_code
- message
Security_Osquery_API_ArrayQueries:
description: An array of queries to run.
items:
$ref: '#/components/schemas/Security_Osquery_API_ArrayQueriesItem'
type: array
@ -54054,7 +54128,7 @@ components:
ecs_mapping:
$ref: '#/components/schemas/Security_Osquery_API_ECSMappingOrUndefined'
id:
$ref: '#/components/schemas/Security_Osquery_API_Id'
$ref: '#/components/schemas/Security_Osquery_API_QueryId'
platform:
$ref: '#/components/schemas/Security_Osquery_API_PlatformOrUndefined'
query:
@ -54066,37 +54140,51 @@ components:
version:
$ref: '#/components/schemas/Security_Osquery_API_VersionOrUndefined'
Security_Osquery_API_CreateLiveQueryRequestBody:
example:
agent_all: true
ecs_mapping:
host.uptime:
field: total_seconds
query: select * from uptime;
type: object
properties:
agent_all:
description: When `true`, the query runs on all agents.
type: boolean
agent_ids:
description: A list of agent IDs to run the query on.
items:
type: string
type: array
agent_platforms:
description: A list of agent platforms to run the query on.
items:
type: string
type: array
agent_policy_ids:
description: A list of agent policy IDs to run the query on.
items:
type: string
type: array
alert_ids:
description: A list of alert IDs associated with the live query.
items:
type: string
type: array
case_ids:
description: A list of case IDs associated with the live query.
items:
type: string
type: array
ecs_mapping:
$ref: '#/components/schemas/Security_Osquery_API_ECSMappingOrUndefined'
event_ids:
description: A list of event IDs associated with the live query.
items:
type: string
type: array
metadata:
description: Custom metadata object associated with the live query.
nullable: true
type: object
pack_id:
@ -54107,11 +54195,64 @@ components:
$ref: '#/components/schemas/Security_Osquery_API_QueryOrUndefined'
saved_query_id:
$ref: '#/components/schemas/Security_Osquery_API_SavedQueryIdOrUndefined'
Security_Osquery_API_CreateLiveQueryResponse:
example:
data:
'@timestamp': '2022-07-26T09:59:32.220Z'
action_id: 3c42c847-eb30-4452-80e0-728584042334
agent_all: true
agent_ids: []
agent_platforms: []
agent_policy_ids: []
agents:
- 16d7caf5-efd2-4212-9b62-73dafc91fa13
expiration: '2022-07-26T10:04:32.220Z'
input_type: osquery
metadata:
execution_context:
name: osquery
url: /app/osquery/live_queries/new
queries:
- action_id: 609c4c66-ba3d-43fa-afdd-53e244577aa0
agents:
- 16d7caf5-efd2-4212-9b62-73dafc91fa13
ecs_mapping:
host.uptime:
field: total_seconds
id: 6724a474-cbba-41ef-a1aa-66aebf0879e2
query: select * from uptime;
timeout: 120
type: INPUT_ACTION
user_id: elastic
type: object
properties: {}
Security_Osquery_API_CreatePacksRequestBody:
example:
description: My pack
enabled: true
name: my_pack
policy_ids:
- my_policy_id
- fleet-server-policy
queries:
my_query:
ecs_mapping:
client.port:
field: port
tags:
value:
- tag1
- tag2
interval: 60
query: SELECT * FROM listening_ports;
timeout: 120
shards:
fleet-server-policy: 58
my_policy_id: 35
type: object
properties:
description:
$ref: '#/components/schemas/Security_Osquery_API_DescriptionOrUndefined'
$ref: '#/components/schemas/Security_Osquery_API_PackDescriptionOrUndefined'
enabled:
$ref: '#/components/schemas/Security_Osquery_API_EnabledOrUndefined'
name:
@ -54122,11 +54263,50 @@ components:
$ref: '#/components/schemas/Security_Osquery_API_ObjectQueries'
shards:
$ref: '#/components/schemas/Security_Osquery_API_Shards'
Security_Osquery_API_CreatePacksResponse:
example:
data:
created_at: '2025-02-26T13:37:30.452Z'
created_by: elastic
description: My pack
enabled: true
name: my_pack
queries:
ports:
ecs_mapping:
client.port:
field: port
interval: 60
query: SELECT * FROM listening_ports;
removed: false
snapshot: true
timeout: 120
saved_object_id: 1c266590-381f-428c-878f-c80c1334f856
shards:
- key: 47638692-7c4c-4053-aa3e-7186f28df349
value: 35
- key: 5e267651-fe50-443e-8d3f-3bbc9171b618
value: 58
updated_at: '2025-02-26T13:37:30.452Z'
updated_by: elastic
type: object
properties: {}
Security_Osquery_API_CreateSavedQueryRequestBody:
example:
description: Saved query description
ecs_mapping:
host.uptime:
field: total_seconds
id: saved_query_id
interval: '60'
platform: linux,darwin
query: select * from uptime;
timeout: 120
version: 2.8.0
type: object
properties:
description:
$ref: '#/components/schemas/Security_Osquery_API_DescriptionOrUndefined'
$ref: '#/components/schemas/Security_Osquery_API_SavedQueryDescriptionOrUndefined'
ecs_mapping:
$ref: '#/components/schemas/Security_Osquery_API_ECSMappingOrUndefined'
id:
@ -54134,7 +54314,7 @@ components:
interval:
$ref: '#/components/schemas/Security_Osquery_API_Interval'
platform:
$ref: '#/components/schemas/Security_Osquery_API_DescriptionOrUndefined'
$ref: '#/components/schemas/Security_Osquery_API_PlatformOrUndefined'
query:
$ref: '#/components/schemas/Security_Osquery_API_QueryOrUndefined'
removed:
@ -54143,24 +54323,32 @@ components:
$ref: '#/components/schemas/Security_Osquery_API_SnapshotOrUndefined'
version:
$ref: '#/components/schemas/Security_Osquery_API_VersionOrUndefined'
Security_Osquery_API_CreateSavedQueryResponse:
example:
data: {}
type: object
properties: {}
Security_Osquery_API_DefaultSuccessResponse:
type: object
properties: {}
Security_Osquery_API_Description:
type: string
Security_Osquery_API_DescriptionOrUndefined:
$ref: '#/components/schemas/Security_Osquery_API_Description'
nullable: true
Security_Osquery_API_ECSMapping:
additionalProperties:
$ref: '#/components/schemas/Security_Osquery_API_ECSMappingItem'
description: Map osquery results columns or static values to Elastic Common Schema (ECS) fields
example:
host.uptime:
field: total_seconds
type: object
Security_Osquery_API_ECSMappingItem:
type: object
properties:
field:
description: The ECS field to map to.
example: host.uptime
type: string
value:
description: The value to map to the ECS field.
example: total_seconds
oneOf:
- type: string
- items:
@ -54170,71 +54358,197 @@ components:
$ref: '#/components/schemas/Security_Osquery_API_ECSMapping'
nullable: true
Security_Osquery_API_Enabled:
description: Enables the pack.
example: true
type: boolean
Security_Osquery_API_EnabledOrUndefined:
$ref: '#/components/schemas/Security_Osquery_API_Enabled'
nullable: true
Security_Osquery_API_FindLiveQueryRequestQuery:
Security_Osquery_API_FindLiveQueryDetailsResponse:
example:
data:
'@timestamp': '2022-07-26T09:59:32.220Z'
action_id: 3c42c847-eb30-4452-80e0-728584042334
agents:
- 16d7caf5-efd2-4212-9b62-73dafc91fa13
expiration: '2022-07-26T10:04:32.220Z'
queries:
- action_id: 609c4c66-ba3d-43fa-afdd-53e244577aa0
agents:
- 16d7caf5-efd2-4212-9b62-73dafc91fa13
docs: 0
ecs_mapping:
host.uptime:
field: total_seconds
failed: 1
id: 6724a474-cbba-41ef-a1aa-66aebf0879e2
pending: 0
query: select * from uptime;
responded: 1
saved_query_id: 42ba9c50-0cc5-11ed-aa1d-2b27890bc90d
status: completed
successful: 0
status: completed
user_id: elastic
type: object
properties:
kuery:
$ref: '#/components/schemas/Security_Osquery_API_KueryOrUndefined'
page:
$ref: '#/components/schemas/Security_Osquery_API_PageOrUndefined'
pageSize:
$ref: '#/components/schemas/Security_Osquery_API_PageSizeOrUndefined'
sort:
$ref: '#/components/schemas/Security_Osquery_API_SortOrUndefined'
sortOrder:
$ref: '#/components/schemas/Security_Osquery_API_SortOrderOrUndefined'
Security_Osquery_API_FindPacksRequestQuery:
properties: {}
Security_Osquery_API_FindLiveQueryResponse:
example:
data:
items:
- fields:
'@timestamp': '2023-10-31T00:00:00Z'
action_id: 3c42c847-eb30-4452-80e0-728584042334
agents:
- 16d7caf5-efd2-4212-9b62-73dafc91fa13
expiration: '2023-10-31T00:00:00Z'
queries:
- action_id: 609c4c66-ba3d-43fa-afdd-53e244577aa0
agents:
- 16d7caf5-efd2-4212-9b62-73dafc91fa13
ecs_mapping:
host.uptime:
field: total_seconds
id: 6724a474-cbba-41ef-a1aa-66aebf0879e2
query: select * from uptime;
saved_query_id: 42ba9c50-0cc5-11ed-aa1d-2b27890bc90d
user_id: elastic
type: object
properties:
page:
$ref: '#/components/schemas/Security_Osquery_API_PageOrUndefined'
pageSize:
$ref: '#/components/schemas/Security_Osquery_API_PageSizeOrUndefined'
sort:
$ref: '#/components/schemas/Security_Osquery_API_SortOrUndefined'
sortOrder:
$ref: '#/components/schemas/Security_Osquery_API_SortOrderOrUndefined'
Security_Osquery_API_FindSavedQueryRequestQuery:
properties: {}
Security_Osquery_API_FindPackResponse:
example:
data:
created_at: '2022-07-25T19:41:10.263Z'
created_by: elastic
description: ''
enabled: true
id: 3c42c847-eb30-4452-80e0-728584042334
name: test_pack
namespaces:
- default
policy_ids: []
queries:
uptime:
ecs_mapping:
message:
field: days
interval: 3600
query: select * from uptime
read_only: false
type: osquery-pack
updated_at: '2022-07-25T20:12:01.455Z'
updated_by: elastic
type: object
properties:
page:
$ref: '#/components/schemas/Security_Osquery_API_PageOrUndefined'
pageSize:
$ref: '#/components/schemas/Security_Osquery_API_PageSizeOrUndefined'
sort:
$ref: '#/components/schemas/Security_Osquery_API_SortOrUndefined'
sortOrder:
$ref: '#/components/schemas/Security_Osquery_API_SortOrderOrUndefined'
Security_Osquery_API_GetLiveQueryResultsRequestQuery:
properties: {}
Security_Osquery_API_FindPacksResponse:
example:
data:
- attributes:
created_at: '2023-10-31T00:00:00Z'
created_by: elastic
description: My pack description
enabled: true
name: My Pack
queries:
- ecs_mapping:
- host.uptime:
field: total_seconds
id: uptime
interval: '3600'
query: select * from uptime;
updated_at: '2023-10-31T00:00:00Z'
updated_by: elastic
id: 42ba9c50-0cc5-11ed-aa1d-2b27890bc90d
namespaces:
- default
type: osquery-pack
page: 1
pageSize: 10
policy_ids: []
total: 1
type: object
properties:
kuery:
$ref: '#/components/schemas/Security_Osquery_API_KueryOrUndefined'
page:
$ref: '#/components/schemas/Security_Osquery_API_PageOrUndefined'
pageSize:
$ref: '#/components/schemas/Security_Osquery_API_PageSizeOrUndefined'
sort:
$ref: '#/components/schemas/Security_Osquery_API_SortOrUndefined'
sortOrder:
$ref: '#/components/schemas/Security_Osquery_API_SortOrderOrUndefined'
Security_Osquery_API_Id:
type: string
properties: {}
Security_Osquery_API_FindSavedQueryDetailResponse:
example:
data:
attributes:
created_at: '2022-07-26T09:28:08.597Z'
created_by: elastic
description: Saved query description
ecs_mapping:
host.uptime:
field: total_seconds
id: saved_query_id
interval: '60'
platform: linux,darwin
prebuilt: false
query: select * from uptime;
updated_at: '2022-07-26T09:28:08.597Z'
updated_by: elastic
version: 2.8.0
coreMigrationVersion: 8.4.0
id: 3c42c847-eb30-4452-80e0-728584042334
namespaces:
- default
references: []
type: osquery-saved-query
updated_at: '2022-07-26T09:28:08.600Z'
version: WzQzMTcsMV0=
type: object
properties: {}
Security_Osquery_API_FindSavedQueryResponse:
example:
data:
- attributes:
created_at: '2022-07-26T09:28:08.597Z'
created_by: elastic
description: Saved query description
ecs_mapping:
host.uptime:
field: total_seconds
id: saved_query_id
interval: '60'
platform: linux,darwin
prebuilt: false
query: select * from uptime;
updated_at: '2022-07-26T09:28:08.597Z'
updated_by: elastic
version: 2.8.0
id: 42ba9c50-0cc5-11ed-aa1d-2b27890bc90d
namespaces:
- default
type: osquery-saved-query
page: 1
per_page: 100
total: 11
type: object
properties: {}
Security_Osquery_API_GetLiveQueryResultsResponse:
description: The response for getting live query results.
example:
data:
edges:
- {}
- {}
total: 2
type: object
properties: {}
Security_Osquery_API_Interval:
description: An interval, in seconds, on which to run the query.
example: '60'
type: string
Security_Osquery_API_IntervalOrUndefined:
$ref: '#/components/schemas/Security_Osquery_API_Interval'
nullable: true
Security_Osquery_API_KueryOrUndefined:
description: The kuery to filter the results by.
example: 'agent.id: 16d7caf5-efd2-4212-9b62-73dafc91fa13'
nullable: true
type: string
Security_Osquery_API_ObjectQueries:
additionalProperties:
$ref: '#/components/schemas/Security_Osquery_API_ObjectQueriesItem'
description: An object of queries.
type: object
Security_Osquery_API_ObjectQueriesItem:
type: object
@ -54242,7 +54556,7 @@ components:
ecs_mapping:
$ref: '#/components/schemas/Security_Osquery_API_ECSMappingOrUndefined'
id:
$ref: '#/components/schemas/Security_Osquery_API_Id'
$ref: '#/components/schemas/Security_Osquery_API_QueryId'
platform:
$ref: '#/components/schemas/Security_Osquery_API_PlatformOrUndefined'
query:
@ -54255,25 +54569,45 @@ components:
$ref: '#/components/schemas/Security_Osquery_API_SnapshotOrUndefined'
version:
$ref: '#/components/schemas/Security_Osquery_API_VersionOrUndefined'
Security_Osquery_API_PackDescription:
description: The pack description.
example: Pack description
type: string
Security_Osquery_API_PackDescriptionOrUndefined:
$ref: '#/components/schemas/Security_Osquery_API_PackDescription'
nullable: true
Security_Osquery_API_PackId:
description: The ID of the pack you want to run, retrieve, update, or delete.
example: 3c42c847-eb30-4452-80e0-728584042334
type: string
Security_Osquery_API_PackIdOrUndefined:
$ref: '#/components/schemas/Security_Osquery_API_PackId'
nullable: true
Security_Osquery_API_PackName:
description: The pack name.
type: string
Security_Osquery_API_PageOrUndefined:
description: The page number to return. The default is 1.
example: 1
nullable: true
type: integer
Security_Osquery_API_PageSizeOrUndefined:
description: The number of results to return per page. The default is 20.
example: 20
nullable: true
type: integer
Security_Osquery_API_Platform:
description: Restricts the query to a specified platform. The default is all platforms. To specify multiple platforms, use commas. For example, `linux,darwin`.
example: linux,darwin
type: string
Security_Osquery_API_PlatformOrUndefined:
$ref: '#/components/schemas/Security_Osquery_API_Platform'
nullable: true
Security_Osquery_API_PolicyIds:
description: A list of agents policy IDs.
example:
- policyId1
- policyId2
items:
type: string
type: array
@ -54281,16 +54615,33 @@ components:
$ref: '#/components/schemas/Security_Osquery_API_PolicyIds'
nullable: true
Security_Osquery_API_Query:
description: The SQL query you want to run.
example: select * from uptime;
type: string
Security_Osquery_API_QueryId:
description: The ID of the query.
example: 3c42c847-eb30-4452-80e0-728584042334
type: string
Security_Osquery_API_QueryOrUndefined:
$ref: '#/components/schemas/Security_Osquery_API_Query'
nullable: true
Security_Osquery_API_Removed:
description: Indicates whether the query is removed.
example: false
type: boolean
Security_Osquery_API_RemovedOrUndefined:
$ref: '#/components/schemas/Security_Osquery_API_Removed'
nullable: true
Security_Osquery_API_SavedQueryDescription:
description: The saved query description.
example: Saved query description
type: string
Security_Osquery_API_SavedQueryDescriptionOrUndefined:
$ref: '#/components/schemas/Security_Osquery_API_SavedQueryDescription'
nullable: true
Security_Osquery_API_SavedQueryId:
description: The ID of a saved query.
example: 3c42c847-eb30-4452-80e0-728584042334
type: string
Security_Osquery_API_SavedQueryIdOrUndefined:
$ref: '#/components/schemas/Security_Osquery_API_SavedQueryId'
@ -54298,42 +54649,82 @@ components:
Security_Osquery_API_Shards:
additionalProperties:
type: number
description: An object with shard configuration for policies included in the pack. For each policy, set the shard configuration to a percentage (1100) of target hosts.
example:
policy_id: 50
type: object
Security_Osquery_API_Snapshot:
description: Indicates whether the query is a snapshot.
example: true
type: boolean
Security_Osquery_API_SnapshotOrUndefined:
$ref: '#/components/schemas/Security_Osquery_API_Snapshot'
nullable: true
Security_Osquery_API_SortOrderOrUndefined:
oneOf:
- nullable: true
type: string
- enum:
- asc
- desc
description: Specifies the sort order.
enum:
- asc
- desc
example: desc
type: string
Security_Osquery_API_SortOrUndefined:
default: createdAt
description: The field that is used to sort the results.
example: createdAt
nullable: true
type: string
Security_Osquery_API_UpdatePacksRequestBody:
example:
name: updated_my_pack_name
type: object
properties:
description:
$ref: '#/components/schemas/Security_Osquery_API_DescriptionOrUndefined'
$ref: '#/components/schemas/Security_Osquery_API_PackDescriptionOrUndefined'
enabled:
$ref: '#/components/schemas/Security_Osquery_API_EnabledOrUndefined'
id:
$ref: '#/components/schemas/Security_Osquery_API_PackId'
name:
$ref: '#/components/schemas/Security_Osquery_API_PackName'
policy_ids:
$ref: '#/components/schemas/Security_Osquery_API_PolicyIdsOrUndefined'
queries:
$ref: '#/components/schemas/Security_Osquery_API_ObjectQueries'
shards:
$ref: '#/components/schemas/Security_Osquery_API_Shards'
Security_Osquery_API_UpdatePacksResponse:
example:
data:
created_at: '2025-02-26T13:37:30.452Z'
created_by: elastic
description: My pack
enabled: true
name: updated_my_pack_name
queries:
ports:
ecs_mapping:
client.port:
field: port
interval: 60
query: SELECT * FROM listening_ports;
removed: false
snapshot: true
timeout: 120
saved_object_id: 1c266590-381f-428c-878f-c80c1334f856
shards:
- key: 47638692-7c4c-4053-aa3e-7186f28df349
value: 35
- key: 5e267651-fe50-443e-8d3f-3bbc9171b618
value: 58
updated_at: '2025-02-26T13:40:16.297Z'
updated_by: elastic
type: object
properties: {}
Security_Osquery_API_UpdateSavedQueryRequestBody:
example:
id: updated_my_saved_query_name
type: object
properties:
description:
$ref: '#/components/schemas/Security_Osquery_API_DescriptionOrUndefined'
$ref: '#/components/schemas/Security_Osquery_API_SavedQueryDescriptionOrUndefined'
ecs_mapping:
$ref: '#/components/schemas/Security_Osquery_API_ECSMappingOrUndefined'
id:
@ -54341,7 +54732,7 @@ components:
interval:
$ref: '#/components/schemas/Security_Osquery_API_IntervalOrUndefined'
platform:
$ref: '#/components/schemas/Security_Osquery_API_DescriptionOrUndefined'
$ref: '#/components/schemas/Security_Osquery_API_PlatformOrUndefined'
query:
$ref: '#/components/schemas/Security_Osquery_API_QueryOrUndefined'
removed:
@ -54350,7 +54741,14 @@ components:
$ref: '#/components/schemas/Security_Osquery_API_SnapshotOrUndefined'
version:
$ref: '#/components/schemas/Security_Osquery_API_VersionOrUndefined'
Security_Osquery_API_UpdateSavedQueryResponse:
example:
data: {}
type: object
properties: {}
Security_Osquery_API_Version:
description: Uses the Osquery versions greater than or equal to the specified version string.
example: 1.0.0
type: string
Security_Osquery_API_VersionOrUndefined:
$ref: '#/components/schemas/Security_Osquery_API_Version'
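Review bot: The rewritten `Security_Osquery_API_SortOrderOrUndefined` schema appears to drop `nullable: true` while every sibling `*OrUndefined` schema touched here (`SortOrUndefined`, `PageOrUndefined`, `PageSizeOrUndefined`, `KueryOrUndefined`) keeps it, so `sortOrder` becomes the one optional query parameter whose schema does not admit an absent/null value; if the enum form is intended, add `nullable: true` next to `example: desc` so the schema matches its name and the `required: false` parameters that reference it. In the `Security_Osquery_API_Shards` description, `a percentage (1100)` reads as a single number rather than a range and is probably a dropped dash for `(1-100)`. The `Security_Osquery_API_FindPacksResponse` example renders `queries` and `ecs_mapping` as YAML lists (`- ecs_mapping:`, `- host.uptime:`), whereas the `ObjectQueries` and `ECSMapping` schemas in the same hunk define both as keyed objects, so the example and the schema disagree. If this file is a bundled output of the per-domain source schemas, these fixes belong in the source files rather than here.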


@ -39314,16 +39314,36 @@ paths:
operationId: OsqueryFindLiveQueries
parameters:
- in: query
name: query
required: true
name: kuery
required: false
schema:
$ref: '#/components/schemas/Security_Osquery_API_FindLiveQueryRequestQuery'
$ref: '#/components/schemas/Security_Osquery_API_KueryOrUndefined'
- in: query
name: page
required: false
schema:
$ref: '#/components/schemas/Security_Osquery_API_PageOrUndefined'
- in: query
name: pageSize
required: false
schema:
$ref: '#/components/schemas/Security_Osquery_API_PageSizeOrUndefined'
- in: query
name: sort
required: false
schema:
$ref: '#/components/schemas/Security_Osquery_API_SortOrUndefined'
- in: query
name: sortOrder
required: false
schema:
$ref: '#/components/schemas/Security_Osquery_API_SortOrderOrUndefined'
responses:
'200':
content:
application/json:
schema:
$ref: '#/components/schemas/Security_Osquery_API_DefaultSuccessResponse'
$ref: '#/components/schemas/Security_Osquery_API_FindLiveQueryResponse'
description: OK
summary: Get live queries
tags:
@ -39342,7 +39362,7 @@ paths:
content:
application/json:
schema:
$ref: '#/components/schemas/Security_Osquery_API_DefaultSuccessResponse'
$ref: '#/components/schemas/Security_Osquery_API_CreateLiveQueryResponse'
description: OK
summary: Create a live query
tags:
@ -39356,18 +39376,15 @@ paths:
name: id
required: true
schema:
$ref: '#/components/schemas/Security_Osquery_API_Id'
- in: query
name: query
schema:
additionalProperties: true
type: object
description: The ID of the live query result you want to retrieve.
example: 3c42c847-eb30-4452-80e0-728584042334
type: string
responses:
'200':
content:
application/json:
schema:
$ref: '#/components/schemas/Security_Osquery_API_DefaultSuccessResponse'
$ref: '#/components/schemas/Security_Osquery_API_FindLiveQueryDetailsResponse'
description: OK
summary: Get live query details
tags:
@ -39381,23 +39398,47 @@ paths:
name: id
required: true
schema:
$ref: '#/components/schemas/Security_Osquery_API_Id'
description: The ID of the live query result you want to retrieve.
example: 3c42c847-eb30-4452-80e0-728584042334
type: string
- in: path
name: actionId
required: true
schema:
$ref: '#/components/schemas/Security_Osquery_API_Id'
description: The ID of the query action that generated the live query results.
example: 609c4c66-ba3d-43fa-afdd-53e244577aa0
type: string
- in: query
name: query
required: true
name: kuery
required: false
schema:
$ref: '#/components/schemas/Security_Osquery_API_GetLiveQueryResultsRequestQuery'
$ref: '#/components/schemas/Security_Osquery_API_KueryOrUndefined'
- in: query
name: page
required: false
schema:
$ref: '#/components/schemas/Security_Osquery_API_PageOrUndefined'
- in: query
name: pageSize
required: false
schema:
$ref: '#/components/schemas/Security_Osquery_API_PageSizeOrUndefined'
- in: query
name: sort
required: false
schema:
$ref: '#/components/schemas/Security_Osquery_API_SortOrUndefined'
- in: query
name: sortOrder
required: false
schema:
$ref: '#/components/schemas/Security_Osquery_API_SortOrderOrUndefined'
responses:
'200':
content:
application/json:
schema:
$ref: '#/components/schemas/Security_Osquery_API_DefaultSuccessResponse'
$ref: '#/components/schemas/Security_Osquery_API_GetLiveQueryResultsResponse'
description: OK
summary: Get live query results
tags:
@ -39408,16 +39449,31 @@ paths:
operationId: OsqueryFindPacks
parameters:
- in: query
name: query
required: true
name: page
required: false
schema:
$ref: '#/components/schemas/Security_Osquery_API_FindPacksRequestQuery'
$ref: '#/components/schemas/Security_Osquery_API_PageOrUndefined'
- in: query
name: pageSize
required: false
schema:
$ref: '#/components/schemas/Security_Osquery_API_PageSizeOrUndefined'
- in: query
name: sort
required: false
schema:
$ref: '#/components/schemas/Security_Osquery_API_SortOrUndefined'
- in: query
name: sortOrder
required: false
schema:
$ref: '#/components/schemas/Security_Osquery_API_SortOrderOrUndefined'
responses:
'200':
content:
application/json:
schema:
$ref: '#/components/schemas/Security_Osquery_API_DefaultSuccessResponse'
$ref: '#/components/schemas/Security_Osquery_API_FindPacksResponse'
description: OK
summary: Get packs
tags:
@ -39436,7 +39492,7 @@ paths:
content:
application/json:
schema:
$ref: '#/components/schemas/Security_Osquery_API_DefaultSuccessResponse'
$ref: '#/components/schemas/Security_Osquery_API_CreatePacksResponse'
description: OK
summary: Create a pack
tags:
@ -39456,7 +39512,9 @@ paths:
content:
application/json:
schema:
$ref: '#/components/schemas/Security_Osquery_API_DefaultSuccessResponse'
example: {}
type: object
properties: {}
description: OK
summary: Delete a pack
tags:
@ -39475,7 +39533,7 @@ paths:
content:
application/json:
schema:
$ref: '#/components/schemas/Security_Osquery_API_DefaultSuccessResponse'
$ref: '#/components/schemas/Security_Osquery_API_FindPackResponse'
description: OK
summary: Get pack details
tags:
@ -39503,7 +39561,7 @@ paths:
content:
application/json:
schema:
$ref: '#/components/schemas/Security_Osquery_API_DefaultSuccessResponse'
$ref: '#/components/schemas/Security_Osquery_API_UpdatePacksResponse'
description: OK
summary: Update a pack
tags:
@ -39514,16 +39572,31 @@ paths:
operationId: OsqueryFindSavedQueries
parameters:
- in: query
name: query
required: true
name: page
required: false
schema:
$ref: '#/components/schemas/Security_Osquery_API_FindSavedQueryRequestQuery'
$ref: '#/components/schemas/Security_Osquery_API_PageOrUndefined'
- in: query
name: pageSize
required: false
schema:
$ref: '#/components/schemas/Security_Osquery_API_PageSizeOrUndefined'
- in: query
name: sort
required: false
schema:
$ref: '#/components/schemas/Security_Osquery_API_SortOrUndefined'
- in: query
name: sortOrder
required: false
schema:
$ref: '#/components/schemas/Security_Osquery_API_SortOrderOrUndefined'
responses:
'200':
content:
application/json:
schema:
$ref: '#/components/schemas/Security_Osquery_API_DefaultSuccessResponse'
$ref: '#/components/schemas/Security_Osquery_API_FindSavedQueryResponse'
description: OK
summary: Get saved queries
tags:
@ -39542,7 +39615,7 @@ paths:
content:
application/json:
schema:
$ref: '#/components/schemas/Security_Osquery_API_DefaultSuccessResponse'
$ref: '#/components/schemas/Security_Osquery_API_CreateSavedQueryResponse'
description: OK
summary: Create a saved query
tags:
@ -39581,7 +39654,7 @@ paths:
content:
application/json:
schema:
$ref: '#/components/schemas/Security_Osquery_API_DefaultSuccessResponse'
$ref: '#/components/schemas/Security_Osquery_API_FindSavedQueryDetailResponse'
description: OK
summary: Get saved query details
tags:
@ -39609,7 +39682,7 @@ paths:
content:
application/json:
schema:
$ref: '#/components/schemas/Security_Osquery_API_DefaultSuccessResponse'
$ref: '#/components/schemas/Security_Osquery_API_UpdateSavedQueryResponse'
description: OK
summary: Update a saved query
tags:
@ -60812,6 +60885,7 @@ components:
- status_code
- message
Security_Osquery_API_ArrayQueries:
description: An array of queries to run.
items:
$ref: '#/components/schemas/Security_Osquery_API_ArrayQueriesItem'
type: array
@ -60821,7 +60895,7 @@ components:
ecs_mapping:
$ref: '#/components/schemas/Security_Osquery_API_ECSMappingOrUndefined'
id:
$ref: '#/components/schemas/Security_Osquery_API_Id'
$ref: '#/components/schemas/Security_Osquery_API_QueryId'
platform:
$ref: '#/components/schemas/Security_Osquery_API_PlatformOrUndefined'
query:
@ -60833,37 +60907,51 @@ components:
version:
$ref: '#/components/schemas/Security_Osquery_API_VersionOrUndefined'
Security_Osquery_API_CreateLiveQueryRequestBody:
example:
agent_all: true
ecs_mapping:
host.uptime:
field: total_seconds
query: select * from uptime;
type: object
properties:
agent_all:
description: When `true`, the query runs on all agents.
type: boolean
agent_ids:
description: A list of agent IDs to run the query on.
items:
type: string
type: array
agent_platforms:
description: A list of agent platforms to run the query on.
items:
type: string
type: array
agent_policy_ids:
description: A list of agent policy IDs to run the query on.
items:
type: string
type: array
alert_ids:
description: A list of alert IDs associated with the live query.
items:
type: string
type: array
case_ids:
description: A list of case IDs associated with the live query.
items:
type: string
type: array
ecs_mapping:
$ref: '#/components/schemas/Security_Osquery_API_ECSMappingOrUndefined'
event_ids:
description: A list of event IDs associated with the live query.
items:
type: string
type: array
metadata:
description: Custom metadata object associated with the live query.
nullable: true
type: object
pack_id:
@ -60874,11 +60962,64 @@ components:
$ref: '#/components/schemas/Security_Osquery_API_QueryOrUndefined'
saved_query_id:
$ref: '#/components/schemas/Security_Osquery_API_SavedQueryIdOrUndefined'
Security_Osquery_API_CreateLiveQueryResponse:
example:
data:
'@timestamp': '2022-07-26T09:59:32.220Z'
action_id: 3c42c847-eb30-4452-80e0-728584042334
agent_all: true
agent_ids: []
agent_platforms: []
agent_policy_ids: []
agents:
- 16d7caf5-efd2-4212-9b62-73dafc91fa13
expiration: '2022-07-26T10:04:32.220Z'
input_type: osquery
metadata:
execution_context:
name: osquery
url: /app/osquery/live_queries/new
queries:
- action_id: 609c4c66-ba3d-43fa-afdd-53e244577aa0
agents:
- 16d7caf5-efd2-4212-9b62-73dafc91fa13
ecs_mapping:
host.uptime:
field: total_seconds
id: 6724a474-cbba-41ef-a1aa-66aebf0879e2
query: select * from uptime;
timeout: 120
type: INPUT_ACTION
user_id: elastic
type: object
properties: {}
Security_Osquery_API_CreatePacksRequestBody:
example:
description: My pack
enabled: true
name: my_pack
policy_ids:
- my_policy_id
- fleet-server-policy
queries:
my_query:
ecs_mapping:
client.port:
field: port
tags:
value:
- tag1
- tag2
interval: 60
query: SELECT * FROM listening_ports;
timeout: 120
shards:
fleet-server-policy: 58
my_policy_id: 35
type: object
properties:
description:
$ref: '#/components/schemas/Security_Osquery_API_DescriptionOrUndefined'
$ref: '#/components/schemas/Security_Osquery_API_PackDescriptionOrUndefined'
enabled:
$ref: '#/components/schemas/Security_Osquery_API_EnabledOrUndefined'
name:
@ -60889,11 +61030,50 @@ components:
$ref: '#/components/schemas/Security_Osquery_API_ObjectQueries'
shards:
$ref: '#/components/schemas/Security_Osquery_API_Shards'
Security_Osquery_API_CreatePacksResponse:
example:
data:
created_at: '2025-02-26T13:37:30.452Z'
created_by: elastic
description: My pack
enabled: true
name: my_pack
queries:
ports:
ecs_mapping:
client.port:
field: port
interval: 60
query: SELECT * FROM listening_ports;
removed: false
snapshot: true
timeout: 120
saved_object_id: 1c266590-381f-428c-878f-c80c1334f856
shards:
- key: 47638692-7c4c-4053-aa3e-7186f28df349
value: 35
- key: 5e267651-fe50-443e-8d3f-3bbc9171b618
value: 58
updated_at: '2025-02-26T13:37:30.452Z'
updated_by: elastic
type: object
properties: {}
Security_Osquery_API_CreateSavedQueryRequestBody:
example:
description: Saved query description
ecs_mapping:
host.uptime:
field: total_seconds
id: saved_query_id
interval: '60'
platform: linux,darwin
query: select * from uptime;
timeout: 120
version: 2.8.0
type: object
properties:
description:
$ref: '#/components/schemas/Security_Osquery_API_DescriptionOrUndefined'
$ref: '#/components/schemas/Security_Osquery_API_SavedQueryDescriptionOrUndefined'
ecs_mapping:
$ref: '#/components/schemas/Security_Osquery_API_ECSMappingOrUndefined'
id:
@ -60901,7 +61081,7 @@ components:
interval:
$ref: '#/components/schemas/Security_Osquery_API_Interval'
platform:
$ref: '#/components/schemas/Security_Osquery_API_DescriptionOrUndefined'
$ref: '#/components/schemas/Security_Osquery_API_PlatformOrUndefined'
query:
$ref: '#/components/schemas/Security_Osquery_API_QueryOrUndefined'
removed:
@ -60910,24 +61090,32 @@ components:
$ref: '#/components/schemas/Security_Osquery_API_SnapshotOrUndefined'
version:
$ref: '#/components/schemas/Security_Osquery_API_VersionOrUndefined'
Security_Osquery_API_CreateSavedQueryResponse:
example:
data: {}
type: object
properties: {}
Security_Osquery_API_DefaultSuccessResponse:
type: object
properties: {}
Security_Osquery_API_Description:
type: string
Security_Osquery_API_DescriptionOrUndefined:
$ref: '#/components/schemas/Security_Osquery_API_Description'
nullable: true
Security_Osquery_API_ECSMapping:
additionalProperties:
$ref: '#/components/schemas/Security_Osquery_API_ECSMappingItem'
description: Map osquery results columns or static values to Elastic Common Schema (ECS) fields
example:
host.uptime:
field: total_seconds
type: object
Security_Osquery_API_ECSMappingItem:
type: object
properties:
field:
description: The ECS field to map to.
example: host.uptime
type: string
value:
description: The value to map to the ECS field.
example: total_seconds
oneOf:
- type: string
- items:
@ -60937,71 +61125,197 @@ components:
$ref: '#/components/schemas/Security_Osquery_API_ECSMapping'
nullable: true
Security_Osquery_API_Enabled:
description: Enables the pack.
example: true
type: boolean
Security_Osquery_API_EnabledOrUndefined:
$ref: '#/components/schemas/Security_Osquery_API_Enabled'
nullable: true
Security_Osquery_API_FindLiveQueryRequestQuery:
Security_Osquery_API_FindLiveQueryDetailsResponse:
example:
data:
'@timestamp': '2022-07-26T09:59:32.220Z'
action_id: 3c42c847-eb30-4452-80e0-728584042334
agents:
- 16d7caf5-efd2-4212-9b62-73dafc91fa13
expiration: '2022-07-26T10:04:32.220Z'
queries:
- action_id: 609c4c66-ba3d-43fa-afdd-53e244577aa0
agents:
- 16d7caf5-efd2-4212-9b62-73dafc91fa13
docs: 0
ecs_mapping:
host.uptime:
field: total_seconds
failed: 1
id: 6724a474-cbba-41ef-a1aa-66aebf0879e2
pending: 0
query: select * from uptime;
responded: 1
saved_query_id: 42ba9c50-0cc5-11ed-aa1d-2b27890bc90d
status: completed
successful: 0
status: completed
user_id: elastic
type: object
properties:
kuery:
$ref: '#/components/schemas/Security_Osquery_API_KueryOrUndefined'
page:
$ref: '#/components/schemas/Security_Osquery_API_PageOrUndefined'
pageSize:
$ref: '#/components/schemas/Security_Osquery_API_PageSizeOrUndefined'
sort:
$ref: '#/components/schemas/Security_Osquery_API_SortOrUndefined'
sortOrder:
$ref: '#/components/schemas/Security_Osquery_API_SortOrderOrUndefined'
Security_Osquery_API_FindPacksRequestQuery:
properties: {}
Security_Osquery_API_FindLiveQueryResponse:
example:
data:
items:
- fields:
'@timestamp': '2023-10-31T00:00:00Z'
action_id: 3c42c847-eb30-4452-80e0-728584042334
agents:
- 16d7caf5-efd2-4212-9b62-73dafc91fa13
expiration: '2023-10-31T00:00:00Z'
queries:
- action_id: 609c4c66-ba3d-43fa-afdd-53e244577aa0
agents:
- 16d7caf5-efd2-4212-9b62-73dafc91fa13
ecs_mapping:
host.uptime:
field: total_seconds
id: 6724a474-cbba-41ef-a1aa-66aebf0879e2
query: select * from uptime;
saved_query_id: 42ba9c50-0cc5-11ed-aa1d-2b27890bc90d
user_id: elastic
type: object
properties:
page:
$ref: '#/components/schemas/Security_Osquery_API_PageOrUndefined'
pageSize:
$ref: '#/components/schemas/Security_Osquery_API_PageSizeOrUndefined'
sort:
$ref: '#/components/schemas/Security_Osquery_API_SortOrUndefined'
sortOrder:
$ref: '#/components/schemas/Security_Osquery_API_SortOrderOrUndefined'
Security_Osquery_API_FindSavedQueryRequestQuery:
properties: {}
Security_Osquery_API_FindPackResponse:
example:
data:
created_at: '2022-07-25T19:41:10.263Z'
created_by: elastic
description: ''
enabled: true
id: 3c42c847-eb30-4452-80e0-728584042334
name: test_pack
namespaces:
- default
policy_ids: []
queries:
uptime:
ecs_mapping:
message:
field: days
interval: 3600
query: select * from uptime
read_only: false
type: osquery-pack
updated_at: '2022-07-25T20:12:01.455Z'
updated_by: elastic
type: object
properties:
page:
$ref: '#/components/schemas/Security_Osquery_API_PageOrUndefined'
pageSize:
$ref: '#/components/schemas/Security_Osquery_API_PageSizeOrUndefined'
sort:
$ref: '#/components/schemas/Security_Osquery_API_SortOrUndefined'
sortOrder:
$ref: '#/components/schemas/Security_Osquery_API_SortOrderOrUndefined'
Security_Osquery_API_GetLiveQueryResultsRequestQuery:
properties: {}
Security_Osquery_API_FindPacksResponse:
example:
data:
- attributes:
created_at: '2023-10-31T00:00:00Z'
created_by: elastic
description: My pack description
enabled: true
name: My Pack
queries:
- ecs_mapping:
- host.uptime:
field: total_seconds
id: uptime
interval: '3600'
query: select * from uptime;
updated_at: '2023-10-31T00:00:00Z'
updated_by: elastic
id: 42ba9c50-0cc5-11ed-aa1d-2b27890bc90d
namespaces:
- default
type: osquery-pack
page: 1
pageSize: 10
policy_ids: []
total: 1
type: object
properties:
kuery:
$ref: '#/components/schemas/Security_Osquery_API_KueryOrUndefined'
page:
$ref: '#/components/schemas/Security_Osquery_API_PageOrUndefined'
pageSize:
$ref: '#/components/schemas/Security_Osquery_API_PageSizeOrUndefined'
sort:
$ref: '#/components/schemas/Security_Osquery_API_SortOrUndefined'
sortOrder:
$ref: '#/components/schemas/Security_Osquery_API_SortOrderOrUndefined'
Security_Osquery_API_Id:
type: string
properties: {}
Security_Osquery_API_FindSavedQueryDetailResponse:
example:
data:
attributes:
created_at: '2022-07-26T09:28:08.597Z'
created_by: elastic
description: Saved query description
ecs_mapping:
host.uptime:
field: total_seconds
id: saved_query_id
interval: '60'
platform: linux,darwin
prebuilt: false
query: select * from uptime;
updated_at: '2022-07-26T09:28:08.597Z'
updated_by: elastic
version: 2.8.0
coreMigrationVersion: 8.4.0
id: 3c42c847-eb30-4452-80e0-728584042334
namespaces:
- default
references: []
type: osquery-saved-query
updated_at: '2022-07-26T09:28:08.600Z'
version: WzQzMTcsMV0=
type: object
properties: {}
Security_Osquery_API_FindSavedQueryResponse:
example:
data:
- attributes:
created_at: '2022-07-26T09:28:08.597Z'
created_by: elastic
description: Saved query description
ecs_mapping:
host.uptime:
field: total_seconds
id: saved_query_id
interval: '60'
platform: linux,darwin
prebuilt: false
query: select * from uptime;
updated_at: '2022-07-26T09:28:08.597Z'
updated_by: elastic
version: 2.8.0
id: 42ba9c50-0cc5-11ed-aa1d-2b27890bc90d
namespaces:
- default
type: osquery-saved-query
page: 1
per_page: 100
total: 11
type: object
properties: {}
Security_Osquery_API_GetLiveQueryResultsResponse:
description: The response for getting live query results.
example:
data:
edges:
- {}
- {}
total: 2
type: object
properties: {}
Security_Osquery_API_Interval:
description: An interval, in seconds, on which to run the query.
example: '60'
type: string
Security_Osquery_API_IntervalOrUndefined:
$ref: '#/components/schemas/Security_Osquery_API_Interval'
nullable: true
Security_Osquery_API_KueryOrUndefined:
description: The kuery to filter the results by.
example: 'agent.id: 16d7caf5-efd2-4212-9b62-73dafc91fa13'
nullable: true
type: string
Security_Osquery_API_ObjectQueries:
additionalProperties:
$ref: '#/components/schemas/Security_Osquery_API_ObjectQueriesItem'
description: An object of queries.
type: object
Security_Osquery_API_ObjectQueriesItem:
type: object
@ -61009,7 +61323,7 @@ components:
ecs_mapping:
$ref: '#/components/schemas/Security_Osquery_API_ECSMappingOrUndefined'
id:
$ref: '#/components/schemas/Security_Osquery_API_Id'
$ref: '#/components/schemas/Security_Osquery_API_QueryId'
platform:
$ref: '#/components/schemas/Security_Osquery_API_PlatformOrUndefined'
query:
@ -61022,25 +61336,45 @@ components:
$ref: '#/components/schemas/Security_Osquery_API_SnapshotOrUndefined'
version:
$ref: '#/components/schemas/Security_Osquery_API_VersionOrUndefined'
Security_Osquery_API_PackDescription:
description: The pack description.
example: Pack description
type: string
Security_Osquery_API_PackDescriptionOrUndefined:
$ref: '#/components/schemas/Security_Osquery_API_PackDescription'
nullable: true
Security_Osquery_API_PackId:
description: The ID of the pack you want to run, retrieve, update, or delete.
example: 3c42c847-eb30-4452-80e0-728584042334
type: string
Security_Osquery_API_PackIdOrUndefined:
$ref: '#/components/schemas/Security_Osquery_API_PackId'
nullable: true
Security_Osquery_API_PackName:
description: The pack name.
type: string
Security_Osquery_API_PageOrUndefined:
description: The page number to return. The default is 1.
example: 1
nullable: true
type: integer
Security_Osquery_API_PageSizeOrUndefined:
description: The number of results to return per page. The default is 20.
example: 20
nullable: true
type: integer
Security_Osquery_API_Platform:
description: Restricts the query to a specified platform. The default is all platforms. To specify multiple platforms, use commas. For example, `linux,darwin`.
example: linux,darwin
type: string
Security_Osquery_API_PlatformOrUndefined:
$ref: '#/components/schemas/Security_Osquery_API_Platform'
nullable: true
Security_Osquery_API_PolicyIds:
description: A list of agents policy IDs.
example:
- policyId1
- policyId2
items:
type: string
type: array
@ -61048,16 +61382,33 @@ components:
$ref: '#/components/schemas/Security_Osquery_API_PolicyIds'
nullable: true
Security_Osquery_API_Query:
description: The SQL query you want to run.
example: select * from uptime;
type: string
Security_Osquery_API_QueryId:
description: The ID of the query.
example: 3c42c847-eb30-4452-80e0-728584042334
type: string
Security_Osquery_API_QueryOrUndefined:
$ref: '#/components/schemas/Security_Osquery_API_Query'
nullable: true
Security_Osquery_API_Removed:
description: Indicates whether the query is removed.
example: false
type: boolean
Security_Osquery_API_RemovedOrUndefined:
$ref: '#/components/schemas/Security_Osquery_API_Removed'
nullable: true
Security_Osquery_API_SavedQueryDescription:
description: The saved query description.
example: Saved query description
type: string
Security_Osquery_API_SavedQueryDescriptionOrUndefined:
$ref: '#/components/schemas/Security_Osquery_API_SavedQueryDescription'
nullable: true
Security_Osquery_API_SavedQueryId:
description: The ID of a saved query.
example: 3c42c847-eb30-4452-80e0-728584042334
type: string
Security_Osquery_API_SavedQueryIdOrUndefined:
$ref: '#/components/schemas/Security_Osquery_API_SavedQueryId'
@ -61065,42 +61416,82 @@ components:
Security_Osquery_API_Shards:
additionalProperties:
type: number
description: An object with shard configuration for policies included in the pack. For each policy, set the shard configuration to a percentage (1100) of target hosts.
example:
policy_id: 50
type: object
Security_Osquery_API_Snapshot:
description: Indicates whether the query is a snapshot.
example: true
type: boolean
Security_Osquery_API_SnapshotOrUndefined:
$ref: '#/components/schemas/Security_Osquery_API_Snapshot'
nullable: true
Security_Osquery_API_SortOrderOrUndefined:
oneOf:
- nullable: true
type: string
- enum:
- asc
- desc
description: Specifies the sort order.
enum:
- asc
- desc
example: desc
type: string
Security_Osquery_API_SortOrUndefined:
default: createdAt
description: The field that is used to sort the results.
example: createdAt
nullable: true
type: string
Security_Osquery_API_UpdatePacksRequestBody:
example:
name: updated_my_pack_name
type: object
properties:
description:
$ref: '#/components/schemas/Security_Osquery_API_DescriptionOrUndefined'
$ref: '#/components/schemas/Security_Osquery_API_PackDescriptionOrUndefined'
enabled:
$ref: '#/components/schemas/Security_Osquery_API_EnabledOrUndefined'
id:
$ref: '#/components/schemas/Security_Osquery_API_PackId'
name:
$ref: '#/components/schemas/Security_Osquery_API_PackName'
policy_ids:
$ref: '#/components/schemas/Security_Osquery_API_PolicyIdsOrUndefined'
queries:
$ref: '#/components/schemas/Security_Osquery_API_ObjectQueries'
shards:
$ref: '#/components/schemas/Security_Osquery_API_Shards'
Security_Osquery_API_UpdatePacksResponse:
example:
data:
created_at: '2025-02-26T13:37:30.452Z'
created_by: elastic
description: My pack
enabled: true
name: updated_my_pack_name
queries:
ports:
ecs_mapping:
client.port:
field: port
interval: 60
query: SELECT * FROM listening_ports;
removed: false
snapshot: true
timeout: 120
saved_object_id: 1c266590-381f-428c-878f-c80c1334f856
shards:
- key: 47638692-7c4c-4053-aa3e-7186f28df349
value: 35
- key: 5e267651-fe50-443e-8d3f-3bbc9171b618
value: 58
updated_at: '2025-02-26T13:40:16.297Z'
updated_by: elastic
type: object
properties: {}
Security_Osquery_API_UpdateSavedQueryRequestBody:
example:
id: updated_my_saved_query_name
type: object
properties:
description:
$ref: '#/components/schemas/Security_Osquery_API_DescriptionOrUndefined'
$ref: '#/components/schemas/Security_Osquery_API_SavedQueryDescriptionOrUndefined'
ecs_mapping:
$ref: '#/components/schemas/Security_Osquery_API_ECSMappingOrUndefined'
id:
@ -61108,7 +61499,7 @@ components:
interval:
$ref: '#/components/schemas/Security_Osquery_API_IntervalOrUndefined'
platform:
$ref: '#/components/schemas/Security_Osquery_API_DescriptionOrUndefined'
$ref: '#/components/schemas/Security_Osquery_API_PlatformOrUndefined'
query:
$ref: '#/components/schemas/Security_Osquery_API_QueryOrUndefined'
removed:
@ -61117,7 +61508,14 @@ components:
$ref: '#/components/schemas/Security_Osquery_API_SnapshotOrUndefined'
version:
$ref: '#/components/schemas/Security_Osquery_API_VersionOrUndefined'
Security_Osquery_API_UpdateSavedQueryResponse:
example:
data: {}
type: object
properties: {}
Security_Osquery_API_Version:
description: Uses the Osquery versions greater than or equal to the specified version string.
example: 1.0.0
type: string
Security_Osquery_API_VersionOrUndefined:
$ref: '#/components/schemas/Security_Osquery_API_Version'


@ -16,11 +16,9 @@
import { z } from '@kbn/zod';
import { Id } from '../model/schema/common_attributes.gen';
export type GetAgentDetailsRequestParams = z.infer<typeof GetAgentDetailsRequestParams>;
export const GetAgentDetailsRequestParams = z.object({
id: Id,
id: z.string(),
});
export type GetAgentDetailsRequestParamsInput = z.input<typeof GetAgentDetailsRequestParams>;
@ -35,7 +33,7 @@ export const GetAgentPoliciesResponse = z.object({});
export type GetAgentPolicyRequestParams = z.infer<typeof GetAgentPolicyRequestParams>;
export const GetAgentPolicyRequestParams = z.object({
id: Id,
id: z.string(),
});
export type GetAgentPolicyRequestParamsInput = z.input<typeof GetAgentPolicyRequestParams>;


@ -37,7 +37,7 @@ paths:
in: path
required: true
schema:
$ref: '../model/schema/common_attributes.schema.yaml#/components/schemas/Id'
type: string
responses:
'200':
description: OK
@ -75,7 +75,7 @@ paths:
in: path
required: true
schema:
$ref: '../model/schema/common_attributes.schema.yaml#/components/schemas/Id'
type: string
responses:
'200':
description: OK
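Review bot: The path parameter at the `schema:` line now carries only `type: string`, so dropping the shared `Id` reference leaves the parameter with no description at all; unlike `PackId`, `SavedQueryId` and `QueryId`, which gained `description` and `example` entries elsewhere in this PR, this `id` will render in the published OpenAPI docs with no explanation of what it identifies. Judging by `GetAgentDetailsRequestParams` and `GetAgentPolicyRequestParams` in the preceding generated file, the two occurrences in this section are presumably an agent ID and an agent policy ID. Consider adding a line such as `description: The ID of the agent.` beside `type: string` at both places, and the same for the `policyId` query parameter in the later section that makes the identical `$ref` to `type: string` switch.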


@ -16,7 +16,7 @@
import { z } from '@kbn/zod';
import { KueryOrUndefined, Id } from '../model/schema/common_attributes.gen';
import { KueryOrUndefined } from '../model/schema/common_attributes.gen';
export type GetAgentStatusRequestParams = z.infer<typeof GetAgentStatusRequestParams>;
export const GetAgentStatusRequestParams = z.object({});
@ -24,5 +24,5 @@ export const GetAgentStatusRequestParams = z.object({});
export type GetAgentStatusRequestQueryParams = z.infer<typeof GetAgentStatusRequestQueryParams>;
export const GetAgentStatusRequestQueryParams = z.object({
kuery: KueryOrUndefined.optional(),
policyId: Id.optional(),
policyId: z.string().optional(),
});


@ -13,4 +13,4 @@ components:
kuery:
$ref: '../model/schema/common_attributes.schema.yaml#/components/schemas/KueryOrUndefined'
policyId:
$ref: '../model/schema/common_attributes.schema.yaml#/components/schemas/Id'
type: string


@ -26,17 +26,44 @@ import {
export type CreateLiveQueryRequestBody = z.infer<typeof CreateLiveQueryRequestBody>;
export const CreateLiveQueryRequestBody = z.object({
/**
* A list of agent IDs to run the query on.
*/
agent_ids: z.array(z.string()).optional(),
/**
* When `true`, the query runs on all agents.
*/
agent_all: z.boolean().optional(),
/**
* A list of agent platforms to run the query on.
*/
agent_platforms: z.array(z.string()).optional(),
/**
* A list of agent policy IDs to run the query on.
*/
agent_policy_ids: z.array(z.string()).optional(),
query: QueryOrUndefined.optional(),
queries: ArrayQueries.optional(),
saved_query_id: SavedQueryIdOrUndefined.optional(),
ecs_mapping: ECSMappingOrUndefined.optional(),
pack_id: PackIdOrUndefined.optional(),
/**
* A list of alert IDs associated with the live query.
*/
alert_ids: z.array(z.string()).optional(),
/**
* A list of case IDs associated with the live query.
*/
case_ids: z.array(z.string()).optional(),
/**
* A list of event IDs associated with the live query.
*/
event_ids: z.array(z.string()).optional(),
/**
* Custom metadata object associated with the live query.
*/
metadata: z.object({}).nullable().optional(),
});
export type CreateLiveQueryResponse = z.infer<typeof CreateLiveQueryResponse>;
export const CreateLiveQueryResponse = z.object({});
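Review bot: The new comment above `metadata` describes a "Custom metadata object", but the schema it annotates, `metadata: z.object({}).nullable().optional()`, is an empty Zod object, and stock Zod strips every unrecognized key on parse; if this schema is what validates the request body, a caller's metadata presumably reaches the handler as `{}`, which is not what the comment now promises. The `metadata` line itself appears to be unchanged context, so the behaviour likely predates the PR, but the added wording documents a contract the validator does not provide. Since this file is generated, the fix belongs in the schema YAML section that follows (the one declaring `CreateLiveQueryRequestBody`), where `metadata` has `type: object` and `nullable: true` but no `additionalProperties`; adding `additionalProperties: true` there should make the generator emit a passthrough object or record, which is worth confirming against the codegen.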


@ -7,18 +7,28 @@ components:
schemas:
CreateLiveQueryRequestBody:
type: object
example:
query: 'select * from uptime;'
agent_all: true
ecs_mapping:
host.uptime:
field: 'total_seconds'
properties:
agent_ids:
description: 'A list of agent IDs to run the query on.'
type: array
items:
type: string
agent_all:
description: 'When `true`, the query runs on all agents.'
type: boolean
agent_platforms:
description: 'A list of agent platforms to run the query on.'
type: array
items:
type: string
agent_policy_ids:
description: 'A list of agent policy IDs to run the query on.'
type: array
items:
type: string
@ -33,17 +43,54 @@ components:
pack_id:
$ref: '../model/schema/common_attributes.schema.yaml#/components/schemas/PackIdOrUndefined'
alert_ids:
description: 'A list of alert IDs associated with the live query.'
type: array
items:
type: string
case_ids:
description: 'A list of case IDs associated with the live query.'
type: array
items:
type: string
event_ids:
description: 'A list of event IDs associated with the live query.'
type: array
items:
type: string
metadata:
description: 'Custom metadata object associated with the live query.'
type: object
nullable: true
CreateLiveQueryResponse:
type: object
properties: { }
example:
data:
action_id: '3c42c847-eb30-4452-80e0-728584042334'
'@timestamp': '2022-07-26T09:59:32.220Z'
expiration: '2022-07-26T10:04:32.220Z'
type: 'INPUT_ACTION'
input_type: 'osquery'
agent_ids: [ ]
agent_all: true
agent_platforms: [ ]
agent_policy_ids: [ ]
agents:
- '16d7caf5-efd2-4212-9b62-73dafc91fa13'
user_id: 'elastic'
metadata:
execution_context:
name: 'osquery'
url: '/app/osquery/live_queries/new'
queries:
- action_id: '609c4c66-ba3d-43fa-afdd-53e244577aa0'
id: '6724a474-cbba-41ef-a1aa-66aebf0879e2'
query: 'select * from uptime;'
timeout: 120
ecs_mapping:
host.uptime:
field: 'total_seconds'
agents:
- '16d7caf5-efd2-4212-9b62-73dafc91fa13'
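Review bot: `CreateLiveQueryResponse` keeps `properties: { }` while gaining a thirty-line `example`, so nothing ties the example to the schema: the generated `CreateLiveQueryResponse` type stays `{}`, the example is never validated, and the two can drift silently as the live-query payload changes. The same pattern is introduced for `FindLiveQueryResponse` and `FindLiveQueryDetailsResponse` and for `GetLiveQueryResultsResponse` in the later schema sections of this commit. Given the PR's migration-only scope a full schema may be out of reach, but a marker next to each empty `properties` would keep the gap visible, e.g. `# TODO: describe the response shape; the example is documentation only and is not validated against properties`.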


@ -16,19 +16,8 @@
import { z } from '@kbn/zod';
import {
KueryOrUndefined,
PageOrUndefined,
PageSizeOrUndefined,
SortOrUndefined,
SortOrderOrUndefined,
} from '../model/schema/common_attributes.gen';
export type FindLiveQueryResponse = z.infer<typeof FindLiveQueryResponse>;
export const FindLiveQueryResponse = z.object({});
export type FindLiveQueryRequestQuery = z.infer<typeof FindLiveQueryRequestQuery>;
export const FindLiveQueryRequestQuery = z.object({
kuery: KueryOrUndefined.optional(),
page: PageOrUndefined.optional(),
pageSize: PageSizeOrUndefined.optional(),
sort: SortOrUndefined.optional(),
sortOrder: SortOrderOrUndefined.optional(),
});
export type FindLiveQueryDetailsResponse = z.infer<typeof FindLiveQueryDetailsResponse>;
export const FindLiveQueryDetailsResponse = z.object({});


@ -5,16 +5,51 @@ info:
paths: { }
components:
schemas:
FindLiveQueryRequestQuery:
FindLiveQueryResponse:
example:
data:
items:
- fields:
action_id: '3c42c847-eb30-4452-80e0-728584042334'
expiration: '2023-10-31T00:00:00Z'
"@timestamp": '2023-10-31T00:00:00Z'
agents: [ '16d7caf5-efd2-4212-9b62-73dafc91fa13' ]
user_id: 'elastic'
queries:
- action_id: "609c4c66-ba3d-43fa-afdd-53e244577aa0"
id: "6724a474-cbba-41ef-a1aa-66aebf0879e2"
query: "select * from uptime;"
saved_query_id: "42ba9c50-0cc5-11ed-aa1d-2b27890bc90d"
ecs_mapping:
host.uptime:
field: "total_seconds"
agents: [ "16d7caf5-efd2-4212-9b62-73dafc91fa13" ]
type: object
properties:
kuery:
$ref: '../model/schema/common_attributes.schema.yaml#/components/schemas/KueryOrUndefined'
page:
$ref: '../model/schema/common_attributes.schema.yaml#/components/schemas/PageOrUndefined'
pageSize:
$ref: '../model/schema/common_attributes.schema.yaml#/components/schemas/PageSizeOrUndefined'
sort:
$ref: '../model/schema/common_attributes.schema.yaml#/components/schemas/SortOrUndefined'
sortOrder:
$ref: '../model/schema/common_attributes.schema.yaml#/components/schemas/SortOrderOrUndefined'
properties: { }
FindLiveQueryDetailsResponse:
example:
data:
action_id: "3c42c847-eb30-4452-80e0-728584042334"
expiration: "2022-07-26T10:04:32.220Z"
"@timestamp": "2022-07-26T09:59:32.220Z"
agents: [ "16d7caf5-efd2-4212-9b62-73dafc91fa13" ]
user_id: "elastic"
queries:
- action_id: "609c4c66-ba3d-43fa-afdd-53e244577aa0"
id: "6724a474-cbba-41ef-a1aa-66aebf0879e2"
query: "select * from uptime;"
saved_query_id: "42ba9c50-0cc5-11ed-aa1d-2b27890bc90d"
ecs_mapping:
host.uptime:
field: "total_seconds"
agents:
- "16d7caf5-efd2-4212-9b62-73dafc91fa13"
docs: 0 # results count
failed: 1 # failed queries
pending: 0 # pending agents
responded: 1 # total responded agents
successful: 0 # successful agents
status: "completed" # single query status
status: "completed" # global status of the live query (completed, pending)
type: object
properties: { }
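Review bot: The trailing `#` comments in the `FindLiveQueryDetailsResponse` example (`# results count`, `# failed queries`, `# pending agents`, `# total responded agents`, `# successful agents` and the two `status` notes) are YAML comments, so the bundler drops them and the published OpenAPI output carries the example values without their meaning; the bundled file earlier in this commit already shows `docs`, `failed`, `pending`, `responded`, `successful` and both `status` keys with the comments stripped. The two `status` keys sit at different nesting levels (per-query and top-level), which is exactly what the comments were explaining and what readers of the bundled output will now have to infer. If these meanings are worth keeping, they belong in `description:` entries on declared properties rather than in the example.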


@ -16,19 +16,8 @@
import { z } from '@kbn/zod';
import {
KueryOrUndefined,
PageOrUndefined,
PageSizeOrUndefined,
SortOrUndefined,
SortOrderOrUndefined,
} from '../model/schema/common_attributes.gen';
export type GetLiveQueryResultsRequestQuery = z.infer<typeof GetLiveQueryResultsRequestQuery>;
export const GetLiveQueryResultsRequestQuery = z.object({
kuery: KueryOrUndefined.optional(),
page: PageOrUndefined.optional(),
pageSize: PageSizeOrUndefined.optional(),
sort: SortOrUndefined.optional(),
sortOrder: SortOrderOrUndefined.optional(),
});
/**
* The response for getting live query results.
*/
export type GetLiveQueryResultsResponse = z.infer<typeof GetLiveQueryResultsResponse>;
export const GetLiveQueryResultsResponse = z.object({});


@ -5,16 +5,11 @@ info:
paths: {}
components:
schemas:
GetLiveQueryResultsRequestQuery:
GetLiveQueryResultsResponse:
type: object
properties:
kuery:
$ref: '../model/schema/common_attributes.schema.yaml#/components/schemas/KueryOrUndefined'
page:
$ref: '../model/schema/common_attributes.schema.yaml#/components/schemas/PageOrUndefined'
pageSize:
$ref: '../model/schema/common_attributes.schema.yaml#/components/schemas/PageSizeOrUndefined'
sort:
$ref: '../model/schema/common_attributes.schema.yaml#/components/schemas/SortOrUndefined'
sortOrder:
$ref: '../model/schema/common_attributes.schema.yaml#/components/schemas/SortOrderOrUndefined'
description: 'The response for getting live query results.'
properties: { }
example:
data:
total: 2
edges: [{}, {}]


@ -16,10 +16,16 @@
import { z } from '@kbn/zod';
import { FindLiveQueryRequestQuery } from './find_live_query.gen';
import { DefaultSuccessResponse, Id } from '../model/schema/common_attributes.gen';
import { CreateLiveQueryRequestBody } from './create_live_query.gen';
import { GetLiveQueryResultsRequestQuery } from './get_live_query_results.gen';
import {
KueryOrUndefined,
PageOrUndefined,
PageSizeOrUndefined,
SortOrUndefined,
SortOrderOrUndefined,
} from '../model/schema/common_attributes.gen';
import { FindLiveQueryResponse, FindLiveQueryDetailsResponse } from './find_live_query.gen';
import { CreateLiveQueryRequestBody, CreateLiveQueryResponse } from './create_live_query.gen';
import { GetLiveQueryResultsResponse } from './get_live_query_results.gen';
export type OsqueryCreateLiveQueryRequestBody = z.infer<typeof OsqueryCreateLiveQueryRequestBody>;
export const OsqueryCreateLiveQueryRequestBody = CreateLiveQueryRequestBody;
@ -28,44 +34,43 @@ export type OsqueryCreateLiveQueryRequestBodyInput = z.input<
>;
export type OsqueryCreateLiveQueryResponse = z.infer<typeof OsqueryCreateLiveQueryResponse>;
export const OsqueryCreateLiveQueryResponse = DefaultSuccessResponse;
export const OsqueryCreateLiveQueryResponse = CreateLiveQueryResponse;
export type OsqueryFindLiveQueriesRequestQuery = z.infer<typeof OsqueryFindLiveQueriesRequestQuery>;
export const OsqueryFindLiveQueriesRequestQuery = z.object({
query: FindLiveQueryRequestQuery,
kuery: KueryOrUndefined.optional(),
page: PageOrUndefined.optional(),
pageSize: PageSizeOrUndefined.optional(),
sort: SortOrUndefined.optional(),
sortOrder: SortOrderOrUndefined.optional(),
});
export type OsqueryFindLiveQueriesRequestQueryInput = z.input<
typeof OsqueryFindLiveQueriesRequestQuery
>;
export type OsqueryFindLiveQueriesResponse = z.infer<typeof OsqueryFindLiveQueriesResponse>;
export const OsqueryFindLiveQueriesResponse = DefaultSuccessResponse;
export type OsqueryGetLiveQueryDetailsRequestQuery = z.infer<
typeof OsqueryGetLiveQueryDetailsRequestQuery
>;
export const OsqueryGetLiveQueryDetailsRequestQuery = z.object({
query: z.object({}),
});
export type OsqueryGetLiveQueryDetailsRequestQueryInput = z.input<
typeof OsqueryGetLiveQueryDetailsRequestQuery
>;
export const OsqueryFindLiveQueriesResponse = FindLiveQueryResponse;
export type OsqueryGetLiveQueryDetailsRequestParams = z.infer<
typeof OsqueryGetLiveQueryDetailsRequestParams
>;
export const OsqueryGetLiveQueryDetailsRequestParams = z.object({
id: Id,
id: z.string(),
});
export type OsqueryGetLiveQueryDetailsRequestParamsInput = z.input<
typeof OsqueryGetLiveQueryDetailsRequestParams
>;
export type OsqueryGetLiveQueryDetailsResponse = z.infer<typeof OsqueryGetLiveQueryDetailsResponse>;
export const OsqueryGetLiveQueryDetailsResponse = DefaultSuccessResponse;
export const OsqueryGetLiveQueryDetailsResponse = FindLiveQueryDetailsResponse;
export type OsqueryGetLiveQueryResultsRequestQuery = z.infer<
typeof OsqueryGetLiveQueryResultsRequestQuery
>;
export const OsqueryGetLiveQueryResultsRequestQuery = z.object({
query: GetLiveQueryResultsRequestQuery,
kuery: KueryOrUndefined.optional(),
page: PageOrUndefined.optional(),
pageSize: PageSizeOrUndefined.optional(),
sort: SortOrUndefined.optional(),
sortOrder: SortOrderOrUndefined.optional(),
});
export type OsqueryGetLiveQueryResultsRequestQueryInput = z.input<
typeof OsqueryGetLiveQueryResultsRequestQuery
@ -75,12 +80,12 @@ export type OsqueryGetLiveQueryResultsRequestParams = z.infer<
typeof OsqueryGetLiveQueryResultsRequestParams
>;
export const OsqueryGetLiveQueryResultsRequestParams = z.object({
id: Id,
actionId: Id,
id: z.string(),
actionId: z.string(),
});
export type OsqueryGetLiveQueryResultsRequestParamsInput = z.input<
typeof OsqueryGetLiveQueryResultsRequestParams
>;
export type OsqueryGetLiveQueryResultsResponse = z.infer<typeof OsqueryGetLiveQueryResultsResponse>;
export const OsqueryGetLiveQueryResultsResponse = DefaultSuccessResponse;
export const OsqueryGetLiveQueryResultsResponse = GetLiveQueryResultsResponse;


@ -11,18 +11,38 @@ paths:
x-codegen-enabled: true
x-labels: [serverless, ess]
parameters:
- name: query
- name: kuery
in: query
required: true
required: false
schema:
$ref: './find_live_query.schema.yaml#/components/schemas/FindLiveQueryRequestQuery'
$ref: '../model/schema/common_attributes.schema.yaml#/components/schemas/KueryOrUndefined'
- name: page
in: query
required: false
schema:
$ref: '../model/schema/common_attributes.schema.yaml#/components/schemas/PageOrUndefined'
- name: pageSize
in: query
required: false
schema:
$ref: '../model/schema/common_attributes.schema.yaml#/components/schemas/PageSizeOrUndefined'
- name: sort
in: query
required: false
schema:
$ref: '../model/schema/common_attributes.schema.yaml#/components/schemas/SortOrUndefined'
- name: sortOrder
in: query
required: false
schema:
$ref: '../model/schema/common_attributes.schema.yaml#/components/schemas/SortOrderOrUndefined'
responses:
'200':
description: OK
content:
application/json:
schema:
$ref: '../model/schema/common_attributes.schema.yaml#/components/schemas/DefaultSuccessResponse'
$ref: './find_live_query.schema.yaml#/components/schemas/FindLiveQueryResponse'
post:
summary: Create a live query
@ -42,7 +62,7 @@ paths:
content:
application/json:
schema:
$ref: '../model/schema/common_attributes.schema.yaml#/components/schemas/DefaultSuccessResponse'
$ref: './create_live_query.schema.yaml#/components/schemas/CreateLiveQueryResponse'
/api/osquery/live_queries/{id}:
get:
@ -56,19 +76,16 @@ paths:
in: path
required: true
schema:
$ref: '../model/schema/common_attributes.schema.yaml#/components/schemas/Id'
- name: query
in: query
schema:
type: object
additionalProperties: true
description: 'The ID of the live query result you want to retrieve.'
type: string
example: '3c42c847-eb30-4452-80e0-728584042334'
responses:
'200':
description: OK
content:
application/json:
schema:
$ref: '../model/schema/common_attributes.schema.yaml#/components/schemas/DefaultSuccessResponse'
$ref: './find_live_query.schema.yaml#/components/schemas/FindLiveQueryDetailsResponse'
/api/osquery/live_queries/{id}/results/{actionId}:
get:
@ -82,21 +99,45 @@ paths:
in: path
required: true
schema:
$ref: '../model/schema/common_attributes.schema.yaml#/components/schemas/Id'
example: '3c42c847-eb30-4452-80e0-728584042334'
description: 'The ID of the live query result you want to retrieve.'
type: string
- name: actionId
in: path
required: true
schema:
$ref: '../model/schema/common_attributes.schema.yaml#/components/schemas/Id'
- name: query
example: '609c4c66-ba3d-43fa-afdd-53e244577aa0'
description: 'The ID of the query action that generated the live query results.'
type: string
- name: kuery
in: query
required: true
required: false
schema:
$ref: './get_live_query_results.schema.yaml#/components/schemas/GetLiveQueryResultsRequestQuery'
$ref: '../model/schema/common_attributes.schema.yaml#/components/schemas/KueryOrUndefined'
- name: page
in: query
required: false
schema:
$ref: '../model/schema/common_attributes.schema.yaml#/components/schemas/PageOrUndefined'
- name: pageSize
in: query
required: false
schema:
$ref: '../model/schema/common_attributes.schema.yaml#/components/schemas/PageSizeOrUndefined'
- name: sort
in: query
required: false
schema:
$ref: '../model/schema/common_attributes.schema.yaml#/components/schemas/SortOrUndefined'
- name: sortOrder
in: query
required: false
schema:
$ref: '../model/schema/common_attributes.schema.yaml#/components/schemas/SortOrderOrUndefined'
responses:
'200':
description: OK
content:
application/json:
schema:
$ref: '../model/schema/common_attributes.schema.yaml#/components/schemas/DefaultSuccessResponse'
$ref: './get_live_query_results.schema.yaml#/components/schemas/GetLiveQueryResultsResponse'
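Review bot: The `id` path parameter of `/api/osquery/live_queries/{id}` reuses the text `'The ID of the live query result you want to retrieve.'`, but that endpoint returns the live query details while results live under `/{id}/results/{actionId}`; `'The ID of the live query you want to retrieve.'` would keep the two endpoints distinguishable in the generated docs. The indentation of `description`, `type` and `example` for the two inline `id`/`actionId` parameters is not visible in this view, so confirm `description` and `example` sit on the parameter object and only `type` under `schema`. The `kuery` parameter now documents a free-form filter string with no note on the expected syntax; a short addition such as `'A KQL expression used to filter the results.'` tells clients what the handler will parse.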


@ -16,119 +16,150 @@
import { z } from '@kbn/zod';
export type Id = z.infer<typeof Id>;
export const Id = z.string();
/**
* The ID of the query.
*/
export type QueryId = z.infer<typeof QueryId>;
export const QueryId = z.string();
export type IdOrUndefined = z.infer<typeof IdOrUndefined>;
export const IdOrUndefined = Id.nullable();
/**
* The pack description.
*/
export type PackDescription = z.infer<typeof PackDescription>;
export const PackDescription = z.string();
export type AgentSelection = z.infer<typeof AgentSelection>;
export const AgentSelection = z.object({
agents: z.array(z.string()).optional(),
allAgentsSelected: z.boolean().optional(),
platformsSelected: z.array(z.string()).optional(),
policiesSelected: z.array(z.string()).optional(),
});
export type AgentSelectionOrUndefined = z.infer<typeof AgentSelectionOrUndefined>;
export const AgentSelectionOrUndefined = AgentSelection.nullable();
export type Description = z.infer<typeof Description>;
export const Description = z.string();
export type DescriptionOrUndefined = z.infer<typeof DescriptionOrUndefined>;
export const DescriptionOrUndefined = Description.nullable();
export type PackDescriptionOrUndefined = z.infer<typeof PackDescriptionOrUndefined>;
export const PackDescriptionOrUndefined = PackDescription.nullable();
/**
* Restricts the query to a specified platform. The default is all platforms. To specify multiple platforms, use commas. For example, `linux,darwin`.
*/
export type Platform = z.infer<typeof Platform>;
export const Platform = z.string();
export type PlatformOrUndefined = z.infer<typeof PlatformOrUndefined>;
export const PlatformOrUndefined = Platform.nullable();
/**
* The SQL query you want to run.
*/
export type Query = z.infer<typeof Query>;
export const Query = z.string();
export type QueryOrUndefined = z.infer<typeof QueryOrUndefined>;
export const QueryOrUndefined = Query.nullable();
/**
* Uses the Osquery versions greater than or equal to the specified version string.
*/
export type Version = z.infer<typeof Version>;
export const Version = z.string();
export type VersionOrUndefined = z.infer<typeof VersionOrUndefined>;
export const VersionOrUndefined = Version.nullable();
/**
* An interval, in seconds, on which to run the query.
*/
export type Interval = z.infer<typeof Interval>;
export const Interval = z.string();
export type IntervalOrUndefined = z.infer<typeof IntervalOrUndefined>;
export const IntervalOrUndefined = Interval.nullable();
/**
* Indicates whether the query is a snapshot.
*/
export type Snapshot = z.infer<typeof Snapshot>;
export const Snapshot = z.boolean();
export type SnapshotOrUndefined = z.infer<typeof SnapshotOrUndefined>;
export const SnapshotOrUndefined = Snapshot.nullable();
/**
* Indicates whether the query is removed.
*/
export type Removed = z.infer<typeof Removed>;
export const Removed = z.boolean();
export type RemovedOrUndefined = z.infer<typeof RemovedOrUndefined>;
export const RemovedOrUndefined = Removed.nullable();
/**
* The pack name.
*/
export type PackName = z.infer<typeof PackName>;
export const PackName = z.string();
/**
* The ID of a saved query.
*/
export type SavedQueryId = z.infer<typeof SavedQueryId>;
export const SavedQueryId = z.string();
export type SavedQueryIdOrUndefined = z.infer<typeof SavedQueryIdOrUndefined>;
export const SavedQueryIdOrUndefined = SavedQueryId.nullable();
/**
* The saved query description.
*/
export type SavedQueryDescription = z.infer<typeof SavedQueryDescription>;
export const SavedQueryDescription = z.string();
export type SavedQueryDescriptionOrUndefined = z.infer<typeof SavedQueryDescriptionOrUndefined>;
export const SavedQueryDescriptionOrUndefined = SavedQueryDescription.nullable();
/**
* The ID of the pack you want to run, retrieve, update, or delete.
*/
export type PackId = z.infer<typeof PackId>;
export const PackId = z.string();
export type PackIdOrUndefined = z.infer<typeof PackIdOrUndefined>;
export const PackIdOrUndefined = PackId.nullable();
/**
* Enables the pack.
*/
export type Enabled = z.infer<typeof Enabled>;
export const Enabled = z.boolean();
export type EnabledOrUndefined = z.infer<typeof EnabledOrUndefined>;
export const EnabledOrUndefined = Enabled.nullable();
/**
* A list of agents policy IDs.
*/
export type PolicyIds = z.infer<typeof PolicyIds>;
export const PolicyIds = z.array(z.string());
export type PolicyIdsOrUndefined = z.infer<typeof PolicyIdsOrUndefined>;
export const PolicyIdsOrUndefined = PolicyIds.nullable();
export type ExecutionContext = z.infer<typeof ExecutionContext>;
export const ExecutionContext = z.object({
name: z.string().nullable().optional(),
url: z.string().nullable().optional(),
});
export type ExecutionContextOrUndefined = z.infer<typeof ExecutionContextOrUndefined>;
export const ExecutionContextOrUndefined = ExecutionContext.nullable();
export type ECSMappingItem = z.infer<typeof ECSMappingItem>;
export const ECSMappingItem = z.object({
/**
* The ECS field to map to.
*/
field: z.string().optional(),
/**
* The value to map to the ECS field.
*/
value: z.union([z.string(), z.array(z.string())]).optional(),
});
/**
* Map osquery results columns or static values to Elastic Common Schema (ECS) fields
*/
export type ECSMapping = z.infer<typeof ECSMapping>;
export const ECSMapping = z.object({}).catchall(ECSMappingItem);
export type ECSMappingOrUndefined = z.infer<typeof ECSMappingOrUndefined>;
export const ECSMappingOrUndefined = ECSMapping.nullable();
export type StringArrayOrUndefined = z.infer<typeof StringArrayOrUndefined>;
export const StringArrayOrUndefined = z.array(z.string().nullable());
export type ArrayQueriesItem = z.infer<typeof ArrayQueriesItem>;
export const ArrayQueriesItem = z.object({
id: Id.optional(),
id: QueryId.optional(),
query: Query.optional(),
ecs_mapping: ECSMappingOrUndefined.optional(),
version: VersionOrUndefined.optional(),
@ -137,13 +168,16 @@ export const ArrayQueriesItem = z.object({
snapshot: SnapshotOrUndefined.optional(),
});
/**
* An array of queries to run.
*/
export type ArrayQueries = z.infer<typeof ArrayQueries>;
export const ArrayQueries = z.array(ArrayQueriesItem);
export type ObjectQueriesItem = z.infer<typeof ObjectQueriesItem>;
export const ObjectQueriesItem = z.object({
query: Query.optional(),
id: Id.optional(),
id: QueryId.optional(),
ecs_mapping: ECSMappingOrUndefined.optional(),
version: VersionOrUndefined.optional(),
platform: PlatformOrUndefined.optional(),
@ -152,6 +186,9 @@ export const ObjectQueriesItem = z.object({
snapshot: SnapshotOrUndefined.optional(),
});
/**
* An object of queries.
*/
export type ObjectQueries = z.infer<typeof ObjectQueries>;
export const ObjectQueries = z.object({}).catchall(ObjectQueriesItem);
@ -161,21 +198,41 @@ export const Queries = z.union([ArrayQueries, ObjectQueries]);
export type QueriesOrUndefined = z.infer<typeof QueriesOrUndefined>;
export const QueriesOrUndefined = Queries.nullable();
/**
* The kuery to filter the results by.
*/
export type KueryOrUndefined = z.infer<typeof KueryOrUndefined>;
export const KueryOrUndefined = z.string().nullable();
/**
* The page number to return. The default is 1.
*/
export type PageOrUndefined = z.infer<typeof PageOrUndefined>;
export const PageOrUndefined = z.number().int().nullable();
/**
* The number of results to return per page. The default is 20.
*/
export type PageSizeOrUndefined = z.infer<typeof PageSizeOrUndefined>;
export const PageSizeOrUndefined = z.number().int().nullable();
/**
* The field that is used to sort the results.
*/
export type SortOrUndefined = z.infer<typeof SortOrUndefined>;
export const SortOrUndefined = z.string().nullable();
export const SortOrUndefined = z.string().nullable().default('createdAt');
/**
* Specifies the sort order.
*/
export type SortOrderOrUndefined = z.infer<typeof SortOrderOrUndefined>;
export const SortOrderOrUndefined = z.union([z.string().nullable(), z.unknown()]);
export const SortOrderOrUndefined = z.enum(['asc', 'desc']);
export type SortOrderOrUndefinedEnum = typeof SortOrderOrUndefined.enum;
export const SortOrderOrUndefinedEnum = SortOrderOrUndefined.enum;
/**
* An object with shard configuration for policies included in the pack. For each policy, set the shard configuration to a percentage (1100) of target hosts.
*/
export type Shards = z.infer<typeof Shards>;
export const Shards = z.object({}).catchall(z.number());
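Review bot: The `.default('createdAt')` added to `SortOrUndefined` does not take effect where the generated request-query objects wrap the schema as `sort: SortOrUndefined.optional()` (the live-queries, live-query-results and find-packs query objects in this commit), because zod's optional wrapper returns `undefined` before the inner default is applied; either the handler must apply the fallback itself or the generator should emit the default without the outer `.optional()`. `SortOrderOrUndefined` is now `z.enum(['asc', 'desc'])` with no nullable branch, so the name no longer describes the type and any client sending `sortOrder` as null or in another casing fails validation — worth confirming this tightening is intended and noting it in the description. The `Shards` doc comment reads `(1100)`, which looks like a lost en dash in `(1–100)`; the same text appears in the YAML `Shards` description in this commit.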


@ -5,44 +5,24 @@ info:
paths: { }
components:
schemas:
Id:
type: string
IdOrUndefined:
$ref: '#/components/schemas/Id'
nullable: true
AgentSelection:
type: object
properties:
agents:
type: array
items:
type: string
allAgentsSelected:
type: boolean
platformsSelected:
type: array
items:
type: string
policiesSelected:
type: array
items:
type: string
AgentSelectionOrUndefined:
$ref: '#/components/schemas/AgentSelection'
nullable: true
Description:
QueryId:
description: 'The ID of the query.'
example: '3c42c847-eb30-4452-80e0-728584042334'
type: string
DescriptionOrUndefined:
$ref: '#/components/schemas/Description'
PackDescription:
description: 'The pack description.'
example: 'Pack description'
type: string
PackDescriptionOrUndefined:
$ref: '#/components/schemas/PackDescription'
nullable: true
Platform:
description: 'Restricts the query to a specified platform. The default is all platforms. To specify multiple platforms, use commas. For example, `linux,darwin`.'
example: 'linux,darwin'
type: string
PlatformOrUndefined:
@ -51,6 +31,8 @@ components:
Query:
description: 'The SQL query you want to run.'
example: 'select * from uptime;'
type: string
QueryOrUndefined:
@ -58,6 +40,8 @@ components:
nullable: true
Version:
description: 'Uses the Osquery versions greater than or equal to the specified version string.'
example: '1.0.0'
type: string
VersionOrUndefined:
@ -65,6 +49,8 @@ components:
nullable: true
Interval:
description: 'An interval, in seconds, on which to run the query.'
example: '60'
type: string
IntervalOrUndefined:
@ -72,6 +58,8 @@ components:
nullable: true
Snapshot:
description: 'Indicates whether the query is a snapshot.'
example: true
type: boolean
SnapshotOrUndefined:
@ -79,6 +67,8 @@ components:
nullable: true
Removed:
description: 'Indicates whether the query is removed.'
example: false
type: boolean
RemovedOrUndefined:
@ -86,17 +76,31 @@ components:
nullable: true
PackName:
description: 'The pack name.'
type: string
SavedQueryId:
description: 'The ID of a saved query.'
example: '3c42c847-eb30-4452-80e0-728584042334'
type: string
SavedQueryIdOrUndefined:
$ref: '#/components/schemas/SavedQueryId'
nullable: true
SavedQueryDescription:
description: 'The saved query description.'
example: 'Saved query description'
type: string
SavedQueryDescriptionOrUndefined:
$ref: '#/components/schemas/SavedQueryDescription'
nullable: true
PackId:
description: 'The ID of the pack you want to run, retrieve, update, or delete.'
example: '3c42c847-eb30-4452-80e0-728584042334'
type: string
PackIdOrUndefined:
@ -104,6 +108,8 @@ components:
nullable: true
Enabled:
description: 'Enables the pack.'
example: true
type: boolean
EnabledOrUndefined:
@ -111,6 +117,10 @@ components:
nullable: true
PolicyIds:
description: 'A list of agents policy IDs.'
example:
- "policyId1"
- "policyId2"
type: array
items:
type: string
@ -119,28 +129,16 @@ components:
$ref: '#/components/schemas/PolicyIds'
nullable: true
ExecutionContext:
type: object
properties:
name:
type: string
nullable: true
url:
type: string
nullable: true
ExecutionContextOrUndefined:
$ref: '#/components/schemas/ExecutionContext'
nullable: true
ECSMappingItem:
type: object
properties:
field:
description: 'The ECS field to map to.'
example: 'host.uptime'
type: string
value:
description: 'The value to map to the ECS field.'
example: 'total_seconds'
oneOf:
- type: string
- type: array
@ -148,6 +146,10 @@ components:
type: string
ECSMapping:
description: 'Map osquery results columns or static values to Elastic Common Schema (ECS) fields'
example:
host.uptime:
field: 'total_seconds'
type: object
additionalProperties:
$ref: '#/components/schemas/ECSMappingItem'
@ -156,19 +158,11 @@ components:
$ref: '#/components/schemas/ECSMapping'
nullable: true
StringArrayOrUndefined:
type: array
items:
type: string
nullable: true
ArrayQueriesItem:
type: object
properties:
id:
$ref: '#/components/schemas/Id'
$ref: '#/components/schemas/QueryId'
query:
$ref: '#/components/schemas/Query'
ecs_mapping:
@ -184,6 +178,7 @@ components:
ArrayQueries:
type: array
description: 'An array of queries to run.'
items:
$ref: '#/components/schemas/ArrayQueriesItem'
@ -193,7 +188,7 @@ components:
query:
$ref: '#/components/schemas/Query'
id:
$ref: '#/components/schemas/Id'
$ref: '#/components/schemas/QueryId'
ecs_mapping:
$ref: '#/components/schemas/ECSMappingOrUndefined'
version:
@ -209,6 +204,7 @@ components:
ObjectQueries:
type: object
description: 'An object of queries.'
additionalProperties:
$ref: '#/components/schemas/ObjectQueriesItem'
@ -223,29 +219,42 @@ components:
nullable: true
KueryOrUndefined:
description: 'The kuery to filter the results by.'
example: 'agent.id: 16d7caf5-efd2-4212-9b62-73dafc91fa13'
type: string
nullable: true
PageOrUndefined:
description: 'The page number to return. The default is 1.'
example: 1
type: integer
nullable: true
PageSizeOrUndefined:
description: 'The number of results to return per page. The default is 20.'
example: 20
type: integer
nullable: true
SortOrUndefined:
description: 'The field that is used to sort the results.'
example: 'createdAt'
default: createdAt
type: string
nullable: true
SortOrderOrUndefined:
oneOf:
- type: string
nullable: true
- enum: [ asc, desc ]
description: 'Specifies the sort order.'
example: 'desc'
enum:
- asc
- desc
type: string
Shards:
description: 'An object with shard configuration for policies included in the pack. For each policy, set the shard configuration to a percentage (1100) of target hosts.'
example:
policy_id: 50
type: object
additionalProperties:
type: number
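Review bot: `PageOrUndefined` and `PageSizeOrUndefined` state their defaults only in prose (`The default is 1`, `The default is 20`) while `SortOrUndefined` declares `default: createdAt`, so generated clients see a default for one parameter and not the others; declare all three the same way, keeping in mind that a `default:` here is emitted into the generated zod schema. `SortOrUndefined` combines `default: createdAt` with `nullable: true`, which still lets a client send an explicit null that bypasses the default, so either say in the description what null means or drop `nullable` now that a default exists. `SortOrderOrUndefined` lost `nullable: true` but kept its name; if the handler falls back to a fixed order when the parameter is omitted, that fallback belongs in the description.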


@ -18,7 +18,7 @@ import { z } from '@kbn/zod';
import {
PackName,
DescriptionOrUndefined,
PackDescriptionOrUndefined,
EnabledOrUndefined,
PolicyIdsOrUndefined,
Shards,
@ -28,9 +28,12 @@ import {
export type CreatePacksRequestBody = z.infer<typeof CreatePacksRequestBody>;
export const CreatePacksRequestBody = z.object({
name: PackName.optional(),
description: DescriptionOrUndefined.optional(),
description: PackDescriptionOrUndefined.optional(),
enabled: EnabledOrUndefined.optional(),
policy_ids: PolicyIdsOrUndefined.optional(),
shards: Shards.optional(),
queries: ObjectQueries.optional(),
});
export type CreatePacksResponse = z.infer<typeof CreatePacksResponse>;
export const CreatePacksResponse = z.object({});


@ -7,11 +7,33 @@ components:
schemas:
CreatePacksRequestBody:
type: object
example:
name: "my_pack"
description: "My pack"
enabled: true
policy_ids:
- "my_policy_id"
- "fleet-server-policy"
shards:
my_policy_id: 35
fleet-server-policy: 58
queries:
my_query:
query: "SELECT * FROM listening_ports;"
interval: 60
timeout: 120
ecs_mapping:
client.port:
field: "port"
tags:
value:
- "tag1"
- "tag2"
properties:
name:
$ref: '../model/schema/common_attributes.schema.yaml#/components/schemas/PackName'
description:
$ref: '../model/schema/common_attributes.schema.yaml#/components/schemas/DescriptionOrUndefined'
$ref: '../model/schema/common_attributes.schema.yaml#/components/schemas/PackDescriptionOrUndefined'
enabled:
$ref: '../model/schema/common_attributes.schema.yaml#/components/schemas/EnabledOrUndefined'
policy_ids:
@ -21,3 +43,31 @@ components:
queries:
$ref: '../model/schema/common_attributes.schema.yaml#/components/schemas/ObjectQueries'
CreatePacksResponse:
type: object
properties: { }
example:
data:
name: my_pack
description: My pack
queries:
ports:
query: SELECT * FROM listening_ports;
interval: 60
snapshot: true
removed: false
timeout: 120
ecs_mapping:
client.port:
field: port
enabled: true
created_at: "2025-02-26T13:37:30.452Z"
created_by: elastic
updated_at: "2025-02-26T13:37:30.452Z"
updated_by: elastic
shards:
- key: 47638692-7c4c-4053-aa3e-7186f28df349
value: 35
- key: 5e267651-fe50-443e-8d3f-3bbc9171b618
value: 58
saved_object_id: 1c266590-381f-428c-878f-c80c1334f856
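Review bot: `CreatePacksResponse` declares `properties: { }` but its example documents `data.name`, `data.queries`, `data.shards` and `saved_object_id`, so the generated zod schema is an empty object and nothing validates the example against the real shape; the same pattern appears in `FindPacksResponse`, `FindPackResponse`, `UpdatePacksResponse`, the delete-pack response and `CreateSavedQueryResponse` in this commit. Declaring at least `data` as `type: object` with the fields the example shows would let the generated TS type carry them instead of `{}`. The request example also includes `timeout: 120` under a query; `timeout` is not among the `ObjectQueriesItem` properties visible in this diff, so verify it is a declared property before documenting it.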


@ -16,17 +16,8 @@
import { z } from '@kbn/zod';
import {
PageOrUndefined,
PageSizeOrUndefined,
SortOrUndefined,
SortOrderOrUndefined,
} from '../model/schema/common_attributes.gen';
export type FindPacksResponse = z.infer<typeof FindPacksResponse>;
export const FindPacksResponse = z.object({});
export type FindPacksRequestQuery = z.infer<typeof FindPacksRequestQuery>;
export const FindPacksRequestQuery = z.object({
page: PageOrUndefined.optional(),
pageSize: PageSizeOrUndefined.optional(),
sort: SortOrUndefined.optional(),
sortOrder: SortOrderOrUndefined.optional(),
});
export type FindPackResponse = z.infer<typeof FindPackResponse>;
export const FindPackResponse = z.object({});


@ -5,14 +5,57 @@ info:
paths: { }
components:
schemas:
FindPacksRequestQuery:
FindPacksResponse:
type: object
properties:
page:
$ref: '../model/schema/common_attributes.schema.yaml#/components/schemas/PageOrUndefined'
pageSize:
$ref: '../model/schema/common_attributes.schema.yaml#/components/schemas/PageSizeOrUndefined'
sort:
$ref: '../model/schema/common_attributes.schema.yaml#/components/schemas/SortOrUndefined'
sortOrder:
$ref: '../model/schema/common_attributes.schema.yaml#/components/schemas/SortOrderOrUndefined'
properties: { }
example:
page: 1
pageSize: 10
total: 1
data:
- type: 'osquery-pack'
id: '42ba9c50-0cc5-11ed-aa1d-2b27890bc90d'
namespaces:
- 'default'
attributes:
name: 'My Pack'
queries:
- query: 'select * from uptime;'
interval: '3600'
id: 'uptime'
ecs_mapping:
- host.uptime:
field: 'total_seconds'
enabled: true
created_at: '2023-10-31T00:00:00Z'
updated_at: '2023-10-31T00:00:00Z'
created_by: 'elastic'
updated_by: 'elastic'
description: 'My pack description'
policy_ids: []
FindPackResponse:
type: object
properties: { }
example:
data:
id: "3c42c847-eb30-4452-80e0-728584042334"
type: "osquery-pack"
namespaces:
- "default"
updated_at: "2022-07-25T20:12:01.455Z"
name: "test_pack"
queries:
uptime:
interval: 3600
query: "select * from uptime"
ecs_mapping:
message:
field: "days"
enabled: true
created_at: "2022-07-25T19:41:10.263Z"
created_by: "elastic"
updated_by: "elastic"
description: ""
policy_ids: [ ]
read_only: false # true for prebuilt packs
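Review bot: The `FindPacksResponse` example renders `ecs_mapping` as a list (`- host.uptime:`) while `ECSMapping` is defined as an object with `additionalProperties`, and `FindPackResponse` in the same file uses the map form (`message:` / `field: "days"`); the list entry should become `ecs_mapping:` / `host.uptime:` / `field: 'total_seconds'`. The two examples also disagree on `interval` (`'3600'` as a string versus `3600` as a number) although `Interval` is `type: string`, so the numeric form in `FindPackResponse` should be quoted. The trailing `# true for prebuilt packs` comment on `read_only` is a YAML comment and will not survive conversion to JSON, so the note belongs in a description rather than the example.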


@ -16,17 +16,23 @@
import { z } from '@kbn/zod';
import { FindPacksRequestQuery } from './find_packs.gen';
import { DefaultSuccessResponse, PackId } from '../model/schema/common_attributes.gen';
import { CreatePacksRequestBody } from './create_pack.gen';
import { UpdatePacksRequestBody } from './update_packs.gen';
import {
PageOrUndefined,
PageSizeOrUndefined,
SortOrUndefined,
SortOrderOrUndefined,
PackId,
} from '../model/schema/common_attributes.gen';
import { FindPacksResponse, FindPackResponse } from './find_packs.gen';
import { CreatePacksRequestBody, CreatePacksResponse } from './create_pack.gen';
import { UpdatePacksRequestBody, UpdatePacksResponse } from './update_packs.gen';
export type OsqueryCreatePacksRequestBody = z.infer<typeof OsqueryCreatePacksRequestBody>;
export const OsqueryCreatePacksRequestBody = CreatePacksRequestBody;
export type OsqueryCreatePacksRequestBodyInput = z.input<typeof OsqueryCreatePacksRequestBody>;
export type OsqueryCreatePacksResponse = z.infer<typeof OsqueryCreatePacksResponse>;
export const OsqueryCreatePacksResponse = DefaultSuccessResponse;
export const OsqueryCreatePacksResponse = CreatePacksResponse;
export type OsqueryDeletePacksRequestParams = z.infer<typeof OsqueryDeletePacksRequestParams>;
export const OsqueryDeletePacksRequestParams = z.object({
@ -35,15 +41,18 @@ export const OsqueryDeletePacksRequestParams = z.object({
export type OsqueryDeletePacksRequestParamsInput = z.input<typeof OsqueryDeletePacksRequestParams>;
export type OsqueryDeletePacksResponse = z.infer<typeof OsqueryDeletePacksResponse>;
export const OsqueryDeletePacksResponse = DefaultSuccessResponse;
export const OsqueryDeletePacksResponse = z.object({});
export type OsqueryFindPacksRequestQuery = z.infer<typeof OsqueryFindPacksRequestQuery>;
export const OsqueryFindPacksRequestQuery = z.object({
query: FindPacksRequestQuery,
page: PageOrUndefined.optional(),
pageSize: PageSizeOrUndefined.optional(),
sort: SortOrUndefined.optional(),
sortOrder: SortOrderOrUndefined.optional(),
});
export type OsqueryFindPacksRequestQueryInput = z.input<typeof OsqueryFindPacksRequestQuery>;
export type OsqueryFindPacksResponse = z.infer<typeof OsqueryFindPacksResponse>;
export const OsqueryFindPacksResponse = DefaultSuccessResponse;
export const OsqueryFindPacksResponse = FindPacksResponse;
export type OsqueryGetPacksDetailsRequestParams = z.infer<
typeof OsqueryGetPacksDetailsRequestParams
@ -56,7 +65,7 @@ export type OsqueryGetPacksDetailsRequestParamsInput = z.input<
>;
export type OsqueryGetPacksDetailsResponse = z.infer<typeof OsqueryGetPacksDetailsResponse>;
export const OsqueryGetPacksDetailsResponse = DefaultSuccessResponse;
export const OsqueryGetPacksDetailsResponse = FindPackResponse;
export type OsqueryUpdatePacksRequestParams = z.infer<typeof OsqueryUpdatePacksRequestParams>;
export const OsqueryUpdatePacksRequestParams = z.object({
@ -69,4 +78,4 @@ export const OsqueryUpdatePacksRequestBody = UpdatePacksRequestBody;
export type OsqueryUpdatePacksRequestBodyInput = z.input<typeof OsqueryUpdatePacksRequestBody>;
export type OsqueryUpdatePacksResponse = z.infer<typeof OsqueryUpdatePacksResponse>;
export const OsqueryUpdatePacksResponse = DefaultSuccessResponse;
export const OsqueryUpdatePacksResponse = UpdatePacksResponse;


@ -11,18 +11,33 @@ paths:
x-codegen-enabled: true
x-labels: [serverless, ess]
parameters:
- name: query
- name: page
in: query
required: true
required: false
schema:
$ref: './find_packs.schema.yaml#/components/schemas/FindPacksRequestQuery'
$ref: '../model/schema/common_attributes.schema.yaml#/components/schemas/PageOrUndefined'
- name: pageSize
in: query
required: false
schema:
$ref: '../model/schema/common_attributes.schema.yaml#/components/schemas/PageSizeOrUndefined'
- name: sort
in: query
required: false
schema:
$ref: '../model/schema/common_attributes.schema.yaml#/components/schemas/SortOrUndefined'
- name: sortOrder
in: query
required: false
schema:
$ref: '../model/schema/common_attributes.schema.yaml#/components/schemas/SortOrderOrUndefined'
responses:
'200':
description: OK
content:
application/json:
schema:
$ref: '../model/schema/common_attributes.schema.yaml#/components/schemas/DefaultSuccessResponse'
$ref: './find_packs.schema.yaml#/components/schemas/FindPacksResponse'
post:
summary: Create a pack
description: Create a query pack.
@ -41,7 +56,7 @@ paths:
content:
application/json:
schema:
$ref: '../model/schema/common_attributes.schema.yaml#/components/schemas/DefaultSuccessResponse'
$ref: './create_pack.schema.yaml#/components/schemas/CreatePacksResponse'
/api/osquery/packs/{id}:
get:
summary: Get pack details
@ -61,7 +76,7 @@ paths:
content:
application/json:
schema:
$ref: '../model/schema/common_attributes.schema.yaml#/components/schemas/DefaultSuccessResponse'
$ref: './find_packs.schema.yaml#/components/schemas/FindPackResponse'
delete:
summary: Delete a pack
description: Delete a query pack using the pack ID.
@ -80,7 +95,9 @@ paths:
content:
application/json:
schema:
$ref: '../model/schema/common_attributes.schema.yaml#/components/schemas/DefaultSuccessResponse'
type: object
properties: { }
example: { }
put:
summary: Update a pack
description: |
@ -108,4 +125,4 @@ paths:
content:
application/json:
schema:
$ref: '../model/schema/common_attributes.schema.yaml#/components/schemas/DefaultSuccessResponse'
$ref: './update_packs.schema.yaml#/components/schemas/UpdatePacksResponse'


@ -17,8 +17,8 @@
import { z } from '@kbn/zod';
import {
PackId,
DescriptionOrUndefined,
PackName,
PackDescriptionOrUndefined,
EnabledOrUndefined,
PolicyIdsOrUndefined,
Shards,
@ -27,10 +27,13 @@ import {
export type UpdatePacksRequestBody = z.infer<typeof UpdatePacksRequestBody>;
export const UpdatePacksRequestBody = z.object({
id: PackId.optional(),
description: DescriptionOrUndefined.optional(),
name: PackName.optional(),
description: PackDescriptionOrUndefined.optional(),
enabled: EnabledOrUndefined.optional(),
policy_ids: PolicyIdsOrUndefined.optional(),
shards: Shards.optional(),
queries: ObjectQueries.optional(),
});
export type UpdatePacksResponse = z.infer<typeof UpdatePacksResponse>;
export const UpdatePacksResponse = z.object({});


@ -7,11 +7,13 @@ components:
schemas:
UpdatePacksRequestBody:
type: object
example:
name: 'updated_my_pack_name'
properties:
id:
$ref: '../model/schema/common_attributes.schema.yaml#/components/schemas/PackId'
name:
$ref: '../model/schema/common_attributes.schema.yaml#/components/schemas/PackName'
description:
$ref: '../model/schema/common_attributes.schema.yaml#/components/schemas/DescriptionOrUndefined'
$ref: '../model/schema/common_attributes.schema.yaml#/components/schemas/PackDescriptionOrUndefined'
enabled:
$ref: '../model/schema/common_attributes.schema.yaml#/components/schemas/EnabledOrUndefined'
policy_ids:
@ -20,3 +22,31 @@ components:
$ref: '../model/schema/common_attributes.schema.yaml#/components/schemas/Shards'
queries:
$ref: '../model/schema/common_attributes.schema.yaml#/components/schemas/ObjectQueries'
UpdatePacksResponse:
type: object
properties: { }
example:
data:
name: updated_my_pack_name
description: My pack
queries:
ports:
interval: 60
snapshot: true
removed: false
timeout: 120
query: SELECT * FROM listening_ports;
ecs_mapping:
client.port:
field: port
enabled: true
created_at: "2025-02-26T13:37:30.452Z"
created_by: elastic
updated_at: "2025-02-26T13:40:16.297Z"
updated_by: elastic
shards:
- key: 47638692-7c4c-4053-aa3e-7186f28df349
value: 35
- key: 5e267651-fe50-443e-8d3f-3bbc9171b618
value: 58
saved_object_id: 1c266590-381f-428c-878f-c80c1334f856


@ -18,10 +18,11 @@ import { z } from '@kbn/zod';
import {
SavedQueryId,
DescriptionOrUndefined,
SavedQueryDescriptionOrUndefined,
QueryOrUndefined,
ECSMappingOrUndefined,
VersionOrUndefined,
PlatformOrUndefined,
Interval,
SnapshotOrUndefined,
RemovedOrUndefined,
@ -30,15 +31,15 @@ import {
export type CreateSavedQueryRequestBody = z.infer<typeof CreateSavedQueryRequestBody>;
export const CreateSavedQueryRequestBody = z.object({
id: SavedQueryId.optional(),
description: DescriptionOrUndefined.optional(),
description: SavedQueryDescriptionOrUndefined.optional(),
query: QueryOrUndefined.optional(),
ecs_mapping: ECSMappingOrUndefined.optional(),
version: VersionOrUndefined.optional(),
platform: DescriptionOrUndefined.optional(),
platform: PlatformOrUndefined.optional(),
interval: Interval.optional(),
snapshot: SnapshotOrUndefined.optional(),
removed: RemovedOrUndefined.optional(),
});
export type SuccessResponse = z.infer<typeof SuccessResponse>;
export const SuccessResponse = z.object({});
export type CreateSavedQueryResponse = z.infer<typeof CreateSavedQueryResponse>;
export const CreateSavedQueryResponse = z.object({});


@ -7,11 +7,22 @@ components:
schemas:
CreateSavedQueryRequestBody:
type: object
example:
id: "saved_query_id"
description: "Saved query description"
query: "select * from uptime;"
interval: "60"
timeout: 120
version: "2.8.0"
platform: "linux,darwin"
ecs_mapping:
host.uptime:
field: "total_seconds"
properties:
id:
$ref: '../model/schema/common_attributes.schema.yaml#/components/schemas/SavedQueryId'
description:
$ref: '../model/schema/common_attributes.schema.yaml#/components/schemas/DescriptionOrUndefined'
$ref: '../model/schema/common_attributes.schema.yaml#/components/schemas/SavedQueryDescriptionOrUndefined'
query:
$ref: '../model/schema/common_attributes.schema.yaml#/components/schemas/QueryOrUndefined'
ecs_mapping:
@ -19,14 +30,15 @@ components:
version:
$ref: '../model/schema/common_attributes.schema.yaml#/components/schemas/VersionOrUndefined'
platform:
$ref: '../model/schema/common_attributes.schema.yaml#/components/schemas/DescriptionOrUndefined'
$ref: '../model/schema/common_attributes.schema.yaml#/components/schemas/PlatformOrUndefined'
interval:
$ref: '../model/schema/common_attributes.schema.yaml#/components/schemas/Interval'
snapshot:
$ref: '../model/schema/common_attributes.schema.yaml#/components/schemas/SnapshotOrUndefined'
removed:
$ref: '../model/schema/common_attributes.schema.yaml#/components/schemas/RemovedOrUndefined'
SuccessResponse:
CreateSavedQueryResponse:
type: object
properties: {}
# Define properties for the success response if needed
properties: { }
example:
data: { }
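Review bot: The new `CreateSavedQueryRequestBody` example includes `timeout: 120`, but the schema's `properties` (id, description, query, ecs_mapping, version, platform, interval, snapshot, removed) declare no `timeout`, so the example advertises a field the spec does not define and that a default `z.object` validator generated from it would strip. Either declare `timeout` under `properties` with the type and description the server actually accepts — I cannot see the handler from here — or remove it from the example. The `CreateSavedQueryResponse` schema is `properties: { }` with `example: data: { }`; a one-line `description: Empty on success.` (or whatever `data` really holds) would make the empty example less puzzling.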


@ -16,17 +16,8 @@
import { z } from '@kbn/zod';
import {
PageOrUndefined,
PageSizeOrUndefined,
SortOrUndefined,
SortOrderOrUndefined,
} from '../model/schema/common_attributes.gen';
export type FindSavedQueryResponse = z.infer<typeof FindSavedQueryResponse>;
export const FindSavedQueryResponse = z.object({});
export type FindSavedQueryRequestQuery = z.infer<typeof FindSavedQueryRequestQuery>;
export const FindSavedQueryRequestQuery = z.object({
page: PageOrUndefined.optional(),
pageSize: PageSizeOrUndefined.optional(),
sort: SortOrUndefined.optional(),
sortOrder: SortOrderOrUndefined.optional(),
});
export type FindSavedQueryDetailResponse = z.infer<typeof FindSavedQueryDetailResponse>;
export const FindSavedQueryDetailResponse = z.object({});


@ -5,14 +5,59 @@ info:
paths: { }
components:
schemas:
FindSavedQueryRequestQuery:
FindSavedQueryResponse:
type: object
properties: { }
example:
page: 1
per_page: 100
total: 11
data:
- type: "osquery-saved-query"
id: "42ba9c50-0cc5-11ed-aa1d-2b27890bc90d"
namespaces:
- "default"
attributes:
id: "saved_query_id"
description: "Saved query description"
query: "select * from uptime;"
platform: "linux,darwin"
version: "2.8.0"
interval: "60"
ecs_mapping:
host.uptime:
field: "total_seconds"
created_by: "elastic"
created_at: "2022-07-26T09:28:08.597Z"
updated_by: "elastic"
updated_at: "2022-07-26T09:28:08.597Z"
prebuilt: false
FindSavedQueryDetailResponse:
type: object
properties:
page:
$ref: '../model/schema/common_attributes.schema.yaml#/components/schemas/PageOrUndefined'
pageSize:
$ref: '../model/schema/common_attributes.schema.yaml#/components/schemas/PageSizeOrUndefined'
sort:
$ref: '../model/schema/common_attributes.schema.yaml#/components/schemas/SortOrUndefined'
sortOrder:
$ref: '../model/schema/common_attributes.schema.yaml#/components/schemas/SortOrderOrUndefined'
properties: { }
example:
data:
id: "3c42c847-eb30-4452-80e0-728584042334"
type: "osquery-saved-query"
namespaces:
- "default"
updated_at: "2022-07-26T09:28:08.600Z"
version: "WzQzMTcsMV0="
attributes:
id: "saved_query_id"
description: "Saved query description"
query: "select * from uptime;"
platform: "linux,darwin"
version: "2.8.0"
interval: "60"
ecs_mapping:
host.uptime:
field: "total_seconds"
created_by: "elastic"
created_at: "2022-07-26T09:28:08.597Z"
updated_by: "elastic"
updated_at: "2022-07-26T09:28:08.597Z"
prebuilt: false
references: [ ]
coreMigrationVersion: "8.4.0"
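Review bot: Both new response schemas are `properties: { }`, so the envelope fields the examples rely on (`page`, `per_page`, `total`, `data`) are undocumented in the generated types and any consumer of the OpenAPI gets `{}`. Note too that the response paginates with `per_page` while the request parameter is `pageSize`; declaring the envelope makes that asymmetry explicit instead of leaving it to the example. The items are saved objects, so keep them open with `additionalProperties: true` rather than enumerating attributes (check how the codegen renders `additionalProperties` before relying on it).
```yaml
FindSavedQueryResponse:
  type: object
  properties:
    page:
      type: integer
    per_page:
      type: integer
    total:
      type: integer
    data:
      type: array
      items:
        type: object
        additionalProperties: true
  # … unchanged: example payload …
```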


@ -16,10 +16,17 @@
import { z } from '@kbn/zod';
import { FindSavedQueryRequestQuery } from './find_saved_query.gen';
import { DefaultSuccessResponse, SavedQueryId } from '../model/schema/common_attributes.gen';
import { CreateSavedQueryRequestBody } from './create_saved_query.gen';
import { UpdateSavedQueryRequestBody } from './update_saved_query.gen';
import {
PageOrUndefined,
PageSizeOrUndefined,
SortOrUndefined,
SortOrderOrUndefined,
SavedQueryId,
DefaultSuccessResponse,
} from '../model/schema/common_attributes.gen';
import { FindSavedQueryResponse, FindSavedQueryDetailResponse } from './find_saved_query.gen';
import { CreateSavedQueryRequestBody, CreateSavedQueryResponse } from './create_saved_query.gen';
import { UpdateSavedQueryRequestBody, UpdateSavedQueryResponse } from './update_saved_query.gen';
export type OsqueryCreateSavedQueryRequestBody = z.infer<typeof OsqueryCreateSavedQueryRequestBody>;
export const OsqueryCreateSavedQueryRequestBody = CreateSavedQueryRequestBody;
@ -28,7 +35,7 @@ export type OsqueryCreateSavedQueryRequestBodyInput = z.input<
>;
export type OsqueryCreateSavedQueryResponse = z.infer<typeof OsqueryCreateSavedQueryResponse>;
export const OsqueryCreateSavedQueryResponse = DefaultSuccessResponse;
export const OsqueryCreateSavedQueryResponse = CreateSavedQueryResponse;
export type OsqueryDeleteSavedQueryRequestParams = z.infer<
typeof OsqueryDeleteSavedQueryRequestParams
@ -46,14 +53,17 @@ export type OsqueryFindSavedQueriesRequestQuery = z.infer<
typeof OsqueryFindSavedQueriesRequestQuery
>;
export const OsqueryFindSavedQueriesRequestQuery = z.object({
query: FindSavedQueryRequestQuery,
page: PageOrUndefined.optional(),
pageSize: PageSizeOrUndefined.optional(),
sort: SortOrUndefined.optional(),
sortOrder: SortOrderOrUndefined.optional(),
});
export type OsqueryFindSavedQueriesRequestQueryInput = z.input<
typeof OsqueryFindSavedQueriesRequestQuery
>;
export type OsqueryFindSavedQueriesResponse = z.infer<typeof OsqueryFindSavedQueriesResponse>;
export const OsqueryFindSavedQueriesResponse = DefaultSuccessResponse;
export const OsqueryFindSavedQueriesResponse = FindSavedQueryResponse;
export type OsqueryGetSavedQueryDetailsRequestParams = z.infer<
typeof OsqueryGetSavedQueryDetailsRequestParams
@ -68,7 +78,7 @@ export type OsqueryGetSavedQueryDetailsRequestParamsInput = z.input<
export type OsqueryGetSavedQueryDetailsResponse = z.infer<
typeof OsqueryGetSavedQueryDetailsResponse
>;
export const OsqueryGetSavedQueryDetailsResponse = DefaultSuccessResponse;
export const OsqueryGetSavedQueryDetailsResponse = FindSavedQueryDetailResponse;
export type OsqueryUpdateSavedQueryRequestParams = z.infer<
typeof OsqueryUpdateSavedQueryRequestParams
@ -87,4 +97,4 @@ export type OsqueryUpdateSavedQueryRequestBodyInput = z.input<
>;
export type OsqueryUpdateSavedQueryResponse = z.infer<typeof OsqueryUpdateSavedQueryResponse>;
export const OsqueryUpdateSavedQueryResponse = DefaultSuccessResponse;
export const OsqueryUpdateSavedQueryResponse = UpdateSavedQueryResponse;


@ -11,18 +11,33 @@ paths:
x-codegen-enabled: true
x-labels: [serverless, ess]
parameters:
- name: query
- name: page
in: query
required: true
required: false
schema:
$ref: './find_saved_query.schema.yaml#/components/schemas/FindSavedQueryRequestQuery'
$ref: '../model/schema/common_attributes.schema.yaml#/components/schemas/PageOrUndefined'
- name: pageSize
in: query
required: false
schema:
$ref: '../model/schema/common_attributes.schema.yaml#/components/schemas/PageSizeOrUndefined'
- name: sort
in: query
required: false
schema:
$ref: '../model/schema/common_attributes.schema.yaml#/components/schemas/SortOrUndefined'
- name: sortOrder
in: query
required: false
schema:
$ref: '../model/schema/common_attributes.schema.yaml#/components/schemas/SortOrderOrUndefined'
responses:
'200':
description: OK
content:
application/json:
schema:
$ref: '../model/schema/common_attributes.schema.yaml#/components/schemas/DefaultSuccessResponse'
$ref: './find_saved_query.schema.yaml#/components/schemas/FindSavedQueryResponse'
post:
summary: Create a saved query
description: Create and run a saved query.
@ -41,7 +56,7 @@ paths:
content:
application/json:
schema:
$ref: '../model/schema/common_attributes.schema.yaml#/components/schemas/DefaultSuccessResponse'
$ref: './create_saved_query.schema.yaml#/components/schemas/CreateSavedQueryResponse'
/api/osquery/saved_queries/{id}:
get:
summary: Get saved query details
@ -61,7 +76,7 @@ paths:
content:
application/json:
schema:
$ref: '../model/schema/common_attributes.schema.yaml#/components/schemas/DefaultSuccessResponse'
$ref: './find_saved_query.schema.yaml#/components/schemas/FindSavedQueryDetailResponse'
delete:
summary: Delete a saved query
description: Delete a saved query using the query ID.
@ -108,4 +123,4 @@ paths:
content:
application/json:
schema:
$ref: '../model/schema/common_attributes.schema.yaml#/components/schemas/DefaultSuccessResponse'
$ref: './update_saved_query.schema.yaml#/components/schemas/UpdateSavedQueryResponse'
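Review bot: `page` and `pageSize` are now first-class query parameters, but the `PageOrUndefined`/`PageSizeOrUndefined` schemas they reference carry only a description and example (see the bundled copy further down this page: no `minimum`, no `maximum`), so the spec permits `pageSize=0`, negative values, or arbitrarily large pages. Add `minimum: 1` to both and a `maximum` on `pageSize` matching whatever the saved-objects find handler actually caps at — I cannot see the handler from here, so the cap value needs confirming. The same applies to `sort`: it is a free-form string; if it is passed straight through as a sort field, an `enum` of the sortable fields would both document the API and reject unexpected field names.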


@ -18,10 +18,11 @@ import { z } from '@kbn/zod';
import {
SavedQueryId,
DescriptionOrUndefined,
SavedQueryDescriptionOrUndefined,
QueryOrUndefined,
ECSMappingOrUndefined,
VersionOrUndefined,
PlatformOrUndefined,
IntervalOrUndefined,
SnapshotOrUndefined,
RemovedOrUndefined,
@ -30,12 +31,15 @@ import {
export type UpdateSavedQueryRequestBody = z.infer<typeof UpdateSavedQueryRequestBody>;
export const UpdateSavedQueryRequestBody = z.object({
id: SavedQueryId.optional(),
description: DescriptionOrUndefined.optional(),
description: SavedQueryDescriptionOrUndefined.optional(),
query: QueryOrUndefined.optional(),
ecs_mapping: ECSMappingOrUndefined.optional(),
version: VersionOrUndefined.optional(),
platform: DescriptionOrUndefined.optional(),
platform: PlatformOrUndefined.optional(),
interval: IntervalOrUndefined.optional(),
snapshot: SnapshotOrUndefined.optional(),
removed: RemovedOrUndefined.optional(),
});
export type UpdateSavedQueryResponse = z.infer<typeof UpdateSavedQueryResponse>;
export const UpdateSavedQueryResponse = z.object({});


@ -7,11 +7,13 @@ components:
schemas:
UpdateSavedQueryRequestBody:
type: object
example:
id: 'updated_my_saved_query_name'
properties:
id:
$ref: '../model/schema/common_attributes.schema.yaml#/components/schemas/SavedQueryId'
description:
$ref: '../model/schema/common_attributes.schema.yaml#/components/schemas/DescriptionOrUndefined'
$ref: '../model/schema/common_attributes.schema.yaml#/components/schemas/SavedQueryDescriptionOrUndefined'
query:
$ref: '../model/schema/common_attributes.schema.yaml#/components/schemas/QueryOrUndefined'
ecs_mapping:
@ -19,10 +21,15 @@ components:
version:
$ref: '../model/schema/common_attributes.schema.yaml#/components/schemas/VersionOrUndefined'
platform:
$ref: '../model/schema/common_attributes.schema.yaml#/components/schemas/DescriptionOrUndefined'
$ref: '../model/schema/common_attributes.schema.yaml#/components/schemas/PlatformOrUndefined'
interval:
$ref: '../model/schema/common_attributes.schema.yaml#/components/schemas/IntervalOrUndefined'
snapshot:
$ref: '../model/schema/common_attributes.schema.yaml#/components/schemas/SnapshotOrUndefined'
removed:
$ref: '../model/schema/common_attributes.schema.yaml#/components/schemas/RemovedOrUndefined'
UpdateSavedQueryResponse:
type: object
properties: { }
example:
data: { }
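Review bot: The request example `id: 'updated_my_saved_query_name'` treats the body's `id` as a user-chosen name, but the property references `SavedQueryId`, whose bundled description reads "The ID of a saved query" with a UUID example — the same schema used for the `{id}` path parameter that addresses the saved object. Those are two different identifiers and the shared schema now documents them as one; give the body field its own schema, or at least its own `description: The user-defined identifier of the saved query.`, so readers do not send the saved-object UUID in the body. Whether the server actually treats body `id` and path `id` differently is inferred from the examples here, not from the handler, so confirm before splitting the schema.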


@ -17,16 +17,36 @@ paths:
operationId: OsqueryFindLiveQueries
parameters:
- in: query
name: query
required: true
name: kuery
required: false
schema:
$ref: '#/components/schemas/FindLiveQueryRequestQuery'
$ref: '#/components/schemas/KueryOrUndefined'
- in: query
name: page
required: false
schema:
$ref: '#/components/schemas/PageOrUndefined'
- in: query
name: pageSize
required: false
schema:
$ref: '#/components/schemas/PageSizeOrUndefined'
- in: query
name: sort
required: false
schema:
$ref: '#/components/schemas/SortOrUndefined'
- in: query
name: sortOrder
required: false
schema:
$ref: '#/components/schemas/SortOrderOrUndefined'
responses:
'200':
content:
application/json:
schema:
$ref: '#/components/schemas/DefaultSuccessResponse'
$ref: '#/components/schemas/FindLiveQueryResponse'
description: OK
summary: Get live queries
tags:
@ -45,7 +65,7 @@ paths:
content:
application/json:
schema:
$ref: '#/components/schemas/DefaultSuccessResponse'
$ref: '#/components/schemas/CreateLiveQueryResponse'
description: OK
summary: Create a live query
tags:
@ -59,18 +79,15 @@ paths:
name: id
required: true
schema:
$ref: '#/components/schemas/Id'
- in: query
name: query
schema:
additionalProperties: true
type: object
description: The ID of the live query result you want to retrieve.
example: 3c42c847-eb30-4452-80e0-728584042334
type: string
responses:
'200':
content:
application/json:
schema:
$ref: '#/components/schemas/DefaultSuccessResponse'
$ref: '#/components/schemas/FindLiveQueryDetailsResponse'
description: OK
summary: Get live query details
tags:
@ -84,23 +101,47 @@ paths:
name: id
required: true
schema:
$ref: '#/components/schemas/Id'
description: The ID of the live query result you want to retrieve.
example: 3c42c847-eb30-4452-80e0-728584042334
type: string
- in: path
name: actionId
required: true
schema:
$ref: '#/components/schemas/Id'
description: The ID of the query action that generated the live query results.
example: 609c4c66-ba3d-43fa-afdd-53e244577aa0
type: string
- in: query
name: query
required: true
name: kuery
required: false
schema:
$ref: '#/components/schemas/GetLiveQueryResultsRequestQuery'
$ref: '#/components/schemas/KueryOrUndefined'
- in: query
name: page
required: false
schema:
$ref: '#/components/schemas/PageOrUndefined'
- in: query
name: pageSize
required: false
schema:
$ref: '#/components/schemas/PageSizeOrUndefined'
- in: query
name: sort
required: false
schema:
$ref: '#/components/schemas/SortOrUndefined'
- in: query
name: sortOrder
required: false
schema:
$ref: '#/components/schemas/SortOrderOrUndefined'
responses:
'200':
content:
application/json:
schema:
$ref: '#/components/schemas/DefaultSuccessResponse'
$ref: '#/components/schemas/GetLiveQueryResultsResponse'
description: OK
summary: Get live query results
tags:
@ -111,16 +152,31 @@ paths:
operationId: OsqueryFindPacks
parameters:
- in: query
name: query
required: true
name: page
required: false
schema:
$ref: '#/components/schemas/FindPacksRequestQuery'
$ref: '#/components/schemas/PageOrUndefined'
- in: query
name: pageSize
required: false
schema:
$ref: '#/components/schemas/PageSizeOrUndefined'
- in: query
name: sort
required: false
schema:
$ref: '#/components/schemas/SortOrUndefined'
- in: query
name: sortOrder
required: false
schema:
$ref: '#/components/schemas/SortOrderOrUndefined'
responses:
'200':
content:
application/json:
schema:
$ref: '#/components/schemas/DefaultSuccessResponse'
$ref: '#/components/schemas/FindPacksResponse'
description: OK
summary: Get packs
tags:
@ -139,7 +195,7 @@ paths:
content:
application/json:
schema:
$ref: '#/components/schemas/DefaultSuccessResponse'
$ref: '#/components/schemas/CreatePacksResponse'
description: OK
summary: Create a pack
tags:
@ -159,7 +215,9 @@ paths:
content:
application/json:
schema:
$ref: '#/components/schemas/DefaultSuccessResponse'
example: {}
type: object
properties: {}
description: OK
summary: Delete a pack
tags:
@ -178,7 +236,7 @@ paths:
content:
application/json:
schema:
$ref: '#/components/schemas/DefaultSuccessResponse'
$ref: '#/components/schemas/FindPackResponse'
description: OK
summary: Get pack details
tags:
@ -206,7 +264,7 @@ paths:
content:
application/json:
schema:
$ref: '#/components/schemas/DefaultSuccessResponse'
$ref: '#/components/schemas/UpdatePacksResponse'
description: OK
summary: Update a pack
tags:
@ -217,16 +275,31 @@ paths:
operationId: OsqueryFindSavedQueries
parameters:
- in: query
name: query
required: true
name: page
required: false
schema:
$ref: '#/components/schemas/FindSavedQueryRequestQuery'
$ref: '#/components/schemas/PageOrUndefined'
- in: query
name: pageSize
required: false
schema:
$ref: '#/components/schemas/PageSizeOrUndefined'
- in: query
name: sort
required: false
schema:
$ref: '#/components/schemas/SortOrUndefined'
- in: query
name: sortOrder
required: false
schema:
$ref: '#/components/schemas/SortOrderOrUndefined'
responses:
'200':
content:
application/json:
schema:
$ref: '#/components/schemas/DefaultSuccessResponse'
$ref: '#/components/schemas/FindSavedQueryResponse'
description: OK
summary: Get saved queries
tags:
@ -245,7 +318,7 @@ paths:
content:
application/json:
schema:
$ref: '#/components/schemas/DefaultSuccessResponse'
$ref: '#/components/schemas/CreateSavedQueryResponse'
description: OK
summary: Create a saved query
tags:
@ -284,7 +357,7 @@ paths:
content:
application/json:
schema:
$ref: '#/components/schemas/DefaultSuccessResponse'
$ref: '#/components/schemas/FindSavedQueryDetailResponse'
description: OK
summary: Get saved query details
tags:
@ -312,7 +385,7 @@ paths:
content:
application/json:
schema:
$ref: '#/components/schemas/DefaultSuccessResponse'
$ref: '#/components/schemas/UpdateSavedQueryResponse'
description: OK
summary: Update a saved query
tags:
@ -320,6 +393,7 @@ paths:
components:
schemas:
ArrayQueries:
description: An array of queries to run.
items:
$ref: '#/components/schemas/ArrayQueriesItem'
type: array
@ -329,7 +403,7 @@ components:
ecs_mapping:
$ref: '#/components/schemas/ECSMappingOrUndefined'
id:
$ref: '#/components/schemas/Id'
$ref: '#/components/schemas/QueryId'
platform:
$ref: '#/components/schemas/PlatformOrUndefined'
query:
@ -341,37 +415,51 @@ components:
version:
$ref: '#/components/schemas/VersionOrUndefined'
CreateLiveQueryRequestBody:
example:
agent_all: true
ecs_mapping:
host.uptime:
field: total_seconds
query: select * from uptime;
type: object
properties:
agent_all:
description: When `true`, the query runs on all agents.
type: boolean
agent_ids:
description: A list of agent IDs to run the query on.
items:
type: string
type: array
agent_platforms:
description: A list of agent platforms to run the query on.
items:
type: string
type: array
agent_policy_ids:
description: A list of agent policy IDs to run the query on.
items:
type: string
type: array
alert_ids:
description: A list of alert IDs associated with the live query.
items:
type: string
type: array
case_ids:
description: A list of case IDs associated with the live query.
items:
type: string
type: array
ecs_mapping:
$ref: '#/components/schemas/ECSMappingOrUndefined'
event_ids:
description: A list of event IDs associated with the live query.
items:
type: string
type: array
metadata:
description: Custom metadata object associated with the live query.
nullable: true
type: object
pack_id:
@ -382,11 +470,64 @@ components:
$ref: '#/components/schemas/QueryOrUndefined'
saved_query_id:
$ref: '#/components/schemas/SavedQueryIdOrUndefined'
CreateLiveQueryResponse:
example:
data:
'@timestamp': '2022-07-26T09:59:32.220Z'
action_id: 3c42c847-eb30-4452-80e0-728584042334
agent_all: true
agent_ids: []
agent_platforms: []
agent_policy_ids: []
agents:
- 16d7caf5-efd2-4212-9b62-73dafc91fa13
expiration: '2022-07-26T10:04:32.220Z'
input_type: osquery
metadata:
execution_context:
name: osquery
url: /app/osquery/live_queries/new
queries:
- action_id: 609c4c66-ba3d-43fa-afdd-53e244577aa0
agents:
- 16d7caf5-efd2-4212-9b62-73dafc91fa13
ecs_mapping:
host.uptime:
field: total_seconds
id: 6724a474-cbba-41ef-a1aa-66aebf0879e2
query: select * from uptime;
timeout: 120
type: INPUT_ACTION
user_id: elastic
type: object
properties: {}
CreatePacksRequestBody:
example:
description: My pack
enabled: true
name: my_pack
policy_ids:
- my_policy_id
- fleet-server-policy
queries:
my_query:
ecs_mapping:
client.port:
field: port
tags:
value:
- tag1
- tag2
interval: 60
query: SELECT * FROM listening_ports;
timeout: 120
shards:
fleet-server-policy: 58
my_policy_id: 35
type: object
properties:
description:
$ref: '#/components/schemas/DescriptionOrUndefined'
$ref: '#/components/schemas/PackDescriptionOrUndefined'
enabled:
$ref: '#/components/schemas/EnabledOrUndefined'
name:
@ -397,11 +538,50 @@ components:
$ref: '#/components/schemas/ObjectQueries'
shards:
$ref: '#/components/schemas/Shards'
CreatePacksResponse:
example:
data:
created_at: '2025-02-26T13:37:30.452Z'
created_by: elastic
description: My pack
enabled: true
name: my_pack
queries:
ports:
ecs_mapping:
client.port:
field: port
interval: 60
query: SELECT * FROM listening_ports;
removed: false
snapshot: true
timeout: 120
saved_object_id: 1c266590-381f-428c-878f-c80c1334f856
shards:
- key: 47638692-7c4c-4053-aa3e-7186f28df349
value: 35
- key: 5e267651-fe50-443e-8d3f-3bbc9171b618
value: 58
updated_at: '2025-02-26T13:37:30.452Z'
updated_by: elastic
type: object
properties: {}
CreateSavedQueryRequestBody:
example:
description: Saved query description
ecs_mapping:
host.uptime:
field: total_seconds
id: saved_query_id
interval: '60'
platform: linux,darwin
query: select * from uptime;
timeout: 120
version: 2.8.0
type: object
properties:
description:
$ref: '#/components/schemas/DescriptionOrUndefined'
$ref: '#/components/schemas/SavedQueryDescriptionOrUndefined'
ecs_mapping:
$ref: '#/components/schemas/ECSMappingOrUndefined'
id:
@ -409,7 +589,7 @@ components:
interval:
$ref: '#/components/schemas/Interval'
platform:
$ref: '#/components/schemas/DescriptionOrUndefined'
$ref: '#/components/schemas/PlatformOrUndefined'
query:
$ref: '#/components/schemas/QueryOrUndefined'
removed:
@ -418,24 +598,34 @@ components:
$ref: '#/components/schemas/SnapshotOrUndefined'
version:
$ref: '#/components/schemas/VersionOrUndefined'
CreateSavedQueryResponse:
example:
data: {}
type: object
properties: {}
DefaultSuccessResponse:
type: object
properties: {}
Description:
type: string
DescriptionOrUndefined:
$ref: '#/components/schemas/Description'
nullable: true
ECSMapping:
additionalProperties:
$ref: '#/components/schemas/ECSMappingItem'
description: >-
Map osquery results columns or static values to Elastic Common Schema
(ECS) fields
example:
host.uptime:
field: total_seconds
type: object
ECSMappingItem:
type: object
properties:
field:
description: The ECS field to map to.
example: host.uptime
type: string
value:
description: The value to map to the ECS field.
example: total_seconds
oneOf:
- type: string
- items:
@ -445,71 +635,197 @@ components:
$ref: '#/components/schemas/ECSMapping'
nullable: true
Enabled:
description: Enables the pack.
example: true
type: boolean
EnabledOrUndefined:
$ref: '#/components/schemas/Enabled'
nullable: true
FindLiveQueryRequestQuery:
FindLiveQueryDetailsResponse:
example:
data:
'@timestamp': '2022-07-26T09:59:32.220Z'
action_id: 3c42c847-eb30-4452-80e0-728584042334
agents:
- 16d7caf5-efd2-4212-9b62-73dafc91fa13
expiration: '2022-07-26T10:04:32.220Z'
queries:
- action_id: 609c4c66-ba3d-43fa-afdd-53e244577aa0
agents:
- 16d7caf5-efd2-4212-9b62-73dafc91fa13
docs: 0
ecs_mapping:
host.uptime:
field: total_seconds
failed: 1
id: 6724a474-cbba-41ef-a1aa-66aebf0879e2
pending: 0
query: select * from uptime;
responded: 1
saved_query_id: 42ba9c50-0cc5-11ed-aa1d-2b27890bc90d
status: completed
successful: 0
status: completed
user_id: elastic
type: object
properties:
kuery:
$ref: '#/components/schemas/KueryOrUndefined'
page:
$ref: '#/components/schemas/PageOrUndefined'
pageSize:
$ref: '#/components/schemas/PageSizeOrUndefined'
sort:
$ref: '#/components/schemas/SortOrUndefined'
sortOrder:
$ref: '#/components/schemas/SortOrderOrUndefined'
FindPacksRequestQuery:
properties: {}
FindLiveQueryResponse:
example:
data:
items:
- fields:
'@timestamp': '2023-10-31T00:00:00Z'
action_id: 3c42c847-eb30-4452-80e0-728584042334
agents:
- 16d7caf5-efd2-4212-9b62-73dafc91fa13
expiration: '2023-10-31T00:00:00Z'
queries:
- action_id: 609c4c66-ba3d-43fa-afdd-53e244577aa0
agents:
- 16d7caf5-efd2-4212-9b62-73dafc91fa13
ecs_mapping:
host.uptime:
field: total_seconds
id: 6724a474-cbba-41ef-a1aa-66aebf0879e2
query: select * from uptime;
saved_query_id: 42ba9c50-0cc5-11ed-aa1d-2b27890bc90d
user_id: elastic
type: object
properties:
page:
$ref: '#/components/schemas/PageOrUndefined'
pageSize:
$ref: '#/components/schemas/PageSizeOrUndefined'
sort:
$ref: '#/components/schemas/SortOrUndefined'
sortOrder:
$ref: '#/components/schemas/SortOrderOrUndefined'
FindSavedQueryRequestQuery:
properties: {}
FindPackResponse:
example:
data:
created_at: '2022-07-25T19:41:10.263Z'
created_by: elastic
description: ''
enabled: true
id: 3c42c847-eb30-4452-80e0-728584042334
name: test_pack
namespaces:
- default
policy_ids: []
queries:
uptime:
ecs_mapping:
message:
field: days
interval: 3600
query: select * from uptime
read_only: false
type: osquery-pack
updated_at: '2022-07-25T20:12:01.455Z'
updated_by: elastic
type: object
properties:
page:
$ref: '#/components/schemas/PageOrUndefined'
pageSize:
$ref: '#/components/schemas/PageSizeOrUndefined'
sort:
$ref: '#/components/schemas/SortOrUndefined'
sortOrder:
$ref: '#/components/schemas/SortOrderOrUndefined'
GetLiveQueryResultsRequestQuery:
properties: {}
FindPacksResponse:
example:
data:
- attributes:
created_at: '2023-10-31T00:00:00Z'
created_by: elastic
description: My pack description
enabled: true
name: My Pack
queries:
- ecs_mapping:
- host.uptime:
field: total_seconds
id: uptime
interval: '3600'
query: select * from uptime;
updated_at: '2023-10-31T00:00:00Z'
updated_by: elastic
id: 42ba9c50-0cc5-11ed-aa1d-2b27890bc90d
namespaces:
- default
type: osquery-pack
page: 1
pageSize: 10
policy_ids: []
total: 1
type: object
properties:
kuery:
$ref: '#/components/schemas/KueryOrUndefined'
page:
$ref: '#/components/schemas/PageOrUndefined'
pageSize:
$ref: '#/components/schemas/PageSizeOrUndefined'
sort:
$ref: '#/components/schemas/SortOrUndefined'
sortOrder:
$ref: '#/components/schemas/SortOrderOrUndefined'
Id:
type: string
properties: {}
FindSavedQueryDetailResponse:
example:
data:
attributes:
created_at: '2022-07-26T09:28:08.597Z'
created_by: elastic
description: Saved query description
ecs_mapping:
host.uptime:
field: total_seconds
id: saved_query_id
interval: '60'
platform: linux,darwin
prebuilt: false
query: select * from uptime;
updated_at: '2022-07-26T09:28:08.597Z'
updated_by: elastic
version: 2.8.0
coreMigrationVersion: 8.4.0
id: 3c42c847-eb30-4452-80e0-728584042334
namespaces:
- default
references: []
type: osquery-saved-query
updated_at: '2022-07-26T09:28:08.600Z'
version: WzQzMTcsMV0=
type: object
properties: {}
FindSavedQueryResponse:
example:
data:
- attributes:
created_at: '2022-07-26T09:28:08.597Z'
created_by: elastic
description: Saved query description
ecs_mapping:
host.uptime:
field: total_seconds
id: saved_query_id
interval: '60'
platform: linux,darwin
prebuilt: false
query: select * from uptime;
updated_at: '2022-07-26T09:28:08.597Z'
updated_by: elastic
version: 2.8.0
id: 42ba9c50-0cc5-11ed-aa1d-2b27890bc90d
namespaces:
- default
type: osquery-saved-query
page: 1
per_page: 100
total: 11
type: object
properties: {}
GetLiveQueryResultsResponse:
description: The response for getting live query results.
example:
data:
edges:
- {}
- {}
total: 2
type: object
properties: {}
Interval:
description: An interval, in seconds, on which to run the query.
example: '60'
type: string
IntervalOrUndefined:
$ref: '#/components/schemas/Interval'
nullable: true
KueryOrUndefined:
description: The kuery to filter the results by.
example: 'agent.id: 16d7caf5-efd2-4212-9b62-73dafc91fa13'
nullable: true
type: string
ObjectQueries:
additionalProperties:
$ref: '#/components/schemas/ObjectQueriesItem'
description: An object of queries.
type: object
ObjectQueriesItem:
type: object
@ -517,7 +833,7 @@ components:
ecs_mapping:
$ref: '#/components/schemas/ECSMappingOrUndefined'
id:
$ref: '#/components/schemas/Id'
$ref: '#/components/schemas/QueryId'
platform:
$ref: '#/components/schemas/PlatformOrUndefined'
query:
@ -530,25 +846,48 @@ components:
$ref: '#/components/schemas/SnapshotOrUndefined'
version:
$ref: '#/components/schemas/VersionOrUndefined'
PackDescription:
description: The pack description.
example: Pack description
type: string
PackDescriptionOrUndefined:
$ref: '#/components/schemas/PackDescription'
nullable: true
PackId:
description: The ID of the pack you want to run, retrieve, update, or delete.
example: 3c42c847-eb30-4452-80e0-728584042334
type: string
PackIdOrUndefined:
$ref: '#/components/schemas/PackId'
nullable: true
PackName:
description: The pack name.
type: string
PageOrUndefined:
description: The page number to return. The default is 1.
example: 1
nullable: true
type: integer
PageSizeOrUndefined:
description: The number of results to return per page. The default is 20.
example: 20
nullable: true
type: integer
Platform:
description: >-
Restricts the query to a specified platform. The default is all
platforms. To specify multiple platforms, use commas. For example,
`linux,darwin`.
example: linux,darwin
type: string
PlatformOrUndefined:
$ref: '#/components/schemas/Platform'
nullable: true
PolicyIds:
description: A list of agents policy IDs.
example:
- policyId1
- policyId2
items:
type: string
type: array
@ -556,16 +895,33 @@ components:
$ref: '#/components/schemas/PolicyIds'
nullable: true
Query:
description: The SQL query you want to run.
example: select * from uptime;
type: string
QueryId:
description: The ID of the query.
example: 3c42c847-eb30-4452-80e0-728584042334
type: string
QueryOrUndefined:
$ref: '#/components/schemas/Query'
nullable: true
Removed:
description: Indicates whether the query is removed.
example: false
type: boolean
RemovedOrUndefined:
$ref: '#/components/schemas/Removed'
nullable: true
SavedQueryDescription:
description: The saved query description.
example: Saved query description
type: string
SavedQueryDescriptionOrUndefined:
$ref: '#/components/schemas/SavedQueryDescription'
nullable: true
SavedQueryId:
description: The ID of a saved query.
example: 3c42c847-eb30-4452-80e0-728584042334
type: string
SavedQueryIdOrUndefined:
$ref: '#/components/schemas/SavedQueryId'
@ -573,42 +929,85 @@ components:
Shards:
additionalProperties:
type: number
description: >-
An object with shard configuration for policies included in the pack.
For each policy, set the shard configuration to a percentage (1100) of
target hosts.
example:
policy_id: 50
type: object
Snapshot:
description: Indicates whether the query is a snapshot.
example: true
type: boolean
SnapshotOrUndefined:
$ref: '#/components/schemas/Snapshot'
nullable: true
SortOrderOrUndefined:
oneOf:
- nullable: true
type: string
- enum:
- asc
- desc
description: Specifies the sort order.
enum:
- asc
- desc
example: desc
type: string
SortOrUndefined:
default: createdAt
description: The field that is used to sort the results.
example: createdAt
nullable: true
type: string
UpdatePacksRequestBody:
example:
name: updated_my_pack_name
type: object
properties:
description:
$ref: '#/components/schemas/DescriptionOrUndefined'
$ref: '#/components/schemas/PackDescriptionOrUndefined'
enabled:
$ref: '#/components/schemas/EnabledOrUndefined'
id:
$ref: '#/components/schemas/PackId'
name:
$ref: '#/components/schemas/PackName'
policy_ids:
$ref: '#/components/schemas/PolicyIdsOrUndefined'
queries:
$ref: '#/components/schemas/ObjectQueries'
shards:
$ref: '#/components/schemas/Shards'
UpdatePacksResponse:
example:
data:
created_at: '2025-02-26T13:37:30.452Z'
created_by: elastic
description: My pack
enabled: true
name: updated_my_pack_name
queries:
ports:
ecs_mapping:
client.port:
field: port
interval: 60
query: SELECT * FROM listening_ports;
removed: false
snapshot: true
timeout: 120
saved_object_id: 1c266590-381f-428c-878f-c80c1334f856
shards:
- key: 47638692-7c4c-4053-aa3e-7186f28df349
value: 35
- key: 5e267651-fe50-443e-8d3f-3bbc9171b618
value: 58
updated_at: '2025-02-26T13:40:16.297Z'
updated_by: elastic
type: object
properties: {}
UpdateSavedQueryRequestBody:
example:
id: updated_my_saved_query_name
type: object
properties:
description:
$ref: '#/components/schemas/DescriptionOrUndefined'
$ref: '#/components/schemas/SavedQueryDescriptionOrUndefined'
ecs_mapping:
$ref: '#/components/schemas/ECSMappingOrUndefined'
id:
@ -616,7 +1015,7 @@ components:
interval:
$ref: '#/components/schemas/IntervalOrUndefined'
platform:
$ref: '#/components/schemas/DescriptionOrUndefined'
$ref: '#/components/schemas/PlatformOrUndefined'
query:
$ref: '#/components/schemas/QueryOrUndefined'
removed:
@ -625,7 +1024,16 @@ components:
$ref: '#/components/schemas/SnapshotOrUndefined'
version:
$ref: '#/components/schemas/VersionOrUndefined'
UpdateSavedQueryResponse:
example:
data: {}
type: object
properties: {}
Version:
description: >-
Uses the Osquery versions greater than or equal to the specified version
string.
example: 1.0.0
type: string
VersionOrUndefined:
$ref: '#/components/schemas/Version'


@ -17,16 +17,36 @@ paths:
operationId: OsqueryFindLiveQueries
parameters:
- in: query
name: query
required: true
name: kuery
required: false
schema:
$ref: '#/components/schemas/FindLiveQueryRequestQuery'
$ref: '#/components/schemas/KueryOrUndefined'
- in: query
name: page
required: false
schema:
$ref: '#/components/schemas/PageOrUndefined'
- in: query
name: pageSize
required: false
schema:
$ref: '#/components/schemas/PageSizeOrUndefined'
- in: query
name: sort
required: false
schema:
$ref: '#/components/schemas/SortOrUndefined'
- in: query
name: sortOrder
required: false
schema:
$ref: '#/components/schemas/SortOrderOrUndefined'
responses:
'200':
content:
application/json:
schema:
$ref: '#/components/schemas/DefaultSuccessResponse'
$ref: '#/components/schemas/FindLiveQueryResponse'
description: OK
summary: Get live queries
tags:
@ -45,7 +65,7 @@ paths:
content:
application/json:
schema:
$ref: '#/components/schemas/DefaultSuccessResponse'
$ref: '#/components/schemas/CreateLiveQueryResponse'
description: OK
summary: Create a live query
tags:
@ -59,18 +79,15 @@ paths:
name: id
required: true
schema:
$ref: '#/components/schemas/Id'
- in: query
name: query
schema:
additionalProperties: true
type: object
description: The ID of the live query result you want to retrieve.
example: 3c42c847-eb30-4452-80e0-728584042334
type: string
responses:
'200':
content:
application/json:
schema:
$ref: '#/components/schemas/DefaultSuccessResponse'
$ref: '#/components/schemas/FindLiveQueryDetailsResponse'
description: OK
summary: Get live query details
tags:
@ -84,23 +101,47 @@ paths:
name: id
required: true
schema:
$ref: '#/components/schemas/Id'
description: The ID of the live query result you want to retrieve.
example: 3c42c847-eb30-4452-80e0-728584042334
type: string
- in: path
name: actionId
required: true
schema:
$ref: '#/components/schemas/Id'
description: The ID of the query action that generated the live query results.
example: 609c4c66-ba3d-43fa-afdd-53e244577aa0
type: string
- in: query
name: query
required: true
name: kuery
required: false
schema:
$ref: '#/components/schemas/GetLiveQueryResultsRequestQuery'
$ref: '#/components/schemas/KueryOrUndefined'
- in: query
name: page
required: false
schema:
$ref: '#/components/schemas/PageOrUndefined'
- in: query
name: pageSize
required: false
schema:
$ref: '#/components/schemas/PageSizeOrUndefined'
- in: query
name: sort
required: false
schema:
$ref: '#/components/schemas/SortOrUndefined'
- in: query
name: sortOrder
required: false
schema:
$ref: '#/components/schemas/SortOrderOrUndefined'
responses:
'200':
content:
application/json:
schema:
$ref: '#/components/schemas/DefaultSuccessResponse'
$ref: '#/components/schemas/GetLiveQueryResultsResponse'
description: OK
summary: Get live query results
tags:
@ -111,16 +152,31 @@ paths:
operationId: OsqueryFindPacks
parameters:
- in: query
name: query
required: true
name: page
required: false
schema:
$ref: '#/components/schemas/FindPacksRequestQuery'
$ref: '#/components/schemas/PageOrUndefined'
- in: query
name: pageSize
required: false
schema:
$ref: '#/components/schemas/PageSizeOrUndefined'
- in: query
name: sort
required: false
schema:
$ref: '#/components/schemas/SortOrUndefined'
- in: query
name: sortOrder
required: false
schema:
$ref: '#/components/schemas/SortOrderOrUndefined'
responses:
'200':
content:
application/json:
schema:
$ref: '#/components/schemas/DefaultSuccessResponse'
$ref: '#/components/schemas/FindPacksResponse'
description: OK
summary: Get packs
tags:
@ -139,7 +195,7 @@ paths:
content:
application/json:
schema:
$ref: '#/components/schemas/DefaultSuccessResponse'
$ref: '#/components/schemas/CreatePacksResponse'
description: OK
summary: Create a pack
tags:
@ -159,7 +215,9 @@ paths:
content:
application/json:
schema:
$ref: '#/components/schemas/DefaultSuccessResponse'
example: {}
type: object
properties: {}
description: OK
summary: Delete a pack
tags:
@ -178,7 +236,7 @@ paths:
content:
application/json:
schema:
$ref: '#/components/schemas/DefaultSuccessResponse'
$ref: '#/components/schemas/FindPackResponse'
description: OK
summary: Get pack details
tags:
@ -206,7 +264,7 @@ paths:
content:
application/json:
schema:
$ref: '#/components/schemas/DefaultSuccessResponse'
$ref: '#/components/schemas/UpdatePacksResponse'
description: OK
summary: Update a pack
tags:
@ -217,16 +275,31 @@ paths:
operationId: OsqueryFindSavedQueries
parameters:
- in: query
name: query
required: true
name: page
required: false
schema:
$ref: '#/components/schemas/FindSavedQueryRequestQuery'
$ref: '#/components/schemas/PageOrUndefined'
- in: query
name: pageSize
required: false
schema:
$ref: '#/components/schemas/PageSizeOrUndefined'
- in: query
name: sort
required: false
schema:
$ref: '#/components/schemas/SortOrUndefined'
- in: query
name: sortOrder
required: false
schema:
$ref: '#/components/schemas/SortOrderOrUndefined'
responses:
'200':
content:
application/json:
schema:
$ref: '#/components/schemas/DefaultSuccessResponse'
$ref: '#/components/schemas/FindSavedQueryResponse'
description: OK
summary: Get saved queries
tags:
@ -245,7 +318,7 @@ paths:
content:
application/json:
schema:
$ref: '#/components/schemas/DefaultSuccessResponse'
$ref: '#/components/schemas/CreateSavedQueryResponse'
description: OK
summary: Create a saved query
tags:
@ -284,7 +357,7 @@ paths:
content:
application/json:
schema:
$ref: '#/components/schemas/DefaultSuccessResponse'
$ref: '#/components/schemas/FindSavedQueryDetailResponse'
description: OK
summary: Get saved query details
tags:
@ -312,7 +385,7 @@ paths:
content:
application/json:
schema:
$ref: '#/components/schemas/DefaultSuccessResponse'
$ref: '#/components/schemas/UpdateSavedQueryResponse'
description: OK
summary: Update a saved query
tags:
@ -320,6 +393,7 @@ paths:
components:
schemas:
ArrayQueries:
description: An array of queries to run.
items:
$ref: '#/components/schemas/ArrayQueriesItem'
type: array
@ -329,7 +403,7 @@ components:
ecs_mapping:
$ref: '#/components/schemas/ECSMappingOrUndefined'
id:
$ref: '#/components/schemas/Id'
$ref: '#/components/schemas/QueryId'
platform:
$ref: '#/components/schemas/PlatformOrUndefined'
query:
@ -341,37 +415,51 @@ components:
version:
$ref: '#/components/schemas/VersionOrUndefined'
CreateLiveQueryRequestBody:
example:
agent_all: true
ecs_mapping:
host.uptime:
field: total_seconds
query: select * from uptime;
type: object
properties:
agent_all:
description: When `true`, the query runs on all agents.
type: boolean
agent_ids:
description: A list of agent IDs to run the query on.
items:
type: string
type: array
agent_platforms:
description: A list of agent platforms to run the query on.
items:
type: string
type: array
agent_policy_ids:
description: A list of agent policy IDs to run the query on.
items:
type: string
type: array
alert_ids:
description: A list of alert IDs associated with the live query.
items:
type: string
type: array
case_ids:
description: A list of case IDs associated with the live query.
items:
type: string
type: array
ecs_mapping:
$ref: '#/components/schemas/ECSMappingOrUndefined'
event_ids:
description: A list of event IDs associated with the live query.
items:
type: string
type: array
metadata:
description: Custom metadata object associated with the live query.
nullable: true
type: object
pack_id:
@ -382,11 +470,64 @@ components:
$ref: '#/components/schemas/QueryOrUndefined'
saved_query_id:
$ref: '#/components/schemas/SavedQueryIdOrUndefined'
CreateLiveQueryResponse:
example:
data:
'@timestamp': '2022-07-26T09:59:32.220Z'
action_id: 3c42c847-eb30-4452-80e0-728584042334
agent_all: true
agent_ids: []
agent_platforms: []
agent_policy_ids: []
agents:
- 16d7caf5-efd2-4212-9b62-73dafc91fa13
expiration: '2022-07-26T10:04:32.220Z'
input_type: osquery
metadata:
execution_context:
name: osquery
url: /app/osquery/live_queries/new
queries:
- action_id: 609c4c66-ba3d-43fa-afdd-53e244577aa0
agents:
- 16d7caf5-efd2-4212-9b62-73dafc91fa13
ecs_mapping:
host.uptime:
field: total_seconds
id: 6724a474-cbba-41ef-a1aa-66aebf0879e2
query: select * from uptime;
timeout: 120
type: INPUT_ACTION
user_id: elastic
type: object
properties: {}
CreatePacksRequestBody:
example:
description: My pack
enabled: true
name: my_pack
policy_ids:
- my_policy_id
- fleet-server-policy
queries:
my_query:
ecs_mapping:
client.port:
field: port
tags:
value:
- tag1
- tag2
interval: 60
query: SELECT * FROM listening_ports;
timeout: 120
shards:
fleet-server-policy: 58
my_policy_id: 35
type: object
properties:
description:
$ref: '#/components/schemas/DescriptionOrUndefined'
$ref: '#/components/schemas/PackDescriptionOrUndefined'
enabled:
$ref: '#/components/schemas/EnabledOrUndefined'
name:
@ -397,11 +538,50 @@ components:
$ref: '#/components/schemas/ObjectQueries'
shards:
$ref: '#/components/schemas/Shards'
CreatePacksResponse:
example:
data:
created_at: '2025-02-26T13:37:30.452Z'
created_by: elastic
description: My pack
enabled: true
name: my_pack
queries:
ports:
ecs_mapping:
client.port:
field: port
interval: 60
query: SELECT * FROM listening_ports;
removed: false
snapshot: true
timeout: 120
saved_object_id: 1c266590-381f-428c-878f-c80c1334f856
shards:
- key: 47638692-7c4c-4053-aa3e-7186f28df349
value: 35
- key: 5e267651-fe50-443e-8d3f-3bbc9171b618
value: 58
updated_at: '2025-02-26T13:37:30.452Z'
updated_by: elastic
type: object
properties: {}
CreateSavedQueryRequestBody:
example:
description: Saved query description
ecs_mapping:
host.uptime:
field: total_seconds
id: saved_query_id
interval: '60'
platform: linux,darwin
query: select * from uptime;
timeout: 120
version: 2.8.0
type: object
properties:
description:
$ref: '#/components/schemas/DescriptionOrUndefined'
$ref: '#/components/schemas/SavedQueryDescriptionOrUndefined'
ecs_mapping:
$ref: '#/components/schemas/ECSMappingOrUndefined'
id:
@ -409,7 +589,7 @@ components:
interval:
$ref: '#/components/schemas/Interval'
platform:
$ref: '#/components/schemas/DescriptionOrUndefined'
$ref: '#/components/schemas/PlatformOrUndefined'
query:
$ref: '#/components/schemas/QueryOrUndefined'
removed:
@ -418,24 +598,34 @@ components:
$ref: '#/components/schemas/SnapshotOrUndefined'
version:
$ref: '#/components/schemas/VersionOrUndefined'
CreateSavedQueryResponse:
example:
data: {}
type: object
properties: {}
DefaultSuccessResponse:
type: object
properties: {}
Description:
type: string
DescriptionOrUndefined:
$ref: '#/components/schemas/Description'
nullable: true
ECSMapping:
additionalProperties:
$ref: '#/components/schemas/ECSMappingItem'
description: >-
Map osquery results columns or static values to Elastic Common Schema
(ECS) fields
example:
host.uptime:
field: total_seconds
type: object
ECSMappingItem:
type: object
properties:
field:
description: The ECS field to map to.
example: host.uptime
type: string
value:
description: The value to map to the ECS field.
example: total_seconds
oneOf:
- type: string
- items:
@ -445,71 +635,197 @@ components:
$ref: '#/components/schemas/ECSMapping'
nullable: true
Enabled:
description: Enables the pack.
example: true
type: boolean
EnabledOrUndefined:
$ref: '#/components/schemas/Enabled'
nullable: true
FindLiveQueryRequestQuery:
FindLiveQueryDetailsResponse:
example:
data:
'@timestamp': '2022-07-26T09:59:32.220Z'
action_id: 3c42c847-eb30-4452-80e0-728584042334
agents:
- 16d7caf5-efd2-4212-9b62-73dafc91fa13
expiration: '2022-07-26T10:04:32.220Z'
queries:
- action_id: 609c4c66-ba3d-43fa-afdd-53e244577aa0
agents:
- 16d7caf5-efd2-4212-9b62-73dafc91fa13
docs: 0
ecs_mapping:
host.uptime:
field: total_seconds
failed: 1
id: 6724a474-cbba-41ef-a1aa-66aebf0879e2
pending: 0
query: select * from uptime;
responded: 1
saved_query_id: 42ba9c50-0cc5-11ed-aa1d-2b27890bc90d
status: completed
successful: 0
status: completed
user_id: elastic
type: object
properties:
kuery:
$ref: '#/components/schemas/KueryOrUndefined'
page:
$ref: '#/components/schemas/PageOrUndefined'
pageSize:
$ref: '#/components/schemas/PageSizeOrUndefined'
sort:
$ref: '#/components/schemas/SortOrUndefined'
sortOrder:
$ref: '#/components/schemas/SortOrderOrUndefined'
FindPacksRequestQuery:
properties: {}
FindLiveQueryResponse:
example:
data:
items:
- fields:
'@timestamp': '2023-10-31T00:00:00Z'
action_id: 3c42c847-eb30-4452-80e0-728584042334
agents:
- 16d7caf5-efd2-4212-9b62-73dafc91fa13
expiration: '2023-10-31T00:00:00Z'
queries:
- action_id: 609c4c66-ba3d-43fa-afdd-53e244577aa0
agents:
- 16d7caf5-efd2-4212-9b62-73dafc91fa13
ecs_mapping:
host.uptime:
field: total_seconds
id: 6724a474-cbba-41ef-a1aa-66aebf0879e2
query: select * from uptime;
saved_query_id: 42ba9c50-0cc5-11ed-aa1d-2b27890bc90d
user_id: elastic
type: object
properties:
page:
$ref: '#/components/schemas/PageOrUndefined'
pageSize:
$ref: '#/components/schemas/PageSizeOrUndefined'
sort:
$ref: '#/components/schemas/SortOrUndefined'
sortOrder:
$ref: '#/components/schemas/SortOrderOrUndefined'
FindSavedQueryRequestQuery:
properties: {}
FindPackResponse:
example:
data:
created_at: '2022-07-25T19:41:10.263Z'
created_by: elastic
description: ''
enabled: true
id: 3c42c847-eb30-4452-80e0-728584042334
name: test_pack
namespaces:
- default
policy_ids: []
queries:
uptime:
ecs_mapping:
message:
field: days
interval: 3600
query: select * from uptime
read_only: false
type: osquery-pack
updated_at: '2022-07-25T20:12:01.455Z'
updated_by: elastic
type: object
properties:
page:
$ref: '#/components/schemas/PageOrUndefined'
pageSize:
$ref: '#/components/schemas/PageSizeOrUndefined'
sort:
$ref: '#/components/schemas/SortOrUndefined'
sortOrder:
$ref: '#/components/schemas/SortOrderOrUndefined'
GetLiveQueryResultsRequestQuery:
properties: {}
FindPacksResponse:
example:
data:
- attributes:
created_at: '2023-10-31T00:00:00Z'
created_by: elastic
description: My pack description
enabled: true
name: My Pack
queries:
- ecs_mapping:
- host.uptime:
field: total_seconds
id: uptime
interval: '3600'
query: select * from uptime;
updated_at: '2023-10-31T00:00:00Z'
updated_by: elastic
id: 42ba9c50-0cc5-11ed-aa1d-2b27890bc90d
namespaces:
- default
type: osquery-pack
page: 1
pageSize: 10
policy_ids: []
total: 1
type: object
properties:
kuery:
$ref: '#/components/schemas/KueryOrUndefined'
page:
$ref: '#/components/schemas/PageOrUndefined'
pageSize:
$ref: '#/components/schemas/PageSizeOrUndefined'
sort:
$ref: '#/components/schemas/SortOrUndefined'
sortOrder:
$ref: '#/components/schemas/SortOrderOrUndefined'
Id:
type: string
properties: {}
FindSavedQueryDetailResponse:
example:
data:
attributes:
created_at: '2022-07-26T09:28:08.597Z'
created_by: elastic
description: Saved query description
ecs_mapping:
host.uptime:
field: total_seconds
id: saved_query_id
interval: '60'
platform: linux,darwin
prebuilt: false
query: select * from uptime;
updated_at: '2022-07-26T09:28:08.597Z'
updated_by: elastic
version: 2.8.0
coreMigrationVersion: 8.4.0
id: 3c42c847-eb30-4452-80e0-728584042334
namespaces:
- default
references: []
type: osquery-saved-query
updated_at: '2022-07-26T09:28:08.600Z'
version: WzQzMTcsMV0=
type: object
properties: {}
FindSavedQueryResponse:
example:
data:
- attributes:
created_at: '2022-07-26T09:28:08.597Z'
created_by: elastic
description: Saved query description
ecs_mapping:
host.uptime:
field: total_seconds
id: saved_query_id
interval: '60'
platform: linux,darwin
prebuilt: false
query: select * from uptime;
updated_at: '2022-07-26T09:28:08.597Z'
updated_by: elastic
version: 2.8.0
id: 42ba9c50-0cc5-11ed-aa1d-2b27890bc90d
namespaces:
- default
type: osquery-saved-query
page: 1
per_page: 100
total: 11
type: object
properties: {}
GetLiveQueryResultsResponse:
description: The response for getting live query results.
example:
data:
edges:
- {}
- {}
total: 2
type: object
properties: {}
Interval:
description: An interval, in seconds, on which to run the query.
example: '60'
type: string
IntervalOrUndefined:
$ref: '#/components/schemas/Interval'
nullable: true
KueryOrUndefined:
description: The kuery to filter the results by.
example: 'agent.id: 16d7caf5-efd2-4212-9b62-73dafc91fa13'
nullable: true
type: string
ObjectQueries:
additionalProperties:
$ref: '#/components/schemas/ObjectQueriesItem'
description: An object of queries.
type: object
ObjectQueriesItem:
type: object
@ -517,7 +833,7 @@ components:
ecs_mapping:
$ref: '#/components/schemas/ECSMappingOrUndefined'
id:
$ref: '#/components/schemas/Id'
$ref: '#/components/schemas/QueryId'
platform:
$ref: '#/components/schemas/PlatformOrUndefined'
query:
@ -530,25 +846,48 @@ components:
$ref: '#/components/schemas/SnapshotOrUndefined'
version:
$ref: '#/components/schemas/VersionOrUndefined'
PackDescription:
description: The pack description.
example: Pack description
type: string
PackDescriptionOrUndefined:
$ref: '#/components/schemas/PackDescription'
nullable: true
PackId:
description: The ID of the pack you want to run, retrieve, update, or delete.
example: 3c42c847-eb30-4452-80e0-728584042334
type: string
PackIdOrUndefined:
$ref: '#/components/schemas/PackId'
nullable: true
PackName:
description: The pack name.
type: string
PageOrUndefined:
description: The page number to return. The default is 1.
example: 1
nullable: true
type: integer
PageSizeOrUndefined:
description: The number of results to return per page. The default is 20.
example: 20
nullable: true
type: integer
Platform:
description: >-
Restricts the query to a specified platform. The default is all
platforms. To specify multiple platforms, use commas. For example,
`linux,darwin`.
example: linux,darwin
type: string
PlatformOrUndefined:
$ref: '#/components/schemas/Platform'
nullable: true
PolicyIds:
description: A list of agents policy IDs.
example:
- policyId1
- policyId2
items:
type: string
type: array
@ -556,16 +895,33 @@ components:
$ref: '#/components/schemas/PolicyIds'
nullable: true
Query:
description: The SQL query you want to run.
example: select * from uptime;
type: string
QueryId:
description: The ID of the query.
example: 3c42c847-eb30-4452-80e0-728584042334
type: string
QueryOrUndefined:
$ref: '#/components/schemas/Query'
nullable: true
Removed:
description: Indicates whether the query is removed.
example: false
type: boolean
RemovedOrUndefined:
$ref: '#/components/schemas/Removed'
nullable: true
SavedQueryDescription:
description: The saved query description.
example: Saved query description
type: string
SavedQueryDescriptionOrUndefined:
$ref: '#/components/schemas/SavedQueryDescription'
nullable: true
SavedQueryId:
description: The ID of a saved query.
example: 3c42c847-eb30-4452-80e0-728584042334
type: string
SavedQueryIdOrUndefined:
$ref: '#/components/schemas/SavedQueryId'
@ -573,42 +929,85 @@ components:
Shards:
additionalProperties:
type: number
description: >-
An object with shard configuration for policies included in the pack.
For each policy, set the shard configuration to a percentage (1100) of
target hosts.
example:
policy_id: 50
type: object
Snapshot:
description: Indicates whether the query is a snapshot.
example: true
type: boolean
SnapshotOrUndefined:
$ref: '#/components/schemas/Snapshot'
nullable: true
SortOrderOrUndefined:
oneOf:
- nullable: true
type: string
- enum:
- asc
- desc
description: Specifies the sort order.
enum:
- asc
- desc
example: desc
type: string
SortOrUndefined:
default: createdAt
description: The field that is used to sort the results.
example: createdAt
nullable: true
type: string
UpdatePacksRequestBody:
example:
name: updated_my_pack_name
type: object
properties:
description:
$ref: '#/components/schemas/DescriptionOrUndefined'
$ref: '#/components/schemas/PackDescriptionOrUndefined'
enabled:
$ref: '#/components/schemas/EnabledOrUndefined'
id:
$ref: '#/components/schemas/PackId'
name:
$ref: '#/components/schemas/PackName'
policy_ids:
$ref: '#/components/schemas/PolicyIdsOrUndefined'
queries:
$ref: '#/components/schemas/ObjectQueries'
shards:
$ref: '#/components/schemas/Shards'
UpdatePacksResponse:
example:
data:
created_at: '2025-02-26T13:37:30.452Z'
created_by: elastic
description: My pack
enabled: true
name: updated_my_pack_name
queries:
ports:
ecs_mapping:
client.port:
field: port
interval: 60
query: SELECT * FROM listening_ports;
removed: false
snapshot: true
timeout: 120
saved_object_id: 1c266590-381f-428c-878f-c80c1334f856
shards:
- key: 47638692-7c4c-4053-aa3e-7186f28df349
value: 35
- key: 5e267651-fe50-443e-8d3f-3bbc9171b618
value: 58
updated_at: '2025-02-26T13:40:16.297Z'
updated_by: elastic
type: object
properties: {}
UpdateSavedQueryRequestBody:
example:
id: updated_my_saved_query_name
type: object
properties:
description:
$ref: '#/components/schemas/DescriptionOrUndefined'
$ref: '#/components/schemas/SavedQueryDescriptionOrUndefined'
ecs_mapping:
$ref: '#/components/schemas/ECSMappingOrUndefined'
id:
@ -616,7 +1015,7 @@ components:
interval:
$ref: '#/components/schemas/IntervalOrUndefined'
platform:
$ref: '#/components/schemas/DescriptionOrUndefined'
$ref: '#/components/schemas/PlatformOrUndefined'
query:
$ref: '#/components/schemas/QueryOrUndefined'
removed:
@ -625,7 +1024,16 @@ components:
$ref: '#/components/schemas/SnapshotOrUndefined'
version:
$ref: '#/components/schemas/VersionOrUndefined'
UpdateSavedQueryResponse:
example:
data: {}
type: object
properties: {}
Version:
description: >-
Uses the Osquery versions greater than or equal to the specified version
string.
example: 1.0.0
type: string
VersionOrUndefined:
$ref: '#/components/schemas/Version'
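Review bot: `SortOrderOrUndefined`, in the `@ -573,42 +929,85 @@` hunk just above `SortOrUndefined`, is self-contradictory under JSON Schema semantics: its `oneOf` has one branch that accepts any string and one that accepts only `asc`/`desc`, so `asc` and `desc` match both branches and fail the exactly-one rule, while the sibling top-level `enum` rejects every other value, leaving nothing a strict validator accepts and no single type for generated clients to render. Dropping the `oneOf` block and keeping the flat form with `nullable: true` beside `type: string` gives the schema the author evidently intends (an optional `asc`/`desc` string). The same shape appears in the `Security_Osquery_API_SortOrderOrUndefined` definition in the earlier file section. If this bundle is generated from the source schemas, the fix belongs in the source definition rather than here. On a related point, `PageSizeOrUndefined` documents a default of 20 but carries no `minimum`/`maximum`, so the spec tells consumers nothing about the page-size bound the server enforces; if one exists it is worth declaring.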


@ -31,10 +31,7 @@ import { OsqueryDeleteSavedQueryRequestParamsInput } from '@kbn/osquery-plugin/c
import { OsqueryFindLiveQueriesRequestQueryInput } from '@kbn/osquery-plugin/common/api/live_query/live_queries.gen';
import { OsqueryFindPacksRequestQueryInput } from '@kbn/osquery-plugin/common/api/packs/packs.gen';
import { OsqueryFindSavedQueriesRequestQueryInput } from '@kbn/osquery-plugin/common/api/saved_query/saved_query.gen';
import {
OsqueryGetLiveQueryDetailsRequestQueryInput,
OsqueryGetLiveQueryDetailsRequestParamsInput,
} from '@kbn/osquery-plugin/common/api/live_query/live_queries.gen';
import { OsqueryGetLiveQueryDetailsRequestParamsInput } from '@kbn/osquery-plugin/common/api/live_query/live_queries.gen';
import {
OsqueryGetLiveQueryResultsRequestQueryInput,
OsqueryGetLiveQueryResultsRequestParamsInput,
@ -213,8 +210,7 @@ export function SecuritySolutionApiProvider({ getService }: FtrProviderContext)
)
.set('kbn-xsrf', 'true')
.set(ELASTIC_HTTP_VERSION_HEADER, '2023-10-31')
.set(X_ELASTIC_INTERNAL_ORIGIN_REQUEST, 'kibana')
.query(props.query);
.set(X_ELASTIC_INTERNAL_ORIGIN_REQUEST, 'kibana');
},
/**
* Get the results of a live query using the query action ID.
@ -367,7 +363,6 @@ export interface OsqueryFindSavedQueriesProps {
query: OsqueryFindSavedQueriesRequestQueryInput;
}
export interface OsqueryGetLiveQueryDetailsProps {
query: OsqueryGetLiveQueryDetailsRequestQueryInput;
params: OsqueryGetLiveQueryDetailsRequestParamsInput;
}
export interface OsqueryGetLiveQueryResultsProps {