[8.16] [DOCS] Deletes asciidoc Osquery API docs (#216269) (#216433)

{defaultPrDescription}

<!--BACKPORT {commits} BACKPORT-->
natasha-moore-elastic 2025-03-31 16:23:26 +01:00 committed by GitHub
parent 4deefffb00
commit a646c34ebe
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
16 changed files with 0 additions and 1365 deletions


@ -1,47 +0,0 @@
[[osquery-manager-api]]
== Osquery manager API
.New API Reference
[sidebar]
--
For the most up-to-date API details, refer to {api-kibana}/group/endpoint-security-osquery-api[Osquery APIs].
--
experimental[] Run live queries, manage packs and saved queries
Use the osquery manager APIs for managing packs and saved queries.
The following osquery manager APIs are available:
* Live queries
** <<osquery-manager-live-queries-api-get-all, Get all live queries API>> to retrieve a list of live queries
** <<osquery-manager-live-queries-api-get, Get live query API>> to retrieve a single live query
** <<osquery-manager-live-queries-api-create, Create live query API>> to create a live query
** <<osquery-manager-live-queries-api-get-results, Get live query results API>> to retrieve the results of a single live query
* Packs
** <<osquery-manager-packs-api-get-all, Get all packs API>> to retrieve a list of packs
** <<osquery-manager-packs-api-get, Get pack API>> to retrieve a pack
** <<osquery-manager-packs-api-create, Create pack API>> to create a pack
** <<osquery-manager-packs-api-update, Update pack API>> to partially update an existing pack
** <<osquery-manager-packs-api-delete, Delete pack API>> to delete a pack
* Saved queries
** <<osquery-manager-saved-queries-api-get-all, Get all saved queries API>> to retrieve a list of saved queries
** <<osquery-manager-saved-queries-api-get, Get saved query API>> to retrieve a saved query
** <<osquery-manager-saved-queries-api-create, Create saved query API>> to create a saved query
** <<osquery-manager-saved-queries-api-update, Update saved query API>> to partially update an existing saved query
** <<osquery-manager-saved-queries-api-delete, Delete saved query API>> to delete a saved query
include::osquery-manager/live-queries/get.asciidoc[]
include::osquery-manager/live-queries/get-all.asciidoc[]
include::osquery-manager/live-queries/get-results.asciidoc[]
include::osquery-manager/live-queries/create.asciidoc[]
include::osquery-manager/packs/get.asciidoc[]
include::osquery-manager/packs/get-all.asciidoc[]
include::osquery-manager/packs/create.asciidoc[]
include::osquery-manager/packs/update.asciidoc[]
include::osquery-manager/packs/delete.asciidoc[]
include::osquery-manager/saved-queries/get.asciidoc[]
include::osquery-manager/saved-queries/get-all.asciidoc[]
include::osquery-manager/saved-queries/create.asciidoc[]
include::osquery-manager/saved-queries/update.asciidoc[]
include::osquery-manager/saved-queries/delete.asciidoc[]
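Review bot: every anchor defined on this page (`osquery-manager-api` and the `osquery-manager-live-queries-api-*`, `osquery-manager-packs-api-*` and `osquery-manager-saved-queries-api-*` IDs in the bullet list) disappears with it, so any `<<osquery-manager-...>>` cross-reference left in other asciidoc sources will break the docs build; grep the remaining sources for those IDs before merging. The `.New API Reference` sidebar pointing at `{api-kibana}/group/endpoint-security-osquery-api` was a reader's only signpost to the replacement, so the page that include is removed from should keep an equivalent pointer.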


@ -1,193 +0,0 @@
[[osquery-manager-live-queries-api-create]]
=== Create live query API
++++
<titleabbrev>Create live query</titleabbrev>
++++
.New API Reference
[sidebar]
--
For the most up-to-date API details, refer to {api-kibana}/group/endpoint-security-osquery-api[Osquery APIs].
--
experimental[] Create live queries.
[[osquery-manager-live-queries-api-create-request]]
==== Request
`POST <kibana host>:<port>/api/osquery/live_queries`
`POST <kibana host>:<port>/s/<space_id>/api/osquery/live_queries`
[[osquery-manager-live-queries-api-create-path-params]]
==== Path parameters
`space_id`::
(Optional, string) An identifier for the space. When `space_id` is not provided in the URL, the default space is used.
[[osquery-manager-live-queries-api-create-body-params]]
==== Request body
`agent_ids`:: (Optional, array) A list of agent IDs to run the query on.
`agent_all`:: (Optional, boolean) When `true`, the query runs on all agents.
`agent_platforms`:: (Optional, array) A list of agent platforms to run the query on.
`agent_policy_ids`:: (Optional, array) A list of agent policy IDs to run the query on.
`query`:: (Optional, string) The SQL query you want to run.
`saved_query_id`:: (Optional, string) The ID of a saved query.
`ecs_mapping`:: (Optional, object) Map osquery results columns or static values to Elastic Common Schema (ECS) fields.
`pack_id`:: (Optional, string) The ID of the pack you want to run.
`alert_ids`:: (Optional, array) A list of alert IDs associated to the live query.
`case_ids`:: (Optional, array) A list of case IDs associated to the live query.
`event_ids`:: (Optional, array) A list of event IDs associated to the live query.
`metadata`:: (Optional, object) Custom metadata object associated to the live query.
`timeout`:: (Optional, number) A timeout period, in seconds, after which the query will stop running. Overwriting the default timeout allows you to support queries that require more time to complete. The default and minimum supported value is `60`. The maximum supported value is `900`.
[[osquery-manager-live-queries-api-create-request-codes]]
==== Response code
`200`::
Indicates a successful call.
[[osquery-manager-live-queries-api-create-example]]
==== Examples
Run a live query on all supported agents:
TIP: `osquery_manager` integration has to be added to the agent policy.
[source,sh]
--------------------------------------------------
$ curl -X POST api/osquery/live_queries \
{
"query": "select * from uptime;",
"ecs_mapping": {
"host.uptime": {
"field": "total_seconds"
}
},
"agent_all": true,
"timeout": 120
}
--------------------------------------------------
// KIBANA
The API returns the live query object:
[source,sh]
--------------------------------------------------
{
"data": {
"action_id": "3c42c847-eb30-4452-80e0-728584042334",
"@timestamp": "2022-07-26T09:59:32.220Z",
"expiration": "2022-07-26T10:04:32.220Z", # after this time no more agents will run the query
"type": "INPUT_ACTION",
"input_type": "osquery",
"agent_ids": [],
"agent_all": true,
"agent_platforms": [],
"agent_policy_ids": [],
"agents": ["16d7caf5-efd2-4212-9b62-73dafc91fa13"], # stores the actual queried agent IDs
"user_id": "elastic",
"metadata": {
"execution_context": {
"name": "osquery",
"url": "/app/osquery/live_queries/new"
}
},
"queries": [
{
"action_id": "609c4c66-ba3d-43fa-afdd-53e244577aa0", # unique ID of the query, use it when querying the live query API to get the single query results
"id": "6724a474-cbba-41ef-a1aa-66aebf0879e2", # ID of the query, doesn't have to be unique
"query": "select * from uptime;",
"timeout": 120,
"ecs_mapping": {
"host.uptime": {
"field": "total_seconds"
}
},
"agents": [
"16d7caf5-efd2-4212-9b62-73dafc91fa13" # stores the actual queried agent IDs
]
}
]
}
}
--------------------------------------------------
Run a pack on Darwin-supported agents:
[source,sh]
--------------------------------------------------
$ curl -X POST api/osquery/live_queries \
{
"pack_id": "bbe5b070-0c51-11ed-b0f8-ad31b008e832"
"agent_platforms": ["darwin"]
}
--------------------------------------------------
// KIBANA
The API returns the live query object:
[source,sh]
--------------------------------------------------
{
"data": {
"action_id": "3c42c847-eb30-4452-80e0-728584042334",
"@timestamp": "2022-07-26T09:59:32.220Z",
"expiration": "2022-07-26T10:04:32.220Z", # after this time no more agents will run the query
"type": "INPUT_ACTION",
"input_type": "osquery",
"agent_ids": [],
"agent_all": false,
"agent_platforms": ["darwin"],
"agent_policy_ids": [],
"agents": ["16d7caf5-efd2-4212-9b62-73dafc91fa13"], # stores the actual queried agent IDs
"user_id": "elastic",
"pack_id": "bbe5b070-0c51-11ed-b0f8-ad31b008e832",
"pack_name": "test_pack",
"pack_prebuilt": false,
"metadata": {
"execution_context": {
"name": "osquery",
"url": "/app/osquery/live_queries/new"
}
},
"queries": [
{
"action_id": "609c4c66-ba3d-43fa-afdd-53e244577aa0", # unique ID of the query, use it when querying the live query API to get the single query results
"id": "uptime", # ID of the query, doesn't have to be unique
"query": "select * from uptime;",
"ecs_mapping": {
"host.uptime": {
"field": "total_seconds"
}
},
"agents": [
"16d7caf5-efd2-4212-9b62-73dafc91fa13" # stores the actual queried agent IDs
]
}
]
}
}
--------------------------------------------------
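Review bot: the `timeout` bounds in the request-body list (default and minimum `60`, maximum `900`) and the tip that the `osquery_manager` integration must be present in the agent policy are constraints a caller needs before running a query with `agent_all: true` against the whole fleet; confirm the OpenAPI-generated reference the sidebar points to states them before this page is removed. The `#` comments in the response examples also carried the only explanation of `queries[].action_id` (unique, the value to pass to the results endpoint) versus `queries[].id` (not unique) and of `expiration`; those field descriptions should exist in the spec as well. Minor: the pack example body lacks a comma after `"pack_id": "..."`, so it is not valid JSON.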


@ -1,104 +0,0 @@
[[osquery-manager-live-queries-api-get-all]]
=== Get live queries API
++++
<titleabbrev>Get live queries</titleabbrev>
++++
.New API Reference
[sidebar]
--
For the most up-to-date API details, refer to {api-kibana}/group/endpoint-security-osquery-api[Osquery APIs].
--
experimental[] Get live queries.
[[osquery-manager-live-queries-api-get-all-request]]
==== Request
`GET <kibana host>:<port>/api/osquery/live_queries`
`GET <kibana host>:<port>/s/<space_id>/api/osquery/live_queries`
[[osquery-manager-live-queries-api-get-all-params]]
==== Path parameters
`space_id`::
(Optional, string) An identifier for the space. When `space_id` is not provided in the URL, the default space is used.
[[osquery-manager-live-queries-api-get-all-query-params]]
==== Query parameters
`page`::
(Optional, integer) The page number to return. The default is `1`.
`pageSize`::
(Optional, integer) The number of rules to return per page. The default is `20`.
`sort`::
(Optional, string) The field that is used to sort the results. Options include `createdAt` or `updatedAt`.
The default is `createdAt`.
+
NOTE: Even though the JSON case object uses `created_at` and `updated_at`
fields, you must use `createdAt` and `updatedAt` fields in the URL
query.
`sortOrder`::
(Optional, string) Specified the sort order. Options include `desc` or `asc`.
The default is `desc`.
[[osquery-manager-live-queries-api-get-all-codes]]
==== Response code
`200`::
Indicates a successful call.
[[osquery-manager-live-queries-api-get-all-example]]
==== Example
Retrieve the last 10 live queries :
[source,sh]
--------------------------------------------------
$ curl -X GET api/osquery/live_queries?page=1&perPage=10
--------------------------------------------------
// KIBANA
The API returns a JSON object of the retrieved live queries:
[source,sh]
--------------------------------------------------
{
"page": 1,
"per_page": 10,
"total": 11,
"data": [
{
"action_id": "3c42c847-eb30-4452-80e0-728584042334",
"expiration": "2022-07-26T10:04:32.220Z",
"@timestamp": "2022-07-26T09:59:32.220Z",
"agents": ["16d7caf5-efd2-4212-9b62-73dafc91fa13"],
"user_id": "elastic",
"queries": [
{
"action_id": "609c4c66-ba3d-43fa-afdd-53e244577aa0",
"id": "6724a474-cbba-41ef-a1aa-66aebf0879e2",
"query": "select * from uptime;",
"saved_query_id": "42ba9c50-0cc5-11ed-aa1d-2b27890bc90d",
"ecs_mapping": {
"host.uptime": {
"field": "total_seconds"
}
},
"agents": ["16d7caf5-efd2-4212-9b62-73dafc91fa13"],
}
],
},
{...}
]
}
--------------------------------------------------
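Review bot: the query-parameter list names the page-size parameter `pageSize` and the sort parameter `sort`, but the example request sends `perPage` (and the prose says "last 10" for a `createdAt`-descending default while the example asks for `page=1`); the same `pageSize`/`perPage` and `sort`/`sortField` mismatch recurs on the packs and saved-queries list pages. Since this text is being retired in favour of the generated reference, check that the OpenAPI spec names the parameters the route actually accepts rather than inheriting either spelling. `pageSize` is also described as "the number of rules to return per page", a leftover from the rules API docs that should not be carried over.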


@ -1,70 +0,0 @@
[[osquery-manager-live-queries-api-get-results]]
=== Get live query results API
++++
<titleabbrev>Get live query results</titleabbrev>
++++
.New API Reference
[sidebar]
--
For the most up-to-date API details, refer to {api-kibana}/group/endpoint-security-osquery-api[Osquery APIs].
--
experimental[] Retrieve a single live query result by ID.
[[osquery-manager-live-queries-api-get-results-request]]
==== Request
`GET <kibana host>:<port>/api/osquery/live_queries/<id>/results/<query_action_id>`
`GET <kibana host>:<port>/s/<space_id>/api/osquery/live_queries/<query_action_id>`
[[osquery-manager-live-queries-api-get-results-params]]
==== Path parameters
`space_id`::
(Optional, string) The space identifier. When `space_id` is not provided in the URL, the default space is used.
`id`::
(Required, string) The ID of the live query result you want to retrieve.
`query_action_id`::
(Required, string) The ID of the query action that generated the live query results.
[[osquery-manager-live-queries-api-get-results-codes]]
==== Response code
`200`::
Indicates a successful call.
`404`::
The specified live query or <query_action_id> doesn't exist.
[[osquery-manager-live-queries-api-get-results-example]]
==== Example
Retrieve the live query results for `3c42c847-eb30-4452-80e0-728584042334` ID and `609c4c66-ba3d-43fa-afdd-53e244577aa0` query action ID:
[source,sh]
--------------------------------------------------
$ curl -X GET api/osquery/live_queries/3c42c847-eb30-4452-80e0-728584042334/results/609c4c66-ba3d-43fa-afdd-53e244577aa0
--------------------------------------------------
// KIBANA
The API returns a live query action single query result:
[source,sh]
--------------------------------------------------
{
"data": {
"total": 2,
"edges": [{...}, {...}],
}
}
--------------------------------------------------
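Review bot: the space-scoped request path `/s/<space_id>/api/osquery/live_queries/<query_action_id>` drops the `/<id>/results/` segment that the non-space path has, so the two lines describe different routes; whichever is correct, the generated reference should show the space-aware variant consistently. The `404` entry ("the specified live query or <query_action_id> doesn't exist") is the only documented failure mode for this endpoint and is worth preserving there.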


@ -1,89 +0,0 @@
[[osquery-manager-live-queries-api-get]]
=== Get live query API
++++
<titleabbrev>Get live query</titleabbrev>
++++
.New API Reference
[sidebar]
--
For the most up-to-date API details, refer to {api-kibana}/group/endpoint-security-osquery-api[Osquery APIs].
--
experimental[] Retrieves a single live query by ID.
[[osquery-manager-live-queries-api-get-request]]
==== Request
`GET <kibana host>:<port>/api/osquery/live_queries/<id>`
`GET <kibana host>:<port>/s/<space_id>/api/osquery/live_queries/<id>`
[[osquery-manager-live-queries-api-get-params]]
==== Path parameters
`space_id`::
(Optional, string) The space identifier. When `space_id` is not provided in the URL, the default space is used.
`id`::
(Required, string) The ID of the live query you want to retrieve.
[[osquery-manager-live-queries-api-get-codes]]
==== Response code
`200`::
Indicates a successful call.
`404`::
The specified live query and ID doesn't exist.
[[osquery-manager-live-queries-api-get-example]]
==== Example
Retrieve the live query object with the `bbe5b070-0c51-11ed-b0f8-ad31b008e832` ID:
[source,sh]
--------------------------------------------------
$ curl -X GET api/osquery/live_queries/bbe5b070-0c51-11ed-b0f8-ad31b008e832
--------------------------------------------------
// KIBANA
The API returns a live query object:
[source,sh]
--------------------------------------------------
{
"data": {
"action_id": "3c42c847-eb30-4452-80e0-728584042334",
"expiration": "2022-07-26T10:04:32.220Z",
"@timestamp": "2022-07-26T09:59:32.220Z",
"agents": ["16d7caf5-efd2-4212-9b62-73dafc91fa13"],
"user_id": "elastic",
"queries": [
{
"action_id": "609c4c66-ba3d-43fa-afdd-53e244577aa0",
"id": "6724a474-cbba-41ef-a1aa-66aebf0879e2",
"query": "select * from uptime;",
"saved_query_id": "42ba9c50-0cc5-11ed-aa1d-2b27890bc90d",
"ecs_mapping": {
"host.uptime": {
"field": "total_seconds"
}
},
"agents": ["16d7caf5-efd2-4212-9b62-73dafc91fa13"],
"docs": 0, # results count
"failed": 1, # failed queries
"pending": 0, # pending agents
"responded": 1, # total responded agents
"successful": 0, # successful agents
"status": "completed" # single query status
}
],
"status": "completed" # global status of the live query (completed, pending)
}
}
--------------------------------------------------
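Review bot: the example claims to retrieve live query `bbe5b070-0c51-11ed-b0f8-ad31b008e832` but the returned `action_id` is `3c42c847-eb30-4452-80e0-728584042334`, and the `#` comments on `docs`, `failed`, `pending`, `responded`, `successful` and on the per-query versus global `status` were the only place those result counters were explained. Make sure the replacement reference documents those response fields and the `status` values the comment lists (`completed`, `pending`).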


@ -1,105 +0,0 @@
[[osquery-manager-packs-api-create]]
=== Create pack API
++++
<titleabbrev>Create pack</titleabbrev>
++++
.New API Reference
[sidebar]
--
For the most up-to-date API details, refer to {api-kibana}/group/endpoint-security-osquery-api[Osquery APIs].
--
experimental[] Create packs.
[[osquery-manager-packs-api-create-request]]
==== Request
`POST <kibana host>:<port>/api/osquery/packs`
`POST <kibana host>:<port>/s/<space_id>/api/osquery/packs`
[[osquery-manager-packs-api-create-path-params]]
==== Path parameters
`space_id`::
(Optional, string) The space identifier. When `space_id` is not provided in the URL, the default space is used.
[[osquery-manager-packs-api-create-body-params]]
==== Request body
`name`:: (Required, string) The pack name.
`description`:: (Optional, string) The pack description.
`enabled`:: (Optional, boolean) Enables the pack.
`policy_ids`:: (Optional, array) A list of agents policy IDs.
`shards`:: (Optional, object) An object with shard configuration for policies included in the pack. For each policy, set the shard configuration to a percentage (1100) of target hosts.
`queries`:: (Required, object) An object of queries.
[[osquery-manager-packs-api-create-request-codes]]
==== Response code
`200`::
Indicates a successful call.
[[osquery-manager-packs-api-create-example]]
==== Examples
Create a pack:
[source,sh]
--------------------------------------------------
$ curl -X POST api/osquery/packs \
{
"name": "my_pack",
"description": "My pack",
"enabled": true,
"policy_ids": [
"my_policy_id",
"fleet-server-policy"
],
"shards": {
"my_policy_id": 35,
"fleet-server-policy": 58
},
"queries": {
"my_query": {
"query": "SELECT * FROM listening_ports;",
"interval": 60,
"timeout": 120,
"ecs_mapping": {
"client.port": {
"field": "port"
},
"tags": {
"value": [
"tag1",
"tag2"
]
}
}
}
}
}
--------------------------------------------------
// KIBANA
The API returns the pack object:
[source,sh]
--------------------------------------------------
{
"data": {...}
}
--------------------------------------------------
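Review bot: `shards` is described as "a percentage (1100) of target hosts", where the range separator was lost (the example values 35 and 58 show the intended range is 1 to 100); confirm the OpenAPI description states the bounds explicitly instead of inheriting the garbled text. The example also puts `fleet-server-policy` in `policy_ids` and `shards`: scheduling arbitrary osquery SQL on the Fleet Server policy is an unusual thing to show as the default, so the replacement examples should target an ordinary endpoint policy.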


@ -1,51 +0,0 @@
[[osquery-manager-packs-api-delete]]
=== Delete pack API
++++
<titleabbrev>Delete pack</titleabbrev>
++++
.New API Reference
[sidebar]
--
For the most up-to-date API details, refer to {api-kibana}/group/endpoint-security-osquery-api[Osquery APIs].
--
experimental[] Delete packs.
WARNING: Once you delete a pack, _it cannot be recovered_.
[[osquery-manager-packs-api-delete-request]]
==== Request
`DELETE <kibana host>:<port>/api/osquery/packs/<id>`
`DELETE <kibana host>:<port>/s/<space_id>/api/osquery/packs/<id>`
[[osquery-manager-packs-api-delete-path-params]]
==== Path parameters
`space_id`::
(Optional, string) The space identifier. When `space_id` is not provided in the URL, the default space is used.
`id`::
(Required, string) The ID of the pack you want to delete.
[[osquery-manager-packs-api-delete-response-codes]]
==== Response code
`200`::
Indicates that the pack is deleted. Returns an empty response body.
[[osquery-manager-packs-api-delete-example]]
==== Example
Delete a pack object with the `bbe5b070-0c51-11ed-b0f8-ad31b008e832` ID:
[source,sh]
--------------------------------------------------
$ curl -X DELETE api/osquery/packs/bbe5b070-0c51-11ed-b0f8-ad31b008e832
--------------------------------------------------
// KIBANA


@ -1,113 +0,0 @@
[[osquery-manager-packs-api-get-all]]
=== Get packs API
++++
<titleabbrev>Get packs</titleabbrev>
++++
.New API Reference
[sidebar]
--
For the most up-to-date API details, refer to {api-kibana}/group/endpoint-security-osquery-api[Osquery APIs].
--
experimental[] Get packs.
[[osquery-manager-packs-api-get-all-request]]
==== Request
`GET <kibana host>:<port>/api/osquery/packs`
`GET <kibana host>:<port>/s/<space_id>/api/osquery/packs`
[[osquery-manager-packs-api-get-all-params]]
==== Path parameters
`space_id`::
(Optional, string) The space identifier. When `space_id` is not provided in the URL, the default space is used.
[[osquery-manager-packs-api-get-all-query-params]]
==== Query parameters
`page`::
(Optional, integer) The page number to return. The default is `1`.
`pageSize`::
(Optional, integer) The number of rules to return per page. The default is `20`.
`sort`::
(Optional, string) Specifies the field that sorts the results. Options include `createdAt` or `updatedAt`.
The default is `createdAt`.
+
NOTE: Even though the JSON case object uses the `created_at` and `updated_at`
fields, you must use `createdAt` and `updatedAt` fields in the URL
query.
`sortOrder`::
(Optional, string) Specifies the sort order. Options include `desc` or `asc`.
The default is `desc`.
[[osquery-manager-packs-api-get-all-codes]]
==== Response code
`200`::
Indicates a successful call.
[[osquery-manager-packs-api-get-all-example]]
==== Example
Retrieve the first 10 packs:
[source,sh]
--------------------------------------------------
$ curl -X GET api/osquery/packs?page=1&perPage=10&sortField=updatedAt&sortOrder=asc
--------------------------------------------------
// KIBANA
The API returns a JSON object with the retrieved packs:
[source,sh]
--------------------------------------------------
{
"page": 1,
"per_page": 10,
"total": 11,
"data": [
{
"type": "osquery-pack",
"id": "bbe5b070-0c51-11ed-b0f8-ad31b008e832",
"namespaces": ["default"],
"attributes": {
"name": "test_pack",
"queries": [
{
"query": "select * from uptime",
"interval": 3600,
"id": "uptime",
"ecs_mapping": [
{
"value": {
"field": "days"
},
"key": "message"
}
]
}
],
"enabled": true,
"created_at": "2022-07-25T19:41:10.263Z",
"created_by": "elastic",
"updated_at": "2022-07-25T20:12:01.455Z",
"updated_by": "elastic",
"description": ""
},
"policy_ids": []
},
{...}
]
}
}
--------------------------------------------------
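Review bot: the example response is not valid JSON (one `}` too many at the end), `policy_ids` sits outside `attributes` while every other property is inside it, and the list items use a saved-object envelope (`type`, `namespaces`, `attributes`) that the single-pack response in the next hunk flattens into `data`. Verify which shape the list endpoint really returns and that the generated reference's example validates, rather than copying this one.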


@ -1,88 +0,0 @@
[[osquery-manager-packs-api-get]]
=== Get pack API
++++
<titleabbrev>Get pack</titleabbrev>
++++
.New API Reference
[sidebar]
--
For the most up-to-date API details, refer to {api-kibana}/group/endpoint-security-osquery-api[Osquery APIs].
--
experimental[] Retrieve a single pack by ID.
[[osquery-manager-packs-api-get-request]]
==== Request
`GET <kibana host>:<port>/api/osquery/packs/<id>`
`GET <kibana host>:<port>/s/<space_id>/api/osquery/packs/<id>`
[[osquery-manager-packs-api-get-params]]
==== Path parameters
`space_id`::
(Optional, string) The space identifier. When `space_id` is not provided in the URL, the default space is used.
`id`::
(Required, string) The ID of the pack you want to retrieve.
[[osquery-manager-packs-api-get-codes]]
==== Response code
`200`::
Indicates a successful call.
`404`::
The specified pack and ID doesn't exist.
[[osquery-manager-packs-api-get-example]]
==== Example
Retrieve the pack object with the `bbe5b070-0c51-11ed-b0f8-ad31b008e832` ID:
[source,sh]
--------------------------------------------------
$ curl -X GET api/osquery/packs/bbe5b070-0c51-11ed-b0f8-ad31b008e832
--------------------------------------------------
// KIBANA
The API returns the pack object:
[source,sh]
--------------------------------------------------
{
"data": {
"id": "bbe5b070-0c51-11ed-b0f8-ad31b008e832",
"type": "osquery-pack",
"namespaces": [
"default"
],
"updated_at": "2022-07-25T20:12:01.455Z",
"name": "test_pack",
"queries": {
"uptime": {
"interval": 3600,
"query": "select * from uptime",
"ecs_mapping": {
"message": {
"field": "days"
}
}
}
},
"enabled": true,
"created_at": "2022-07-25T19:41:10.263Z",
"created_by": "elastic",
"updated_by": "elastic",
"description": "",
"policy_ids": [],
"read_only": false # true for prebuilt packs
}
}
--------------------------------------------------
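Review bot: `read_only` ("true for prebuilt packs") is explained only in a trailing `#` comment here, yet it is the flag the update page's warning depends on; make sure the replacement schema documents it as a response property and that `ecs_mapping` is shown in one shape (this page uses an object keyed by ECS field, the list page in the previous hunk uses an array of `{key, value}` pairs).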


@ -1,82 +0,0 @@
[[osquery-manager-packs-api-update]]
=== Update pack API
++++
<titleabbrev>Update pack</titleabbrev>
++++
.New API Reference
[sidebar]
--
For the most up-to-date API details, refer to {api-kibana}/group/endpoint-security-osquery-api[Osquery APIs].
--
experimental[] Update packs.
WARNING: You are unable to update a prebuilt pack (`read_only = true`).
[[osquery-manager-packs-api-update-request]]
==== Request
`PUT <kibana host>:<port>/api/osquery/packs/<id>`
`PUT <kibana host>:<port>/s/<space_id>/api/osquery/packs/<id>`
[[osquery-manager-packs-api-update-path-params]]
==== Path parameters
`space_id`::
(Optional, string) The space identifier. When `space_id` is not provided in the URL, the default space is used.
`id`::
(Required, string) The ID of the pack you want to update.
[[osquery-manager-packs-api-update-body-params]]
==== Request body
`name`:: (Optional, string) The pack name.
`description`:: (Optional, string) The pack description.
`enabled`:: (Optional, boolean) Enables the pack.
`policy_ids`:: (Optional, array) A list of agent policy IDs.
`shards`:: (Optional, object) An object with shard configuration for policies included in the pack. For each policy, set the shard configuration to a percentage (1100) of target hosts.
`queries`:: (Required, object) An object of queries.
[[osquery-manager-packs-api-update-request-codes]]
==== Response code
`200`::
Indicates a successful call.
[[osquery-manager-packs-api-update-example]]
==== Examples
Update a name of the <my_pack> pack:
[source,sh]
--------------------------------------------------
$ curl -X PUT api/osquery/packs/<id> \
{
"name": "updated_my_pack_name",
}
--------------------------------------------------
// KIBANA
The API returns the pack saved object:
[source,sh]
--------------------------------------------------
{
"data": {...}
}
--------------------------------------------------
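Review bot: the request-body list marks `queries` as Required, yet the example updates only `name` and the index page called this a partial update; the example body also ends in a trailing comma, so it is not valid JSON. Confirm in the generated reference whether `PUT /api/osquery/packs/<id>` merges or replaces and whether `queries` must be resent; the `read_only = true` warning for prebuilt packs should survive the move too.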


@ -1,92 +0,0 @@
[[osquery-manager-saved-queries-api-create]]
=== Create saved query API
++++
<titleabbrev>Create saved query</titleabbrev>
++++
.New API Reference
[sidebar]
--
For the most up-to-date API details, refer to {api-kibana}/group/endpoint-security-osquery-api[Osquery APIs].
--
experimental[] Create saved queries.
[[osquery-manager-saved-queries-api-create-request]]
==== Request
`POST <kibana host>:<port>/api/osquery/saved_queries`
`POST <kibana host>:<port>/s/<space_id>/api/osquery/saved_queries`
[[osquery-manager-saved-queries-api-create-path-params]]
==== Path parameters
`space_id`::
(Optional, string) The space identifier. When `space_id` is not provided in the URL, the default space is used.
[[osquery-manager-saved-queries-api-create-body-params]]
==== Request body
`id`:: (Required, string) The saved query name.
`description`:: (Optional, string) The saved query description.
`platform`:: (Optional, string) Restricts the query to a specified platform. The default is 'all' platforms. To specify multiple platforms, use commas. For example, 'linux,darwin'.
`query`:: (Required, string) The SQL query you want to run.
`version`:: (Optional, string) Uses the Osquery versions greater than or equal to the specified version string.
`interval`:: (Optional, string) An interval, in seconds, on which to run the query.
`ecs_mapping`:: (Optional, object) Maps Osquery results columns or static values to ECS fields.
`timeout`:: (Optional, number) A timeout period, in seconds, after which the query will stop running. Overwriting the default timeout allows you to support queries that require more time to complete. The default and minimum supported value is `60`. The maximum supported value is `900`.
[[osquery-manager-saved-queries-api-create-request-codes]]
==== Response code
`200`::
Indicates a successful call.
[[osquery-manager-saved-queries-api-create-example]]
==== Examples
Create a saved query:
[source,sh]
--------------------------------------------------
$ curl -X POST api/osquery/saved_queries \
{
"id": "saved_query_id",
"description": "Saved query description",
"query": "select * from uptime;",
"interval": "60",
"timeout": 120,
"version": "2.8.0",
"platform": "linux,darwin",
"ecs_mapping": {
"host.uptime": {
"field": "total_seconds"
}
}
}
--------------------------------------------------
// KIBANA
The API returns the saved query object:
[source,sh]
--------------------------------------------------
{
"data": {...}
}
--------------------------------------------------
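Review bot: `id` in the request body is documented as "the saved query name" (the example sets it to `saved_query_id`), which is a different identifier from the saved-object `<id>` that the get, update and delete routes take in the path, and the page never says so. The generated reference should state the body field's role unambiguously (a caller-chosen identifier, not the object ID) so callers do not try to PUT or DELETE by that value.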


@ -1,51 +0,0 @@
[[osquery-manager-saved-queries-api-delete]]
=== Delete saved query API
++++
<titleabbrev>Delete saved query</titleabbrev>
++++
.New API Reference
[sidebar]
--
For the most up-to-date API details, refer to {api-kibana}/group/endpoint-security-osquery-api[Osquery APIs].
--
experimental[] Delete saved queries.
WARNING: Once you delete a saved query, _it cannot be recovered_.
[[osquery-manager-saved-queries-api-delete-request]]
==== Request
`DELETE <kibana host>:<port>/api/osquery/saved_queries/<id>`
`DELETE <kibana host>:<port>/s/<space_id>/api/osquery/saved_queries/<id>`
[[osquery-manager-saved-queries-api-delete-path-params]]
==== Path parameters
`space_id`::
(Optional, string) The space identifier. When `space_id` is not provided in the URL, the default space is used.
`id`::
(Required, string) The ID of the saved query you want to delete.
[[osquery-manager-saved-queries-api-delete-response-codes]]
==== Response code
`200`::
Indicates the saved query is deleted. Returns an empty response body.
[[osquery-manager-saved-queries-api-delete-example]]
==== Example
Delete a saved query object with the `42ba9c50-0cc5-11ed-aa1d-2b27890bc90d` ID:
[source,sh]
--------------------------------------------------
$ curl -X DELETE api/osquery/saved_queries/42ba9c50-0cc5-11ed-aa1d-2b27890bc90d
--------------------------------------------------
// KIBANA


@ -1,105 +0,0 @@
[[osquery-manager-saved-queries-api-get-all]]
=== Get saved-queries API
++++
<titleabbrev>Get saved-queries</titleabbrev>
++++
.New API Reference
[sidebar]
--
For the most up-to-date API details, refer to {api-kibana}/group/endpoint-security-osquery-api[Osquery APIs].
--
experimental[] Get saved queries.
[[osquery-manager-saved-queries-api-get-all-request]]
==== Request
`GET <kibana host>:<port>/api/osquery/saved_queries`
`GET <kibana host>:<port>/s/<space_id>/api/osquery/saved_queries`
[[osquery-manager-saved-queries-api-get-all-params]]
==== Path parameters
`space_id`::
(Optional, string) The space identifier. When `space_id` is not provided in the URL, the default space is used.
[[osquery-manager-saved-queries-api-get-all-query-params]]
==== Query parameters
`page`::
(Optional, integer) The page number to return. The default is `1`.
`pageSize`::
(Optional, integer) The number of rules to return per page. The default is `20`.
`sort`::
(Optional, string) Specifies the field that sorts the results.
Options include `createdAt` or `updatedAt`. The default is `createdAt`.
+
NOTE: Even though the JSON case object uses the `created_at` and `updated_at`
fields, you must use `createdAt` and `updatedAt` fields in the URL
query.
`sortOrder`::
(Optional, string) Determines the sort order. Options include `desc` or `asc`.
The default is `desc`.
[[osquery-manager-saved-queries-api-get-all-codes]]
==== Response code
`200`::
Indicates a successful call.
[[osquery-manager-saved-queries-api-get-all-example]]
==== Example
Retrieve the first 10 saved queries:
[source,sh]
--------------------------------------------------
$ curl -X GET api/osquery/saved-queries?page=1&perPage=10&sortField=updatedAt&sortOrder=asc
--------------------------------------------------
// KIBANA
The API returns a JSON object of the retrieved saved queries:
[source,sh]
--------------------------------------------------
{
"page": 1,
"per_page": 100,
"total": 11,
"data": [
{
"type": "osquery-saved-query",
"id": "42ba9c50-0cc5-11ed-aa1d-2b27890bc90d",
"namespaces": ["default"],
"attributes": {
"id": "saved_query_id",
"description": "Saved query description",
"query": "select * from uptime;",
"platform": "linux,darwin",
"version": "2.8.0",
"interval": "60",
"ecs_mapping": {
"host.uptime": {
"field": "total_seconds"
}
},
"created_by": "elastic",
"created_at": "2022-07-26T09:28:08.597Z",
"updated_by": "elastic",
"updated_at": "2022-07-26T09:28:08.597Z",
"prebuilt": false
},
},
{...}
]
}
--------------------------------------------------
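Review bot: the example request hits `api/osquery/saved-queries` (hyphen) while the request section and every other page use `saved_queries`, and the response shows `per_page: 100` for a request that asked for `perPage=10`. Both look like copy errors, but since this page is being replaced, check the generated reference's example against a real response instead of carrying these values over.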


@ -1,90 +0,0 @@
[[osquery-manager-saved-queries-api-get]]
=== Get saved query API
++++
<titleabbrev>Get saved query</titleabbrev>
++++
.New API Reference
[sidebar]
--
For the most up-to-date API details, refer to {api-kibana}/group/endpoint-security-osquery-api[Osquery APIs].
--
experimental[] Retrieve a single saved query by ID.
[[osquery-manager-saved-queries-api-get-request]]
==== Request
`GET <kibana host>:<port>/api/osquery/saved_queries/<id>`
`GET <kibana host>:<port>/s/<space_id>/api/osquery/saved_queries/<id>`
[[osquery-manager-saved-queries-api-get-params]]
==== Path parameters
`space_id`::
(Optional, string) The space identifier. When `space_id` is not provided in the URL, the default space is used.
`id`::
(Required, string) The ID of the saved query you want to retrieve.
[[osquery-manager-saved-queries-api-get-codes]]
==== Response code
`200`::
Indicates a successful call.
`404`::
The specified saved query and ID doesn't exist.
[[osquery-manager-saved-queries-api-get-example]]
==== Example
Retrieve the saved query object with the `42ba9c50-0cc5-11ed-aa1d-2b27890bc90d` ID:
[source,sh]
--------------------------------------------------
$ curl -X GET api/osquery/saved_queries/42ba9c50-0cc5-11ed-aa1d-2b27890bc90d
--------------------------------------------------
// KIBANA
The API returns the saved query object:
[source,sh]
--------------------------------------------------
{
"data": {
"id": "42ba9c50-0cc5-11ed-aa1d-2b27890bc90d",
"type": "osquery-saved-query",
"namespaces": [
"default"
],
"updated_at": "2022-07-26T09:28:08.600Z",
"version": "WzQzMTcsMV0=",
"attributes": {
"id": "saved_query_id",
"description": "Saved query description",
"query": "select * from uptime;",
"platform": "linux,darwin",
"version": "2.8.0",
"interval": "60",
"ecs_mapping": {
"host.uptime": {
"field": "total_seconds"
}
},
"created_by": "elastic",
"created_at": "2022-07-26T09:28:08.597Z",
"updated_by": "elastic",
"updated_at": "2022-07-26T09:28:08.597Z",
"prebuilt": false
},
"references": [],
"coreMigrationVersion": "8.4.0"
}
}
--------------------------------------------------
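Review bot: two fields named `version` appear in the response with unrelated meanings: the top-level `"version": "WzQzMTcsMV0="` is Kibana's saved-object version string, while `attributes.version: "2.8.0"` is the minimum osquery version the query targets. Neither is described on the page; the replacement schema should document both so the saved-object `version` is not mistaken for an osquery constraint.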


@ -1,84 +0,0 @@
[[osquery-manager-saved-queries-api-update]]
=== Update saved query API
++++
<titleabbrev>Update saved query</titleabbrev>
++++
.New API Reference
[sidebar]
--
For the most up-to-date API details, refer to {api-kibana}/group/endpoint-security-osquery-api[Osquery APIs].
--
experimental[] Update saved queries.
WARNING: You are unable to update a prebuilt saved query (`prebuilt = true`).
[[osquery-manager-saved-queries-api-update-request]]
==== Request
`PUT <kibana host>:<port>/api/osquery/saved_queries/<id>`
`PUT <kibana host>:<port>/s/<space_id>/api/osquery/saved_queries/<id>`
[[osquery-manager-saved-queries-api-update-path-params]]
==== Path parameters
`space_id`::
(Optional, string) The space identifier. When `space_id` is not provided in the URL, the default space is used.
`id`::
(Required, string) The ID of the saved query you want to update.
[[osquery-manager-saved-queries-api-update-body-params]]
==== Request body
`id`:: (Required, string) The saved query name.
`description`:: (Optional, string) The saved query description.
`platform`:: (Optional, string) Restricts the query to a specified platform. The default is 'all' platforms. To specify multiple platforms, use commas. For example, 'linux,darwin'.
`query`:: (Required, string) The SQL query you want to run.
`version`:: (Optional, string) Runs on Osquery versions greater than or equal to the specified version string.
`interval`:: (Optional, integer) The interval, in seconds, to run the query.
`ecs_mapping`:: (Optional, object) Maps Osquery result columns or static values to ECS fields.
[[osquery-manager-saved-queries-api-update-request-codes]]
==== Response code
`200`::
Indicates a successful call.
[[osquery-manager-saved-queries-api-update-example]]
==== Examples
Update a name of the <my_saved query> saved query:
[source,sh]
--------------------------------------------------
$ curl -X PUT api/osquery/saved_queries/<id> \
{
"id": "updated_my_saved_query_name",
}
--------------------------------------------------
// KIBANA
The API returns the saved query saved object:
[source,sh]
--------------------------------------------------
{
"data": {...}
}
--------------------------------------------------
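Review bot: `interval` is typed integer here but string on the create page (whose example sends `"60"`), `timeout` is accepted on create but missing from this body list, and `id` and `query` are marked Required while the example sends only `id` (with a trailing comma that makes the body invalid JSON). Confirm that the OpenAPI schema settles the type of `interval`, whether `timeout` can be updated, and whether `query` must be resent on PUT; the `prebuilt = true` warning belongs in the reference as well.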


@ -109,7 +109,6 @@ include::{kibana-root}/docs/api/cases.asciidoc[]
include::{kibana-root}/docs/api/dashboard-api.asciidoc[]
include::{kibana-root}/docs/api/logstash-configuration-management.asciidoc[]
include::{kibana-root}/docs/api/machine-learning.asciidoc[]
include::{kibana-root}/docs/api/osquery-manager.asciidoc[]
include::{kibana-root}/docs/api/short-urls.asciidoc[]
include::{kibana-root}/docs/api/task-manager/health.asciidoc[]
include::{kibana-root}/docs/api/upgrade-assistant.asciidoc[]
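Review bot: dropping this `include::` together with the deleted files removes the `osquery-manager-api` page and all its anchors from the built book, so readers with bookmarks or external links to those pages will get 404s. If the docs build supports redirects, add one from the old Osquery manager API page to `{api-kibana}/group/endpoint-security-osquery-api`; otherwise call out the move in the release notes for this version.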