[8.16] [EDR Workflows][Osquery] OpenApi Missing Content (#212032) (#212639)

# Backport

This will backport the following commits from `main` to `8.16`:
- [[EDR Workflows][Osquery] OpenApi Missing Content
(#212032)](https://github.com/elastic/kibana/pull/212032)

<!--- Backport version: 9.6.6 -->

### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sorenlouv/backport)

<!--BACKPORT [{"author":{"name":"Konrad
Szwarc","email":"konrad.szwarc@elastic.co"},"sourceCommit":{"committedDate":"2025-02-27T12:29:04Z","message":"[EDR
Workflows][Osquery] OpenApi Missing Content (#212032)\n\nPart of DW team
effort -\nhttps://github.com/elastic/security-team/issues/11804\n\nThis
PR aligns the property/schema descriptions and examples in\nAsciiDocs
with OpenAPI schemas. The primary goal of this PR was not to\nextend or
enhance the documentation but to migrate from one system
to\nanother.\n\nAscii docs
-\nhttps://www.elastic.co/guide/en/kibana/8.17/osquery-manager-api.html\nOpenApi
generated docs
-\nhttps://www.elastic.co/docs/api/doc/kibana/operation/operation-osqueryfindlivequeries\n\nChanges:\n1.
Copied missing property descriptions from AsciiDoc to
OpenApi\nproperties\n2. Copied existing AsciiDoc examples for both
requests and responses\n3. Fixed falsy query object in some GET requests
- in OpenApi it was\ndefined as an object, not as path query
params.\n\n---------\n\nCo-authored-by: kibanamachine
<42973632+kibanamachine@users.noreply.github.com>\nCo-authored-by:
natasha-moore-elastic
<137783811+natasha-moore-elastic@users.noreply.github.com>","sha":"92867c697dc573867e6450249178d16110d34603","branchLabelMapping":{"^v9.1.0$":"main","^v8.19.0$":"8.x","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:skip","v9.0.0","Team:Defend
Workflows","backport:prev-minor","backport:prev-major","v8.16.0","v8.17.0","v8.18.0","v9.1.0"],"title":"[EDR
Workflows][Osquery] OpenApi Missing
Content","number":212032,"url":"https://github.com/elastic/kibana/pull/212032","mergeCommit":{"message":"[EDR
Workflows][Osquery] OpenApi Missing Content (#212032)\n\nPart of DW team
effort -\nhttps://github.com/elastic/security-team/issues/11804\n\nThis
PR aligns the property/schema descriptions and examples in\nAsciiDocs
with OpenAPI schemas. The primary goal of this PR was not to\nextend or
enhance the documentation but to migrate from one system
to\nanother.\n\nAscii docs
-\nhttps://www.elastic.co/guide/en/kibana/8.17/osquery-manager-api.html\nOpenApi
generated docs
-\nhttps://www.elastic.co/docs/api/doc/kibana/operation/operation-osqueryfindlivequeries\n\nChanges:\n1.
Copied missing property descriptions from AsciiDoc to
OpenApi\nproperties\n2. Copied existing AsciiDoc examples for both
requests and responses\n3. Fixed falsy query object in some GET requests
- in OpenApi it was\ndefined as an object, not as path query
params.\n\n---------\n\nCo-authored-by: kibanamachine
<42973632+kibanamachine@users.noreply.github.com>\nCo-authored-by:
natasha-moore-elastic
<137783811+natasha-moore-elastic@users.noreply.github.com>","sha":"92867c697dc573867e6450249178d16110d34603"}},"sourceBranch":"main","suggestedTargetBranches":["9.0","8.16","8.17","8.18"],"targetPullRequestStates":[{"branch":"9.0","label":"v9.0.0","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"8.16","label":"v8.16.0","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"8.17","label":"v8.17.0","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"8.18","label":"v8.18.0","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"main","label":"v9.1.0","branchLabelMappingKey":"^v9.1.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/212032","number":212032,"mergeCommit":{"message":"[EDR
Workflows][Osquery] OpenApi Missing Content (#212032)\n\nPart of DW team
effort -\nhttps://github.com/elastic/security-team/issues/11804\n\nThis
PR aligns the property/schema descriptions and examples in\nAsciiDocs
with OpenAPI schemas. The primary goal of this PR was not to\nextend or
enhance the documentation but to migrate from one system
to\nanother.\n\nAscii docs
-\nhttps://www.elastic.co/guide/en/kibana/8.17/osquery-manager-api.html\nOpenApi
generated docs
-\nhttps://www.elastic.co/docs/api/doc/kibana/operation/operation-osqueryfindlivequeries\n\nChanges:\n1.
Copied missing property descriptions from AsciiDoc to
OpenApi\nproperties\n2. Copied existing AsciiDoc examples for both
requests and responses\n3. Fixed falsy query object in some GET requests
- in OpenApi it was\ndefined as an object, not as path query
params.\n\n---------\n\nCo-authored-by: kibanamachine
<42973632+kibanamachine@users.noreply.github.com>\nCo-authored-by:
natasha-moore-elastic
<137783811+natasha-moore-elastic@users.noreply.github.com>","sha":"92867c697dc573867e6450249178d16110d34603"}}]}]
BACKPORT-->

---------

Co-authored-by: Konrad Szwarc <konrad.szwarc@elastic.co>
This commit is contained in:
Kibana Machine 2025-02-28 01:47:12 +11:00 committed by GitHub
parent 0ffba3ab86
commit c44749f8f7
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
35 changed files with 2745 additions and 715 deletions


@ -36724,16 +36724,36 @@ paths:
operationId: OsqueryFindLiveQueries
parameters:
- in: query
name: query
required: true
name: kuery
required: false
schema:
$ref: '#/components/schemas/Security_Osquery_API_FindLiveQueryRequestQuery'
$ref: '#/components/schemas/Security_Osquery_API_KueryOrUndefined'
- in: query
name: page
required: false
schema:
$ref: '#/components/schemas/Security_Osquery_API_PageOrUndefined'
- in: query
name: pageSize
required: false
schema:
$ref: '#/components/schemas/Security_Osquery_API_PageSizeOrUndefined'
- in: query
name: sort
required: false
schema:
$ref: '#/components/schemas/Security_Osquery_API_SortOrUndefined'
- in: query
name: sortOrder
required: false
schema:
$ref: '#/components/schemas/Security_Osquery_API_SortOrderOrUndefined'
responses:
'200':
content:
application/json:
schema:
$ref: '#/components/schemas/Security_Osquery_API_DefaultSuccessResponse'
$ref: '#/components/schemas/Security_Osquery_API_FindLiveQueryResponse'
description: OK
summary: Get live queries
tags:
@ -36753,7 +36773,7 @@ paths:
content:
application/json:
schema:
$ref: '#/components/schemas/Security_Osquery_API_DefaultSuccessResponse'
$ref: '#/components/schemas/Security_Osquery_API_CreateLiveQueryResponse'
description: OK
summary: Create a live query
tags:
@ -36768,18 +36788,15 @@ paths:
name: id
required: true
schema:
$ref: '#/components/schemas/Security_Osquery_API_Id'
- in: query
name: query
schema:
additionalProperties: true
type: object
description: The ID of the live query result you want to retrieve.
example: 3c42c847-eb30-4452-80e0-728584042334
type: string
responses:
'200':
content:
application/json:
schema:
$ref: '#/components/schemas/Security_Osquery_API_DefaultSuccessResponse'
$ref: '#/components/schemas/Security_Osquery_API_FindLiveQueryDetailsResponse'
description: OK
summary: Get live query details
tags:
@ -36794,23 +36811,47 @@ paths:
name: id
required: true
schema:
$ref: '#/components/schemas/Security_Osquery_API_Id'
description: The ID of the live query result you want to retrieve.
example: 3c42c847-eb30-4452-80e0-728584042334
type: string
- in: path
name: actionId
required: true
schema:
$ref: '#/components/schemas/Security_Osquery_API_Id'
description: The ID of the query action that generated the live query results.
example: 609c4c66-ba3d-43fa-afdd-53e244577aa0
type: string
- in: query
name: query
required: true
name: kuery
required: false
schema:
$ref: '#/components/schemas/Security_Osquery_API_GetLiveQueryResultsRequestQuery'
$ref: '#/components/schemas/Security_Osquery_API_KueryOrUndefined'
- in: query
name: page
required: false
schema:
$ref: '#/components/schemas/Security_Osquery_API_PageOrUndefined'
- in: query
name: pageSize
required: false
schema:
$ref: '#/components/schemas/Security_Osquery_API_PageSizeOrUndefined'
- in: query
name: sort
required: false
schema:
$ref: '#/components/schemas/Security_Osquery_API_SortOrUndefined'
- in: query
name: sortOrder
required: false
schema:
$ref: '#/components/schemas/Security_Osquery_API_SortOrderOrUndefined'
responses:
'200':
content:
application/json:
schema:
$ref: '#/components/schemas/Security_Osquery_API_DefaultSuccessResponse'
$ref: '#/components/schemas/Security_Osquery_API_GetLiveQueryResultsResponse'
description: OK
summary: Get live query results
tags:
@ -36822,16 +36863,31 @@ paths:
operationId: OsqueryFindPacks
parameters:
- in: query
name: query
required: true
name: page
required: false
schema:
$ref: '#/components/schemas/Security_Osquery_API_FindPacksRequestQuery'
$ref: '#/components/schemas/Security_Osquery_API_PageOrUndefined'
- in: query
name: pageSize
required: false
schema:
$ref: '#/components/schemas/Security_Osquery_API_PageSizeOrUndefined'
- in: query
name: sort
required: false
schema:
$ref: '#/components/schemas/Security_Osquery_API_SortOrUndefined'
- in: query
name: sortOrder
required: false
schema:
$ref: '#/components/schemas/Security_Osquery_API_SortOrderOrUndefined'
responses:
'200':
content:
application/json:
schema:
$ref: '#/components/schemas/Security_Osquery_API_DefaultSuccessResponse'
$ref: '#/components/schemas/Security_Osquery_API_FindPacksResponse'
description: OK
summary: Get packs
tags:
@ -36851,7 +36907,7 @@ paths:
content:
application/json:
schema:
$ref: '#/components/schemas/Security_Osquery_API_DefaultSuccessResponse'
$ref: '#/components/schemas/Security_Osquery_API_CreatePacksResponse'
description: OK
summary: Create a pack
tags:
@ -36872,7 +36928,9 @@ paths:
content:
application/json:
schema:
$ref: '#/components/schemas/Security_Osquery_API_DefaultSuccessResponse'
example: {}
type: object
properties: {}
description: OK
summary: Delete a pack
tags:
@ -36892,7 +36950,7 @@ paths:
content:
application/json:
schema:
$ref: '#/components/schemas/Security_Osquery_API_DefaultSuccessResponse'
$ref: '#/components/schemas/Security_Osquery_API_FindPackResponse'
description: OK
summary: Get pack details
tags:
@ -36921,7 +36979,7 @@ paths:
content:
application/json:
schema:
$ref: '#/components/schemas/Security_Osquery_API_DefaultSuccessResponse'
$ref: '#/components/schemas/Security_Osquery_API_UpdatePacksResponse'
description: OK
summary: Update a pack
tags:
@ -36933,16 +36991,31 @@ paths:
operationId: OsqueryFindSavedQueries
parameters:
- in: query
name: query
required: true
name: page
required: false
schema:
$ref: '#/components/schemas/Security_Osquery_API_FindSavedQueryRequestQuery'
$ref: '#/components/schemas/Security_Osquery_API_PageOrUndefined'
- in: query
name: pageSize
required: false
schema:
$ref: '#/components/schemas/Security_Osquery_API_PageSizeOrUndefined'
- in: query
name: sort
required: false
schema:
$ref: '#/components/schemas/Security_Osquery_API_SortOrUndefined'
- in: query
name: sortOrder
required: false
schema:
$ref: '#/components/schemas/Security_Osquery_API_SortOrderOrUndefined'
responses:
'200':
content:
application/json:
schema:
$ref: '#/components/schemas/Security_Osquery_API_DefaultSuccessResponse'
$ref: '#/components/schemas/Security_Osquery_API_FindSavedQueryResponse'
description: OK
summary: Get saved queries
tags:
@ -36962,7 +37035,7 @@ paths:
content:
application/json:
schema:
$ref: '#/components/schemas/Security_Osquery_API_DefaultSuccessResponse'
$ref: '#/components/schemas/Security_Osquery_API_CreateSavedQueryResponse'
description: OK
summary: Create a saved query
tags:
@ -37003,7 +37076,7 @@ paths:
content:
application/json:
schema:
$ref: '#/components/schemas/Security_Osquery_API_DefaultSuccessResponse'
$ref: '#/components/schemas/Security_Osquery_API_FindSavedQueryDetailResponse'
description: OK
summary: Get saved query details
tags:
@ -37032,7 +37105,7 @@ paths:
content:
application/json:
schema:
$ref: '#/components/schemas/Security_Osquery_API_DefaultSuccessResponse'
$ref: '#/components/schemas/Security_Osquery_API_UpdateSavedQueryResponse'
description: OK
summary: Update a saved query
tags:
@ -53364,6 +53437,7 @@ components:
- status_code
- message
Security_Osquery_API_ArrayQueries:
description: An array of queries to run.
items:
$ref: '#/components/schemas/Security_Osquery_API_ArrayQueriesItem'
type: array
@ -53373,7 +53447,7 @@ components:
ecs_mapping:
$ref: '#/components/schemas/Security_Osquery_API_ECSMappingOrUndefined'
id:
$ref: '#/components/schemas/Security_Osquery_API_Id'
$ref: '#/components/schemas/Security_Osquery_API_QueryId'
platform:
$ref: '#/components/schemas/Security_Osquery_API_PlatformOrUndefined'
query:
@ -53385,37 +53459,51 @@ components:
version:
$ref: '#/components/schemas/Security_Osquery_API_VersionOrUndefined'
Security_Osquery_API_CreateLiveQueryRequestBody:
example:
agent_all: true
ecs_mapping:
host.uptime:
field: total_seconds
query: select * from uptime;
type: object
properties:
agent_all:
description: When `true`, the query runs on all agents.
type: boolean
agent_ids:
description: A list of agent IDs to run the query on.
items:
type: string
type: array
agent_platforms:
description: A list of agent platforms to run the query on.
items:
type: string
type: array
agent_policy_ids:
description: A list of agent policy IDs to run the query on.
items:
type: string
type: array
alert_ids:
description: A list of alert IDs associated with the live query.
items:
type: string
type: array
case_ids:
description: A list of case IDs associated with the live query.
items:
type: string
type: array
ecs_mapping:
$ref: '#/components/schemas/Security_Osquery_API_ECSMappingOrUndefined'
event_ids:
description: A list of event IDs associated with the live query.
items:
type: string
type: array
metadata:
description: Custom metadata object associated with the live query.
nullable: true
type: object
pack_id:
@ -53426,11 +53514,64 @@ components:
$ref: '#/components/schemas/Security_Osquery_API_QueryOrUndefined'
saved_query_id:
$ref: '#/components/schemas/Security_Osquery_API_SavedQueryIdOrUndefined'
Security_Osquery_API_CreateLiveQueryResponse:
example:
data:
'@timestamp': '2022-07-26T09:59:32.220Z'
action_id: 3c42c847-eb30-4452-80e0-728584042334
agent_all: true
agent_ids: []
agent_platforms: []
agent_policy_ids: []
agents:
- 16d7caf5-efd2-4212-9b62-73dafc91fa13
expiration: '2022-07-26T10:04:32.220Z'
input_type: osquery
metadata:
execution_context:
name: osquery
url: /app/osquery/live_queries/new
queries:
- action_id: 609c4c66-ba3d-43fa-afdd-53e244577aa0
agents:
- 16d7caf5-efd2-4212-9b62-73dafc91fa13
ecs_mapping:
host.uptime:
field: total_seconds
id: 6724a474-cbba-41ef-a1aa-66aebf0879e2
query: select * from uptime;
timeout: 120
type: INPUT_ACTION
user_id: elastic
type: object
properties: {}
Security_Osquery_API_CreatePacksRequestBody:
example:
description: My pack
enabled: true
name: my_pack
policy_ids:
- my_policy_id
- fleet-server-policy
queries:
my_query:
ecs_mapping:
client.port:
field: port
tags:
value:
- tag1
- tag2
interval: 60
query: SELECT * FROM listening_ports;
timeout: 120
shards:
fleet-server-policy: 58
my_policy_id: 35
type: object
properties:
description:
$ref: '#/components/schemas/Security_Osquery_API_DescriptionOrUndefined'
$ref: '#/components/schemas/Security_Osquery_API_PackDescriptionOrUndefined'
enabled:
$ref: '#/components/schemas/Security_Osquery_API_EnabledOrUndefined'
name:
@ -53441,11 +53582,50 @@ components:
$ref: '#/components/schemas/Security_Osquery_API_ObjectQueries'
shards:
$ref: '#/components/schemas/Security_Osquery_API_Shards'
Security_Osquery_API_CreatePacksResponse:
example:
data:
created_at: '2025-02-26T13:37:30.452Z'
created_by: elastic
description: My pack
enabled: true
name: my_pack
queries:
ports:
ecs_mapping:
client.port:
field: port
interval: 60
query: SELECT * FROM listening_ports;
removed: false
snapshot: true
timeout: 120
saved_object_id: 1c266590-381f-428c-878f-c80c1334f856
shards:
- key: 47638692-7c4c-4053-aa3e-7186f28df349
value: 35
- key: 5e267651-fe50-443e-8d3f-3bbc9171b618
value: 58
updated_at: '2025-02-26T13:37:30.452Z'
updated_by: elastic
type: object
properties: {}
Security_Osquery_API_CreateSavedQueryRequestBody:
example:
description: Saved query description
ecs_mapping:
host.uptime:
field: total_seconds
id: saved_query_id
interval: '60'
platform: linux,darwin
query: select * from uptime;
timeout: 120
version: 2.8.0
type: object
properties:
description:
$ref: '#/components/schemas/Security_Osquery_API_DescriptionOrUndefined'
$ref: '#/components/schemas/Security_Osquery_API_SavedQueryDescriptionOrUndefined'
ecs_mapping:
$ref: '#/components/schemas/Security_Osquery_API_ECSMappingOrUndefined'
id:
@ -53453,7 +53633,7 @@ components:
interval:
$ref: '#/components/schemas/Security_Osquery_API_Interval'
platform:
$ref: '#/components/schemas/Security_Osquery_API_DescriptionOrUndefined'
$ref: '#/components/schemas/Security_Osquery_API_PlatformOrUndefined'
query:
$ref: '#/components/schemas/Security_Osquery_API_QueryOrUndefined'
removed:
@ -53462,24 +53642,32 @@ components:
$ref: '#/components/schemas/Security_Osquery_API_SnapshotOrUndefined'
version:
$ref: '#/components/schemas/Security_Osquery_API_VersionOrUndefined'
Security_Osquery_API_CreateSavedQueryResponse:
example:
data: {}
type: object
properties: {}
Security_Osquery_API_DefaultSuccessResponse:
type: object
properties: {}
Security_Osquery_API_Description:
type: string
Security_Osquery_API_DescriptionOrUndefined:
$ref: '#/components/schemas/Security_Osquery_API_Description'
nullable: true
Security_Osquery_API_ECSMapping:
additionalProperties:
$ref: '#/components/schemas/Security_Osquery_API_ECSMappingItem'
description: Map osquery results columns or static values to Elastic Common Schema (ECS) fields
example:
host.uptime:
field: total_seconds
type: object
Security_Osquery_API_ECSMappingItem:
type: object
properties:
field:
description: The ECS field to map to.
example: host.uptime
type: string
value:
description: The value to map to the ECS field.
example: total_seconds
oneOf:
- type: string
- items:
@ -53489,71 +53677,197 @@ components:
$ref: '#/components/schemas/Security_Osquery_API_ECSMapping'
nullable: true
Security_Osquery_API_Enabled:
description: Enables the pack.
example: true
type: boolean
Security_Osquery_API_EnabledOrUndefined:
$ref: '#/components/schemas/Security_Osquery_API_Enabled'
nullable: true
Security_Osquery_API_FindLiveQueryRequestQuery:
Security_Osquery_API_FindLiveQueryDetailsResponse:
example:
data:
'@timestamp': '2022-07-26T09:59:32.220Z'
action_id: 3c42c847-eb30-4452-80e0-728584042334
agents:
- 16d7caf5-efd2-4212-9b62-73dafc91fa13
expiration: '2022-07-26T10:04:32.220Z'
queries:
- action_id: 609c4c66-ba3d-43fa-afdd-53e244577aa0
agents:
- 16d7caf5-efd2-4212-9b62-73dafc91fa13
docs: 0
ecs_mapping:
host.uptime:
field: total_seconds
failed: 1
id: 6724a474-cbba-41ef-a1aa-66aebf0879e2
pending: 0
query: select * from uptime;
responded: 1
saved_query_id: 42ba9c50-0cc5-11ed-aa1d-2b27890bc90d
status: completed
successful: 0
status: completed
user_id: elastic
type: object
properties:
kuery:
$ref: '#/components/schemas/Security_Osquery_API_KueryOrUndefined'
page:
$ref: '#/components/schemas/Security_Osquery_API_PageOrUndefined'
pageSize:
$ref: '#/components/schemas/Security_Osquery_API_PageSizeOrUndefined'
sort:
$ref: '#/components/schemas/Security_Osquery_API_SortOrUndefined'
sortOrder:
$ref: '#/components/schemas/Security_Osquery_API_SortOrderOrUndefined'
Security_Osquery_API_FindPacksRequestQuery:
properties: {}
Security_Osquery_API_FindLiveQueryResponse:
example:
data:
items:
- fields:
'@timestamp': '2023-10-31T00:00:00Z'
action_id: 3c42c847-eb30-4452-80e0-728584042334
agents:
- 16d7caf5-efd2-4212-9b62-73dafc91fa13
expiration: '2023-10-31T00:00:00Z'
queries:
- action_id: 609c4c66-ba3d-43fa-afdd-53e244577aa0
agents:
- 16d7caf5-efd2-4212-9b62-73dafc91fa13
ecs_mapping:
host.uptime:
field: total_seconds
id: 6724a474-cbba-41ef-a1aa-66aebf0879e2
query: select * from uptime;
saved_query_id: 42ba9c50-0cc5-11ed-aa1d-2b27890bc90d
user_id: elastic
type: object
properties:
page:
$ref: '#/components/schemas/Security_Osquery_API_PageOrUndefined'
pageSize:
$ref: '#/components/schemas/Security_Osquery_API_PageSizeOrUndefined'
sort:
$ref: '#/components/schemas/Security_Osquery_API_SortOrUndefined'
sortOrder:
$ref: '#/components/schemas/Security_Osquery_API_SortOrderOrUndefined'
Security_Osquery_API_FindSavedQueryRequestQuery:
properties: {}
Security_Osquery_API_FindPackResponse:
example:
data:
created_at: '2022-07-25T19:41:10.263Z'
created_by: elastic
description: ''
enabled: true
id: 3c42c847-eb30-4452-80e0-728584042334
name: test_pack
namespaces:
- default
policy_ids: []
queries:
uptime:
ecs_mapping:
message:
field: days
interval: 3600
query: select * from uptime
read_only: false
type: osquery-pack
updated_at: '2022-07-25T20:12:01.455Z'
updated_by: elastic
type: object
properties:
page:
$ref: '#/components/schemas/Security_Osquery_API_PageOrUndefined'
pageSize:
$ref: '#/components/schemas/Security_Osquery_API_PageSizeOrUndefined'
sort:
$ref: '#/components/schemas/Security_Osquery_API_SortOrUndefined'
sortOrder:
$ref: '#/components/schemas/Security_Osquery_API_SortOrderOrUndefined'
Security_Osquery_API_GetLiveQueryResultsRequestQuery:
properties: {}
Security_Osquery_API_FindPacksResponse:
example:
data:
- attributes:
created_at: '2023-10-31T00:00:00Z'
created_by: elastic
description: My pack description
enabled: true
name: My Pack
queries:
- ecs_mapping:
- host.uptime:
field: total_seconds
id: uptime
interval: '3600'
query: select * from uptime;
updated_at: '2023-10-31T00:00:00Z'
updated_by: elastic
id: 42ba9c50-0cc5-11ed-aa1d-2b27890bc90d
namespaces:
- default
type: osquery-pack
page: 1
pageSize: 10
policy_ids: []
total: 1
type: object
properties:
kuery:
$ref: '#/components/schemas/Security_Osquery_API_KueryOrUndefined'
page:
$ref: '#/components/schemas/Security_Osquery_API_PageOrUndefined'
pageSize:
$ref: '#/components/schemas/Security_Osquery_API_PageSizeOrUndefined'
sort:
$ref: '#/components/schemas/Security_Osquery_API_SortOrUndefined'
sortOrder:
$ref: '#/components/schemas/Security_Osquery_API_SortOrderOrUndefined'
Security_Osquery_API_Id:
type: string
properties: {}
Security_Osquery_API_FindSavedQueryDetailResponse:
example:
data:
attributes:
created_at: '2022-07-26T09:28:08.597Z'
created_by: elastic
description: Saved query description
ecs_mapping:
host.uptime:
field: total_seconds
id: saved_query_id
interval: '60'
platform: linux,darwin
prebuilt: false
query: select * from uptime;
updated_at: '2022-07-26T09:28:08.597Z'
updated_by: elastic
version: 2.8.0
coreMigrationVersion: 8.4.0
id: 3c42c847-eb30-4452-80e0-728584042334
namespaces:
- default
references: []
type: osquery-saved-query
updated_at: '2022-07-26T09:28:08.600Z'
version: WzQzMTcsMV0=
type: object
properties: {}
Security_Osquery_API_FindSavedQueryResponse:
example:
data:
- attributes:
created_at: '2022-07-26T09:28:08.597Z'
created_by: elastic
description: Saved query description
ecs_mapping:
host.uptime:
field: total_seconds
id: saved_query_id
interval: '60'
platform: linux,darwin
prebuilt: false
query: select * from uptime;
updated_at: '2022-07-26T09:28:08.597Z'
updated_by: elastic
version: 2.8.0
id: 42ba9c50-0cc5-11ed-aa1d-2b27890bc90d
namespaces:
- default
type: osquery-saved-query
page: 1
per_page: 100
total: 11
type: object
properties: {}
Security_Osquery_API_GetLiveQueryResultsResponse:
description: The response for getting live query results.
example:
data:
edges:
- {}
- {}
total: 2
type: object
properties: {}
Security_Osquery_API_Interval:
description: An interval, in seconds, on which to run the query.
example: '60'
type: string
Security_Osquery_API_IntervalOrUndefined:
$ref: '#/components/schemas/Security_Osquery_API_Interval'
nullable: true
Security_Osquery_API_KueryOrUndefined:
description: The kuery to filter the results by.
example: 'agent.id: 16d7caf5-efd2-4212-9b62-73dafc91fa13'
nullable: true
type: string
Security_Osquery_API_ObjectQueries:
additionalProperties:
$ref: '#/components/schemas/Security_Osquery_API_ObjectQueriesItem'
description: An object of queries.
type: object
Security_Osquery_API_ObjectQueriesItem:
type: object
@ -53561,7 +53875,7 @@ components:
ecs_mapping:
$ref: '#/components/schemas/Security_Osquery_API_ECSMappingOrUndefined'
id:
$ref: '#/components/schemas/Security_Osquery_API_Id'
$ref: '#/components/schemas/Security_Osquery_API_QueryId'
platform:
$ref: '#/components/schemas/Security_Osquery_API_PlatformOrUndefined'
query:
@ -53574,25 +53888,45 @@ components:
$ref: '#/components/schemas/Security_Osquery_API_SnapshotOrUndefined'
version:
$ref: '#/components/schemas/Security_Osquery_API_VersionOrUndefined'
Security_Osquery_API_PackDescription:
description: The pack description.
example: Pack description
type: string
Security_Osquery_API_PackDescriptionOrUndefined:
$ref: '#/components/schemas/Security_Osquery_API_PackDescription'
nullable: true
Security_Osquery_API_PackId:
description: The ID of the pack you want to run, retrieve, update, or delete.
example: 3c42c847-eb30-4452-80e0-728584042334
type: string
Security_Osquery_API_PackIdOrUndefined:
$ref: '#/components/schemas/Security_Osquery_API_PackId'
nullable: true
Security_Osquery_API_PackName:
description: The pack name.
type: string
Security_Osquery_API_PageOrUndefined:
description: The page number to return. The default is 1.
example: 1
nullable: true
type: integer
Security_Osquery_API_PageSizeOrUndefined:
description: The number of results to return per page. The default is 20.
example: 20
nullable: true
type: integer
Security_Osquery_API_Platform:
description: Restricts the query to a specified platform. The default is all platforms. To specify multiple platforms, use commas. For example, `linux,darwin`.
example: linux,darwin
type: string
Security_Osquery_API_PlatformOrUndefined:
$ref: '#/components/schemas/Security_Osquery_API_Platform'
nullable: true
Security_Osquery_API_PolicyIds:
description: A list of agents policy IDs.
example:
- policyId1
- policyId2
items:
type: string
type: array
@ -53600,16 +53934,33 @@ components:
$ref: '#/components/schemas/Security_Osquery_API_PolicyIds'
nullable: true
Security_Osquery_API_Query:
description: The SQL query you want to run.
example: select * from uptime;
type: string
Security_Osquery_API_QueryId:
description: The ID of the query.
example: 3c42c847-eb30-4452-80e0-728584042334
type: string
Security_Osquery_API_QueryOrUndefined:
$ref: '#/components/schemas/Security_Osquery_API_Query'
nullable: true
Security_Osquery_API_Removed:
description: Indicates whether the query is removed.
example: false
type: boolean
Security_Osquery_API_RemovedOrUndefined:
$ref: '#/components/schemas/Security_Osquery_API_Removed'
nullable: true
Security_Osquery_API_SavedQueryDescription:
description: The saved query description.
example: Saved query description
type: string
Security_Osquery_API_SavedQueryDescriptionOrUndefined:
$ref: '#/components/schemas/Security_Osquery_API_SavedQueryDescription'
nullable: true
Security_Osquery_API_SavedQueryId:
description: The ID of a saved query.
example: 3c42c847-eb30-4452-80e0-728584042334
type: string
Security_Osquery_API_SavedQueryIdOrUndefined:
$ref: '#/components/schemas/Security_Osquery_API_SavedQueryId'
@ -53617,42 +53968,82 @@ components:
Security_Osquery_API_Shards:
additionalProperties:
type: number
description: An object with shard configuration for policies included in the pack. For each policy, set the shard configuration to a percentage (1100) of target hosts.
example:
policy_id: 50
type: object
Security_Osquery_API_Snapshot:
description: Indicates whether the query is a snapshot.
example: true
type: boolean
Security_Osquery_API_SnapshotOrUndefined:
$ref: '#/components/schemas/Security_Osquery_API_Snapshot'
nullable: true
Security_Osquery_API_SortOrderOrUndefined:
oneOf:
- nullable: true
type: string
- enum:
- asc
- desc
description: Specifies the sort order.
enum:
- asc
- desc
example: desc
type: string
Security_Osquery_API_SortOrUndefined:
default: createdAt
description: The field that is used to sort the results.
example: createdAt
nullable: true
type: string
Security_Osquery_API_UpdatePacksRequestBody:
example:
name: updated_my_pack_name
type: object
properties:
description:
$ref: '#/components/schemas/Security_Osquery_API_DescriptionOrUndefined'
$ref: '#/components/schemas/Security_Osquery_API_PackDescriptionOrUndefined'
enabled:
$ref: '#/components/schemas/Security_Osquery_API_EnabledOrUndefined'
id:
$ref: '#/components/schemas/Security_Osquery_API_PackId'
name:
$ref: '#/components/schemas/Security_Osquery_API_PackName'
policy_ids:
$ref: '#/components/schemas/Security_Osquery_API_PolicyIdsOrUndefined'
queries:
$ref: '#/components/schemas/Security_Osquery_API_ObjectQueries'
shards:
$ref: '#/components/schemas/Security_Osquery_API_Shards'
Security_Osquery_API_UpdatePacksResponse:
example:
data:
created_at: '2025-02-26T13:37:30.452Z'
created_by: elastic
description: My pack
enabled: true
name: updated_my_pack_name
queries:
ports:
ecs_mapping:
client.port:
field: port
interval: 60
query: SELECT * FROM listening_ports;
removed: false
snapshot: true
timeout: 120
saved_object_id: 1c266590-381f-428c-878f-c80c1334f856
shards:
- key: 47638692-7c4c-4053-aa3e-7186f28df349
value: 35
- key: 5e267651-fe50-443e-8d3f-3bbc9171b618
value: 58
updated_at: '2025-02-26T13:40:16.297Z'
updated_by: elastic
type: object
properties: {}
Security_Osquery_API_UpdateSavedQueryRequestBody:
example:
id: updated_my_saved_query_name
type: object
properties:
description:
$ref: '#/components/schemas/Security_Osquery_API_DescriptionOrUndefined'
$ref: '#/components/schemas/Security_Osquery_API_SavedQueryDescriptionOrUndefined'
ecs_mapping:
$ref: '#/components/schemas/Security_Osquery_API_ECSMappingOrUndefined'
id:
@ -53660,7 +54051,7 @@ components:
interval:
$ref: '#/components/schemas/Security_Osquery_API_IntervalOrUndefined'
platform:
$ref: '#/components/schemas/Security_Osquery_API_DescriptionOrUndefined'
$ref: '#/components/schemas/Security_Osquery_API_PlatformOrUndefined'
query:
$ref: '#/components/schemas/Security_Osquery_API_QueryOrUndefined'
removed:
@ -53669,7 +54060,14 @@ components:
$ref: '#/components/schemas/Security_Osquery_API_SnapshotOrUndefined'
version:
$ref: '#/components/schemas/Security_Osquery_API_VersionOrUndefined'
Security_Osquery_API_UpdateSavedQueryResponse:
example:
data: {}
type: object
properties: {}
Security_Osquery_API_Version:
description: Uses the Osquery versions greater than or equal to the specified version string.
example: 1.0.0
type: string
Security_Osquery_API_VersionOrUndefined:
$ref: '#/components/schemas/Security_Osquery_API_Version'


@ -19630,16 +19630,36 @@ paths:
operationId: OsqueryFindLiveQueries
parameters:
- in: query
name: query
required: true
name: kuery
required: false
schema:
$ref: '#/components/schemas/Security_Osquery_API_FindLiveQueryRequestQuery'
$ref: '#/components/schemas/Security_Osquery_API_KueryOrUndefined'
- in: query
name: page
required: false
schema:
$ref: '#/components/schemas/Security_Osquery_API_PageOrUndefined'
- in: query
name: pageSize
required: false
schema:
$ref: '#/components/schemas/Security_Osquery_API_PageSizeOrUndefined'
- in: query
name: sort
required: false
schema:
$ref: '#/components/schemas/Security_Osquery_API_SortOrUndefined'
- in: query
name: sortOrder
required: false
schema:
$ref: '#/components/schemas/Security_Osquery_API_SortOrderOrUndefined'
responses:
'200':
content:
application/json; Elastic-Api-Version=2023-10-31:
schema:
$ref: '#/components/schemas/Security_Osquery_API_DefaultSuccessResponse'
$ref: '#/components/schemas/Security_Osquery_API_FindLiveQueryResponse'
description: OK
summary: Get live queries
tags:
@ -19658,7 +19678,7 @@ paths:
content:
application/json; Elastic-Api-Version=2023-10-31:
schema:
$ref: '#/components/schemas/Security_Osquery_API_DefaultSuccessResponse'
$ref: '#/components/schemas/Security_Osquery_API_CreateLiveQueryResponse'
description: OK
summary: Create a live query
tags:
@ -19672,18 +19692,15 @@ paths:
name: id
required: true
schema:
$ref: '#/components/schemas/Security_Osquery_API_Id'
- in: query
name: query
schema:
additionalProperties: true
type: object
description: The ID of the live query result you want to retrieve.
example: 3c42c847-eb30-4452-80e0-728584042334
type: string
responses:
'200':
content:
application/json; Elastic-Api-Version=2023-10-31:
schema:
$ref: '#/components/schemas/Security_Osquery_API_DefaultSuccessResponse'
$ref: '#/components/schemas/Security_Osquery_API_FindLiveQueryDetailsResponse'
description: OK
summary: Get live query details
tags:
@ -19697,23 +19714,47 @@ paths:
name: id
required: true
schema:
$ref: '#/components/schemas/Security_Osquery_API_Id'
description: The ID of the live query result you want to retrieve.
example: 3c42c847-eb30-4452-80e0-728584042334
type: string
- in: path
name: actionId
required: true
schema:
$ref: '#/components/schemas/Security_Osquery_API_Id'
description: The ID of the query action that generated the live query results.
example: 609c4c66-ba3d-43fa-afdd-53e244577aa0
type: string
- in: query
name: query
required: true
name: kuery
required: false
schema:
$ref: '#/components/schemas/Security_Osquery_API_GetLiveQueryResultsRequestQuery'
$ref: '#/components/schemas/Security_Osquery_API_KueryOrUndefined'
- in: query
name: page
required: false
schema:
$ref: '#/components/schemas/Security_Osquery_API_PageOrUndefined'
- in: query
name: pageSize
required: false
schema:
$ref: '#/components/schemas/Security_Osquery_API_PageSizeOrUndefined'
- in: query
name: sort
required: false
schema:
$ref: '#/components/schemas/Security_Osquery_API_SortOrUndefined'
- in: query
name: sortOrder
required: false
schema:
$ref: '#/components/schemas/Security_Osquery_API_SortOrderOrUndefined'
responses:
'200':
content:
application/json; Elastic-Api-Version=2023-10-31:
schema:
$ref: '#/components/schemas/Security_Osquery_API_DefaultSuccessResponse'
$ref: '#/components/schemas/Security_Osquery_API_GetLiveQueryResultsResponse'
description: OK
summary: Get live query results
tags:
@ -19724,16 +19765,31 @@ paths:
operationId: OsqueryFindPacks
parameters:
- in: query
name: query
required: true
name: page
required: false
schema:
$ref: '#/components/schemas/Security_Osquery_API_FindPacksRequestQuery'
$ref: '#/components/schemas/Security_Osquery_API_PageOrUndefined'
- in: query
name: pageSize
required: false
schema:
$ref: '#/components/schemas/Security_Osquery_API_PageSizeOrUndefined'
- in: query
name: sort
required: false
schema:
$ref: '#/components/schemas/Security_Osquery_API_SortOrUndefined'
- in: query
name: sortOrder
required: false
schema:
$ref: '#/components/schemas/Security_Osquery_API_SortOrderOrUndefined'
responses:
'200':
content:
application/json; Elastic-Api-Version=2023-10-31:
schema:
$ref: '#/components/schemas/Security_Osquery_API_DefaultSuccessResponse'
$ref: '#/components/schemas/Security_Osquery_API_FindPacksResponse'
description: OK
summary: Get packs
tags:
@ -19752,7 +19808,7 @@ paths:
content:
application/json; Elastic-Api-Version=2023-10-31:
schema:
$ref: '#/components/schemas/Security_Osquery_API_DefaultSuccessResponse'
$ref: '#/components/schemas/Security_Osquery_API_CreatePacksResponse'
description: OK
summary: Create a pack
tags:
@ -19772,7 +19828,9 @@ paths:
content:
application/json; Elastic-Api-Version=2023-10-31:
schema:
$ref: '#/components/schemas/Security_Osquery_API_DefaultSuccessResponse'
example: {}
type: object
properties: {}
description: OK
summary: Delete a pack
tags:
@ -19791,7 +19849,7 @@ paths:
content:
application/json; Elastic-Api-Version=2023-10-31:
schema:
$ref: '#/components/schemas/Security_Osquery_API_DefaultSuccessResponse'
$ref: '#/components/schemas/Security_Osquery_API_FindPackResponse'
description: OK
summary: Get pack details
tags:
@ -19819,7 +19877,7 @@ paths:
content:
application/json; Elastic-Api-Version=2023-10-31:
schema:
$ref: '#/components/schemas/Security_Osquery_API_DefaultSuccessResponse'
$ref: '#/components/schemas/Security_Osquery_API_UpdatePacksResponse'
description: OK
summary: Update a pack
tags:
@ -19830,16 +19888,31 @@ paths:
operationId: OsqueryFindSavedQueries
parameters:
- in: query
name: query
required: true
name: page
required: false
schema:
$ref: '#/components/schemas/Security_Osquery_API_FindSavedQueryRequestQuery'
$ref: '#/components/schemas/Security_Osquery_API_PageOrUndefined'
- in: query
name: pageSize
required: false
schema:
$ref: '#/components/schemas/Security_Osquery_API_PageSizeOrUndefined'
- in: query
name: sort
required: false
schema:
$ref: '#/components/schemas/Security_Osquery_API_SortOrUndefined'
- in: query
name: sortOrder
required: false
schema:
$ref: '#/components/schemas/Security_Osquery_API_SortOrderOrUndefined'
responses:
'200':
content:
application/json; Elastic-Api-Version=2023-10-31:
schema:
$ref: '#/components/schemas/Security_Osquery_API_DefaultSuccessResponse'
$ref: '#/components/schemas/Security_Osquery_API_FindSavedQueryResponse'
description: OK
summary: Get saved queries
tags:
@ -19858,7 +19931,7 @@ paths:
content:
application/json; Elastic-Api-Version=2023-10-31:
schema:
$ref: '#/components/schemas/Security_Osquery_API_DefaultSuccessResponse'
$ref: '#/components/schemas/Security_Osquery_API_CreateSavedQueryResponse'
description: OK
summary: Create a saved query
tags:
@ -19897,7 +19970,7 @@ paths:
content:
application/json; Elastic-Api-Version=2023-10-31:
schema:
$ref: '#/components/schemas/Security_Osquery_API_DefaultSuccessResponse'
$ref: '#/components/schemas/Security_Osquery_API_FindSavedQueryDetailResponse'
description: OK
summary: Get saved query details
tags:
@ -19925,7 +19998,7 @@ paths:
content:
application/json; Elastic-Api-Version=2023-10-31:
schema:
$ref: '#/components/schemas/Security_Osquery_API_DefaultSuccessResponse'
$ref: '#/components/schemas/Security_Osquery_API_UpdateSavedQueryResponse'
description: OK
summary: Update a saved query
tags:
@ -42170,6 +42243,7 @@ components:
- status_code
- message
Security_Osquery_API_ArrayQueries:
description: An array of queries to run.
items:
$ref: '#/components/schemas/Security_Osquery_API_ArrayQueriesItem'
type: array
@ -42179,7 +42253,7 @@ components:
ecs_mapping:
$ref: '#/components/schemas/Security_Osquery_API_ECSMappingOrUndefined'
id:
$ref: '#/components/schemas/Security_Osquery_API_Id'
$ref: '#/components/schemas/Security_Osquery_API_QueryId'
platform:
$ref: '#/components/schemas/Security_Osquery_API_PlatformOrUndefined'
query:
@ -42191,37 +42265,51 @@ components:
version:
$ref: '#/components/schemas/Security_Osquery_API_VersionOrUndefined'
Security_Osquery_API_CreateLiveQueryRequestBody:
example:
agent_all: true
ecs_mapping:
host.uptime:
field: total_seconds
query: select * from uptime;
type: object
properties:
agent_all:
description: When `true`, the query runs on all agents.
type: boolean
agent_ids:
description: A list of agent IDs to run the query on.
items:
type: string
type: array
agent_platforms:
description: A list of agent platforms to run the query on.
items:
type: string
type: array
agent_policy_ids:
description: A list of agent policy IDs to run the query on.
items:
type: string
type: array
alert_ids:
description: A list of alert IDs associated with the live query.
items:
type: string
type: array
case_ids:
description: A list of case IDs associated with the live query.
items:
type: string
type: array
ecs_mapping:
$ref: '#/components/schemas/Security_Osquery_API_ECSMappingOrUndefined'
event_ids:
description: A list of event IDs associated with the live query.
items:
type: string
type: array
metadata:
description: Custom metadata object associated with the live query.
nullable: true
type: object
pack_id:
@ -42232,11 +42320,64 @@ components:
$ref: '#/components/schemas/Security_Osquery_API_QueryOrUndefined'
saved_query_id:
$ref: '#/components/schemas/Security_Osquery_API_SavedQueryIdOrUndefined'
Security_Osquery_API_CreateLiveQueryResponse:
example:
data:
'@timestamp': '2022-07-26T09:59:32.220Z'
action_id: 3c42c847-eb30-4452-80e0-728584042334
agent_all: true
agent_ids: []
agent_platforms: []
agent_policy_ids: []
agents:
- 16d7caf5-efd2-4212-9b62-73dafc91fa13
expiration: '2022-07-26T10:04:32.220Z'
input_type: osquery
metadata:
execution_context:
name: osquery
url: /app/osquery/live_queries/new
queries:
- action_id: 609c4c66-ba3d-43fa-afdd-53e244577aa0
agents:
- 16d7caf5-efd2-4212-9b62-73dafc91fa13
ecs_mapping:
host.uptime:
field: total_seconds
id: 6724a474-cbba-41ef-a1aa-66aebf0879e2
query: select * from uptime;
timeout: 120
type: INPUT_ACTION
user_id: elastic
type: object
properties: {}
Security_Osquery_API_CreatePacksRequestBody:
example:
description: My pack
enabled: true
name: my_pack
policy_ids:
- my_policy_id
- fleet-server-policy
queries:
my_query:
ecs_mapping:
client.port:
field: port
tags:
value:
- tag1
- tag2
interval: 60
query: SELECT * FROM listening_ports;
timeout: 120
shards:
fleet-server-policy: 58
my_policy_id: 35
type: object
properties:
description:
$ref: '#/components/schemas/Security_Osquery_API_DescriptionOrUndefined'
$ref: '#/components/schemas/Security_Osquery_API_PackDescriptionOrUndefined'
enabled:
$ref: '#/components/schemas/Security_Osquery_API_EnabledOrUndefined'
name:
@ -42247,11 +42388,50 @@ components:
$ref: '#/components/schemas/Security_Osquery_API_ObjectQueries'
shards:
$ref: '#/components/schemas/Security_Osquery_API_Shards'
Security_Osquery_API_CreatePacksResponse:
example:
data:
created_at: '2025-02-26T13:37:30.452Z'
created_by: elastic
description: My pack
enabled: true
name: my_pack
queries:
ports:
ecs_mapping:
client.port:
field: port
interval: 60
query: SELECT * FROM listening_ports;
removed: false
snapshot: true
timeout: 120
saved_object_id: 1c266590-381f-428c-878f-c80c1334f856
shards:
- key: 47638692-7c4c-4053-aa3e-7186f28df349
value: 35
- key: 5e267651-fe50-443e-8d3f-3bbc9171b618
value: 58
updated_at: '2025-02-26T13:37:30.452Z'
updated_by: elastic
type: object
properties: {}
Security_Osquery_API_CreateSavedQueryRequestBody:
example:
description: Saved query description
ecs_mapping:
host.uptime:
field: total_seconds
id: saved_query_id
interval: '60'
platform: linux,darwin
query: select * from uptime;
timeout: 120
version: 2.8.0
type: object
properties:
description:
$ref: '#/components/schemas/Security_Osquery_API_DescriptionOrUndefined'
$ref: '#/components/schemas/Security_Osquery_API_SavedQueryDescriptionOrUndefined'
ecs_mapping:
$ref: '#/components/schemas/Security_Osquery_API_ECSMappingOrUndefined'
id:
@ -42259,7 +42439,7 @@ components:
interval:
$ref: '#/components/schemas/Security_Osquery_API_Interval'
platform:
$ref: '#/components/schemas/Security_Osquery_API_DescriptionOrUndefined'
$ref: '#/components/schemas/Security_Osquery_API_PlatformOrUndefined'
query:
$ref: '#/components/schemas/Security_Osquery_API_QueryOrUndefined'
removed:
@ -42268,24 +42448,32 @@ components:
$ref: '#/components/schemas/Security_Osquery_API_SnapshotOrUndefined'
version:
$ref: '#/components/schemas/Security_Osquery_API_VersionOrUndefined'
Security_Osquery_API_CreateSavedQueryResponse:
example:
data: {}
type: object
properties: {}
Security_Osquery_API_DefaultSuccessResponse:
type: object
properties: {}
Security_Osquery_API_Description:
type: string
Security_Osquery_API_DescriptionOrUndefined:
$ref: '#/components/schemas/Security_Osquery_API_Description'
nullable: true
Security_Osquery_API_ECSMapping:
additionalProperties:
$ref: '#/components/schemas/Security_Osquery_API_ECSMappingItem'
description: Map osquery results columns or static values to Elastic Common Schema (ECS) fields
example:
host.uptime:
field: total_seconds
type: object
Security_Osquery_API_ECSMappingItem:
type: object
properties:
field:
description: The ECS field to map to.
example: host.uptime
type: string
value:
description: The value to map to the ECS field.
example: total_seconds
oneOf:
- type: string
- items:
@ -42295,71 +42483,197 @@ components:
$ref: '#/components/schemas/Security_Osquery_API_ECSMapping'
nullable: true
Security_Osquery_API_Enabled:
description: Enables the pack.
example: true
type: boolean
Security_Osquery_API_EnabledOrUndefined:
$ref: '#/components/schemas/Security_Osquery_API_Enabled'
nullable: true
Security_Osquery_API_FindLiveQueryRequestQuery:
Security_Osquery_API_FindLiveQueryDetailsResponse:
example:
data:
'@timestamp': '2022-07-26T09:59:32.220Z'
action_id: 3c42c847-eb30-4452-80e0-728584042334
agents:
- 16d7caf5-efd2-4212-9b62-73dafc91fa13
expiration: '2022-07-26T10:04:32.220Z'
queries:
- action_id: 609c4c66-ba3d-43fa-afdd-53e244577aa0
agents:
- 16d7caf5-efd2-4212-9b62-73dafc91fa13
docs: 0
ecs_mapping:
host.uptime:
field: total_seconds
failed: 1
id: 6724a474-cbba-41ef-a1aa-66aebf0879e2
pending: 0
query: select * from uptime;
responded: 1
saved_query_id: 42ba9c50-0cc5-11ed-aa1d-2b27890bc90d
status: completed
successful: 0
status: completed
user_id: elastic
type: object
properties:
kuery:
$ref: '#/components/schemas/Security_Osquery_API_KueryOrUndefined'
page:
$ref: '#/components/schemas/Security_Osquery_API_PageOrUndefined'
pageSize:
$ref: '#/components/schemas/Security_Osquery_API_PageSizeOrUndefined'
sort:
$ref: '#/components/schemas/Security_Osquery_API_SortOrUndefined'
sortOrder:
$ref: '#/components/schemas/Security_Osquery_API_SortOrderOrUndefined'
Security_Osquery_API_FindPacksRequestQuery:
properties: {}
Security_Osquery_API_FindLiveQueryResponse:
example:
data:
items:
- fields:
'@timestamp': '2023-10-31T00:00:00Z'
action_id: 3c42c847-eb30-4452-80e0-728584042334
agents:
- 16d7caf5-efd2-4212-9b62-73dafc91fa13
expiration: '2023-10-31T00:00:00Z'
queries:
- action_id: 609c4c66-ba3d-43fa-afdd-53e244577aa0
agents:
- 16d7caf5-efd2-4212-9b62-73dafc91fa13
ecs_mapping:
host.uptime:
field: total_seconds
id: 6724a474-cbba-41ef-a1aa-66aebf0879e2
query: select * from uptime;
saved_query_id: 42ba9c50-0cc5-11ed-aa1d-2b27890bc90d
user_id: elastic
type: object
properties:
page:
$ref: '#/components/schemas/Security_Osquery_API_PageOrUndefined'
pageSize:
$ref: '#/components/schemas/Security_Osquery_API_PageSizeOrUndefined'
sort:
$ref: '#/components/schemas/Security_Osquery_API_SortOrUndefined'
sortOrder:
$ref: '#/components/schemas/Security_Osquery_API_SortOrderOrUndefined'
Security_Osquery_API_FindSavedQueryRequestQuery:
properties: {}
Security_Osquery_API_FindPackResponse:
example:
data:
created_at: '2022-07-25T19:41:10.263Z'
created_by: elastic
description: ''
enabled: true
id: 3c42c847-eb30-4452-80e0-728584042334
name: test_pack
namespaces:
- default
policy_ids: []
queries:
uptime:
ecs_mapping:
message:
field: days
interval: 3600
query: select * from uptime
read_only: false
type: osquery-pack
updated_at: '2022-07-25T20:12:01.455Z'
updated_by: elastic
type: object
properties:
page:
$ref: '#/components/schemas/Security_Osquery_API_PageOrUndefined'
pageSize:
$ref: '#/components/schemas/Security_Osquery_API_PageSizeOrUndefined'
sort:
$ref: '#/components/schemas/Security_Osquery_API_SortOrUndefined'
sortOrder:
$ref: '#/components/schemas/Security_Osquery_API_SortOrderOrUndefined'
Security_Osquery_API_GetLiveQueryResultsRequestQuery:
properties: {}
Security_Osquery_API_FindPacksResponse:
example:
data:
- attributes:
created_at: '2023-10-31T00:00:00Z'
created_by: elastic
description: My pack description
enabled: true
name: My Pack
queries:
- ecs_mapping:
- host.uptime:
field: total_seconds
id: uptime
interval: '3600'
query: select * from uptime;
updated_at: '2023-10-31T00:00:00Z'
updated_by: elastic
id: 42ba9c50-0cc5-11ed-aa1d-2b27890bc90d
namespaces:
- default
type: osquery-pack
page: 1
pageSize: 10
policy_ids: []
total: 1
type: object
properties:
kuery:
$ref: '#/components/schemas/Security_Osquery_API_KueryOrUndefined'
page:
$ref: '#/components/schemas/Security_Osquery_API_PageOrUndefined'
pageSize:
$ref: '#/components/schemas/Security_Osquery_API_PageSizeOrUndefined'
sort:
$ref: '#/components/schemas/Security_Osquery_API_SortOrUndefined'
sortOrder:
$ref: '#/components/schemas/Security_Osquery_API_SortOrderOrUndefined'
Security_Osquery_API_Id:
type: string
properties: {}
Security_Osquery_API_FindSavedQueryDetailResponse:
example:
data:
attributes:
created_at: '2022-07-26T09:28:08.597Z'
created_by: elastic
description: Saved query description
ecs_mapping:
host.uptime:
field: total_seconds
id: saved_query_id
interval: '60'
platform: linux,darwin
prebuilt: false
query: select * from uptime;
updated_at: '2022-07-26T09:28:08.597Z'
updated_by: elastic
version: 2.8.0
coreMigrationVersion: 8.4.0
id: 3c42c847-eb30-4452-80e0-728584042334
namespaces:
- default
references: []
type: osquery-saved-query
updated_at: '2022-07-26T09:28:08.600Z'
version: WzQzMTcsMV0=
type: object
properties: {}
Security_Osquery_API_FindSavedQueryResponse:
example:
data:
- attributes:
created_at: '2022-07-26T09:28:08.597Z'
created_by: elastic
description: Saved query description
ecs_mapping:
host.uptime:
field: total_seconds
id: saved_query_id
interval: '60'
platform: linux,darwin
prebuilt: false
query: select * from uptime;
updated_at: '2022-07-26T09:28:08.597Z'
updated_by: elastic
version: 2.8.0
id: 42ba9c50-0cc5-11ed-aa1d-2b27890bc90d
namespaces:
- default
type: osquery-saved-query
page: 1
per_page: 100
total: 11
type: object
properties: {}
Security_Osquery_API_GetLiveQueryResultsResponse:
description: The response for getting live query results.
example:
data:
edges:
- {}
- {}
total: 2
type: object
properties: {}
Security_Osquery_API_Interval:
description: An interval, in seconds, on which to run the query.
example: '60'
type: string
Security_Osquery_API_IntervalOrUndefined:
$ref: '#/components/schemas/Security_Osquery_API_Interval'
nullable: true
Security_Osquery_API_KueryOrUndefined:
description: The kuery to filter the results by.
example: 'agent.id: 16d7caf5-efd2-4212-9b62-73dafc91fa13'
nullable: true
type: string
Security_Osquery_API_ObjectQueries:
additionalProperties:
$ref: '#/components/schemas/Security_Osquery_API_ObjectQueriesItem'
description: An object of queries.
type: object
Security_Osquery_API_ObjectQueriesItem:
type: object
@ -42367,7 +42681,7 @@ components:
ecs_mapping:
$ref: '#/components/schemas/Security_Osquery_API_ECSMappingOrUndefined'
id:
$ref: '#/components/schemas/Security_Osquery_API_Id'
$ref: '#/components/schemas/Security_Osquery_API_QueryId'
platform:
$ref: '#/components/schemas/Security_Osquery_API_PlatformOrUndefined'
query:
@ -42380,25 +42694,45 @@ components:
$ref: '#/components/schemas/Security_Osquery_API_SnapshotOrUndefined'
version:
$ref: '#/components/schemas/Security_Osquery_API_VersionOrUndefined'
Security_Osquery_API_PackDescription:
description: The pack description.
example: Pack description
type: string
Security_Osquery_API_PackDescriptionOrUndefined:
$ref: '#/components/schemas/Security_Osquery_API_PackDescription'
nullable: true
Security_Osquery_API_PackId:
description: The ID of the pack you want to run, retrieve, update, or delete.
example: 3c42c847-eb30-4452-80e0-728584042334
type: string
Security_Osquery_API_PackIdOrUndefined:
$ref: '#/components/schemas/Security_Osquery_API_PackId'
nullable: true
Security_Osquery_API_PackName:
description: The pack name.
type: string
Security_Osquery_API_PageOrUndefined:
description: The page number to return. The default is 1.
example: 1
nullable: true
type: integer
Security_Osquery_API_PageSizeOrUndefined:
description: The number of results to return per page. The default is 20.
example: 20
nullable: true
type: integer
Security_Osquery_API_Platform:
description: Restricts the query to a specified platform. The default is all platforms. To specify multiple platforms, use commas. For example, `linux,darwin`.
example: linux,darwin
type: string
Security_Osquery_API_PlatformOrUndefined:
$ref: '#/components/schemas/Security_Osquery_API_Platform'
nullable: true
Security_Osquery_API_PolicyIds:
description: A list of agents policy IDs.
example:
- policyId1
- policyId2
items:
type: string
type: array
@ -42406,16 +42740,33 @@ components:
$ref: '#/components/schemas/Security_Osquery_API_PolicyIds'
nullable: true
Security_Osquery_API_Query:
description: The SQL query you want to run.
example: select * from uptime;
type: string
Security_Osquery_API_QueryId:
description: The ID of the query.
example: 3c42c847-eb30-4452-80e0-728584042334
type: string
Security_Osquery_API_QueryOrUndefined:
$ref: '#/components/schemas/Security_Osquery_API_Query'
nullable: true
Security_Osquery_API_Removed:
description: Indicates whether the query is removed.
example: false
type: boolean
Security_Osquery_API_RemovedOrUndefined:
$ref: '#/components/schemas/Security_Osquery_API_Removed'
nullable: true
Security_Osquery_API_SavedQueryDescription:
description: The saved query description.
example: Saved query description
type: string
Security_Osquery_API_SavedQueryDescriptionOrUndefined:
$ref: '#/components/schemas/Security_Osquery_API_SavedQueryDescription'
nullable: true
Security_Osquery_API_SavedQueryId:
description: The ID of a saved query.
example: 3c42c847-eb30-4452-80e0-728584042334
type: string
Security_Osquery_API_SavedQueryIdOrUndefined:
$ref: '#/components/schemas/Security_Osquery_API_SavedQueryId'
@ -42423,42 +42774,82 @@ components:
Security_Osquery_API_Shards:
additionalProperties:
type: number
description: An object with shard configuration for policies included in the pack. For each policy, set the shard configuration to a percentage (1100) of target hosts.
example:
policy_id: 50
type: object
Security_Osquery_API_Snapshot:
description: Indicates whether the query is a snapshot.
example: true
type: boolean
Security_Osquery_API_SnapshotOrUndefined:
$ref: '#/components/schemas/Security_Osquery_API_Snapshot'
nullable: true
Security_Osquery_API_SortOrderOrUndefined:
oneOf:
- nullable: true
type: string
- enum:
- asc
- desc
description: Specifies the sort order.
enum:
- asc
- desc
example: desc
type: string
Security_Osquery_API_SortOrUndefined:
default: createdAt
description: The field that is used to sort the results.
example: createdAt
nullable: true
type: string
Security_Osquery_API_UpdatePacksRequestBody:
example:
name: updated_my_pack_name
type: object
properties:
description:
$ref: '#/components/schemas/Security_Osquery_API_DescriptionOrUndefined'
$ref: '#/components/schemas/Security_Osquery_API_PackDescriptionOrUndefined'
enabled:
$ref: '#/components/schemas/Security_Osquery_API_EnabledOrUndefined'
id:
$ref: '#/components/schemas/Security_Osquery_API_PackId'
name:
$ref: '#/components/schemas/Security_Osquery_API_PackName'
policy_ids:
$ref: '#/components/schemas/Security_Osquery_API_PolicyIdsOrUndefined'
queries:
$ref: '#/components/schemas/Security_Osquery_API_ObjectQueries'
shards:
$ref: '#/components/schemas/Security_Osquery_API_Shards'
Security_Osquery_API_UpdatePacksResponse:
example:
data:
created_at: '2025-02-26T13:37:30.452Z'
created_by: elastic
description: My pack
enabled: true
name: updated_my_pack_name
queries:
ports:
ecs_mapping:
client.port:
field: port
interval: 60
query: SELECT * FROM listening_ports;
removed: false
snapshot: true
timeout: 120
saved_object_id: 1c266590-381f-428c-878f-c80c1334f856
shards:
- key: 47638692-7c4c-4053-aa3e-7186f28df349
value: 35
- key: 5e267651-fe50-443e-8d3f-3bbc9171b618
value: 58
updated_at: '2025-02-26T13:40:16.297Z'
updated_by: elastic
type: object
properties: {}
Security_Osquery_API_UpdateSavedQueryRequestBody:
example:
id: updated_my_saved_query_name
type: object
properties:
description:
$ref: '#/components/schemas/Security_Osquery_API_DescriptionOrUndefined'
$ref: '#/components/schemas/Security_Osquery_API_SavedQueryDescriptionOrUndefined'
ecs_mapping:
$ref: '#/components/schemas/Security_Osquery_API_ECSMappingOrUndefined'
id:
@ -42466,7 +42857,7 @@ components:
interval:
$ref: '#/components/schemas/Security_Osquery_API_IntervalOrUndefined'
platform:
$ref: '#/components/schemas/Security_Osquery_API_DescriptionOrUndefined'
$ref: '#/components/schemas/Security_Osquery_API_PlatformOrUndefined'
query:
$ref: '#/components/schemas/Security_Osquery_API_QueryOrUndefined'
removed:
@ -42475,7 +42866,14 @@ components:
$ref: '#/components/schemas/Security_Osquery_API_SnapshotOrUndefined'
version:
$ref: '#/components/schemas/Security_Osquery_API_VersionOrUndefined'
Security_Osquery_API_UpdateSavedQueryResponse:
example:
data: {}
type: object
properties: {}
Security_Osquery_API_Version:
description: Uses the Osquery versions greater than or equal to the specified version string.
example: 1.0.0
type: string
Security_Osquery_API_VersionOrUndefined:
$ref: '#/components/schemas/Security_Osquery_API_Version'


@ -16,11 +16,9 @@
import { z } from '@kbn/zod';
import { Id } from '../model/schema/common_attributes.gen';
export type GetAgentDetailsRequestParams = z.infer<typeof GetAgentDetailsRequestParams>;
export const GetAgentDetailsRequestParams = z.object({
id: Id,
id: z.string(),
});
export type GetAgentDetailsRequestParamsInput = z.input<typeof GetAgentDetailsRequestParams>;
@ -35,7 +33,7 @@ export const GetAgentPoliciesResponse = z.object({});
export type GetAgentPolicyRequestParams = z.infer<typeof GetAgentPolicyRequestParams>;
export const GetAgentPolicyRequestParams = z.object({
id: Id,
id: z.string(),
});
export type GetAgentPolicyRequestParamsInput = z.input<typeof GetAgentPolicyRequestParams>;


@ -37,7 +37,7 @@ paths:
in: path
required: true
schema:
$ref: '../model/schema/common_attributes.schema.yaml#/components/schemas/Id'
type: string
responses:
'200':
description: OK
@ -75,7 +75,7 @@ paths:
in: path
required: true
schema:
$ref: '../model/schema/common_attributes.schema.yaml#/components/schemas/Id'
type: string
responses:
'200':
description: OK
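Review bot: Both path `id` parameters in this file are now declared as a bare `type: string` with no `description` or `example`, whereas the osquery path parameters in the bundled output earlier in this PR carry both; the rendered docs will show an undescribed `id` for these two operations. Replacing the shared `Id` `$ref` with an inline string also means any later tightening of the identifier format (a `minLength`, a pattern) has to be repeated per endpoint instead of applied once, which runs against the `PackId`/`QueryId`/`SavedQueryId` aliases this PR introduces elsewhere. Assuming the two operations are GetAgentDetails and GetAgentPolicy as in the companion `.gen.ts` hunk, I would add `description: The ID of the agent.` and `description: The ID of the agent policy.` respectively, or point both at dedicated `AgentId`/`AgentPolicyId` components. The same applies to the `policyId` query parameter in the agent status schema hunk further down.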


@ -16,7 +16,7 @@
import { z } from '@kbn/zod';
import { KueryOrUndefined, Id } from '../model/schema/common_attributes.gen';
import { KueryOrUndefined } from '../model/schema/common_attributes.gen';
export type GetAgentStatusRequestParams = z.infer<typeof GetAgentStatusRequestParams>;
export const GetAgentStatusRequestParams = z.object({});
@ -24,5 +24,5 @@ export const GetAgentStatusRequestParams = z.object({});
export type GetAgentStatusRequestQueryParams = z.infer<typeof GetAgentStatusRequestQueryParams>;
export const GetAgentStatusRequestQueryParams = z.object({
kuery: KueryOrUndefined.optional(),
policyId: Id.optional(),
policyId: z.string().optional(),
});


@ -13,4 +13,4 @@ components:
kuery:
$ref: '../model/schema/common_attributes.schema.yaml#/components/schemas/KueryOrUndefined'
policyId:
$ref: '../model/schema/common_attributes.schema.yaml#/components/schemas/Id'
type: string


@ -26,17 +26,44 @@ import {
export type CreateLiveQueryRequestBody = z.infer<typeof CreateLiveQueryRequestBody>;
export const CreateLiveQueryRequestBody = z.object({
/**
* A list of agent IDs to run the query on.
*/
agent_ids: z.array(z.string()).optional(),
/**
* When `true`, the query runs on all agents.
*/
agent_all: z.boolean().optional(),
/**
* A list of agent platforms to run the query on.
*/
agent_platforms: z.array(z.string()).optional(),
/**
* A list of agent policy IDs to run the query on.
*/
agent_policy_ids: z.array(z.string()).optional(),
query: QueryOrUndefined.optional(),
queries: ArrayQueries.optional(),
saved_query_id: SavedQueryIdOrUndefined.optional(),
ecs_mapping: ECSMappingOrUndefined.optional(),
pack_id: PackIdOrUndefined.optional(),
/**
* A list of alert IDs associated with the live query.
*/
alert_ids: z.array(z.string()).optional(),
/**
* A list of case IDs associated with the live query.
*/
case_ids: z.array(z.string()).optional(),
/**
* A list of event IDs associated with the live query.
*/
event_ids: z.array(z.string()).optional(),
/**
* Custom metadata object associated with the live query.
*/
metadata: z.object({}).nullable().optional(),
});
export type CreateLiveQueryResponse = z.infer<typeof CreateLiveQueryResponse>;
export const CreateLiveQueryResponse = z.object({});


@ -7,18 +7,28 @@ components:
schemas:
CreateLiveQueryRequestBody:
type: object
example:
query: 'select * from uptime;'
agent_all: true
ecs_mapping:
host.uptime:
field: 'total_seconds'
properties:
agent_ids:
description: 'A list of agent IDs to run the query on.'
type: array
items:
type: string
agent_all:
description: 'When `true`, the query runs on all agents.'
type: boolean
agent_platforms:
description: 'A list of agent platforms to run the query on.'
type: array
items:
type: string
agent_policy_ids:
description: 'A list of agent policy IDs to run the query on.'
type: array
items:
type: string
@ -33,17 +43,54 @@ components:
pack_id:
$ref: '../model/schema/common_attributes.schema.yaml#/components/schemas/PackIdOrUndefined'
alert_ids:
description: 'A list of alert IDs associated with the live query.'
type: array
items:
type: string
case_ids:
description: 'A list of case IDs associated with the live query.'
type: array
items:
type: string
event_ids:
description: 'A list of event IDs associated with the live query.'
type: array
items:
type: string
metadata:
description: 'Custom metadata object associated with the live query.'
type: object
nullable: true
CreateLiveQueryResponse:
type: object
properties: { }
example:
data:
action_id: '3c42c847-eb30-4452-80e0-728584042334'
'@timestamp': '2022-07-26T09:59:32.220Z'
expiration: '2022-07-26T10:04:32.220Z'
type: 'INPUT_ACTION'
input_type: 'osquery'
agent_ids: [ ]
agent_all: true
agent_platforms: [ ]
agent_policy_ids: [ ]
agents:
- '16d7caf5-efd2-4212-9b62-73dafc91fa13'
user_id: 'elastic'
metadata:
execution_context:
name: 'osquery'
url: '/app/osquery/live_queries/new'
queries:
- action_id: '609c4c66-ba3d-43fa-afdd-53e244577aa0'
id: '6724a474-cbba-41ef-a1aa-66aebf0879e2'
query: 'select * from uptime;'
timeout: 120
ecs_mapping:
host.uptime:
field: 'total_seconds'
agents:
- '16d7caf5-efd2-4212-9b62-73dafc91fa13'
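Review bot: The new `metadata` description in the second hunk promises a "custom metadata object", but the schema is `type: object` with no `properties` and no `additionalProperties: true`; the companion generated hunk maps it to `z.object({})`, and a zod object in its default mode strips keys it does not declare, so if the route validates requests with that schema a caller's custom keys would be silently dropped rather than kept. Either declare the accepted shape or add `additionalProperties: true` under `metadata` so the documented contract and the validator agree, and state in the description that the content is opaque to the API. The `CreateLiveQueryResponse` example lists `agent_ids`, `agent_platforms` and `agent_policy_ids` as `[ ]` alongside `agent_all: true`; if those selectors are mutually exclusive, a one-line note on `agent_all` would save readers from combining them.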


@ -16,19 +16,8 @@
import { z } from '@kbn/zod';
import {
KueryOrUndefined,
PageOrUndefined,
PageSizeOrUndefined,
SortOrUndefined,
SortOrderOrUndefined,
} from '../model/schema/common_attributes.gen';
export type FindLiveQueryResponse = z.infer<typeof FindLiveQueryResponse>;
export const FindLiveQueryResponse = z.object({});
export type FindLiveQueryRequestQuery = z.infer<typeof FindLiveQueryRequestQuery>;
export const FindLiveQueryRequestQuery = z.object({
kuery: KueryOrUndefined.optional(),
page: PageOrUndefined.optional(),
pageSize: PageSizeOrUndefined.optional(),
sort: SortOrUndefined.optional(),
sortOrder: SortOrderOrUndefined.optional(),
});
export type FindLiveQueryDetailsResponse = z.infer<typeof FindLiveQueryDetailsResponse>;
export const FindLiveQueryDetailsResponse = z.object({});


@ -5,16 +5,51 @@ info:
paths: { }
components:
schemas:
FindLiveQueryRequestQuery:
FindLiveQueryResponse:
example:
data:
items:
- fields:
action_id: '3c42c847-eb30-4452-80e0-728584042334'
expiration: '2023-10-31T00:00:00Z'
"@timestamp": '2023-10-31T00:00:00Z'
agents: [ '16d7caf5-efd2-4212-9b62-73dafc91fa13' ]
user_id: 'elastic'
queries:
- action_id: "609c4c66-ba3d-43fa-afdd-53e244577aa0"
id: "6724a474-cbba-41ef-a1aa-66aebf0879e2"
query: "select * from uptime;"
saved_query_id: "42ba9c50-0cc5-11ed-aa1d-2b27890bc90d"
ecs_mapping:
host.uptime:
field: "total_seconds"
agents: [ "16d7caf5-efd2-4212-9b62-73dafc91fa13" ]
type: object
properties:
kuery:
$ref: '../model/schema/common_attributes.schema.yaml#/components/schemas/KueryOrUndefined'
page:
$ref: '../model/schema/common_attributes.schema.yaml#/components/schemas/PageOrUndefined'
pageSize:
$ref: '../model/schema/common_attributes.schema.yaml#/components/schemas/PageSizeOrUndefined'
sort:
$ref: '../model/schema/common_attributes.schema.yaml#/components/schemas/SortOrUndefined'
sortOrder:
$ref: '../model/schema/common_attributes.schema.yaml#/components/schemas/SortOrderOrUndefined'
properties: { }
FindLiveQueryDetailsResponse:
example:
data:
action_id: "3c42c847-eb30-4452-80e0-728584042334"
expiration: "2022-07-26T10:04:32.220Z"
"@timestamp": "2022-07-26T09:59:32.220Z"
agents: [ "16d7caf5-efd2-4212-9b62-73dafc91fa13" ]
user_id: "elastic"
queries:
- action_id: "609c4c66-ba3d-43fa-afdd-53e244577aa0"
id: "6724a474-cbba-41ef-a1aa-66aebf0879e2"
query: "select * from uptime;"
saved_query_id: "42ba9c50-0cc5-11ed-aa1d-2b27890bc90d"
ecs_mapping:
host.uptime:
field: "total_seconds"
agents:
- "16d7caf5-efd2-4212-9b62-73dafc91fa13"
docs: 0 # results count
failed: 1 # failed queries
pending: 0 # pending agents
responded: 1 # total responded agents
successful: 0 # successful agents
status: "completed" # single query status
status: "completed" # global status of the live query (completed, pending)
type: object
properties: { }
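Review bot: The `#` comments on the `FindLiveQueryDetailsResponse` example (`docs: 0 # results count` through `status: "completed" # global status of the live query`) are YAML comments and do not survive bundling — the same example in the bundled output earlier in this PR shows the counters with no explanation — so the only place these fields are explained is invisible to readers of the published docs. Since the schema is `properties: { }`, the practical fix is a schema-level `description` on `FindLiveQueryDetailsResponse` that carries the wording of those comments for `docs`, `failed`, `pending`, `responded`, `successful` and the per-query versus top-level `status`. The two `status` keys at different nesting levels particularly need that text, because indentation is the only thing distinguishing them in the example.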


@ -16,19 +16,8 @@
import { z } from '@kbn/zod';
import {
KueryOrUndefined,
PageOrUndefined,
PageSizeOrUndefined,
SortOrUndefined,
SortOrderOrUndefined,
} from '../model/schema/common_attributes.gen';
export type GetLiveQueryResultsRequestQuery = z.infer<typeof GetLiveQueryResultsRequestQuery>;
export const GetLiveQueryResultsRequestQuery = z.object({
kuery: KueryOrUndefined.optional(),
page: PageOrUndefined.optional(),
pageSize: PageSizeOrUndefined.optional(),
sort: SortOrUndefined.optional(),
sortOrder: SortOrderOrUndefined.optional(),
});
/**
* The response for getting live query results.
*/
export type GetLiveQueryResultsResponse = z.infer<typeof GetLiveQueryResultsResponse>;
export const GetLiveQueryResultsResponse = z.object({});


@ -5,16 +5,11 @@ info:
paths: {}
components:
schemas:
GetLiveQueryResultsRequestQuery:
GetLiveQueryResultsResponse:
type: object
properties:
kuery:
$ref: '../model/schema/common_attributes.schema.yaml#/components/schemas/KueryOrUndefined'
page:
$ref: '../model/schema/common_attributes.schema.yaml#/components/schemas/PageOrUndefined'
pageSize:
$ref: '../model/schema/common_attributes.schema.yaml#/components/schemas/PageSizeOrUndefined'
sort:
$ref: '../model/schema/common_attributes.schema.yaml#/components/schemas/SortOrUndefined'
sortOrder:
$ref: '../model/schema/common_attributes.schema.yaml#/components/schemas/SortOrderOrUndefined'
description: 'The response for getting live query results.'
properties: { }
example:
data:
total: 2
edges: [{}, {}]
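Review bot: The `GetLiveQueryResultsResponse` example documents `total` and `edges`, but the schema itself is `type: object` with `properties: { }` and no `additionalProperties`, so the example and the contract disagree and the generated Zod object (`z.object({})`) carries no field information for consumers. Declaring at least `total: { type: integer }` and `edges: { type: array, items: { type: object } }` under `properties` would keep the two in agreement. The `edges: [{}, {}]` example also tells a reader nothing about the result document shape; if the hit shape is known, one representative edge would be more useful than two empty objects.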


@ -16,10 +16,16 @@
import { z } from '@kbn/zod';
import { FindLiveQueryRequestQuery } from './find_live_query.gen';
import { DefaultSuccessResponse, Id } from '../model/schema/common_attributes.gen';
import { CreateLiveQueryRequestBody } from './create_live_query.gen';
import { GetLiveQueryResultsRequestQuery } from './get_live_query_results.gen';
import {
KueryOrUndefined,
PageOrUndefined,
PageSizeOrUndefined,
SortOrUndefined,
SortOrderOrUndefined,
} from '../model/schema/common_attributes.gen';
import { FindLiveQueryResponse, FindLiveQueryDetailsResponse } from './find_live_query.gen';
import { CreateLiveQueryRequestBody, CreateLiveQueryResponse } from './create_live_query.gen';
import { GetLiveQueryResultsResponse } from './get_live_query_results.gen';
export type OsqueryCreateLiveQueryRequestBody = z.infer<typeof OsqueryCreateLiveQueryRequestBody>;
export const OsqueryCreateLiveQueryRequestBody = CreateLiveQueryRequestBody;
@ -28,44 +34,43 @@ export type OsqueryCreateLiveQueryRequestBodyInput = z.input<
>;
export type OsqueryCreateLiveQueryResponse = z.infer<typeof OsqueryCreateLiveQueryResponse>;
export const OsqueryCreateLiveQueryResponse = DefaultSuccessResponse;
export const OsqueryCreateLiveQueryResponse = CreateLiveQueryResponse;
export type OsqueryFindLiveQueriesRequestQuery = z.infer<typeof OsqueryFindLiveQueriesRequestQuery>;
export const OsqueryFindLiveQueriesRequestQuery = z.object({
query: FindLiveQueryRequestQuery,
kuery: KueryOrUndefined.optional(),
page: PageOrUndefined.optional(),
pageSize: PageSizeOrUndefined.optional(),
sort: SortOrUndefined.optional(),
sortOrder: SortOrderOrUndefined.optional(),
});
export type OsqueryFindLiveQueriesRequestQueryInput = z.input<
typeof OsqueryFindLiveQueriesRequestQuery
>;
export type OsqueryFindLiveQueriesResponse = z.infer<typeof OsqueryFindLiveQueriesResponse>;
export const OsqueryFindLiveQueriesResponse = DefaultSuccessResponse;
export type OsqueryGetLiveQueryDetailsRequestQuery = z.infer<
typeof OsqueryGetLiveQueryDetailsRequestQuery
>;
export const OsqueryGetLiveQueryDetailsRequestQuery = z.object({
query: z.object({}),
});
export type OsqueryGetLiveQueryDetailsRequestQueryInput = z.input<
typeof OsqueryGetLiveQueryDetailsRequestQuery
>;
export const OsqueryFindLiveQueriesResponse = FindLiveQueryResponse;
export type OsqueryGetLiveQueryDetailsRequestParams = z.infer<
typeof OsqueryGetLiveQueryDetailsRequestParams
>;
export const OsqueryGetLiveQueryDetailsRequestParams = z.object({
id: Id,
id: z.string(),
});
export type OsqueryGetLiveQueryDetailsRequestParamsInput = z.input<
typeof OsqueryGetLiveQueryDetailsRequestParams
>;
export type OsqueryGetLiveQueryDetailsResponse = z.infer<typeof OsqueryGetLiveQueryDetailsResponse>;
export const OsqueryGetLiveQueryDetailsResponse = DefaultSuccessResponse;
export const OsqueryGetLiveQueryDetailsResponse = FindLiveQueryDetailsResponse;
export type OsqueryGetLiveQueryResultsRequestQuery = z.infer<
typeof OsqueryGetLiveQueryResultsRequestQuery
>;
export const OsqueryGetLiveQueryResultsRequestQuery = z.object({
query: GetLiveQueryResultsRequestQuery,
kuery: KueryOrUndefined.optional(),
page: PageOrUndefined.optional(),
pageSize: PageSizeOrUndefined.optional(),
sort: SortOrUndefined.optional(),
sortOrder: SortOrderOrUndefined.optional(),
});
export type OsqueryGetLiveQueryResultsRequestQueryInput = z.input<
typeof OsqueryGetLiveQueryResultsRequestQuery
@ -75,12 +80,12 @@ export type OsqueryGetLiveQueryResultsRequestParams = z.infer<
typeof OsqueryGetLiveQueryResultsRequestParams
>;
export const OsqueryGetLiveQueryResultsRequestParams = z.object({
id: Id,
actionId: Id,
id: z.string(),
actionId: z.string(),
});
export type OsqueryGetLiveQueryResultsRequestParamsInput = z.input<
typeof OsqueryGetLiveQueryResultsRequestParams
>;
export type OsqueryGetLiveQueryResultsResponse = z.infer<typeof OsqueryGetLiveQueryResultsResponse>;
export const OsqueryGetLiveQueryResultsResponse = DefaultSuccessResponse;
export const OsqueryGetLiveQueryResultsResponse = GetLiveQueryResultsResponse;


@ -11,18 +11,38 @@ paths:
x-codegen-enabled: true
x-labels: [serverless, ess]
parameters:
- name: query
- name: kuery
in: query
required: true
required: false
schema:
$ref: './find_live_query.schema.yaml#/components/schemas/FindLiveQueryRequestQuery'
$ref: '../model/schema/common_attributes.schema.yaml#/components/schemas/KueryOrUndefined'
- name: page
in: query
required: false
schema:
$ref: '../model/schema/common_attributes.schema.yaml#/components/schemas/PageOrUndefined'
- name: pageSize
in: query
required: false
schema:
$ref: '../model/schema/common_attributes.schema.yaml#/components/schemas/PageSizeOrUndefined'
- name: sort
in: query
required: false
schema:
$ref: '../model/schema/common_attributes.schema.yaml#/components/schemas/SortOrUndefined'
- name: sortOrder
in: query
required: false
schema:
$ref: '../model/schema/common_attributes.schema.yaml#/components/schemas/SortOrderOrUndefined'
responses:
'200':
description: OK
content:
application/json:
schema:
$ref: '../model/schema/common_attributes.schema.yaml#/components/schemas/DefaultSuccessResponse'
$ref: './find_live_query.schema.yaml#/components/schemas/FindLiveQueryResponse'
post:
summary: Create a live query
@ -42,7 +62,7 @@ paths:
content:
application/json:
schema:
$ref: '../model/schema/common_attributes.schema.yaml#/components/schemas/DefaultSuccessResponse'
$ref: './create_live_query.schema.yaml#/components/schemas/CreateLiveQueryResponse'
/api/osquery/live_queries/{id}:
get:
@ -56,19 +76,16 @@ paths:
in: path
required: true
schema:
$ref: '../model/schema/common_attributes.schema.yaml#/components/schemas/Id'
- name: query
in: query
schema:
type: object
additionalProperties: true
description: 'The ID of the live query result you want to retrieve.'
type: string
example: '3c42c847-eb30-4452-80e0-728584042334'
responses:
'200':
description: OK
content:
application/json:
schema:
$ref: '../model/schema/common_attributes.schema.yaml#/components/schemas/DefaultSuccessResponse'
$ref: './find_live_query.schema.yaml#/components/schemas/FindLiveQueryDetailsResponse'
/api/osquery/live_queries/{id}/results/{actionId}:
get:
@ -82,21 +99,45 @@ paths:
in: path
required: true
schema:
$ref: '../model/schema/common_attributes.schema.yaml#/components/schemas/Id'
example: '3c42c847-eb30-4452-80e0-728584042334'
description: 'The ID of the live query result you want to retrieve.'
type: string
- name: actionId
in: path
required: true
schema:
$ref: '../model/schema/common_attributes.schema.yaml#/components/schemas/Id'
- name: query
example: '609c4c66-ba3d-43fa-afdd-53e244577aa0'
description: 'The ID of the query action that generated the live query results.'
type: string
- name: kuery
in: query
required: true
required: false
schema:
$ref: './get_live_query_results.schema.yaml#/components/schemas/GetLiveQueryResultsRequestQuery'
$ref: '../model/schema/common_attributes.schema.yaml#/components/schemas/KueryOrUndefined'
- name: page
in: query
required: false
schema:
$ref: '../model/schema/common_attributes.schema.yaml#/components/schemas/PageOrUndefined'
- name: pageSize
in: query
required: false
schema:
$ref: '../model/schema/common_attributes.schema.yaml#/components/schemas/PageSizeOrUndefined'
- name: sort
in: query
required: false
schema:
$ref: '../model/schema/common_attributes.schema.yaml#/components/schemas/SortOrUndefined'
- name: sortOrder
in: query
required: false
schema:
$ref: '../model/schema/common_attributes.schema.yaml#/components/schemas/SortOrderOrUndefined'
responses:
'200':
description: OK
content:
application/json:
schema:
$ref: '../model/schema/common_attributes.schema.yaml#/components/schemas/DefaultSuccessResponse'
$ref: './get_live_query_results.schema.yaml#/components/schemas/GetLiveQueryResultsResponse'
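Review bot: The `id` path parameter of `GET /api/osquery/live_queries/{id}` is described as `'The ID of the live query result you want to retrieve.'`, but that operation returns `FindLiveQueryDetailsResponse`, i.e. the live query itself; the same wording is then reused for the `{id}` parameter of the `/results/{actionId}` operation, where it does fit. Suggest `description: 'The ID of the live query you want to retrieve.'` for the first occurrence so readers can tell the two identifiers apart. Separately, the new query parameters reference the `*OrUndefined` components, which carry `nullable: true`; a query string cannot transport null, so `required: false` already covers the absent case and the nullable flag only adds noise to the rendered docs.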


@ -16,119 +16,150 @@
import { z } from '@kbn/zod';
export type Id = z.infer<typeof Id>;
export const Id = z.string();
/**
* The ID of the query.
*/
export type QueryId = z.infer<typeof QueryId>;
export const QueryId = z.string();
export type IdOrUndefined = z.infer<typeof IdOrUndefined>;
export const IdOrUndefined = Id.nullable();
/**
* The pack description.
*/
export type PackDescription = z.infer<typeof PackDescription>;
export const PackDescription = z.string();
export type AgentSelection = z.infer<typeof AgentSelection>;
export const AgentSelection = z.object({
agents: z.array(z.string()).optional(),
allAgentsSelected: z.boolean().optional(),
platformsSelected: z.array(z.string()).optional(),
policiesSelected: z.array(z.string()).optional(),
});
export type AgentSelectionOrUndefined = z.infer<typeof AgentSelectionOrUndefined>;
export const AgentSelectionOrUndefined = AgentSelection.nullable();
export type Description = z.infer<typeof Description>;
export const Description = z.string();
export type DescriptionOrUndefined = z.infer<typeof DescriptionOrUndefined>;
export const DescriptionOrUndefined = Description.nullable();
export type PackDescriptionOrUndefined = z.infer<typeof PackDescriptionOrUndefined>;
export const PackDescriptionOrUndefined = PackDescription.nullable();
/**
* Restricts the query to a specified platform. The default is all platforms. To specify multiple platforms, use commas. For example, `linux,darwin`.
*/
export type Platform = z.infer<typeof Platform>;
export const Platform = z.string();
export type PlatformOrUndefined = z.infer<typeof PlatformOrUndefined>;
export const PlatformOrUndefined = Platform.nullable();
/**
* The SQL query you want to run.
*/
export type Query = z.infer<typeof Query>;
export const Query = z.string();
export type QueryOrUndefined = z.infer<typeof QueryOrUndefined>;
export const QueryOrUndefined = Query.nullable();
/**
* Uses the Osquery versions greater than or equal to the specified version string.
*/
export type Version = z.infer<typeof Version>;
export const Version = z.string();
export type VersionOrUndefined = z.infer<typeof VersionOrUndefined>;
export const VersionOrUndefined = Version.nullable();
/**
* An interval, in seconds, on which to run the query.
*/
export type Interval = z.infer<typeof Interval>;
export const Interval = z.string();
export type IntervalOrUndefined = z.infer<typeof IntervalOrUndefined>;
export const IntervalOrUndefined = Interval.nullable();
/**
* Indicates whether the query is a snapshot.
*/
export type Snapshot = z.infer<typeof Snapshot>;
export const Snapshot = z.boolean();
export type SnapshotOrUndefined = z.infer<typeof SnapshotOrUndefined>;
export const SnapshotOrUndefined = Snapshot.nullable();
/**
* Indicates whether the query is removed.
*/
export type Removed = z.infer<typeof Removed>;
export const Removed = z.boolean();
export type RemovedOrUndefined = z.infer<typeof RemovedOrUndefined>;
export const RemovedOrUndefined = Removed.nullable();
/**
* The pack name.
*/
export type PackName = z.infer<typeof PackName>;
export const PackName = z.string();
/**
* The ID of a saved query.
*/
export type SavedQueryId = z.infer<typeof SavedQueryId>;
export const SavedQueryId = z.string();
export type SavedQueryIdOrUndefined = z.infer<typeof SavedQueryIdOrUndefined>;
export const SavedQueryIdOrUndefined = SavedQueryId.nullable();
/**
* The saved query description.
*/
export type SavedQueryDescription = z.infer<typeof SavedQueryDescription>;
export const SavedQueryDescription = z.string();
export type SavedQueryDescriptionOrUndefined = z.infer<typeof SavedQueryDescriptionOrUndefined>;
export const SavedQueryDescriptionOrUndefined = SavedQueryDescription.nullable();
/**
* The ID of the pack you want to run, retrieve, update, or delete.
*/
export type PackId = z.infer<typeof PackId>;
export const PackId = z.string();
export type PackIdOrUndefined = z.infer<typeof PackIdOrUndefined>;
export const PackIdOrUndefined = PackId.nullable();
/**
* Enables the pack.
*/
export type Enabled = z.infer<typeof Enabled>;
export const Enabled = z.boolean();
export type EnabledOrUndefined = z.infer<typeof EnabledOrUndefined>;
export const EnabledOrUndefined = Enabled.nullable();
/**
* A list of agents policy IDs.
*/
export type PolicyIds = z.infer<typeof PolicyIds>;
export const PolicyIds = z.array(z.string());
export type PolicyIdsOrUndefined = z.infer<typeof PolicyIdsOrUndefined>;
export const PolicyIdsOrUndefined = PolicyIds.nullable();
export type ExecutionContext = z.infer<typeof ExecutionContext>;
export const ExecutionContext = z.object({
name: z.string().nullable().optional(),
url: z.string().nullable().optional(),
});
export type ExecutionContextOrUndefined = z.infer<typeof ExecutionContextOrUndefined>;
export const ExecutionContextOrUndefined = ExecutionContext.nullable();
export type ECSMappingItem = z.infer<typeof ECSMappingItem>;
export const ECSMappingItem = z.object({
/**
* The ECS field to map to.
*/
field: z.string().optional(),
/**
* The value to map to the ECS field.
*/
value: z.union([z.string(), z.array(z.string())]).optional(),
});
/**
* Map osquery results columns or static values to Elastic Common Schema (ECS) fields
*/
export type ECSMapping = z.infer<typeof ECSMapping>;
export const ECSMapping = z.object({}).catchall(ECSMappingItem);
export type ECSMappingOrUndefined = z.infer<typeof ECSMappingOrUndefined>;
export const ECSMappingOrUndefined = ECSMapping.nullable();
export type StringArrayOrUndefined = z.infer<typeof StringArrayOrUndefined>;
export const StringArrayOrUndefined = z.array(z.string().nullable());
export type ArrayQueriesItem = z.infer<typeof ArrayQueriesItem>;
export const ArrayQueriesItem = z.object({
id: Id.optional(),
id: QueryId.optional(),
query: Query.optional(),
ecs_mapping: ECSMappingOrUndefined.optional(),
version: VersionOrUndefined.optional(),
@ -137,13 +168,16 @@ export const ArrayQueriesItem = z.object({
snapshot: SnapshotOrUndefined.optional(),
});
/**
* An array of queries to run.
*/
export type ArrayQueries = z.infer<typeof ArrayQueries>;
export const ArrayQueries = z.array(ArrayQueriesItem);
export type ObjectQueriesItem = z.infer<typeof ObjectQueriesItem>;
export const ObjectQueriesItem = z.object({
query: Query.optional(),
id: Id.optional(),
id: QueryId.optional(),
ecs_mapping: ECSMappingOrUndefined.optional(),
version: VersionOrUndefined.optional(),
platform: PlatformOrUndefined.optional(),
@ -152,6 +186,9 @@ export const ObjectQueriesItem = z.object({
snapshot: SnapshotOrUndefined.optional(),
});
/**
* An object of queries.
*/
export type ObjectQueries = z.infer<typeof ObjectQueries>;
export const ObjectQueries = z.object({}).catchall(ObjectQueriesItem);
@ -161,21 +198,41 @@ export const Queries = z.union([ArrayQueries, ObjectQueries]);
export type QueriesOrUndefined = z.infer<typeof QueriesOrUndefined>;
export const QueriesOrUndefined = Queries.nullable();
/**
* The kuery to filter the results by.
*/
export type KueryOrUndefined = z.infer<typeof KueryOrUndefined>;
export const KueryOrUndefined = z.string().nullable();
/**
* The page number to return. The default is 1.
*/
export type PageOrUndefined = z.infer<typeof PageOrUndefined>;
export const PageOrUndefined = z.number().int().nullable();
/**
* The number of results to return per page. The default is 20.
*/
export type PageSizeOrUndefined = z.infer<typeof PageSizeOrUndefined>;
export const PageSizeOrUndefined = z.number().int().nullable();
/**
* The field that is used to sort the results.
*/
export type SortOrUndefined = z.infer<typeof SortOrUndefined>;
export const SortOrUndefined = z.string().nullable();
export const SortOrUndefined = z.string().nullable().default('createdAt');
/**
* Specifies the sort order.
*/
export type SortOrderOrUndefined = z.infer<typeof SortOrderOrUndefined>;
export const SortOrderOrUndefined = z.union([z.string().nullable(), z.unknown()]);
export const SortOrderOrUndefined = z.enum(['asc', 'desc']);
export type SortOrderOrUndefinedEnum = typeof SortOrderOrUndefined.enum;
export const SortOrderOrUndefinedEnum = SortOrderOrUndefined.enum;
/**
* An object with shard configuration for policies included in the pack. For each policy, set the shard configuration to a percentage (1100) of target hosts.
*/
export type Shards = z.infer<typeof Shards>;
export const Shards = z.object({}).catchall(z.number());


@ -5,44 +5,24 @@ info:
paths: { }
components:
schemas:
Id:
type: string
IdOrUndefined:
$ref: '#/components/schemas/Id'
nullable: true
AgentSelection:
type: object
properties:
agents:
type: array
items:
type: string
allAgentsSelected:
type: boolean
platformsSelected:
type: array
items:
type: string
policiesSelected:
type: array
items:
type: string
AgentSelectionOrUndefined:
$ref: '#/components/schemas/AgentSelection'
nullable: true
Description:
QueryId:
description: 'The ID of the query.'
example: '3c42c847-eb30-4452-80e0-728584042334'
type: string
DescriptionOrUndefined:
$ref: '#/components/schemas/Description'
PackDescription:
description: 'The pack description.'
example: 'Pack description'
type: string
PackDescriptionOrUndefined:
$ref: '#/components/schemas/PackDescription'
nullable: true
Platform:
description: 'Restricts the query to a specified platform. The default is all platforms. To specify multiple platforms, use commas. For example, `linux,darwin`.'
example: 'linux,darwin'
type: string
PlatformOrUndefined:
@ -51,6 +31,8 @@ components:
Query:
description: 'The SQL query you want to run.'
example: 'select * from uptime;'
type: string
QueryOrUndefined:
@ -58,6 +40,8 @@ components:
nullable: true
Version:
description: 'Uses the Osquery versions greater than or equal to the specified version string.'
example: '1.0.0'
type: string
VersionOrUndefined:
@ -65,6 +49,8 @@ components:
nullable: true
Interval:
description: 'An interval, in seconds, on which to run the query.'
example: '60'
type: string
IntervalOrUndefined:
@ -72,6 +58,8 @@ components:
nullable: true
Snapshot:
description: 'Indicates whether the query is a snapshot.'
example: true
type: boolean
SnapshotOrUndefined:
@ -79,6 +67,8 @@ components:
nullable: true
Removed:
description: 'Indicates whether the query is removed.'
example: false
type: boolean
RemovedOrUndefined:
@ -86,17 +76,31 @@ components:
nullable: true
PackName:
description: 'The pack name.'
type: string
SavedQueryId:
description: 'The ID of a saved query.'
example: '3c42c847-eb30-4452-80e0-728584042334'
type: string
SavedQueryIdOrUndefined:
$ref: '#/components/schemas/SavedQueryId'
nullable: true
SavedQueryDescription:
description: 'The saved query description.'
example: 'Saved query description'
type: string
SavedQueryDescriptionOrUndefined:
$ref: '#/components/schemas/SavedQueryDescription'
nullable: true
PackId:
description: 'The ID of the pack you want to run, retrieve, update, or delete.'
example: '3c42c847-eb30-4452-80e0-728584042334'
type: string
PackIdOrUndefined:
@ -104,6 +108,8 @@ components:
nullable: true
Enabled:
description: 'Enables the pack.'
example: true
type: boolean
EnabledOrUndefined:
@ -111,6 +117,10 @@ components:
nullable: true
PolicyIds:
description: 'A list of agents policy IDs.'
example:
- "policyId1"
- "policyId2"
type: array
items:
type: string
@ -119,28 +129,16 @@ components:
$ref: '#/components/schemas/PolicyIds'
nullable: true
ExecutionContext:
type: object
properties:
name:
type: string
nullable: true
url:
type: string
nullable: true
ExecutionContextOrUndefined:
$ref: '#/components/schemas/ExecutionContext'
nullable: true
ECSMappingItem:
type: object
properties:
field:
description: 'The ECS field to map to.'
example: 'host.uptime'
type: string
value:
description: 'The value to map to the ECS field.'
example: 'total_seconds'
oneOf:
- type: string
- type: array
@ -148,6 +146,10 @@ components:
type: string
ECSMapping:
description: 'Map osquery results columns or static values to Elastic Common Schema (ECS) fields'
example:
host.uptime:
field: 'total_seconds'
type: object
additionalProperties:
$ref: '#/components/schemas/ECSMappingItem'
@ -156,19 +158,11 @@ components:
$ref: '#/components/schemas/ECSMapping'
nullable: true
StringArrayOrUndefined:
type: array
items:
type: string
nullable: true
ArrayQueriesItem:
type: object
properties:
id:
$ref: '#/components/schemas/Id'
$ref: '#/components/schemas/QueryId'
query:
$ref: '#/components/schemas/Query'
ecs_mapping:
@ -184,6 +178,7 @@ components:
ArrayQueries:
type: array
description: 'An array of queries to run.'
items:
$ref: '#/components/schemas/ArrayQueriesItem'
@ -193,7 +188,7 @@ components:
query:
$ref: '#/components/schemas/Query'
id:
$ref: '#/components/schemas/Id'
$ref: '#/components/schemas/QueryId'
ecs_mapping:
$ref: '#/components/schemas/ECSMappingOrUndefined'
version:
@ -209,6 +204,7 @@ components:
ObjectQueries:
type: object
description: 'An object of queries.'
additionalProperties:
$ref: '#/components/schemas/ObjectQueriesItem'
@ -223,29 +219,42 @@ components:
nullable: true
KueryOrUndefined:
description: 'The kuery to filter the results by.'
example: 'agent.id: 16d7caf5-efd2-4212-9b62-73dafc91fa13'
type: string
nullable: true
PageOrUndefined:
description: 'The page number to return. The default is 1.'
example: 1
type: integer
nullable: true
PageSizeOrUndefined:
description: 'The number of results to return per page. The default is 20.'
example: 20
type: integer
nullable: true
SortOrUndefined:
description: 'The field that is used to sort the results.'
example: 'createdAt'
default: createdAt
type: string
nullable: true
SortOrderOrUndefined:
oneOf:
- type: string
nullable: true
- enum: [ asc, desc ]
description: 'Specifies the sort order.'
example: 'desc'
enum:
- asc
- desc
type: string
Shards:
description: 'An object with shard configuration for policies included in the pack. For each policy, set the shard configuration to a percentage (1100) of target hosts.'
example:
policy_id: 50
type: object
additionalProperties:
type: number
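Review bot: `SortOrderOrUndefined` is narrowed from a `oneOf` that admitted any nullable string to a plain `enum: [asc, desc]` with no `nullable`, and `SortOrUndefined` gains `default: createdAt`; both are shared components referenced by every list operation in this PR (live queries, live query results, packs), so the generated Zod becomes `z.enum(['asc', 'desc'])` and `z.string().nullable().default('createdAt')` for all of them. Rejecting unexpected sort order values at the schema boundary is a welcome tightening, but it is a behaviour change for callers that previously sent other values, and whether `createdAt` is a meaningful sort field for the live query results operation is not visible here — worth confirming, or moving the default to the operations where it applies. The name `SortOrderOrUndefined` no longer matches a non-nullable enum; a rename is out of scope for a docs migration, but a short comment above the component would spare the next reader the confusion. The `Shards` description reads `percentage (1100) of target hosts`, which looks like a dropped range separator; `(1-100)` is presumably intended.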


@ -18,7 +18,7 @@ import { z } from '@kbn/zod';
import {
PackName,
DescriptionOrUndefined,
PackDescriptionOrUndefined,
EnabledOrUndefined,
PolicyIdsOrUndefined,
Shards,
@ -28,9 +28,12 @@ import {
export type CreatePacksRequestBody = z.infer<typeof CreatePacksRequestBody>;
export const CreatePacksRequestBody = z.object({
name: PackName.optional(),
description: DescriptionOrUndefined.optional(),
description: PackDescriptionOrUndefined.optional(),
enabled: EnabledOrUndefined.optional(),
policy_ids: PolicyIdsOrUndefined.optional(),
shards: Shards.optional(),
queries: ObjectQueries.optional(),
});
export type CreatePacksResponse = z.infer<typeof CreatePacksResponse>;
export const CreatePacksResponse = z.object({});


@ -7,11 +7,33 @@ components:
schemas:
CreatePacksRequestBody:
type: object
example:
name: "my_pack"
description: "My pack"
enabled: true
policy_ids:
- "my_policy_id"
- "fleet-server-policy"
shards:
my_policy_id: 35
fleet-server-policy: 58
queries:
my_query:
query: "SELECT * FROM listening_ports;"
interval: 60
timeout: 120
ecs_mapping:
client.port:
field: "port"
tags:
value:
- "tag1"
- "tag2"
properties:
name:
$ref: '../model/schema/common_attributes.schema.yaml#/components/schemas/PackName'
description:
$ref: '../model/schema/common_attributes.schema.yaml#/components/schemas/DescriptionOrUndefined'
$ref: '../model/schema/common_attributes.schema.yaml#/components/schemas/PackDescriptionOrUndefined'
enabled:
$ref: '../model/schema/common_attributes.schema.yaml#/components/schemas/EnabledOrUndefined'
policy_ids:
@ -21,3 +43,31 @@ components:
queries:
$ref: '../model/schema/common_attributes.schema.yaml#/components/schemas/ObjectQueries'
CreatePacksResponse:
type: object
properties: { }
example:
data:
name: my_pack
description: My pack
queries:
ports:
query: SELECT * FROM listening_ports;
interval: 60
snapshot: true
removed: false
timeout: 120
ecs_mapping:
client.port:
field: port
enabled: true
created_at: "2025-02-26T13:37:30.452Z"
created_by: elastic
updated_at: "2025-02-26T13:37:30.452Z"
updated_by: elastic
shards:
- key: 47638692-7c4c-4053-aa3e-7186f28df349
value: 35
- key: 5e267651-fe50-443e-8d3f-3bbc9171b618
value: 58
saved_object_id: 1c266590-381f-428c-878f-c80c1334f856
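Review bot: The `CreatePacksRequestBody` example sets `interval: 60` as an integer, but the referenced `Interval` component is `type: string` (its own example is `'60'`), so this example would not validate against the schema it illustrates; use `interval: '60'` or align the component type, whichever matches what the server accepts. The example also sends `timeout: 120` and the response example echoes it, yet I cannot see `timeout` among the `ObjectQueriesItem` properties shown in this PR — worth confirming the property is declared, otherwise the docs advertise a field the schema omits. The response example's `shards` is a list of `key`/`value` pairs while the request `shards` is a map of policy ID to percentage; if that asymmetry is real server behaviour, a one-line `description` on `CreatePacksResponse` would save readers a surprise.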


@ -16,17 +16,8 @@
import { z } from '@kbn/zod';
import {
PageOrUndefined,
PageSizeOrUndefined,
SortOrUndefined,
SortOrderOrUndefined,
} from '../model/schema/common_attributes.gen';
export type FindPacksResponse = z.infer<typeof FindPacksResponse>;
export const FindPacksResponse = z.object({});
export type FindPacksRequestQuery = z.infer<typeof FindPacksRequestQuery>;
export const FindPacksRequestQuery = z.object({
page: PageOrUndefined.optional(),
pageSize: PageSizeOrUndefined.optional(),
sort: SortOrUndefined.optional(),
sortOrder: SortOrderOrUndefined.optional(),
});
export type FindPackResponse = z.infer<typeof FindPackResponse>;
export const FindPackResponse = z.object({});


@ -5,14 +5,57 @@ info:
paths: { }
components:
schemas:
FindPacksRequestQuery:
FindPacksResponse:
type: object
properties:
page:
$ref: '../model/schema/common_attributes.schema.yaml#/components/schemas/PageOrUndefined'
pageSize:
$ref: '../model/schema/common_attributes.schema.yaml#/components/schemas/PageSizeOrUndefined'
sort:
$ref: '../model/schema/common_attributes.schema.yaml#/components/schemas/SortOrUndefined'
sortOrder:
$ref: '../model/schema/common_attributes.schema.yaml#/components/schemas/SortOrderOrUndefined'
properties: { }
example:
page: 1
pageSize: 10
total: 1
data:
- type: 'osquery-pack'
id: '42ba9c50-0cc5-11ed-aa1d-2b27890bc90d'
namespaces:
- 'default'
attributes:
name: 'My Pack'
queries:
- query: 'select * from uptime;'
interval: '3600'
id: 'uptime'
ecs_mapping:
- host.uptime:
field: 'total_seconds'
enabled: true
created_at: '2023-10-31T00:00:00Z'
updated_at: '2023-10-31T00:00:00Z'
created_by: 'elastic'
updated_by: 'elastic'
description: 'My pack description'
policy_ids: []
FindPackResponse:
type: object
properties: { }
example:
data:
id: "3c42c847-eb30-4452-80e0-728584042334"
type: "osquery-pack"
namespaces:
- "default"
updated_at: "2022-07-25T20:12:01.455Z"
name: "test_pack"
queries:
uptime:
interval: 3600
query: "select * from uptime"
ecs_mapping:
message:
field: "days"
enabled: true
created_at: "2022-07-25T19:41:10.263Z"
created_by: "elastic"
updated_by: "elastic"
description: ""
policy_ids: [ ]
read_only: false # true for prebuilt packs
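Review bot: The two examples in this file disagree with each other and with the shared components: `FindPacksResponse` shows `ecs_mapping` as a list (`- host.uptime:`) while `FindPackResponse` and the `ECSMapping` component show it as a map keyed by ECS field, and `interval` is the string `'3600'` in one and the integer `3600` in the other. Pick one shape per field — the map form for `ecs_mapping`, and whichever type `Interval` actually has — so a reader copying the example gets a payload the API really produces. The inline `# true for prebuilt packs` comment on `read_only` is useful and is lost in the rendered docs; once `FindPackResponse` declares properties, a `description` on that property would preserve it.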


@ -16,17 +16,23 @@
import { z } from '@kbn/zod';
import { FindPacksRequestQuery } from './find_packs.gen';
import { DefaultSuccessResponse, PackId } from '../model/schema/common_attributes.gen';
import { CreatePacksRequestBody } from './create_pack.gen';
import { UpdatePacksRequestBody } from './update_packs.gen';
import {
PageOrUndefined,
PageSizeOrUndefined,
SortOrUndefined,
SortOrderOrUndefined,
PackId,
} from '../model/schema/common_attributes.gen';
import { FindPacksResponse, FindPackResponse } from './find_packs.gen';
import { CreatePacksRequestBody, CreatePacksResponse } from './create_pack.gen';
import { UpdatePacksRequestBody, UpdatePacksResponse } from './update_packs.gen';
export type OsqueryCreatePacksRequestBody = z.infer<typeof OsqueryCreatePacksRequestBody>;
export const OsqueryCreatePacksRequestBody = CreatePacksRequestBody;
export type OsqueryCreatePacksRequestBodyInput = z.input<typeof OsqueryCreatePacksRequestBody>;
export type OsqueryCreatePacksResponse = z.infer<typeof OsqueryCreatePacksResponse>;
export const OsqueryCreatePacksResponse = DefaultSuccessResponse;
export const OsqueryCreatePacksResponse = CreatePacksResponse;
export type OsqueryDeletePacksRequestParams = z.infer<typeof OsqueryDeletePacksRequestParams>;
export const OsqueryDeletePacksRequestParams = z.object({
@ -35,15 +41,18 @@ export const OsqueryDeletePacksRequestParams = z.object({
export type OsqueryDeletePacksRequestParamsInput = z.input<typeof OsqueryDeletePacksRequestParams>;
export type OsqueryDeletePacksResponse = z.infer<typeof OsqueryDeletePacksResponse>;
export const OsqueryDeletePacksResponse = DefaultSuccessResponse;
export const OsqueryDeletePacksResponse = z.object({});
export type OsqueryFindPacksRequestQuery = z.infer<typeof OsqueryFindPacksRequestQuery>;
export const OsqueryFindPacksRequestQuery = z.object({
query: FindPacksRequestQuery,
page: PageOrUndefined.optional(),
pageSize: PageSizeOrUndefined.optional(),
sort: SortOrUndefined.optional(),
sortOrder: SortOrderOrUndefined.optional(),
});
export type OsqueryFindPacksRequestQueryInput = z.input<typeof OsqueryFindPacksRequestQuery>;
export type OsqueryFindPacksResponse = z.infer<typeof OsqueryFindPacksResponse>;
export const OsqueryFindPacksResponse = DefaultSuccessResponse;
export const OsqueryFindPacksResponse = FindPacksResponse;
export type OsqueryGetPacksDetailsRequestParams = z.infer<
typeof OsqueryGetPacksDetailsRequestParams
@ -56,7 +65,7 @@ export type OsqueryGetPacksDetailsRequestParamsInput = z.input<
>;
export type OsqueryGetPacksDetailsResponse = z.infer<typeof OsqueryGetPacksDetailsResponse>;
export const OsqueryGetPacksDetailsResponse = DefaultSuccessResponse;
export const OsqueryGetPacksDetailsResponse = FindPackResponse;
export type OsqueryUpdatePacksRequestParams = z.infer<typeof OsqueryUpdatePacksRequestParams>;
export const OsqueryUpdatePacksRequestParams = z.object({
@ -69,4 +78,4 @@ export const OsqueryUpdatePacksRequestBody = UpdatePacksRequestBody;
export type OsqueryUpdatePacksRequestBodyInput = z.input<typeof OsqueryUpdatePacksRequestBody>;
export type OsqueryUpdatePacksResponse = z.infer<typeof OsqueryUpdatePacksResponse>;
export const OsqueryUpdatePacksResponse = DefaultSuccessResponse;
export const OsqueryUpdatePacksResponse = UpdatePacksResponse;


@ -11,18 +11,33 @@ paths:
x-codegen-enabled: true
x-labels: [serverless, ess]
parameters:
- name: query
- name: page
in: query
required: true
required: false
schema:
$ref: './find_packs.schema.yaml#/components/schemas/FindPacksRequestQuery'
$ref: '../model/schema/common_attributes.schema.yaml#/components/schemas/PageOrUndefined'
- name: pageSize
in: query
required: false
schema:
$ref: '../model/schema/common_attributes.schema.yaml#/components/schemas/PageSizeOrUndefined'
- name: sort
in: query
required: false
schema:
$ref: '../model/schema/common_attributes.schema.yaml#/components/schemas/SortOrUndefined'
- name: sortOrder
in: query
required: false
schema:
$ref: '../model/schema/common_attributes.schema.yaml#/components/schemas/SortOrderOrUndefined'
responses:
'200':
description: OK
content:
application/json:
schema:
$ref: '../model/schema/common_attributes.schema.yaml#/components/schemas/DefaultSuccessResponse'
$ref: './find_packs.schema.yaml#/components/schemas/FindPacksResponse'
post:
summary: Create a pack
description: Create a query pack.
@ -41,7 +56,7 @@ paths:
content:
application/json:
schema:
$ref: '../model/schema/common_attributes.schema.yaml#/components/schemas/DefaultSuccessResponse'
$ref: './create_pack.schema.yaml#/components/schemas/CreatePacksResponse'
/api/osquery/packs/{id}:
get:
summary: Get pack details
@ -61,7 +76,7 @@ paths:
content:
application/json:
schema:
$ref: '../model/schema/common_attributes.schema.yaml#/components/schemas/DefaultSuccessResponse'
$ref: './find_packs.schema.yaml#/components/schemas/FindPackResponse'
delete:
summary: Delete a pack
description: Delete a query pack using the pack ID.
@ -80,7 +95,9 @@ paths:
content:
application/json:
schema:
$ref: '../model/schema/common_attributes.schema.yaml#/components/schemas/DefaultSuccessResponse'
type: object
properties: { }
example: { }
put:
summary: Update a pack
description: |
@ -108,4 +125,4 @@ paths:
content:
application/json:
schema:
$ref: '../model/schema/common_attributes.schema.yaml#/components/schemas/DefaultSuccessResponse'
$ref: './update_packs.schema.yaml#/components/schemas/UpdatePacksResponse'
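Review bot: The `delete` 200 response, inlined as `type: object` / `properties: { }` / `example: { }`, is the only response in this file that is not a `$ref` to a named schema, so the generated module gets no named export for it and the file reads inconsistently against the `UpdatePacksResponse` reference on the last line; a `DeletePacksResponse` schema in a sibling `*.schema.yaml`, referenced the same way, would keep the generated exports predictable. Separately, the new `page` and `pageSize` parameters are typed only through `PageOrUndefined` and `PageSizeOrUndefined`, which the bundled `.yaml` further down in this PR shows as nullable integers with no bounds; if the codegen carries numeric constraints into the zod validators, a `minimum: 1` on both and a `maximum` on `pageSize` would let the route reject oversized page requests before the handler runs. The same parameter block is repeated in the saved-queries paths file below.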


@ -17,8 +17,8 @@
import { z } from '@kbn/zod';
import {
PackId,
DescriptionOrUndefined,
PackName,
PackDescriptionOrUndefined,
EnabledOrUndefined,
PolicyIdsOrUndefined,
Shards,
@ -27,10 +27,13 @@ import {
export type UpdatePacksRequestBody = z.infer<typeof UpdatePacksRequestBody>;
export const UpdatePacksRequestBody = z.object({
id: PackId.optional(),
description: DescriptionOrUndefined.optional(),
name: PackName.optional(),
description: PackDescriptionOrUndefined.optional(),
enabled: EnabledOrUndefined.optional(),
policy_ids: PolicyIdsOrUndefined.optional(),
shards: Shards.optional(),
queries: ObjectQueries.optional(),
});
export type UpdatePacksResponse = z.infer<typeof UpdatePacksResponse>;
export const UpdatePacksResponse = z.object({});
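Review bot: `export const UpdatePacksResponse = z.object({});` on the last line types the response as an empty object, while the matching `update_packs.schema.yaml` example in this PR shows a populated `data` payload; in stock zod a bare `z.object({})` strips unknown keys on parse, so anything routed through this schema for validation would presumably come back as `{}`, and consumers only get `{}` as the inferred type. If the generator is driven from `properties: { }`, either declare the `data` property in the OpenAPI schema or have the generator emit `.passthrough()` for property-less response objects, so the type and the documented example agree. The same pattern applies to `CreateSavedQueryResponse`, `FindSavedQueryResponse`, `FindSavedQueryDetailResponse` and `UpdateSavedQueryResponse` in the other `*.gen.ts` files of this PR.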


@ -7,11 +7,13 @@ components:
schemas:
UpdatePacksRequestBody:
type: object
example:
name: 'updated_my_pack_name'
properties:
id:
$ref: '../model/schema/common_attributes.schema.yaml#/components/schemas/PackId'
name:
$ref: '../model/schema/common_attributes.schema.yaml#/components/schemas/PackName'
description:
$ref: '../model/schema/common_attributes.schema.yaml#/components/schemas/DescriptionOrUndefined'
$ref: '../model/schema/common_attributes.schema.yaml#/components/schemas/PackDescriptionOrUndefined'
enabled:
$ref: '../model/schema/common_attributes.schema.yaml#/components/schemas/EnabledOrUndefined'
policy_ids:
@ -20,3 +22,31 @@ components:
$ref: '../model/schema/common_attributes.schema.yaml#/components/schemas/Shards'
queries:
$ref: '../model/schema/common_attributes.schema.yaml#/components/schemas/ObjectQueries'
UpdatePacksResponse:
type: object
properties: { }
example:
data:
name: updated_my_pack_name
description: My pack
queries:
ports:
interval: 60
snapshot: true
removed: false
timeout: 120
query: SELECT * FROM listening_ports;
ecs_mapping:
client.port:
field: port
enabled: true
created_at: "2025-02-26T13:37:30.452Z"
created_by: elastic
updated_at: "2025-02-26T13:40:16.297Z"
updated_by: elastic
shards:
- key: 47638692-7c4c-4053-aa3e-7186f28df349
value: 35
- key: 5e267651-fe50-443e-8d3f-3bbc9171b618
value: 58
saved_object_id: 1c266590-381f-428c-878f-c80c1334f856
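Review bot: The `UpdatePacksResponse` example renders `shards` as a list of `key`/`value` pairs, whereas the request-side `Shards` schema referenced a few lines above is rendered in this PR's `CreatePacksRequestBody` example as a policy-id → number map; with `properties: { }` on the response, nothing in the spec pins either shape. If the API really emits a different shape on the way out, a one-line `description` on `UpdatePacksResponse` saying so would save readers a round trip; if it does not, the example is wrong and should mirror the request map.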


@ -18,10 +18,11 @@ import { z } from '@kbn/zod';
import {
SavedQueryId,
DescriptionOrUndefined,
SavedQueryDescriptionOrUndefined,
QueryOrUndefined,
ECSMappingOrUndefined,
VersionOrUndefined,
PlatformOrUndefined,
Interval,
SnapshotOrUndefined,
RemovedOrUndefined,
@ -30,15 +31,15 @@ import {
export type CreateSavedQueryRequestBody = z.infer<typeof CreateSavedQueryRequestBody>;
export const CreateSavedQueryRequestBody = z.object({
id: SavedQueryId.optional(),
description: DescriptionOrUndefined.optional(),
description: SavedQueryDescriptionOrUndefined.optional(),
query: QueryOrUndefined.optional(),
ecs_mapping: ECSMappingOrUndefined.optional(),
version: VersionOrUndefined.optional(),
platform: DescriptionOrUndefined.optional(),
platform: PlatformOrUndefined.optional(),
interval: Interval.optional(),
snapshot: SnapshotOrUndefined.optional(),
removed: RemovedOrUndefined.optional(),
});
export type SuccessResponse = z.infer<typeof SuccessResponse>;
export const SuccessResponse = z.object({});
export type CreateSavedQueryResponse = z.infer<typeof CreateSavedQueryResponse>;
export const CreateSavedQueryResponse = z.object({});
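Review bot: Renaming the exported `SuccessResponse` to `CreateSavedQueryResponse` removes a public symbol from this module with no alias, and only the `osquery.gen`-style import in this PR is updated; if anything outside the generated files imported `SuccessResponse`, it breaks at compile time, which is worth a quick grep before merging. If nothing else depends on it the rename is fine, but a one-line `@deprecated` re-export, `export const SuccessResponse = CreateSavedQueryResponse;`, would make the change non-breaking for a release.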


@ -7,11 +7,22 @@ components:
schemas:
CreateSavedQueryRequestBody:
type: object
example:
id: "saved_query_id"
description: "Saved query description"
query: "select * from uptime;"
interval: "60"
timeout: 120
version: "2.8.0"
platform: "linux,darwin"
ecs_mapping:
host.uptime:
field: "total_seconds"
properties:
id:
$ref: '../model/schema/common_attributes.schema.yaml#/components/schemas/SavedQueryId'
description:
$ref: '../model/schema/common_attributes.schema.yaml#/components/schemas/DescriptionOrUndefined'
$ref: '../model/schema/common_attributes.schema.yaml#/components/schemas/SavedQueryDescriptionOrUndefined'
query:
$ref: '../model/schema/common_attributes.schema.yaml#/components/schemas/QueryOrUndefined'
ecs_mapping:
@ -19,14 +30,15 @@ components:
version:
$ref: '../model/schema/common_attributes.schema.yaml#/components/schemas/VersionOrUndefined'
platform:
$ref: '../model/schema/common_attributes.schema.yaml#/components/schemas/DescriptionOrUndefined'
$ref: '../model/schema/common_attributes.schema.yaml#/components/schemas/PlatformOrUndefined'
interval:
$ref: '../model/schema/common_attributes.schema.yaml#/components/schemas/Interval'
snapshot:
$ref: '../model/schema/common_attributes.schema.yaml#/components/schemas/SnapshotOrUndefined'
removed:
$ref: '../model/schema/common_attributes.schema.yaml#/components/schemas/RemovedOrUndefined'
SuccessResponse:
CreateSavedQueryResponse:
type: object
properties: {}
# Define properties for the success response if needed
properties: { }
example:
data: { }
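Review bot: `timeout: 120` in the new `CreateSavedQueryRequestBody` example has no matching entry under `properties`, which as far as the visible hunks show lists `id`, `description`, `query`, `ecs_mapping`, `version`, `platform`, `interval`, `snapshot` and `removed`; readers will assume `timeout` is accepted, and nothing in the schema says whether it is. Either add a `timeout` property (pointing at a common schema if one exists) or drop the line from the example. The same `timeout: 120` appears in the bundled `CreateSavedQueryRequestBody` example in the combined `.yaml` further down.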


@ -16,17 +16,8 @@
import { z } from '@kbn/zod';
import {
PageOrUndefined,
PageSizeOrUndefined,
SortOrUndefined,
SortOrderOrUndefined,
} from '../model/schema/common_attributes.gen';
export type FindSavedQueryResponse = z.infer<typeof FindSavedQueryResponse>;
export const FindSavedQueryResponse = z.object({});
export type FindSavedQueryRequestQuery = z.infer<typeof FindSavedQueryRequestQuery>;
export const FindSavedQueryRequestQuery = z.object({
page: PageOrUndefined.optional(),
pageSize: PageSizeOrUndefined.optional(),
sort: SortOrUndefined.optional(),
sortOrder: SortOrderOrUndefined.optional(),
});
export type FindSavedQueryDetailResponse = z.infer<typeof FindSavedQueryDetailResponse>;
export const FindSavedQueryDetailResponse = z.object({});


@ -5,14 +5,59 @@ info:
paths: { }
components:
schemas:
FindSavedQueryRequestQuery:
FindSavedQueryResponse:
type: object
properties: { }
example:
page: 1
per_page: 100
total: 11
data:
- type: "osquery-saved-query"
id: "42ba9c50-0cc5-11ed-aa1d-2b27890bc90d"
namespaces:
- "default"
attributes:
id: "saved_query_id"
description: "Saved query description"
query: "select * from uptime;"
platform: "linux,darwin"
version: "2.8.0"
interval: "60"
ecs_mapping:
host.uptime:
field: "total_seconds"
created_by: "elastic"
created_at: "2022-07-26T09:28:08.597Z"
updated_by: "elastic"
updated_at: "2022-07-26T09:28:08.597Z"
prebuilt: false
FindSavedQueryDetailResponse:
type: object
properties:
page:
$ref: '../model/schema/common_attributes.schema.yaml#/components/schemas/PageOrUndefined'
pageSize:
$ref: '../model/schema/common_attributes.schema.yaml#/components/schemas/PageSizeOrUndefined'
sort:
$ref: '../model/schema/common_attributes.schema.yaml#/components/schemas/SortOrUndefined'
sortOrder:
$ref: '../model/schema/common_attributes.schema.yaml#/components/schemas/SortOrderOrUndefined'
properties: { }
example:
data:
id: "3c42c847-eb30-4452-80e0-728584042334"
type: "osquery-saved-query"
namespaces:
- "default"
updated_at: "2022-07-26T09:28:08.600Z"
version: "WzQzMTcsMV0="
attributes:
id: "saved_query_id"
description: "Saved query description"
query: "select * from uptime;"
platform: "linux,darwin"
version: "2.8.0"
interval: "60"
ecs_mapping:
host.uptime:
field: "total_seconds"
created_by: "elastic"
created_at: "2022-07-26T09:28:08.597Z"
updated_by: "elastic"
updated_at: "2022-07-26T09:28:08.597Z"
prebuilt: false
references: [ ]
coreMigrationVersion: "8.4.0"
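Review bot: The `FindSavedQueryResponse` example reports pagination as `per_page: 100`, while the `FindPacksResponse` example in the bundled `.yaml` further down uses `pageSize: 10` for the same concept and the request parameter introduced in this PR is `pageSize`; one of the two list examples is presumably not what the server emits. Use whichever field name the handler actually returns in both examples, or add a short `description` noting that the two endpoints differ.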


@ -16,10 +16,17 @@
import { z } from '@kbn/zod';
import { FindSavedQueryRequestQuery } from './find_saved_query.gen';
import { DefaultSuccessResponse, SavedQueryId } from '../model/schema/common_attributes.gen';
import { CreateSavedQueryRequestBody } from './create_saved_query.gen';
import { UpdateSavedQueryRequestBody } from './update_saved_query.gen';
import {
PageOrUndefined,
PageSizeOrUndefined,
SortOrUndefined,
SortOrderOrUndefined,
SavedQueryId,
DefaultSuccessResponse,
} from '../model/schema/common_attributes.gen';
import { FindSavedQueryResponse, FindSavedQueryDetailResponse } from './find_saved_query.gen';
import { CreateSavedQueryRequestBody, CreateSavedQueryResponse } from './create_saved_query.gen';
import { UpdateSavedQueryRequestBody, UpdateSavedQueryResponse } from './update_saved_query.gen';
export type OsqueryCreateSavedQueryRequestBody = z.infer<typeof OsqueryCreateSavedQueryRequestBody>;
export const OsqueryCreateSavedQueryRequestBody = CreateSavedQueryRequestBody;
@ -28,7 +35,7 @@ export type OsqueryCreateSavedQueryRequestBodyInput = z.input<
>;
export type OsqueryCreateSavedQueryResponse = z.infer<typeof OsqueryCreateSavedQueryResponse>;
export const OsqueryCreateSavedQueryResponse = DefaultSuccessResponse;
export const OsqueryCreateSavedQueryResponse = CreateSavedQueryResponse;
export type OsqueryDeleteSavedQueryRequestParams = z.infer<
typeof OsqueryDeleteSavedQueryRequestParams
@ -46,14 +53,17 @@ export type OsqueryFindSavedQueriesRequestQuery = z.infer<
typeof OsqueryFindSavedQueriesRequestQuery
>;
export const OsqueryFindSavedQueriesRequestQuery = z.object({
query: FindSavedQueryRequestQuery,
page: PageOrUndefined.optional(),
pageSize: PageSizeOrUndefined.optional(),
sort: SortOrUndefined.optional(),
sortOrder: SortOrderOrUndefined.optional(),
});
export type OsqueryFindSavedQueriesRequestQueryInput = z.input<
typeof OsqueryFindSavedQueriesRequestQuery
>;
export type OsqueryFindSavedQueriesResponse = z.infer<typeof OsqueryFindSavedQueriesResponse>;
export const OsqueryFindSavedQueriesResponse = DefaultSuccessResponse;
export const OsqueryFindSavedQueriesResponse = FindSavedQueryResponse;
export type OsqueryGetSavedQueryDetailsRequestParams = z.infer<
typeof OsqueryGetSavedQueryDetailsRequestParams
@ -68,7 +78,7 @@ export type OsqueryGetSavedQueryDetailsRequestParamsInput = z.input<
export type OsqueryGetSavedQueryDetailsResponse = z.infer<
typeof OsqueryGetSavedQueryDetailsResponse
>;
export const OsqueryGetSavedQueryDetailsResponse = DefaultSuccessResponse;
export const OsqueryGetSavedQueryDetailsResponse = FindSavedQueryDetailResponse;
export type OsqueryUpdateSavedQueryRequestParams = z.infer<
typeof OsqueryUpdateSavedQueryRequestParams
@ -87,4 +97,4 @@ export type OsqueryUpdateSavedQueryRequestBodyInput = z.input<
>;
export type OsqueryUpdateSavedQueryResponse = z.infer<typeof OsqueryUpdateSavedQueryResponse>;
export const OsqueryUpdateSavedQueryResponse = DefaultSuccessResponse;
export const OsqueryUpdateSavedQueryResponse = UpdateSavedQueryResponse;


@ -11,18 +11,33 @@ paths:
x-codegen-enabled: true
x-labels: [serverless, ess]
parameters:
- name: query
- name: page
in: query
required: true
required: false
schema:
$ref: './find_saved_query.schema.yaml#/components/schemas/FindSavedQueryRequestQuery'
$ref: '../model/schema/common_attributes.schema.yaml#/components/schemas/PageOrUndefined'
- name: pageSize
in: query
required: false
schema:
$ref: '../model/schema/common_attributes.schema.yaml#/components/schemas/PageSizeOrUndefined'
- name: sort
in: query
required: false
schema:
$ref: '../model/schema/common_attributes.schema.yaml#/components/schemas/SortOrUndefined'
- name: sortOrder
in: query
required: false
schema:
$ref: '../model/schema/common_attributes.schema.yaml#/components/schemas/SortOrderOrUndefined'
responses:
'200':
description: OK
content:
application/json:
schema:
$ref: '../model/schema/common_attributes.schema.yaml#/components/schemas/DefaultSuccessResponse'
$ref: './find_saved_query.schema.yaml#/components/schemas/FindSavedQueryResponse'
post:
summary: Create a saved query
description: Create and run a saved query.
@ -41,7 +56,7 @@ paths:
content:
application/json:
schema:
$ref: '../model/schema/common_attributes.schema.yaml#/components/schemas/DefaultSuccessResponse'
$ref: './create_saved_query.schema.yaml#/components/schemas/CreateSavedQueryResponse'
/api/osquery/saved_queries/{id}:
get:
summary: Get saved query details
@ -61,7 +76,7 @@ paths:
content:
application/json:
schema:
$ref: '../model/schema/common_attributes.schema.yaml#/components/schemas/DefaultSuccessResponse'
$ref: './find_saved_query.schema.yaml#/components/schemas/FindSavedQueryDetailResponse'
delete:
summary: Delete a saved query
description: Delete a saved query using the query ID.
@ -108,4 +123,4 @@ paths:
content:
application/json:
schema:
$ref: '../model/schema/common_attributes.schema.yaml#/components/schemas/DefaultSuccessResponse'
$ref: './update_saved_query.schema.yaml#/components/schemas/UpdateSavedQueryResponse'


@ -18,10 +18,11 @@ import { z } from '@kbn/zod';
import {
SavedQueryId,
DescriptionOrUndefined,
SavedQueryDescriptionOrUndefined,
QueryOrUndefined,
ECSMappingOrUndefined,
VersionOrUndefined,
PlatformOrUndefined,
IntervalOrUndefined,
SnapshotOrUndefined,
RemovedOrUndefined,
@ -30,12 +31,15 @@ import {
export type UpdateSavedQueryRequestBody = z.infer<typeof UpdateSavedQueryRequestBody>;
export const UpdateSavedQueryRequestBody = z.object({
id: SavedQueryId.optional(),
description: DescriptionOrUndefined.optional(),
description: SavedQueryDescriptionOrUndefined.optional(),
query: QueryOrUndefined.optional(),
ecs_mapping: ECSMappingOrUndefined.optional(),
version: VersionOrUndefined.optional(),
platform: DescriptionOrUndefined.optional(),
platform: PlatformOrUndefined.optional(),
interval: IntervalOrUndefined.optional(),
snapshot: SnapshotOrUndefined.optional(),
removed: RemovedOrUndefined.optional(),
});
export type UpdateSavedQueryResponse = z.infer<typeof UpdateSavedQueryResponse>;
export const UpdateSavedQueryResponse = z.object({});


@ -7,11 +7,13 @@ components:
schemas:
UpdateSavedQueryRequestBody:
type: object
example:
id: 'updated_my_saved_query_name'
properties:
id:
$ref: '../model/schema/common_attributes.schema.yaml#/components/schemas/SavedQueryId'
description:
$ref: '../model/schema/common_attributes.schema.yaml#/components/schemas/DescriptionOrUndefined'
$ref: '../model/schema/common_attributes.schema.yaml#/components/schemas/SavedQueryDescriptionOrUndefined'
query:
$ref: '../model/schema/common_attributes.schema.yaml#/components/schemas/QueryOrUndefined'
ecs_mapping:
@ -19,10 +21,15 @@ components:
version:
$ref: '../model/schema/common_attributes.schema.yaml#/components/schemas/VersionOrUndefined'
platform:
$ref: '../model/schema/common_attributes.schema.yaml#/components/schemas/DescriptionOrUndefined'
$ref: '../model/schema/common_attributes.schema.yaml#/components/schemas/PlatformOrUndefined'
interval:
$ref: '../model/schema/common_attributes.schema.yaml#/components/schemas/IntervalOrUndefined'
snapshot:
$ref: '../model/schema/common_attributes.schema.yaml#/components/schemas/SnapshotOrUndefined'
removed:
$ref: '../model/schema/common_attributes.schema.yaml#/components/schemas/RemovedOrUndefined'
UpdateSavedQueryResponse:
type: object
properties: { }
example:
data: { }


@ -17,16 +17,36 @@ paths:
operationId: OsqueryFindLiveQueries
parameters:
- in: query
name: query
required: true
name: kuery
required: false
schema:
$ref: '#/components/schemas/FindLiveQueryRequestQuery'
$ref: '#/components/schemas/KueryOrUndefined'
- in: query
name: page
required: false
schema:
$ref: '#/components/schemas/PageOrUndefined'
- in: query
name: pageSize
required: false
schema:
$ref: '#/components/schemas/PageSizeOrUndefined'
- in: query
name: sort
required: false
schema:
$ref: '#/components/schemas/SortOrUndefined'
- in: query
name: sortOrder
required: false
schema:
$ref: '#/components/schemas/SortOrderOrUndefined'
responses:
'200':
content:
application/json:
schema:
$ref: '#/components/schemas/DefaultSuccessResponse'
$ref: '#/components/schemas/FindLiveQueryResponse'
description: OK
summary: Get live queries
tags:
@ -45,7 +65,7 @@ paths:
content:
application/json:
schema:
$ref: '#/components/schemas/DefaultSuccessResponse'
$ref: '#/components/schemas/CreateLiveQueryResponse'
description: OK
summary: Create a live query
tags:
@ -59,18 +79,15 @@ paths:
name: id
required: true
schema:
$ref: '#/components/schemas/Id'
- in: query
name: query
schema:
additionalProperties: true
type: object
description: The ID of the live query result you want to retrieve.
example: 3c42c847-eb30-4452-80e0-728584042334
type: string
responses:
'200':
content:
application/json:
schema:
$ref: '#/components/schemas/DefaultSuccessResponse'
$ref: '#/components/schemas/FindLiveQueryDetailsResponse'
description: OK
summary: Get live query details
tags:
@ -84,23 +101,47 @@ paths:
name: id
required: true
schema:
$ref: '#/components/schemas/Id'
description: The ID of the live query result you want to retrieve.
example: 3c42c847-eb30-4452-80e0-728584042334
type: string
- in: path
name: actionId
required: true
schema:
$ref: '#/components/schemas/Id'
description: The ID of the query action that generated the live query results.
example: 609c4c66-ba3d-43fa-afdd-53e244577aa0
type: string
- in: query
name: query
required: true
name: kuery
required: false
schema:
$ref: '#/components/schemas/GetLiveQueryResultsRequestQuery'
$ref: '#/components/schemas/KueryOrUndefined'
- in: query
name: page
required: false
schema:
$ref: '#/components/schemas/PageOrUndefined'
- in: query
name: pageSize
required: false
schema:
$ref: '#/components/schemas/PageSizeOrUndefined'
- in: query
name: sort
required: false
schema:
$ref: '#/components/schemas/SortOrUndefined'
- in: query
name: sortOrder
required: false
schema:
$ref: '#/components/schemas/SortOrderOrUndefined'
responses:
'200':
content:
application/json:
schema:
$ref: '#/components/schemas/DefaultSuccessResponse'
$ref: '#/components/schemas/GetLiveQueryResultsResponse'
description: OK
summary: Get live query results
tags:
@ -111,16 +152,31 @@ paths:
operationId: OsqueryFindPacks
parameters:
- in: query
name: query
required: true
name: page
required: false
schema:
$ref: '#/components/schemas/FindPacksRequestQuery'
$ref: '#/components/schemas/PageOrUndefined'
- in: query
name: pageSize
required: false
schema:
$ref: '#/components/schemas/PageSizeOrUndefined'
- in: query
name: sort
required: false
schema:
$ref: '#/components/schemas/SortOrUndefined'
- in: query
name: sortOrder
required: false
schema:
$ref: '#/components/schemas/SortOrderOrUndefined'
responses:
'200':
content:
application/json:
schema:
$ref: '#/components/schemas/DefaultSuccessResponse'
$ref: '#/components/schemas/FindPacksResponse'
description: OK
summary: Get packs
tags:
@ -139,7 +195,7 @@ paths:
content:
application/json:
schema:
$ref: '#/components/schemas/DefaultSuccessResponse'
$ref: '#/components/schemas/CreatePacksResponse'
description: OK
summary: Create a pack
tags:
@ -159,7 +215,9 @@ paths:
content:
application/json:
schema:
$ref: '#/components/schemas/DefaultSuccessResponse'
example: {}
type: object
properties: {}
description: OK
summary: Delete a pack
tags:
@ -178,7 +236,7 @@ paths:
content:
application/json:
schema:
$ref: '#/components/schemas/DefaultSuccessResponse'
$ref: '#/components/schemas/FindPackResponse'
description: OK
summary: Get pack details
tags:
@ -206,7 +264,7 @@ paths:
content:
application/json:
schema:
$ref: '#/components/schemas/DefaultSuccessResponse'
$ref: '#/components/schemas/UpdatePacksResponse'
description: OK
summary: Update a pack
tags:
@ -217,16 +275,31 @@ paths:
operationId: OsqueryFindSavedQueries
parameters:
- in: query
name: query
required: true
name: page
required: false
schema:
$ref: '#/components/schemas/FindSavedQueryRequestQuery'
$ref: '#/components/schemas/PageOrUndefined'
- in: query
name: pageSize
required: false
schema:
$ref: '#/components/schemas/PageSizeOrUndefined'
- in: query
name: sort
required: false
schema:
$ref: '#/components/schemas/SortOrUndefined'
- in: query
name: sortOrder
required: false
schema:
$ref: '#/components/schemas/SortOrderOrUndefined'
responses:
'200':
content:
application/json:
schema:
$ref: '#/components/schemas/DefaultSuccessResponse'
$ref: '#/components/schemas/FindSavedQueryResponse'
description: OK
summary: Get saved queries
tags:
@ -245,7 +318,7 @@ paths:
content:
application/json:
schema:
$ref: '#/components/schemas/DefaultSuccessResponse'
$ref: '#/components/schemas/CreateSavedQueryResponse'
description: OK
summary: Create a saved query
tags:
@ -284,7 +357,7 @@ paths:
content:
application/json:
schema:
$ref: '#/components/schemas/DefaultSuccessResponse'
$ref: '#/components/schemas/FindSavedQueryDetailResponse'
description: OK
summary: Get saved query details
tags:
@ -312,7 +385,7 @@ paths:
content:
application/json:
schema:
$ref: '#/components/schemas/DefaultSuccessResponse'
$ref: '#/components/schemas/UpdateSavedQueryResponse'
description: OK
summary: Update a saved query
tags:
@ -320,6 +393,7 @@ paths:
components:
schemas:
ArrayQueries:
description: An array of queries to run.
items:
$ref: '#/components/schemas/ArrayQueriesItem'
type: array
@ -329,7 +403,7 @@ components:
ecs_mapping:
$ref: '#/components/schemas/ECSMappingOrUndefined'
id:
$ref: '#/components/schemas/Id'
$ref: '#/components/schemas/QueryId'
platform:
$ref: '#/components/schemas/PlatformOrUndefined'
query:
@ -341,37 +415,51 @@ components:
version:
$ref: '#/components/schemas/VersionOrUndefined'
CreateLiveQueryRequestBody:
example:
agent_all: true
ecs_mapping:
host.uptime:
field: total_seconds
query: select * from uptime;
type: object
properties:
agent_all:
description: 'When `true`, the query runs on all agents.'
type: boolean
agent_ids:
description: A list of agent IDs to run the query on.
items:
type: string
type: array
agent_platforms:
description: A list of agent platforms to run the query on.
items:
type: string
type: array
agent_policy_ids:
description: A list of agent policy IDs to run the query on.
items:
type: string
type: array
alert_ids:
description: A list of alert IDs associated with the live query.
items:
type: string
type: array
case_ids:
description: A list of case IDs associated with the live query.
items:
type: string
type: array
ecs_mapping:
$ref: '#/components/schemas/ECSMappingOrUndefined'
event_ids:
description: A list of event IDs associated with the live query.
items:
type: string
type: array
metadata:
description: Custom metadata object associated with the live query.
nullable: true
type: object
pack_id:
@ -382,11 +470,64 @@ components:
$ref: '#/components/schemas/QueryOrUndefined'
saved_query_id:
$ref: '#/components/schemas/SavedQueryIdOrUndefined'
CreateLiveQueryResponse:
example:
data:
'@timestamp': '2022-07-26T09:59:32.220Z'
action_id: 3c42c847-eb30-4452-80e0-728584042334
agent_all: true
agent_ids: []
agent_platforms: []
agent_policy_ids: []
agents:
- 16d7caf5-efd2-4212-9b62-73dafc91fa13
expiration: '2022-07-26T10:04:32.220Z'
input_type: osquery
metadata:
execution_context:
name: osquery
url: /app/osquery/live_queries/new
queries:
- action_id: 609c4c66-ba3d-43fa-afdd-53e244577aa0
agents:
- 16d7caf5-efd2-4212-9b62-73dafc91fa13
ecs_mapping:
host.uptime:
field: total_seconds
id: 6724a474-cbba-41ef-a1aa-66aebf0879e2
query: select * from uptime;
timeout: 120
type: INPUT_ACTION
user_id: elastic
type: object
properties: {}
CreatePacksRequestBody:
example:
description: My pack
enabled: true
name: my_pack
policy_ids:
- my_policy_id
- fleet-server-policy
queries:
my_query:
ecs_mapping:
client.port:
field: port
tags:
value:
- tag1
- tag2
interval: 60
query: SELECT * FROM listening_ports;
timeout: 120
shards:
fleet-server-policy: 58
my_policy_id: 35
type: object
properties:
description:
$ref: '#/components/schemas/DescriptionOrUndefined'
$ref: '#/components/schemas/PackDescriptionOrUndefined'
enabled:
$ref: '#/components/schemas/EnabledOrUndefined'
name:
@ -397,11 +538,50 @@ components:
$ref: '#/components/schemas/ObjectQueries'
shards:
$ref: '#/components/schemas/Shards'
CreatePacksResponse:
example:
data:
created_at: '2025-02-26T13:37:30.452Z'
created_by: elastic
description: My pack
enabled: true
name: my_pack
queries:
ports:
ecs_mapping:
client.port:
field: port
interval: 60
query: SELECT * FROM listening_ports;
removed: false
snapshot: true
timeout: 120
saved_object_id: 1c266590-381f-428c-878f-c80c1334f856
shards:
- key: 47638692-7c4c-4053-aa3e-7186f28df349
value: 35
- key: 5e267651-fe50-443e-8d3f-3bbc9171b618
value: 58
updated_at: '2025-02-26T13:37:30.452Z'
updated_by: elastic
type: object
properties: {}
CreateSavedQueryRequestBody:
example:
description: Saved query description
ecs_mapping:
host.uptime:
field: total_seconds
id: saved_query_id
interval: '60'
platform: 'linux,darwin'
query: select * from uptime;
timeout: 120
version: 2.8.0
type: object
properties:
description:
$ref: '#/components/schemas/DescriptionOrUndefined'
$ref: '#/components/schemas/SavedQueryDescriptionOrUndefined'
ecs_mapping:
$ref: '#/components/schemas/ECSMappingOrUndefined'
id:
@ -409,7 +589,7 @@ components:
interval:
$ref: '#/components/schemas/Interval'
platform:
$ref: '#/components/schemas/DescriptionOrUndefined'
$ref: '#/components/schemas/PlatformOrUndefined'
query:
$ref: '#/components/schemas/QueryOrUndefined'
removed:
@ -418,24 +598,34 @@ components:
$ref: '#/components/schemas/SnapshotOrUndefined'
version:
$ref: '#/components/schemas/VersionOrUndefined'
CreateSavedQueryResponse:
example:
data: {}
type: object
properties: {}
DefaultSuccessResponse:
type: object
properties: {}
Description:
type: string
DescriptionOrUndefined:
$ref: '#/components/schemas/Description'
nullable: true
ECSMapping:
additionalProperties:
$ref: '#/components/schemas/ECSMappingItem'
description: >-
Map osquery results columns or static values to Elastic Common Schema
(ECS) fields
example:
host.uptime:
field: total_seconds
type: object
ECSMappingItem:
type: object
properties:
field:
description: The ECS field to map to.
example: host.uptime
type: string
value:
description: The value to map to the ECS field.
example: total_seconds
oneOf:
- type: string
- items:
@ -445,71 +635,197 @@ components:
$ref: '#/components/schemas/ECSMapping'
nullable: true
Enabled:
description: Enables the pack.
example: true
type: boolean
EnabledOrUndefined:
$ref: '#/components/schemas/Enabled'
nullable: true
FindLiveQueryRequestQuery:
FindLiveQueryDetailsResponse:
example:
data:
'@timestamp': '2022-07-26T09:59:32.220Z'
action_id: 3c42c847-eb30-4452-80e0-728584042334
agents:
- 16d7caf5-efd2-4212-9b62-73dafc91fa13
expiration: '2022-07-26T10:04:32.220Z'
queries:
- action_id: 609c4c66-ba3d-43fa-afdd-53e244577aa0
agents:
- 16d7caf5-efd2-4212-9b62-73dafc91fa13
docs: 0
ecs_mapping:
host.uptime:
field: total_seconds
failed: 1
id: 6724a474-cbba-41ef-a1aa-66aebf0879e2
pending: 0
query: select * from uptime;
responded: 1
saved_query_id: 42ba9c50-0cc5-11ed-aa1d-2b27890bc90d
status: completed
successful: 0
status: completed
user_id: elastic
type: object
properties:
kuery:
$ref: '#/components/schemas/KueryOrUndefined'
page:
$ref: '#/components/schemas/PageOrUndefined'
pageSize:
$ref: '#/components/schemas/PageSizeOrUndefined'
sort:
$ref: '#/components/schemas/SortOrUndefined'
sortOrder:
$ref: '#/components/schemas/SortOrderOrUndefined'
FindPacksRequestQuery:
properties: {}
FindLiveQueryResponse:
example:
data:
items:
- fields:
'@timestamp': '2023-10-31T00:00:00Z'
action_id: 3c42c847-eb30-4452-80e0-728584042334
agents:
- 16d7caf5-efd2-4212-9b62-73dafc91fa13
expiration: '2023-10-31T00:00:00Z'
queries:
- action_id: 609c4c66-ba3d-43fa-afdd-53e244577aa0
agents:
- 16d7caf5-efd2-4212-9b62-73dafc91fa13
ecs_mapping:
host.uptime:
field: total_seconds
id: 6724a474-cbba-41ef-a1aa-66aebf0879e2
query: select * from uptime;
saved_query_id: 42ba9c50-0cc5-11ed-aa1d-2b27890bc90d
user_id: elastic
type: object
properties:
page:
$ref: '#/components/schemas/PageOrUndefined'
pageSize:
$ref: '#/components/schemas/PageSizeOrUndefined'
sort:
$ref: '#/components/schemas/SortOrUndefined'
sortOrder:
$ref: '#/components/schemas/SortOrderOrUndefined'
FindSavedQueryRequestQuery:
properties: {}
FindPackResponse:
example:
data:
created_at: '2022-07-25T19:41:10.263Z'
created_by: elastic
description: ''
enabled: true
id: 3c42c847-eb30-4452-80e0-728584042334
name: test_pack
namespaces:
- default
policy_ids: []
queries:
uptime:
ecs_mapping:
message:
field: days
interval: 3600
query: select * from uptime
read_only: false
type: osquery-pack
updated_at: '2022-07-25T20:12:01.455Z'
updated_by: elastic
type: object
properties:
page:
$ref: '#/components/schemas/PageOrUndefined'
pageSize:
$ref: '#/components/schemas/PageSizeOrUndefined'
sort:
$ref: '#/components/schemas/SortOrUndefined'
sortOrder:
$ref: '#/components/schemas/SortOrderOrUndefined'
GetLiveQueryResultsRequestQuery:
properties: {}
FindPacksResponse:
example:
data:
- attributes:
created_at: '2023-10-31T00:00:00Z'
created_by: elastic
description: My pack description
enabled: true
name: My Pack
queries:
- ecs_mapping:
- host.uptime:
field: total_seconds
id: uptime
interval: '3600'
query: select * from uptime;
updated_at: '2023-10-31T00:00:00Z'
updated_by: elastic
id: 42ba9c50-0cc5-11ed-aa1d-2b27890bc90d
namespaces:
- default
type: osquery-pack
page: 1
pageSize: 10
policy_ids: []
total: 1
type: object
properties:
kuery:
$ref: '#/components/schemas/KueryOrUndefined'
page:
$ref: '#/components/schemas/PageOrUndefined'
pageSize:
$ref: '#/components/schemas/PageSizeOrUndefined'
sort:
$ref: '#/components/schemas/SortOrUndefined'
sortOrder:
$ref: '#/components/schemas/SortOrderOrUndefined'
Id:
type: string
properties: {}
FindSavedQueryDetailResponse:
example:
data:
attributes:
created_at: '2022-07-26T09:28:08.597Z'
created_by: elastic
description: Saved query description
ecs_mapping:
host.uptime:
field: total_seconds
id: saved_query_id
interval: '60'
platform: 'linux,darwin'
prebuilt: false
query: select * from uptime;
updated_at: '2022-07-26T09:28:08.597Z'
updated_by: elastic
version: 2.8.0
coreMigrationVersion: 8.4.0
id: 3c42c847-eb30-4452-80e0-728584042334
namespaces:
- default
references: []
type: osquery-saved-query
updated_at: '2022-07-26T09:28:08.600Z'
version: WzQzMTcsMV0=
type: object
properties: {}
FindSavedQueryResponse:
example:
data:
- attributes:
created_at: '2022-07-26T09:28:08.597Z'
created_by: elastic
description: Saved query description
ecs_mapping:
host.uptime:
field: total_seconds
id: saved_query_id
interval: '60'
platform: 'linux,darwin'
prebuilt: false
query: select * from uptime;
updated_at: '2022-07-26T09:28:08.597Z'
updated_by: elastic
version: 2.8.0
id: 42ba9c50-0cc5-11ed-aa1d-2b27890bc90d
namespaces:
- default
type: osquery-saved-query
page: 1
per_page: 100
total: 11
type: object
properties: {}
GetLiveQueryResultsResponse:
description: The response for getting live query results.
example:
data:
edges:
- {}
- {}
total: 2
type: object
properties: {}
Interval:
description: 'An interval, in seconds, on which to run the query.'
example: '60'
type: string
IntervalOrUndefined:
$ref: '#/components/schemas/Interval'
nullable: true
KueryOrUndefined:
description: The kuery to filter the results by.
example: 'agent.id: 16d7caf5-efd2-4212-9b62-73dafc91fa13'
nullable: true
type: string
ObjectQueries:
additionalProperties:
$ref: '#/components/schemas/ObjectQueriesItem'
description: An object of queries.
type: object
ObjectQueriesItem:
type: object
@ -517,7 +833,7 @@ components:
ecs_mapping:
$ref: '#/components/schemas/ECSMappingOrUndefined'
id:
$ref: '#/components/schemas/Id'
$ref: '#/components/schemas/QueryId'
platform:
$ref: '#/components/schemas/PlatformOrUndefined'
query:
@ -530,25 +846,48 @@ components:
$ref: '#/components/schemas/SnapshotOrUndefined'
version:
$ref: '#/components/schemas/VersionOrUndefined'
PackDescription:
description: The pack description.
example: Pack description
type: string
PackDescriptionOrUndefined:
$ref: '#/components/schemas/PackDescription'
nullable: true
PackId:
description: 'The ID of the pack you want to run, retrieve, update, or delete.'
example: 3c42c847-eb30-4452-80e0-728584042334
type: string
PackIdOrUndefined:
$ref: '#/components/schemas/PackId'
nullable: true
PackName:
description: The pack name.
type: string
PageOrUndefined:
description: The page number to return. The default is 1.
example: 1
nullable: true
type: integer
PageSizeOrUndefined:
description: The number of results to return per page. The default is 20.
example: 20
nullable: true
type: integer
Platform:
description: >-
Restricts the query to a specified platform. The default is all
platforms. To specify multiple platforms, use commas. For example,
`linux,darwin`.
example: 'linux,darwin'
type: string
PlatformOrUndefined:
$ref: '#/components/schemas/Platform'
nullable: true
PolicyIds:
description: A list of agents policy IDs.
example:
- policyId1
- policyId2
items:
type: string
type: array
@ -556,16 +895,33 @@ components:
$ref: '#/components/schemas/PolicyIds'
nullable: true
Query:
description: The SQL query you want to run.
example: select * from uptime;
type: string
QueryId:
description: The ID of the query.
example: 3c42c847-eb30-4452-80e0-728584042334
type: string
QueryOrUndefined:
$ref: '#/components/schemas/Query'
nullable: true
Removed:
description: Indicates whether the query is removed.
example: false
type: boolean
RemovedOrUndefined:
$ref: '#/components/schemas/Removed'
nullable: true
SavedQueryDescription:
description: The saved query description.
example: Saved query description
type: string
SavedQueryDescriptionOrUndefined:
$ref: '#/components/schemas/SavedQueryDescription'
nullable: true
SavedQueryId:
description: The ID of a saved query.
example: 3c42c847-eb30-4452-80e0-728584042334
type: string
SavedQueryIdOrUndefined:
$ref: '#/components/schemas/SavedQueryId'
@ -573,42 +929,85 @@ components:
Shards:
additionalProperties:
type: number
description: >-
An object with shard configuration for policies included in the pack.
For each policy, set the shard configuration to a percentage (1100) of
target hosts.
example:
policy_id: 50
type: object
Snapshot:
description: Indicates whether the query is a snapshot.
example: true
type: boolean
SnapshotOrUndefined:
$ref: '#/components/schemas/Snapshot'
nullable: true
SortOrderOrUndefined:
oneOf:
- nullable: true
type: string
- enum:
- asc
- desc
description: Specifies the sort order.
enum:
- asc
- desc
example: desc
type: string
SortOrUndefined:
default: createdAt
description: The field that is used to sort the results.
example: createdAt
nullable: true
type: string
UpdatePacksRequestBody:
example:
name: updated_my_pack_name
type: object
properties:
description:
$ref: '#/components/schemas/DescriptionOrUndefined'
$ref: '#/components/schemas/PackDescriptionOrUndefined'
enabled:
$ref: '#/components/schemas/EnabledOrUndefined'
id:
$ref: '#/components/schemas/PackId'
name:
$ref: '#/components/schemas/PackName'
policy_ids:
$ref: '#/components/schemas/PolicyIdsOrUndefined'
queries:
$ref: '#/components/schemas/ObjectQueries'
shards:
$ref: '#/components/schemas/Shards'
UpdatePacksResponse:
example:
data:
created_at: '2025-02-26T13:37:30.452Z'
created_by: elastic
description: My pack
enabled: true
name: updated_my_pack_name
queries:
ports:
ecs_mapping:
client.port:
field: port
interval: 60
query: SELECT * FROM listening_ports;
removed: false
snapshot: true
timeout: 120
saved_object_id: 1c266590-381f-428c-878f-c80c1334f856
shards:
- key: 47638692-7c4c-4053-aa3e-7186f28df349
value: 35
- key: 5e267651-fe50-443e-8d3f-3bbc9171b618
value: 58
updated_at: '2025-02-26T13:40:16.297Z'
updated_by: elastic
type: object
properties: {}
UpdateSavedQueryRequestBody:
example:
id: updated_my_saved_query_name
type: object
properties:
description:
$ref: '#/components/schemas/DescriptionOrUndefined'
$ref: '#/components/schemas/SavedQueryDescriptionOrUndefined'
ecs_mapping:
$ref: '#/components/schemas/ECSMappingOrUndefined'
id:
@ -616,7 +1015,7 @@ components:
interval:
$ref: '#/components/schemas/IntervalOrUndefined'
platform:
$ref: '#/components/schemas/DescriptionOrUndefined'
$ref: '#/components/schemas/PlatformOrUndefined'
query:
$ref: '#/components/schemas/QueryOrUndefined'
removed:
@ -625,7 +1024,16 @@ components:
$ref: '#/components/schemas/SnapshotOrUndefined'
version:
$ref: '#/components/schemas/VersionOrUndefined'
UpdateSavedQueryResponse:
example:
data: {}
type: object
properties: {}
Version:
description: >-
Uses the Osquery versions greater than or equal to the specified version
string.
example: 1.0.0
type: string
VersionOrUndefined:
$ref: '#/components/schemas/Version'


@ -17,16 +17,36 @@ paths:
operationId: OsqueryFindLiveQueries
parameters:
- in: query
name: query
required: true
name: kuery
required: false
schema:
$ref: '#/components/schemas/FindLiveQueryRequestQuery'
$ref: '#/components/schemas/KueryOrUndefined'
- in: query
name: page
required: false
schema:
$ref: '#/components/schemas/PageOrUndefined'
- in: query
name: pageSize
required: false
schema:
$ref: '#/components/schemas/PageSizeOrUndefined'
- in: query
name: sort
required: false
schema:
$ref: '#/components/schemas/SortOrUndefined'
- in: query
name: sortOrder
required: false
schema:
$ref: '#/components/schemas/SortOrderOrUndefined'
responses:
'200':
content:
application/json:
schema:
$ref: '#/components/schemas/DefaultSuccessResponse'
$ref: '#/components/schemas/FindLiveQueryResponse'
description: OK
summary: Get live queries
tags:
@ -45,7 +65,7 @@ paths:
content:
application/json:
schema:
$ref: '#/components/schemas/DefaultSuccessResponse'
$ref: '#/components/schemas/CreateLiveQueryResponse'
description: OK
summary: Create a live query
tags:
@ -59,18 +79,15 @@ paths:
name: id
required: true
schema:
$ref: '#/components/schemas/Id'
- in: query
name: query
schema:
additionalProperties: true
type: object
description: The ID of the live query result you want to retrieve.
example: 3c42c847-eb30-4452-80e0-728584042334
type: string
responses:
'200':
content:
application/json:
schema:
$ref: '#/components/schemas/DefaultSuccessResponse'
$ref: '#/components/schemas/FindLiveQueryDetailsResponse'
description: OK
summary: Get live query details
tags:
@ -84,23 +101,47 @@ paths:
name: id
required: true
schema:
$ref: '#/components/schemas/Id'
description: The ID of the live query result you want to retrieve.
example: 3c42c847-eb30-4452-80e0-728584042334
type: string
- in: path
name: actionId
required: true
schema:
$ref: '#/components/schemas/Id'
description: The ID of the query action that generated the live query results.
example: 609c4c66-ba3d-43fa-afdd-53e244577aa0
type: string
- in: query
name: query
required: true
name: kuery
required: false
schema:
$ref: '#/components/schemas/GetLiveQueryResultsRequestQuery'
$ref: '#/components/schemas/KueryOrUndefined'
- in: query
name: page
required: false
schema:
$ref: '#/components/schemas/PageOrUndefined'
- in: query
name: pageSize
required: false
schema:
$ref: '#/components/schemas/PageSizeOrUndefined'
- in: query
name: sort
required: false
schema:
$ref: '#/components/schemas/SortOrUndefined'
- in: query
name: sortOrder
required: false
schema:
$ref: '#/components/schemas/SortOrderOrUndefined'
responses:
'200':
content:
application/json:
schema:
$ref: '#/components/schemas/DefaultSuccessResponse'
$ref: '#/components/schemas/GetLiveQueryResultsResponse'
description: OK
summary: Get live query results
tags:
@ -111,16 +152,31 @@ paths:
operationId: OsqueryFindPacks
parameters:
- in: query
name: query
required: true
name: page
required: false
schema:
$ref: '#/components/schemas/FindPacksRequestQuery'
$ref: '#/components/schemas/PageOrUndefined'
- in: query
name: pageSize
required: false
schema:
$ref: '#/components/schemas/PageSizeOrUndefined'
- in: query
name: sort
required: false
schema:
$ref: '#/components/schemas/SortOrUndefined'
- in: query
name: sortOrder
required: false
schema:
$ref: '#/components/schemas/SortOrderOrUndefined'
responses:
'200':
content:
application/json:
schema:
$ref: '#/components/schemas/DefaultSuccessResponse'
$ref: '#/components/schemas/FindPacksResponse'
description: OK
summary: Get packs
tags:
@ -139,7 +195,7 @@ paths:
content:
application/json:
schema:
$ref: '#/components/schemas/DefaultSuccessResponse'
$ref: '#/components/schemas/CreatePacksResponse'
description: OK
summary: Create a pack
tags:
@ -159,7 +215,9 @@ paths:
content:
application/json:
schema:
$ref: '#/components/schemas/DefaultSuccessResponse'
example: {}
type: object
properties: {}
description: OK
summary: Delete a pack
tags:
@ -178,7 +236,7 @@ paths:
content:
application/json:
schema:
$ref: '#/components/schemas/DefaultSuccessResponse'
$ref: '#/components/schemas/FindPackResponse'
description: OK
summary: Get pack details
tags:
@ -206,7 +264,7 @@ paths:
content:
application/json:
schema:
$ref: '#/components/schemas/DefaultSuccessResponse'
$ref: '#/components/schemas/UpdatePacksResponse'
description: OK
summary: Update a pack
tags:
@ -217,16 +275,31 @@ paths:
operationId: OsqueryFindSavedQueries
parameters:
- in: query
name: query
required: true
name: page
required: false
schema:
$ref: '#/components/schemas/FindSavedQueryRequestQuery'
$ref: '#/components/schemas/PageOrUndefined'
- in: query
name: pageSize
required: false
schema:
$ref: '#/components/schemas/PageSizeOrUndefined'
- in: query
name: sort
required: false
schema:
$ref: '#/components/schemas/SortOrUndefined'
- in: query
name: sortOrder
required: false
schema:
$ref: '#/components/schemas/SortOrderOrUndefined'
responses:
'200':
content:
application/json:
schema:
$ref: '#/components/schemas/DefaultSuccessResponse'
$ref: '#/components/schemas/FindSavedQueryResponse'
description: OK
summary: Get saved queries
tags:
@ -245,7 +318,7 @@ paths:
content:
application/json:
schema:
$ref: '#/components/schemas/DefaultSuccessResponse'
$ref: '#/components/schemas/CreateSavedQueryResponse'
description: OK
summary: Create a saved query
tags:
@ -284,7 +357,7 @@ paths:
content:
application/json:
schema:
$ref: '#/components/schemas/DefaultSuccessResponse'
$ref: '#/components/schemas/FindSavedQueryDetailResponse'
description: OK
summary: Get saved query details
tags:
@ -312,7 +385,7 @@ paths:
content:
application/json:
schema:
$ref: '#/components/schemas/DefaultSuccessResponse'
$ref: '#/components/schemas/UpdateSavedQueryResponse'
description: OK
summary: Update a saved query
tags:
@ -320,6 +393,7 @@ paths:
components:
schemas:
ArrayQueries:
description: An array of queries to run.
items:
$ref: '#/components/schemas/ArrayQueriesItem'
type: array
@ -329,7 +403,7 @@ components:
ecs_mapping:
$ref: '#/components/schemas/ECSMappingOrUndefined'
id:
$ref: '#/components/schemas/Id'
$ref: '#/components/schemas/QueryId'
platform:
$ref: '#/components/schemas/PlatformOrUndefined'
query:
@ -341,37 +415,51 @@ components:
version:
$ref: '#/components/schemas/VersionOrUndefined'
CreateLiveQueryRequestBody:
example:
agent_all: true
ecs_mapping:
host.uptime:
field: total_seconds
query: select * from uptime;
type: object
properties:
agent_all:
description: 'When `true`, the query runs on all agents.'
type: boolean
agent_ids:
description: A list of agent IDs to run the query on.
items:
type: string
type: array
agent_platforms:
description: A list of agent platforms to run the query on.
items:
type: string
type: array
agent_policy_ids:
description: A list of agent policy IDs to run the query on.
items:
type: string
type: array
alert_ids:
description: A list of alert IDs associated with the live query.
items:
type: string
type: array
case_ids:
description: A list of case IDs associated with the live query.
items:
type: string
type: array
ecs_mapping:
$ref: '#/components/schemas/ECSMappingOrUndefined'
event_ids:
description: A list of event IDs associated with the live query.
items:
type: string
type: array
metadata:
description: Custom metadata object associated with the live query.
nullable: true
type: object
pack_id:
@ -382,11 +470,64 @@ components:
$ref: '#/components/schemas/QueryOrUndefined'
saved_query_id:
$ref: '#/components/schemas/SavedQueryIdOrUndefined'
CreateLiveQueryResponse:
example:
data:
'@timestamp': '2022-07-26T09:59:32.220Z'
action_id: 3c42c847-eb30-4452-80e0-728584042334
agent_all: true
agent_ids: []
agent_platforms: []
agent_policy_ids: []
agents:
- 16d7caf5-efd2-4212-9b62-73dafc91fa13
expiration: '2022-07-26T10:04:32.220Z'
input_type: osquery
metadata:
execution_context:
name: osquery
url: /app/osquery/live_queries/new
queries:
- action_id: 609c4c66-ba3d-43fa-afdd-53e244577aa0
agents:
- 16d7caf5-efd2-4212-9b62-73dafc91fa13
ecs_mapping:
host.uptime:
field: total_seconds
id: 6724a474-cbba-41ef-a1aa-66aebf0879e2
query: select * from uptime;
timeout: 120
type: INPUT_ACTION
user_id: elastic
type: object
properties: {}
CreatePacksRequestBody:
example:
description: My pack
enabled: true
name: my_pack
policy_ids:
- my_policy_id
- fleet-server-policy
queries:
my_query:
ecs_mapping:
client.port:
field: port
tags:
value:
- tag1
- tag2
interval: 60
query: SELECT * FROM listening_ports;
timeout: 120
shards:
fleet-server-policy: 58
my_policy_id: 35
type: object
properties:
description:
$ref: '#/components/schemas/DescriptionOrUndefined'
$ref: '#/components/schemas/PackDescriptionOrUndefined'
enabled:
$ref: '#/components/schemas/EnabledOrUndefined'
name:
@ -397,11 +538,50 @@ components:
$ref: '#/components/schemas/ObjectQueries'
shards:
$ref: '#/components/schemas/Shards'
CreatePacksResponse:
example:
data:
created_at: '2025-02-26T13:37:30.452Z'
created_by: elastic
description: My pack
enabled: true
name: my_pack
queries:
ports:
ecs_mapping:
client.port:
field: port
interval: 60
query: SELECT * FROM listening_ports;
removed: false
snapshot: true
timeout: 120
saved_object_id: 1c266590-381f-428c-878f-c80c1334f856
shards:
- key: 47638692-7c4c-4053-aa3e-7186f28df349
value: 35
- key: 5e267651-fe50-443e-8d3f-3bbc9171b618
value: 58
updated_at: '2025-02-26T13:37:30.452Z'
updated_by: elastic
type: object
properties: {}
CreateSavedQueryRequestBody:
example:
description: Saved query description
ecs_mapping:
host.uptime:
field: total_seconds
id: saved_query_id
interval: '60'
platform: 'linux,darwin'
query: select * from uptime;
timeout: 120
version: 2.8.0
type: object
properties:
description:
$ref: '#/components/schemas/DescriptionOrUndefined'
$ref: '#/components/schemas/SavedQueryDescriptionOrUndefined'
ecs_mapping:
$ref: '#/components/schemas/ECSMappingOrUndefined'
id:
@ -409,7 +589,7 @@ components:
interval:
$ref: '#/components/schemas/Interval'
platform:
$ref: '#/components/schemas/DescriptionOrUndefined'
$ref: '#/components/schemas/PlatformOrUndefined'
query:
$ref: '#/components/schemas/QueryOrUndefined'
removed:
@ -418,24 +598,34 @@ components:
$ref: '#/components/schemas/SnapshotOrUndefined'
version:
$ref: '#/components/schemas/VersionOrUndefined'
CreateSavedQueryResponse:
example:
data: {}
type: object
properties: {}
DefaultSuccessResponse:
type: object
properties: {}
Description:
type: string
DescriptionOrUndefined:
$ref: '#/components/schemas/Description'
nullable: true
ECSMapping:
additionalProperties:
$ref: '#/components/schemas/ECSMappingItem'
description: >-
Map osquery results columns or static values to Elastic Common Schema
(ECS) fields
example:
host.uptime:
field: total_seconds
type: object
ECSMappingItem:
type: object
properties:
field:
description: The ECS field to map to.
example: host.uptime
type: string
value:
description: The value to map to the ECS field.
example: total_seconds
oneOf:
- type: string
- items:
@ -445,71 +635,197 @@ components:
$ref: '#/components/schemas/ECSMapping'
nullable: true
Enabled:
description: Enables the pack.
example: true
type: boolean
EnabledOrUndefined:
$ref: '#/components/schemas/Enabled'
nullable: true
FindLiveQueryRequestQuery:
FindLiveQueryDetailsResponse:
example:
data:
'@timestamp': '2022-07-26T09:59:32.220Z'
action_id: 3c42c847-eb30-4452-80e0-728584042334
agents:
- 16d7caf5-efd2-4212-9b62-73dafc91fa13
expiration: '2022-07-26T10:04:32.220Z'
queries:
- action_id: 609c4c66-ba3d-43fa-afdd-53e244577aa0
agents:
- 16d7caf5-efd2-4212-9b62-73dafc91fa13
docs: 0
ecs_mapping:
host.uptime:
field: total_seconds
failed: 1
id: 6724a474-cbba-41ef-a1aa-66aebf0879e2
pending: 0
query: select * from uptime;
responded: 1
saved_query_id: 42ba9c50-0cc5-11ed-aa1d-2b27890bc90d
status: completed
successful: 0
status: completed
user_id: elastic
type: object
properties:
kuery:
$ref: '#/components/schemas/KueryOrUndefined'
page:
$ref: '#/components/schemas/PageOrUndefined'
pageSize:
$ref: '#/components/schemas/PageSizeOrUndefined'
sort:
$ref: '#/components/schemas/SortOrUndefined'
sortOrder:
$ref: '#/components/schemas/SortOrderOrUndefined'
FindPacksRequestQuery:
properties: {}
FindLiveQueryResponse:
example:
data:
items:
- fields:
'@timestamp': '2023-10-31T00:00:00Z'
action_id: 3c42c847-eb30-4452-80e0-728584042334
agents:
- 16d7caf5-efd2-4212-9b62-73dafc91fa13
expiration: '2023-10-31T00:00:00Z'
queries:
- action_id: 609c4c66-ba3d-43fa-afdd-53e244577aa0
agents:
- 16d7caf5-efd2-4212-9b62-73dafc91fa13
ecs_mapping:
host.uptime:
field: total_seconds
id: 6724a474-cbba-41ef-a1aa-66aebf0879e2
query: select * from uptime;
saved_query_id: 42ba9c50-0cc5-11ed-aa1d-2b27890bc90d
user_id: elastic
type: object
properties:
page:
$ref: '#/components/schemas/PageOrUndefined'
pageSize:
$ref: '#/components/schemas/PageSizeOrUndefined'
sort:
$ref: '#/components/schemas/SortOrUndefined'
sortOrder:
$ref: '#/components/schemas/SortOrderOrUndefined'
FindSavedQueryRequestQuery:
properties: {}
FindPackResponse:
example:
data:
created_at: '2022-07-25T19:41:10.263Z'
created_by: elastic
description: ''
enabled: true
id: 3c42c847-eb30-4452-80e0-728584042334
name: test_pack
namespaces:
- default
policy_ids: []
queries:
uptime:
ecs_mapping:
message:
field: days
interval: 3600
query: select * from uptime
read_only: false
type: osquery-pack
updated_at: '2022-07-25T20:12:01.455Z'
updated_by: elastic
type: object
properties:
page:
$ref: '#/components/schemas/PageOrUndefined'
pageSize:
$ref: '#/components/schemas/PageSizeOrUndefined'
sort:
$ref: '#/components/schemas/SortOrUndefined'
sortOrder:
$ref: '#/components/schemas/SortOrderOrUndefined'
GetLiveQueryResultsRequestQuery:
properties: {}
FindPacksResponse:
example:
data:
- attributes:
created_at: '2023-10-31T00:00:00Z'
created_by: elastic
description: My pack description
enabled: true
name: My Pack
queries:
- ecs_mapping:
- host.uptime:
field: total_seconds
id: uptime
interval: '3600'
query: select * from uptime;
updated_at: '2023-10-31T00:00:00Z'
updated_by: elastic
id: 42ba9c50-0cc5-11ed-aa1d-2b27890bc90d
namespaces:
- default
type: osquery-pack
page: 1
pageSize: 10
policy_ids: []
total: 1
type: object
properties:
kuery:
$ref: '#/components/schemas/KueryOrUndefined'
page:
$ref: '#/components/schemas/PageOrUndefined'
pageSize:
$ref: '#/components/schemas/PageSizeOrUndefined'
sort:
$ref: '#/components/schemas/SortOrUndefined'
sortOrder:
$ref: '#/components/schemas/SortOrderOrUndefined'
Id:
type: string
properties: {}
FindSavedQueryDetailResponse:
example:
data:
attributes:
created_at: '2022-07-26T09:28:08.597Z'
created_by: elastic
description: Saved query description
ecs_mapping:
host.uptime:
field: total_seconds
id: saved_query_id
interval: '60'
platform: 'linux,darwin'
prebuilt: false
query: select * from uptime;
updated_at: '2022-07-26T09:28:08.597Z'
updated_by: elastic
version: 2.8.0
coreMigrationVersion: 8.4.0
id: 3c42c847-eb30-4452-80e0-728584042334
namespaces:
- default
references: []
type: osquery-saved-query
updated_at: '2022-07-26T09:28:08.600Z'
version: WzQzMTcsMV0=
type: object
properties: {}
FindSavedQueryResponse:
example:
data:
- attributes:
created_at: '2022-07-26T09:28:08.597Z'
created_by: elastic
description: Saved query description
ecs_mapping:
host.uptime:
field: total_seconds
id: saved_query_id
interval: '60'
platform: 'linux,darwin'
prebuilt: false
query: select * from uptime;
updated_at: '2022-07-26T09:28:08.597Z'
updated_by: elastic
version: 2.8.0
id: 42ba9c50-0cc5-11ed-aa1d-2b27890bc90d
namespaces:
- default
type: osquery-saved-query
page: 1
per_page: 100
total: 11
type: object
properties: {}
GetLiveQueryResultsResponse:
description: The response for getting live query results.
example:
data:
edges:
- {}
- {}
total: 2
type: object
properties: {}
Interval:
description: 'An interval, in seconds, on which to run the query.'
example: '60'
type: string
IntervalOrUndefined:
$ref: '#/components/schemas/Interval'
nullable: true
KueryOrUndefined:
description: The kuery to filter the results by.
example: 'agent.id: 16d7caf5-efd2-4212-9b62-73dafc91fa13'
nullable: true
type: string
ObjectQueries:
additionalProperties:
$ref: '#/components/schemas/ObjectQueriesItem'
description: An object of queries.
type: object
ObjectQueriesItem:
type: object
@ -517,7 +833,7 @@ components:
ecs_mapping:
$ref: '#/components/schemas/ECSMappingOrUndefined'
id:
$ref: '#/components/schemas/Id'
$ref: '#/components/schemas/QueryId'
platform:
$ref: '#/components/schemas/PlatformOrUndefined'
query:
@ -530,25 +846,48 @@ components:
$ref: '#/components/schemas/SnapshotOrUndefined'
version:
$ref: '#/components/schemas/VersionOrUndefined'
PackDescription:
description: The pack description.
example: Pack description
type: string
PackDescriptionOrUndefined:
$ref: '#/components/schemas/PackDescription'
nullable: true
PackId:
description: 'The ID of the pack you want to run, retrieve, update, or delete.'
example: 3c42c847-eb30-4452-80e0-728584042334
type: string
PackIdOrUndefined:
$ref: '#/components/schemas/PackId'
nullable: true
PackName:
description: The pack name.
type: string
PageOrUndefined:
description: The page number to return. The default is 1.
example: 1
nullable: true
type: integer
PageSizeOrUndefined:
description: The number of results to return per page. The default is 20.
example: 20
nullable: true
type: integer
Platform:
description: >-
Restricts the query to a specified platform. The default is all
platforms. To specify multiple platforms, use commas. For example,
`linux,darwin`.
example: 'linux,darwin'
type: string
PlatformOrUndefined:
$ref: '#/components/schemas/Platform'
nullable: true
PolicyIds:
description: A list of agents policy IDs.
example:
- policyId1
- policyId2
items:
type: string
type: array
@ -556,16 +895,33 @@ components:
$ref: '#/components/schemas/PolicyIds'
nullable: true
Query:
description: The SQL query you want to run.
example: select * from uptime;
type: string
QueryId:
description: The ID of the query.
example: 3c42c847-eb30-4452-80e0-728584042334
type: string
QueryOrUndefined:
$ref: '#/components/schemas/Query'
nullable: true
Removed:
description: Indicates whether the query is removed.
example: false
type: boolean
RemovedOrUndefined:
$ref: '#/components/schemas/Removed'
nullable: true
SavedQueryDescription:
description: The saved query description.
example: Saved query description
type: string
SavedQueryDescriptionOrUndefined:
$ref: '#/components/schemas/SavedQueryDescription'
nullable: true
SavedQueryId:
description: The ID of a saved query.
example: 3c42c847-eb30-4452-80e0-728584042334
type: string
SavedQueryIdOrUndefined:
$ref: '#/components/schemas/SavedQueryId'
@ -573,42 +929,85 @@ components:
Shards:
additionalProperties:
type: number
description: >-
An object with shard configuration for policies included in the pack.
For each policy, set the shard configuration to a percentage (1100) of
target hosts.
example:
policy_id: 50
type: object
Snapshot:
description: Indicates whether the query is a snapshot.
example: true
type: boolean
SnapshotOrUndefined:
$ref: '#/components/schemas/Snapshot'
nullable: true
SortOrderOrUndefined:
oneOf:
- nullable: true
type: string
- enum:
- asc
- desc
description: Specifies the sort order.
enum:
- asc
- desc
example: desc
type: string
SortOrUndefined:
default: createdAt
description: The field that is used to sort the results.
example: createdAt
nullable: true
type: string
UpdatePacksRequestBody:
example:
name: updated_my_pack_name
type: object
properties:
description:
$ref: '#/components/schemas/DescriptionOrUndefined'
$ref: '#/components/schemas/PackDescriptionOrUndefined'
enabled:
$ref: '#/components/schemas/EnabledOrUndefined'
id:
$ref: '#/components/schemas/PackId'
name:
$ref: '#/components/schemas/PackName'
policy_ids:
$ref: '#/components/schemas/PolicyIdsOrUndefined'
queries:
$ref: '#/components/schemas/ObjectQueries'
shards:
$ref: '#/components/schemas/Shards'
UpdatePacksResponse:
example:
data:
created_at: '2025-02-26T13:37:30.452Z'
created_by: elastic
description: My pack
enabled: true
name: updated_my_pack_name
queries:
ports:
ecs_mapping:
client.port:
field: port
interval: 60
query: SELECT * FROM listening_ports;
removed: false
snapshot: true
timeout: 120
saved_object_id: 1c266590-381f-428c-878f-c80c1334f856
shards:
- key: 47638692-7c4c-4053-aa3e-7186f28df349
value: 35
- key: 5e267651-fe50-443e-8d3f-3bbc9171b618
value: 58
updated_at: '2025-02-26T13:40:16.297Z'
updated_by: elastic
type: object
properties: {}
UpdateSavedQueryRequestBody:
example:
id: updated_my_saved_query_name
type: object
properties:
description:
$ref: '#/components/schemas/DescriptionOrUndefined'
$ref: '#/components/schemas/SavedQueryDescriptionOrUndefined'
ecs_mapping:
$ref: '#/components/schemas/ECSMappingOrUndefined'
id:
@ -616,7 +1015,7 @@ components:
interval:
$ref: '#/components/schemas/IntervalOrUndefined'
platform:
$ref: '#/components/schemas/DescriptionOrUndefined'
$ref: '#/components/schemas/PlatformOrUndefined'
query:
$ref: '#/components/schemas/QueryOrUndefined'
removed:
@ -625,7 +1024,16 @@ components:
$ref: '#/components/schemas/SnapshotOrUndefined'
version:
$ref: '#/components/schemas/VersionOrUndefined'
UpdateSavedQueryResponse:
example:
data: {}
type: object
properties: {}
Version:
description: >-
Uses the Osquery versions greater than or equal to the specified version
string.
example: 1.0.0
type: string
VersionOrUndefined:
$ref: '#/components/schemas/Version'
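Review bot: The `Shards` description on the new side reads `percentage (1100) of target hosts`, which has lost the range separator and should read `percentage (1-100)`; the same wording is repeated in the first file section above. Since that sentence is the only place the accepted range is stated, it is worth encoding it on the `additionalProperties` schema as `minimum: 1` and `maximum: 100` so that validators and generated clients reject out-of-range values instead of relying on prose — if this bundle is generated from the route schemas, the constraint belongs in that source rather than here. Separately, the `FindPacksResponse` example shows `ecs_mapping` as a list of single-key items, whereas the `ECSMapping` schema in this section defines it as an object keyed by ECS field; one of the two looks wrong and the hunk does not show which, so it should be checked against an actual response before the example is published.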


@ -31,10 +31,7 @@ import { OsqueryDeleteSavedQueryRequestParamsInput } from '@kbn/osquery-plugin/c
import { OsqueryFindLiveQueriesRequestQueryInput } from '@kbn/osquery-plugin/common/api/live_query/live_queries.gen';
import { OsqueryFindPacksRequestQueryInput } from '@kbn/osquery-plugin/common/api/packs/packs.gen';
import { OsqueryFindSavedQueriesRequestQueryInput } from '@kbn/osquery-plugin/common/api/saved_query/saved_query.gen';
import {
OsqueryGetLiveQueryDetailsRequestQueryInput,
OsqueryGetLiveQueryDetailsRequestParamsInput,
} from '@kbn/osquery-plugin/common/api/live_query/live_queries.gen';
import { OsqueryGetLiveQueryDetailsRequestParamsInput } from '@kbn/osquery-plugin/common/api/live_query/live_queries.gen';
import {
OsqueryGetLiveQueryResultsRequestQueryInput,
OsqueryGetLiveQueryResultsRequestParamsInput,
@ -213,8 +210,7 @@ export function SecuritySolutionApiProvider({ getService }: FtrProviderContext)
)
.set('kbn-xsrf', 'true')
.set(ELASTIC_HTTP_VERSION_HEADER, '2023-10-31')
.set(X_ELASTIC_INTERNAL_ORIGIN_REQUEST, 'kibana')
.query(props.query);
.set(X_ELASTIC_INTERNAL_ORIGIN_REQUEST, 'kibana');
},
/**
* Get the results of a live query using the query action ID.
@ -367,7 +363,6 @@ export interface OsqueryFindSavedQueriesProps {
query: OsqueryFindSavedQueriesRequestQueryInput;
}
export interface OsqueryGetLiveQueryDetailsProps {
query: OsqueryGetLiveQueryDetailsRequestQueryInput;
params: OsqueryGetLiveQueryDetailsRequestParamsInput;
}
export interface OsqueryGetLiveQueryResultsProps {