IMPORTANT: No additional bug fixes or documentation updates
will be released for this version. For the latest information, see the
current release documentation.
Create pack API
[preview] This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.
Create packs.
Request
POST <kibana host>:<port>/api/osquery/packs
POST <kibana host>:<port>/s/<space_id>/api/osquery/packs
Path parameters
- space_id - (Optional, string) The space identifier. When space_id is not provided in the URL, the default space is used.
Request body
- name - (Required, string) The pack name.
- description - (Optional, string) The pack description.
- enabled - (Optional, boolean) Enables the pack.
- policy_ids - (Optional, array) A list of agent policy IDs.
- shards - (Optional, object) An object with shard configuration for policies included in the pack. For each policy, set the shard configuration to a percentage (1–100) of target hosts.
- queries - (Required, object) An object of queries.
Response code
- 200 - Indicates a successful call.
Examples
Create a pack (Kibana rejects non-GET API requests without the kbn-xsrf header, and the JSON body must be sent with -d):
$ curl -X POST <kibana host>:<port>/api/osquery/packs \
  -H 'kbn-xsrf: true' \
  -H 'Content-Type: application/json' \
  -d '{
    "name": "my_pack",
    "description": "My pack",
    "enabled": true,
    "policy_ids": [
      "my_policy_id",
      "fleet-server-policy"
    ],
    "shards": {
      "my_policy_id": 35,
      "fleet-server-policy": 58
    },
    "queries": {
      "my_query": {
        "query": "SELECT * FROM listening_ports;",
        "interval": 60,
        "timeout": 120,
        "ecs_mapping": {
          "client.port": {
            "field": "port"
          },
          "tags": {
            "value": [
              "tag1",
              "tag2"
            ]
          }
        }
      }
    }
  }'
The API returns the pack object:
{
"data": {...}
}
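The request above, as an added Python example (not Kibana's own client code) that builds the pack body, checks the documented constraints client-side (required name and queries, shards as integer percentages 1-100 that refer to listed policy IDs) and posts it with the required kbn-xsrf header. It assumes API-key authentication and that the Kibana base URL is supplied by the caller.

```python
"""Build, validate and submit a Kibana osquery pack (added example, not Kibana code)."""
import json
import urllib.request


def pack_url(kibana, space_id=None):
    """Create-pack endpoint; omit space_id to target the default space."""
    base = kibana.rstrip("/")
    if space_id:
        return f"{base}/s/{space_id}/api/osquery/packs"
    return f"{base}/api/osquery/packs"


def build_pack_payload(name, queries, description=None, enabled=True,
                       policy_ids=None, shards=None):
    """Assemble the request body and enforce the documented constraints."""
    if not name:
        raise ValueError("name is required")
    if not queries:
        raise ValueError("queries is required and must not be empty")
    for qname, spec in queries.items():
        sql = spec.get("query")
        if not isinstance(sql, str) or not sql.strip():
            raise ValueError(f"query {qname!r} needs a non-empty SQL string")
    policy_ids = list(policy_ids or [])
    shards = dict(shards or {})
    for policy, pct in shards.items():
        if policy not in policy_ids:
            raise ValueError(f"shard policy {policy!r} is not in policy_ids")
        # Shards are a percentage of target hosts, documented as 1-100.
        if isinstance(pct, bool) or not isinstance(pct, int) or not 1 <= pct <= 100:
            raise ValueError(f"shard for {policy!r} must be an integer in 1-100")
    payload = {"name": name, "enabled": bool(enabled), "queries": queries,
               "policy_ids": policy_ids, "shards": shards}
    if description:
        payload["description"] = description
    return payload


def create_pack(kibana, api_key, payload, space_id=None):
    """POST the pack; returns the parsed {"data": {...}} response body."""
    req = urllib.request.Request(
        pack_url(kibana, space_id), method="POST",
        data=json.dumps(payload).encode("utf-8"),
        headers={"Content-Type": "application/json",
                 "kbn-xsrf": "true",  # required by Kibana for non-GET requests
                 "Authorization": f"ApiKey {api_key}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)
```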