Create a live query

POST /api/osquery/live_queries

Create and run a live query.

application/json; Elastic-Api-Version=2023-10-31

Body Required

  • agent_all boolean

    When true, the query runs on all agents.

  • agent_ids array[string]

    A list of agent IDs to run the query on.

  • agent_platforms array[string]

    A list of agent platforms to run the query on.

  • agent_policy_ids array[string]

    A list of agent policy IDs to run the query on.

  • alert_ids array[string]

    A list of alert IDs associated with the live query.

  • case_ids array[string]

    A list of case IDs associated with the live query.

  • ecs_mapping object | null

    Map osquery results columns or static values to Elastic Common Schema (ECS) fields

  • event_ids array[string]

    A list of event IDs associated with the live query.

  • metadata object | null

    Custom metadata object associated with the live query.

    Additional properties are allowed.

  • pack_id string | null

    The ID of the pack whose queries you want to run.

  • queries array[object]

    An array of queries to run.

    • ecs_mapping object | null

      Map osquery results columns or static values to Elastic Common Schema (ECS) fields

    • id string

      The ID of the query.

    • platform string | null

      Restricts the query to a specified platform. The default is all platforms. To specify multiple platforms, use commas. For example, linux,darwin.

    • query string

      The SQL query you want to run.

    • removed boolean | null

      Indicates whether the query is removed.

    • snapshot boolean | null

      Indicates whether the query is a snapshot.

    • version string | null

      Runs the query only on agents whose osquery version is greater than or equal to the specified version string.

  • query string

    The SQL query you want to run.

  • saved_query_id string | null

    The ID of a saved query.

Responses

  • 200 application/json; Elastic-Api-Version=2023-10-31

    OK

    Additional properties are allowed.

POST /api/osquery/live_queries
curl \
 --request POST https://localhost:5601/api/osquery/live_queries \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json; Elastic-Api-Version=2023-10-31" \
 --data @request.json
Request example (the body sent from request.json above)
{
  "query": "select * from uptime;",
  "agent_all": true,
  "ecs_mapping": {
    "host.uptime": {
      "field": "total_seconds"
    }
  }
}
Response examples (200)
{
  "data": {
    "type": "INPUT_ACTION",
    "agents": [
      "16d7caf5-efd2-4212-9b62-73dafc91fa13"
    ],
    "queries": [
      {
        "id": "6724a474-cbba-41ef-a1aa-66aebf0879e2",
        "query": "select * from uptime;",
        "agents": [
          "16d7caf5-efd2-4212-9b62-73dafc91fa13"
        ],
        "timeout": 120,
        "action_id": "609c4c66-ba3d-43fa-afdd-53e244577aa0",
        "ecs_mapping": {
          "host.uptime": {
            "field": "total_seconds"
          }
        }
      }
    ],
    "user_id": "elastic",
    "metadata": {
      "execution_context": {
        "url": "/app/osquery/live_queries/new",
        "name": "osquery"
      }
    },
    "action_id": "3c42c847-eb30-4452-80e0-728584042334",
    "agent_all": true,
    "agent_ids": [],
    "@timestamp": "2022-07-26T09:59:32.220Z",
    "expiration": "2022-07-26T10:04:32.220Z",
    "input_type": "osquery",
    "agent_platforms": [],
    "agent_policy_ids": []
  }
}
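The following is an added example, not Kibana's own client code: a small Python helper that assembles a body for this endpoint from the parameters listed above, rejects combinations the reference gives no meaning to before anything is sent, and parses the 200 response into the values an analyst tracks afterwards (the action ID to poll, the agents targeted, each query's own action ID, and the time agents have to answer, derived from `@timestamp` and `expiration`). The field names are taken from the reference; the cross-field rules it enforces (at least one targeting field, exactly one of `query`, `saved_query_id`, `pack_id` or `queries`, and exactly one of `field` or `value` in each `ecs_mapping` entry) are assumptions made for this example. The embedded request and response are the ones shown above, with the response trimmed to the fields the parser reads.

```python
"""Added example: build and validate a POST /api/osquery/live_queries body and parse
the 200 response. Not Kibana's own code; the validation rules are assumptions."""
import json
from datetime import datetime

# Parameter groups from the reference above.
TARGET_FIELDS = ("agent_all", "agent_ids", "agent_platforms", "agent_policy_ids")
SOURCE_FIELDS = ("query", "saved_query_id", "pack_id", "queries")
CONTEXT_FIELDS = ("alert_ids", "case_ids", "event_ids", "ecs_mapping", "metadata")


def validate_ecs_mapping(ecs_mapping):
    """Assumption: each ECS field maps to exactly one of 'field' (an osquery result
    column, as in the request example) or 'value' (a static value)."""
    if ecs_mapping is None:
        return
    for ecs_field, spec in ecs_mapping.items():
        keys = set(spec)
        if keys - {"field", "value"} or len(keys & {"field", "value"}) != 1:
            raise ValueError(f"ecs_mapping[{ecs_field!r}] needs exactly one of 'field' or 'value'")


def build_live_query_body(**params):
    """Return the JSON-serialisable body, dropping unset parameters and rejecting
    requests that target no agents or name no query (assumed rules)."""
    unknown = set(params) - set(TARGET_FIELDS + SOURCE_FIELDS + CONTEXT_FIELDS)
    if unknown:
        raise ValueError(f"unknown parameters: {sorted(unknown)}")
    # Keep only parameters that were actually set; None, False and empty containers are omitted.
    body = {k: v for k, v in params.items()
            if v is not None and v is not False and v != [] and v != {}}
    if not any(f in body for f in TARGET_FIELDS):
        raise ValueError("set agent_all, agent_ids, agent_platforms or agent_policy_ids")
    sources = [f for f in SOURCE_FIELDS if f in body]
    if len(sources) != 1:
        raise ValueError(f"exactly one of {SOURCE_FIELDS} is required, got {sources}")
    validate_ecs_mapping(body.get("ecs_mapping"))
    for item in body.get("queries", []):
        if not isinstance(item.get("query"), str):
            raise ValueError("each entry of 'queries' needs a SQL 'query' string")
        validate_ecs_mapping(item.get("ecs_mapping"))
    return body


def _ts(value):
    # Kibana emits ISO 8601 with a trailing Z; fromisoformat wants an explicit offset.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_live_query_response(payload):
    """Extract the action to poll, the agents it went to, each query's own action ID
    and how many seconds agents have to answer before the action expires."""
    data = payload["data"]
    started, expires = _ts(data["@timestamp"]), _ts(data["expiration"])
    return {
        "action_id": data["action_id"],
        "agents": list(data["agents"]),
        "query_action_ids": {q["id"]: q["action_id"] for q in data["queries"]},
        "ttl_seconds": int((expires - started).total_seconds()),
        "user_id": data.get("user_id"),
    }


# Constructed input: the request from the reference, and its 200 response trimmed
# to the fields the parser reads.
EXAMPLE_BODY = build_live_query_body(
    query="select * from uptime;",
    agent_all=True,
    ecs_mapping={"host.uptime": {"field": "total_seconds"}},
)
EXAMPLE_RESPONSE = {
    "data": {
        "action_id": "3c42c847-eb30-4452-80e0-728584042334",
        "agents": ["16d7caf5-efd2-4212-9b62-73dafc91fa13"],
        "queries": [{
            "id": "6724a474-cbba-41ef-a1aa-66aebf0879e2",
            "query": "select * from uptime;",
            "action_id": "609c4c66-ba3d-43fa-afdd-53e244577aa0",
            "timeout": 120,
        }],
        "user_id": "elastic",
        "@timestamp": "2022-07-26T09:59:32.220Z",
        "expiration": "2022-07-26T10:04:32.220Z",
    }
}

if __name__ == "__main__":
    print(json.dumps(EXAMPLE_BODY, indent=2))
    print(parse_live_query_response(EXAMPLE_RESPONSE))
```

Validating before sending matters in practice because a live query fans out to every targeted agent the moment it is accepted: a body that accidentally sets `agent_all` together with a typo'd `agent_policy_ids` still runs everywhere, so the checks refuse anything ambiguous rather than letting the server pick a default. The parsed `ttl_seconds` (300 in the example, five minutes between `@timestamp` and `expiration`) is the window in which results can still arrive and should drive how long a caller polls for them.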