Create a pack

POST /api/osquery/packs

Create a query pack.

application/json; Elastic-Api-Version=2023-10-31

Body Required

  • description string | null

    The pack description.

  • enabled boolean | null

    Enables the pack.

  • name string

    The pack name.

  • policy_ids array[string] | null

    A list of agent policy IDs the pack applies to.

  • queries object

    An object of queries.

    • * object

      One entry per query, keyed by a query name of your choosing (for example, my_query in the request below). Additional properties are allowed.

      • ecs_mapping object | null

        Map osquery results columns or static values to Elastic Common Schema (ECS) fields

      • id string

        The ID of the query.

      • platform string | null

        Restricts the query to the specified platform(s). The default is all platforms. To specify multiple platforms, separate them with commas, for example linux,darwin.

      • query string

        The SQL query you want to run.

      • removed boolean | null

        Indicates whether the query is removed.

      • saved_query_id string | null

        The ID of a saved query.

      • snapshot boolean | null

        Indicates whether the query is a snapshot.

      • version string | null

        Runs the query only on osquery versions greater than or equal to the specified version string.

  • shards object

    An object with shard configuration for policies included in the pack. For each policy, set the shard configuration to a percentage (1–100) of target hosts.

    • * number

      One entry per policy ID, giving the percentage (1–100) of that policy's hosts that run the pack. Additional properties are allowed.

Responses

  • 200 application/json; Elastic-Api-Version=2023-10-31

    OK

    Additional properties are allowed.

POST /api/osquery/packs
curl \
 --request POST https://localhost:5601/api/osquery/packs \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json; Elastic-Api-Version=2023-10-31" \
 --header "kbn-xsrf: true" \
 --data @request.json
Request example (the body saved as request.json)
{
  "name": "my_pack",
  "shards": {
    "my_policy_id": 35,
    "fleet-server-policy": 58
  },
  "enabled": true,
  "queries": {
    "my_query": {
      "query": "SELECT * FROM listening_ports;",
      "timeout": 120,
      "interval": 60,
      "ecs_mapping": {
        "tags": {
          "value": [
            "tag1",
            "tag2"
          ]
        },
        "client.port": {
          "field": "port"
        }
      }
    }
  },
  "policy_ids": [
    "my_policy_id",
    "fleet-server-policy"
  ],
  "description": "My pack"
}
Response examples (200)
{
  "data": {
    "name": "my_pack",
    "shards": [
      {
        "key": "47638692-7c4c-4053-aa3e-7186f28df349",
        "value": 35
      },
      {
        "key": "5e267651-fe50-443e-8d3f-3bbc9171b618",
        "value": 58
      }
    ],
    "enabled": true,
    "queries": {
      "ports": {
        "query": "SELECT * FROM listening_ports;",
        "removed": false,
        "timeout": 120,
        "interval": 60,
        "snapshot": true,
        "ecs_mapping": {
          "client.port": {
            "field": "port"
          }
        }
      }
    },
    "created_at": "2025-02-26T13:37:30.452Z",
    "created_by": "elastic",
    "updated_at": "2025-02-26T13:37:30.452Z",
    "updated_by": "elastic",
    "description": "My pack",
    "saved_object_id": "1c266590-381f-428c-878f-c80c1334f856"
  }
}
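Added example (not from the Elastic documentation): a small Python helper that assembles a pack body, checks it against the constraints listed in the schema above, posts it with the headers shown in the curl request, and converts the response's shards array back into the policy-ID-keyed form the request uses. The kibana_url and api_key parameters are placeholders; the kbn-xsrf header is an assumption about Kibana's POST requirements and is not shown on this page.

```python
import json
import urllib.request

# Header value copied from the request shown on this page.
CONTENT_TYPE = "application/json; Elastic-Api-Version=2023-10-31"


def build_pack_payload(name, queries, policy_ids=None, shards=None,
                       description=None, enabled=True):
    """Assemble a pack body and enforce the constraints stated in the schema."""
    if not name:
        raise ValueError("name is required")
    if not queries:
        raise ValueError("queries must contain at least one query")
    for qname, q in queries.items():
        if not q.get("query"):
            raise ValueError(f"query {qname!r} has no SQL text")
    for policy_id, pct in (shards or {}).items():
        # Each shard value is a percentage (1-100) of the policy's target hosts.
        if isinstance(pct, bool) or not isinstance(pct, (int, float)) or not 1 <= pct <= 100:
            raise ValueError(f"shard for {policy_id!r} must be 1-100, got {pct!r}")
    payload = {"name": name, "enabled": enabled, "queries": queries}
    if description is not None:
        payload["description"] = description
    if policy_ids is not None:
        payload["policy_ids"] = list(policy_ids)
    if shards is not None:
        payload["shards"] = dict(shards)
    return payload


def parse_response_shards(response_body):
    """The 200 response lists shards as [{key, value}, ...]; map back to policy ID -> percent."""
    return {s["key"]: s["value"] for s in response_body["data"].get("shards", [])}


def create_pack(kibana_url, api_key, payload):
    """POST the pack. kibana_url/api_key are caller-supplied placeholders;
    kbn-xsrf is assumed to be required by Kibana for non-GET requests."""
    req = urllib.request.Request(
        f"{kibana_url}/api/osquery/packs",
        data=json.dumps(payload).encode(),
        method="POST",
        headers={"Authorization": api_key, "Content-Type": CONTENT_TYPE,
                 "kbn-xsrf": "true"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)
```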