Update a pack

PUT /api/osquery/packs/{id}
Api key auth Basic auth

Update a query pack using the pack ID.

You cannot update a prebuilt pack.

Path parameters

  • id string | null Required

    The ID of the pack you want to run, retrieve, update, or delete.

application/json; Elastic-Api-Version=2023-10-31

Body Required

  • description string | null

    The pack description.

  • enabled boolean | null

    Enables the pack.

  • name string

    The pack name.

  • policy_ids array[string] | null

    A list of agents policy IDs.

  • queries object

    An object of queries.

    Hide queries attribute Show queries attribute object
    • * object Additional properties

      Additional properties are allowed.

      Hide * attributes Show * attributes object
      • ecs_mapping object | null

        Map osquery results columns or static values to Elastic Common Schema (ECS) fields

        Hide ecs_mapping attribute Show ecs_mapping attribute object | null
      • id string

        The ID of the query.

      • platform string | null

        Restricts the query to a specified platform. The default is all platforms. To specify multiple platforms, use commas. For example, linux,darwin.

      • query string

        The SQL query you want to run.

      • removed boolean | null

        Indicates whether the query is removed.

      • saved_query_id string | null

        The ID of a saved query.

      • snapshot boolean | null

        Indicates whether the query is a snapshot.

      • version string | null

        Uses the Osquery versions greater than or equal to the specified version string.

  • shards object

    An object with shard configuration for policies included in the pack. For each policy, set the shard configuration to a percentage (1–100) of target hosts.

    Hide shards attribute Show shards attribute object
    • * number Additional properties

Responses

  • 200 application/json; Elastic-Api-Version=2023-10-31

    OK

    Additional properties are allowed.
PUT /api/osquery/packs/{id} 
curl \
 --request PUT https://localhost:5601/api/osquery/packs/3c42c847-eb30-4452-80e0-728584042334 \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json; Elastic-Api-Version=2023-10-31"
Request example 
{
  "name": "updated_my_pack_name"
}
Response examples (200) 
{
  "data": {
    "name": "updated_my_pack_name",
    "shards": [
      {
        "key": "47638692-7c4c-4053-aa3e-7186f28df349",
        "value": 35
      },
      {
        "key": "5e267651-fe50-443e-8d3f-3bbc9171b618",
        "value": 58
      }
    ],
    "enabled": true,
    "queries": {
      "ports": {
        "query": "SELECT * FROM listening_ports;",
        "removed": false,
        "timeout": 120,
        "interval": 60,
        "snapshot": true,
        "ecs_mapping": {
          "client.port": {
            "field": "port"
          }
        }
      }
    },
    "created_at": "2025-02-26T13:37:30.452Z",
    "created_by": "elastic",
    "updated_at": "2025-02-26T13:40:16.297Z",
    "updated_by": "elastic",
    "description": "My pack",
    "saved_object_id": "1c266590-381f-428c-878f-c80c1334f856"
  }
}