Create a live query

POST /api/osquery/live_queries
Api key auth

Create and run a live query.

application/json

Body Required

  • agent_all boolean

    When true, the query runs on all agents.

  • agent_ids array[string]

    A list of agent IDs to run the query on.

  • agent_platforms array[string]

    A list of agent platforms to run the query on.

  • agent_policy_ids array[string]

    A list of agent policy IDs to run the query on.

  • alert_ids array[string]

    A list of alert IDs associated with the live query.

  • case_ids array[string]

    A list of case IDs associated with the live query.

  • ecs_mapping object | null

    Map osquery results columns or static values to Elastic Common Schema (ECS) fields

    Hide ecs_mapping attribute Show ecs_mapping attribute object | null
    • * object Additional properties
      Hide * attributes Show * attributes object
  • event_ids array[string]

    A list of event IDs associated with the live query.

  • metadata object | null

    Custom metadata object associated with the live query.

  • pack_id string | null

    The ID of the pack you want to run, retrieve, update, or delete.

  • queries array[object]

    An array of queries to run.

    Hide queries attributes Show queries attributes object
    • ecs_mapping object | null

      Map osquery results columns or static values to Elastic Common Schema (ECS) fields

      Hide ecs_mapping attribute Show ecs_mapping attribute object | null
      • * object Additional properties
        Hide * attributes Show * attributes object
    • id string

      The ID of the query.

    • platform string | null

      Restricts the query to a specified platform. The default is all platforms. To specify multiple platforms, use commas. For example, linux,darwin.

    • query string

      The SQL query you want to run.

    • removed boolean | null

      Indicates whether the query is removed.

    • snapshot boolean | null

      Indicates whether the query is a snapshot.

    • version string | null

      Uses the Osquery versions greater than or equal to the specified version string.

  • query string

    The SQL query you want to run.

  • saved_query_id string | null

    The ID of a saved query.

Responses

  • 200 application/json

    OK
POST /api/osquery/live_queries 
curl \ --request POST 'https://<KIBANA_URL>/api/osquery/live_queries' \ --header "Authorization: $API_KEY" \ --header "Content-Type: application/json" \ --data '{"query":"select * from uptime;","agent_all":true,"ecs_mapping":{"host.uptime":{"field":"total_seconds"}}}'
Request example 
{ "query": "select * from uptime;", "agent_all": true, "ecs_mapping": { "host.uptime": { "field": "total_seconds" } } }
Response examples (200) 
{ "data": { "type": "INPUT_ACTION", "agents": [ "16d7caf5-efd2-4212-9b62-73dafc91fa13" ], "queries": [ { "id": "6724a474-cbba-41ef-a1aa-66aebf0879e2", "query": "select * from uptime;", "agents": [ "16d7caf5-efd2-4212-9b62-73dafc91fa13" ], "timeout": 120, "action_id": "609c4c66-ba3d-43fa-afdd-53e244577aa0", "ecs_mapping": { "host.uptime": { "field": "total_seconds" } } } ], "user_id": "elastic", "metadata": { "execution_context": { "url": "/app/osquery/live_queries/new", "name": "osquery" } }, "action_id": "3c42c847-eb30-4452-80e0-728584042334", "agent_all": true, "agent_ids": [], "@timestamp": "2022-07-26T09:59:32.220Z", "expiration": "2022-07-26T10:04:32.220Z", "input_type": "osquery", "agent_platforms": [], "agent_policy_ids": [] } }