Create a live query

POST /api/osquery/live_queries

Api key auth

Create and run a live query.

application/json

Body Required

agent_all boolean

When true, the query runs on all agents.
agent_ids array[string]

A list of agent IDs to run the query on.
agent_platforms array[string]

A list of agent platforms to run the query on.
agent_policy_ids array[string]

A list of agent policy IDs to run the query on.
alert_ids array[string]

A list of alert IDs associated with the live query.
case_ids array[string]

A list of case IDs associated with the live query.
ecs_mapping object

Map osquery results columns or static values to Elastic Common Schema (ECS) fields
Hide ecs_mapping attribute Show ecs_mapping attribute object
- * object Additional properties
  Hide * attributes Show * attributes object
  
  field string
  
  The ECS field to map to.
  
  value string | array[string]
  
  The value to map to the ECS field.
  
  One of:
  string-1 string array-2 array[string]
event_ids array[string]

A list of event IDs associated with the live query.
metadata object | null

Custom metadata object associated with the live query.
pack_id string

The ID of the pack you want to run, retrieve, update, or delete.
queries array[object]

An array of queries to run.
Hide queries attributes Show queries attributes object
- ecs_mapping object
  
  Map osquery results columns or static values to Elastic Common Schema (ECS) fields
  Hide ecs_mapping attribute Show ecs_mapping attribute object
  
  * object Additional properties
  
  Hide * attributes Show * attributes object
  
  field string
  
  The ECS field to map to.
  
  value string | array[string]
  
  The value to map to the ECS field.
  
  One of:
  string-1 string array-2 array[string]
- id string
  
  The ID of the query.
- platform string
  
  Restricts the query to a specified platform. The default is all platforms. To specify multiple platforms, use commas. For example, linux,darwin.
- query string
  
  The SQL query you want to run.
- removed boolean
  
  Indicates whether the query is removed.
- snapshot boolean
  
  Indicates whether the query is a snapshot.
- version string
  
  Uses the Osquery versions greater than or equal to the specified version string.
query string

The SQL query you want to run.
saved_query_id string

The ID of a saved query.

Responses

200 application/json

OK

POST /api/osquery/live_queries

curl \
 --request POST 'https://<KIBANA_URL>/api/osquery/live_queries' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '{"query":"select * from uptime;","agent_all":true,"ecs_mapping":{"host.uptime":{"field":"total_seconds"}}}'

Create a live query

Body Required

value string | array[string]

value string | array[string]

Responses