Body Required

• description string

  The pack description.

• enabled boolean

  Enables the pack.

• name string

  The pack name.

• policy_ids array[string]

  A list of agents policy IDs.

• queries object

  An object of queries.

  Hide queries attribute Show queries attribute object

  • * object Additional properties
    Hide * attributes Show * attributes object

    • ecs_mapping object

      Map osquery results columns or static values to Elastic Common Schema (ECS) fields

      Hide ecs_mapping attribute Show ecs_mapping attribute object

      • * object Additional properties
        Hide * attributes Show * attributes object

        • field string

          The ECS field to map to.

        • value string | array[string]

          The value to map to the ECS field.

          One of:

          string-1 string array-2 array[string]
    • id string

      The ID of the query.

    • platform string

      Restricts the query to a specified platform. The default is all platforms. To specify multiple platforms, use commas. For example, linux,darwin.

    • query string

      The SQL query you want to run.

    • removed boolean

      Indicates whether the query is removed.

    • saved_query_id string

      The ID of a saved query.

    • snapshot boolean

      Indicates whether the query is a snapshot.

    • version string

      Uses the Osquery versions greater than or equal to the specified version string.

• shards object

  An object with shard configuration for policies included in the pack. For each policy, set the shard configuration to a percentage (1–100) of target hosts.

  Hide shards attribute Show shards attribute object

  • * number Additional properties