Get pack API

edit

[preview] This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features. Retrieve a single pack by ID.

Request

edit

GET <kibana host>:<port>/api/osquery/packs/<id>

GET <kibana host>:<port>/s/<space_id>/api/osquery/packs/<id>

Path parameters

edit
space_id
(Optional, string) The space identifier. When space_id is not provided in the URL, the default space is used.
id
(Required, string) The ID of the pack you want to retrieve.

Response code

edit
200
Indicates a successful call.
404
The specified pack and ID doesn’t exist.

Example

edit

Retrieve the pack object with the bbe5b070-0c51-11ed-b0f8-ad31b008e832 ID:

$ curl -X GET api/osquery/packs/bbe5b070-0c51-11ed-b0f8-ad31b008e832

The API returns the pack object:

{
  "data": {
    "id": "bbe5b070-0c51-11ed-b0f8-ad31b008e832",
    "type": "osquery-pack",
    "namespaces": [
      "default"
    ],
    "updated_at": "2022-07-25T20:12:01.455Z",
    "name": "test_pack",
    "queries": {
      "uptime": {
        "interval": 3600,
        "query": "select * from uptime",
        "ecs_mapping": {
          "message": {
            "field": "days"
          }
        }
      }
    },
    "enabled": true,
    "created_at": "2022-07-25T19:41:10.263Z",
    "created_by": "elastic",
    "updated_by": "elastic",
    "description": "",
    "policy_ids": [],
    "read_only": false # true for prebuilt packs
  }
}