From 06509ab7b96f5399ae00a383ad8b5c43f690f941 Mon Sep 17 00:00:00 2001 From: Konrad Szwarc Date: Sat, 11 Apr 2026 01:34:36 -0600 Subject: [PATCH 1/7] [DO NOT MERGE][Osquery] FF Enabled for Osquery 9.4 rework (#258935) Do not merge. Testing CI and getting ready for GA. --------- Co-authored-by: Tomasz Ciecierski Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com> --- .../osquery/common/experimental_features.ts | 4 +- .../cypress/e2e/all/add_integration.cy.ts | 2 +- .../all/alerts_automated_action_results.cy.ts | 32 +++------- .../osquery/cypress/e2e/all/cases.cy.ts | 18 +----- .../cypress/e2e/all/custom_space.cy.ts | 2 +- .../cypress/e2e/all/ecs_mappings.cy.ts | 4 +- .../cypress/e2e/all/edit_saved_queries.cy.ts | 8 ++- .../osquery/cypress/e2e/all/live_query.cy.ts | 8 +-- .../cypress/e2e/all/live_query_packs.cy.ts | 17 ++---- .../cypress/e2e/all/live_query_run.cy.ts | 34 +++-------- .../cypress/e2e/all/packs_create_edit.cy.ts | 4 +- .../cypress/e2e/all/packs_integration.cy.ts | 2 +- .../cypress/e2e/all/saved_queries.cy.ts | 38 +++++++----- .../osquery/cypress/e2e/roles/reader.cy.ts | 10 ++-- .../cypress/e2e/roles/t1_and_t2_analyst.cy.ts | 17 +++--- .../shared/osquery/cypress/screens/packs.ts | 3 + .../osquery/cypress/tasks/live_query.ts | 15 ++--- .../public/routes/packs/list/index.tsx | 4 +- .../public/routes/packs/list/packs_table.tsx | 1 + .../map_live_hit_to_row.test.ts | 58 +++++++++++++++++++ 20 files changed, 142 insertions(+), 139 deletions(-) diff --git a/x-pack/platform/plugins/shared/osquery/common/experimental_features.ts b/x-pack/platform/plugins/shared/osquery/common/experimental_features.ts index 80670e28dd67b..d33ec571abc05 100644 --- a/x-pack/platform/plugins/shared/osquery/common/experimental_features.ts +++ b/x-pack/platform/plugins/shared/osquery/common/experimental_features.ts 
@@ -19,12 +19,12 @@ export const allowedExperimentalValues = Object.freeze({
    * - Introduces search input and users filter
    * - Introduces scheduled responses support
    */
-  queryHistoryRework: false,
+  queryHistoryRework: true,
   /**
    * Replaces the legacy EuiDataGrid results table with UnifiedDataTable,
    * adding KQL search, document flyout, per-row actions, and column curation.
    */
-  unifiedDataTable: false,
+  unifiedDataTable: true,
 });
 
 type ExperimentalFeatures = { [K in keyof typeof allowedExperimentalValues]: boolean };
diff --git a/x-pack/platform/plugins/shared/osquery/cypress/e2e/all/add_integration.cy.ts b/x-pack/platform/plugins/shared/osquery/cypress/e2e/all/add_integration.cy.ts
index 7f2f5f5dc9fd9..106aea127c76e 100644
--- a/x-pack/platform/plugins/shared/osquery/cypress/e2e/all/add_integration.cy.ts
+++ b/x-pack/platform/plugins/shared/osquery/cypress/e2e/all/add_integration.cy.ts
@@ -147,7 +147,7 @@ describe('ALL - Add Integration', { tags: ['@ess', '@serverless'] }, () => {
       policyContainsIntegration(integrationName, policyName);
       checkDataStreamsInPolicyDetails();
       cy.visit(OSQUERY);
-      cy.contains('Live queries history');
+      cy.contains('History');
     }
   );
 });
diff --git a/x-pack/platform/plugins/shared/osquery/cypress/e2e/all/alerts_automated_action_results.cy.ts b/x-pack/platform/plugins/shared/osquery/cypress/e2e/all/alerts_automated_action_results.cy.ts
index c4e8b7cf33b8c..e0f0c95263148 100644
--- a/x-pack/platform/plugins/shared/osquery/cypress/e2e/all/alerts_automated_action_results.cy.ts
+++ b/x-pack/platform/plugins/shared/osquery/cypress/e2e/all/alerts_automated_action_results.cy.ts
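Review bot: The doc comments above `queryHistoryRework` and `unifiedDataTable` still read as descriptions of an opt-in experiment, but after this flip both ship enabled and the config key becomes a kill switch; state that explicitly so operators know what turning it off restores, e.g. `* Enabled by default; set to false in kibana.yml to fall back to the legacy live-queries table.`. Since the commit is marked DO NOT MERGE, the flip should also land together with the server-side pieces that are keyed to the same flag — the OpenAPI patch later in this series removes a TODO saying its `x-labels` were waiting on this flag — otherwise UI and API can disagree about which features exist. The `allowedExperimentalValues` object starts above this hunk.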
@@ -7,7 +7,7 @@ import { initializeDataViews } from '../../tasks/login'; import { cleanupRule, loadRule } from '../../tasks/api_fixtures'; -import { checkActionItemsInResults, loadRuleAlerts, navigateToRule } from '../../tasks/live_query'; +import { loadRuleAlerts, navigateToRule } from '../../tasks/live_query'; const UUID_REGEX = '[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}'; @@ -41,13 +41,9 @@ describe( cy.getBySel('securitySolutionFlyoutResponseSectionHeader').click(); cy.getBySel('securitySolutionFlyoutResponseButton').click(); cy.getBySel('responseActionsViewWrapper').should('exist'); - checkActionItemsInResults({ - lens: true, - discover: true, - cases: true, - timeline: true, - }); - cy.contains('View in Discover') + cy.getBySel('osquery-results-comment').first().should('exist'); + cy.get('[aria-label="View in Discover"]') + .first() .should('exist') .should('have.attr', 'href') .then(($href) => { @@ -66,12 +62,7 @@ describe( cy.getBySel('securitySolutionFlyoutResponseSectionHeader').click(); cy.getBySel('securitySolutionFlyoutResponseButton').click(); cy.getBySel('responseActionsViewWrapper').should('exist'); - checkActionItemsInResults({ - lens: true, - discover: true, - cases: true, - timeline: true, - }); + cy.getBySel('osquery-results-comment').first().should('exist'); cy.getBySel('osquery-results-comment') .first() .within(() => { 
@@ -104,21 +95,12 @@ describe( cy.getBySel('securitySolutionFlyoutResponseSectionHeader').click(); cy.getBySel('securitySolutionFlyoutResponseButton').click(); cy.getBySel('responseActionsViewWrapper').should('exist'); - checkActionItemsInResults({ - lens: true, - discover: true, - cases: true, - timeline: true, - }); cy.getBySel('osquery-results-comment') .first() .within(() => { - cy.get('.euiTableRow') - .first() - .within(() => { - cy.getBySel('add-to-timeline').click(); - }); + cy.get('[data-test-subj^="packQueriesTableKebab-"]').first().click(); }); + cy.getBySel('add-to-timeline').click(); cy.contains(timelineRegex); cy.getBySel('securitySolutionFlyoutNavigationCollapseDetailButton').click(); cy.getBySel('timeline-bottom-bar').contains('Untitled timeline').click(); diff --git a/x-pack/platform/plugins/shared/osquery/cypress/e2e/all/cases.cy.ts b/x-pack/platform/plugins/shared/osquery/cypress/e2e/all/cases.cy.ts index 00047913118c6..6b5359f63ae4b 100644 --- a/x-pack/platform/plugins/shared/osquery/cypress/e2e/all/cases.cy.ts +++ b/x-pack/platform/plugins/shared/osquery/cypress/e2e/all/cases.cy.ts @@ -7,11 +7,7 @@ import { ServerlessRoleName } from '../../support/roles'; import { initializeDataViews } from '../../tasks/login'; -import { - addLiveQueryToCase, - checkActionItemsInResults, - viewRecentCaseAndCheckResults, -} from '../../tasks/live_query'; +import { addLiveQueryToCase, viewRecentCaseAndCheckResults } from '../../tasks/live_query'; import { navigateTo } from '../../tasks/navigation'; import { loadLiveQuery, loadCase, cleanupCase } from '../../tasks/api_fixtures'; @@ -52,12 +48,6 @@ describe('Add to Cases', () => { viewRecentCaseAndCheckResults(); cy.contains(liveQueryQuery); - checkActionItemsInResults({ - lens: true, - discover: true, - cases: false, - timeline: false, - }); }); }); 
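Review bot: The kebab is opened inside `.within()` but the new `cy.getBySel('add-to-timeline').click()` runs at document scope, so when more than one results comment is rendered the click can land on a menu belonging to a different comment; the replaced code kept the click scoped to the first row. Scoping the click to the popover the kebab opens, or asserting that exactly one `add-to-timeline` item is visible before clicking, keeps the test deterministic. The removed `checkActionItemsInResults({ lens, discover, cases, timeline })` block is not replaced by any assertion on the other entries of the new menu, so a regression in the Lens/Discover/Cases actions would no longer be caught here; one `cy.contains('Add to Case').should('exist')` after the kebab click (label to be confirmed against the new menu) would restore part of that coverage. The enclosing `it` block starts above this hunk.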
@@ -84,12 +74,6 @@ describe('Add to Cases', () => { viewRecentCaseAndCheckResults(); cy.contains('SELECT * FROM os_version;'); - checkActionItemsInResults({ - lens: true, - discover: true, - cases: false, - timeline: false, - }); }); }); }); diff --git a/x-pack/platform/plugins/shared/osquery/cypress/e2e/all/custom_space.cy.ts b/x-pack/platform/plugins/shared/osquery/cypress/e2e/all/custom_space.cy.ts index f8e95c64eb7e2..215c835bb7031 100644 --- a/x-pack/platform/plugins/shared/osquery/cypress/e2e/all/custom_space.cy.ts +++ b/x-pack/platform/plugins/shared/osquery/cypress/e2e/all/custom_space.cy.ts @@ -74,7 +74,7 @@ describe('ALL - Custom space', () => { }); it('Discover should be opened in new tab in results table', { tags: testSpace.tags }, () => { - cy.contains('New live query').click(); + cy.contains('Run query').click(); selectAllAgents(); inputQuery('select * from uptime;'); submitQuery(); diff --git a/x-pack/platform/plugins/shared/osquery/cypress/e2e/all/ecs_mappings.cy.ts b/x-pack/platform/plugins/shared/osquery/cypress/e2e/all/ecs_mappings.cy.ts index 4bafc3d173156..8064022080aab 100644 --- a/x-pack/platform/plugins/shared/osquery/cypress/e2e/all/ecs_mappings.cy.ts +++ b/x-pack/platform/plugins/shared/osquery/cypress/e2e/all/ecs_mappings.cy.ts @@ -25,7 +25,7 @@ describe('EcsMapping', { tags: ['@ess', '@serverless', '@skipInServerlessMKI'] } it('should properly show static values in form and results', () => { navigateTo('/app/osquery'); - cy.contains('New live query').click(); + cy.contains('Run query').click(); selectAllAgents(); inputQuery('select * from processes;'); getAdvancedButton().click(); 
@@ -53,7 +53,7 @@ describe('EcsMapping', { tags: ['@ess', '@serverless', '@skipInServerlessMKI'] } it('should hide and show ecs mappings on Advanced accordion click', () => { navigateTo('/app/osquery'); - cy.contains('New live query').click(); + cy.contains('Run query').click(); selectAllAgents(); cy.getBySel('savedQuerySelect').within(() => { cy.getBySel('comboBoxInput').type('processes_elastic{downArrow}{enter}'); diff --git a/x-pack/platform/plugins/shared/osquery/cypress/e2e/all/edit_saved_queries.cy.ts b/x-pack/platform/plugins/shared/osquery/cypress/e2e/all/edit_saved_queries.cy.ts index 75a720327f5ef..694bda015cab5 100644 --- a/x-pack/platform/plugins/shared/osquery/cypress/e2e/all/edit_saved_queries.cy.ts +++ b/x-pack/platform/plugins/shared/osquery/cypress/e2e/all/edit_saved_queries.cy.ts @@ -5,7 +5,7 @@ * 2.0. */ -import { customActionEditSavedQuerySelector, UPDATE_QUERY_BUTTON } from '../../screens/packs'; +import { rowActionsMenuSelector, UPDATE_QUERY_BUTTON } from '../../screens/packs'; import { navigateTo } from '../../tasks/navigation'; import { loadSavedQuery, cleanupSavedQuery } from '../../tasks/api_fixtures'; import { ServerlessRoleName } from '../../support/roles'; @@ -31,7 +31,8 @@ describe('ALL - Edit saved query', { tags: ['@ess', '@serverless'] }, () => { }); it('by changing ecs mappings and platforms', () => { - cy.get(customActionEditSavedQuerySelector(savedQueryName)).click(); + cy.get(rowActionsMenuSelector(savedQueryName)).click(); + cy.contains('Edit query').click(); cy.contains('Custom key/value pairs.').should('exist'); cy.contains('Hours of uptime').should('exist'); cy.get('[data-test-subj="ECSMappingEditorForm"]') 
@@ -52,7 +53,8 @@ describe('ALL - Edit saved query', { tags: ['@ess', '@serverless'] }, () => { cy.wait(5000); - cy.get(customActionEditSavedQuerySelector(savedQueryName)).click(); + cy.get(rowActionsMenuSelector(savedQueryName)).click(); + cy.contains('Edit query').click(); cy.contains('Custom key/value pairs').should('not.exist'); cy.contains('Hours of uptime').should('not.exist'); diff --git a/x-pack/platform/plugins/shared/osquery/cypress/e2e/all/live_query.cy.ts b/x-pack/platform/plugins/shared/osquery/cypress/e2e/all/live_query.cy.ts index 6b71ddfb9df89..f2be6941ea9b8 100644 --- a/x-pack/platform/plugins/shared/osquery/cypress/e2e/all/live_query.cy.ts +++ b/x-pack/platform/plugins/shared/osquery/cypress/e2e/all/live_query.cy.ts @@ -26,7 +26,7 @@ describe('ALL - Live Query', { tags: ['@ess', '@serverless'] }, () => { }); it('should validate the form', () => { - cy.contains('New live query').click(); + cy.contains('Run query').click(); submitQuery(); cy.contains('Agents is a required field'); cy.contains('Query is a required field'); @@ -58,10 +58,6 @@ describe('ALL - Live Query', { tags: ['@ess', '@serverless'] }, () => { expect(interception.response?.body.data.queries[0]).to.have.property('timeout', 890); }); checkResults(); - const firstCell = '[data-gridcell-column-index="0"][data-gridcell-row-index="0"]'; - cy.get(firstCell).should('exist'); - cy.get(firstCell).find('[data-euigrid-tab-managed="true"]').click(); - cy.url().should('include', 'app/fleet/agents/'); }); it('should run multiline query', () => { @@ -82,7 +78,7 @@ describe('ALL - Live Query', { tags: ['@ess', '@serverless'] }, () => { ' on pos.pid=p.pid{esc}{shift+enter}' + "where pos.remote_port !='0' {shift+enter}" + 'limit 1000;'; - cy.contains('New live query').click(); + cy.contains('Run query').click(); cy.getBySel(LIVE_QUERY_EDITOR).invoke('height').and('be.gt', 99).and('be.lt', 110); cy.getBySel(LIVE_QUERY_EDITOR).click().invoke('val', multilineQuery); 
diff --git a/x-pack/platform/plugins/shared/osquery/cypress/e2e/all/live_query_packs.cy.ts b/x-pack/platform/plugins/shared/osquery/cypress/e2e/all/live_query_packs.cy.ts index 68b5e2c8a5fa3..d77583f7e2489 100644 --- a/x-pack/platform/plugins/shared/osquery/cypress/e2e/all/live_query_packs.cy.ts +++ b/x-pack/platform/plugins/shared/osquery/cypress/e2e/all/live_query_packs.cy.ts @@ -8,7 +8,6 @@ import { navigateTo } from '../../tasks/navigation'; import { addToCase, - checkActionItemsInResults, checkResults, selectAllAgents, submitQuery, @@ -68,7 +67,7 @@ describe('ALL - Live Query Packs', { tags: ['@ess', '@serverless'] }, () => { }); it('should run live pack', () => { - cy.contains('New live query').click(); + cy.contains('Run query').click(); cy.contains('Run a set of queries in a pack.').click(); cy.getBySel(LIVE_QUERY_EDITOR).should('not.exist'); cy.getBySel('select-live-pack').click().type(`${packName}{downArrow}{enter}`); @@ -79,17 +78,11 @@ describe('ALL - Live Query Packs', { tags: ['@ess', '@serverless'] }, () => { submitQuery(); cy.getBySel('toggleIcon-system_memory_linux_elastic').click(); checkResults(); - checkActionItemsInResults({ - lens: true, - discover: true, - cases: true, - timeline: false, - }); cy.contains('Status').click(); - cy.getBySel('tableHeaderCell_status_0').should('exist'); - cy.getBySel('tableHeaderCell_fields.agent_id[0]_1').should('exist'); - cy.getBySel('tableHeaderCell__source.action_response.osquery.count_2').should('exist'); - cy.getBySel('tableHeaderCell_fields.error[0]_3').should('exist'); + cy.getBySel('dataGridHeaderCell-status').should('exist'); + cy.getBySel('dataGridHeaderCell-agent_id').should('exist'); + cy.getBySel('dataGridHeaderCell-action_response.osquery.count').should('exist'); + cy.getBySel('dataGridHeaderCell-error').should('exist'); cy.getBySel('toggleIcon-system_memory_linux_elastic').click(); cy.getBySel('toggleIcon-failingQuery').click(); 
diff --git a/x-pack/platform/plugins/shared/osquery/cypress/e2e/all/live_query_run.cy.ts b/x-pack/platform/plugins/shared/osquery/cypress/e2e/all/live_query_run.cy.ts index 9ea72070c4984..cbedff078697f 100644 --- a/x-pack/platform/plugins/shared/osquery/cypress/e2e/all/live_query_run.cy.ts +++ b/x-pack/platform/plugins/shared/osquery/cypress/e2e/all/live_query_run.cy.ts @@ -8,7 +8,6 @@ import { SAVED_QUERY_DROPDOWN_SELECT } from '../../screens/packs'; import { navigateTo } from '../../tasks/navigation'; import { - checkActionItemsInResults, checkResults, fillInQueryTimeout, inputQuery, @@ -18,7 +17,7 @@ import { typeInOsqueryFieldInput, verifyQueryTimeout, } from '../../tasks/live_query'; -import { LIVE_QUERY_EDITOR, RESULTS_TABLE, RESULTS_TABLE_BUTTON } from '../../screens/live_query'; +import { LIVE_QUERY_EDITOR, RESULTS_TABLE } from '../../screens/live_query'; import { getAdvancedButton } from '../../screens/integrations'; import { loadSavedQuery, cleanupSavedQuery } from '../../tasks/api_fixtures'; import { ServerlessRoleName } from '../../support/roles'; 
@@ -52,25 +51,16 @@ describe( it('should run query and enable ecs mapping', () => { const cmd = Cypress.platform === 'darwin' ? '{meta}{enter}' : '{ctrl}{enter}'; - cy.contains('New live query').click(); + cy.contains('Run query').click(); selectAllAgents(); inputQuery('select * from uptime;'); cy.wait(500); // checking submit by clicking cmd+enter inputQuery(cmd); checkResults(); - checkActionItemsInResults({ - lens: true, - discover: true, - cases: true, - timeline: false, + cy.getBySel(RESULTS_TABLE).within(() => { + cy.get('[data-test-subj^="dataGridHeaderCell-"]').should('have.length.greaterThan', 0); }); - cy.get( - '[data-gridcell-column-index="1"][data-test-subj="dataGridHeaderCell-osquery.days.number"]' - ).should('exist'); - cy.get( - '[data-gridcell-column-index="2"][data-test-subj="dataGridHeaderCell-osquery.hours.number"]' - ).should('exist'); getAdvancedButton().click(); typeInECSFieldInput('message{downArrow}{enter}'); @@ -79,22 +69,12 @@ describe( checkResults(); cy.getBySel(RESULTS_TABLE).within(() => { - cy.getBySel(RESULTS_TABLE_BUTTON).should('exist'); + cy.get('[data-test-subj="dataGridHeaderCell-message"]').should('exist'); }); - cy.get( - '[data-gridcell-column-index="1"][data-test-subj="dataGridHeaderCell-message"]' - ).should('exist'); - cy.get( - '[data-gridcell-column-index="2"][data-test-subj="dataGridHeaderCell-osquery.days.number"]' - ) - .should('exist') - .within(() => { - cy.get(`.euiToolTipAnchor`); - }); }); it('should run customized saved query', () => { - cy.contains('New live query').click(); + cy.contains('Run query').click(); selectAllAgents(); cy.getBySel(SAVED_QUERY_DROPDOWN_SELECT).type(`${savedQueryName}{downArrow}{enter}`); inputQuery('{selectall}{backspace}select * from users;'); 
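Review bot: `should('have.length.greaterThan', 0)` on `[data-test-subj^="dataGridHeaderCell-"]` only proves that some column rendered; the assertions it replaces pinned `osquery.days.number` and `osquery.hours.number`, which is what showed that the columns come from the uptime query rather than from a default column set. If UnifiedDataTable keeps the same column ids, `cy.getBySel('dataGridHeaderCell-osquery.days.number').should('exist');` inside the same `.within()` restores that check at no cost. The ECS-mapping step later in the same test already asserts `dataGridHeaderCell-message`, so the pattern is in use in this file.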
@@ -111,7 +91,7 @@ describe( it('should open query details by clicking the details icon', () => { cy.get('[aria-label="Details"]').first().should('be.visible').click(); - cy.contains('Live query details'); + cy.contains('View history'); cy.contains('select * from users;'); }); } diff --git a/x-pack/platform/plugins/shared/osquery/cypress/e2e/all/packs_create_edit.cy.ts b/x-pack/platform/plugins/shared/osquery/cypress/e2e/all/packs_create_edit.cy.ts index 00cf96a25885e..d9ccac097e6f6 100644 --- a/x-pack/platform/plugins/shared/osquery/cypress/e2e/all/packs_create_edit.cy.ts +++ b/x-pack/platform/plugins/shared/osquery/cypress/e2e/all/packs_create_edit.cy.ts @@ -196,9 +196,7 @@ describe( cy.getBySel(UPDATE_PACK_BUTTON).click(); closeModalIfVisible(); - cy.contains( - 'Create packs to organize sets of queries and to schedule queries for agent policies.' - ); + cy.contains('Create pack'); const queries = { Query1: { interval: 3600, diff --git a/x-pack/platform/plugins/shared/osquery/cypress/e2e/all/packs_integration.cy.ts b/x-pack/platform/plugins/shared/osquery/cypress/e2e/all/packs_integration.cy.ts index b1f292bd79745..afa93e34b5806 100644 --- a/x-pack/platform/plugins/shared/osquery/cypress/e2e/all/packs_integration.cy.ts +++ b/x-pack/platform/plugins/shared/osquery/cypress/e2e/all/packs_integration.cy.ts @@ -162,7 +162,7 @@ describe.skip('ALL - Packs', { tags: ['@ess', '@serverless'] }, () => { it('should be able to run live prebuilt pack', () => { navigateTo('/app/osquery/live_queries'); - cy.contains('New live query').click(); + cy.contains('Run query').click(); cy.getBySel('globalLoadingIndicator').should('not.exist'); cy.contains('Run a set of queries in a pack.').click(); cy.getBySel(LIVE_QUERY_EDITOR).should('not.exist'); diff --git a/x-pack/platform/plugins/shared/osquery/cypress/e2e/all/saved_queries.cy.ts b/x-pack/platform/plugins/shared/osquery/cypress/e2e/all/saved_queries.cy.ts index 4c08ac4c21688..62e68f013ebcb 100644 
--- a/x-pack/platform/plugins/shared/osquery/cypress/e2e/all/saved_queries.cy.ts +++ b/x-pack/platform/plugins/shared/osquery/cypress/e2e/all/saved_queries.cy.ts @@ -16,6 +16,7 @@ import { customActionEditSavedQuerySelector, customActionRunSavedQuerySelector, EDIT_PACK_HEADER_BUTTON, + rowActionsMenuSelector, SAVED_QUERY_DROPDOWN_SELECT, } from '../../screens/packs'; import { preparePack } from '../../tasks/packs'; @@ -71,7 +72,7 @@ describe('ALL - Saved queries', { tags: ['@ess', '@serverless'] }, () => { const suffix = generateRandomStringName(1)[0]; const savedQueryId = `Saved-Query-Id-${suffix}`; const savedQueryDescription = `Test saved query description ${suffix}`; - cy.contains('New live query').click(); + cy.contains('Run query').click(); selectAllAgents(); inputQuery(BIG_QUERY); getAdvancedButton().click(); @@ -124,10 +125,17 @@ describe('ALL - Saved queries', { tags: ['@ess', '@serverless'] }, () => { cy.getBySel('osquery-status-tab').click(); cy.get('tbody > tr.euiTableRow').should('have.lengthOf', 2); - // save new query + // save new query from the detail page cy.contains('Exit full screen').should('not.exist'); - cy.contains('Save for later').click(); - cy.contains('Save query'); + navigateTo('/app/osquery/live_queries'); + cy.get('tbody tr', { timeout: 60000 }) + .first() + .within(() => { + cy.get('[aria-label="Details"]').click(); + }); + cy.contains('Query results'); + cy.getBySel('save-query-button').should('exist').click(); + cy.getBySel('osquery-save-query-flyout').should('exist'); cy.get('input[name="id"]').type(`${savedQueryId}{downArrow}{enter}`); cy.get('input[name="description"]').type(`${savedQueryDescription}{downArrow}{enter}`); cy.getBySel('savedQueryFlyoutSaveButton').click(); 
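Review bot: `cy.get('tbody tr', { timeout: 60000 }).first()` assumes the newest run is the first row of the history table and that no other run lands in between; that is an ordering assumption rather than an assertion, and the 60s timeout will hide a slow index refresh instead of surfacing it. The helpers already select history rows by action id (`cy.getBySel(\`row-${actionId}\`)` in tasks/live_query.ts), and live_query.cy.ts already reads the submit response via `cy.intercept`, so capturing the action id from that response and using the row selector would pin the test to the run it just made. The enclosing `it` block starts above this hunk.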
@@ -143,10 +151,11 @@ describe('ALL - Saved queries', { tags: ['@ess', '@serverless'] }, () => { submitQuery(); // edit saved query - cy.contains('Saved queries').click(); + navigateTo('/app/osquery/saved_queries'); cy.contains(savedQueryId); - cy.get(`[aria-label="Edit ${savedQueryId}"]`).click(); + cy.get(rowActionsMenuSelector(savedQueryId)).click(); + cy.contains('Edit query').click(); cy.get('input[name="description"]').type(` Edited{downArrow}{enter}`); // Run in test configuration @@ -175,7 +184,8 @@ describe('ALL - Saved queries', { tags: ['@ess', '@serverless'] }, () => { // delete saved query cy.contains(savedQueryId); - cy.get(`[aria-label="Edit ${savedQueryId}"]`).click(); + cy.get(rowActionsMenuSelector(savedQueryId)).click(); + cy.contains('Edit query').click(); deleteAndConfirm('query'); cy.contains(savedQueryId).should('exist'); @@ -203,9 +213,9 @@ describe('ALL - Saved queries', { tags: ['@ess', '@serverless'] }, () => { it('shows ID must be unique error', () => { cy.intercept('GET', '**/api/osquery/saved_queries**').as('savedQueriesLoaded'); - cy.contains('Saved queries').click(); + cy.contains('Queries').click(); cy.wait('@savedQueriesLoaded'); - cy.contains('Add saved query').click(); + cy.contains('Create query').click(); cy.get('input[name="id"]').type(`${duplicateTestQueryId}{downArrow}{enter}`); cy.contains('ID must be unique').should('not.exist'); @@ -216,8 +226,8 @@ describe('ALL - Saved queries', { tags: ['@ess', '@serverless'] }, () => { }); it('checks default values on new saved query', () => { - cy.contains('Saved queries').click(); - cy.contains('Add saved query').click(); + cy.contains('Queries').click(); + cy.contains('Create query').click(); // ADD MORE FIELDS HERE cy.getBySel('resultsTypeField').within(() => { cy.contains('Snapshot'); 
@@ -262,7 +272,8 @@ describe('ALL - Saved queries', { tags: ['@ess', '@serverless'] }, () => { it('checks result type on prebuilt saved query', () => { // Navigate to page 2 where users_elastic is located cy.getBySel('pagination-button-1').click(); - cy.get(customActionEditSavedQuerySelector('users_elastic')).click(); + cy.get(rowActionsMenuSelector('users_elastic')).click(); + cy.contains('Edit query').click(); cy.getBySel('resultsTypeField').within(() => { cy.contains('Snapshot'); }); @@ -283,7 +294,8 @@ describe('ALL - Saved queries', { tags: ['@ess', '@serverless'] }, () => { it('user can not delete prebuilt saved query but can delete normal saved query', () => { // Navigate to page 2 where users_elastic is located cy.getBySel('pagination-button-1').click(); - cy.get(customActionEditSavedQuerySelector('users_elastic')).click(); + cy.get(rowActionsMenuSelector('users_elastic')).click(); + cy.contains('Edit query').click(); cy.contains('Delete query').should('not.exist'); navigateTo(`/app/osquery/saved_queries/${savedQueryId}`); diff --git a/x-pack/platform/plugins/shared/osquery/cypress/e2e/roles/reader.cy.ts b/x-pack/platform/plugins/shared/osquery/cypress/e2e/roles/reader.cy.ts index 00ae3d3a20421..dd62a098c2ce5 100644 --- a/x-pack/platform/plugins/shared/osquery/cypress/e2e/roles/reader.cy.ts +++ b/x-pack/platform/plugins/shared/osquery/cypress/e2e/roles/reader.cy.ts @@ -10,6 +10,7 @@ import { customActionEditSavedQuerySelector, customActionRunSavedQuerySelector, formFieldInputSelector, + rowActionsMenuSelector, } from '../../screens/packs'; import { navigateTo } from '../../tasks/navigation'; import { 
@@ -54,9 +55,10 @@ describe('Reader - only READ', { tags: ['@ess'] }, () => { it('should not be able to add nor run saved queries', () => { navigateTo('/app/osquery/saved_queries'); cy.contains(savedQueryName); - cy.contains('Add saved query').should('be.disabled'); + cy.contains('Create query').should('be.disabled'); cy.get(customActionRunSavedQuerySelector(savedQueryName)).should('be.disabled'); - cy.get(customActionEditSavedQuerySelector(savedQueryName)).click(); + cy.get(rowActionsMenuSelector(savedQueryName)).click(); + cy.contains('Edit query').click(); cy.get(formFieldInputSelector('id')).should('be.disabled'); cy.get(formFieldInputSelector('description')).should('be.disabled'); @@ -71,7 +73,7 @@ describe('Reader - only READ', { tags: ['@ess'] }, () => { it('should not be able to play in live queries history', () => { navigateTo('/app/osquery/live_queries'); - cy.contains('New live query').should('be.disabled'); + cy.contains('Run query').should('be.disabled'); cy.contains(liveQueryQuery); cy.get(customActionRunSavedQuerySelector(savedQueryName)).should('not.exist'); cy.get(`[aria-label="Details"]`).should('exist'); @@ -79,7 +81,7 @@ describe('Reader - only READ', { tags: ['@ess'] }, () => { it('should not be able to add nor edit packs', () => { navigateTo('/app/osquery/packs'); - cy.contains('Add pack').should('be.disabled'); + cy.contains('Create pack').should('be.disabled'); cy.getBySel('tablePaginationPopoverButton').click(); cy.getBySel('tablePagination-50-rows').click(); diff --git a/x-pack/platform/plugins/shared/osquery/cypress/e2e/roles/t1_and_t2_analyst.cy.ts b/x-pack/platform/plugins/shared/osquery/cypress/e2e/roles/t1_and_t2_analyst.cy.ts index d773f1e85edb5..1b1019a6d9639 100644 --- a/x-pack/platform/plugins/shared/osquery/cypress/e2e/roles/t1_and_t2_analyst.cy.ts +++ b/x-pack/platform/plugins/shared/osquery/cypress/e2e/roles/t1_and_t2_analyst.cy.ts 
@@ -57,7 +57,7 @@ describe(`T1 and T2 analysts`, { tags: ['@ess', '@serverless', '@skipInServerles it('should be able to run saved queries but not add new ones', () => { navigateTo('/app/osquery/saved_queries'); cy.contains(savedQueryName); - cy.contains('Add saved query').should('be.disabled'); + cy.contains('Create query').should('be.disabled'); cy.get(`[aria-label="Run ${savedQueryName}"]`).should('not.be.disabled'); cy.get(`[aria-label="Run ${savedQueryName}"]`).click(); @@ -75,20 +75,19 @@ describe(`T1 and T2 analysts`, { tags: ['@ess', '@serverless', '@skipInServerles it('should be able to play in live queries history', () => { navigateTo('/app/osquery/live_queries'); - cy.contains('New live query').should('not.be.disabled'); + cy.contains('Run query').should('not.be.disabled'); cy.contains(liveQueryQuery); cy.get(`[aria-label="Run query"]`).first().should('not.be.disabled'); cy.get(`[aria-label="Run query"]`).first().click(); - cy.get('[data-test-subj="savedQuerySelect"]') - .find('input') - .should('have.value', savedQueryName); + cy.contains(liveQueryQuery); + selectAllAgents(); submitQuery(); checkResults(); }); it('should be able to use saved query in a new query', () => { navigateTo('/app/osquery/live_queries'); - cy.contains('New live query').should('not.be.disabled').click(); + cy.contains('Run query').should('not.be.disabled').click(); selectAllAgents(); cy.getBySel('savedQuerySelect').type(`${savedQueryName}{downArrow} {enter}`); cy.contains('select * from uptime'); @@ -98,9 +97,7 @@ describe(`T1 and T2 analysts`, { tags: ['@ess', '@serverless', '@skipInServerles it('should not be able to add nor edit packs', () => { navigateTo('/app/osquery/packs'); - cy.getBySel('tablePaginationPopoverButton').click(); - cy.getBySel('tablePagination-50-rows').click(); - cy.contains('Add pack').should('be.disabled'); + cy.contains('Create pack').should('be.disabled'); cy.get(`[aria-label="${packName}"]`).should('be.disabled'); cy.contains(packName).click(); 
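Review bot: In 'should be able to play in live queries history', replacing the `savedQuerySelect` value check with a second `cy.contains(liveQueryQuery)` weakens the test: the same text is asserted two lines earlier on the history page, so the new assertion can be satisfied by whatever was already on screen and no longer proves the form was prefilled from the replayed run. If the rework prefills the editor rather than the saved-query dropdown, assert on the editor, e.g. `cy.getBySel(LIVE_QUERY_EDITOR).should('contain', liveQueryQuery);` (that constant is already used in this file). The added `selectAllAgents()` suggests agent selection is not replayed on this path; a one-line comment saying whether that is expected would stop the next reader from treating it as a workaround.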
@@ -113,7 +110,7 @@ describe(`T1 and T2 analysts`, { tags: ['@ess', '@serverless', '@skipInServerles
   it('should not be able to create new liveQuery from scratch', () => {
     navigateTo('/app/osquery');
-    cy.contains('New live query').click();
+    cy.contains('Run query').click();
     selectAllAgents();
     cy.getBySel(LIVE_QUERY_EDITOR).should('not.exist');
     submitQuery();
diff --git a/x-pack/platform/plugins/shared/osquery/cypress/screens/packs.ts b/x-pack/platform/plugins/shared/osquery/cypress/screens/packs.ts
index 433871d4840a3..9ab70d1414041 100644
--- a/x-pack/platform/plugins/shared/osquery/cypress/screens/packs.ts
+++ b/x-pack/platform/plugins/shared/osquery/cypress/screens/packs.ts
@@ -19,6 +19,9 @@ export const FLYOUT_SAVED_QUERY_CANCEL_BUTTON = 'query-flyout-cancel-button';
 export const customActionEditSavedQuerySelector = (savedQueryName: string) =>
   `[aria-label="Edit ${savedQueryName}"]`;
 
+export const rowActionsMenuSelector = (itemName: string) =>
+  `[aria-label="Actions for ${itemName}"]`;
+
 export const customActionRunSavedQuerySelector = (savedQueryName: string) =>
   `[aria-label="Run ${savedQueryName}"]`;
 
diff --git a/x-pack/platform/plugins/shared/osquery/cypress/tasks/live_query.ts b/x-pack/platform/plugins/shared/osquery/cypress/tasks/live_query.ts
index edc16b90e03ce..5418c0859d9a0 100644
--- a/x-pack/platform/plugins/shared/osquery/cypress/tasks/live_query.ts
+++ b/x-pack/platform/plugins/shared/osquery/cypress/tasks/live_query.ts
@@ -161,7 +161,7 @@ export const addLiveQueryToCase = (actionId: string, caseId: string) => {
   cy.getBySel(`row-${actionId}`).within(() => {
     cy.get('[aria-label="Details"]').click();
   });
-  cy.contains('Live query details');
+  cy.contains('View history');
   addToCase(caseId);
 };
@@ -169,25 +169,18 @@ const casesOsqueryResultRegex = /attached Osquery results[\s]?[\d]+[\s]?second(? export const viewRecentCaseAndCheckResults = () => { cy.contains('View case').click(); cy.contains(casesOsqueryResultRegex); - checkResults(); }; export const checkActionItemsInResults = ({ - lens, - discover, - timeline, cases, }: { - discover: boolean; - lens: boolean; + discover?: boolean; + lens?: boolean; cases: boolean; - timeline: boolean; + timeline?: boolean; }) => { checkResults(); - cy.contains('View in Discover').should(discover ? 'exist' : 'not.exist'); - cy.contains('View in Lens').should(lens ? 'exist' : 'not.exist'); cy.contains('Add to Case').should(cases ? 'exist' : 'not.exist'); - cy.contains('Add to Timeline investigation').should(timeline ? 'exist' : 'not.exist'); }; export const takeOsqueryActionWithParams = () => { diff --git a/x-pack/platform/plugins/shared/osquery/public/routes/packs/list/index.tsx b/x-pack/platform/plugins/shared/osquery/public/routes/packs/list/index.tsx index 3fdaa977c0f33..817fabfdae263 100644 --- a/x-pack/platform/plugins/shared/osquery/public/routes/packs/list/index.tsx +++ b/x-pack/platform/plugins/shared/osquery/public/routes/packs/list/index.tsx @@ -17,9 +17,11 @@ import { PacksTableEmptyState } from './empty_state'; import { useAssetsStatus } from '../../../assets/use_assets_status'; import { usePacks } from '../../../packs/use_packs'; import { useIsExperimentalFeatureEnabled } from '../../../common/experimental_features_context'; +import { useKibana } from '../../../common/lib/kibana'; import { PacksTable } from './packs_table'; const PacksPageComponent = () => { + const permissions = useKibana().services.application.capabilities.osquery; const queryHistoryRework = useIsExperimentalFeatureEnabled('queryHistoryRework'); const { data: assetsData, isLoading: isLoadingAssetsStatus } = useAssetsStatus(); const { data: packsData, isLoading: isLoadingPacks } = usePacks({ 
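Review bot: `checkActionItemsInResults` now accepts `discover`, `lens` and `timeline` but ignores them, so a caller passing `timeline: false` gets neither an assertion nor a type error; either remove the three parameters or assert them against whatever the new menu renders. `viewRecentCaseAndCheckResults` likewise no longer calls `checkResults()`, so its name overstates what it verifies — rename it or restore the check. At minimum a doc comment on the helper, `/** Asserts only the "Add to Case" action; Lens, Discover and Timeline are not checked here. */`, makes the reduced contract visible at the call sites.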
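Review bot: `permissions` is introduced here only to gate the loading state in the following hunk, and nothing says why a reader should skip that state; a comment at the declaration, `// Assets status only matters to users who can install/update packs; readers get the table immediately.` (if that is the intent), stops the next maintainer from reading it as an authorisation check. `capabilities.osquery` is a UI hint only — the packs routes must keep enforcing `writePacks` server-side, which this change does not touch, and `packs_table.tsx` already reads the same field to disable the create button, so the two reads could share one source. `PacksPageComponent` continues beyond this hunk.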
@@ -31,7 +33,7 @@ const PacksPageComponent = () => {
   );
   if (queryHistoryRework) {
-    if (isLoadingAssetsStatus) {
+    if (isLoadingAssetsStatus && permissions.writePacks) {
       return (
diff --git a/x-pack/platform/plugins/shared/osquery/public/routes/packs/list/packs_table.tsx b/x-pack/platform/plugins/shared/osquery/public/routes/packs/list/packs_table.tsx
index 3fae988e50a2a..e51c52f966d42 100644
--- a/x-pack/platform/plugins/shared/osquery/public/routes/packs/list/packs_table.tsx
+++ b/x-pack/platform/plugins/shared/osquery/public/routes/packs/list/packs_table.tsx
@@ -387,6 +387,7 @@ const PacksTableComponent = ({ hasAssetsToInstall }: { hasAssetsToInstall?: bool {...newPackLinkProps} iconType="plusInCircle" isDisabled={!permissions.writePacks} + data-test-subj="add-pack-button" > { const row = mapLiveHitToRow(hit); expect(row.tags).toEqual([]); }); + + test('maps replay parameters for single query (savedQueryId, timeout, ecsMapping, agent selection)', () => { + const hit = { + _source: { + action_id: 'action-replay', + '@timestamp': '2024-01-01T00:00:00.000Z', + agent_all: true, + agent_ids: ['agent-1', 'agent-2'], + agent_platforms: ['linux', 'darwin'], + agent_policy_ids: ['policy-1'], + queries: [ + { + query: 'SELECT * FROM uptime', + id: 'q1', + agents: ['agent-1', 'agent-2'], + saved_query_id: 'saved-query-123', + timeout: 601, + ecs_mapping: { message: { field: 'days' } }, + }, + ], + }, + }; + + const row = mapLiveHitToRow(hit); + expect(row.savedQueryId).toBe('saved-query-123'); + expect(row.timeout).toBe(601); + expect(row.ecsMapping).toEqual({ message: { field: 'days' } }); + expect(row.agentIds).toEqual(['agent-1', 'agent-2']); + expect(row.agentAll).toBe(true); + expect(row.agentPlatforms).toEqual(['linux', 'darwin']); + expect(row.agentPolicyIds).toEqual(['policy-1']); + }); + + test('does not map replay parameters for pack queries', () => { + const hit = { + _source: { + action_id: 'action-pack', + '@timestamp': '2024-01-01T00:00:00.000Z', + pack_id: 'pack-1', + pack_name: 'my_pack', + queries: [ + { + query: 'SELECT 1', + id: 'q1', + agents: ['agent-1'], + saved_query_id: 'sq-1', + timeout: 300, + }, + { query: 'SELECT 2', id: 'q2', agents: ['agent-1'] }, + ], + }, + }; + + const row = mapLiveHitToRow(hit); + expect(row.savedQueryId).toBeUndefined(); + expect(row.timeout).toBeUndefined(); + expect(row.ecsMapping).toBeUndefined(); + }); }); From 1ec6abcd3b28fd1a03b80ed90be998d2e86038b0 Mon Sep 17 00:00:00 2001 
From: Tomasz Ciecierski Date: Mon, 13 Apr 2026 15:12:43 +0200 Subject: [PATCH 2/7] [Osquery] Enable openapi docs --- .../shared/osquery/common/api/packs/packs.schema.yaml | 4 +--- .../common/api/saved_query/saved_query.schema.yaml | 4 +--- .../api/scheduled_results/scheduled_results.schema.yaml | 8 ++------ .../api/unified_history/unified_history.schema.yaml | 4 +--- 4 files changed, 5 insertions(+), 15 deletions(-) diff --git a/x-pack/platform/plugins/shared/osquery/common/api/packs/packs.schema.yaml b/x-pack/platform/plugins/shared/osquery/common/api/packs/packs.schema.yaml index 33c641f148e2a..44a9ea66cebe1 100644 --- a/x-pack/platform/plugins/shared/osquery/common/api/packs/packs.schema.yaml +++ b/x-pack/platform/plugins/shared/osquery/common/api/packs/packs.schema.yaml @@ -135,9 +135,7 @@ paths: The copied pack is always created with `enabled` set to `false`. operationId: OsqueryCopyPacks x-codegen-enabled: true - # TODO: Remove the empty x-labels array and uncomment the following line when feature flag is enabled - x-labels: [ ] - # x-labels: [serverless, ess] + x-labels: [ serverless, ess ] parameters: - name: id in: path diff --git a/x-pack/platform/plugins/shared/osquery/common/api/saved_query/saved_query.schema.yaml b/x-pack/platform/plugins/shared/osquery/common/api/saved_query/saved_query.schema.yaml index 5020bde03a748..0e0cf567b7e1e 100644 --- a/x-pack/platform/plugins/shared/osquery/common/api/saved_query/saved_query.schema.yaml +++ b/x-pack/platform/plugins/shared/osquery/common/api/saved_query/saved_query.schema.yaml @@ -132,9 +132,7 @@ paths: If the name already exists, a numeric suffix is added (e.g., `_copy_2`). operationId: OsqueryCopySavedQuery x-codegen-enabled: true - # TODO: Remove the empty x-labels array and uncomment the following line when feature flag is enabled - x-labels: [ ] - # x-labels: [serverless, ess] + x-labels: [ serverless, ess ] parameters: - name: id in: path 
diff --git a/x-pack/platform/plugins/shared/osquery/common/api/scheduled_results/scheduled_results.schema.yaml b/x-pack/platform/plugins/shared/osquery/common/api/scheduled_results/scheduled_results.schema.yaml index 886e922679b59..9ab5ca0b23d64 100644 --- a/x-pack/platform/plugins/shared/osquery/common/api/scheduled_results/scheduled_results.schema.yaml +++ b/x-pack/platform/plugins/shared/osquery/common/api/scheduled_results/scheduled_results.schema.yaml @@ -12,9 +12,7 @@ paths: (pack name, query name/text, timestamp). operationId: OsqueryGetScheduledActionResults x-codegen-enabled: true - # TODO: Remove the empty x-labels array and uncomment the following line when feature flag is enabled - x-labels: [ ] - # x-labels: [serverless, ess] + x-labels: [ serverless, ess ] parameters: - name: scheduleId in: path @@ -71,9 +69,7 @@ paths: for a specific scheduled query execution. operationId: OsqueryGetScheduledQueryResults x-codegen-enabled: true - # TODO: Remove the empty x-labels array and uncomment the following line when feature flag is enabled - x-labels: [ ] - # x-labels: [serverless, ess] + x-labels: [ serverless, ess ] parameters: - name: scheduleId in: path diff --git a/x-pack/platform/plugins/shared/osquery/common/api/unified_history/unified_history.schema.yaml b/x-pack/platform/plugins/shared/osquery/common/api/unified_history/unified_history.schema.yaml index 2d732c2c08566..711124cfe3fa3 100644 --- a/x-pack/platform/plugins/shared/osquery/common/api/unified_history/unified_history.schema.yaml +++ b/x-pack/platform/plugins/shared/osquery/common/api/unified_history/unified_history.schema.yaml @@ -11,9 +11,7 @@ paths: osquery executions. The response uses cursor-based pagination. operationId: OsqueryGetUnifiedHistory x-codegen-enabled: true - # TODO: Remove the empty x-labels array and uncomment the following line when feature flag is enabled - x-labels: [ ] - # x-labels: [serverless, ess] + x-labels: [ serverless, ess ] parameters: - name: pageSize in: query 
From 765151aab42f601049f768c52e89fb3cca87e4ec Mon Sep 17 00:00:00 2001 From: kibanamachine <42973632+kibanamachine@users.noreply.github.com> Date: Mon, 13 Apr 2026 13:43:55 +0000 Subject: [PATCH 3/7] Changes from yarn openapi:bundle --- ...osquery_api_2023_10_31.bundled.schema.yaml | 589 ++++++++++++++++++ ...osquery_api_2023_10_31.bundled.schema.yaml | 589 ++++++++++++++++++ 2 files changed, 1178 insertions(+) diff --git a/x-pack/platform/plugins/shared/osquery/docs/openapi/ess/osquery_api_2023_10_31.bundled.schema.yaml b/x-pack/platform/plugins/shared/osquery/docs/openapi/ess/osquery_api_2023_10_31.bundled.schema.yaml index c1df2d2da55fb..937620b79be90 100644 --- a/x-pack/platform/plugins/shared/osquery/docs/openapi/ess/osquery_api_2023_10_31.bundled.schema.yaml +++ b/x-pack/platform/plugins/shared/osquery/docs/openapi/ess/osquery_api_2023_10_31.bundled.schema.yaml 
@@ -11,6 +11,78 @@ servers: port: default: '5601' paths: + /api/osquery/history: + get: + description: > + Get a unified, time-sorted history of live, rule-triggered, and + scheduled osquery executions. The response uses cursor-based pagination. + operationId: OsqueryGetUnifiedHistory + parameters: + - in: query + name: pageSize + required: false + schema: + default: 20 + description: The number of results to return per page. + maximum: 100 + minimum: 1 + type: integer + - in: query + name: nextPage + required: false + schema: + description: >- + A base64-encoded cursor for pagination. Use the value from the + previous response to fetch the next page. + type: string + - in: query + name: kuery + required: false + schema: + description: >- + A search string to filter history entries by pack name, query + text, or query ID. + type: string + - in: query + name: userIds + required: false + schema: + description: Comma-separated list of user IDs to filter live query history. + example: elastic,admin + type: string + - in: query + name: sourceFilters + required: false + schema: + description: >- + Comma-separated list of source types to include. Valid values are + `live`, `rule`, and `scheduled`. + example: live,scheduled + type: string + - in: query + name: startDate + required: false + schema: + description: The start of the time range filter (ISO 8601). + example: '2024-01-01T00:00:00Z' + type: string + - in: query + name: endDate + required: false + schema: + description: The end of the time range filter (ISO 8601). + example: '2024-12-31T23:59:59Z' + type: string + responses: + '200': + content: + application/json: + schema: + $ref: '#/components/schemas/GetUnifiedHistoryResponse' + description: OK + summary: Get unified query history + tags: + - Security Osquery API /api/osquery/live_queries: get: description: Get a list of all live queries. 
@@ -269,6 +341,30 @@ paths: summary: Update a pack tags: - Security Osquery API + /api/osquery/packs/{id}/copy: + post: + description: >- + Create a copy of a query pack with a unique name by appending a `_copy` + suffix. If the name already exists, a numeric suffix is added (e.g., + `_copy_2`). The copied pack is always created with `enabled` set to + `false`. + operationId: OsqueryCopyPacks + parameters: + - in: path + name: id + required: true + schema: + $ref: '#/components/schemas/PackId' + responses: + '200': + content: + application/json: + schema: + $ref: '#/components/schemas/CopyPacksResponse' + description: OK + summary: Copy a pack + tags: + - Security Osquery API /api/osquery/saved_queries: get: description: Get a list of all saved queries. 
@@ -390,6 +486,149 @@ paths: summary: Update a saved query tags: - Security Osquery API + /api/osquery/saved_queries/{id}/copy: + post: + description: >- + Create a copy of a saved query with a unique name by appending a `_copy` + suffix. If the name already exists, a numeric suffix is added (e.g., + `_copy_2`). + operationId: OsqueryCopySavedQuery + parameters: + - in: path + name: id + required: true + schema: + $ref: '#/components/schemas/SavedQueryId' + responses: + '200': + content: + application/json: + schema: + $ref: '#/components/schemas/CopySavedQueryResponse' + description: OK + summary: Copy a saved query + tags: + - Security Osquery API + /api/osquery/scheduled_results/{scheduleId}/{executionCount}: + get: + description: > + Get paginated per-agent action results for a specific scheduled query + execution, with success/failure aggregation and execution metadata (pack + name, query name/text, timestamp). + operationId: OsqueryGetScheduledActionResults + parameters: + - in: path + name: scheduleId + required: true + schema: + description: The schedule ID of the scheduled query. + example: pack_my_pack_uptime + type: string + - in: path + name: executionCount + required: true + schema: + description: The execution count for this scheduled query run. 
+ example: 3 + type: integer + - in: query + name: kuery + required: false + schema: + $ref: '#/components/schemas/KueryOrUndefined' + - in: query + name: page + required: false + schema: + $ref: '#/components/schemas/PageOrUndefined' + - in: query + name: pageSize + required: false + schema: + $ref: '#/components/schemas/PageSizeOrUndefined' + - in: query + name: sort + required: false + schema: + $ref: '#/components/schemas/SortOrUndefined' + - in: query + name: sortOrder + required: false + schema: + $ref: '#/components/schemas/SortOrderOrUndefined' + responses: + '200': + content: + application/json: + schema: + $ref: '#/components/schemas/GetScheduledActionResultsResponse' + description: OK + summary: Get scheduled action results + tags: + - Security Osquery API + /api/osquery/scheduled_results/{scheduleId}/{executionCount}/results: + get: + description: > + Get paginated query result rows (the actual osquery output data) for a + specific scheduled query execution. + operationId: OsqueryGetScheduledQueryResults + parameters: + - in: path + name: scheduleId + required: true + schema: + description: The schedule ID of the scheduled query. + example: pack_my_pack_uptime + type: string + - in: path + name: executionCount + required: true + schema: + description: The execution count for this scheduled query run. 
+ example: 3 + type: integer + - in: query + name: kuery + required: false + schema: + $ref: '#/components/schemas/KueryOrUndefined' + - in: query + name: page + required: false + schema: + $ref: '#/components/schemas/PageOrUndefined' + - in: query + name: pageSize + required: false + schema: + $ref: '#/components/schemas/PageSizeOrUndefined' + - in: query + name: sort + required: false + schema: + $ref: '#/components/schemas/SortOrUndefined' + - in: query + name: sortOrder + required: false + schema: + $ref: '#/components/schemas/SortOrderOrUndefined' + - in: query + name: startDate + required: false + schema: + description: The start date filter (ISO 8601) to narrow down results. + example: '2024-01-01T00:00:00Z' + type: string + responses: + '200': + content: + application/json: + schema: + $ref: '#/components/schemas/GetScheduledQueryResultsResponse' + description: OK + summary: Get scheduled query results + tags: + - Security Osquery API components: schemas: ArrayQueries: 
@@ -414,6 +653,49 @@ components: $ref: '#/components/schemas/SnapshotOrUndefined' version: $ref: '#/components/schemas/VersionOrUndefined' + CopyPacksResponse: + example: + data: + created_at: '2025-02-26T13:37:30.452Z' + created_by: elastic + description: My pack + enabled: false + name: my_pack_copy + queries: + ports: + ecs_mapping: + client.port: + field: port + interval: 60 + query: SELECT * FROM listening_ports; + removed: false + snapshot: true + timeout: 120 + saved_object_id: 1c266590-381f-428c-878f-c80c1334f856 + shards: {} + updated_at: '2025-02-26T13:37:30.452Z' + updated_by: elastic + type: object + properties: {} + CopySavedQueryResponse: + example: + data: + created_at: '2025-02-26T13:37:30.452Z' + created_by: elastic + description: Saved query description + ecs_mapping: + host.uptime: + field: total_seconds + id: my_saved_query_copy + interval: '60' + platform: linux,darwin + query: select * from uptime; + saved_object_id: 42ba1280-2172-11ee-8523-5765fca79a3c + updated_at: '2025-02-26T13:37:30.452Z' + updated_by: elastic + version: 2.8.0 + type: object + properties: {} CreateLiveQueryRequestBody: example: agent_all: true 
@@ -819,6 +1101,129 @@ components: total: 2 type: object properties: {} + GetScheduledActionResultsResponse: + example: + aggregations: + failed: 1 + pending: 0 + successful: 9 + totalResponded: 10 + totalRowCount: 42 + currentPage: 0 + edges: + - {} + metadata: + executionCount: 3 + packId: 42ba9c50-0cc5-11ed-aa1d-2b27890bc90d + packName: My Pack + queryName: uptime + queryText: select * from uptime; + scheduleId: pack_my_pack_uptime + timestamp: '2024-07-26T09:00:00.000Z' + pageSize: 20 + total: 10 + totalPages: 1 + type: object + properties: + aggregations: + $ref: '#/components/schemas/ScheduledActionResultsAggregations' + currentPage: + description: The current page number (zero-based). + type: integer + edges: + description: The paginated list of per-agent action results. + items: + type: object + type: array + inspect: + description: Debug/inspection data for the search query. + type: object + metadata: + $ref: '#/components/schemas/ScheduledExecutionMetadata' + pageSize: + description: The number of results per page. + type: integer + total: + description: The total number of action results. + type: integer + totalPages: + description: The total number of pages. + type: integer + GetScheduledQueryResultsResponse: + description: The response for getting scheduled query results. + example: + data: + edges: + - {} + - {} + total: 2 + type: object + properties: + data: + description: The query results data wrapper. + type: object + properties: + edges: + description: The paginated list of query result rows. + items: + type: object + type: array + inspect: + description: Debug/inspection data for the search query. + type: object + total: + description: The total number of result rows. 
+ type: integer + GetUnifiedHistoryResponse: + example: + data: + - actionId: 609c4c66-ba3d-43fa-afdd-53e244577aa0 + agentCount: 5 + errorCount: 0 + id: 3c42c847-eb30-4452-80e0-728584042334 + queryName: uptime_query + queryText: select * from uptime; + source: Live + sourceType: live + successCount: 5 + timestamp: '2024-07-26T09:59:32.220Z' + totalRows: 42 + userId: elastic + - agentCount: 10 + errorCount: 1 + executionCount: 3 + id: pack_my_pack_uptime_3 + packId: 42ba9c50-0cc5-11ed-aa1d-2b27890bc90d + packName: My Pack + plannedTime: '2024-07-26T09:00:00.000Z' + queryName: uptime + queryText: select * from uptime; + scheduleId: pack_my_pack_uptime + source: Scheduled + sourceType: scheduled + successCount: 9 + timestamp: '2024-07-26T09:00:00.000Z' + totalRows: 100 + hasMore: true + nextPage: eyJhY3Rpb25TZWFyY2hBZnRlciI6WzE3... + type: object + properties: + data: + description: The list of unified history rows for the current page. + items: + $ref: '#/components/schemas/UnifiedHistoryRow' + type: array + hasMore: + description: Whether there are more results beyond the current page. + type: boolean + nextPage: + description: >- + A base64-encoded cursor to fetch the next page. Absent when there + are no more results. + type: string + required: + - data + - hasMore Interval: description: An interval, in seconds, on which to run the query. example: '60' 
@@ -831,6 +1236,72 @@ components: example: 'agent.id: 16d7caf5-efd2-4212-9b62-73dafc91fa13' nullable: true type: string + LiveHistoryRow: + allOf: + - $ref: '#/components/schemas/UnifiedHistoryRowBase' + - type: object + properties: + actionId: + description: The Fleet action ID for the live query. + type: string + agentAll: + description: Whether the query targeted all agents. + type: boolean + agentIds: + description: List of targeted agent IDs. + items: + type: string + type: array + agentPlatforms: + description: List of targeted agent platforms. + items: + type: string + type: array + agentPolicyIds: + description: List of targeted agent policy IDs. + items: + type: string + type: array + ecsMapping: + additionalProperties: true + description: ECS mapping configuration used for the query. + type: object + queriesTotal: + description: The total number of sub-queries in the live action. + type: integer + queriesWithResults: + description: The number of sub-queries that returned results. + type: integer + savedQueryId: + description: >- + The saved query ID, if the live query was based on a saved + query. + type: string + source: + description: >- + Whether this was a manually run live query or triggered by a + rule. + enum: + - Live + - Rule + type: string + sourceType: + description: Identifies this as a live query history row. + enum: + - live + type: string + timeout: + description: The query timeout in seconds. + type: integer + userId: + description: The ID of the user who ran the query. + type: string + userProfileUid: + description: The user profile UID of the user who ran the query. + type: string + required: + - sourceType + - source ObjectQueries: additionalProperties: $ref: '#/components/schemas/ObjectQueriesItem' 
@@ -935,6 +1406,76 @@ components: SavedQueryIdOrUndefined: $ref: '#/components/schemas/SavedQueryId' nullable: true + ScheduledActionResultsAggregations: + type: object + properties: + failed: + description: The number of agents that returned errors. + type: integer + pending: + description: The number of agents with pending responses. + type: integer + successful: + description: The number of agents that completed successfully. + type: integer + totalResponded: + description: The total number of agents that responded. + type: integer + totalRowCount: + description: The total number of result rows across all agents. + type: integer + ScheduledExecutionMetadata: + description: Execution metadata resolved from the pack saved object. + type: object + properties: + executionCount: + description: The execution count for this scheduled query run. + type: integer + packId: + description: The ID of the pack containing the query. + type: string + packName: + description: The name of the pack containing the query. + type: string + queryName: + description: The name of the query within the pack. + type: string + queryText: + description: The SQL query that was executed. + type: string + scheduleId: + description: The schedule ID for the scheduled query. + type: string + timestamp: + description: The timestamp of the most recent response for this execution. + type: string + ScheduledHistoryRow: + allOf: + - $ref: '#/components/schemas/UnifiedHistoryRowBase' + - type: object + properties: + executionCount: + description: The execution count for this scheduled query run. + type: integer + plannedTime: + description: The planned execution time for the scheduled query. + type: string + scheduleId: + description: The schedule ID for the scheduled query. + type: string + source: + description: Indicates this is a scheduled query execution. + enum: + - Scheduled + type: string + sourceType: + description: Identifies this as a scheduled query history row. 
+ enum: + - scheduled + type: string + required: + - sourceType + - source Shards: additionalProperties: type: number @@ -965,6 +1506,54 @@ components: example: createdAt nullable: true type: string + UnifiedHistoryRow: + oneOf: + - $ref: '#/components/schemas/LiveHistoryRow' + - $ref: '#/components/schemas/ScheduledHistoryRow' + UnifiedHistoryRowBase: + type: object + properties: + agentCount: + description: The number of agents targeted by the query. + type: integer + errorCount: + description: The number of agent responses with errors. + nullable: true + type: integer + id: + description: Unique identifier for the history row. + type: string + packId: + description: The ID of the pack containing the query. + type: string + packName: + description: The name of the pack containing the query. + type: string + queryName: + description: The name of the query, if available. + type: string + queryText: + description: The SQL query that was executed. + type: string + spaceId: + description: The Kibana space ID where the query was executed. + type: string + successCount: + description: The number of successful agent responses. + nullable: true + type: integer + timestamp: + description: The timestamp of the query execution. + type: string + totalRows: + description: The total number of result rows returned across all agents. + nullable: true + type: integer + required: + - id + - timestamp + - queryText + - agentCount UpdatePacksRequestBody: example: name: updated_my_pack_name diff --git a/x-pack/platform/plugins/shared/osquery/docs/openapi/serverless/osquery_api_2023_10_31.bundled.schema.yaml b/x-pack/platform/plugins/shared/osquery/docs/openapi/serverless/osquery_api_2023_10_31.bundled.schema.yaml index f418cc98c297a..2074878fc1282 100644 --- a/x-pack/platform/plugins/shared/osquery/docs/openapi/serverless/osquery_api_2023_10_31.bundled.schema.yaml +++ b/x-pack/platform/plugins/shared/osquery/docs/openapi/serverless/osquery_api_2023_10_31.bundled.schema.yaml 
@@ -11,6 +11,78 @@ servers: port: default: '5601' paths: + /api/osquery/history: + get: + description: > + Get a unified, time-sorted history of live, rule-triggered, and + scheduled osquery executions. The response uses cursor-based pagination. + operationId: OsqueryGetUnifiedHistory + parameters: + - in: query + name: pageSize + required: false + schema: + default: 20 + description: The number of results to return per page. + maximum: 100 + minimum: 1 + type: integer + - in: query + name: nextPage + required: false + schema: + description: >- + A base64-encoded cursor for pagination. Use the value from the + previous response to fetch the next page. + type: string + - in: query + name: kuery + required: false + schema: + description: >- + A search string to filter history entries by pack name, query + text, or query ID. + type: string + - in: query + name: userIds + required: false + schema: + description: Comma-separated list of user IDs to filter live query history. + example: elastic,admin + type: string + - in: query + name: sourceFilters + required: false + schema: + description: >- + Comma-separated list of source types to include. Valid values are + `live`, `rule`, and `scheduled`. + example: live,scheduled + type: string + - in: query + name: startDate + required: false + schema: + description: The start of the time range filter (ISO 8601). + example: '2024-01-01T00:00:00Z' + type: string + - in: query + name: endDate + required: false + schema: + description: The end of the time range filter (ISO 8601). + example: '2024-12-31T23:59:59Z' + type: string + responses: + '200': + content: + application/json: + schema: + $ref: '#/components/schemas/GetUnifiedHistoryResponse' + description: OK + summary: Get unified query history + tags: + - Security Osquery API /api/osquery/live_queries: get: description: Get a list of all live queries. 
@@ -269,6 +341,30 @@ paths: summary: Update a pack tags: - Security Osquery API + /api/osquery/packs/{id}/copy: + post: + description: >- + Create a copy of a query pack with a unique name by appending a `_copy` + suffix. If the name already exists, a numeric suffix is added (e.g., + `_copy_2`). The copied pack is always created with `enabled` set to + `false`. + operationId: OsqueryCopyPacks + parameters: + - in: path + name: id + required: true + schema: + $ref: '#/components/schemas/PackId' + responses: + '200': + content: + application/json: + schema: + $ref: '#/components/schemas/CopyPacksResponse' + description: OK + summary: Copy a pack + tags: + - Security Osquery API /api/osquery/saved_queries: get: description: Get a list of all saved queries. 
@@ -390,6 +486,149 @@ paths: summary: Update a saved query tags: - Security Osquery API + /api/osquery/saved_queries/{id}/copy: + post: + description: >- + Create a copy of a saved query with a unique name by appending a `_copy` + suffix. If the name already exists, a numeric suffix is added (e.g., + `_copy_2`). + operationId: OsqueryCopySavedQuery + parameters: + - in: path + name: id + required: true + schema: + $ref: '#/components/schemas/SavedQueryId' + responses: + '200': + content: + application/json: + schema: + $ref: '#/components/schemas/CopySavedQueryResponse' + description: OK + summary: Copy a saved query + tags: + - Security Osquery API + /api/osquery/scheduled_results/{scheduleId}/{executionCount}: + get: + description: > + Get paginated per-agent action results for a specific scheduled query + execution, with success/failure aggregation and execution metadata (pack + name, query name/text, timestamp). + operationId: OsqueryGetScheduledActionResults + parameters: + - in: path + name: scheduleId + required: true + schema: + description: The schedule ID of the scheduled query. + example: pack_my_pack_uptime + type: string + - in: path + name: executionCount + required: true + schema: + description: The execution count for this scheduled query run. 
+ example: 3 + type: integer + - in: query + name: kuery + required: false + schema: + $ref: '#/components/schemas/KueryOrUndefined' + - in: query + name: page + required: false + schema: + $ref: '#/components/schemas/PageOrUndefined' + - in: query + name: pageSize + required: false + schema: + $ref: '#/components/schemas/PageSizeOrUndefined' + - in: query + name: sort + required: false + schema: + $ref: '#/components/schemas/SortOrUndefined' + - in: query + name: sortOrder + required: false + schema: + $ref: '#/components/schemas/SortOrderOrUndefined' + responses: + '200': + content: + application/json: + schema: + $ref: '#/components/schemas/GetScheduledActionResultsResponse' + description: OK + summary: Get scheduled action results + tags: + - Security Osquery API + /api/osquery/scheduled_results/{scheduleId}/{executionCount}/results: + get: + description: > + Get paginated query result rows (the actual osquery output data) for a + specific scheduled query execution. + operationId: OsqueryGetScheduledQueryResults + parameters: + - in: path + name: scheduleId + required: true + schema: + description: The schedule ID of the scheduled query. + example: pack_my_pack_uptime + type: string + - in: path + name: executionCount + required: true + schema: + description: The execution count for this scheduled query run. 
+ example: 3 + type: integer + - in: query + name: kuery + required: false + schema: + $ref: '#/components/schemas/KueryOrUndefined' + - in: query + name: page + required: false + schema: + $ref: '#/components/schemas/PageOrUndefined' + - in: query + name: pageSize + required: false + schema: + $ref: '#/components/schemas/PageSizeOrUndefined' + - in: query + name: sort + required: false + schema: + $ref: '#/components/schemas/SortOrUndefined' + - in: query + name: sortOrder + required: false + schema: + $ref: '#/components/schemas/SortOrderOrUndefined' + - in: query + name: startDate + required: false + schema: + description: The start date filter (ISO 8601) to narrow down results. + example: '2024-01-01T00:00:00Z' + type: string + responses: + '200': + content: + application/json: + schema: + $ref: '#/components/schemas/GetScheduledQueryResultsResponse' + description: OK + summary: Get scheduled query results + tags: + - Security Osquery API components: schemas: ArrayQueries: 
@@ -414,6 +653,49 @@ components: $ref: '#/components/schemas/SnapshotOrUndefined' version: $ref: '#/components/schemas/VersionOrUndefined' + CopyPacksResponse: + example: + data: + created_at: '2025-02-26T13:37:30.452Z' + created_by: elastic + description: My pack + enabled: false + name: my_pack_copy + queries: + ports: + ecs_mapping: + client.port: + field: port + interval: 60 + query: SELECT * FROM listening_ports; + removed: false + snapshot: true + timeout: 120 + saved_object_id: 1c266590-381f-428c-878f-c80c1334f856 + shards: {} + updated_at: '2025-02-26T13:37:30.452Z' + updated_by: elastic + type: object + properties: {} + CopySavedQueryResponse: + example: + data: + created_at: '2025-02-26T13:37:30.452Z' + created_by: elastic + description: Saved query description + ecs_mapping: + host.uptime: + field: total_seconds + id: my_saved_query_copy + interval: '60' + platform: linux,darwin + query: select * from uptime; + saved_object_id: 42ba1280-2172-11ee-8523-5765fca79a3c + updated_at: '2025-02-26T13:37:30.452Z' + updated_by: elastic + version: 2.8.0 + type: object + properties: {} CreateLiveQueryRequestBody: example: agent_all: true 
@@ -819,6 +1101,129 @@ components: total: 2 type: object properties: {} + GetScheduledActionResultsResponse: + example: + aggregations: + failed: 1 + pending: 0 + successful: 9 + totalResponded: 10 + totalRowCount: 42 + currentPage: 0 + edges: + - {} + metadata: + executionCount: 3 + packId: 42ba9c50-0cc5-11ed-aa1d-2b27890bc90d + packName: My Pack + queryName: uptime + queryText: select * from uptime; + scheduleId: pack_my_pack_uptime + timestamp: '2024-07-26T09:00:00.000Z' + pageSize: 20 + total: 10 + totalPages: 1 + type: object + properties: + aggregations: + $ref: '#/components/schemas/ScheduledActionResultsAggregations' + currentPage: + description: The current page number (zero-based). + type: integer + edges: + description: The paginated list of per-agent action results. + items: + type: object + type: array + inspect: + description: Debug/inspection data for the search query. + type: object + metadata: + $ref: '#/components/schemas/ScheduledExecutionMetadata' + pageSize: + description: The number of results per page. + type: integer + total: + description: The total number of action results. + type: integer + totalPages: + description: The total number of pages. + type: integer + GetScheduledQueryResultsResponse: + description: The response for getting scheduled query results. + example: + data: + edges: + - {} + - {} + total: 2 + type: object + properties: + data: + description: The query results data wrapper. + type: object + properties: + edges: + description: The paginated list of query result rows. + items: + type: object + type: array + inspect: + description: Debug/inspection data for the search query. + type: object + total: + description: The total number of result rows. 
+ type: integer + GetUnifiedHistoryResponse: + example: + data: + - actionId: 609c4c66-ba3d-43fa-afdd-53e244577aa0 + agentCount: 5 + errorCount: 0 + id: 3c42c847-eb30-4452-80e0-728584042334 + queryName: uptime_query + queryText: select * from uptime; + source: Live + sourceType: live + successCount: 5 + timestamp: '2024-07-26T09:59:32.220Z' + totalRows: 42 + userId: elastic + - agentCount: 10 + errorCount: 1 + executionCount: 3 + id: pack_my_pack_uptime_3 + packId: 42ba9c50-0cc5-11ed-aa1d-2b27890bc90d + packName: My Pack + plannedTime: '2024-07-26T09:00:00.000Z' + queryName: uptime + queryText: select * from uptime; + scheduleId: pack_my_pack_uptime + source: Scheduled + sourceType: scheduled + successCount: 9 + timestamp: '2024-07-26T09:00:00.000Z' + totalRows: 100 + hasMore: true + nextPage: eyJhY3Rpb25TZWFyY2hBZnRlciI6WzE3... + type: object + properties: + data: + description: The list of unified history rows for the current page. + items: + $ref: '#/components/schemas/UnifiedHistoryRow' + type: array + hasMore: + description: Whether there are more results beyond the current page. + type: boolean + nextPage: + description: >- + A base64-encoded cursor to fetch the next page. Absent when there + are no more results. + type: string + required: + - data + - hasMore Interval: description: An interval, in seconds, on which to run the query. example: '60' 
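Review bot: `GetUnifiedHistoryResponse.nextPage` is described as "A base64-encoded cursor", which tells clients how the value is encoded rather than that it is opaque; a reader may decode it and hand-build cursors, and the spec says nothing about how a malformed or tampered cursor is treated. Suggest `description: An opaque pagination cursor. Pass it back unchanged as the nextPage query parameter; absent when there are no more results.`, and, if the handler rejects invalid cursors with a 400 (not visible here), a matching response entry on the history operation. Separately, `edges` in both scheduled-results schemas is `items: type: object` with no shape, and `inspect` is a bare `type: object` described only as debug data, so consumers cannot tell when it is populated or what it carries; a sentence on each would close that gap.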
@@ -831,6 +1236,72 @@ components: example: 'agent.id: 16d7caf5-efd2-4212-9b62-73dafc91fa13' nullable: true type: string + LiveHistoryRow: + allOf: + - $ref: '#/components/schemas/UnifiedHistoryRowBase' + - type: object + properties: + actionId: + description: The Fleet action ID for the live query. + type: string + agentAll: + description: Whether the query targeted all agents. + type: boolean + agentIds: + description: List of targeted agent IDs. + items: + type: string + type: array + agentPlatforms: + description: List of targeted agent platforms. + items: + type: string + type: array + agentPolicyIds: + description: List of targeted agent policy IDs. + items: + type: string + type: array + ecsMapping: + additionalProperties: true + description: ECS mapping configuration used for the query. + type: object + queriesTotal: + description: The total number of sub-queries in the live action. + type: integer + queriesWithResults: + description: The number of sub-queries that returned results. + type: integer + savedQueryId: + description: >- + The saved query ID, if the live query was based on a saved + query. + type: string + source: + description: >- + Whether this was a manually run live query or triggered by a + rule. + enum: + - Live + - Rule + type: string + sourceType: + description: Identifies this as a live query history row. + enum: + - live + type: string + timeout: + description: The query timeout in seconds. + type: integer + userId: + description: The ID of the user who ran the query. + type: string + userProfileUid: + description: The user profile UID of the user who ran the query. + type: string + required: + - sourceType + - source ObjectQueries: additionalProperties: $ref: '#/components/schemas/ObjectQueriesItem' 
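Review bot: `sourceType` on `LiveHistoryRow` is a single-valued enum `live`, while the `source` field is what distinguishes `Live` from `Rule`; the history operation's `sourceFilters` parameter in the generated output of this patch accepts `live`, `rule` and `scheduled`, so a client filtering by `rule` gets rows whose `sourceType` is `live` and must inspect `source` to tell them apart. That is workable but not stated anywhere. Suggest `description: Identifies this as a live query history row; covers both manually run and rule-triggered queries, which are distinguished by source.` on `sourceType`.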
@@ -935,6 +1406,76 @@ components: SavedQueryIdOrUndefined: $ref: '#/components/schemas/SavedQueryId' nullable: true + ScheduledActionResultsAggregations: + type: object + properties: + failed: + description: The number of agents that returned errors. + type: integer + pending: + description: The number of agents with pending responses. + type: integer + successful: + description: The number of agents that completed successfully. + type: integer + totalResponded: + description: The total number of agents that responded. + type: integer + totalRowCount: + description: The total number of result rows across all agents. + type: integer + ScheduledExecutionMetadata: + description: Execution metadata resolved from the pack saved object. + type: object + properties: + executionCount: + description: The execution count for this scheduled query run. + type: integer + packId: + description: The ID of the pack containing the query. + type: string + packName: + description: The name of the pack containing the query. + type: string + queryName: + description: The name of the query within the pack. + type: string + queryText: + description: The SQL query that was executed. + type: string + scheduleId: + description: The schedule ID for the scheduled query. + type: string + timestamp: + description: The timestamp of the most recent response for this execution. + type: string + ScheduledHistoryRow: + allOf: + - $ref: '#/components/schemas/UnifiedHistoryRowBase' + - type: object + properties: + executionCount: + description: The execution count for this scheduled query run. + type: integer + plannedTime: + description: The planned execution time for the scheduled query. + type: string + scheduleId: + description: The schedule ID for the scheduled query. + type: string + source: + description: Indicates this is a scheduled query execution. + enum: + - Scheduled + type: string + sourceType: + description: Identifies this as a scheduled query history row. 
+ enum: + - scheduled + type: string + required: + - sourceType + - source Shards: additionalProperties: type: number @@ -965,6 +1506,54 @@ components: example: createdAt nullable: true type: string + UnifiedHistoryRow: + oneOf: + - $ref: '#/components/schemas/LiveHistoryRow' + - $ref: '#/components/schemas/ScheduledHistoryRow' + UnifiedHistoryRowBase: + type: object + properties: + agentCount: + description: The number of agents targeted by the query. + type: integer + errorCount: + description: The number of agent responses with errors. + nullable: true + type: integer + id: + description: Unique identifier for the history row. + type: string + packId: + description: The ID of the pack containing the query. + type: string + packName: + description: The name of the pack containing the query. + type: string + queryName: + description: The name of the query, if available. + type: string + queryText: + description: The SQL query that was executed. + type: string + spaceId: + description: The Kibana space ID where the query was executed. + type: string + successCount: + description: The number of successful agent responses. + nullable: true + type: integer + timestamp: + description: The timestamp of the query execution. + type: string + totalRows: + description: The total number of result rows returned across all agents. + nullable: true + type: integer + required: + - id + - timestamp + - queryText + - agentCount UpdatePacksRequestBody: example: name: updated_my_pack_name From 8e16c92c9e256b6a488b648c657e7e38762d0a1e Mon Sep 17 00:00:00 2001 From: kibanamachine <42973632+kibanamachine@users.noreply.github.com> Date: Mon, 13 Apr 2026 14:13:51 +0000 Subject: [PATCH 4/7] Changes from make api-docs --- oas_docs/output/kibana.serverless.yaml | 613 +++++++++++++++++++++++++ oas_docs/output/kibana.yaml | 613 +++++++++++++++++++++++++ 2 files changed, 1226 insertions(+) 
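Review bot: The timestamp fields added in this hunk, `ScheduledExecutionMetadata.timestamp` and `ScheduledHistoryRow.plannedTime`, are plain `type: string` with no `format: date-time`, although their descriptions and the examples elsewhere in the patch use ISO 8601 values; the same applies to `UnifiedHistoryRowBase.timestamp` in the next hunk. Adding `format: date-time` lets generated clients parse them as dates and lets validators reject non-ISO values. The two descriptions also differ on what the instant means — the metadata one is "the most recent response for this execution", the base row's is "the timestamp of the query execution" — and the unified history example shows `timestamp` equal to `plannedTime` for the scheduled row, so spell out which instant each field carries.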
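Review bot: `UnifiedHistoryRow` is a `oneOf` over `LiveHistoryRow` and `ScheduledHistoryRow` without a `discriminator`, even though both variants carry a required single-valued `sourceType` enum (`live` / `scheduled`) that exists for exactly that purpose. Adding `discriminator: { propertyName: sourceType, mapping: { live: '#/components/schemas/LiveHistoryRow', scheduled: '#/components/schemas/ScheduledHistoryRow' } }` makes variant selection explicit for code generators and validators instead of relying on the enum mismatch to disambiguate. `UnifiedHistoryRowBase` requires `queryText` for every row; worth confirming that holds for rule-triggered rows too, since `LiveHistoryRow` allows `source: Rule` but the example only shows `Live`.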
diff --git a/oas_docs/output/kibana.serverless.yaml b/oas_docs/output/kibana.serverless.yaml index f219e2806bcf6..5a8590962158b 100644 --- a/oas_docs/output/kibana.serverless.yaml +++ b/oas_docs/output/kibana.serverless.yaml @@ -56386,6 +56386,80 @@ paths: x-metaTags: - content: Kibana, Elastic Cloud Serverless name: product_name + /api/osquery/history: + get: + description: | + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/osquery/history
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a unified, time-sorted history of live, rule-triggered, and scheduled osquery executions. The response uses cursor-based pagination. + operationId: OsqueryGetUnifiedHistory + parameters: + - in: query + name: pageSize + required: false + schema: + default: 20 + description: The number of results to return per page. + maximum: 100 + minimum: 1 + type: integer + - in: query + name: nextPage + required: false + schema: + description: A base64-encoded cursor for pagination. Use the value from the previous response to fetch the next page. + type: string + - in: query + name: kuery + required: false + schema: + description: A search string to filter history entries by pack name, query text, or query ID. + type: string + - in: query + name: userIds + required: false + schema: + description: Comma-separated list of user IDs to filter live query history. + example: elastic,admin + type: string + - in: query + name: sourceFilters + required: false + schema: + description: Comma-separated list of source types to include. Valid values are `live`, `rule`, and `scheduled`. + example: live,scheduled + type: string + - in: query + name: startDate + required: false + schema: + description: The start of the time range filter (ISO 8601). + example: '2024-01-01T00:00:00Z' + type: string + - in: query + name: endDate + required: false + schema: + description: The end of the time range filter (ISO 8601). + example: '2024-12-31T23:59:59Z' + type: string + responses: + '200': + content: + application/json: + schema: + $ref: '#/components/schemas/Security_Osquery_API_GetUnifiedHistoryResponse' + description: OK + summary: Get unified query history + tags: + - Security Osquery API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name /api/osquery/live_queries: get: description: |- 
@@ -56733,6 +56807,36 @@ paths: x-metaTags: - content: Kibana, Elastic Cloud Serverless name: product_name + /api/osquery/packs/{id}/copy: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/osquery/packs/{id}/copy
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create a copy of a query pack with a unique name by appending a `_copy` suffix. If the name already exists, a numeric suffix is added (e.g., `_copy_2`). The copied pack is always created with `enabled` set to `false`. + operationId: OsqueryCopyPacks + parameters: + - in: path + name: id + required: true + schema: + $ref: '#/components/schemas/Security_Osquery_API_PackId' + responses: + '200': + content: + application/json: + schema: + $ref: '#/components/schemas/Security_Osquery_API_CopyPacksResponse' + description: OK + summary: Copy a pack + tags: + - Security Osquery API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name /api/osquery/saved_queries: get: description: |- @@ -56903,6 +57007,171 @@ paths: x-metaTags: - content: Kibana, Elastic Cloud Serverless name: product_name + /api/osquery/saved_queries/{id}/copy: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/osquery/saved_queries/{id}/copy
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create a copy of a saved query with a unique name by appending a `_copy` suffix. If the name already exists, a numeric suffix is added (e.g., `_copy_2`). + operationId: OsqueryCopySavedQuery + parameters: + - in: path + name: id + required: true + schema: + $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' + responses: + '200': + content: + application/json: + schema: + $ref: '#/components/schemas/Security_Osquery_API_CopySavedQueryResponse' + description: OK + summary: Copy a saved query + tags: + - Security Osquery API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/osquery/scheduled_results/{scheduleId}/{executionCount}: + get: + description: | + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/osquery/scheduled_results/{scheduleId}/{executionCount}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get paginated per-agent action results for a specific scheduled query execution, with success/failure aggregation and execution metadata (pack name, query name/text, timestamp). + operationId: OsqueryGetScheduledActionResults + parameters: + - in: path + name: scheduleId + required: true + schema: + description: The schedule ID of the scheduled query. + example: pack_my_pack_uptime + type: string + - in: path + name: executionCount + required: true + schema: + description: The execution count for this scheduled query run. + example: 3 + type: integer + - in: query + name: kuery + required: false + schema: + $ref: '#/components/schemas/Security_Osquery_API_KueryOrUndefined' + - in: query + name: page + required: false + schema: + $ref: '#/components/schemas/Security_Osquery_API_PageOrUndefined' + - in: query + name: pageSize + required: false + schema: + $ref: '#/components/schemas/Security_Osquery_API_PageSizeOrUndefined' + - in: query + name: sort + required: false + schema: + $ref: '#/components/schemas/Security_Osquery_API_SortOrUndefined' + - in: query + name: sortOrder + required: false + schema: + $ref: '#/components/schemas/Security_Osquery_API_SortOrderOrUndefined' + responses: + '200': + content: + application/json: + schema: + $ref: '#/components/schemas/Security_Osquery_API_GetScheduledActionResultsResponse' + description: OK + summary: Get scheduled action results + tags: + - Security Osquery API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name + /api/osquery/scheduled_results/{scheduleId}/{executionCount}/results: + get: + description: | + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/osquery/scheduled_results/{scheduleId}/{executionCount}/results
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get paginated query result rows (the actual osquery output data) for a specific scheduled query execution. + operationId: OsqueryGetScheduledQueryResults + parameters: + - in: path + name: scheduleId + required: true + schema: + description: The schedule ID of the scheduled query. + example: pack_my_pack_uptime + type: string + - in: path + name: executionCount + required: true + schema: + description: The execution count for this scheduled query run. + example: 3 + type: integer + - in: query + name: kuery + required: false + schema: + $ref: '#/components/schemas/Security_Osquery_API_KueryOrUndefined' + - in: query + name: page + required: false + schema: + $ref: '#/components/schemas/Security_Osquery_API_PageOrUndefined' + - in: query + name: pageSize + required: false + schema: + $ref: '#/components/schemas/Security_Osquery_API_PageSizeOrUndefined' + - in: query + name: sort + required: false + schema: + $ref: '#/components/schemas/Security_Osquery_API_SortOrUndefined' + - in: query + name: sortOrder + required: false + schema: + $ref: '#/components/schemas/Security_Osquery_API_SortOrderOrUndefined' + - in: query + name: startDate + required: false + schema: + description: The start date filter (ISO 8601) to narrow down results. + example: '2024-01-01T00:00:00Z' + type: string + responses: + '200': + content: + application/json: + schema: + $ref: '#/components/schemas/Security_Osquery_API_GetScheduledQueryResultsResponse' + description: OK + summary: Get scheduled query results + tags: + - Security Osquery API + x-metaTags: + - content: Kibana, Elastic Cloud Serverless + name: product_name /api/pinned_event: patch: description: |- 
@@ -99134,6 +99403,49 @@ components: $ref: '#/components/schemas/Security_Osquery_API_Snapshot' version: $ref: '#/components/schemas/Security_Osquery_API_Version' + Security_Osquery_API_CopyPacksResponse: + example: + data: + created_at: '2025-02-26T13:37:30.452Z' + created_by: elastic + description: My pack + enabled: false + name: my_pack_copy + queries: + ports: + ecs_mapping: + client.port: + field: port + interval: 60 + query: SELECT * FROM listening_ports; + removed: false + snapshot: true + timeout: 120 + saved_object_id: 1c266590-381f-428c-878f-c80c1334f856 + shards: {} + updated_at: '2025-02-26T13:37:30.452Z' + updated_by: elastic + type: object + properties: {} + Security_Osquery_API_CopySavedQueryResponse: + example: + data: + created_at: '2025-02-26T13:37:30.452Z' + created_by: elastic + description: Saved query description + ecs_mapping: + host.uptime: + field: total_seconds + id: my_saved_query_copy + interval: '60' + platform: linux,darwin + query: select * from uptime; + saved_object_id: 42ba1280-2172-11ee-8523-5765fca79a3c + updated_at: '2025-02-26T13:37:30.452Z' + updated_by: elastic + version: 2.8.0 + type: object + properties: {} Security_Osquery_API_CreateLiveQueryRequestBody: example: agent_all: true 
@@ -99537,6 +99849,127 @@ components: total: 2 type: object properties: {} + Security_Osquery_API_GetScheduledActionResultsResponse: + example: + aggregations: + failed: 1 + pending: 0 + successful: 9 + totalResponded: 10 + totalRowCount: 42 + currentPage: 0 + edges: + - {} + metadata: + executionCount: 3 + packId: 42ba9c50-0cc5-11ed-aa1d-2b27890bc90d + packName: My Pack + queryName: uptime + queryText: select * from uptime; + scheduleId: pack_my_pack_uptime + timestamp: '2024-07-26T09:00:00.000Z' + pageSize: 20 + total: 10 + totalPages: 1 + type: object + properties: + aggregations: + $ref: '#/components/schemas/Security_Osquery_API_ScheduledActionResultsAggregations' + currentPage: + description: The current page number (zero-based). + type: integer + edges: + description: The paginated list of per-agent action results. + items: + type: object + type: array + inspect: + description: Debug/inspection data for the search query. + type: object + metadata: + $ref: '#/components/schemas/Security_Osquery_API_ScheduledExecutionMetadata' + pageSize: + description: The number of results per page. + type: integer + total: + description: The total number of action results. + type: integer + totalPages: + description: The total number of pages. + type: integer + Security_Osquery_API_GetScheduledQueryResultsResponse: + description: The response for getting scheduled query results. + example: + data: + edges: + - {} + - {} + total: 2 + type: object + properties: + data: + description: The query results data wrapper. + type: object + properties: + edges: + description: The paginated list of query result rows. + items: + type: object + type: array + inspect: + description: Debug/inspection data for the search query. + type: object + total: + description: The total number of result rows. 
+ type: integer + Security_Osquery_API_GetUnifiedHistoryResponse: + example: + data: + - actionId: 609c4c66-ba3d-43fa-afdd-53e244577aa0 + agentCount: 5 + errorCount: 0 + id: 3c42c847-eb30-4452-80e0-728584042334 + queryName: uptime_query + queryText: select * from uptime; + source: Live + sourceType: live + successCount: 5 + timestamp: '2024-07-26T09:59:32.220Z' + totalRows: 42 + userId: elastic + - agentCount: 10 + errorCount: 1 + executionCount: 3 + id: pack_my_pack_uptime_3 + packId: 42ba9c50-0cc5-11ed-aa1d-2b27890bc90d + packName: My Pack + plannedTime: '2024-07-26T09:00:00.000Z' + queryName: uptime + queryText: select * from uptime; + scheduleId: pack_my_pack_uptime + source: Scheduled + sourceType: scheduled + successCount: 9 + timestamp: '2024-07-26T09:00:00.000Z' + totalRows: 100 + hasMore: true + nextPage: eyJhY3Rpb25TZWFyY2hBZnRlciI6WzE3... + type: object + properties: + data: + description: The list of unified history rows for the current page. + items: + $ref: '#/components/schemas/Security_Osquery_API_UnifiedHistoryRow' + type: array + hasMore: + description: Whether there are more results beyond the current page. + type: boolean + nextPage: + description: A base64-encoded cursor to fetch the next page. Absent when there are no more results. + type: string + required: + - data + - hasMore Security_Osquery_API_Interval: description: An interval, in seconds, on which to run the query. example: '60' 
@@ -99549,6 +99982,68 @@ components: example: 'agent.id: 16d7caf5-efd2-4212-9b62-73dafc91fa13' nullable: true type: string + Security_Osquery_API_LiveHistoryRow: + allOf: + - $ref: '#/components/schemas/Security_Osquery_API_UnifiedHistoryRowBase' + - type: object + properties: + actionId: + description: The Fleet action ID for the live query. + type: string + agentAll: + description: Whether the query targeted all agents. + type: boolean + agentIds: + description: List of targeted agent IDs. + items: + type: string + type: array + agentPlatforms: + description: List of targeted agent platforms. + items: + type: string + type: array + agentPolicyIds: + description: List of targeted agent policy IDs. + items: + type: string + type: array + ecsMapping: + additionalProperties: true + description: ECS mapping configuration used for the query. + type: object + queriesTotal: + description: The total number of sub-queries in the live action. + type: integer + queriesWithResults: + description: The number of sub-queries that returned results. + type: integer + savedQueryId: + description: The saved query ID, if the live query was based on a saved query. + type: string + source: + description: Whether this was a manually run live query or triggered by a rule. + enum: + - Live + - Rule + type: string + sourceType: + description: Identifies this as a live query history row. + enum: + - live + type: string + timeout: + description: The query timeout in seconds. + type: integer + userId: + description: The ID of the user who ran the query. + type: string + userProfileUid: + description: The user profile UID of the user who ran the query. + type: string + required: + - sourceType + - source Security_Osquery_API_ObjectQueries: additionalProperties: $ref: '#/components/schemas/Security_Osquery_API_ObjectQueriesItem' 
@@ -99650,6 +100145,76 @@ components: Security_Osquery_API_SavedQueryIdOrUndefined: $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' nullable: true + Security_Osquery_API_ScheduledActionResultsAggregations: + type: object + properties: + failed: + description: The number of agents that returned errors. + type: integer + pending: + description: The number of agents with pending responses. + type: integer + successful: + description: The number of agents that completed successfully. + type: integer + totalResponded: + description: The total number of agents that responded. + type: integer + totalRowCount: + description: The total number of result rows across all agents. + type: integer + Security_Osquery_API_ScheduledExecutionMetadata: + description: Execution metadata resolved from the pack saved object. + type: object + properties: + executionCount: + description: The execution count for this scheduled query run. + type: integer + packId: + description: The ID of the pack containing the query. + type: string + packName: + description: The name of the pack containing the query. + type: string + queryName: + description: The name of the query within the pack. + type: string + queryText: + description: The SQL query that was executed. + type: string + scheduleId: + description: The schedule ID for the scheduled query. + type: string + timestamp: + description: The timestamp of the most recent response for this execution. + type: string + Security_Osquery_API_ScheduledHistoryRow: + allOf: + - $ref: '#/components/schemas/Security_Osquery_API_UnifiedHistoryRowBase' + - type: object + properties: + executionCount: + description: The execution count for this scheduled query run. + type: integer + plannedTime: + description: The planned execution time for the scheduled query. + type: string + scheduleId: + description: The schedule ID for the scheduled query. + type: string + source: + description: Indicates this is a scheduled query execution. 
+ enum: + - Scheduled + type: string + sourceType: + description: Identifies this as a scheduled query history row. + enum: + - scheduled + type: string + required: + - sourceType + - source Security_Osquery_API_Shards: additionalProperties: type: number @@ -99677,6 +100242,54 @@ components: example: createdAt nullable: true type: string + Security_Osquery_API_UnifiedHistoryRow: + oneOf: + - $ref: '#/components/schemas/Security_Osquery_API_LiveHistoryRow' + - $ref: '#/components/schemas/Security_Osquery_API_ScheduledHistoryRow' + Security_Osquery_API_UnifiedHistoryRowBase: + type: object + properties: + agentCount: + description: The number of agents targeted by the query. + type: integer + errorCount: + description: The number of agent responses with errors. + nullable: true + type: integer + id: + description: Unique identifier for the history row. + type: string + packId: + description: The ID of the pack containing the query. + type: string + packName: + description: The name of the pack containing the query. + type: string + queryName: + description: The name of the query, if available. + type: string + queryText: + description: The SQL query that was executed. + type: string + spaceId: + description: The Kibana space ID where the query was executed. + type: string + successCount: + description: The number of successful agent responses. + nullable: true + type: integer + timestamp: + description: The timestamp of the query execution. + type: string + totalRows: + description: The total number of result rows returned across all agents. + nullable: true + type: integer + required: + - id + - timestamp + - queryText + - agentCount Security_Osquery_API_UpdatePacksRequestBody: example: name: updated_my_pack_name diff --git a/oas_docs/output/kibana.yaml b/oas_docs/output/kibana.yaml index a93a6c87b37c4..140dc0c913a65 100644 --- a/oas_docs/output/kibana.yaml +++ b/oas_docs/output/kibana.yaml 
@@ -59442,6 +59442,80 @@ paths: x-metaTags: - content: Kibana name: product_name + /api/osquery/history: + get: + description: | + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/osquery/history
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get a unified, time-sorted history of live, rule-triggered, and scheduled osquery executions. The response uses cursor-based pagination. + operationId: OsqueryGetUnifiedHistory + parameters: + - in: query + name: pageSize + required: false + schema: + default: 20 + description: The number of results to return per page. + maximum: 100 + minimum: 1 + type: integer + - in: query + name: nextPage + required: false + schema: + description: A base64-encoded cursor for pagination. Use the value from the previous response to fetch the next page. + type: string + - in: query + name: kuery + required: false + schema: + description: A search string to filter history entries by pack name, query text, or query ID. + type: string + - in: query + name: userIds + required: false + schema: + description: Comma-separated list of user IDs to filter live query history. + example: elastic,admin + type: string + - in: query + name: sourceFilters + required: false + schema: + description: Comma-separated list of source types to include. Valid values are `live`, `rule`, and `scheduled`. + example: live,scheduled + type: string + - in: query + name: startDate + required: false + schema: + description: The start of the time range filter (ISO 8601). + example: '2024-01-01T00:00:00Z' + type: string + - in: query + name: endDate + required: false + schema: + description: The end of the time range filter (ISO 8601). + example: '2024-12-31T23:59:59Z' + type: string + responses: + '200': + content: + application/json: + schema: + $ref: '#/components/schemas/Security_Osquery_API_GetUnifiedHistoryResponse' + description: OK + summary: Get unified query history + tags: + - Security Osquery API + x-metaTags: + - content: Kibana + name: product_name /api/osquery/live_queries: get: description: |- 
@@ -59789,6 +59863,36 @@ paths: x-metaTags: - content: Kibana name: product_name + /api/osquery/packs/{id}/copy: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/osquery/packs/{id}/copy
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create a copy of a query pack with a unique name by appending a `_copy` suffix. If the name already exists, a numeric suffix is added (e.g., `_copy_2`). The copied pack is always created with `enabled` set to `false`. + operationId: OsqueryCopyPacks + parameters: + - in: path + name: id + required: true + schema: + $ref: '#/components/schemas/Security_Osquery_API_PackId' + responses: + '200': + content: + application/json: + schema: + $ref: '#/components/schemas/Security_Osquery_API_CopyPacksResponse' + description: OK + summary: Copy a pack + tags: + - Security Osquery API + x-metaTags: + - content: Kibana + name: product_name /api/osquery/saved_queries: get: description: |- @@ -59959,6 +60063,171 @@ paths: x-metaTags: - content: Kibana name: product_name + /api/osquery/saved_queries/{id}/copy: + post: + description: |- + **Spaces method and path for this operation:** + +
post /s/{space_id}/api/osquery/saved_queries/{id}/copy
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Create a copy of a saved query with a unique name by appending a `_copy` suffix. If the name already exists, a numeric suffix is added (e.g., `_copy_2`). + operationId: OsqueryCopySavedQuery + parameters: + - in: path + name: id + required: true + schema: + $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' + responses: + '200': + content: + application/json: + schema: + $ref: '#/components/schemas/Security_Osquery_API_CopySavedQueryResponse' + description: OK + summary: Copy a saved query + tags: + - Security Osquery API + x-metaTags: + - content: Kibana + name: product_name + /api/osquery/scheduled_results/{scheduleId}/{executionCount}: + get: + description: | + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/osquery/scheduled_results/{scheduleId}/{executionCount}
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get paginated per-agent action results for a specific scheduled query execution, with success/failure aggregation and execution metadata (pack name, query name/text, timestamp). + operationId: OsqueryGetScheduledActionResults + parameters: + - in: path + name: scheduleId + required: true + schema: + description: The schedule ID of the scheduled query. + example: pack_my_pack_uptime + type: string + - in: path + name: executionCount + required: true + schema: + description: The execution count for this scheduled query run. + example: 3 + type: integer + - in: query + name: kuery + required: false + schema: + $ref: '#/components/schemas/Security_Osquery_API_KueryOrUndefined' + - in: query + name: page + required: false + schema: + $ref: '#/components/schemas/Security_Osquery_API_PageOrUndefined' + - in: query + name: pageSize + required: false + schema: + $ref: '#/components/schemas/Security_Osquery_API_PageSizeOrUndefined' + - in: query + name: sort + required: false + schema: + $ref: '#/components/schemas/Security_Osquery_API_SortOrUndefined' + - in: query + name: sortOrder + required: false + schema: + $ref: '#/components/schemas/Security_Osquery_API_SortOrderOrUndefined' + responses: + '200': + content: + application/json: + schema: + $ref: '#/components/schemas/Security_Osquery_API_GetScheduledActionResultsResponse' + description: OK + summary: Get scheduled action results + tags: + - Security Osquery API + x-metaTags: + - content: Kibana + name: product_name + /api/osquery/scheduled_results/{scheduleId}/{executionCount}/results: + get: + description: | + **Spaces method and path for this operation:** + +
get /s/{space_id}/api/osquery/scheduled_results/{scheduleId}/{executionCount}/results
+ + Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. + + Get paginated query result rows (the actual osquery output data) for a specific scheduled query execution. + operationId: OsqueryGetScheduledQueryResults + parameters: + - in: path + name: scheduleId + required: true + schema: + description: The schedule ID of the scheduled query. + example: pack_my_pack_uptime + type: string + - in: path + name: executionCount + required: true + schema: + description: The execution count for this scheduled query run. + example: 3 + type: integer + - in: query + name: kuery + required: false + schema: + $ref: '#/components/schemas/Security_Osquery_API_KueryOrUndefined' + - in: query + name: page + required: false + schema: + $ref: '#/components/schemas/Security_Osquery_API_PageOrUndefined' + - in: query + name: pageSize + required: false + schema: + $ref: '#/components/schemas/Security_Osquery_API_PageSizeOrUndefined' + - in: query + name: sort + required: false + schema: + $ref: '#/components/schemas/Security_Osquery_API_SortOrUndefined' + - in: query + name: sortOrder + required: false + schema: + $ref: '#/components/schemas/Security_Osquery_API_SortOrderOrUndefined' + - in: query + name: startDate + required: false + schema: + description: The start date filter (ISO 8601) to narrow down results. + example: '2024-01-01T00:00:00Z' + type: string + responses: + '200': + content: + application/json: + schema: + $ref: '#/components/schemas/Security_Osquery_API_GetScheduledQueryResultsResponse' + description: OK + summary: Get scheduled query results + tags: + - Security Osquery API + x-metaTags: + - content: Kibana + name: product_name /api/pinned_event: patch: description: |- 
@@ -110330,6 +110599,49 @@ components: $ref: '#/components/schemas/Security_Osquery_API_Snapshot' version: $ref: '#/components/schemas/Security_Osquery_API_Version' + Security_Osquery_API_CopyPacksResponse: + example: + data: + created_at: '2025-02-26T13:37:30.452Z' + created_by: elastic + description: My pack + enabled: false + name: my_pack_copy + queries: + ports: + ecs_mapping: + client.port: + field: port + interval: 60 + query: SELECT * FROM listening_ports; + removed: false + snapshot: true + timeout: 120 + saved_object_id: 1c266590-381f-428c-878f-c80c1334f856 + shards: {} + updated_at: '2025-02-26T13:37:30.452Z' + updated_by: elastic + type: object + properties: {} + Security_Osquery_API_CopySavedQueryResponse: + example: + data: + created_at: '2025-02-26T13:37:30.452Z' + created_by: elastic + description: Saved query description + ecs_mapping: + host.uptime: + field: total_seconds + id: my_saved_query_copy + interval: '60' + platform: linux,darwin + query: select * from uptime; + saved_object_id: 42ba1280-2172-11ee-8523-5765fca79a3c + updated_at: '2025-02-26T13:37:30.452Z' + updated_by: elastic + version: 2.8.0 + type: object + properties: {} Security_Osquery_API_CreateLiveQueryRequestBody: example: agent_all: true 
@@ -110733,6 +111045,127 @@ components: total: 2 type: object properties: {} + Security_Osquery_API_GetScheduledActionResultsResponse: + example: + aggregations: + failed: 1 + pending: 0 + successful: 9 + totalResponded: 10 + totalRowCount: 42 + currentPage: 0 + edges: + - {} + metadata: + executionCount: 3 + packId: 42ba9c50-0cc5-11ed-aa1d-2b27890bc90d + packName: My Pack + queryName: uptime + queryText: select * from uptime; + scheduleId: pack_my_pack_uptime + timestamp: '2024-07-26T09:00:00.000Z' + pageSize: 20 + total: 10 + totalPages: 1 + type: object + properties: + aggregations: + $ref: '#/components/schemas/Security_Osquery_API_ScheduledActionResultsAggregations' + currentPage: + description: The current page number (zero-based). + type: integer + edges: + description: The paginated list of per-agent action results. + items: + type: object + type: array + inspect: + description: Debug/inspection data for the search query. + type: object + metadata: + $ref: '#/components/schemas/Security_Osquery_API_ScheduledExecutionMetadata' + pageSize: + description: The number of results per page. + type: integer + total: + description: The total number of action results. + type: integer + totalPages: + description: The total number of pages. + type: integer + Security_Osquery_API_GetScheduledQueryResultsResponse: + description: The response for getting scheduled query results. + example: + data: + edges: + - {} + - {} + total: 2 + type: object + properties: + data: + description: The query results data wrapper. + type: object + properties: + edges: + description: The paginated list of query result rows. + items: + type: object + type: array + inspect: + description: Debug/inspection data for the search query. + type: object + total: + description: The total number of result rows. 
+ type: integer + Security_Osquery_API_GetUnifiedHistoryResponse: + example: + data: + - actionId: 609c4c66-ba3d-43fa-afdd-53e244577aa0 + agentCount: 5 + errorCount: 0 + id: 3c42c847-eb30-4452-80e0-728584042334 + queryName: uptime_query + queryText: select * from uptime; + source: Live + sourceType: live + successCount: 5 + timestamp: '2024-07-26T09:59:32.220Z' + totalRows: 42 + userId: elastic + - agentCount: 10 + errorCount: 1 + executionCount: 3 + id: pack_my_pack_uptime_3 + packId: 42ba9c50-0cc5-11ed-aa1d-2b27890bc90d + packName: My Pack + plannedTime: '2024-07-26T09:00:00.000Z' + queryName: uptime + queryText: select * from uptime; + scheduleId: pack_my_pack_uptime + source: Scheduled + sourceType: scheduled + successCount: 9 + timestamp: '2024-07-26T09:00:00.000Z' + totalRows: 100 + hasMore: true + nextPage: eyJhY3Rpb25TZWFyY2hBZnRlciI6WzE3... + type: object + properties: + data: + description: The list of unified history rows for the current page. + items: + $ref: '#/components/schemas/Security_Osquery_API_UnifiedHistoryRow' + type: array + hasMore: + description: Whether there are more results beyond the current page. + type: boolean + nextPage: + description: A base64-encoded cursor to fetch the next page. Absent when there are no more results. + type: string + required: + - data + - hasMore Security_Osquery_API_Interval: description: An interval, in seconds, on which to run the query. example: '60' 
@@ -110745,6 +111178,68 @@ components: example: 'agent.id: 16d7caf5-efd2-4212-9b62-73dafc91fa13' nullable: true type: string + Security_Osquery_API_LiveHistoryRow: + allOf: + - $ref: '#/components/schemas/Security_Osquery_API_UnifiedHistoryRowBase' + - type: object + properties: + actionId: + description: The Fleet action ID for the live query. + type: string + agentAll: + description: Whether the query targeted all agents. + type: boolean + agentIds: + description: List of targeted agent IDs. + items: + type: string + type: array + agentPlatforms: + description: List of targeted agent platforms. + items: + type: string + type: array + agentPolicyIds: + description: List of targeted agent policy IDs. + items: + type: string + type: array + ecsMapping: + additionalProperties: true + description: ECS mapping configuration used for the query. + type: object + queriesTotal: + description: The total number of sub-queries in the live action. + type: integer + queriesWithResults: + description: The number of sub-queries that returned results. + type: integer + savedQueryId: + description: The saved query ID, if the live query was based on a saved query. + type: string + source: + description: Whether this was a manually run live query or triggered by a rule. + enum: + - Live + - Rule + type: string + sourceType: + description: Identifies this as a live query history row. + enum: + - live + type: string + timeout: + description: The query timeout in seconds. + type: integer + userId: + description: The ID of the user who ran the query. + type: string + userProfileUid: + description: The user profile UID of the user who ran the query. + type: string + required: + - sourceType + - source Security_Osquery_API_ObjectQueries: additionalProperties: $ref: '#/components/schemas/Security_Osquery_API_ObjectQueriesItem' 
@@ -110846,6 +111341,76 @@ components: Security_Osquery_API_SavedQueryIdOrUndefined: $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' nullable: true + Security_Osquery_API_ScheduledActionResultsAggregations: + type: object + properties: + failed: + description: The number of agents that returned errors. + type: integer + pending: + description: The number of agents with pending responses. + type: integer + successful: + description: The number of agents that completed successfully. + type: integer + totalResponded: + description: The total number of agents that responded. + type: integer + totalRowCount: + description: The total number of result rows across all agents. + type: integer + Security_Osquery_API_ScheduledExecutionMetadata: + description: Execution metadata resolved from the pack saved object. + type: object + properties: + executionCount: + description: The execution count for this scheduled query run. + type: integer + packId: + description: The ID of the pack containing the query. + type: string + packName: + description: The name of the pack containing the query. + type: string + queryName: + description: The name of the query within the pack. + type: string + queryText: + description: The SQL query that was executed. + type: string + scheduleId: + description: The schedule ID for the scheduled query. + type: string + timestamp: + description: The timestamp of the most recent response for this execution. + type: string + Security_Osquery_API_ScheduledHistoryRow: + allOf: + - $ref: '#/components/schemas/Security_Osquery_API_UnifiedHistoryRowBase' + - type: object + properties: + executionCount: + description: The execution count for this scheduled query run. + type: integer + plannedTime: + description: The planned execution time for the scheduled query. + type: string + scheduleId: + description: The schedule ID for the scheduled query. + type: string + source: + description: Indicates this is a scheduled query execution. 
+ enum: + - Scheduled + type: string + sourceType: + description: Identifies this as a scheduled query history row. + enum: + - scheduled + type: string + required: + - sourceType + - source Security_Osquery_API_Shards: additionalProperties: type: number @@ -110873,6 +111438,54 @@ components: example: createdAt nullable: true type: string + Security_Osquery_API_UnifiedHistoryRow: + oneOf: + - $ref: '#/components/schemas/Security_Osquery_API_LiveHistoryRow' + - $ref: '#/components/schemas/Security_Osquery_API_ScheduledHistoryRow' + Security_Osquery_API_UnifiedHistoryRowBase: + type: object + properties: + agentCount: + description: The number of agents targeted by the query. + type: integer + errorCount: + description: The number of agent responses with errors. + nullable: true + type: integer + id: + description: Unique identifier for the history row. + type: string + packId: + description: The ID of the pack containing the query. + type: string + packName: + description: The name of the pack containing the query. + type: string + queryName: + description: The name of the query, if available. + type: string + queryText: + description: The SQL query that was executed. + type: string + spaceId: + description: The Kibana space ID where the query was executed. + type: string + successCount: + description: The number of successful agent responses. + nullable: true + type: integer + timestamp: + description: The timestamp of the query execution. + type: string + totalRows: + description: The total number of result rows returned across all agents. + nullable: true + type: integer + required: + - id + - timestamp + - queryText + - agentCount Security_Osquery_API_UpdatePacksRequestBody: example: name: updated_my_pack_name From fab9d7bff033d5818b4797ec8dd1eeb37896dd59 Mon Sep 17 00:00:00 2001 
From: Tomasz Ciecierski Date: Mon, 13 Apr 2026 17:15:36 +0200 Subject: [PATCH 5/7] Revert "[Osquery] Enable openapi docs" This reverts commit 1ec6abcd3b28fd1a03b80ed90be998d2e86038b0. --- .../shared/osquery/common/api/packs/packs.schema.yaml | 4 +++- .../common/api/saved_query/saved_query.schema.yaml | 4 +++- .../api/scheduled_results/scheduled_results.schema.yaml | 8 ++++++-- .../api/unified_history/unified_history.schema.yaml | 4 +++- 4 files changed, 15 insertions(+), 5 deletions(-) diff --git a/x-pack/platform/plugins/shared/osquery/common/api/packs/packs.schema.yaml b/x-pack/platform/plugins/shared/osquery/common/api/packs/packs.schema.yaml index 44a9ea66cebe1..33c641f148e2a 100644 --- a/x-pack/platform/plugins/shared/osquery/common/api/packs/packs.schema.yaml +++ b/x-pack/platform/plugins/shared/osquery/common/api/packs/packs.schema.yaml @@ -135,7 +135,9 @@ paths: The copied pack is always created with `enabled` set to `false`. operationId: OsqueryCopyPacks x-codegen-enabled: true - x-labels: [ serverless, ess ] + # TODO: Remove the empty x-labels array and uncomment the following line when feature flag is enabled + x-labels: [ ] + # x-labels: [serverless, ess] parameters: - name: id in: path diff --git a/x-pack/platform/plugins/shared/osquery/common/api/saved_query/saved_query.schema.yaml b/x-pack/platform/plugins/shared/osquery/common/api/saved_query/saved_query.schema.yaml index 0e0cf567b7e1e..5020bde03a748 100644 --- a/x-pack/platform/plugins/shared/osquery/common/api/saved_query/saved_query.schema.yaml +++ b/x-pack/platform/plugins/shared/osquery/common/api/saved_query/saved_query.schema.yaml 
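Review bot: The TODO placed above the emptied `x-labels` does not say which feature flag it is waiting on, so the four copies of it (this hunk, and the identical change in saved_query.schema.yaml, both scheduled_results.schema.yaml hunks and unified_history.schema.yaml) will be hard to act on later; naming the flag, e.g. `# TODO: restore x-labels: [serverless, ess] once <feature flag> is enabled by default`, would make the follow-up greppable. From the rest of the series the flag appears to be `queryHistoryRework` in experimental_features.ts, but that is inferred rather than visible in this hunk. Note also that an empty `x-labels` only drops the operation from the published API docs; it does not change whether the route is registered, so unless the route handler is itself gated on the flag the endpoint remains reachable while undocumented, which is worth confirming on the server side. The YAML operation object containing this hunk starts before it.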
@@ -132,7 +132,9 @@ paths: If the name already exists, a numeric suffix is added (e.g., `_copy_2`). operationId: OsqueryCopySavedQuery x-codegen-enabled: true - x-labels: [ serverless, ess ] + # TODO: Remove the empty x-labels array and uncomment the following line when feature flag is enabled + x-labels: [ ] + # x-labels: [serverless, ess] parameters: - name: id in: path diff --git a/x-pack/platform/plugins/shared/osquery/common/api/scheduled_results/scheduled_results.schema.yaml b/x-pack/platform/plugins/shared/osquery/common/api/scheduled_results/scheduled_results.schema.yaml index 9ab5ca0b23d64..886e922679b59 100644 --- a/x-pack/platform/plugins/shared/osquery/common/api/scheduled_results/scheduled_results.schema.yaml +++ b/x-pack/platform/plugins/shared/osquery/common/api/scheduled_results/scheduled_results.schema.yaml @@ -12,7 +12,9 @@ paths: (pack name, query name/text, timestamp). operationId: OsqueryGetScheduledActionResults x-codegen-enabled: true - x-labels: [ serverless, ess ] + # TODO: Remove the empty x-labels array and uncomment the following line when feature flag is enabled + x-labels: [ ] + # x-labels: [serverless, ess] parameters: - name: scheduleId in: path @@ -69,7 +71,9 @@ paths: for a specific scheduled query execution. operationId: OsqueryGetScheduledQueryResults x-codegen-enabled: true - x-labels: [ serverless, ess ] + # TODO: Remove the empty x-labels array and uncomment the following line when feature flag is enabled + x-labels: [ ] + # x-labels: [serverless, ess] parameters: - name: scheduleId in: path diff --git a/x-pack/platform/plugins/shared/osquery/common/api/unified_history/unified_history.schema.yaml b/x-pack/platform/plugins/shared/osquery/common/api/unified_history/unified_history.schema.yaml index 711124cfe3fa3..2d732c2c08566 100644 --- a/x-pack/platform/plugins/shared/osquery/common/api/unified_history/unified_history.schema.yaml 
+++ b/x-pack/platform/plugins/shared/osquery/common/api/unified_history/unified_history.schema.yaml @@ -11,7 +11,9 @@ paths: osquery executions. The response uses cursor-based pagination. operationId: OsqueryGetUnifiedHistory x-codegen-enabled: true - x-labels: [ serverless, ess ] + # TODO: Remove the empty x-labels array and uncomment the following line when feature flag is enabled + x-labels: [ ] + # x-labels: [serverless, ess] parameters: - name: pageSize in: query From c63b4b635f5a17d58a49f95f7d38da784cfac077 Mon Sep 17 00:00:00 2001 From: kibanamachine <42973632+kibanamachine@users.noreply.github.com> Date: Mon, 13 Apr 2026 15:45:44 +0000 Subject: [PATCH 6/7] Changes from yarn openapi:bundle --- ...osquery_api_2023_10_31.bundled.schema.yaml | 589 ------------------ ...osquery_api_2023_10_31.bundled.schema.yaml | 589 ------------------ 2 files changed, 1178 deletions(-) diff --git a/x-pack/platform/plugins/shared/osquery/docs/openapi/ess/osquery_api_2023_10_31.bundled.schema.yaml b/x-pack/platform/plugins/shared/osquery/docs/openapi/ess/osquery_api_2023_10_31.bundled.schema.yaml index 937620b79be90..c1df2d2da55fb 100644 --- a/x-pack/platform/plugins/shared/osquery/docs/openapi/ess/osquery_api_2023_10_31.bundled.schema.yaml +++ b/x-pack/platform/plugins/shared/osquery/docs/openapi/ess/osquery_api_2023_10_31.bundled.schema.yaml 
@@ -11,78 +11,6 @@ servers: port: default: '5601' paths: - /api/osquery/history: - get: - description: > - Get a unified, time-sorted history of live, rule-triggered, and - scheduled osquery executions. The response uses cursor-based pagination. - operationId: OsqueryGetUnifiedHistory - parameters: - - in: query - name: pageSize - required: false - schema: - default: 20 - description: The number of results to return per page. - maximum: 100 - minimum: 1 - type: integer - - in: query - name: nextPage - required: false - schema: - description: >- - A base64-encoded cursor for pagination. Use the value from the - previous response to fetch the next page. - type: string - - in: query - name: kuery - required: false - schema: - description: >- - A search string to filter history entries by pack name, query - text, or query ID. - type: string - - in: query - name: userIds - required: false - schema: - description: Comma-separated list of user IDs to filter live query history. - example: elastic,admin - type: string - - in: query - name: sourceFilters - required: false - schema: - description: >- - Comma-separated list of source types to include. Valid values are - `live`, `rule`, and `scheduled`. - example: live,scheduled - type: string - - in: query - name: startDate - required: false - schema: - description: The start of the time range filter (ISO 8601). - example: '2024-01-01T00:00:00Z' - type: string - - in: query - name: endDate - required: false - schema: - description: The end of the time range filter (ISO 8601). - example: '2024-12-31T23:59:59Z' - type: string - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/GetUnifiedHistoryResponse' - description: OK - summary: Get unified query history - tags: - - Security Osquery API /api/osquery/live_queries: get: description: Get a list of all live queries. 
@@ -341,30 +269,6 @@ paths: summary: Update a pack tags: - Security Osquery API - /api/osquery/packs/{id}/copy: - post: - description: >- - Create a copy of a query pack with a unique name by appending a `_copy` - suffix. If the name already exists, a numeric suffix is added (e.g., - `_copy_2`). The copied pack is always created with `enabled` set to - `false`. - operationId: OsqueryCopyPacks - parameters: - - in: path - name: id - required: true - schema: - $ref: '#/components/schemas/PackId' - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/CopyPacksResponse' - description: OK - summary: Copy a pack - tags: - - Security Osquery API /api/osquery/saved_queries: get: description: Get a list of all saved queries. 
@@ -486,149 +390,6 @@ paths: summary: Update a saved query tags: - Security Osquery API - /api/osquery/saved_queries/{id}/copy: - post: - description: >- - Create a copy of a saved query with a unique name by appending a `_copy` - suffix. If the name already exists, a numeric suffix is added (e.g., - `_copy_2`). - operationId: OsqueryCopySavedQuery - parameters: - - in: path - name: id - required: true - schema: - $ref: '#/components/schemas/SavedQueryId' - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/CopySavedQueryResponse' - description: OK - summary: Copy a saved query - tags: - - Security Osquery API - /api/osquery/scheduled_results/{scheduleId}/{executionCount}: - get: - description: > - Get paginated per-agent action results for a specific scheduled query - execution, with success/failure aggregation and execution metadata (pack - name, query name/text, timestamp). - operationId: OsqueryGetScheduledActionResults - parameters: - - in: path - name: scheduleId - required: true - schema: - description: The schedule ID of the scheduled query. - example: pack_my_pack_uptime - type: string - - in: path - name: executionCount - required: true - schema: - description: The execution count for this scheduled query run. 
- example: 3 - type: integer - - in: query - name: kuery - required: false - schema: - $ref: '#/components/schemas/KueryOrUndefined' - - in: query - name: page - required: false - schema: - $ref: '#/components/schemas/PageOrUndefined' - - in: query - name: pageSize - required: false - schema: - $ref: '#/components/schemas/PageSizeOrUndefined' - - in: query - name: sort - required: false - schema: - $ref: '#/components/schemas/SortOrUndefined' - - in: query - name: sortOrder - required: false - schema: - $ref: '#/components/schemas/SortOrderOrUndefined' - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/GetScheduledActionResultsResponse' - description: OK - summary: Get scheduled action results - tags: - - Security Osquery API - /api/osquery/scheduled_results/{scheduleId}/{executionCount}/results: - get: - description: > - Get paginated query result rows (the actual osquery output data) for a - specific scheduled query execution. - operationId: OsqueryGetScheduledQueryResults - parameters: - - in: path - name: scheduleId - required: true - schema: - description: The schedule ID of the scheduled query. - example: pack_my_pack_uptime - type: string - - in: path - name: executionCount - required: true - schema: - description: The execution count for this scheduled query run. 
- example: 3 - type: integer - - in: query - name: kuery - required: false - schema: - $ref: '#/components/schemas/KueryOrUndefined' - - in: query - name: page - required: false - schema: - $ref: '#/components/schemas/PageOrUndefined' - - in: query - name: pageSize - required: false - schema: - $ref: '#/components/schemas/PageSizeOrUndefined' - - in: query - name: sort - required: false - schema: - $ref: '#/components/schemas/SortOrUndefined' - - in: query - name: sortOrder - required: false - schema: - $ref: '#/components/schemas/SortOrderOrUndefined' - - in: query - name: startDate - required: false - schema: - description: The start date filter (ISO 8601) to narrow down results. - example: '2024-01-01T00:00:00Z' - type: string - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/GetScheduledQueryResultsResponse' - description: OK - summary: Get scheduled query results - tags: - - Security Osquery API components: schemas: ArrayQueries: 
@@ -653,49 +414,6 @@ components: $ref: '#/components/schemas/SnapshotOrUndefined' version: $ref: '#/components/schemas/VersionOrUndefined' - CopyPacksResponse: - example: - data: - created_at: '2025-02-26T13:37:30.452Z' - created_by: elastic - description: My pack - enabled: false - name: my_pack_copy - queries: - ports: - ecs_mapping: - client.port: - field: port - interval: 60 - query: SELECT * FROM listening_ports; - removed: false - snapshot: true - timeout: 120 - saved_object_id: 1c266590-381f-428c-878f-c80c1334f856 - shards: {} - updated_at: '2025-02-26T13:37:30.452Z' - updated_by: elastic - type: object - properties: {} - CopySavedQueryResponse: - example: - data: - created_at: '2025-02-26T13:37:30.452Z' - created_by: elastic - description: Saved query description - ecs_mapping: - host.uptime: - field: total_seconds - id: my_saved_query_copy - interval: '60' - platform: linux,darwin - query: select * from uptime; - saved_object_id: 42ba1280-2172-11ee-8523-5765fca79a3c - updated_at: '2025-02-26T13:37:30.452Z' - updated_by: elastic - version: 2.8.0 - type: object - properties: {} CreateLiveQueryRequestBody: example: agent_all: true 
@@ -1101,129 +819,6 @@ components: total: 2 type: object properties: {} - GetScheduledActionResultsResponse: - example: - aggregations: - failed: 1 - pending: 0 - successful: 9 - totalResponded: 10 - totalRowCount: 42 - currentPage: 0 - edges: - - {} - metadata: - executionCount: 3 - packId: 42ba9c50-0cc5-11ed-aa1d-2b27890bc90d - packName: My Pack - queryName: uptime - queryText: select * from uptime; - scheduleId: pack_my_pack_uptime - timestamp: '2024-07-26T09:00:00.000Z' - pageSize: 20 - total: 10 - totalPages: 1 - type: object - properties: - aggregations: - $ref: '#/components/schemas/ScheduledActionResultsAggregations' - currentPage: - description: The current page number (zero-based). - type: integer - edges: - description: The paginated list of per-agent action results. - items: - type: object - type: array - inspect: - description: Debug/inspection data for the search query. - type: object - metadata: - $ref: '#/components/schemas/ScheduledExecutionMetadata' - pageSize: - description: The number of results per page. - type: integer - total: - description: The total number of action results. - type: integer - totalPages: - description: The total number of pages. - type: integer - GetScheduledQueryResultsResponse: - description: The response for getting scheduled query results. - example: - data: - edges: - - {} - - {} - total: 2 - type: object - properties: - data: - description: The query results data wrapper. - type: object - properties: - edges: - description: The paginated list of query result rows. - items: - type: object - type: array - inspect: - description: Debug/inspection data for the search query. - type: object - total: - description: The total number of result rows. 
- type: integer - GetUnifiedHistoryResponse: - example: - data: - - actionId: 609c4c66-ba3d-43fa-afdd-53e244577aa0 - agentCount: 5 - errorCount: 0 - id: 3c42c847-eb30-4452-80e0-728584042334 - queryName: uptime_query - queryText: select * from uptime; - source: Live - sourceType: live - successCount: 5 - timestamp: '2024-07-26T09:59:32.220Z' - totalRows: 42 - userId: elastic - - agentCount: 10 - errorCount: 1 - executionCount: 3 - id: pack_my_pack_uptime_3 - packId: 42ba9c50-0cc5-11ed-aa1d-2b27890bc90d - packName: My Pack - plannedTime: '2024-07-26T09:00:00.000Z' - queryName: uptime - queryText: select * from uptime; - scheduleId: pack_my_pack_uptime - source: Scheduled - sourceType: scheduled - successCount: 9 - timestamp: '2024-07-26T09:00:00.000Z' - totalRows: 100 - hasMore: true - nextPage: eyJhY3Rpb25TZWFyY2hBZnRlciI6WzE3... - type: object - properties: - data: - description: The list of unified history rows for the current page. - items: - $ref: '#/components/schemas/UnifiedHistoryRow' - type: array - hasMore: - description: Whether there are more results beyond the current page. - type: boolean - nextPage: - description: >- - A base64-encoded cursor to fetch the next page. Absent when there - are no more results. - type: string - required: - - data - - hasMore Interval: description: An interval, in seconds, on which to run the query. example: '60' 
@@ -1236,72 +831,6 @@ components: example: 'agent.id: 16d7caf5-efd2-4212-9b62-73dafc91fa13' nullable: true type: string - LiveHistoryRow: - allOf: - - $ref: '#/components/schemas/UnifiedHistoryRowBase' - - type: object - properties: - actionId: - description: The Fleet action ID for the live query. - type: string - agentAll: - description: Whether the query targeted all agents. - type: boolean - agentIds: - description: List of targeted agent IDs. - items: - type: string - type: array - agentPlatforms: - description: List of targeted agent platforms. - items: - type: string - type: array - agentPolicyIds: - description: List of targeted agent policy IDs. - items: - type: string - type: array - ecsMapping: - additionalProperties: true - description: ECS mapping configuration used for the query. - type: object - queriesTotal: - description: The total number of sub-queries in the live action. - type: integer - queriesWithResults: - description: The number of sub-queries that returned results. - type: integer - savedQueryId: - description: >- - The saved query ID, if the live query was based on a saved - query. - type: string - source: - description: >- - Whether this was a manually run live query or triggered by a - rule. - enum: - - Live - - Rule - type: string - sourceType: - description: Identifies this as a live query history row. - enum: - - live - type: string - timeout: - description: The query timeout in seconds. - type: integer - userId: - description: The ID of the user who ran the query. - type: string - userProfileUid: - description: The user profile UID of the user who ran the query. - type: string - required: - - sourceType - - source ObjectQueries: additionalProperties: $ref: '#/components/schemas/ObjectQueriesItem' 
@@ -1406,76 +935,6 @@ components: SavedQueryIdOrUndefined: $ref: '#/components/schemas/SavedQueryId' nullable: true - ScheduledActionResultsAggregations: - type: object - properties: - failed: - description: The number of agents that returned errors. - type: integer - pending: - description: The number of agents with pending responses. - type: integer - successful: - description: The number of agents that completed successfully. - type: integer - totalResponded: - description: The total number of agents that responded. - type: integer - totalRowCount: - description: The total number of result rows across all agents. - type: integer - ScheduledExecutionMetadata: - description: Execution metadata resolved from the pack saved object. - type: object - properties: - executionCount: - description: The execution count for this scheduled query run. - type: integer - packId: - description: The ID of the pack containing the query. - type: string - packName: - description: The name of the pack containing the query. - type: string - queryName: - description: The name of the query within the pack. - type: string - queryText: - description: The SQL query that was executed. - type: string - scheduleId: - description: The schedule ID for the scheduled query. - type: string - timestamp: - description: The timestamp of the most recent response for this execution. - type: string - ScheduledHistoryRow: - allOf: - - $ref: '#/components/schemas/UnifiedHistoryRowBase' - - type: object - properties: - executionCount: - description: The execution count for this scheduled query run. - type: integer - plannedTime: - description: The planned execution time for the scheduled query. - type: string - scheduleId: - description: The schedule ID for the scheduled query. - type: string - source: - description: Indicates this is a scheduled query execution. - enum: - - Scheduled - type: string - sourceType: - description: Identifies this as a scheduled query history row. 
- enum: - - scheduled - type: string - required: - - sourceType - - source Shards: additionalProperties: type: number @@ -1506,54 +965,6 @@ components: example: createdAt nullable: true type: string - UnifiedHistoryRow: - oneOf: - - $ref: '#/components/schemas/LiveHistoryRow' - - $ref: '#/components/schemas/ScheduledHistoryRow' - UnifiedHistoryRowBase: - type: object - properties: - agentCount: - description: The number of agents targeted by the query. - type: integer - errorCount: - description: The number of agent responses with errors. - nullable: true - type: integer - id: - description: Unique identifier for the history row. - type: string - packId: - description: The ID of the pack containing the query. - type: string - packName: - description: The name of the pack containing the query. - type: string - queryName: - description: The name of the query, if available. - type: string - queryText: - description: The SQL query that was executed. - type: string - spaceId: - description: The Kibana space ID where the query was executed. - type: string - successCount: - description: The number of successful agent responses. - nullable: true - type: integer - timestamp: - description: The timestamp of the query execution. - type: string - totalRows: - description: The total number of result rows returned across all agents. - nullable: true - type: integer - required: - - id - - timestamp - - queryText - - agentCount UpdatePacksRequestBody: example: name: updated_my_pack_name diff --git a/x-pack/platform/plugins/shared/osquery/docs/openapi/serverless/osquery_api_2023_10_31.bundled.schema.yaml b/x-pack/platform/plugins/shared/osquery/docs/openapi/serverless/osquery_api_2023_10_31.bundled.schema.yaml index 2074878fc1282..f418cc98c297a 100644 --- a/x-pack/platform/plugins/shared/osquery/docs/openapi/serverless/osquery_api_2023_10_31.bundled.schema.yaml +++ b/x-pack/platform/plugins/shared/osquery/docs/openapi/serverless/osquery_api_2023_10_31.bundled.schema.yaml 
@@ -11,78 +11,6 @@ servers: port: default: '5601' paths: - /api/osquery/history: - get: - description: > - Get a unified, time-sorted history of live, rule-triggered, and - scheduled osquery executions. The response uses cursor-based pagination. - operationId: OsqueryGetUnifiedHistory - parameters: - - in: query - name: pageSize - required: false - schema: - default: 20 - description: The number of results to return per page. - maximum: 100 - minimum: 1 - type: integer - - in: query - name: nextPage - required: false - schema: - description: >- - A base64-encoded cursor for pagination. Use the value from the - previous response to fetch the next page. - type: string - - in: query - name: kuery - required: false - schema: - description: >- - A search string to filter history entries by pack name, query - text, or query ID. - type: string - - in: query - name: userIds - required: false - schema: - description: Comma-separated list of user IDs to filter live query history. - example: elastic,admin - type: string - - in: query - name: sourceFilters - required: false - schema: - description: >- - Comma-separated list of source types to include. Valid values are - `live`, `rule`, and `scheduled`. - example: live,scheduled - type: string - - in: query - name: startDate - required: false - schema: - description: The start of the time range filter (ISO 8601). - example: '2024-01-01T00:00:00Z' - type: string - - in: query - name: endDate - required: false - schema: - description: The end of the time range filter (ISO 8601). - example: '2024-12-31T23:59:59Z' - type: string - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/GetUnifiedHistoryResponse' - description: OK - summary: Get unified query history - tags: - - Security Osquery API /api/osquery/live_queries: get: description: Get a list of all live queries. 
@@ -341,30 +269,6 @@ paths: summary: Update a pack tags: - Security Osquery API - /api/osquery/packs/{id}/copy: - post: - description: >- - Create a copy of a query pack with a unique name by appending a `_copy` - suffix. If the name already exists, a numeric suffix is added (e.g., - `_copy_2`). The copied pack is always created with `enabled` set to - `false`. - operationId: OsqueryCopyPacks - parameters: - - in: path - name: id - required: true - schema: - $ref: '#/components/schemas/PackId' - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/CopyPacksResponse' - description: OK - summary: Copy a pack - tags: - - Security Osquery API /api/osquery/saved_queries: get: description: Get a list of all saved queries. 
@@ -486,149 +390,6 @@ paths: summary: Update a saved query tags: - Security Osquery API - /api/osquery/saved_queries/{id}/copy: - post: - description: >- - Create a copy of a saved query with a unique name by appending a `_copy` - suffix. If the name already exists, a numeric suffix is added (e.g., - `_copy_2`). - operationId: OsqueryCopySavedQuery - parameters: - - in: path - name: id - required: true - schema: - $ref: '#/components/schemas/SavedQueryId' - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/CopySavedQueryResponse' - description: OK - summary: Copy a saved query - tags: - - Security Osquery API - /api/osquery/scheduled_results/{scheduleId}/{executionCount}: - get: - description: > - Get paginated per-agent action results for a specific scheduled query - execution, with success/failure aggregation and execution metadata (pack - name, query name/text, timestamp). - operationId: OsqueryGetScheduledActionResults - parameters: - - in: path - name: scheduleId - required: true - schema: - description: The schedule ID of the scheduled query. - example: pack_my_pack_uptime - type: string - - in: path - name: executionCount - required: true - schema: - description: The execution count for this scheduled query run. 
- example: 3 - type: integer - - in: query - name: kuery - required: false - schema: - $ref: '#/components/schemas/KueryOrUndefined' - - in: query - name: page - required: false - schema: - $ref: '#/components/schemas/PageOrUndefined' - - in: query - name: pageSize - required: false - schema: - $ref: '#/components/schemas/PageSizeOrUndefined' - - in: query - name: sort - required: false - schema: - $ref: '#/components/schemas/SortOrUndefined' - - in: query - name: sortOrder - required: false - schema: - $ref: '#/components/schemas/SortOrderOrUndefined' - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/GetScheduledActionResultsResponse' - description: OK - summary: Get scheduled action results - tags: - - Security Osquery API - /api/osquery/scheduled_results/{scheduleId}/{executionCount}/results: - get: - description: > - Get paginated query result rows (the actual osquery output data) for a - specific scheduled query execution. - operationId: OsqueryGetScheduledQueryResults - parameters: - - in: path - name: scheduleId - required: true - schema: - description: The schedule ID of the scheduled query. - example: pack_my_pack_uptime - type: string - - in: path - name: executionCount - required: true - schema: - description: The execution count for this scheduled query run. 
- example: 3 - type: integer - - in: query - name: kuery - required: false - schema: - $ref: '#/components/schemas/KueryOrUndefined' - - in: query - name: page - required: false - schema: - $ref: '#/components/schemas/PageOrUndefined' - - in: query - name: pageSize - required: false - schema: - $ref: '#/components/schemas/PageSizeOrUndefined' - - in: query - name: sort - required: false - schema: - $ref: '#/components/schemas/SortOrUndefined' - - in: query - name: sortOrder - required: false - schema: - $ref: '#/components/schemas/SortOrderOrUndefined' - - in: query - name: startDate - required: false - schema: - description: The start date filter (ISO 8601) to narrow down results. - example: '2024-01-01T00:00:00Z' - type: string - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/GetScheduledQueryResultsResponse' - description: OK - summary: Get scheduled query results - tags: - - Security Osquery API components: schemas: ArrayQueries: 
@@ -653,49 +414,6 @@ components: $ref: '#/components/schemas/SnapshotOrUndefined' version: $ref: '#/components/schemas/VersionOrUndefined' - CopyPacksResponse: - example: - data: - created_at: '2025-02-26T13:37:30.452Z' - created_by: elastic - description: My pack - enabled: false - name: my_pack_copy - queries: - ports: - ecs_mapping: - client.port: - field: port - interval: 60 - query: SELECT * FROM listening_ports; - removed: false - snapshot: true - timeout: 120 - saved_object_id: 1c266590-381f-428c-878f-c80c1334f856 - shards: {} - updated_at: '2025-02-26T13:37:30.452Z' - updated_by: elastic - type: object - properties: {} - CopySavedQueryResponse: - example: - data: - created_at: '2025-02-26T13:37:30.452Z' - created_by: elastic - description: Saved query description - ecs_mapping: - host.uptime: - field: total_seconds - id: my_saved_query_copy - interval: '60' - platform: linux,darwin - query: select * from uptime; - saved_object_id: 42ba1280-2172-11ee-8523-5765fca79a3c - updated_at: '2025-02-26T13:37:30.452Z' - updated_by: elastic - version: 2.8.0 - type: object - properties: {} CreateLiveQueryRequestBody: example: agent_all: true 
@@ -1101,129 +819,6 @@ components: total: 2 type: object properties: {} - GetScheduledActionResultsResponse: - example: - aggregations: - failed: 1 - pending: 0 - successful: 9 - totalResponded: 10 - totalRowCount: 42 - currentPage: 0 - edges: - - {} - metadata: - executionCount: 3 - packId: 42ba9c50-0cc5-11ed-aa1d-2b27890bc90d - packName: My Pack - queryName: uptime - queryText: select * from uptime; - scheduleId: pack_my_pack_uptime - timestamp: '2024-07-26T09:00:00.000Z' - pageSize: 20 - total: 10 - totalPages: 1 - type: object - properties: - aggregations: - $ref: '#/components/schemas/ScheduledActionResultsAggregations' - currentPage: - description: The current page number (zero-based). - type: integer - edges: - description: The paginated list of per-agent action results. - items: - type: object - type: array - inspect: - description: Debug/inspection data for the search query. - type: object - metadata: - $ref: '#/components/schemas/ScheduledExecutionMetadata' - pageSize: - description: The number of results per page. - type: integer - total: - description: The total number of action results. - type: integer - totalPages: - description: The total number of pages. - type: integer - GetScheduledQueryResultsResponse: - description: The response for getting scheduled query results. - example: - data: - edges: - - {} - - {} - total: 2 - type: object - properties: - data: - description: The query results data wrapper. - type: object - properties: - edges: - description: The paginated list of query result rows. - items: - type: object - type: array - inspect: - description: Debug/inspection data for the search query. - type: object - total: - description: The total number of result rows. 
- type: integer - GetUnifiedHistoryResponse: - example: - data: - - actionId: 609c4c66-ba3d-43fa-afdd-53e244577aa0 - agentCount: 5 - errorCount: 0 - id: 3c42c847-eb30-4452-80e0-728584042334 - queryName: uptime_query - queryText: select * from uptime; - source: Live - sourceType: live - successCount: 5 - timestamp: '2024-07-26T09:59:32.220Z' - totalRows: 42 - userId: elastic - - agentCount: 10 - errorCount: 1 - executionCount: 3 - id: pack_my_pack_uptime_3 - packId: 42ba9c50-0cc5-11ed-aa1d-2b27890bc90d - packName: My Pack - plannedTime: '2024-07-26T09:00:00.000Z' - queryName: uptime - queryText: select * from uptime; - scheduleId: pack_my_pack_uptime - source: Scheduled - sourceType: scheduled - successCount: 9 - timestamp: '2024-07-26T09:00:00.000Z' - totalRows: 100 - hasMore: true - nextPage: eyJhY3Rpb25TZWFyY2hBZnRlciI6WzE3... - type: object - properties: - data: - description: The list of unified history rows for the current page. - items: - $ref: '#/components/schemas/UnifiedHistoryRow' - type: array - hasMore: - description: Whether there are more results beyond the current page. - type: boolean - nextPage: - description: >- - A base64-encoded cursor to fetch the next page. Absent when there - are no more results. - type: string - required: - - data - - hasMore Interval: description: An interval, in seconds, on which to run the query. example: '60' 
@@ -1236,72 +831,6 @@ components: example: 'agent.id: 16d7caf5-efd2-4212-9b62-73dafc91fa13' nullable: true type: string - LiveHistoryRow: - allOf: - - $ref: '#/components/schemas/UnifiedHistoryRowBase' - - type: object - properties: - actionId: - description: The Fleet action ID for the live query. - type: string - agentAll: - description: Whether the query targeted all agents. - type: boolean - agentIds: - description: List of targeted agent IDs. - items: - type: string - type: array - agentPlatforms: - description: List of targeted agent platforms. - items: - type: string - type: array - agentPolicyIds: - description: List of targeted agent policy IDs. - items: - type: string - type: array - ecsMapping: - additionalProperties: true - description: ECS mapping configuration used for the query. - type: object - queriesTotal: - description: The total number of sub-queries in the live action. - type: integer - queriesWithResults: - description: The number of sub-queries that returned results. - type: integer - savedQueryId: - description: >- - The saved query ID, if the live query was based on a saved - query. - type: string - source: - description: >- - Whether this was a manually run live query or triggered by a - rule. - enum: - - Live - - Rule - type: string - sourceType: - description: Identifies this as a live query history row. - enum: - - live - type: string - timeout: - description: The query timeout in seconds. - type: integer - userId: - description: The ID of the user who ran the query. - type: string - userProfileUid: - description: The user profile UID of the user who ran the query. - type: string - required: - - sourceType - - source ObjectQueries: additionalProperties: $ref: '#/components/schemas/ObjectQueriesItem' 
@@ -1406,76 +935,6 @@ components: SavedQueryIdOrUndefined: $ref: '#/components/schemas/SavedQueryId' nullable: true - ScheduledActionResultsAggregations: - type: object - properties: - failed: - description: The number of agents that returned errors. - type: integer - pending: - description: The number of agents with pending responses. - type: integer - successful: - description: The number of agents that completed successfully. - type: integer - totalResponded: - description: The total number of agents that responded. - type: integer - totalRowCount: - description: The total number of result rows across all agents. - type: integer - ScheduledExecutionMetadata: - description: Execution metadata resolved from the pack saved object. - type: object - properties: - executionCount: - description: The execution count for this scheduled query run. - type: integer - packId: - description: The ID of the pack containing the query. - type: string - packName: - description: The name of the pack containing the query. - type: string - queryName: - description: The name of the query within the pack. - type: string - queryText: - description: The SQL query that was executed. - type: string - scheduleId: - description: The schedule ID for the scheduled query. - type: string - timestamp: - description: The timestamp of the most recent response for this execution. - type: string - ScheduledHistoryRow: - allOf: - - $ref: '#/components/schemas/UnifiedHistoryRowBase' - - type: object - properties: - executionCount: - description: The execution count for this scheduled query run. - type: integer - plannedTime: - description: The planned execution time for the scheduled query. - type: string - scheduleId: - description: The schedule ID for the scheduled query. - type: string - source: - description: Indicates this is a scheduled query execution. - enum: - - Scheduled - type: string - sourceType: - description: Identifies this as a scheduled query history row. 
- enum: - - scheduled - type: string - required: - - sourceType - - source Shards: additionalProperties: type: number @@ -1506,54 +965,6 @@ components: example: createdAt nullable: true type: string - UnifiedHistoryRow: - oneOf: - - $ref: '#/components/schemas/LiveHistoryRow' - - $ref: '#/components/schemas/ScheduledHistoryRow' - UnifiedHistoryRowBase: - type: object - properties: - agentCount: - description: The number of agents targeted by the query. - type: integer - errorCount: - description: The number of agent responses with errors. - nullable: true - type: integer - id: - description: Unique identifier for the history row. - type: string - packId: - description: The ID of the pack containing the query. - type: string - packName: - description: The name of the pack containing the query. - type: string - queryName: - description: The name of the query, if available. - type: string - queryText: - description: The SQL query that was executed. - type: string - spaceId: - description: The Kibana space ID where the query was executed. - type: string - successCount: - description: The number of successful agent responses. - nullable: true - type: integer - timestamp: - description: The timestamp of the query execution. - type: string - totalRows: - description: The total number of result rows returned across all agents. - nullable: true - type: integer - required: - - id - - timestamp - - queryText - - agentCount UpdatePacksRequestBody: example: name: updated_my_pack_name From f3f154ca8f9340b5103fda51248dccbfde08981f Mon Sep 17 00:00:00 2001 From: kibanamachine <42973632+kibanamachine@users.noreply.github.com> Date: Mon, 13 Apr 2026 16:32:21 +0000 Subject: [PATCH 7/7] Changes from make api-docs --- oas_docs/output/kibana.serverless.yaml | 613 ------------------------- oas_docs/output/kibana.yaml | 613 ------------------------- 2 files changed, 1226 deletions(-) 
diff --git a/oas_docs/output/kibana.serverless.yaml b/oas_docs/output/kibana.serverless.yaml index 5a8590962158b..f219e2806bcf6 100644 --- a/oas_docs/output/kibana.serverless.yaml +++ b/oas_docs/output/kibana.serverless.yaml @@ -56386,80 +56386,6 @@ paths: x-metaTags: - content: Kibana, Elastic Cloud Serverless name: product_name - /api/osquery/history: - get: - description: | - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/osquery/history
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get a unified, time-sorted history of live, rule-triggered, and scheduled osquery executions. The response uses cursor-based pagination. - operationId: OsqueryGetUnifiedHistory - parameters: - - in: query - name: pageSize - required: false - schema: - default: 20 - description: The number of results to return per page. - maximum: 100 - minimum: 1 - type: integer - - in: query - name: nextPage - required: false - schema: - description: A base64-encoded cursor for pagination. Use the value from the previous response to fetch the next page. - type: string - - in: query - name: kuery - required: false - schema: - description: A search string to filter history entries by pack name, query text, or query ID. - type: string - - in: query - name: userIds - required: false - schema: - description: Comma-separated list of user IDs to filter live query history. - example: elastic,admin - type: string - - in: query - name: sourceFilters - required: false - schema: - description: Comma-separated list of source types to include. Valid values are `live`, `rule`, and `scheduled`. - example: live,scheduled - type: string - - in: query - name: startDate - required: false - schema: - description: The start of the time range filter (ISO 8601). - example: '2024-01-01T00:00:00Z' - type: string - - in: query - name: endDate - required: false - schema: - description: The end of the time range filter (ISO 8601). - example: '2024-12-31T23:59:59Z' - type: string - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/Security_Osquery_API_GetUnifiedHistoryResponse' - description: OK - summary: Get unified query history - tags: - - Security Osquery API - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name /api/osquery/live_queries: get: description: |- 
@@ -56807,36 +56733,6 @@ paths: x-metaTags: - content: Kibana, Elastic Cloud Serverless name: product_name - /api/osquery/packs/{id}/copy: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/osquery/packs/{id}/copy
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Create a copy of a query pack with a unique name by appending a `_copy` suffix. If the name already exists, a numeric suffix is added (e.g., `_copy_2`). The copied pack is always created with `enabled` set to `false`. - operationId: OsqueryCopyPacks - parameters: - - in: path - name: id - required: true - schema: - $ref: '#/components/schemas/Security_Osquery_API_PackId' - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/Security_Osquery_API_CopyPacksResponse' - description: OK - summary: Copy a pack - tags: - - Security Osquery API - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name /api/osquery/saved_queries: get: description: |- @@ -57007,171 +56903,6 @@ paths: x-metaTags: - content: Kibana, Elastic Cloud Serverless name: product_name - /api/osquery/saved_queries/{id}/copy: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/osquery/saved_queries/{id}/copy
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Create a copy of a saved query with a unique name by appending a `_copy` suffix. If the name already exists, a numeric suffix is added (e.g., `_copy_2`). - operationId: OsqueryCopySavedQuery - parameters: - - in: path - name: id - required: true - schema: - $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/Security_Osquery_API_CopySavedQueryResponse' - description: OK - summary: Copy a saved query - tags: - - Security Osquery API - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/osquery/scheduled_results/{scheduleId}/{executionCount}: - get: - description: | - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/osquery/scheduled_results/{scheduleId}/{executionCount}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get paginated per-agent action results for a specific scheduled query execution, with success/failure aggregation and execution metadata (pack name, query name/text, timestamp). - operationId: OsqueryGetScheduledActionResults - parameters: - - in: path - name: scheduleId - required: true - schema: - description: The schedule ID of the scheduled query. - example: pack_my_pack_uptime - type: string - - in: path - name: executionCount - required: true - schema: - description: The execution count for this scheduled query run. - example: 3 - type: integer - - in: query - name: kuery - required: false - schema: - $ref: '#/components/schemas/Security_Osquery_API_KueryOrUndefined' - - in: query - name: page - required: false - schema: - $ref: '#/components/schemas/Security_Osquery_API_PageOrUndefined' - - in: query - name: pageSize - required: false - schema: - $ref: '#/components/schemas/Security_Osquery_API_PageSizeOrUndefined' - - in: query - name: sort - required: false - schema: - $ref: '#/components/schemas/Security_Osquery_API_SortOrUndefined' - - in: query - name: sortOrder - required: false - schema: - $ref: '#/components/schemas/Security_Osquery_API_SortOrderOrUndefined' - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/Security_Osquery_API_GetScheduledActionResultsResponse' - description: OK - summary: Get scheduled action results - tags: - - Security Osquery API - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name - /api/osquery/scheduled_results/{scheduleId}/{executionCount}/results: - get: - description: | - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/osquery/scheduled_results/{scheduleId}/{executionCount}/results
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get paginated query result rows (the actual osquery output data) for a specific scheduled query execution. - operationId: OsqueryGetScheduledQueryResults - parameters: - - in: path - name: scheduleId - required: true - schema: - description: The schedule ID of the scheduled query. - example: pack_my_pack_uptime - type: string - - in: path - name: executionCount - required: true - schema: - description: The execution count for this scheduled query run. - example: 3 - type: integer - - in: query - name: kuery - required: false - schema: - $ref: '#/components/schemas/Security_Osquery_API_KueryOrUndefined' - - in: query - name: page - required: false - schema: - $ref: '#/components/schemas/Security_Osquery_API_PageOrUndefined' - - in: query - name: pageSize - required: false - schema: - $ref: '#/components/schemas/Security_Osquery_API_PageSizeOrUndefined' - - in: query - name: sort - required: false - schema: - $ref: '#/components/schemas/Security_Osquery_API_SortOrUndefined' - - in: query - name: sortOrder - required: false - schema: - $ref: '#/components/schemas/Security_Osquery_API_SortOrderOrUndefined' - - in: query - name: startDate - required: false - schema: - description: The start date filter (ISO 8601) to narrow down results. - example: '2024-01-01T00:00:00Z' - type: string - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/Security_Osquery_API_GetScheduledQueryResultsResponse' - description: OK - summary: Get scheduled query results - tags: - - Security Osquery API - x-metaTags: - - content: Kibana, Elastic Cloud Serverless - name: product_name /api/pinned_event: patch: description: |- 
@@ -99403,49 +99134,6 @@ components: $ref: '#/components/schemas/Security_Osquery_API_Snapshot' version: $ref: '#/components/schemas/Security_Osquery_API_Version' - Security_Osquery_API_CopyPacksResponse: - example: - data: - created_at: '2025-02-26T13:37:30.452Z' - created_by: elastic - description: My pack - enabled: false - name: my_pack_copy - queries: - ports: - ecs_mapping: - client.port: - field: port - interval: 60 - query: SELECT * FROM listening_ports; - removed: false - snapshot: true - timeout: 120 - saved_object_id: 1c266590-381f-428c-878f-c80c1334f856 - shards: {} - updated_at: '2025-02-26T13:37:30.452Z' - updated_by: elastic - type: object - properties: {} - Security_Osquery_API_CopySavedQueryResponse: - example: - data: - created_at: '2025-02-26T13:37:30.452Z' - created_by: elastic - description: Saved query description - ecs_mapping: - host.uptime: - field: total_seconds - id: my_saved_query_copy - interval: '60' - platform: linux,darwin - query: select * from uptime; - saved_object_id: 42ba1280-2172-11ee-8523-5765fca79a3c - updated_at: '2025-02-26T13:37:30.452Z' - updated_by: elastic - version: 2.8.0 - type: object - properties: {} Security_Osquery_API_CreateLiveQueryRequestBody: example: agent_all: true 
@@ -99849,127 +99537,6 @@ components: total: 2 type: object properties: {} - Security_Osquery_API_GetScheduledActionResultsResponse: - example: - aggregations: - failed: 1 - pending: 0 - successful: 9 - totalResponded: 10 - totalRowCount: 42 - currentPage: 0 - edges: - - {} - metadata: - executionCount: 3 - packId: 42ba9c50-0cc5-11ed-aa1d-2b27890bc90d - packName: My Pack - queryName: uptime - queryText: select * from uptime; - scheduleId: pack_my_pack_uptime - timestamp: '2024-07-26T09:00:00.000Z' - pageSize: 20 - total: 10 - totalPages: 1 - type: object - properties: - aggregations: - $ref: '#/components/schemas/Security_Osquery_API_ScheduledActionResultsAggregations' - currentPage: - description: The current page number (zero-based). - type: integer - edges: - description: The paginated list of per-agent action results. - items: - type: object - type: array - inspect: - description: Debug/inspection data for the search query. - type: object - metadata: - $ref: '#/components/schemas/Security_Osquery_API_ScheduledExecutionMetadata' - pageSize: - description: The number of results per page. - type: integer - total: - description: The total number of action results. - type: integer - totalPages: - description: The total number of pages. - type: integer - Security_Osquery_API_GetScheduledQueryResultsResponse: - description: The response for getting scheduled query results. - example: - data: - edges: - - {} - - {} - total: 2 - type: object - properties: - data: - description: The query results data wrapper. - type: object - properties: - edges: - description: The paginated list of query result rows. - items: - type: object - type: array - inspect: - description: Debug/inspection data for the search query. - type: object - total: - description: The total number of result rows. 
- type: integer - Security_Osquery_API_GetUnifiedHistoryResponse: - example: - data: - - actionId: 609c4c66-ba3d-43fa-afdd-53e244577aa0 - agentCount: 5 - errorCount: 0 - id: 3c42c847-eb30-4452-80e0-728584042334 - queryName: uptime_query - queryText: select * from uptime; - source: Live - sourceType: live - successCount: 5 - timestamp: '2024-07-26T09:59:32.220Z' - totalRows: 42 - userId: elastic - - agentCount: 10 - errorCount: 1 - executionCount: 3 - id: pack_my_pack_uptime_3 - packId: 42ba9c50-0cc5-11ed-aa1d-2b27890bc90d - packName: My Pack - plannedTime: '2024-07-26T09:00:00.000Z' - queryName: uptime - queryText: select * from uptime; - scheduleId: pack_my_pack_uptime - source: Scheduled - sourceType: scheduled - successCount: 9 - timestamp: '2024-07-26T09:00:00.000Z' - totalRows: 100 - hasMore: true - nextPage: eyJhY3Rpb25TZWFyY2hBZnRlciI6WzE3... - type: object - properties: - data: - description: The list of unified history rows for the current page. - items: - $ref: '#/components/schemas/Security_Osquery_API_UnifiedHistoryRow' - type: array - hasMore: - description: Whether there are more results beyond the current page. - type: boolean - nextPage: - description: A base64-encoded cursor to fetch the next page. Absent when there are no more results. - type: string - required: - - data - - hasMore Security_Osquery_API_Interval: description: An interval, in seconds, on which to run the query. example: '60' 
@@ -99982,68 +99549,6 @@ components: example: 'agent.id: 16d7caf5-efd2-4212-9b62-73dafc91fa13' nullable: true type: string - Security_Osquery_API_LiveHistoryRow: - allOf: - - $ref: '#/components/schemas/Security_Osquery_API_UnifiedHistoryRowBase' - - type: object - properties: - actionId: - description: The Fleet action ID for the live query. - type: string - agentAll: - description: Whether the query targeted all agents. - type: boolean - agentIds: - description: List of targeted agent IDs. - items: - type: string - type: array - agentPlatforms: - description: List of targeted agent platforms. - items: - type: string - type: array - agentPolicyIds: - description: List of targeted agent policy IDs. - items: - type: string - type: array - ecsMapping: - additionalProperties: true - description: ECS mapping configuration used for the query. - type: object - queriesTotal: - description: The total number of sub-queries in the live action. - type: integer - queriesWithResults: - description: The number of sub-queries that returned results. - type: integer - savedQueryId: - description: The saved query ID, if the live query was based on a saved query. - type: string - source: - description: Whether this was a manually run live query or triggered by a rule. - enum: - - Live - - Rule - type: string - sourceType: - description: Identifies this as a live query history row. - enum: - - live - type: string - timeout: - description: The query timeout in seconds. - type: integer - userId: - description: The ID of the user who ran the query. - type: string - userProfileUid: - description: The user profile UID of the user who ran the query. - type: string - required: - - sourceType - - source Security_Osquery_API_ObjectQueries: additionalProperties: $ref: '#/components/schemas/Security_Osquery_API_ObjectQueriesItem' 
@@ -100145,76 +99650,6 @@ components: Security_Osquery_API_SavedQueryIdOrUndefined: $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' nullable: true - Security_Osquery_API_ScheduledActionResultsAggregations: - type: object - properties: - failed: - description: The number of agents that returned errors. - type: integer - pending: - description: The number of agents with pending responses. - type: integer - successful: - description: The number of agents that completed successfully. - type: integer - totalResponded: - description: The total number of agents that responded. - type: integer - totalRowCount: - description: The total number of result rows across all agents. - type: integer - Security_Osquery_API_ScheduledExecutionMetadata: - description: Execution metadata resolved from the pack saved object. - type: object - properties: - executionCount: - description: The execution count for this scheduled query run. - type: integer - packId: - description: The ID of the pack containing the query. - type: string - packName: - description: The name of the pack containing the query. - type: string - queryName: - description: The name of the query within the pack. - type: string - queryText: - description: The SQL query that was executed. - type: string - scheduleId: - description: The schedule ID for the scheduled query. - type: string - timestamp: - description: The timestamp of the most recent response for this execution. - type: string - Security_Osquery_API_ScheduledHistoryRow: - allOf: - - $ref: '#/components/schemas/Security_Osquery_API_UnifiedHistoryRowBase' - - type: object - properties: - executionCount: - description: The execution count for this scheduled query run. - type: integer - plannedTime: - description: The planned execution time for the scheduled query. - type: string - scheduleId: - description: The schedule ID for the scheduled query. - type: string - source: - description: Indicates this is a scheduled query execution. 
- enum: - - Scheduled - type: string - sourceType: - description: Identifies this as a scheduled query history row. - enum: - - scheduled - type: string - required: - - sourceType - - source Security_Osquery_API_Shards: additionalProperties: type: number @@ -100242,54 +99677,6 @@ components: example: createdAt nullable: true type: string - Security_Osquery_API_UnifiedHistoryRow: - oneOf: - - $ref: '#/components/schemas/Security_Osquery_API_LiveHistoryRow' - - $ref: '#/components/schemas/Security_Osquery_API_ScheduledHistoryRow' - Security_Osquery_API_UnifiedHistoryRowBase: - type: object - properties: - agentCount: - description: The number of agents targeted by the query. - type: integer - errorCount: - description: The number of agent responses with errors. - nullable: true - type: integer - id: - description: Unique identifier for the history row. - type: string - packId: - description: The ID of the pack containing the query. - type: string - packName: - description: The name of the pack containing the query. - type: string - queryName: - description: The name of the query, if available. - type: string - queryText: - description: The SQL query that was executed. - type: string - spaceId: - description: The Kibana space ID where the query was executed. - type: string - successCount: - description: The number of successful agent responses. - nullable: true - type: integer - timestamp: - description: The timestamp of the query execution. - type: string - totalRows: - description: The total number of result rows returned across all agents. - nullable: true - type: integer - required: - - id - - timestamp - - queryText - - agentCount Security_Osquery_API_UpdatePacksRequestBody: example: name: updated_my_pack_name diff --git a/oas_docs/output/kibana.yaml b/oas_docs/output/kibana.yaml index 140dc0c913a65..a93a6c87b37c4 100644 --- a/oas_docs/output/kibana.yaml +++ b/oas_docs/output/kibana.yaml 
@@ -59442,80 +59442,6 @@ paths: x-metaTags: - content: Kibana name: product_name - /api/osquery/history: - get: - description: | - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/osquery/history
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get a unified, time-sorted history of live, rule-triggered, and scheduled osquery executions. The response uses cursor-based pagination. - operationId: OsqueryGetUnifiedHistory - parameters: - - in: query - name: pageSize - required: false - schema: - default: 20 - description: The number of results to return per page. - maximum: 100 - minimum: 1 - type: integer - - in: query - name: nextPage - required: false - schema: - description: A base64-encoded cursor for pagination. Use the value from the previous response to fetch the next page. - type: string - - in: query - name: kuery - required: false - schema: - description: A search string to filter history entries by pack name, query text, or query ID. - type: string - - in: query - name: userIds - required: false - schema: - description: Comma-separated list of user IDs to filter live query history. - example: elastic,admin - type: string - - in: query - name: sourceFilters - required: false - schema: - description: Comma-separated list of source types to include. Valid values are `live`, `rule`, and `scheduled`. - example: live,scheduled - type: string - - in: query - name: startDate - required: false - schema: - description: The start of the time range filter (ISO 8601). - example: '2024-01-01T00:00:00Z' - type: string - - in: query - name: endDate - required: false - schema: - description: The end of the time range filter (ISO 8601). - example: '2024-12-31T23:59:59Z' - type: string - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/Security_Osquery_API_GetUnifiedHistoryResponse' - description: OK - summary: Get unified query history - tags: - - Security Osquery API - x-metaTags: - - content: Kibana - name: product_name /api/osquery/live_queries: get: description: |- 
@@ -59863,36 +59789,6 @@ paths: x-metaTags: - content: Kibana name: product_name - /api/osquery/packs/{id}/copy: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/osquery/packs/{id}/copy
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Create a copy of a query pack with a unique name by appending a `_copy` suffix. If the name already exists, a numeric suffix is added (e.g., `_copy_2`). The copied pack is always created with `enabled` set to `false`. - operationId: OsqueryCopyPacks - parameters: - - in: path - name: id - required: true - schema: - $ref: '#/components/schemas/Security_Osquery_API_PackId' - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/Security_Osquery_API_CopyPacksResponse' - description: OK - summary: Copy a pack - tags: - - Security Osquery API - x-metaTags: - - content: Kibana - name: product_name /api/osquery/saved_queries: get: description: |- @@ -60063,171 +59959,6 @@ paths: x-metaTags: - content: Kibana name: product_name - /api/osquery/saved_queries/{id}/copy: - post: - description: |- - **Spaces method and path for this operation:** - -
post /s/{space_id}/api/osquery/saved_queries/{id}/copy
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Create a copy of a saved query with a unique name by appending a `_copy` suffix. If the name already exists, a numeric suffix is added (e.g., `_copy_2`). - operationId: OsqueryCopySavedQuery - parameters: - - in: path - name: id - required: true - schema: - $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/Security_Osquery_API_CopySavedQueryResponse' - description: OK - summary: Copy a saved query - tags: - - Security Osquery API - x-metaTags: - - content: Kibana - name: product_name - /api/osquery/scheduled_results/{scheduleId}/{executionCount}: - get: - description: | - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/osquery/scheduled_results/{scheduleId}/{executionCount}
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get paginated per-agent action results for a specific scheduled query execution, with success/failure aggregation and execution metadata (pack name, query name/text, timestamp). - operationId: OsqueryGetScheduledActionResults - parameters: - - in: path - name: scheduleId - required: true - schema: - description: The schedule ID of the scheduled query. - example: pack_my_pack_uptime - type: string - - in: path - name: executionCount - required: true - schema: - description: The execution count for this scheduled query run. - example: 3 - type: integer - - in: query - name: kuery - required: false - schema: - $ref: '#/components/schemas/Security_Osquery_API_KueryOrUndefined' - - in: query - name: page - required: false - schema: - $ref: '#/components/schemas/Security_Osquery_API_PageOrUndefined' - - in: query - name: pageSize - required: false - schema: - $ref: '#/components/schemas/Security_Osquery_API_PageSizeOrUndefined' - - in: query - name: sort - required: false - schema: - $ref: '#/components/schemas/Security_Osquery_API_SortOrUndefined' - - in: query - name: sortOrder - required: false - schema: - $ref: '#/components/schemas/Security_Osquery_API_SortOrderOrUndefined' - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/Security_Osquery_API_GetScheduledActionResultsResponse' - description: OK - summary: Get scheduled action results - tags: - - Security Osquery API - x-metaTags: - - content: Kibana - name: product_name - /api/osquery/scheduled_results/{scheduleId}/{executionCount}/results: - get: - description: | - **Spaces method and path for this operation:** - -
get /s/{space_id}/api/osquery/scheduled_results/{scheduleId}/{executionCount}/results
- - Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information. - - Get paginated query result rows (the actual osquery output data) for a specific scheduled query execution. - operationId: OsqueryGetScheduledQueryResults - parameters: - - in: path - name: scheduleId - required: true - schema: - description: The schedule ID of the scheduled query. - example: pack_my_pack_uptime - type: string - - in: path - name: executionCount - required: true - schema: - description: The execution count for this scheduled query run. - example: 3 - type: integer - - in: query - name: kuery - required: false - schema: - $ref: '#/components/schemas/Security_Osquery_API_KueryOrUndefined' - - in: query - name: page - required: false - schema: - $ref: '#/components/schemas/Security_Osquery_API_PageOrUndefined' - - in: query - name: pageSize - required: false - schema: - $ref: '#/components/schemas/Security_Osquery_API_PageSizeOrUndefined' - - in: query - name: sort - required: false - schema: - $ref: '#/components/schemas/Security_Osquery_API_SortOrUndefined' - - in: query - name: sortOrder - required: false - schema: - $ref: '#/components/schemas/Security_Osquery_API_SortOrderOrUndefined' - - in: query - name: startDate - required: false - schema: - description: The start date filter (ISO 8601) to narrow down results. - example: '2024-01-01T00:00:00Z' - type: string - responses: - '200': - content: - application/json: - schema: - $ref: '#/components/schemas/Security_Osquery_API_GetScheduledQueryResultsResponse' - description: OK - summary: Get scheduled query results - tags: - - Security Osquery API - x-metaTags: - - content: Kibana - name: product_name /api/pinned_event: patch: description: |- 
@@ -110599,49 +110330,6 @@ components: $ref: '#/components/schemas/Security_Osquery_API_Snapshot' version: $ref: '#/components/schemas/Security_Osquery_API_Version' - Security_Osquery_API_CopyPacksResponse: - example: - data: - created_at: '2025-02-26T13:37:30.452Z' - created_by: elastic - description: My pack - enabled: false - name: my_pack_copy - queries: - ports: - ecs_mapping: - client.port: - field: port - interval: 60 - query: SELECT * FROM listening_ports; - removed: false - snapshot: true - timeout: 120 - saved_object_id: 1c266590-381f-428c-878f-c80c1334f856 - shards: {} - updated_at: '2025-02-26T13:37:30.452Z' - updated_by: elastic - type: object - properties: {} - Security_Osquery_API_CopySavedQueryResponse: - example: - data: - created_at: '2025-02-26T13:37:30.452Z' - created_by: elastic - description: Saved query description - ecs_mapping: - host.uptime: - field: total_seconds - id: my_saved_query_copy - interval: '60' - platform: linux,darwin - query: select * from uptime; - saved_object_id: 42ba1280-2172-11ee-8523-5765fca79a3c - updated_at: '2025-02-26T13:37:30.452Z' - updated_by: elastic - version: 2.8.0 - type: object - properties: {} Security_Osquery_API_CreateLiveQueryRequestBody: example: agent_all: true 
@@ -111045,127 +110733,6 @@ components: total: 2 type: object properties: {} - Security_Osquery_API_GetScheduledActionResultsResponse: - example: - aggregations: - failed: 1 - pending: 0 - successful: 9 - totalResponded: 10 - totalRowCount: 42 - currentPage: 0 - edges: - - {} - metadata: - executionCount: 3 - packId: 42ba9c50-0cc5-11ed-aa1d-2b27890bc90d - packName: My Pack - queryName: uptime - queryText: select * from uptime; - scheduleId: pack_my_pack_uptime - timestamp: '2024-07-26T09:00:00.000Z' - pageSize: 20 - total: 10 - totalPages: 1 - type: object - properties: - aggregations: - $ref: '#/components/schemas/Security_Osquery_API_ScheduledActionResultsAggregations' - currentPage: - description: The current page number (zero-based). - type: integer - edges: - description: The paginated list of per-agent action results. - items: - type: object - type: array - inspect: - description: Debug/inspection data for the search query. - type: object - metadata: - $ref: '#/components/schemas/Security_Osquery_API_ScheduledExecutionMetadata' - pageSize: - description: The number of results per page. - type: integer - total: - description: The total number of action results. - type: integer - totalPages: - description: The total number of pages. - type: integer - Security_Osquery_API_GetScheduledQueryResultsResponse: - description: The response for getting scheduled query results. - example: - data: - edges: - - {} - - {} - total: 2 - type: object - properties: - data: - description: The query results data wrapper. - type: object - properties: - edges: - description: The paginated list of query result rows. - items: - type: object - type: array - inspect: - description: Debug/inspection data for the search query. - type: object - total: - description: The total number of result rows. 
- type: integer - Security_Osquery_API_GetUnifiedHistoryResponse: - example: - data: - - actionId: 609c4c66-ba3d-43fa-afdd-53e244577aa0 - agentCount: 5 - errorCount: 0 - id: 3c42c847-eb30-4452-80e0-728584042334 - queryName: uptime_query - queryText: select * from uptime; - source: Live - sourceType: live - successCount: 5 - timestamp: '2024-07-26T09:59:32.220Z' - totalRows: 42 - userId: elastic - - agentCount: 10 - errorCount: 1 - executionCount: 3 - id: pack_my_pack_uptime_3 - packId: 42ba9c50-0cc5-11ed-aa1d-2b27890bc90d - packName: My Pack - plannedTime: '2024-07-26T09:00:00.000Z' - queryName: uptime - queryText: select * from uptime; - scheduleId: pack_my_pack_uptime - source: Scheduled - sourceType: scheduled - successCount: 9 - timestamp: '2024-07-26T09:00:00.000Z' - totalRows: 100 - hasMore: true - nextPage: eyJhY3Rpb25TZWFyY2hBZnRlciI6WzE3... - type: object - properties: - data: - description: The list of unified history rows for the current page. - items: - $ref: '#/components/schemas/Security_Osquery_API_UnifiedHistoryRow' - type: array - hasMore: - description: Whether there are more results beyond the current page. - type: boolean - nextPage: - description: A base64-encoded cursor to fetch the next page. Absent when there are no more results. - type: string - required: - - data - - hasMore Security_Osquery_API_Interval: description: An interval, in seconds, on which to run the query. example: '60' 
@@ -111178,68 +110745,6 @@ components: example: 'agent.id: 16d7caf5-efd2-4212-9b62-73dafc91fa13' nullable: true type: string - Security_Osquery_API_LiveHistoryRow: - allOf: - - $ref: '#/components/schemas/Security_Osquery_API_UnifiedHistoryRowBase' - - type: object - properties: - actionId: - description: The Fleet action ID for the live query. - type: string - agentAll: - description: Whether the query targeted all agents. - type: boolean - agentIds: - description: List of targeted agent IDs. - items: - type: string - type: array - agentPlatforms: - description: List of targeted agent platforms. - items: - type: string - type: array - agentPolicyIds: - description: List of targeted agent policy IDs. - items: - type: string - type: array - ecsMapping: - additionalProperties: true - description: ECS mapping configuration used for the query. - type: object - queriesTotal: - description: The total number of sub-queries in the live action. - type: integer - queriesWithResults: - description: The number of sub-queries that returned results. - type: integer - savedQueryId: - description: The saved query ID, if the live query was based on a saved query. - type: string - source: - description: Whether this was a manually run live query or triggered by a rule. - enum: - - Live - - Rule - type: string - sourceType: - description: Identifies this as a live query history row. - enum: - - live - type: string - timeout: - description: The query timeout in seconds. - type: integer - userId: - description: The ID of the user who ran the query. - type: string - userProfileUid: - description: The user profile UID of the user who ran the query. - type: string - required: - - sourceType - - source Security_Osquery_API_ObjectQueries: additionalProperties: $ref: '#/components/schemas/Security_Osquery_API_ObjectQueriesItem' 
@@ -111341,76 +110846,6 @@ components: Security_Osquery_API_SavedQueryIdOrUndefined: $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' nullable: true - Security_Osquery_API_ScheduledActionResultsAggregations: - type: object - properties: - failed: - description: The number of agents that returned errors. - type: integer - pending: - description: The number of agents with pending responses. - type: integer - successful: - description: The number of agents that completed successfully. - type: integer - totalResponded: - description: The total number of agents that responded. - type: integer - totalRowCount: - description: The total number of result rows across all agents. - type: integer - Security_Osquery_API_ScheduledExecutionMetadata: - description: Execution metadata resolved from the pack saved object. - type: object - properties: - executionCount: - description: The execution count for this scheduled query run. - type: integer - packId: - description: The ID of the pack containing the query. - type: string - packName: - description: The name of the pack containing the query. - type: string - queryName: - description: The name of the query within the pack. - type: string - queryText: - description: The SQL query that was executed. - type: string - scheduleId: - description: The schedule ID for the scheduled query. - type: string - timestamp: - description: The timestamp of the most recent response for this execution. - type: string - Security_Osquery_API_ScheduledHistoryRow: - allOf: - - $ref: '#/components/schemas/Security_Osquery_API_UnifiedHistoryRowBase' - - type: object - properties: - executionCount: - description: The execution count for this scheduled query run. - type: integer - plannedTime: - description: The planned execution time for the scheduled query. - type: string - scheduleId: - description: The schedule ID for the scheduled query. - type: string - source: - description: Indicates this is a scheduled query execution. 
- enum: - - Scheduled - type: string - sourceType: - description: Identifies this as a scheduled query history row. - enum: - - scheduled - type: string - required: - - sourceType - - source Security_Osquery_API_Shards: additionalProperties: type: number @@ -111438,54 +110873,6 @@ components: example: createdAt nullable: true type: string - Security_Osquery_API_UnifiedHistoryRow: - oneOf: - - $ref: '#/components/schemas/Security_Osquery_API_LiveHistoryRow' - - $ref: '#/components/schemas/Security_Osquery_API_ScheduledHistoryRow' - Security_Osquery_API_UnifiedHistoryRowBase: - type: object - properties: - agentCount: - description: The number of agents targeted by the query. - type: integer - errorCount: - description: The number of agent responses with errors. - nullable: true - type: integer - id: - description: Unique identifier for the history row. - type: string - packId: - description: The ID of the pack containing the query. - type: string - packName: - description: The name of the pack containing the query. - type: string - queryName: - description: The name of the query, if available. - type: string - queryText: - description: The SQL query that was executed. - type: string - spaceId: - description: The Kibana space ID where the query was executed. - type: string - successCount: - description: The number of successful agent responses. - nullable: true - type: integer - timestamp: - description: The timestamp of the query execution. - type: string - totalRows: - description: The total number of result rows returned across all agents. - nullable: true - type: integer - required: - - id - - timestamp - - queryText - - agentCount Security_Osquery_API_UpdatePacksRequestBody: example: name: updated_my_pack_name