stack kb security-osquery-api osquery-create-live-query cli command

Auth required
elastic stack kb security-osquery-api osquery-create-live-query [options]
Create a live query

Behaviour flags:

--dry-run
Validate all inputs and exit without performing any action.

--[no-]agent-all
When true, the query runs on all agents.
--agent-ids string[]
A list of agent IDs to run the query on.
--agent-platforms string[]
A list of agent platforms to run the query on.
--agent-policy-ids string[]
A list of agent policy IDs to run the query on.
--alert-ids string[]
A list of alert IDs associated with the live query.
--case-ids string[]
A list of case IDs associated with the live query.
--ecs-mapping string
Map osquery result columns or static values to Elastic Common Schema (ECS) fields.
--event-ids string[]
A list of event IDs associated with the live query.
--metadata string
Custom metadata object associated with the live query.
--pack-id string
The ID of the pack you want to run, retrieve, update, or delete.
--queries string[]
An array of queries to run.
--query string
The SQL query you want to run.
--saved-query-id string
The ID of a saved query.
--input-file string
Path to a JSON file to use as command input.
--[no-]dry-run
Validate all inputs and exit without performing any action (preview changes without applying them).
--[no-]json
Output as JSON.
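The following is an added example, not part of the Elastic reference above. It shows how a responder would prepare a `--input-file` for this command that targets a specific set of agents and maps osquery result columns (and one static value) onto ECS fields, then validates it with `--dry-run` before any agent executes the query. The snake_case key names in the JSON (`query`, `agent_ids`, `ecs_mapping`, `metadata`) are an assumption modelled on the flag names in the reference; the agent ID and ticket value are constructed placeholders. The `elastic` invocation is skipped when the CLI is not installed so the script runs offline.

```shell
#!/bin/sh
# Added example, not from the Elastic docs: build an input file for
#   elastic stack kb security-osquery-api osquery-create-live-query --input-file
# and run it through --dry-run before the real call.
#
# ASSUMPTION: the input file uses snake_case versions of the CLI flag names
# (query, agent_ids, ecs_mapping, metadata). Confirm against the CLI's own
# help output if the key names differ in your version.

# Write a live-query input file. $1 = output path.
# The query looks for processes whose executable lives under /tmp, and the
# ECS mapping turns raw osquery columns into process.* fields so the results
# line up with other endpoint data. "field" maps a result column; "value"
# sets a static value, as the --ecs-mapping description allows.
build_live_query_input() {
  out="$1"
  cat > "$out" <<'EOF'
{
  "query": "SELECT name, path, pid, parent FROM processes WHERE path LIKE '/tmp/%';",
  "agent_ids": ["00000000-0000-4000-8000-000000000001"],
  "ecs_mapping": {
    "process.name":       { "field": "name" },
    "process.executable": { "field": "path" },
    "process.pid":        { "field": "pid" },
    "process.parent.pid": { "field": "parent" },
    "event.category":     { "value": "process" }
  },
  "metadata": { "purpose": "hunt-tmp-executables", "ticket": "PLACEHOLDER-123" }
}
EOF
  # Local sanity check that needs no CLI: the file carries a query and
  # exactly one targeting method (agent_ids here; agent_all/agent_platforms/
  # agent_policy_ids are the alternatives the command offers).
  grep -q '"query"' "$out" && grep -q '"agent_ids"' "$out"
}

# Dry-run first (inputs validated, nothing executed on agents), then the real
# call. Returns 0 without doing anything when the elastic CLI is absent.
run_live_query() {
  input="$1"
  if command -v elastic >/dev/null 2>&1; then
    elastic stack kb security-osquery-api osquery-create-live-query \
      --input-file "$input" --dry-run --json || return 1
    elastic stack kb security-osquery-api osquery-create-live-query \
      --input-file "$input" --json
  else
    echo "elastic CLI not found; input file prepared at $input" >&2
    return 0
  fi
}

# Stand-alone usage: write the file to $1 or a temp location, then run.
input_path="${1:-${TMPDIR:-/tmp}/live_query_input.json}"
build_live_query_input "$input_path" && run_live_query "$input_path"
```

Keeping the query, targeting and ECS mapping in a reviewed input file rather than on the command line makes the live query reproducible and easy to attach to the case or alert it relates to (`case_ids`, `alert_ids`), and the `--dry-run` pass catches a malformed mapping before anything is pushed to agents.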