Osquery Manager Feedback - OSQuery manager API needed for automatically downloading Elastic packs

joedissmeyer · September 15, 2022, 8:13pm

Hello!

Is there a Kibana API I can use to automatically download and install the Elastic created OSquery manager packs? There are several APIs available documented here, Osquery manager API | Kibana Guide [8.4] | Elastic, but none achieve my goal of downloading the Elastic packs automatically.

For context: Without having an API to trigger automatically loading OSquery packs I will not be able to automate this step when enabling Elastic Security and the OSquery manager integration on 24 of my production clusters. Instead I will have to manually log into each individual cluster Kibana UI, manage the OSquery manager integration, then click the "load elastic created packs" button. Minor annoyance, but not a deal breaker.

James_B · September 16, 2022, 5:24pm

Hey Joe,

I spoke with the team and tested out (using curl) an authenticated POST to https://<kibana_url>/internal/osquery/assets/update. That POST requested installed the packages that are shipped by Elastic's OSquery manager integration so you wouldn't have to log into all of your clusters.

A sample response that I received from the POST:
{"install":[{"id":"osquery_manager-07fe8000-a6df-11ec-b2f9-c732a3845c54","type":"osquery-pack-asset"},{"id":"osquery_manager-35f10af0-a6df-11ec-b2f9-c732a3845c54","type":"osquery-pack-asset"},{"id":"osquery_manager-1fc03210-a6df-11ec-b2f9-c732a3845c54","type":"osquery-pack-asset"},{"id":"osquery_manager-135ccf10-a6df-11ec-b2f9-c732a3845c54","type":"osquery-pack-asset"},{"id":"osquery_manager-3b28cc10-a6df-11ec-b2f9-c732a3845c54","type":"osquery-pack-asset"},{"id":"osquery_manager-0c09a800-a6df-11ec-b2f9-c732a3845c54","type":"osquery-pack-asset"},{"id":"osquery_manager-0f652f10-a6df-11ec-b2f9-c732a3845c54","type":"osquery-pack-asset"},{"id":"osquery_manager-190860a0-a6df-11ec-b2f9-c732a3845c54","type":"osquery-pack-asset"},{"id":"osquery_manager-03e88290-a6df-11ec-b2f9-c732a3845c54","type":"osquery-pack-asset"},{"id":"osquery_manager-3f96fba0-a6df-11ec-b2f9-c732a3845c54","type":"osquery-pack-asset"}],"update":[],"upToDate":[]}

Thanks for reaching out! Let us know if you have any other questions.

joedissmeyer · September 16, 2022, 7:36pm

Thank you for this!

system · October 14, 2022, 7:37pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.