Create Live Query - Orbital API

{"type":"api","title":"Create Live Query","meta":{"id":"/apps/pubhub/media/orbital-api/eae5ef1abc124f2d904b17b1697b2df180e92067/6031b5a0-67fa-3480-bf75-857e24b55963","info":{"description":"Documentation of the Orbital API\n\nTo authenticate:\n\n\nFollow steps 1 through 3 from the SecureX Authorization section of this article to generate a SecureX Token.\nhttps://developer.cisco.com/docs/secure-endpoint/#!authentication\n\n\nclick \"Authorize\" button\nIn \"Value\" - enter token from above, prefixed with \"Bearer \" (no quotes)\nClick \"Authorize\", followed by \"Close\"\n\nNow the \"Try it out\" button can work","title":"Orbital API","version":"0.0.1"},"security":[{"AuthorizationHeader":[]}],"openapi":"3.0.3","servers":[{"description":"North America","url":"https://enterprise.orbital.amp.cisco.com/v0"},{"description":"Asia, Pacific, Japan, and China","url":"https://apjc.orbital.amp.cisco.com/v0"},{"description":"Europe","url":"https://eu.orbital.amp.cisco.com/v0"}],"securitySchemes":{"AuthorizationHeader":{"description":"Ex: Bearer \\\u003ctoken\\\u003e","in":"header","name":"authorization","type":"apiKey"}}},"spec":{"description":"Create Live Query","operationId":"idOfLiveQuery","requestBody":{"content":{"application/json":{"schema":{"properties":{"allowOS":{"properties":{"StringArray":{"description":"StringArray allows us to marshal a []string to PostgresQL","items":{"type":"string"},"type":"array","$$ref":"#/components/schemas/StringArray"}},"type":"object","$$ref":"#/components/schemas/AllowOSArray"},"cidr":{"description":"SQL provides an OSQuery SQL statement to evaluate.","example":"172.29.123.123/3","type":"string"},"expiryInMinutes":{"description":"Expiry in Minutes for the query.(if not provided default value is set to 10 minutes)","example":"54","type":"string"},"name":{"description":"Name for Probe Query.","example":"testprobequery","type":"string"},"nodes":{"items":{"type":"string"},"type":"array","$$ref":"#/components/schemas/Nodes"},"nodeversions":{"description":"Versions allows us to marshal a []string to PostgresQL","items":{"type":"string"},"type":"array","$$ref":"#/components/schemas/Versions"},"os":{"items":{"type":"string"},"type":"array","$$ref":"#/components/schemas/OSArray"},"osQuery":{"description":"OSQueries allows us to marshal a []OSQuery to PostgresQL","items":{"properties":{"bookkeeping":{"description":"Bookkeeping is a flag set when the SQL is internal to orbital and the result (if no error)\nis to be discarded","example":true,"type":"boolean"},"label":{"description":"Label is an optional user-provided identifier to associate an OSQuery with its OSQueryResult.","example":"get all the processes","type":"string"},"name":{"description":"Name is an optional user-provided human readable description to associate an OSQuery with its OSQueryResult.","example":"fetch process","type":"string"},"sql":{"description":"SQL provides an OSQuery SQL statement to evaluate.","example":"select * from processes","type":"string"},"types":{"description":"Types provides the CTIM observable types for each of the columns in the result table. If Types\nare omitted, the column should be considered untyped.","example":["process","query"],"items":{"description":"Observable Type\nA Type of Observable is an annotation used to document that the value is one with a specific meaning in the intelligence model.","type":"string","$$ref":"#/components/schemas/Type"},"type":"array"}},"type":"object","$$ref":"#/components/schemas/OSQuery"},"type":"array","$$ref":"#/components/schemas/OSQueries"},"osqueryversions":{"description":"Versions allows us to marshal a []string to PostgresQL","items":{"type":"string"},"type":"array","$$ref":"#/components/schemas/Versions"},"stock":{"description":"Stock","example":"uptime_based_search","type":"string"},"stockArgs":{"additionalProperties":{"items":{"type":"string"},"type":"array"},"type":"object","$$ref":"#/components/schemas/Args"}},"type":"object","$$ref":"#/components/schemas/LiveQueryRequest"}}},"description":"Parameter required to create livequery","x-originalParamName":"Body"},"responses":{"200":{"content":{"application/json":{"schema":{"properties":{"errors":{"items":{"type":"string"},"type":"array"},"results":{"items":{"properties":{"activeIp":{"type":"string"},"ampuuid":{"type":"string"},"hostName":{"type":"string"},"nodeId":{"type":"string"},"queryResult":{"items":{"properties":{"error":{"type":"string"},"queryResultRow":{"properties":{"columns":{"description":"Columns labels the columns of values.","items":{"type":"string"},"type":"array"},"values":{"description":"Values contains actual data.","items":{"type":"string"},"type":"array"}},"type":"object","$$ref":"#/components/schemas/QueryResultRow"}},"type":"object","$$ref":"#/components/schemas/QueryResult"},"type":"array"},"reported":{"format":"date-time","type":"string"},"rowCount":{"format":"int64","type":"integer"}},"type":"object","$$ref":"#/components/schemas/LiveQueryOutput"},"type":"array"}},"type":"object","$$ref":"#/components/schemas/LiveQueryOutputResponse"}}},"description":"livequery.","$$ref":"#/components/responses/LiveQueryResponse"},"400":{"content":{"application/json":{"schema":{"properties":{"errors":{"example":["expiry in minutes should be a number","expiry in minutes should not be zero (0) or negative","nodes should not be empty","there should be either stock or osquery, not both","Probes do not support webhooks."],"items":{"type":"string"},"type":"array"}},"type":"object","$$ref":"#/components/schemas/ErrorMsg400LiveQuery"}}},"description":"Live Query Error 400 Post Response","$$ref":"#/components/responses/ErrorMsg400LiveQuery"},"500":{"content":{"application/json":{"schema":{"properties":{"errors":{"example":["Internal error."],"items":{"type":"string"},"type":"array"}},"type":"object","$$ref":"#/components/schemas/ErrorMsg500InternalServerError"}}},"description":"Live Query Internal Error 500 Post Response","$$ref":"#/components/responses/ErrorMsg500LiveQuery"}},"security":[{"AuthorizationHeader":[]}],"summary":"Create Live Query","tags":["Queries"],"__originalOperationId":"idOfLiveQuery","method":"post","path":"/query/run"}}