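---
# Naftiko capability that consumes the Kibana Osquery API (19 operations) and
# re-exposes each operation through a REST adapter (port 8080) and an MCP
# adapter (port 9090).
# NOTE(review): the nesting below was reconstructed from a listing whose line
# breaks and indentation were lost; validate it against the Naftiko schema.
naftiko: 1.0.0-alpha2
info:
  label: Kibana APIs — Security Osquery API
  description: 'Kibana APIs — Security Osquery API. 19 operations. Lead operation: Get unified query history. Self-contained Naftiko capability covering one Kibana business surface.'
  tags:
    - Kibana
    - Security Osquery API
  created: '2026-05-19'
  modified: '2026-05-19'

# The Kibana credential is read from the environment, not stored in this file.
binds:
  - namespace: env
    keys:
      KIBANA_API_KEY: KIBANA_API_KEY

capability:
  consumes:
    - type: http
      namespace: kibana-security-osquery-api
      # {kibana_url} is a placeholder; nothing in this file binds it.
      baseUri: https://{kibana_url}
      description: Kibana APIs — Security Osquery API business capability. Self-contained, no shared references.
      resources:
        - name: api-osquery-history
          path: /api/osquery/history
          operations:
            - name: osquerygetunifiedhistory
              method: GET
              description: Get unified query history
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
              inputParameters:
                # NOTE(review): pageSize is an integer here but a string on
                # the other list operations in this file; confirm the
                # intended type.
                - name: pageSize
                  in: query
                  type: integer
                  description: The number of results to return per page.
                - name: nextPage
                  in: query
                  type: string
                  description: A base64-encoded cursor for pagination. Use the value from the previous response to fetch the next page.
                - name: kuery
                  in: query
                  type: string
                  description: A search string to filter history entries by pack name, query text, or query ID.
                - name: userIds
                  in: query
                  type: string
                  description: Comma-separated list of user IDs to filter live query history.
                - name: sourceFilters
                  in: query
                  type: string
                  description: Comma-separated list of source types to include. Valid values are `live`, `rule`, and `scheduled`.
                - name: startDate
                  in: query
                  type: string
                  description: The start of the time range filter (ISO 8601).
                - name: endDate
                  in: query
                  type: string
                  description: The end of the time range filter (ISO 8601).
        - name: api-osquery-live_queries
          path: /api/osquery/live_queries
          operations:
            - name: osqueryfindlivequeries
              method: GET
              description: Get live queries
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
              inputParameters:
                - name: kuery
                  in: query
                  type: string
                  description: A KQL search string to filter live queries.
                - name: page
                  in: query
                  type: string
                  description: The page number to return.
                - name: pageSize
                  in: query
                  type: string
                  description: The number of results to return per page.
                - name: sort
                  in: query
                  type: string
                  description: The field to sort results by.
                - name: sortOrder
                  in: query
                  type: string
                  description: The sort order.
            # State-changing: creating a live query runs osquery SQL on the
            # agents selected in the request body. The body is forwarded as an
            # untyped object, so this file applies no validation to it.
            - name: osquerycreatelivequery
              method: POST
              description: Create a live query
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
              inputParameters:
                - name: body
                  in: body
                  type: object
                  description: Request body (JSON).
                  required: true
        - name: api-osquery-live_queries-id
          path: /api/osquery/live_queries/{id}
          operations:
            - name: osquerygetlivequerydetails
              method: GET
              description: Get live query details
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
              inputParameters:
                - name: id
                  in: path
                  type: string
                  description: The ID of the live query.
                  required: true
        - name: api-osquery-live_queries-id-results-actionId
          path: /api/osquery/live_queries/{id}/results/{actionId}
          operations:
            - name: osquerygetlivequeryresults
              method: GET
              description: Get live query results
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
              inputParameters:
                - name: id
                  in: path
                  type: string
                  description: The ID of the live query.
                  required: true
                - name: actionId
                  in: path
                  type: string
                  description: The ID of the query action.
                  required: true
                - name: kuery
                  in: query
                  type: string
                  description: A KQL search string to filter results.
                - name: page
                  in: query
                  type: string
                  description: The page number to return.
                - name: pageSize
                  in: query
                  type: string
                  description: The number of results to return per page.
                - name: sort
                  in: query
                  type: string
                  description: The field to sort results by.
                - name: sortOrder
                  in: query
                  type: string
                  description: The sort order.
        - name: api-osquery-packs
          path: /api/osquery/packs
          operations:
            - name: osqueryfindpacks
              method: GET
              description: Get packs
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
              inputParameters:
                - name: page
                  in: query
                  type: string
                  description: The page number to return.
                - name: pageSize
                  in: query
                  type: string
                  description: The number of results to return per page.
                - name: sort
                  in: query
                  type: string
                  description: The field to sort results by.
                - name: sortOrder
                  in: query
                  type: string
                  description: The sort order.
            - name: osquerycreatepacks
              method: POST
              description: Create a pack
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
              inputParameters:
                - name: body
                  in: body
                  type: object
                  description: Request body (JSON).
                  required: true
        - name: api-osquery-packs-id
          path: /api/osquery/packs/{id}
          operations:
            - name: osquerydeletepacks
              method: DELETE
              description: Delete a pack
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
              inputParameters:
                - name: id
                  in: path
                  type: string
                  description: The pack ID.
                  required: true
            - name: osquerygetpacksdetails
              method: GET
              description: Get pack details
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
              inputParameters:
                - name: id
                  in: path
                  type: string
                  description: The pack ID.
                  required: true
            - name: osqueryupdatepacks
              method: PUT
              description: Update a pack
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
              inputParameters:
                - name: id
                  in: path
                  type: string
                  description: The pack ID.
                  required: true
                - name: body
                  in: body
                  type: object
                  description: Request body (JSON).
                  required: true
        - name: api-osquery-packs-id-copy
          path: /api/osquery/packs/{id}/copy
          operations:
            - name: osquerycopypacks
              method: POST
              description: Copy a pack
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
              inputParameters:
                - name: id
                  in: path
                  type: string
                  description: The ID of the pack to copy.
                  required: true
        - name: api-osquery-saved_queries
          path: /api/osquery/saved_queries
          operations:
            - name: osqueryfindsavedqueries
              method: GET
              description: Get saved queries
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
              inputParameters:
                - name: page
                  in: query
                  type: string
                  description: The page number to return.
                - name: pageSize
                  in: query
                  type: string
                  description: The number of results to return per page.
                - name: sort
                  in: query
                  type: string
                  description: The field to sort results by.
                - name: sortOrder
                  in: query
                  type: string
                  description: The sort order.
            - name: osquerycreatesavedquery
              method: POST
              description: Create a saved query
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
              inputParameters:
                - name: body
                  in: body
                  type: object
                  description: Request body (JSON).
                  required: true
        - name: api-osquery-saved_queries-id
          path: /api/osquery/saved_queries/{id}
          operations:
            - name: osquerydeletesavedquery
              method: DELETE
              description: Delete a saved query
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
              inputParameters:
                - name: id
                  in: path
                  type: string
                  description: The saved query ID.
                  required: true
            - name: osquerygetsavedquerydetails
              method: GET
              description: Get saved query details
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
              inputParameters:
                - name: id
                  in: path
                  type: string
                  description: The saved query ID.
                  required: true
            - name: osqueryupdatesavedquery
              method: PUT
              description: Update a saved query
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
              inputParameters:
                - name: id
                  in: path
                  type: string
                  description: The saved query ID.
                  required: true
                - name: body
                  in: body
                  type: object
                  description: Request body (JSON).
                  required: true
        - name: api-osquery-saved_queries-id-copy
          path: /api/osquery/saved_queries/{id}/copy
          operations:
            - name: osquerycopysavedquery
              method: POST
              description: Copy a saved query
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
              inputParameters:
                - name: id
                  in: path
                  type: string
                  description: The ID of the saved query to copy.
                  required: true
        - name: api-osquery-scheduled_results-scheduleId-executionCount
          path: /api/osquery/scheduled_results/{scheduleId}/{executionCount}
          operations:
            - name: osquerygetscheduledactionresults
              method: GET
              description: Get scheduled action results
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
              inputParameters:
                - name: scheduleId
                  in: path
                  type: string
                  description: The schedule ID of the scheduled query.
                  required: true
                - name: executionCount
                  in: path
                  type: integer
                  description: The execution count for this scheduled query run.
                  required: true
                - name: kuery
                  in: query
                  type: string
                  description: The kuery to filter the results by.
                - name: page
                  in: query
                  type: string
                  description: The page number to return. The default is 1.
                - name: pageSize
                  in: query
                  type: string
                  description: The number of results to return per page. The default is 20.
                - name: sort
                  in: query
                  type: string
                  description: The field that is used to sort the results.
                - name: sortOrder
                  in: query
                  type: string
                  description: Specifies the sort order.
        - name: api-osquery-scheduled_results-scheduleId-executionCount-results
          path: /api/osquery/scheduled_results/{scheduleId}/{executionCount}/results
          operations:
            - name: osquerygetscheduledqueryresults
              method: GET
              description: Get scheduled query results
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
              inputParameters:
                - name: scheduleId
                  in: path
                  type: string
                  description: The schedule ID of the scheduled query.
                  required: true
                - name: executionCount
                  in: path
                  type: integer
                  description: The execution count for this scheduled query run.
                  required: true
                - name: kuery
                  in: query
                  type: string
                  description: The kuery to filter the results by.
                - name: page
                  in: query
                  type: string
                  description: The page number to return. The default is 1.
                - name: pageSize
                  in: query
                  type: string
                  description: The number of results to return per page. The default is 20.
                - name: sort
                  in: query
                  type: string
                  description: The field that is used to sort the results.
                - name: sortOrder
                  in: query
                  type: string
                  description: Specifies the sort order.
                - name: startDate
                  in: query
                  type: string
                  description: The start date filter (ISO 8601) to narrow down results.
      # The env value is placed in the Authorization header as written.
      # NOTE(review): Kibana expects `Authorization: ApiKey <encoded key>`, so
      # KIBANA_API_KEY presumably has to carry the `ApiKey ` scheme prefix;
      # confirm how the runtime renders this header.
      # NOTE(review): Kibana normally rejects non-GET API requests without a
      # kbn-xsrf header, and none is declared for the POST/PUT/DELETE
      # operations above; confirm the runtime supplies it.
      # Scope the key to the Osquery privileges these operations need: every
      # caller of the adapters below acts with this one credential.
      authentication:
        type: apikey
        key: Authorization
        value: '{{env.KIBANA_API_KEY}}'
        placement: header

  # NOTE(review): neither adapter below declares authentication in this file.
  # Anyone who can reach port 8080 or 9090 can run every operation with the
  # Kibana API key, including creating live queries and deleting packs. Bind
  # the ports to a trusted network or put an authenticating proxy in front.
  exposes:
    - type: rest
      namespace: kibana-security-osquery-api-rest
      port: 8080
      description: REST adapter for Kibana APIs — Security Osquery API. One Spectral-compliant resource per consumed operation, prefixed with /v1.
      resources:
        - path: /v1/api/osquery/history
          name: api-osquery-history
          description: REST surface for api-osquery-history.
          operations:
            - method: GET
              name: osquerygetunifiedhistory
              description: Get unified query history
              call: kibana-security-osquery-api.osquerygetunifiedhistory
              with:
                pageSize: rest.pageSize
                nextPage: rest.nextPage
                kuery: rest.kuery
                userIds: rest.userIds
                sourceFilters: rest.sourceFilters
                startDate: rest.startDate
                endDate: rest.endDate
              outputParameters:
                - type: object
                  mapping: $.
        - path: /v1/api/osquery/live-queries
          name: api-osquery-live-queries
          description: REST surface for api-osquery-live_queries.
          operations:
            - method: GET
              name: osqueryfindlivequeries
              description: Get live queries
              call: kibana-security-osquery-api.osqueryfindlivequeries
              with:
                kuery: rest.kuery
                page: rest.page
                pageSize: rest.pageSize
                sort: rest.sort
                sortOrder: rest.sortOrder
              outputParameters:
                - type: object
                  mapping: $.
            - method: POST
              name: osquerycreatelivequery
              description: Create a live query
              call: kibana-security-osquery-api.osquerycreatelivequery
              with:
                body: rest.body
              outputParameters:
                - type: object
                  mapping: $.
        - path: /v1/api/osquery/live-queries/{id}
          name: api-osquery-live-queries-id
          description: REST surface for api-osquery-live_queries-id.
          operations:
            - method: GET
              name: osquerygetlivequerydetails
              description: Get live query details
              call: kibana-security-osquery-api.osquerygetlivequerydetails
              with:
                id: rest.id
              outputParameters:
                - type: object
                  mapping: $.
        # NOTE(review): the path placeholder is {actionid} but the binding
        # reads rest.actionId; confirm placeholder matching ignores case.
        - path: /v1/api/osquery/live-queries/{id}/results/{actionid}
          name: api-osquery-live-queries-id-results-actionid
          description: REST surface for api-osquery-live_queries-id-results-actionId.
          operations:
            - method: GET
              name: osquerygetlivequeryresults
              description: Get live query results
              call: kibana-security-osquery-api.osquerygetlivequeryresults
              with:
                id: rest.id
                actionId: rest.actionId
                kuery: rest.kuery
                page: rest.page
                pageSize: rest.pageSize
                sort: rest.sort
                sortOrder: rest.sortOrder
              outputParameters:
                - type: object
                  mapping: $.
        - path: /v1/api/osquery/packs
          name: api-osquery-packs
          description: REST surface for api-osquery-packs.
          operations:
            - method: GET
              name: osqueryfindpacks
              description: Get packs
              call: kibana-security-osquery-api.osqueryfindpacks
              with:
                page: rest.page
                pageSize: rest.pageSize
                sort: rest.sort
                sortOrder: rest.sortOrder
              outputParameters:
                - type: object
                  mapping: $.
            - method: POST
              name: osquerycreatepacks
              description: Create a pack
              call: kibana-security-osquery-api.osquerycreatepacks
              with:
                body: rest.body
              outputParameters:
                - type: object
                  mapping: $.
        - path: /v1/api/osquery/packs/{id}
          name: api-osquery-packs-id
          description: REST surface for api-osquery-packs-id.
          operations:
            - method: DELETE
              name: osquerydeletepacks
              description: Delete a pack
              call: kibana-security-osquery-api.osquerydeletepacks
              with:
                id: rest.id
              outputParameters:
                - type: object
                  mapping: $.
            - method: GET
              name: osquerygetpacksdetails
              description: Get pack details
              call: kibana-security-osquery-api.osquerygetpacksdetails
              with:
                id: rest.id
              outputParameters:
                - type: object
                  mapping: $.
            - method: PUT
              name: osqueryupdatepacks
              description: Update a pack
              call: kibana-security-osquery-api.osqueryupdatepacks
              with:
                id: rest.id
                body: rest.body
              outputParameters:
                - type: object
                  mapping: $.
        - path: /v1/api/osquery/packs/{id}/copy
          name: api-osquery-packs-id-copy
          description: REST surface for api-osquery-packs-id-copy.
          operations:
            - method: POST
              name: osquerycopypacks
              description: Copy a pack
              call: kibana-security-osquery-api.osquerycopypacks
              with:
                id: rest.id
              outputParameters:
                - type: object
                  mapping: $.
        - path: /v1/api/osquery/saved-queries
          name: api-osquery-saved-queries
          description: REST surface for api-osquery-saved_queries.
          operations:
            - method: GET
              name: osqueryfindsavedqueries
              description: Get saved queries
              call: kibana-security-osquery-api.osqueryfindsavedqueries
              with:
                page: rest.page
                pageSize: rest.pageSize
                sort: rest.sort
                sortOrder: rest.sortOrder
              outputParameters:
                - type: object
                  mapping: $.
            - method: POST
              name: osquerycreatesavedquery
              description: Create a saved query
              call: kibana-security-osquery-api.osquerycreatesavedquery
              with:
                body: rest.body
              outputParameters:
                - type: object
                  mapping: $.
        - path: /v1/api/osquery/saved-queries/{id}
          name: api-osquery-saved-queries-id
          description: REST surface for api-osquery-saved_queries-id.
          operations:
            - method: DELETE
              name: osquerydeletesavedquery
              description: Delete a saved query
              call: kibana-security-osquery-api.osquerydeletesavedquery
              with:
                id: rest.id
              outputParameters:
                - type: object
                  mapping: $.
            - method: GET
              name: osquerygetsavedquerydetails
              description: Get saved query details
              call: kibana-security-osquery-api.osquerygetsavedquerydetails
              with:
                id: rest.id
              outputParameters:
                - type: object
                  mapping: $.
            - method: PUT
              name: osqueryupdatesavedquery
              description: Update a saved query
              call: kibana-security-osquery-api.osqueryupdatesavedquery
              with:
                id: rest.id
                body: rest.body
              outputParameters:
                - type: object
                  mapping: $.
        - path: /v1/api/osquery/saved-queries/{id}/copy
          name: api-osquery-saved-queries-id-copy
          description: REST surface for api-osquery-saved_queries-id-copy.
          operations:
            - method: POST
              name: osquerycopysavedquery
              description: Copy a saved query
              call: kibana-security-osquery-api.osquerycopysavedquery
              with:
                id: rest.id
              outputParameters:
                - type: object
                  mapping: $.
        # NOTE(review): placeholders are {scheduleid}/{executioncount} but the
        # bindings read rest.scheduleId / rest.executionCount; confirm
        # placeholder matching ignores case (same for the next resource).
        - path: /v1/api/osquery/scheduled-results/{scheduleid}/{executioncount}
          name: api-osquery-scheduled-results-scheduleid-executioncount
          description: REST surface for api-osquery-scheduled_results-scheduleId-executionCount.
          operations:
            - method: GET
              name: osquerygetscheduledactionresults
              description: Get scheduled action results
              call: kibana-security-osquery-api.osquerygetscheduledactionresults
              with:
                scheduleId: rest.scheduleId
                executionCount: rest.executionCount
                kuery: rest.kuery
                page: rest.page
                pageSize: rest.pageSize
                sort: rest.sort
                sortOrder: rest.sortOrder
              outputParameters:
                - type: object
                  mapping: $.
        - path: /v1/api/osquery/scheduled-results/{scheduleid}/{executioncount}/results
          name: api-osquery-scheduled-results-scheduleid-executioncount-results
          description: REST surface for api-osquery-scheduled_results-scheduleId-executionCount-results.
          operations:
            - method: GET
              name: osquerygetscheduledqueryresults
              description: Get scheduled query results
              call: kibana-security-osquery-api.osquerygetscheduledqueryresults
              with:
                scheduleId: rest.scheduleId
                executionCount: rest.executionCount
                kuery: rest.kuery
                page: rest.page
                pageSize: rest.pageSize
                sort: rest.sort
                sortOrder: rest.sortOrder
                startDate: rest.startDate
              outputParameters:
                - type: object
                  mapping: $.
    - type: mcp
      namespace: kibana-security-osquery-api-mcp
      port: 9090
      transport: http
      description: MCP adapter for Kibana APIs — Security Osquery API. One tool per consumed operation, routed inline through this capability's consumes block.
      # The hints are advisory metadata that an MCP client may use to decide
      # whether a call needs confirmation, so every tool routed to a POST, PUT
      # or DELETE operation is marked readOnly: false.
      tools:
        - name: get-unified-query-history
          description: Get unified query history
          hints:
            readOnly: true
            destructive: false
            idempotent: true
          call: kibana-security-osquery-api.osquerygetunifiedhistory
          with:
            pageSize: tools.pageSize
            nextPage: tools.nextPage
            kuery: tools.kuery
            userIds: tools.userIds
            sourceFilters: tools.sourceFilters
            startDate: tools.startDate
            endDate: tools.endDate
          outputParameters:
            - type: object
              mapping: $.
        - name: get-live-queries
          description: Get live queries
          hints:
            readOnly: true
            destructive: false
            idempotent: true
          call: kibana-security-osquery-api.osqueryfindlivequeries
          with:
            kuery: tools.kuery
            page: tools.page
            pageSize: tools.pageSize
            sort: tools.sort
            sortOrder: tools.sortOrder
          outputParameters:
            - type: object
              mapping: $.
        # Routed to the POST that creates a live query, which runs osquery SQL
        # on the selected agents; it is not a read-only tool.
        - name: create-live-query
          description: Create a live query
          hints:
            readOnly: false
            destructive: false
            idempotent: false
          call: kibana-security-osquery-api.osquerycreatelivequery
          with:
            body: tools.body
          outputParameters:
            - type: object
              mapping: $.
        - name: get-live-query-details
          description: Get live query details
          hints:
            readOnly: true
            destructive: false
            idempotent: true
          call: kibana-security-osquery-api.osquerygetlivequerydetails
          with:
            id: tools.id
          outputParameters:
            - type: object
              mapping: $.
        - name: get-live-query-results
          description: Get live query results
          hints:
            readOnly: true
            destructive: false
            idempotent: true
          call: kibana-security-osquery-api.osquerygetlivequeryresults
          with:
            id: tools.id
            actionId: tools.actionId
            kuery: tools.kuery
            page: tools.page
            pageSize: tools.pageSize
            sort: tools.sort
            sortOrder: tools.sortOrder
          outputParameters:
            - type: object
              mapping: $.
        - name: get-packs
          description: Get packs
          hints:
            readOnly: true
            destructive: false
            idempotent: true
          call: kibana-security-osquery-api.osqueryfindpacks
          with:
            page: tools.page
            pageSize: tools.pageSize
            sort: tools.sort
            sortOrder: tools.sortOrder
          outputParameters:
            - type: object
              mapping: $.
        - name: create-pack
          description: Create a pack
          hints:
            readOnly: false
            destructive: false
            idempotent: false
          call: kibana-security-osquery-api.osquerycreatepacks
          with:
            body: tools.body
          outputParameters:
            - type: object
              mapping: $.
        - name: delete-pack
          description: Delete a pack
          hints:
            readOnly: false
            destructive: true
            idempotent: true
          call: kibana-security-osquery-api.osquerydeletepacks
          with:
            id: tools.id
          outputParameters:
            - type: object
              mapping: $.
        - name: get-pack-details
          description: Get pack details
          hints:
            readOnly: true
            destructive: false
            idempotent: true
          call: kibana-security-osquery-api.osquerygetpacksdetails
          with:
            id: tools.id
          outputParameters:
            - type: object
              mapping: $.
        - name: update-pack
          description: Update a pack
          hints:
            readOnly: false
            destructive: false
            idempotent: true
          call: kibana-security-osquery-api.osqueryupdatepacks
          with:
            id: tools.id
            body: tools.body
          outputParameters:
            - type: object
              mapping: $.
        - name: copy-pack
          description: Copy a pack
          hints:
            readOnly: false
            destructive: false
            idempotent: false
          call: kibana-security-osquery-api.osquerycopypacks
          with:
            id: tools.id
          outputParameters:
            - type: object
              mapping: $.
        - name: get-saved-queries
          description: Get saved queries
          hints:
            readOnly: true
            destructive: false
            idempotent: true
          call: kibana-security-osquery-api.osqueryfindsavedqueries
          with:
            page: tools.page
            pageSize: tools.pageSize
            sort: tools.sort
            sortOrder: tools.sortOrder
          outputParameters:
            - type: object
              mapping: $.
        # Routed to a POST that stores a new saved query, matching the
        # readOnly: false already set on create-pack.
        - name: create-saved-query
          description: Create a saved query
          hints:
            readOnly: false
            destructive: false
            idempotent: false
          call: kibana-security-osquery-api.osquerycreatesavedquery
          with:
            body: tools.body
          outputParameters:
            - type: object
              mapping: $.
        - name: delete-saved-query
          description: Delete a saved query
          hints:
            readOnly: false
            destructive: true
            idempotent: true
          call: kibana-security-osquery-api.osquerydeletesavedquery
          with:
            id: tools.id
          outputParameters:
            - type: object
              mapping: $.
        - name: get-saved-query-details
          description: Get saved query details
          hints:
            readOnly: true
            destructive: false
            idempotent: true
          call: kibana-security-osquery-api.osquerygetsavedquerydetails
          with:
            id: tools.id
          outputParameters:
            - type: object
              mapping: $.
        - name: update-saved-query
          description: Update a saved query
          hints:
            readOnly: false
            destructive: false
            idempotent: true
          call: kibana-security-osquery-api.osqueryupdatesavedquery
          with:
            id: tools.id
            body: tools.body
          outputParameters:
            - type: object
              mapping: $.
        # Routed to a POST that creates a copy, matching the readOnly: false
        # already set on copy-pack.
        - name: copy-saved-query
          description: Copy a saved query
          hints:
            readOnly: false
            destructive: false
            idempotent: false
          call: kibana-security-osquery-api.osquerycopysavedquery
          with:
            id: tools.id
          outputParameters:
            - type: object
              mapping: $.
        - name: get-scheduled-action-results
          description: Get scheduled action results
          hints:
            readOnly: true
            destructive: false
            idempotent: true
          call: kibana-security-osquery-api.osquerygetscheduledactionresults
          with:
            scheduleId: tools.scheduleId
            executionCount: tools.executionCount
            kuery: tools.kuery
            page: tools.page
            pageSize: tools.pageSize
            sort: tools.sort
            sortOrder: tools.sortOrder
          outputParameters:
            - type: object
              mapping: $.
        - name: get-scheduled-query-results
          description: Get scheduled query results
          hints:
            readOnly: true
            destructive: false
            idempotent: true
          call: kibana-security-osquery-api.osquerygetscheduledqueryresults
          with:
            scheduleId: tools.scheduleId
            executionCount: tools.executionCount
            kuery: tools.kuery
            page: tools.page
            pageSize: tools.pageSize
            sort: tools.sort
            sortOrder: tools.sortOrder
            startDate: tools.startDate
          outputParameters:
            - type: object
              mapping: $.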