peteharverson
diff --git a/‎packages/kbn-check-saved-objects-cli/current_fields.json‎
Lines changed: 3 additions & 0 deletions b/‎packages/kbn-check-saved-objects-cli/current_fields.json‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎packages/kbn-check-saved-objects-cli/current_mappings.json‎
Lines changed: 11 additions & 1 deletion b/‎packages/kbn-check-saved-objects-cli/current_mappings.json‎
Lines changed: 11 additions & 1 deletion
diff --git a/‎packages/kbn-check-saved-objects-cli/src/migrations/__fixtures__/osquery-pack/10.3.0.json‎
Lines changed: 40 additions & 0 deletions b/‎packages/kbn-check-saved-objects-cli/src/migrations/__fixtures__/osquery-pack/10.3.0.json‎
Lines changed: 40 additions & 0 deletions
diff --git a/‎src/core/server/integration_tests/ci_checks/saved_objects/check_registered_types.test.ts‎
Lines changed: 6 additions & 5 deletions b/‎src/core/server/integration_tests/ci_checks/saved_objects/check_registered_types.test.ts‎
Lines changed: 6 additions & 5 deletions
diff --git a/‎x-pack/platform/plugins/shared/osquery/common/experimental_features.ts‎
Lines changed: 9 additions & 0 deletions b/‎x-pack/platform/plugins/shared/osquery/common/experimental_features.ts‎
Lines changed: 9 additions & 0 deletions
diff --git a/‎x-pack/platform/plugins/shared/osquery/common/index.ts‎
Lines changed: 2 additions & 0 deletions b/‎x-pack/platform/plugins/shared/osquery/common/index.ts‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎x-pack/platform/plugins/shared/osquery/common/schedule.ts‎
Lines changed: 55 additions & 0 deletions b/‎x-pack/platform/plugins/shared/osquery/common/schedule.ts‎
Lines changed: 55 additions & 0 deletions
@@ -1064,6 +1064,7 @@
     "created_by_profile_uid",
     "description",
     "enabled",
+    "interval",
     "name",
     "queries",
     "queries.ecs_mapping",
@@ -1073,6 +1074,8 @@
     "queries.query",
     "queries.timeout",
     "queries.version",
+    "rrule_schedule",
+    "schedule_type",
     "shards",
     "updated_at",
     "updated_by",
 
@@ -337,7 +337,6 @@
       "createdBy": {
         "type": "keyword"
       },
-
       "description": {
         "fields": {
           "keyword": {
@@ -3550,6 +3549,9 @@
       "enabled": {
         "type": "boolean"
       },
+      "interval": {
+        "type": "integer"
+      },
       "name": {
         "type": "text"
       },
@@ -3580,6 +3582,14 @@
           }
         }
       },
+      "rrule_schedule": {
+        "dynamic": false,
+        "properties": {}
+      },
+      "schedule_type": {
+        "ignore_above": 1024,
+        "type": "keyword"
+      },
       "shards": {
         "dynamic": false,
         "properties": {}
 
@@ -0,0 +1,40 @@
+{
+  "10.2.0": [
+    {
+      "name": "test-pack-1",
+      "description": "A test pack",
+      "queries": {
+        "query1": {
+          "id": "query1",
+          "query": "select * from processes;",
+          "interval": 3600,
+          "timeout": 300
+        }
+      },
+      "enabled": true,
+      "created_at": "2024-01-01T00:00:00.000Z",
+      "created_by": "elastic",
+      "updated_at": "2024-01-01T00:00:00.000Z",
+      "updated_by": "elastic"
+    }
+  ],
+  "10.3.0": [
+    {
+      "name": "test-pack-1",
+      "description": "A test pack",
+      "queries": {
+        "query1": {
+          "id": "query1",
+          "query": "select * from processes;",
+          "interval": 3600,
+          "timeout": 300
+        }
+      },
+      "enabled": true,
+      "created_at": "2024-01-01T00:00:00.000Z",
+      "created_by": "elastic",
+      "updated_at": "2024-01-01T00:00:00.000Z",
+      "updated_by": "elastic"
+    }
+  ]
+}
@@ -150,7 +150,7 @@ describe('checking migration metadata changes on all registered SO types', () =>
         "oauth_state": "4d7f9d29a0d49146a54cbc7580fbd317ad709048a79cc994c7e83d84ebfc9a85",
         "observability-onboarding-state": "2495563e6b20ce1be160ec0c3143a4aee920cad1d6e5c478452470ccb7bd2753",
         "osquery-manager-usage-metric": "8833b9f812e9179897444c395761f9911945cfb77de9869c4e9b6ee6eeb0f573",
-        "osquery-pack": "9cb5096182b6490fe2364d740cf9a23fa5562153d8c4a416303b7a82b9d37f21",
+        "osquery-pack": "ed35a71e98489dd9a5acc476188648c7280deedb55fd596aa6a53d40d587678d",
         "osquery-pack-asset": "fb48358a1ecbe00b7a4e670b47e301e86f9fdc392f403a64dbe207b1884e8784",
         "osquery-saved-query": "a66139a460e1fc80611ffe392fab4db7db48e5a81691ba306a258bd70008a6d1",
         "policy-settings-protection-updates-note": "d91301a012aa934229958cbbb2bffa72c9ce2532fbe67fa00a6f255ff60571b6",
@@ -1092,9 +1092,10 @@ describe('checking migration metadata changes on all registered SO types', () =>
         "osquery-manager-usage-metric|schemas: da39a3ee5e6b4b0d3255bfef95601890afd80709",
         "==============================================================================",
         "osquery-pack|global: 2d5e5413c0bdbc80e7127c3a57f6be15e5078dbe",
-        "osquery-pack|mappings: bce366d537668509ca94beac2250664b3a6b62ea",
+        "osquery-pack|mappings: 78077a573dfb4f0d6c42c6c02ae5fe3a5bacb4b7",
         "osquery-pack|schemas: da39a3ee5e6b4b0d3255bfef95601890afd80709",
-        "osquery-pack|10.2.0: 3814752beb1760b29d858991c55e488b0005166668cd51dd61a806359236d04b",
+        "osquery-pack|10.3.0: 80c6ea83536c342f97734b289264bf74e457b2f6f604a596d6857d161416d018",
+        "osquery-pack|10.2.0: fcd4b94ad161b8463b4de2f15fc2a7dae820dc84878db67e25b7261892432706",
         "osquery-pack|10.1.0: 98a6593772eecbe42b9dd8d007af5fbcaf6cd7adbf037857f9686307cdb771c1",
         "=====================================================================================",
         "osquery-pack-asset|global: 6ae0ad3ceac166af2a7b4d9b0b0afffd2d315cda",
@@ -1568,7 +1569,7 @@ describe('checking migration metadata changes on all registered SO types', () =>
         "oauth_state": "10.1.0",
         "observability-onboarding-state": "10.2.0",
         "osquery-manager-usage-metric": "10.0.0",
-        "osquery-pack": "10.2.0",
+        "osquery-pack": "10.3.0",
         "osquery-pack-asset": "10.1.0",
         "osquery-saved-query": "10.2.0",
         "policy-settings-protection-updates-note": "10.0.0",
@@ -1741,7 +1742,7 @@ describe('checking migration metadata changes on all registered SO types', () =>
         "oauth_state": "10.1.0",
         "observability-onboarding-state": "10.2.0",
         "osquery-manager-usage-metric": "0.0.0",
-        "osquery-pack": "10.2.0",
+        "osquery-pack": "10.3.0",
         "osquery-pack-asset": "10.1.0",
         "osquery-saved-query": "10.2.0",
         "policy-settings-protection-updates-note": "0.0.0",
 
@@ -30,6 +30,15 @@ export const allowedExperimentalValues = Object.freeze({
    * for downloading osquery results as NDJSON, JSON, or CSV files.
    */
   exportResults: false,
+  /**
+   * Enables RFC 5545 RRULE-based recurrence scheduling for packs and pack queries
+   * as an alternative to native interval-based scheduling. When enabled, the
+   * pack form and pack query flyout expose a Schedule section, the API accepts
+   * `schedule_type` / `interval` (pack-level) / `rrule_schedule` fields, and the
+   * Fleet config fans the pack-level schedule onto each query that doesn't have
+   * its own override. Requires osquerybeat with RRULE support.
+   */
+  rruleScheduling: false,
 });
 
 type ExperimentalFeatures = { [K in keyof typeof allowedExperimentalValues]: boolean };
 
@@ -12,6 +12,8 @@ export {
   getExperimentalAllowedValues,
 } from './experimental_features';
 export type { ExperimentalFeatures } from './experimental_features';
+export type { ScheduleType, RRuleScheduleConfig } from './schedule';
+export { MAX_SPLAY_SECONDS } from './schedule';
 
 export const PLUGIN_ID = 'osquery';
 export const PLUGIN_NAME = 'Osquery';
@@ -0,0 +1,55 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+/**
+ * Maximum allowed splay duration in seconds (12 hours). Aligned with osquerybeat's
+ * `MaxSplay = 12 * time.Hour` constant.
+ */
+export const MAX_SPLAY_SECONDS = 43200;
+
+/**
+ * Discriminator for which scheduling mode a pack or pack query uses.
+ *
+ * - `'interval'`: native osqueryd interval scheduling (seconds). Mutually
+ *   exclusive with `rrule_schedule`.
+ * - `'rrule'`: osquerybeat RRULE-based recurrence scheduling. Mutually
+ *   exclusive with `interval`.
+ *
+ * Absence of the field on a pack means no pack-level schedule is set: each
+ * query uses its own per-query `interval` and there is no default to inherit.
+ */
+export type ScheduleType = 'interval' | 'rrule';
+
+/**
+ * RRULE schedule configuration consumed by osquerybeat. The `rrule` field is
+ * the fully serialized RFC 5545 string (e.g. `"FREQ=WEEKLY;BYDAY=MO,WE,FR"`),
+ * not a structured object — osquerybeat's `teambition/rrule-go` parser speaks
+ * strings directly. DTSTART is NOT included in the RRULE string; osquerybeat
+ * uses the separate `start_date` field.
+ */
+export interface RRuleScheduleConfig {
+  /** RFC 5545 RRULE string. */
+  rrule: string;
+  /** RFC 3339 datetime string for the schedule's start. Required. */
+  start_date: string;
+  /** Optional RFC 3339 datetime string for the schedule's end. */
+  end_date?: string;
+  /**
+   * Optional Go duration string for splay (random execution delay).
+   * Single-unit only on write: suffix `s` (seconds), `m` (minutes), or `h`
+   * (hours) — e.g. `"30s"`, `"5m"`, `"1h"`. Compound durations like `"1h30m"`
+   * are tolerated only on read (osquerybeat parses via `time.ParseDuration`
+   * and may emit compound strings). Maximum 12 hours ({@link MAX_SPLAY_SECONDS}).
+   */
+  splay?: string;
+  /**
+   * Optional query execution timeout, in **seconds**. Field name is `timeout`
+   * to match osquerybeat's wire field (`RRuleScheduleConfig.Timeout int`
+   * in `elastic/beats#48767`). Default in beats is 60s when absent.
+   */
+  timeout?: number;
+}