Bundled packs

A bundled pack is a query pack that ships inside the Mimir server binary itself — not uploaded by an operator, not stored as a YAML file your team maintains. Mimir loads them at startup, registers their queries against every connected agent, and surfaces their results the same way it surfaces results from packs you upload yourself. On the Packs list and on each pack’s detail page they’re tagged with a small bundled source label so the distinction is obvious.

What you get

Bundled packs cover the load-bearing osquery work Mimir relies on for features that wouldn’t function without them:

  • File hashes — collects SHA256/MD5/SHA1 hashes for binaries the agent observes, so that newly imported IOCs can be matched against 90 days of historical activity (see the threat-feeds overview for how that historical scan is wired up).
  • Network IOC monitor — pulls socket_events and dns_lookup_events on a tight cadence so IP and domain indicators can be matched in real time, not just when osquery happens to snapshot the running process table.

The exact set of bundled packs evolves with the server version. Any release-note entry that mentions IOC matching, hunts, or compliance policy coverage is usually backed by a pack you didn’t have to enable.

How a bundled pack is different from a custom pack

From the operator’s perspective the two are similar by design — same list page, same detail view, same enable/disable toggle, same scheduled-query table. The differences are:

| | Bundled | Custom |
|---|---|---|
| Where the YAML lives | Compiled into the server binary | Stored in the database from your upload |
| Survives a server restart | Always (re-emitted from the binary on boot) | Yes, but only because the row stays in the database |
| Edit the YAML | No — change it in source and rebuild | Yes — re-upload via the modal |
| Delete from the UI | Yes, with a “will not reappear on restart” warning | Yes |
| Re-appears after upgrade | If the new server version still ships it | Never re-appears unless re-uploaded |

On both the list page and the detail page, the small bundled / custom label next to the pack’s name is the only structural difference rendered to you.

Why a pack ships bundled

Three reasons a pack ends up baked into the binary:

  1. The product depends on its data. IOC historical matching and real-time network matching both need the bundled packs running. Shipping them inside the binary makes “did the operator forget to add them?” not a possible failure mode.

  2. Coverage shouldn’t drift between deployments. Two tenants on the same Mimir version run the same bundled set, so a fleet that’s working correctly in one place will also be working correctly in another.

  3. Upgrades are the right delivery channel. Improvements to a load-bearing query land in a release alongside any server-side changes that depend on them.

How to use the detail page on a bundled pack

  1. From the Packs list, click the pack name. The detail page loads at /packs/:id.
  2. The header strip shows the same fields as the list row plus a · bundled tag so you can confirm what you’re looking at.
  3. The Queries table is the load-bearing view: one row per scheduled query, with the columns:
    • Name and (if different) a one-line description.
    • Platform — All, Windows, Linux, macOS, or BSD.
    • Interval — how often this query runs.
    • Last Result — when any host last reported a row for this query. A long-stale timestamp is the signal a query is failing.
    • Rows 24h and Hosts 24h — same idea as the list-page counters but per-query.
  4. The Source YAML card at the bottom of the page is hidden for bundled packs — there’s no editable YAML to show. Use the Custom packs page if you need to know what that card looks like for uploaded packs.
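Added example, not code from Mimir itself: a small staleness check over rows shaped like the Queries table above, flagging any query whose Last Result lags its Interval by more than an assumed factor of three, which is how you would notice a load-bearing bundled pack degrading before the downstream IOC matching goes quiet. The field names, the factor and the sample rows are constructed assumptions, not values read from a real deployment.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

@dataclass
class QueryRow:
    """One row of a pack's Queries table (constructed shape, not Mimir's API)."""
    name: str
    platform: str
    interval_s: int                 # "Interval" column, seconds between runs
    last_result: Optional[datetime] # "Last Result" column; None if no host ever reported

# Assumption: a query is considered failing once no host has reported a row
# for more than three scheduled intervals.
STALE_FACTOR = 3

def stale_queries(rows: List[QueryRow], now: datetime,
                  factor: int = STALE_FACTOR) -> List[Tuple[str, str]]:
    """Return (query name, reason) for every query whose Last Result lags its schedule."""
    findings = []
    for r in rows:
        if r.last_result is None:
            findings.append((r.name, "never reported a row"))
            continue
        age = now - r.last_result
        budget = timedelta(seconds=r.interval_s * factor)
        if age > budget:
            findings.append((r.name,
                             f"last result {int(age.total_seconds())}s ago, "
                             f"budget {int(budget.total_seconds())}s"))
    return findings

# Constructed sample mirroring a bundled pack's Queries table (not real data).
NOW = datetime(2024, 1, 10, 12, 0, tzinfo=timezone.utc)
SAMPLE_ROWS = [
    QueryRow("file_hashes", "All", 3600, NOW - timedelta(minutes=20)),   # healthy
    QueryRow("socket_events", "Linux", 60, NOW - timedelta(hours=2)),    # stale
    QueryRow("dns_lookup_events", "Linux", 60, None),                    # never ran
]

def report(rows: List[QueryRow] = SAMPLE_ROWS, now: datetime = NOW) -> List[Tuple[str, str]]:
    """Print and return the findings so the check can run stand-alone."""
    findings = stale_queries(rows, now)
    for name, reason in findings:
        print(f"STALE {name}: {reason}")
    return findings

if __name__ == "__main__":
    report()
```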

Deleting a bundled pack

You can delete a bundled pack from the UI. The confirmation modal spells out the consequence:

Bundled packs will not reappear on restart.

In other words, the deletion is durable in the database and is not reset by a server restart or an upgrade. To restore a deleted bundled pack, deploy a server build that ships it, or re-upload its YAML as a custom pack. There is no “reset to factory bundled set” admin action.

Bundled packs that other features depend on (IOC historical matching, real-time network matching) will degrade silently if their pack is deleted — Mimir won’t refuse the deletion, but you’ll see the downstream features stop working until you bring an equivalent pack back. If you don’t have a specific reason to delete a bundled pack, just disable it instead — the toggle is reversible.

Permissions

Listing and viewing bundled packs is gated by withAnyAuth — any signed-in user can read them. Disabling and deleting are admin-only. There is no per-pack ACL: the deployment is the tenancy boundary, as with the rest of Mimir’s fleet view.

Where to next

  • Query packs overview — the list page, the health dot, and the 24h counters.
  • Custom packs — the upload modal, the Source YAML card, and the YAML schema validation.
  • Hosts — pack results land on each host’s detail view, grouped by pack section.