Status: Open
Type: Enhancement
11 of 14 issues completed
Labels: 9.2 candidate; Epic; New Integration (issue or pull request for creating a new integration package); Team:Security-Service Integrations (Security Service Integrations team [elastic/security-service-integrations]); Team:Sit-Crest (Crest developers on the Security Integrations team [elastic/sit-crest-contractors]); enhancement (new feature or request)
Description
Building on the completion of Phase I (#11810), this Epic describes enabling agentless deployment for the next wave of security integrations. Phase I delivered 15+ integrations including Office 365, Okta, AWS Security Hub and others.
Phase II expands agentless support to additional high-priority security integrations based on customer demand/usage.
Security integrations targeted for Phase II release:
| Integration | Input | Owner |
|---|---|---|
| ti_anomali | cel | @elastic/security-service-integrations |
| ti_crowdstrike | cel | @elastic/security-service-integrations |
| carbon_black_cloud | cel, httpjson | @elastic/security-service-integrations |
| proofpoint_tap | httpjson | @elastic/security-service-integrations |
| mimecast | cel, httpjson | @elastic/security-service-integrations |
| checkpoint_harmony_endpoint | cel | @elastic/security-service-integrations |
| checkpoint_email | cel | @elastic/security-service-integrations |
| cisco_duo | cel, httpjson | @elastic/security-service-integrations |
| trend_micro_vision_one | httpjson | @elastic/security-service-integrations |
| guardduty | httpjson | @elastic/security-service-integrations |
| inspector | httpjson | @elastic/security-service-integrations |
| cloudflare | httpjson | @elastic/security-service-integrations |
| imperva_cloud_waf | cel | @elastic/security-service-integrations |
| auth0 | cel | @elastic/security-service-integrations |
| 1password | httpjson | @elastic/security-service-integrations |
| github | httpjson | @elastic/security-service-integrations |
| slack | httpjson | @elastic/security-service-integrations |
| ti_rapid7_threat_command | httpjson | @elastic/security-service-integrations |
| tenable_sc | httpjson | @elastic/security-service-integrations |
| snyk | cel, httpjson | @elastic/security-service-integrations |
| abnormal_security | cel | @elastic/security-service-integrations |
| digital_guardian | cel | @elastic/security-service-integrations |
| ti_recordedfuture | httpjson | @elastic/security-service-integrations |
| ping_one | httpjson | @elastic/security-service-integrations |
Requirements
Following the established Phase I pattern, complete the steps below for each integration (see the Onboarding Integration Guide for details).
1. Technical implementation
- Update integration manifest.yml to enable agentless deployment mode
- Update integration documentation with agentless deployment instructions
- Update changelog.md
Example reference: #13367
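The following is an added illustration of the manifest and changelog changes from the steps above; it is not code from the referenced PR or from any of the integrations in the table. The integration name `example_vendor`, the version number and the PR link are placeholders, and the `format_version` requirement is an assumption to verify against the package-spec version the repo currently targets. The `deployment_modes` block under a policy template is the package-spec key that makes the agentless option appear in Fleet; leaving `default` enabled keeps the agent-managed deployment available alongside it.

```yaml
# manifest.yml (hypothetical integration "example_vendor"; only the relevant keys shown)
format_version: "3.2.0"   # deployment_modes needs package-spec 3.2.0 or later (assumption; check the repo's spec)
name: example_vendor
title: Example Vendor
version: "1.2.0"          # placeholder: bump per the integration's release cadence
policy_templates:
  - name: example_vendor
    title: Example Vendor logs
    description: Collect logs from the Example Vendor API.
    # Before this change the template had no deployment_modes key, so only the
    # default (agent-managed) mode was offered in the integrations UI.
    deployment_modes:
      default:
        enabled: true       # keep the agent-managed deployment available
      agentless:
        enabled: true       # expose the agentless option in Fleet
        organization: security
        division: engineering
        team: security-service-integrations
    inputs:
      - type: cel           # one of the inputs the epic lists as agentless-compatible
        title: Collect logs via API
        description: Poll the vendor API with the CEL input.
---
# Changelog entry for the same release (the integrations repo keeps the changelog
# in YAML as changelog.yml). The PR link is a placeholder.
- version: "1.2.0"
  changes:
    - description: Enable agentless deployment mode.
      type: enhancement
      link: https://github.com/elastic/integrations/pull/NNNNN
```

Running `elastic-package lint` from the package directory validates the edited manifest against the package-spec before the PR is opened, which catches a `deployment_modes` block placed at the wrong level or under an unsupported format version.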
2. Performance documentation
- Test and document throughput in agentless (requires access to vendor environment and/or sample data)
- Document specific metrics for each integration, for example (where possible):
  - API response time: average time for vendor API calls to complete
  - Events processed per minute: how many log entries/events the integration can handle
  - Error rates: percentage of failed API calls or data processing errors
  - Container resource usage: CPU and memory consumption under typical load
  - Vendor-specific limits: rate limiting thresholds and API quotas
Example documentation format: "Crowdstrike Falcon Intelligence: 200ms avg API response, 5,000 events/min, 0.1% error rate, 512MB RAM/0.5CPU, 1000 API calls/hour limit"
Dependencies
- Agentless infrastructure GA readiness (still in beta)
- Input compatibility: Currently agentless is optimized for httpjson and cel inputs
- UX enhancement: Add agentless deployment filter/toggle to integrations catalog page for better discoverability
References