
[Epic] Adding Agentless support to Security Integrations  #17973

@cpascale43

Description

Building on the completion of Phases I and II, this Epic covers enabling agentless deployment for the next wave of security integrations. Scope is currently limited to integrations whose inputs are httpjson and cel.

Security integrations targeted for Phase III release:

| Integration | Input | Owner | Agentless |
|---|---|---|---|
| admin_by_request_epm | cel | @elastic/security-service-integrations | |
| atlassian_bitbucket | httpjson | @elastic/security-service-integrations | |
| atlassian_confluence | httpjson | @elastic/security-service-integrations | |
| atlassian_jira | httpjson | @elastic/security-service-integrations | |
| authentik | cel | @elastic/security-service-integrations | |
| beyondinsight_password_safe | cel | @elastic/security-service-integrations | |
| bitdefender | cel | @elastic/security-service-integrations | |
| bitsight | cel | @elastic/security-service-integrations | |
| bitwarden | httpjson | @elastic/security-service-integrations | |
| blacklens | httpjson | @elastic/security-service-integrations | |
| box_events | httpjson | @elastic/security-service-integrations | |
| cisa_kevs | cel | @elastic/security-service-integrations | |
| cisco_secure_endpoint | httpjson | @elastic/security-service-integrations | |
| claroty_ctd | cel | @elastic/security-service-integrations | |
| cloudflare | cel | @elastic/security-service-integrations | |
| cyberark_epm | cel | @elastic/security-service-integrations | |
| cybereason | cel | @elastic/security-service-integrations | |
| darktrace | httpjson | @elastic/security-service-integrations | |
| entro | cel | @elastic/security-service-integrations | |
| eset_protect | cel | @elastic/security-service-integrations | |
| first_epss | cel | @elastic/security-service-integrations | |
| forgerock | httpjson | @elastic/security-service-integrations | |
| jumpcloud | httpjson | @elastic/security-service-integrations | |
| lastpass | httpjson | @elastic/security-service-integrations | |
| lumos | httpjson | @elastic/security-service-integrations | |
| menlo | cel | @elastic/security-service-integrations | |
| microsoft_exchange_online_message_trace | cel | @elastic/security-service-integrations | |
| miniflux | cel | @elastic/security-service-integrations | |
| nextron_thor_apt_scanner | cel | @elastic/security-service-integrations | |
| sailpoint_identity_sc | cel | @elastic/security-service-integrations | |
| servicenow | cel | @elastic/security-service-integrations | |
| sophos_central | httpjson | @elastic/security-service-integrations | |
| spycloud | cel | @elastic/security-service-integrations | |
| swimlane | cel | @elastic/security-service-integrations | |
| symantec_endpoint_security | cel | @elastic/security-service-integrations | |
| sysdig | cel | @elastic/security-service-integrations | |
| tenable_ot_security | cel | @elastic/security-service-integrations | |
| ti_anyrun | cel | @elastic/security-service-integrations | |
| ti_cif3 | httpjson | @elastic/security-service-integrations | |
| ti_custom | cel | @elastic/security-service-integrations | |
| ti_cybersixgill | httpjson | @elastic/security-service-integrations | |
| ti_domaintools | cel | @elastic/security-service-integrations | |
| ti_eclecticiq | cel | @elastic/security-service-integrations | |
| ti_eset | httpjson | @elastic/security-service-integrations | |
| ti_maltiverse | httpjson | @elastic/security-service-integrations | |
| ti_mandiant_advantage | httpjson | @elastic/security-service-integrations | |
| ti_misp | httpjson | @elastic/security-service-integrations | |
| ti_opencti | cel | @elastic/security-service-integrations | |
| ti_otx | cel, httpjson | @elastic/security-service-integrations | |
| ti_threatconnect | cel | @elastic/security-service-integrations | |
| tines | httpjson | @elastic/security-service-integrations | |
| trellix_epo_cloud | cel | @elastic/security-service-integrations | |
| trend_micro_vision_one | cel | @elastic/security-service-integrations | |
| withsecure_elements | cel | @elastic/security-service-integrations | |
| zerofox | httpjson | @elastic/security-service-integrations | |
| zeronetworks | httpjson | @elastic/security-service-integrations | |

Edit 4.8.26 - removed akamai, entityanalytics_ad, entityanalytics_entra_id, entityanalytics_okta from the Phase III scope

Requirements

Following the patterns established in Phases I and II, see the Onboarding Integration Guide for the per-integration steps. For each integration:

1. Technical implementation

  • Update integration manifest.yml to enable agentless deployment mode
  • Update integration documentation with agentless deployment instructions
  • Update changelog.md

Example reference: #13367
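The following is an added illustration of the manifest.yml change in step 1; it is not text from this Epic, from #13367, or from any real integration package. It shows the `deployment_modes` block under a policy template, which is how an integration advertises agentless support to Fleet, following the package-spec layout used by integrations onboarded in Phases I and II. The package name, policy template name, input variable, and the `organization`/`division`/`team` values are placeholders chosen for this example; take the real values from the Onboarding Integration Guide.

```yaml
# Added example: fragment of an integration's manifest.yml (packages/<name>/manifest.yml).
# Only the policy_templates section is shown; the rest of the manifest is unchanged.
# "example_vendor" and the ownership values below are placeholders, not real package data.
policy_templates:
  - name: example_vendor
    title: Example Vendor logs
    description: Collect logs from the Example Vendor API.
    deployment_modes:
      default:
        enabled: true        # keep the agent-based (default) deployment available
      agentless:
        enabled: true        # this flag is what exposes the Agentless option in Fleet
        organization: security                      # placeholder ownership metadata
        division: engineering                       # placeholder
        team: security-service-integrations         # placeholder
    inputs:
      - type: cel            # or httpjson; the two inputs currently in scope for agentless
        title: Collect events via the Example Vendor API
        description: Collect events from the Example Vendor API using CEL.
        vars:
          - name: proxy_url
            type: text
            title: Proxy URL
            required: false
            # Settings that only make sense when the user operates the collector host
            # can be hidden from the agentless form so they are not set by mistake.
            hide_in_deployment_modes:
              - agentless
```

The security-relevant point of the change is the last block: in agentless mode the collector runs in Elastic-managed infrastructure rather than on the user's host, so host-local settings such as proxy configuration should be hidden for that mode, while API credentials stay as secret-typed vars exactly as in the default mode. After editing the manifest, run `elastic-package check` and `elastic-package test` as for any other package change so the manifest is validated against the package spec.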

2. Performance documentation

  • Test and document throughput in agentless (requires access to vendor environment and/or sample data)
  • Document specific metrics for each integration. For example/where possible:
    • API response time: Average time for vendor API calls to complete
    • Events processed per minute: How many log entries/events the integration can handle
    • Error rates: Percentage of failed API calls or data processing errors
    • Container resource usage: CPU and memory consumption under typical load
    • Vendor-specific limits: Rate limiting thresholds and API quotas

Example documentation format: "CrowdStrike Falcon Intelligence: 200ms avg API response, 5,000 events/min, 0.1% error rate, 512MB RAM/0.5CPU, 1000 API calls/hour limit"

Dependencies

  • Agentless infrastructure GA readiness (still in beta)
  • Input compatibility: Currently agentless is optimized for httpjson and cel inputs

References

Labels

  • 9.5 candidate
  • Epic
  • Team:SDE-Crest (Crest developers on the Security Integrations team, @elastic/sit-crest-contractors)
  • Team:Security-Service Integrations (Security Service Integrations team, @elastic/security-service-integrations)