From a2ad6974cc5744481578d03044e2b5349260835d Mon Sep 17 00:00:00 2001
From: Krishna Chaitanya Reddy Burri
Date: Wed, 5 Mar 2025 21:22:43 +0530
Subject: [PATCH] microsoft_sentinel: Add agentless deployment (#12586)
As part of onboarding integrations into agentless deployments, this PR adds agentless deployment to Microsoft Sentinel integration.
Ref:
- https://docs.elastic.dev/security-solution/cloud-security/agentless/onboard-integration
---
 .../microsoft_sentinel/_dev/build/docs/README.md | 9 +++++++--
 packages/microsoft_sentinel/changelog.yml | 5 +++++
 packages/microsoft_sentinel/docs/README.md | 8 ++++++--
 packages/microsoft_sentinel/manifest.yml | 14 +++++++++++---
 4 files changed, 29 insertions(+), 7 deletions(-)
diff --git a/packages/microsoft_sentinel/_dev/build/docs/README.md b/packages/microsoft_sentinel/_dev/build/docs/README.md
index 5ba1bc740e..284e8b050f 100644
--- a/packages/microsoft_sentinel/_dev/build/docs/README.md
+++ b/packages/microsoft_sentinel/_dev/build/docs/README.md
@@ -6,6 +6,11 @@
 
 Use the Microsoft Sentinel integration to collect and parse Alerts and Incidents from Microsoft Sentinel REST API and Events from the Microsoft Azure Event Hub, then visualise the data in Kibana.
 
+## Agentless Enabled Integration
+Agentless integrations allow you to collect data without having to manage Elastic Agent in your cloud. They make manual agent deployment unnecessary, so you can focus on your data instead of the agent that collects it. For more information, refer to [Agentless integrations](https://www.elastic.co/guide/en/serverless/current/security-agentless-integrations.html) and the [Agentless integrations FAQ](https://www.elastic.co/guide/en/serverless/current/agentless-integration-troubleshooting.html).
+
+Agentless deployments are only supported in Elastic Serverless and Elastic Cloud environments. This functionality is in beta and is subject to change. Beta features are not subject to the support SLA of official GA features.
+
 ## Data streams
 
 The Microsoft Sentinel integration collects logs for three types of events: Alert, Event and Incident.
@@ -18,7 +23,7 @@ The Microsoft Sentinel integration collects logs for three types of events: Aler
 
 ## Requirements
 
-Elastic Agent must be installed. For more details and installation instructions, please refer to the [Elastic Agent Installation Guide](https://www.elastic.co/guide/en/fleet/current/elastic-agent-installation.html).
+Unless you choose `Agentless` deployment, the Elastic Agent must be installed. For more details and installation instructions, please refer to the [Elastic Agent Installation Guide](https://www.elastic.co/guide/en/fleet/current/elastic-agent-installation.html).
 
 ### Installing and managing an Elastic Agent:
 
@@ -101,4 +106,4 @@ This is the `Incident` dataset.
 
 {{event "incident"}}
 
-{{fields "incident"}}
+{{fields "incident"}}
\ No newline at end of file
diff --git a/packages/microsoft_sentinel/changelog.yml b/packages/microsoft_sentinel/changelog.yml
index d12797da36..178af9f2ab 100644
--- a/packages/microsoft_sentinel/changelog.yml
+++ b/packages/microsoft_sentinel/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "0.5.0"
+  changes:
+    - description: Add support for agentless deployment.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/12586
 - version: "0.4.0"
   changes:
     - description: Update Kibana constraint to support 9.0.0.
diff --git a/packages/microsoft_sentinel/docs/README.md b/packages/microsoft_sentinel/docs/README.md
index 67188742ab..cbcaf3fdbc 100644
--- a/packages/microsoft_sentinel/docs/README.md
+++ b/packages/microsoft_sentinel/docs/README.md
@@ -6,6 +6,11 @@
 
 Use the Microsoft Sentinel integration to collect and parse Alerts and Incidents from Microsoft Sentinel REST API and Events from the Microsoft Azure Event Hub, then visualise the data in Kibana.
 
+## Agentless Enabled Integration
+Agentless integrations allow you to collect data without having to manage Elastic Agent in your cloud. They make manual agent deployment unnecessary, so you can focus on your data instead of the agent that collects it. For more information, refer to [Agentless integrations](https://www.elastic.co/guide/en/serverless/current/security-agentless-integrations.html) and the [Agentless integrations FAQ](https://www.elastic.co/guide/en/serverless/current/agentless-integration-troubleshooting.html).
+
+Agentless deployments are only supported in Elastic Serverless and Elastic Cloud environments. This functionality is in beta and is subject to change. Beta features are not subject to the support SLA of official GA features.
+
 ## Data streams
 
 The Microsoft Sentinel integration collects logs for three types of events: Alert, Event and Incident.
@@ -18,7 +23,7 @@ The Microsoft Sentinel integration collects logs for three types of events: Aler
 
 ## Requirements
 
-Elastic Agent must be installed. For more details and installation instructions, please refer to the [Elastic Agent Installation Guide](https://www.elastic.co/guide/en/fleet/current/elastic-agent-installation.html).
+Unless you choose `Agentless` deployment, the Elastic Agent must be installed. For more details and installation instructions, please refer to the [Elastic Agent Installation Guide](https://www.elastic.co/guide/en/fleet/current/elastic-agent-installation.html).
 
 ### Installing and managing an Elastic Agent:
 
@@ -484,4 +489,3 @@ An example event for `incident` looks as following:
 | observer.product | | constant_keyword |
 | observer.vendor | | constant_keyword |
 | tags | User defined tags. | keyword |
-
diff --git a/packages/microsoft_sentinel/manifest.yml b/packages/microsoft_sentinel/manifest.yml
index 9c5acef730..82631021ec 100644
--- a/packages/microsoft_sentinel/manifest.yml
+++ b/packages/microsoft_sentinel/manifest.yml
@@ -1,7 +1,7 @@
-format_version: 3.2.1
+format_version: 3.2.3
 name: microsoft_sentinel
 title: Microsoft Sentinel
-version: "0.4.0"
+version: "0.5.0"
 description: Collect logs from Microsoft Sentinel with Elastic Agent.
 type: integration
 categories:
@@ -10,7 +10,7 @@ categories:
   - edr_xdr
 conditions:
   kibana:
-    version: "^8.14.0 || ^9.0.0"
+    version: "^8.18.0 || ^9.0.0"
   elastic:
     subscription: basic
 screenshots:
@@ -35,6 +35,14 @@ policy_templates:
   - name: microsoft_sentinel
     title: Microsoft Sentinel Logs
     description: Collect logs from Microsoft Sentinel.
+    deployment_modes:
+      default:
+        enabled: true
+      agentless:
+        enabled: true
+        organization: security
+        division: engineering
+        team: security-service-integrations
     inputs:
       - type: cel
         title: Collect Microsoft Sentinel logs via API
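Review bot: The Kibana constraint in the second manifest.yml hunk moves from `^8.14.0 || ^9.0.0` to `^8.18.0 || ^9.0.0`, but the 0.5.0 changelog entry in this patch records only the agentless enhancement, so stacks on 8.14–8.17 will find the new package version unavailable with no stated reason. Either record it in the changelog, e.g. `- description: Add support for agentless deployment; requires Kibana 8.18.0 or later.`, or, if the bump is solely what the agentless `deployment_modes` spec needs, say so in the PR description. The package `description:` left as context in the first hunk still reads `Collect logs from Microsoft Sentinel with Elastic Agent.`, which no longer holds for the agentless mode the third hunk enables; `Collect logs from Microsoft Sentinel.` would match the policy template's own description. The `deployment_modes` block sits inside the `microsoft_sentinel` policy template, whose `inputs:` list continues past the end of the hunk.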