From a14b2b15723028907f8203f59150ef879c28c9a5 Mon Sep 17 00:00:00 2001
From: kcreddy
Date: Mon, 3 Feb 2025 16:08:13 +0530
Subject: [PATCH 1/6] Add agentless deployment
---
 packages/microsoft_sentinel/changelog.yml | 5 +++++
 packages/microsoft_sentinel/manifest.yml | 10 +++++++++-
 2 files changed, 14 insertions(+), 1 deletion(-)
diff --git a/packages/microsoft_sentinel/changelog.yml b/packages/microsoft_sentinel/changelog.yml
index 9fc7f01f6ef..a693d5e6824 100644
--- a/packages/microsoft_sentinel/changelog.yml
+++ b/packages/microsoft_sentinel/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "0.4.0"
+ changes:
+ - description: Add support for agentless deployment.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1
 - version: "0.3.0"
 changes:
 - description: Add "preserve_original_event" tag to documents with `event.kind` manually set to "pipeline_error".
diff --git a/packages/microsoft_sentinel/manifest.yml b/packages/microsoft_sentinel/manifest.yml
index 49234267f66..b51aa5db64f 100644
--- a/packages/microsoft_sentinel/manifest.yml
+++ b/packages/microsoft_sentinel/manifest.yml
@@ -1,7 +1,7 @@
 format_version: 3.2.1
 name: microsoft_sentinel
 title: Microsoft Sentinel
-version: 0.3.0
+version: 0.4.0
 description: Collect logs from Microsoft Sentinel with Elastic Agent.
 type: integration
 categories:
@@ -35,6 +35,14 @@ policy_templates:
 - name: microsoft_sentinel
 title: Microsoft Sentinel Logs
 description: Collect logs from Microsoft Sentinel.
+ deployment_modes:
+ default:
+ enabled: true
+ agentless:
+ enabled: true
+ organization: elastic
+ division: engineering
+ team: security-service-integrations
 inputs:
 - type: cel
 title: Collect Microsoft Sentinel logs via API
From 67f844a734d3c58a78b8423d063cd63604bf2269 Mon Sep 17 00:00:00 2001
From: kcreddy
Date: Wed, 5 Feb 2025 16:48:21 +0530
Subject: [PATCH 2/6] update pr number
---
 packages/microsoft_sentinel/changelog.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
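Review bot: The added `deployment_modes` block enables `agentless` on the whole `microsoft_sentinel` policy template, so it applies to every input the template lists, while the README added later in this series states that agentless support is limited to the API input and is not supported for the Azure Event Hub input. Only the `cel` input is visible in the hunk; the template's `inputs` list continues outside it, and the package description elsewhere on this page refers to an Event Hub input, presumably under this same template, which a user choosing agentless could then select even though the package does not support it in that mode. If the package spec version in use allows a per-input deployment-mode restriction, limiting the Event Hub input to the default mode would make the manifest agree with the documentation; otherwise the limitation should at least be stated in that input's `description` so it is visible at policy-creation time rather than only in the README.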
diff --git a/packages/microsoft_sentinel/changelog.yml b/packages/microsoft_sentinel/changelog.yml
index a693d5e6824..9216b18d352 100644
--- a/packages/microsoft_sentinel/changelog.yml
+++ b/packages/microsoft_sentinel/changelog.yml
@@ -3,7 +3,7 @@
 changes:
 - description: Add support for agentless deployment.
 type: enhancement
- link: https://github.com/elastic/integrations/pull/1
+ link: https://github.com/elastic/integrations/pull/12586
 - version: "0.3.0"
 changes:
 - description: Add "preserve_original_event" tag to documents with `event.kind` manually set to "pipeline_error".
From 393c46a1a7cab5a896a50c6ec295ffdbd726e3cf Mon Sep 17 00:00:00 2001
From: kcreddy
Date: Wed, 5 Feb 2025 18:51:34 +0530
Subject: [PATCH 3/6] update organization
---
 packages/microsoft_sentinel/manifest.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/packages/microsoft_sentinel/manifest.yml b/packages/microsoft_sentinel/manifest.yml
index b51aa5db64f..28ef04960a8 100644
--- a/packages/microsoft_sentinel/manifest.yml
+++ b/packages/microsoft_sentinel/manifest.yml
@@ -40,7 +40,7 @@ policy_templates:
 enabled: true
 agentless:
 enabled: true
- organization: elastic
+ organization: security
 division: engineering
 team: security-service-integrations
 inputs:
From 1fcf2296cefc38936f2591e7d4cf63d8d5666aa2 Mon Sep 17 00:00:00 2001
From: kcreddy
Date: Wed, 12 Feb 2025 22:29:38 +0530
Subject: [PATCH 4/6] Address PR comments.
- Update kibana.version: "^8.18.0 || ^9.0.0"
- Update format_version to 3.2.3
---
 packages/microsoft_sentinel/manifest.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/packages/microsoft_sentinel/manifest.yml b/packages/microsoft_sentinel/manifest.yml
index 28ef04960a8..e5c5fd1f2d6 100644
--- a/packages/microsoft_sentinel/manifest.yml
+++ b/packages/microsoft_sentinel/manifest.yml
@@ -1,4 +1,4 @@
-format_version: 3.2.1
+format_version: 3.2.3
 name: microsoft_sentinel
 title: Microsoft Sentinel
 version: 0.4.0
@@ -10,7 +10,7 @@ categories:
 - edr_xdr
 conditions:
 kibana:
- version: ^8.14.0
+ version: "^8.18.0 || ^9.0.0"
 elastic:
 subscription: basic
 screenshots:
From b388c013c7a9c33350d2bf92c5e45fa6dd784e92 Mon Sep 17 00:00:00 2001
From: kcreddy
Date: Fri, 14 Feb 2025 00:45:13 +0530
Subject: [PATCH 5/6] Update documentation for agentless support and limitation to API
---
 .../_dev/build/docs/README.md | 18 ++++++++++++++----
 packages/microsoft_sentinel/docs/README.md | 18 ++++++++++++++----
 2 files changed, 28 insertions(+), 8 deletions(-)
diff --git a/packages/microsoft_sentinel/_dev/build/docs/README.md b/packages/microsoft_sentinel/_dev/build/docs/README.md
index 5ba1bc740e5..e99483d1adc 100644
--- a/packages/microsoft_sentinel/_dev/build/docs/README.md
+++ b/packages/microsoft_sentinel/_dev/build/docs/README.md
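Review bot: Raising `conditions.kibana.version` from `^8.14.0` to `"^8.18.0 || ^9.0.0"` is a compatibility change that the 0.4.0 changelog entry added in patch 1 does not record; that entry only mentions agentless support. Stacks on 8.14 through 8.17 will no longer be offered this package version, so the changelog should say so explicitly, for example a second entry under 0.4.0 such as `- description: Require Kibana ^8.18.0 || ^9.0.0 for agentless deployment support.` (as `type: enhancement`, or a breaking-change type if the project reserves that for a raised minimum). The commit body already ties this to the `format_version` bump to 3.2.3 in the same patch; carrying the same reasoning into the changelog entry would let users see why the minimum moved without reading the git history.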
@@ -18,21 +18,31 @@ The Microsoft Sentinel integration collects logs for three types of events: Aler ## Requirements +### Agentless deployment + +Agentless deployments are only supported in Elastic Serverless and Elastic Cloud environments. Agentless deployments provide a means to ingest data while avoiding the orchestration, management, and maintenance needs associated with standard ingest infrastructure. Using agentless deployment makes manual agent deployment unnecessary, allowing you to focus on your data instead of the agent that collects it. + +For more information, refer to [Agentless integrations](https://www.elastic.co/guide/en/serverless/current/security-agentless-integrations.html) and [Agentless integrations FAQ](https://www.elastic.co/guide/en/serverless/current/agentless-integration-troubleshooting.html) + +> Note: Currently Agentless support for Microsoft Sentinel integration is limited to API and not supported for Azure Event Hub input. + +### Agent-based deployment + Elastic Agent must be installed. For more details and installation instructions, please refer to the [Elastic Agent Installation Guide](https://www.elastic.co/guide/en/fleet/current/elastic-agent-installation.html). -### Installing and managing an Elastic Agent: +#### Installing and managing an Elastic Agent: There are several options for installing and managing Elastic Agent: -### Install a Fleet-managed Elastic Agent (recommended): +#### Install a Fleet-managed Elastic Agent (recommended): With this approach, you install Elastic Agent and use Fleet in Kibana to define, configure, and manage your agents in a central location. We recommend using Fleet management because it makes the management and upgrade of your agents considerably easier. 
-### Install Elastic Agent in standalone mode (advanced users): +#### Install Elastic Agent in standalone mode (advanced users): With this approach, you install Elastic Agent and manually configure the agent locally on the system where it’s installed. You are responsible for managing and upgrading the agents. This approach is reserved for advanced users only. -### Install Elastic Agent in a containerized environment: +#### Install Elastic Agent in a containerized environment: You can run Elastic Agent inside a container, either with Fleet Server or standalone. Docker images for all versions of Elastic Agent are available from the Elastic Docker registry, and we provide deployment manifests for running on Kubernetes. diff --git a/packages/microsoft_sentinel/docs/README.md b/packages/microsoft_sentinel/docs/README.md index 67188742aba..ed58602531c 100644 --- a/packages/microsoft_sentinel/docs/README.md +++ b/packages/microsoft_sentinel/docs/README.md 
@@ -18,21 +18,31 @@ The Microsoft Sentinel integration collects logs for three types of events: Aler ## Requirements +### Agentless deployment + +Agentless deployments are only supported in Elastic Serverless and Elastic Cloud environments. Agentless deployments provide a means to ingest data while avoiding the orchestration, management, and maintenance needs associated with standard ingest infrastructure. Using agentless deployment makes manual agent deployment unnecessary, allowing you to focus on your data instead of the agent that collects it. + +For more information, refer to [Agentless integrations](https://www.elastic.co/guide/en/serverless/current/security-agentless-integrations.html) and [Agentless integrations FAQ](https://www.elastic.co/guide/en/serverless/current/agentless-integration-troubleshooting.html) + +> Note: Currently Agentless support for Microsoft Sentinel integration is limited to API and not supported for Azure Event Hub input. + +### Agent-based deployment + Elastic Agent must be installed. For more details and installation instructions, please refer to the [Elastic Agent Installation Guide](https://www.elastic.co/guide/en/fleet/current/elastic-agent-installation.html). -### Installing and managing an Elastic Agent: +#### Installing and managing an Elastic Agent: There are several options for installing and managing Elastic Agent: -### Install a Fleet-managed Elastic Agent (recommended): +#### Install a Fleet-managed Elastic Agent (recommended): With this approach, you install Elastic Agent and use Fleet in Kibana to define, configure, and manage your agents in a central location. We recommend using Fleet management because it makes the management and upgrade of your agents considerably easier. 
-### Install Elastic Agent in standalone mode (advanced users): +#### Install Elastic Agent in standalone mode (advanced users): With this approach, you install Elastic Agent and manually configure the agent locally on the system where it’s installed. You are responsible for managing and upgrading the agents. This approach is reserved for advanced users only. -### Install Elastic Agent in a containerized environment: +#### Install Elastic Agent in a containerized environment: You can run Elastic Agent inside a container, either with Fleet Server or standalone. Docker images for all versions of Elastic Agent are available from the Elastic Docker registry, and we provide deployment manifests for running on Kubernetes. From bb589a593ac4f38da0b3c396d3c3388d3be3c54c Mon Sep 17 00:00:00 2001 From: kcreddy Date: Tue, 4 Mar 2025 13:31:16 +0530 Subject: [PATCH 6/6] Update README for agentless --- .../_dev/build/docs/README.md | 27 ++++++++----------- packages/microsoft_sentinel/docs/README.md | 26 +++++++----------- 2 files changed, 21 insertions(+), 32 deletions(-) diff --git a/packages/microsoft_sentinel/_dev/build/docs/README.md b/packages/microsoft_sentinel/_dev/build/docs/README.md index e99483d1adc..284e8b050f3 100644 --- a/packages/microsoft_sentinel/_dev/build/docs/README.md +++ b/packages/microsoft_sentinel/_dev/build/docs/README.md 
@@ -6,6 +6,11 @@ Use the Microsoft Sentinel integration to collect and parse Alerts and Incidents from Microsoft Sentinel REST API and Events from the Microsoft Azure Event Hub, then visualise the data in Kibana. +## Agentless Enabled Integration +Agentless integrations allow you to collect data without having to manage Elastic Agent in your cloud. They make manual agent deployment unnecessary, so you can focus on your data instead of the agent that collects it. For more information, refer to [Agentless integrations](https://www.elastic.co/guide/en/serverless/current/security-agentless-integrations.html) and the [Agentless integrations FAQ](https://www.elastic.co/guide/en/serverless/current/agentless-integration-troubleshooting.html). + +Agentless deployments are only supported in Elastic Serverless and Elastic Cloud environments. This functionality is in beta and is subject to change. Beta features are not subject to the support SLA of official GA features. + ## Data streams The Microsoft Sentinel integration collects logs for three types of events: Alert, Event and Incident. 
@@ -18,31 +23,21 @@ The Microsoft Sentinel integration collects logs for three types of events: Aler ## Requirements -### Agentless deployment - -Agentless deployments are only supported in Elastic Serverless and Elastic Cloud environments. Agentless deployments provide a means to ingest data while avoiding the orchestration, management, and maintenance needs associated with standard ingest infrastructure. Using agentless deployment makes manual agent deployment unnecessary, allowing you to focus on your data instead of the agent that collects it. - -For more information, refer to [Agentless integrations](https://www.elastic.co/guide/en/serverless/current/security-agentless-integrations.html) and [Agentless integrations FAQ](https://www.elastic.co/guide/en/serverless/current/agentless-integration-troubleshooting.html) - -> Note: Currently Agentless support for Microsoft Sentinel integration is limited to API and not supported for Azure Event Hub input. - -### Agent-based deployment - -Elastic Agent must be installed. For more details and installation instructions, please refer to the [Elastic Agent Installation Guide](https://www.elastic.co/guide/en/fleet/current/elastic-agent-installation.html). +Unless you choose `Agentless` deployment, the Elastic Agent must be installed. For more details and installation instructions, please refer to the [Elastic Agent Installation Guide](https://www.elastic.co/guide/en/fleet/current/elastic-agent-installation.html). -#### Installing and managing an Elastic Agent: +### Installing and managing an Elastic Agent: There are several options for installing and managing Elastic Agent: -#### Install a Fleet-managed Elastic Agent (recommended): +### Install a Fleet-managed Elastic Agent (recommended): With this approach, you install Elastic Agent and use Fleet in Kibana to define, configure, and manage your agents in a central location. 
We recommend using Fleet management because it makes the management and upgrade of your agents considerably easier. -#### Install Elastic Agent in standalone mode (advanced users): +### Install Elastic Agent in standalone mode (advanced users): With this approach, you install Elastic Agent and manually configure the agent locally on the system where it’s installed. You are responsible for managing and upgrading the agents. This approach is reserved for advanced users only. -#### Install Elastic Agent in a containerized environment: +### Install Elastic Agent in a containerized environment: You can run Elastic Agent inside a container, either with Fleet Server or standalone. Docker images for all versions of Elastic Agent are available from the Elastic Docker registry, and we provide deployment manifests for running on Kubernetes. @@ -111,4 +106,4 @@ This is the `Incident` dataset. {{event "incident"}} -{{fields "incident"}} +{{fields "incident"}} \ No newline at end of file diff --git a/packages/microsoft_sentinel/docs/README.md b/packages/microsoft_sentinel/docs/README.md index ed58602531c..cbcaf3fdbc9 100644 --- a/packages/microsoft_sentinel/docs/README.md +++ b/packages/microsoft_sentinel/docs/README.md 
@@ -6,6 +6,11 @@ Use the Microsoft Sentinel integration to collect and parse Alerts and Incidents from Microsoft Sentinel REST API and Events from the Microsoft Azure Event Hub, then visualise the data in Kibana. +## Agentless Enabled Integration +Agentless integrations allow you to collect data without having to manage Elastic Agent in your cloud. They make manual agent deployment unnecessary, so you can focus on your data instead of the agent that collects it. For more information, refer to [Agentless integrations](https://www.elastic.co/guide/en/serverless/current/security-agentless-integrations.html) and the [Agentless integrations FAQ](https://www.elastic.co/guide/en/serverless/current/agentless-integration-troubleshooting.html). + +Agentless deployments are only supported in Elastic Serverless and Elastic Cloud environments. This functionality is in beta and is subject to change. Beta features are not subject to the support SLA of official GA features. + ## Data streams The Microsoft Sentinel integration collects logs for three types of events: Alert, Event and Incident. 
@@ -18,31 +23,21 @@ The Microsoft Sentinel integration collects logs for three types of events: Aler ## Requirements -### Agentless deployment - -Agentless deployments are only supported in Elastic Serverless and Elastic Cloud environments. Agentless deployments provide a means to ingest data while avoiding the orchestration, management, and maintenance needs associated with standard ingest infrastructure. Using agentless deployment makes manual agent deployment unnecessary, allowing you to focus on your data instead of the agent that collects it. - -For more information, refer to [Agentless integrations](https://www.elastic.co/guide/en/serverless/current/security-agentless-integrations.html) and [Agentless integrations FAQ](https://www.elastic.co/guide/en/serverless/current/agentless-integration-troubleshooting.html) +Unless you choose `Agentless` deployment, the Elastic Agent must be installed. For more details and installation instructions, please refer to the [Elastic Agent Installation Guide](https://www.elastic.co/guide/en/fleet/current/elastic-agent-installation.html). -> Note: Currently Agentless support for Microsoft Sentinel integration is limited to API and not supported for Azure Event Hub input. - -### Agent-based deployment - -Elastic Agent must be installed. For more details and installation instructions, please refer to the [Elastic Agent Installation Guide](https://www.elastic.co/guide/en/fleet/current/elastic-agent-installation.html). - -#### Installing and managing an Elastic Agent: +### Installing and managing an Elastic Agent: There are several options for installing and managing Elastic Agent: -#### Install a Fleet-managed Elastic Agent (recommended): +### Install a Fleet-managed Elastic Agent (recommended): With this approach, you install Elastic Agent and use Fleet in Kibana to define, configure, and manage your agents in a central location. 
We recommend using Fleet management because it makes the management and upgrade of your agents considerably easier. -#### Install Elastic Agent in standalone mode (advanced users): +### Install Elastic Agent in standalone mode (advanced users): With this approach, you install Elastic Agent and manually configure the agent locally on the system where it’s installed. You are responsible for managing and upgrading the agents. This approach is reserved for advanced users only. -#### Install Elastic Agent in a containerized environment: +### Install Elastic Agent in a containerized environment: You can run Elastic Agent inside a container, either with Fleet Server or standalone. Docker images for all versions of Elastic Agent are available from the Elastic Docker registry, and we provide deployment manifests for running on Kubernetes. @@ -494,4 +489,3 @@ An example event for `incident` looks as following: | observer.product | | constant_keyword | | observer.vendor | | constant_keyword | | tags | User defined tags. | keyword | -