[ti_google_threat_intelligence] Add Agentless deployment

packages/ti_google_threat_intelligence/_dev/build/docs/README.md

@@ -34,6 +34,12 @@ Data collection is available for all nine feed types: `cryptominer`, `first_stag
 
 ## Requirements
 
+### Agentless-enabled integration
+Agentless integrations allow you to collect data without having to manage Elastic Agent in your cloud. They make manual agent deployment unnecessary, so you can focus on your data instead of the agent that collects it. For more information, refer to [Agentless integrations](https://www.elastic.co/guide/en/serverless/current/security-agentless-integrations.html) and the [Agentless integrations FAQ](https://www.elastic.co/guide/en/serverless/current/agentless-integration-troubleshooting.html).
+
+Agentless deployments are only supported in Elastic Serverless and Elastic Cloud environments. This functionality is in beta and is subject to change. Beta features are not subject to the support SLA of official GA features.
+
+### Agent-based installation
 Elastic Agent must be installed. For more details, check the Elastic Agent [installation instructions](docs-content://reference/fleet/install-elastic-agents.md).
 
 ## Setup
@@ -145,7 +151,7 @@ The following transform and its associated pipelines are used to filter relevant
    - Prefix the pipeline name with the integration version.
      For example:
      ```
-     0.2.0-ti_google_threat_intelligence-latest_ip_ioc-transform-pipeline
+     {package_version}-ti_google_threat_intelligence-latest_ip_ioc-transform-pipeline
      ```
    - Click **Update** to save the changes.
 5. Click the **three dots** again next to the transform and select **Start** to activate it.

packages/ti_google_threat_intelligence/changelog.yml

@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: 0.4.0
+  changes:
+    - description: Enable Agentless deployment.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/14511
 - version: 0.3.0
   changes:
     - description: Add data streams - linux, malicious_network_infrastructure, malware, mobile, osx.

packages/ti_google_threat_intelligence/data_stream/cryptominer/agent/stream/cel.yml.hbs

@@ -33,7 +33,7 @@ program: |
         ?"query": has(state.query) ? optional.of([state.query]) : optional.none(),
         "limit": ["4000"],
         "x-tool": ["Elastic"],
-        "User-Agent": ["v0.3.0"], // Keep this in sync with 'version' in package level manifest.yml.
+        "User-Agent": ["v0.4.0"], // Keep this in sync with 'version' in package level manifest.yml.
       }.format_query()
     ).with({
       "Header": {

packages/ti_google_threat_intelligence/data_stream/cryptominer/elasticsearch/ingest_pipeline/default.yml

@@ -12,6 +12,17 @@ processors:
   - drop:
       if: ctx.message == 'retry'
       tag: drop_retry_events
+  - remove:
+      field:
+        - organization
+        - division
+        - team
+      ignore_missing: true
+      if: ctx.organization instanceof String && ctx.division instanceof String && ctx.team instanceof String
+      tag: remove_agentless_tags
+      description: >-
+        Removes the fields added by Agentless as metadata,
+        as they can collide with ECS fields.
   - rename:
       field: message
       tag: rename_message_to_event_original

packages/ti_google_threat_intelligence/data_stream/first_stage_delivery_vectors/agent/stream/cel.yml.hbs

@@ -33,7 +33,7 @@ program: |
         ?"query": has(state.query) ? optional.of([state.query]) : optional.none(),
         "limit": ["4000"],
         "x-tool": ["Elastic"],
-        "User-Agent": ["v0.3.0"], // Keep this in sync with 'version' in package level manifest.yml.
+        "User-Agent": ["v0.4.0"], // Keep this in sync with 'version' in package level manifest.yml.
       }.format_query()
     ).with({
       "Header": {

packages/ti_google_threat_intelligence/data_stream/first_stage_delivery_vectors/elasticsearch/ingest_pipeline/default.yml

@@ -12,6 +12,17 @@ processors:
   - drop:
       if: ctx.message == 'retry'
       tag: drop_retry_events
+  - remove:
+      field:
+        - organization
+        - division
+        - team
+      ignore_missing: true
+      if: ctx.organization instanceof String && ctx.division instanceof String && ctx.team instanceof String
+      tag: remove_agentless_tags
+      description: >-
+        Removes the fields added by Agentless as metadata,
+        as they can collide with ECS fields.
   - rename:
       field: message
       tag: rename_message_to_event_original

packages/ti_google_threat_intelligence/data_stream/infostealer/agent/stream/cel.yml.hbs

@@ -33,7 +33,7 @@ program: |
         ?"query": has(state.query) ? optional.of([state.query]) : optional.none(),
         "limit": ["4000"],
         "x-tool": ["Elastic"],
-        "User-Agent": ["v0.3.0"], // Keep this in sync with 'version' in package level manifest.yml.
+        "User-Agent": ["v0.4.0"], // Keep this in sync with 'version' in package level manifest.yml.
       }.format_query()
     ).with({
       "Header": {

packages/ti_google_threat_intelligence/data_stream/infostealer/elasticsearch/ingest_pipeline/default.yml

@@ -12,6 +12,17 @@ processors:
   - drop:
       if: ctx.message == 'retry'
       tag: drop_retry_events
+  - remove:
+      field:
+        - organization
+        - division
+        - team
+      ignore_missing: true
+      if: ctx.organization instanceof String && ctx.division instanceof String && ctx.team instanceof String
+      tag: remove_agentless_tags
+      description: >-
+        Removes the fields added by Agentless as metadata,
+        as they can collide with ECS fields.
   - rename:
       field: message
       tag: rename_message_to_event_original

packages/ti_google_threat_intelligence/data_stream/iot/agent/stream/cel.yml.hbs

@@ -33,7 +33,7 @@ program: |
         ?"query": has(state.query) ? optional.of([state.query]) : optional.none(),
         "limit": ["4000"],
         "x-tool": ["Elastic"],
-        "User-Agent": ["v0.3.0"], // Keep this in sync with 'version' in package level manifest.yml.
+        "User-Agent": ["v0.4.0"], // Keep this in sync with 'version' in package level manifest.yml.
       }.format_query()
     ).with({
       "Header": {

packages/ti_google_threat_intelligence/data_stream/iot/elasticsearch/ingest_pipeline/default.yml

@@ -12,6 +12,17 @@ processors:
   - drop:
       if: ctx.message == 'retry'
       tag: drop_retry_events
+  - remove:
+      field:
+        - organization
+        - division
+        - team
+      ignore_missing: true
+      if: ctx.organization instanceof String && ctx.division instanceof String && ctx.team instanceof String
+      tag: remove_agentless_tags
+      description: >-
+        Removes the fields added by Agentless as metadata,
+        as they can collide with ECS fields.
   - rename:
       field: message
       tag: rename_message_to_event_original

packages/ti_google_threat_intelligence/data_stream/linux/agent/stream/cel.yml.hbs

@@ -33,7 +33,7 @@ program: |
         ?"query": has(state.query) ? optional.of([state.query]) : optional.none(),
         "limit": ["4000"],
         "x-tool": ["Elastic"],
-        "User-Agent": ["v0.3.0"], // Keep this in sync with 'version' in package level manifest.yml.
+        "User-Agent": ["v0.4.0"], // Keep this in sync with 'version' in package level manifest.yml.
       }.format_query()
     ).with({
       "Header": {

packages/ti_google_threat_intelligence/data_stream/linux/elasticsearch/ingest_pipeline/default.yml

@@ -12,6 +12,17 @@ processors:
   - drop:
       if: ctx.message == 'retry'
       tag: drop_retry_events
+  - remove:
+      field:
+        - organization
+        - division
+        - team
+      ignore_missing: true
+      if: ctx.organization instanceof String && ctx.division instanceof String && ctx.team instanceof String
+      tag: remove_agentless_tags
+      description: >-
+        Removes the fields added by Agentless as metadata,
+        as they can collide with ECS fields.
   - rename:
       field: message
       tag: rename_message_to_event_original

packages/ti_google_threat_intelligence/data_stream/malicious_network_infrastructure/agent/stream/cel.yml.hbs

@@ -33,7 +33,7 @@ program: |
         ?"query": has(state.query) ? optional.of([state.query]) : optional.none(),
         "limit": ["4000"],
         "x-tool": ["Elastic"],
-        "User-Agent": ["v0.3.0"], // Keep this in sync with 'version' in package level manifest.yml.
+        "User-Agent": ["v0.4.0"], // Keep this in sync with 'version' in package level manifest.yml.
       }.format_query()
     ).with({
       "Header": {

packages/ti_google_threat_intelligence/data_stream/malicious_network_infrastructure/elasticsearch/ingest_pipeline/default.yml

@@ -12,6 +12,17 @@ processors:
   - drop:
       if: ctx.message == 'retry'
       tag: drop_retry_events
+  - remove:
+      field:
+        - organization
+        - division
+        - team
+      ignore_missing: true
+      if: ctx.organization instanceof String && ctx.division instanceof String && ctx.team instanceof String
+      tag: remove_agentless_tags
+      description: >-
+        Removes the fields added by Agentless as metadata,
+        as they can collide with ECS fields.
   - rename:
       field: message
       tag: rename_message_to_event_original

packages/ti_google_threat_intelligence/data_stream/malware/agent/stream/cel.yml.hbs

@@ -33,7 +33,7 @@ program: |
         ?"query": has(state.query) ? optional.of([state.query]) : optional.none(),
         "limit": ["4000"],
         "x-tool": ["Elastic"],
-        "User-Agent": ["v0.3.0"], // Keep this in sync with 'version' in package level manifest.yml.
+        "User-Agent": ["v0.4.0"], // Keep this in sync with 'version' in package level manifest.yml.
       }.format_query()
     ).with({
       "Header": {

packages/ti_google_threat_intelligence/data_stream/malware/elasticsearch/ingest_pipeline/default.yml

@@ -12,6 +12,17 @@ processors:
   - drop:
       if: ctx.message == 'retry'
       tag: drop_retry_events
+  - remove:
+      field:
+        - organization
+        - division
+        - team
+      ignore_missing: true
+      if: ctx.organization instanceof String && ctx.division instanceof String && ctx.team instanceof String
+      tag: remove_agentless_tags
+      description: >-
+        Removes the fields added by Agentless as metadata,
+        as they can collide with ECS fields.
   - rename:
       field: message
       tag: rename_message_to_event_original

packages/ti_google_threat_intelligence/data_stream/mobile/agent/stream/cel.yml.hbs

@@ -33,7 +33,7 @@ program: |
         ?"query": has(state.query) ? optional.of([state.query]) : optional.none(),
         "limit": ["4000"],
         "x-tool": ["Elastic"],
-        "User-Agent": ["v0.3.0"], // Keep this in sync with 'version' in package level manifest.yml.
+        "User-Agent": ["v0.4.0"], // Keep this in sync with 'version' in package level manifest.yml.
       }.format_query()
     ).with({
       "Header": {

packages/ti_google_threat_intelligence/data_stream/mobile/elasticsearch/ingest_pipeline/default.yml

@@ -12,6 +12,17 @@ processors:
   - drop:
       if: ctx.message == 'retry'
       tag: drop_retry_events
+  - remove:
+      field:
+        - organization
+        - division
+        - team
+      ignore_missing: true
+      if: ctx.organization instanceof String && ctx.division instanceof String && ctx.team instanceof String
+      tag: remove_agentless_tags
+      description: >-
+        Removes the fields added by Agentless as metadata,
+        as they can collide with ECS fields.
   - rename:
       field: message
       tag: rename_message_to_event_original

packages/ti_google_threat_intelligence/data_stream/osx/agent/stream/cel.yml.hbs

@@ -33,7 +33,7 @@ program: |
         ?"query": has(state.query) ? optional.of([state.query]) : optional.none(),
         "limit": ["4000"],
         "x-tool": ["Elastic"],
-        "User-Agent": ["v0.3.0"], // Keep this in sync with 'version' in package level manifest.yml.
+        "User-Agent": ["v0.4.0"], // Keep this in sync with 'version' in package level manifest.yml.
       }.format_query()
     ).with({
       "Header": {

packages/ti_google_threat_intelligence/data_stream/osx/elasticsearch/ingest_pipeline/default.yml

@@ -12,6 +12,17 @@ processors:
   - drop:
       if: ctx.message == 'retry'
       tag: drop_retry_events
+  - remove:
+      field:
+        - organization
+        - division
+        - team
+      ignore_missing: true
+      if: ctx.organization instanceof String && ctx.division instanceof String && ctx.team instanceof String
+      tag: remove_agentless_tags
+      description: >-
+        Removes the fields added by Agentless as metadata,
+        as they can collide with ECS fields.
   - rename:
       field: message
       tag: rename_message_to_event_original

packages/ti_google_threat_intelligence/docs/README.md

@@ -34,6 +34,12 @@ Data collection is available for all nine feed types: `cryptominer`, `first_stag
 
 ## Requirements
 
+### Agentless-enabled integration
+Agentless integrations allow you to collect data without having to manage Elastic Agent in your cloud. They make manual agent deployment unnecessary, so you can focus on your data instead of the agent that collects it. For more information, refer to [Agentless integrations](https://www.elastic.co/guide/en/serverless/current/security-agentless-integrations.html) and the [Agentless integrations FAQ](https://www.elastic.co/guide/en/serverless/current/agentless-integration-troubleshooting.html).
+
+Agentless deployments are only supported in Elastic Serverless and Elastic Cloud environments. This functionality is in beta and is subject to change. Beta features are not subject to the support SLA of official GA features.
+
+### Agent-based installation
 Elastic Agent must be installed. For more details, check the Elastic Agent [installation instructions](docs-content://reference/fleet/install-elastic-agents.md).
 
 ## Setup
@@ -145,7 +151,7 @@ The following transform and its associated pipelines are used to filter relevant
    - Prefix the pipeline name with the integration version.
      For example:
      ```
-     0.2.0-ti_google_threat_intelligence-latest_ip_ioc-transform-pipeline
+     {package_version}-ti_google_threat_intelligence-latest_ip_ioc-transform-pipeline
      ```
    - Click **Update** to save the changes.
 5. Click the **three dots** again next to the transform and select **Start** to activate it.

packages/ti_google_threat_intelligence/elasticsearch/transform/domain_ioc/transform.yml

@@ -54,7 +54,7 @@ _meta:
   managed: false
   # Bump this version to delete, reinstall, and restart the transform during
   # package installation.
-  fleet_transform_version: 0.3.0
+  fleet_transform_version: 0.4.0
   # We are currently using multiple source indices in this transform because system tests do not support
   # executing queries defined within the transform. This causes test failures, so we've raised the issue here:
   # https://github.com/elastic/elastic-package/issues/2676

packages/ti_google_threat_intelligence/elasticsearch/transform/file_ioc/transform.yml

@@ -54,7 +54,7 @@ _meta:
   managed: false
   # Bump this version to delete, reinstall, and restart the transform during
   # package installation.
-  fleet_transform_version: 0.3.0
+  fleet_transform_version: 0.4.0
   # We are currently using multiple source indices in this transform because system tests do not support
   # executing queries defined within the transform. This causes test failures, so we've raised the issue here:
   # https://github.com/elastic/elastic-package/issues/2676

packages/ti_google_threat_intelligence/elasticsearch/transform/ip_ioc/transform.yml

@@ -54,7 +54,7 @@ _meta:
   managed: false
   # Bump this version to delete, reinstall, and restart the transform during
   # package installation.
-  fleet_transform_version: 0.3.0
+  fleet_transform_version: 0.4.0
   # We are currently using multiple source indices in this transform because system tests do not support
   # executing queries defined within the transform. This causes test failures, so we've raised the issue here:
   # https://github.com/elastic/elastic-package/issues/2676

packages/ti_google_threat_intelligence/elasticsearch/transform/rule/transform.yml

@@ -42,5 +42,5 @@ _meta:
   managed: false
   # Bump this version to delete, reinstall, and restart the transform during
   # package installation.
-  fleet_transform_version: 0.3.0
+  fleet_transform_version: 0.4.0
   run_as_kibana_system: false

packages/ti_google_threat_intelligence/elasticsearch/transform/url_ioc/transform.yml

@@ -54,7 +54,7 @@ _meta:
   managed: false
   # Bump this version to delete, reinstall, and restart the transform during
   # package installation.
-  fleet_transform_version: 0.3.0
+  fleet_transform_version: 0.4.0
   # We are currently using multiple source indices in this transform because system tests do not support
   # executing queries defined within the transform. This causes test failures, so we've raised the issue here:
   # https://github.com/elastic/elastic-package/issues/2676

packages/ti_google_threat_intelligence/kibana/dashboard/ti_google_threat_intelligence-0b0fb6b4-d250-4e31-a56a-bb872e4c7c4a.json

@@ -826,9 +826,8 @@
         "version": 2
     },
     "coreMigrationVersion": "8.8.0",
-    "created_at": "2025-06-03T08:45:20.592Z",
+    "created_at": "2025-07-11T07:54:47.115Z",
     "id": "ti_google_threat_intelligence-0b0fb6b4-d250-4e31-a56a-bb872e4c7c4a",
-    "managed": false,
     "references": [
         {
             "id": "logs-*",
@@ -922,6 +921,5 @@
         }
     ],
     "type": "dashboard",
-    "typeMigrationVersion": "10.2.0",
-    "updated_by": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
+    "typeMigrationVersion": "10.2.0"
 }