5 changes: 5 additions & 0 deletions packages/auth0/_dev/build/docs/README.md
Expand Up @@ -4,8 +4,13 @@

## Compatibility

The package collects log events either sent via log stream webhooks, or by API request to the Auth0 v2 API.

Check warning on line 7 in packages/auth0/_dev/build/docs/README.md

GitHub Actions / Lint Documentation

Elastic.Latinisms: Latin terms and abbreviations are a common source of confusion. Use 'using' instead of 'via'.

## Agentless Enabled Integration

Agentless integrations allow you to collect data without having to manage Elastic Agent in your cloud. They make manual agent deployment unnecessary, so you can focus on your data instead of the agent that collects it. For more information, refer to [Agentless integrations](https://www.elastic.co/guide/en/serverless/current/security-agentless-integrations.html) and the [Agentless integrations FAQ](https://www.elastic.co/guide/en/serverless/current/agentless-integration-troubleshooting.html).
Agentless deployments are only supported in Elastic Serverless and Elastic Cloud environments. This functionality is in beta and is subject to change. Beta features are not subject to the support SLA of official GA features.

## Enabling the integration in Elastic

1. In Kibana go to **Management > Integrations**
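
Review bot: The new "Agentless Enabled Integration" section does not say which collection method works in agentless mode, while the Compatibility paragraph just above it still presents webhooks and API requests as equal options. The review thread on this PR states that the http_endpoint input is not supported in agentless, so the section should say that agentless deployments collect through API requests only. Also, the sentence starting "Agentless deployments are only supported" follows the previous paragraph with no blank line between them, so Markdown will render the two as a single paragraph; add a blank line if they are meant to be separate.
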
5 changes: 5 additions & 0 deletions packages/auth0/changelog.yml
@@ -1,4 +1,9 @@
# newer versions go on top
- version: "1.24.0"
changes:
- description: Enable Agentless deployment.
type: enhancement
link: https://github.com/elastic/integrations/pull/1
- version: "1.23.1"
changes:
- description: Remove duplicate security-solution-default tag references
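
Review bot: The `link` on the new 1.24.0 entry ends in `pull/1`, which reads as a placeholder rather than this PR's number; update it before merge so the changelog points at the actual change. The description also covers only "Enable Agentless deployment", while the same PR raises the Kibana constraint in manifest.yml from `^8.13.0` to `^8.18.0` and bumps `format_version`; a raised minimum version affects who can install 1.24.0 and deserves its own line here.
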
Expand Up @@ -7,6 +7,17 @@ processors:
- set:
field: auth0.logs.data
copy_from: json.data
- remove:
field:
- organization
- division
- team
Member

This should not be needed if the minimum kibana matches where elastic/kibana#230479 was applied.

Contributor Author

We need the minimum kibana version - 8.19.2 to fix elastic/kibana#230479.

Member

Why was the minimum version selected as ^8.18.0? I think we can safely move to at least 8.19.2, and drop this remove processor.

The 8.18 Elastic stack is unsupported / unmaintained. And it has been since 9.2 was released (Oct 23 2025) [1].

Footnotes

  1. https://www.elastic.co/support/eol

Contributor Author

Got it, thanks for the suggestions!

ignore_missing: true
if: ctx.organization instanceof String && ctx.division instanceof String && ctx.team instanceof String
tag: remove_agentless_tags
description: >-
Removes the fields added by Agentless as metadata,
as they can collide with ECS fields.
- date:
field: auth0.logs.data.date
formats:
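
Review bot: The `if` on the new `remove` processor joins the three `instanceof String` checks with `&&`, so a document that carries only one or two of `organization`, `division` and `team` as strings skips the processor and keeps the colliding value. Since `ignore_missing: true` is already set, consider one `remove` per field, each guarded by its own `instanceof String` check, so a string `organization` is dropped even when the other two are absent while an object-valued `organization` is left alone. If the thread's conclusion holds and the minimum Kibana moves to 8.19.2, the processor can be dropped instead, as suggested there.
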
2 changes: 0 additions & 2 deletions packages/auth0/data_stream/logs/manifest.yml
Expand Up @@ -4,7 +4,6 @@ streams:
- input: http_endpoint
title: Auth0 log events via Webhooks
description: Receives log events from Auth0 via Webhooks
enabled: false
Member

Why this change?

Contributor Author

This prevents a UI bug in serverless where having all available options disabled causes an issue. I'll create a separate issue for it and attach it here.

Member

So this is a workaround for a UI bug? There needs to be a UI bug issue (elastic/kibana) associated as well.

I think the reason both inputs are disabled is to make the user choose their ingestion method. Changing the enabled default value does affect how new users experience the onboarding flow, both in the UI and especially via the package_policy API.

Let's say you are an API user who was only configuring the CEL input in their requests. Then the http_endpoint becomes enabled by default in the integration package. The next time you try to reproduce an API request for auth0 you will get new behavior. They might not notice it in this case because there are no mandatory variables for the http_endpoint stream, but their agents will now have an HTTP server listening which is very surprising.

Or let's say, they were using the http_endpoint only. Now the CEL input becomes enabled by default. This is different from the earlier case because the CEL input does have two mandatory variables, client_id and client_secret, so now the package_policy API request that they used to make fails because they did not set the mandatory variables. This will be confusing because their request didn't ask for the CEL input at all.

All of this is to say that changing enabled can impact users.

If we must have a workaround and the requirement is to have an input enabled, then it should only enable the CEL input. The http_endpoint input is not supported in agentless. And ideally we should return the integration back to its original state (enabled=false) after Kibana addresses the UX issue.

Contributor

There is #18157 which looks related (though auth0 is not listed in that issue) and which links to elastic/kibana#260500.

template_path: http_endpoint.yml.hbs
vars:
- name: listen_address
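
Review bot: Removing `enabled: false` from the `http_endpoint` stream changes what a policy gets when it does not mention this stream, and per the thread on this line the result is an agent with an HTTP server listening that the user never asked for. An unrequested listener is extra exposed surface on the host, and the thread also notes this input is not supported in agentless, so keep `enabled: false` here and confine any workaround to the `cel` stream.
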
Expand Down Expand Up @@ -78,7 +77,6 @@ streams:
- input: cel
title: Auth0 log events via API requests
description: Collects log events from Auth0 via API requests.
enabled: false
Member

Kibana has addressed elastic/kibana#261788. Let's revert this change.

Contributor Author

Sure, let me check

Collaborator

@andrewkroh
The PR has been merged with the 9.5.0 label, and the backport has been skipped. As per the current schedule, this 9.5.0 is planned for the July release. Shall we proceed with the workaround until then, as reverting the changes may cause the issue in the current serverless setup?
Let me know your thoughts on this.

template_path: cel.yml.hbs
vars:
- name: url
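
Review bot: Nothing in the manifest or the changelog records that dropping `enabled: false` on the `cel` stream is a temporary workaround. The thread notes that `client_id` and `client_secret` are mandatory for this input, so existing package_policy API requests that only configure the webhook stream may start failing; add a changelog line describing the default change and a reference to the Kibana issue cited in the thread, so the revert to `enabled: false` is not forgotten once the fix ships.
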
5 changes: 5 additions & 0 deletions packages/auth0/docs/README.md
Expand Up @@ -4,8 +4,13 @@

## Compatibility

The package collects log events either sent via log stream webhooks, or by API request to the Auth0 v2 API.

Check warning on line 7 in packages/auth0/docs/README.md

GitHub Actions / Lint Documentation

Elastic.Latinisms: Latin terms and abbreviations are a common source of confusion. Use 'using' instead of 'via'.

## Agentless Enabled Integration

Agentless integrations allow you to collect data without having to manage Elastic Agent in your cloud. They make manual agent deployment unnecessary, so you can focus on your data instead of the agent that collects it. For more information, refer to [Agentless integrations](https://www.elastic.co/guide/en/serverless/current/security-agentless-integrations.html) and the [Agentless integrations FAQ](https://www.elastic.co/guide/en/serverless/current/agentless-integration-troubleshooting.html).
Agentless deployments are only supported in Elastic Serverless and Elastic Cloud environments. This functionality is in beta and is subject to change. Beta features are not subject to the support SLA of official GA features.

## Enabling the integration in Elastic

1. In Kibana go to **Management > Integrations**
14 changes: 11 additions & 3 deletions packages/auth0/manifest.yml
@@ -1,15 +1,15 @@
format_version: "3.0.2"
format_version: "3.3.2"
name: auth0
title: "Auth0"
version: "1.23.1"
version: "1.24.0"
description: Collect logs from Auth0 with Elastic Agent.
type: integration
categories:
- security
- iam
conditions:
kibana:
version: "^8.13.0 || ^9.0.0"
version: "^8.18.0 || ^9.0.0"
screenshots:
- src: /img/auth0-screenshot.png
title: Auth0 Dashboard
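
Review bot: The Kibana constraint becomes `^8.18.0 || ^9.0.0`, but the thread on the ingest pipeline says the fix for elastic/kibana#230479 needs 8.19.2, so the 8.x bound chosen here still admits versions that require the extra `remove` processor. The 9.x bound is left at `^9.0.0`; confirm which 9.x release carries the same fix and raise that bound to match, otherwise the processor cannot be dropped for 9.x either.
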
Expand All @@ -24,6 +24,14 @@ policy_templates:
- name: auth0_events
title: Auth0 log stream events
description: Collect Auth0 log streams events.
deployment_modes:
default:
enabled: true
agentless:
enabled: true
organization: security
division: engineering
team: security-service-integrations
inputs:
- type: http_endpoint
title: Collect Auth0 log streams events via Webhooks
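
Review bot: `agentless.enabled: true` is set on the whole `auth0_events` policy template, and the `inputs` list directly below still starts with `http_endpoint`, which the thread on the data stream manifest says is not supported in agentless. Nothing visible in this hunk limits that input to the `default` deployment mode, so either restrict it there or confirm how an agentless policy is prevented from selecting it.
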