feat: add Agentless Hello World integration

.github/CODEOWNERS

@@ -13,6 +13,7 @@
 /packages/abnormal_security @elastic/security-service-integrations
 /packages/activemq @elastic/obs-infraobs-integrations
 /packages/admin_by_request_epm @elastic/security-service-integrations
+/packages/agentless_hello_world @elastic/agentless-team
 /packages/airflow @elastic/obs-infraobs-integrations
 /packages/airlock_digital @elastic/security-service-integrations
 /packages/akamai @elastic/security-service-integrations

packages/agentless_hello_world/_dev/build/build.yml

@@ -0,0 +1,3 @@
+dependencies:
+  ecs:
+    reference: [email protected]

packages/agentless_hello_world/changelog.yml

@@ -0,0 +1,5 @@
+- version: "0.1.0"
+  changes:
+    - description: Initial release.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/15729

packages/agentless_hello_world/data_stream/generic/agent/stream/cel.yml.hbs

@@ -0,0 +1,36 @@
+config_version: 2
+interval: 1m
+resource.url: https://epr.elastic.co
+program: |
+  request("GET", "https://epr.elastic.co")
+    .do_request()
+    .as(resp, resp.StatusCode == 200 ?
+      {
+        "events": [{
+          "message": {
+            "state": "ok",
+            "result": bytes(resp.Body).decode_json()
+          }.encode_json()
+        }]
+      }
+    :
+      {
+        "events": [{
+          "message": {
+            "state": "error",
+            "error": {
+              "code": string(resp.StatusCode),
+              "message": "GET: https://epr.elastic.co - " + (
+                size(resp.Body) != 0 ?
+                  string(resp.Body)
+                :
+                  string(resp.Status) + " (" + string(resp.StatusCode) + ")"
+              )
+            }
+          }.encode_json()
+        }]
+      }
+    )
+tags:
+  - agentless-hello-world
+publisher_pipeline.disable_host: true

packages/agentless_hello_world/data_stream/generic/elasticsearch/ingest_pipeline/default.yml

@@ -0,0 +1,72 @@
+---
+description: Pipeline for processing Agentless Hello World generic logs.
+processors:
+  - set:
+      field: ecs.version
+      value: '8.11.0'
+  - rename:
+      field: message
+      target_field: event.original
+      ignore_missing: true
+      if: ctx.event?.original == null
+  - json:
+      field: event.original
+      target_field: json
+      ignore_failure: true
+  - rename:
+      field: json.state
+      target_field: agentless_hello_world.generic.state
+      ignore_missing: true
+  - rename:
+      field: json.result
+      target_field: agentless_hello_world.generic.result
+      ignore_missing: true
+  - set:
+      field: event.kind
+      value: event
+  - set:
+      field: event.type
+      value: [info]
+  - set:
+      field: event.category
+      value: [web]
+  - remove:
+      field: json
+      ignore_missing: true
+  - remove:
+      field: message
+      if: ctx.event?.original != null
+      ignore_missing: true
+  - remove:
+      field: event.original
+      if: ctx.tags == null || !(ctx.tags.contains('preserve_original_event'))
+      ignore_failure: true
+      ignore_missing: true
+  - script:
+      lang: painless
+      description: This script processor iterates over the whole document to remove fields with null values.
+      source: |
+        void handleMap(Map map) {
+          for (def x : map.values()) {
+            if (x instanceof Map) {
+                handleMap(x);
+            } else if (x instanceof List) {
+                handleList(x);
+            }
+          }
+          map.values().removeIf(v -> v == null);
+        }
+        void handleList(List list) {
+          for (def x : list) {
+              if (x instanceof Map) {
+                  handleMap(x);
+              } else if (x instanceof List) {
+                  handleList(x);
+              }
+          }
+        }
+        handleMap(ctx);
+on_failure:
+  - set:
+      field: error.message
+      value: '{{ _ingest.on_failure_message }}'

packages/agentless_hello_world/data_stream/generic/fields/base-fields.yml

@@ -0,0 +1,20 @@
+- name: data_stream.type
+  type: constant_keyword
+  description: Data stream type.
+- name: data_stream.dataset
+  type: constant_keyword
+  description: Data stream dataset.
+- name: data_stream.namespace
+  type: constant_keyword
+  description: Data stream namespace.
+- name: event.module
+  type: constant_keyword
+  description: Event module
+  value: agentless_hello_world
+- name: event.dataset
+  type: constant_keyword
+  description: Event dataset
+  value: agentless_hello_world.generic
+- name: '@timestamp'
+  type: date
+  description: Event timestamp.

packages/agentless_hello_world/data_stream/generic/fields/fields.yml

@@ -0,0 +1,10 @@
+- name: agentless_hello_world.generic
+  type: group
+  fields:
+    - name: state
+      type: keyword
+      description: State of the request (always "ok").
+    - name: result
+      type: object
+      object_type: keyword
+      description: The JSON response from the EPR endpoint.

packages/agentless_hello_world/data_stream/generic/manifest.yml

@@ -0,0 +1,7 @@
+title: Generic logs
+type: logs
+streams:
+  - input: cel
+    title: Generic logs
+    description: Collect generic logs from EPR endpoint.
+    template_path: cel.yml.hbs

packages/agentless_hello_world/data_stream/generic/sample_event.json

@@ -0,0 +1,4 @@
+{
+    "message": "{\"state\":\"ok\",\"result\":{\"service\":\"package-registry\",\"version\":\"1.0.0\"}}",
+    "@timestamp": "2025-10-22T12:00:00.000Z"
+}

packages/agentless_hello_world/docs/README.md

@@ -0,0 +1,55 @@
+# Agentless Hello World
+
+This is a sample integration designed to exercise the Agentless infrastructure. It periodically fetches data from `https://epr.elastic.co` every minute to demonstrate basic agentless functionality.
+
+## Overview
+
+The Agentless Hello World integration is a minimal example that:
+- Fetches data from the Elastic Package Registry (EPR) endpoint
+- Runs every 1 minute
+- Requires no user configuration
+
+## Configuration
+
+This integration requires no configuration from the user. All settings are pre-configured:
+- **Endpoint**: `https://epr.elastic.co`
+- **Interval**: 1 minute
+- **Deployment mode**: Agentless by default
+
+## Data Collection
+
+The integration makes HTTP GET requests to `https://epr.elastic.co` and stores:
+- **state**: Always set to "ok" for successful requests
+- **result**: The JSON response body from the EPR endpoint
+
+## Requirements
+
+### Agentless-enabled integration
+
+Agentless integrations allow you to collect data without having to manage Elastic Agent in your cloud. They make manual agent deployment unnecessary, so you can focus on your data instead of the agent that collects it. For more information, refer to [Agentless integrations](https://www.elastic.co/guide/en/serverless/current/security-agentless-integrations.html) and the [Agentless integrations FAQ](https://www.elastic.co/guide/en/serverless/current/agentless-integration-troubleshooting.html).
+
+Agentless deployments are only supported in Elastic Serverless and Elastic Cloud environments. This functionality is in beta and is subject to change. Beta features are not subject to the support SLA of official GA features.
+
+## Logs
+
+### Generic
+
+The generic data stream collects responses from the EPR endpoint.
+
+**ECS Field Reference**
+
+Please refer to the following document for detailed information on ECS fields:
+- [Elastic Common Schema](https://www.elastic.co/guide/en/ecs/current/ecs-field-reference.html)
+
+**Exported fields**
+
+| Field | Description | Type |
+|---|---|---|
+| @timestamp | Event timestamp. | date |
+| agentless_hello_world.generic.result | The JSON response from the EPR endpoint. | object |
+| agentless_hello_world.generic.state | State of the request (always "ok"). | keyword |
+| data_stream.dataset | Data stream dataset. | constant_keyword |
+| data_stream.namespace | Data stream namespace. | constant_keyword |
+| data_stream.type | Data stream type. | constant_keyword |
+| event.dataset | Event dataset | constant_keyword |
+| event.module | Event module | constant_keyword |

packages/agentless_hello_world/manifest.yml

@@ -0,0 +1,39 @@
+format_version: 3.3.2
+name: agentless_hello_world
+title: Agentless Hello World
+version: "0.1.0"
+description: A sample integration to exercise the Agentless infrastructure by fetching https://epr.elastic.co every minute.
+type: integration
+categories:
+  - observability
+conditions:
+  kibana:
+    version: "^8.18.0 || ^9.0.0"
+  elastic:
+    subscription: "basic"
+icons:
+  - src: /img/icon.svg
+    title: Agentless Hello World
+    size: 32x32
+    type: image/svg+xml
+policy_templates:
+  - name: agentless_hello_world
+    title: Agentless Hello World
+    description: Collect data from EPR endpoint every minute.
+    deployment_modes:
+      default:
+        enabled: true
+      agentless:
+        enabled: true
+        is_default: true
+        organization: observability
+        division: engineering
+        team: agentless-team
+    inputs:
+      - type: cel
+        title: Collect data from EPR endpoint
+        description: Fetches https://epr.elastic.co every minute.
+        vars: []
+owner:
+  github: elastic/agentless-team
+  type: elastic