[ti_recordedfuture] Add Support for Playbook and Triggered Alerts (elastic#13494)

This adds support for the Playbook and Triggered Alerts event type as two new data streams to
enhance the overall visibility of threat data in the Recorded Future integration.

This changes also includes updating ecs version to 8.17.0 in all existing data streams.

Sanitized test case inputs were obtained from the Recorded Future API for Playbook Alerts[1]
and from the Recorded Future Connect API for Triggered Alerts[2].

[1] https://api.recordedfuture.com/playbook-alert
[2] https://api.recordedfuture.com/v2/#!/Alerts/Alert_Notification_Search

Author: mohitjha-elastic

packages/ti_recordedfuture/_dev/build/build.yml

@@ -1,3 +1,3 @@
 dependencies:
   ecs:
-    reference: "git@v8.11.0"
+    reference: "git@v8.17.0"

packages/ti_recordedfuture/_dev/build/docs/README.md

@@ -10,15 +10,52 @@ from multiple entities, it's necessary to define one integration for each.
 Alternatively, it's also possible to use the integration to fetch custom Fusion files
 by supplying the URL to the CSV file as the _Custom_ _URL_ configuration option.
 
+It also fetches [Playbook Alerts](https://api.recordedfuture.com/playbook-alert) from the Recorded Future API, and [Triggered Alerts](https://api.recordedfuture.com/v2/#!/Alerts/Alert_Notification_Search) via the Recorded Future Connect API, ensuring comprehensive threat intelligence coverage.
+This allows for streamlined alert management and improved security monitoring.
+By accessing both alert types, it provides deeper insights into potential threats.
+
 ### Expiration of Indicators of Compromise (IOCs)
 The ingested IOCs expire after certain duration. An [Elastic Transform](https://www.elastic.co/guide/en/elasticsearch/reference/current/transforms.html) is created to faciliate only active IOCs be available to the end users. This transform creates a destination index named `logs-ti_recordedfuture_latest.threat-1` which only contains active and unexpired IOCs. The destination index also has an alias `logs-ti_recordedfuture_latest.threat`. When setting up indicator match rules, use this latest destination index to avoid false positives from expired IOCs. Please read [ILM Policy](#ilm-policy) below which is added to avoid unbounded growth on source `.ds-logs-ti_recordedfuture.threat-*` indices.
 
 ### ILM Policy
-To facilitate IOC expiration, source datastream-backed indices `.ds-logs-ti_recordedfuture.threat-*` are allowed to contain duplicates from each polling interval. ILM policy is added to these source indices so it doesn't lead to unbounded growth. This means data in these source indices will be deleted after `5 days` from ingested date. 
-
+To facilitate IOC expiration, source datastream-backed indices `.ds-logs-ti_recordedfuture.threat-*` are allowed to contain duplicates from each polling interval. ILM policy is added to these source indices so it doesn't lead to unbounded growth. This means data in these source indices will be deleted after `5 days` from ingested date.
 
 **NOTE:** For large risklist downloads, adjust the timeout setting so that the Agent has enough time to download and process the risklist.
 
+## Agentless Enabled Integration
+
+Agentless integrations allow you to collect data without having to manage Elastic Agent in your cloud. They make manual agent deployment unnecessary, so you can focus on your data instead of the agent that collects it. For more information, refer to [Agentless integrations](https://www.elastic.co/guide/en/serverless/current/security-agentless-integrations.html) and the [Agentless integrations FAQ](https://www.elastic.co/guide/en/serverless/current/agentless-integration-troubleshooting.html).
+
+Agentless deployments are only supported in Elastic Serverless and Elastic Cloud environments.  This functionality is in beta and is subject to change. Beta features are not subject to the support SLA of official GA features.
+
+## Logs reference
+
+### threat
+
+This is the `threat` dataset.
+
+#### Example
+
 {{event "threat"}}
 
 {{fields "threat"}}
+
+### triggered_alert
+
+This is the `triggered_alert` dataset.
+
+#### Example
+
+{{event "triggered_alert"}}
+
+{{fields "triggered_alert"}}
+
+### playbook_alert
+
+This is the `playbook_alert` dataset.
+
+#### Example
+
+{{event "playbook_alert"}}
+
+{{fields "playbook_alert"}}

packages/ti_recordedfuture/_dev/deploy/docker/docker-compose.yml

@@ -30,3 +30,16 @@ services:
       - ./sample_logs:/sample_logs:ro
       - ${SERVICE_LOGS_DIR}:/var/log
     command: /bin/sh -c "cp /sample_logs/* /var/log/"
+  recordedfuture-cel:
+    image: docker.elastic.co/observability/stream:v0.17.1
+    hostname: recordedfuture
+    ports:
+      - 8090
+    volumes:
+      - ./files:/files:ro
+    environment:
+      PORT: '8090'
+    command:
+      - http-server
+      - --addr=:8090
+      - --config=/files/config-cel.yml