Description
Type of issue
None
What documentation page is affected
https://www.elastic.co/docs/solutions/security/get-started/ingest-data-to-elastic-security
What happened?
Suggestion: Update data ingestion section to reflect Elastic Agent-first approach
Description
The "Install Beats shippers" section in the Elastic Security documentation currently states:
"To add hosts and populate Elastic Security with network security events, you need to install and configure Beats on the hosts from which you want to ingest security events"
This phrasing suggests that standalone Beats installation is the primary (or only) method for collecting network security events and other telemetry. However, the recommended approach is now Elastic Agent with integrations, which provides equivalent functionality with the added benefits of Fleet management.
Suggestion
Consider updating this section to lead with the Elastic Agent + Integrations approach, with standalone Beats mentioned as an alternative for specific use cases. For example:
- Network Packet Capture integration → network traffic analysis
- Windows integration → Windows event logs
- Auditd integration → Linux audit events
- Custom Logs integration → log forwarding
Why this matters
Customers new to Elastic Security may follow the current guidance and deploy standalone Beats, missing out on the centralised management and simpler deployment that Fleet and Elastic Agent provide. Aligning the docs with the Agent-first approach would help guide users toward the recommended architecture.
Location
https://www.elastic.co/docs/solutions/security/get-started/ingest-data-to-elastic-security
(Under the "Install Beats shippers" section)
Additional info
No response