The Remote Agents module provides a secure way to connect a local Chronicle SOAR instance to remote sites. This provides MSSP and enterprise security operations centers with a variety of capabilities:

  • Executing actions and playbooks on remote sites directly from Siemplify
  • Pulling alerts and security data from remote sites with remote connectors
  • Connecting to separate networks to pull data for incident response purposes

The Remote Agents infrastructure consists of 3 main components:

Chronicle SOAR Platform
A deployment of the Siemplify platform that consolidates all security alerts in one place and orchestrates security and network products with automated workflows.

Chronicle SOAR Publisher
A proxy component that receives and holds commands from the Chronicle SOAR Platform. The Publisher accepts only incoming communication from the Platform and the Agents. It is used to transfer data securely without any direct access to the remote site.

Chronicle SOAR Agent
A lightweight agent deployed on the remote site. The Agent pulls new tasks from the Publisher, executes them locally (on the remote/separate network) and updates the Publisher with the results.
The Agent is easily distributed, which allows MSSP end customers to deploy it themselves.
The Agent uses only outgoing communication to the Publisher.
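
The communication directions described above can be checked against observed traffic. The following is an added example, not Chronicle SOAR code: it audits a list of connections against the flow model (Platform to Publisher, Agent to Publisher, nothing else between the three components). The host names, the role inventory and the connection records are constructed for illustration.

```python
# Added example: audit observed connections against the Remote Agents flow model.
# Host names, roles and connection records below are constructed sample data.

# (initiator role, responder role) pairs permitted by the component descriptions.
ALLOWED_FLOWS = {("platform", "publisher"), ("agent", "publisher")}

# Constructed inventory mapping each host to its component role.
ROLES = {
    "soar.corp.example": "platform",
    "publisher.dmz.example": "publisher",
    "agent01.site-a.example": "agent",
}

# Constructed connection log: (initiator host, responder host).
CONNECTIONS = [
    ("soar.corp.example", "publisher.dmz.example"),
    ("agent01.site-a.example", "publisher.dmz.example"),
    ("publisher.dmz.example", "agent01.site-a.example"),
    ("soar.corp.example", "agent01.site-a.example"),
    ("agent01.site-a.example", "edr.site-a.example"),
]

def audit(connections, roles=ROLES):
    """Return (initiator, responder, reason) for each flow that breaks the model."""
    findings = []
    for src, dst in connections:
        s, d = roles.get(src), roles.get(dst)
        # Only flows between two known components are in scope; an Agent
        # reaching local tools on the remote site is expected and skipped.
        if s is None or d is None or (s, d) in ALLOWED_FLOWS:
            continue
        if s == "publisher":
            reason = "Publisher initiated a connection; it only accepts incoming ones"
        elif d == "agent":
            reason = "inbound connection to an Agent; Agents only connect outward"
        else:
            reason = "flow bypasses the Publisher"
        findings.append((src, dst, reason))
    return findings

if __name__ == "__main__":
    for src, dst, reason in audit(CONNECTIONS):
        print(f"{src} -> {dst}: {reason}")
```
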