Remote Agents
The Remote Agents module provides a secure way to connect a local Chronicle SOAR instance to remote sites. This provides MSSP and enterprise security operations centers with a variety of capabilities:
- Executing actions and playbooks on remote sites directly from Siemplify
- Pulling alerts and security data from remote sites with remote connectors
- Connecting to separate networks to pull data for incident response purposes
The Remote Agents infrastructure consists of three main components:
Chronicle SOAR Platform
Deployment of the Siemplify platform to consolidate all security alerts in one place and to orchestrate security and network products with automated workflows.
Chronicle SOAR Publisher
A proxy component that receives and holds commands from the Chronicle SOAR Platform. The Publisher accepts only incoming communication, from the Platform and from the Agents, and is used to transfer data securely without any direct access to the remote site.
Chronicle SOAR Agent
A lightweight agent deployed on the remote site. The agent pulls new tasks from the Publisher, executes them locally (on the remote/separate network) and updates the Publisher with the results. The agent is easily distributed, which allows MSSP end customers to deploy it themselves. The agent uses only outgoing communication to the Publisher.
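As an added illustration of the call direction in this design (this is not Chronicle SOAR's own code; the Publisher and Agent classes, their method names and the "ping_host" action are constructed), the following model shows that both the Platform and the Agent call into the Publisher, while nothing ever connects into the remote site.

```python
# Constructed model of the Remote Agents flow described above. It is not
# Chronicle SOAR's real API or wire format; class and method names are made up.

class Publisher:
    """Holds commands; accepts calls from Platform and Agent, never calls out."""

    def __init__(self):
        self._queues = {}    # agent_id -> list of pending (task_id, action)
        self._results = {}   # task_id -> result, None while pending

    def submit(self, agent_id, action):          # Platform side
        task_id = len(self._results) + 1
        self._queues.setdefault(agent_id, []).append((task_id, action))
        self._results[task_id] = None
        return task_id

    def pull(self, agent_id):                    # Agent side, outbound from site
        queue = self._queues.get(agent_id)
        return queue.pop(0) if queue else None

    def report(self, task_id, result):           # Agent side, outbound from site
        self._results[task_id] = result

    def result(self, task_id):                   # Platform side
        return self._results[task_id]

class Agent:
    """Runs on the remote site; every interaction is a request it initiates."""

    def __init__(self, agent_id, publisher, handlers):
        self.agent_id, self.publisher, self.handlers = agent_id, publisher, handlers

    def poll_once(self):
        task = self.publisher.pull(self.agent_id)            # outbound request
        if task is None:
            return False                                     # nothing queued
        task_id, action = task
        handler = self.handlers.get(action)                  # executes locally
        result = handler() if handler else f"unsupported action: {action}"
        self.publisher.report(task_id, result)               # outbound request
        return True

def run_demo():
    """Platform queues a command, the agent pulls and runs it, platform reads."""
    publisher = Publisher()
    agent = Agent("site-a", publisher, {"ping_host": lambda: "host reachable"})
    task_id = publisher.submit("site-a", "ping_host")
    before = publisher.result(task_id)   # still None: nothing runs until the pull
    agent.poll_once()
    return before, publisher.result(task_id)
```

Because each agent only ever pops its own queue, a command queued for one site is never visible to an agent at another site, and the remote network needs no inbound firewall rule at all.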