The Remote Agents module provides a secure way to connect a local Chronicle SOAR instance to remote sites. This provides MSSP and enterprise Security Operations Centers with a variety of capabilities:

  • Execute actions and playbooks on remote sites directly from Chronicle SOAR
  • Pulling alerts and security data from remote sites with remote connectors
  • Connect to separate networks to pull data for incident response purposes

The Remote Agents infrastructure consists of 3 main components:

Chronicle SOAR Platform
Deployment of Chronicle SOAR platform to consolidate all security alerts in one place, and orchestrate security and network products with automated workflows.

Chronicle SOAR Publisher
A proxy component that receives and holds tasks from Chronicle SOAR Platform, is polled for new tasks by the Remote Agents, gets new alerts and data from the Remote Agents and sends it back to Chronicle SOAR upon request.
This component enables one sided communication only, It cannot initiate any communication, only gets new commands from Chronicle SOAR / gets new alerts from the Remote Agent, and per request, send new commands to the Remote Agents and new alerts to Chronicle SOAR.

Chronicle SOAR Agent
A remote agent deployed on the remote site. The agent pulls new tasks from the Publisher, executes locally (on the remote\separate network) and updates the Publisher with the results.
The agent is easily deployed and allows both enterprise and MSSP end customers to deploy it by themselves.
The agent can initiate communication with the Publisher to get new commands and to send new alerts and data.