Remote Agents Overview
The Remote Agents module provides a secure way to connect a local Chronicle SOAR instance to remote sites. This gives MSSPs and enterprise Security Operations Centers the following capabilities:
- Execute actions and playbooks on remote sites directly from Chronicle SOAR
- Pull alerts and security data from remote sites with remote connectors
- Connect to separate networks to pull data for incident response purposes
The Remote Agents infrastructure consists of three main components:
Chronicle SOAR Platform
A deployment of the Chronicle SOAR platform, which consolidates all security alerts in one place and orchestrates security and network products with automated workflows.
Chronicle SOAR Publisher
A proxy component that receives and holds tasks from the Chronicle SOAR Platform, is polled for new tasks by the Remote Agents, receives new alerts and data from the Remote Agents, and sends them back to Chronicle SOAR on request.
This component supports one-sided communication only: it cannot initiate any communication. It only receives new commands from Chronicle SOAR and new alerts from the Remote Agents, and, on request, hands new commands to the Remote Agents and new alerts to Chronicle SOAR.
Chronicle SOAR Agent
A remote agent deployed on the remote site. The agent pulls new tasks from the Publisher, executes them locally (on the remote/separate network) and updates the Publisher with the results.
The agent is easily deployed, so both enterprise and MSSP end customers can deploy it themselves.
The agent can initiate communication with the Publisher to get new commands and to send new alerts and data.
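The three-component flow above is easier to reason about when the request direction is made explicit in code. The following simulation is an added example written for this page; it is not Chronicle SOAR code and does not reproduce the product's API. It models the Publisher as a passive broker that only answers requests (the platform submits tasks and asks for alerts; the agent polls for tasks, reports results and pushes alerts), and it assumes per-site task queues and a fixed set of locally allowed actions on the agent, both of which are assumptions of the simulation. Names such as `Publisher`, `Agent`, `submit_task` and `poll_task` are hypothetical.

```python
# Constructed simulation of the Remote Agents message flow (not Chronicle SOAR code).
# Assumptions: tasks are addressed to a named site, each site runs one agent,
# and the Publisher has no method that reaches out to either side.
from collections import deque
from dataclasses import dataclass
from itertools import count
from typing import Callable, Dict, List, Optional


@dataclass
class Task:
    task_id: int
    site: str
    action: str
    status: str = "pending"      # pending -> running -> done
    result: Optional[str] = None


class Publisher:
    """Passive proxy: stores tasks and alerts and answers requests only."""

    def __init__(self) -> None:
        self._queues: Dict[str, deque] = {}   # per-site task queues (assumed isolation)
        self._tasks: Dict[int, Task] = {}
        self._alerts: deque = deque()
        self._ids = count(1)

    # --- requests made by the SOAR platform ---
    def submit_task(self, site: str, action: str) -> int:
        task = Task(next(self._ids), site, action)
        self._queues.setdefault(site, deque()).append(task)
        self._tasks[task.task_id] = task
        return task.task_id

    def task_status(self, task_id: int) -> Task:
        return self._tasks[task_id]

    def fetch_alerts(self) -> List[dict]:
        """Hand over buffered alerts; the platform must ask, the Publisher never pushes."""
        alerts = list(self._alerts)
        self._alerts.clear()
        return alerts

    # --- requests made by a remote agent ---
    def poll_task(self, site: str) -> Optional[Task]:
        queue = self._queues.get(site)
        if not queue:
            return None
        task = queue.popleft()
        task.status = "running"
        return task

    def report_result(self, task_id: int, result: str) -> None:
        task = self._tasks[task_id]
        task.status = "done"
        task.result = result

    def push_alert(self, site: str, alert: dict) -> None:
        self._alerts.append({"site": site, **alert})


class Agent:
    """Runs on the remote site; every exchange is initiated by the agent."""

    def __init__(self, site: str, publisher: Publisher,
                 actions: Dict[str, Callable[[], str]]) -> None:
        self.site = site
        self.publisher = publisher
        self.actions = actions   # actions this agent is allowed to run locally

    def poll_once(self) -> bool:
        """Fetch one task, run it locally, report the outcome. Returns False when idle."""
        task = self.publisher.poll_task(self.site)
        if task is None:
            return False
        handler = self.actions.get(task.action)
        # An action the agent does not know is refused locally rather than guessed at.
        result = handler() if handler else f"rejected: unknown action {task.action!r}"
        self.publisher.report_result(task.task_id, result)
        return True

    def forward_alerts(self, alerts: List[dict]) -> None:
        for alert in alerts:
            self.publisher.push_alert(self.site, alert)


def run_demo() -> dict:
    pub = Publisher()
    # Constructed local actions for the demo sites.
    site_a = Agent("site-a", pub, {"ping_firewall": lambda: "firewall reachable"})
    site_b = Agent("site-b", pub, {})

    ok_id = pub.submit_task("site-a", "ping_firewall")
    bad_id = pub.submit_task("site-a", "reboot_host")

    # site-b's agent polls first but sees nothing: tasks are scoped to their site.
    b_got_work = site_b.poll_once()
    while site_a.poll_once():
        pass
    site_a.forward_alerts([{"name": "suspicious login", "severity": "medium"}])  # constructed alert

    return {
        "site_b_got_work": b_got_work,
        "ok": pub.task_status(ok_id).result,
        "bad": pub.task_status(bad_id).result,
        "alerts": pub.fetch_alerts(),
        "alerts_after_fetch": pub.fetch_alerts(),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Running `run_demo()` shows the two properties the page describes: the Publisher holds work until each side asks for it (the second `fetch_alerts` call returns nothing because the first one drained the buffer), and the agent is the only party that opens a connection, so the remote site needs no inbound rule for the Publisher or the platform.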