Remote Agent Security
General:
- All data from Chronicle SOAR to the Publisher and to the agent is encrypted.
- Data is signed by the agent
- All agents have a unique app key, and the Publisher has an allow list of agents that can communicate with it. No other agent can communicate with the Publisher.
- All communication is one-directional. Chronicle SOAR and the Agents expose no inbound port, so the Publisher cannot initiate communication; it only responds when it is polled by Chronicle SOAR or by an Agent.
- All data is deleted from the Publisher after a configurable period of time (3 days by default).
- Customers are advised to protect the publisher as they protect any other web server.
- Penetration testing has been performed on both the Publisher and the Agent.
Collecting tasks from an agent:
- The Chronicle SOAR server publishes remote tasks and pushes them to the Publisher.
- Agent polls for new tasks and collects the new task from the publisher.
- The agent collects the new task's data and pushes it to the Publisher.
- The Chronicle SOAR server polls the Publisher for new data and pulls the new task data into Chronicle SOAR.
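The following Go program is an added model of the Publisher's role in the flow above; it is not the product's code, and every type, method and field name in it is an assumption made for illustration. It shows the three properties the General section states: only allow-listed agents (identified by their unique app key) can push or poll, each task or result is handed out once and then removed, and anything left on the Publisher longer than the retention period (3 days by default) is deleted. The Publisher never inspects the payloads it stores.

```go
package main

import (
	"crypto/subtle"
	"errors"
	"fmt"
	"time"
)

// Envelope is an opaque, already-encrypted payload. The Publisher never
// reads its contents; it only stores it until the next poller collects it.
type Envelope struct {
	JobID    string
	Payload  []byte
	StoredAt time.Time
}

// Publisher models the relay described above (hypothetical structure).
type Publisher struct {
	allowList map[string][]byte     // agent ID -> that agent's unique app key
	tasks     map[string][]Envelope // agent ID -> tasks pushed by SOAR, not yet polled
	results   []Envelope            // data pushed by agents, not yet polled by SOAR
	retention time.Duration         // data older than this is deleted
}

// DefaultRetention is the page's stated default of 3 days.
const DefaultRetention = 72 * time.Hour

var ErrNotAllowed = errors.New("publisher: agent not on allow list")

func NewPublisher(allowList map[string][]byte, retention time.Duration) *Publisher {
	return &Publisher{allowList: allowList, tasks: map[string][]Envelope{}, retention: retention}
}

// authorize accepts a call only if the agent is on the allow list and presents
// its app key; the comparison is constant-time so timing does not leak the key.
func (p *Publisher) authorize(agentID string, appKey []byte) bool {
	want, ok := p.allowList[agentID]
	return ok && subtle.ConstantTimeCompare(want, appKey) == 1
}

// PushTask is what Chronicle SOAR calls to leave a task for one agent.
func (p *Publisher) PushTask(agentID, jobID string, payload []byte, now time.Time) error {
	if _, ok := p.allowList[agentID]; !ok {
		return ErrNotAllowed // tasks can only be addressed to known agents
	}
	p.tasks[agentID] = append(p.tasks[agentID], Envelope{jobID, payload, now})
	return nil
}

// PollTasks is what an agent calls on each polling cycle. Delivered tasks are
// removed from the Publisher, so each task is handed out exactly once.
func (p *Publisher) PollTasks(agentID string, appKey []byte) ([]Envelope, error) {
	if !p.authorize(agentID, appKey) {
		return nil, ErrNotAllowed
	}
	out := p.tasks[agentID]
	delete(p.tasks, agentID)
	return out, nil
}

// PushResult is what an agent calls with the encrypted, signed task data.
func (p *Publisher) PushResult(agentID string, appKey []byte, jobID string, payload []byte, now time.Time) error {
	if !p.authorize(agentID, appKey) {
		return ErrNotAllowed
	}
	p.results = append(p.results, Envelope{jobID, payload, now})
	return nil
}

// PollResults is what Chronicle SOAR calls; collected results are removed.
func (p *Publisher) PollResults() []Envelope {
	out := p.results
	p.results = nil
	return out
}

// Purge deletes anything that has sat on the Publisher longer than the
// retention period, collected or not, and returns how many items were removed.
func (p *Publisher) Purge(now time.Time) int {
	n := 0
	keep := func(in []Envelope) []Envelope {
		var out []Envelope
		for _, e := range in {
			if now.Sub(e.StoredAt) > p.retention {
				n++
				continue
			}
			out = append(out, e)
		}
		return out
	}
	for id, q := range p.tasks {
		p.tasks[id] = keep(q)
	}
	p.results = keep(p.results)
	return n
}

func main() {
	// Constructed sample: one allow-listed agent and one task for it.
	key := []byte("constructed-app-key")
	pub := NewPublisher(map[string][]byte{"agent-1": key}, DefaultRetention)
	t0 := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)
	_ = pub.PushTask("agent-1", "job-1", []byte("ciphertext"), t0)
	_, err := pub.PollTasks("agent-1", []byte("wrong-key"))
	fmt.Println("poll with wrong app key:", err)
	tasks, _ := pub.PollTasks("agent-1", key)
	fmt.Println("tasks delivered:", len(tasks))
}
```

In a real deployment the app key would be presented over TLS and the retention sweep would run on a timer; the model keeps the clock explicit so the retention rule can be checked deterministically.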
Encryption flow:
The symmetric key is generated for each job.
Chronicle SOAR holds the private key and the Agent holds the public key. The Publisher has no key and only relays encrypted data it cannot read.
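The envelope scheme the two sentences above describe, as an added Go example that is not the product's implementation: the agent generates a fresh symmetric key for the job, encrypts the task data with it, wraps that key to Chronicle SOAR's public key, and signs the whole envelope with its own key; Chronicle SOAR verifies the agent's signature before unwrapping the key with its private key and decrypting. The choice of AES-256-GCM, RSA-OAEP and Ed25519, the envelope layout, and the function names are assumptions made for this illustration. The Publisher only ever handles the `JobEnvelope` struct, which contains nothing it could decrypt.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// JobEnvelope is what crosses the Publisher for one job. Every field is
// ciphertext, a nonce, or a signature, so the relay cannot read task data.
type JobEnvelope struct {
	JobID      string
	WrappedKey []byte // per-job AES key, RSA-OAEP encrypted to SOAR's public key
	Nonce      []byte
	Ciphertext []byte // task data under AES-256-GCM with the per-job key
	Signature  []byte // agent's Ed25519 signature over the fields above
}

// signedBytes hashes the envelope fields with length prefixes so that the
// signature binds each field unambiguously.
func (e *JobEnvelope) signedBytes() []byte {
	h := sha256.New()
	for _, f := range [][]byte{[]byte(e.JobID), e.WrappedKey, e.Nonce, e.Ciphertext} {
		binary.Write(h, binary.BigEndian, uint32(len(f)))
		h.Write(f)
	}
	return h.Sum(nil)
}

const wrapLabel = "job-key" // OAEP label, hypothetical domain separator

// GenerateKeys produces SOAR's RSA key pair and an agent's Ed25519 key pair
// (constructed for the example; real keys come from provisioning).
func GenerateKeys() (*rsa.PrivateKey, ed25519.PublicKey, ed25519.PrivateKey, error) {
	soarPriv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, nil, err
	}
	agentPub, agentPriv, err := ed25519.GenerateKey(rand.Reader)
	return soarPriv, agentPub, agentPriv, err
}

// Seal is the agent side: fresh symmetric key for this job, encrypt the data,
// wrap the key to SOAR's public key, then sign the envelope.
func Seal(jobID string, data []byte, soarPub *rsa.PublicKey, agentPriv ed25519.PrivateKey) (*JobEnvelope, error) {
	key := make([]byte, 32) // one key per job, never reused
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, data, []byte(jobID)) // job ID bound as associated data
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, soarPub, key, []byte(wrapLabel))
	if err != nil {
		return nil, err
	}
	env := &JobEnvelope{JobID: jobID, WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}
	env.Signature = ed25519.Sign(agentPriv, env.signedBytes())
	return env, nil
}

// Open is the Chronicle SOAR side: verify the agent's signature first, then
// unwrap the job key with the private key and decrypt the task data.
func Open(env *JobEnvelope, agentPub ed25519.PublicKey, soarPriv *rsa.PrivateKey) ([]byte, error) {
	if !ed25519.Verify(agentPub, env.signedBytes(), env.Signature) {
		return nil, errors.New("envelope rejected: bad signature (tampered or not from this agent)")
	}
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, soarPriv, env.WrappedKey, []byte(wrapLabel))
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, []byte(env.JobID))
}

func main() {
	soarPriv, agentPub, agentPriv, err := GenerateKeys()
	if err != nil {
		panic(err)
	}
	env, err := Seal("job-7", []byte("constructed task result"), &soarPriv.PublicKey, agentPriv)
	if err != nil {
		panic(err)
	}
	plain, err := Open(env, agentPub, soarPriv)
	fmt.Printf("decrypted: %q err=%v\n", plain, err)
}
```

Verifying the signature before touching the private key means a forged or tampered envelope is dropped without any decryption work, and the per-job key means compromise of one job's key exposes nothing else.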
Jobs polling:
The Remote Agent polls every 5 seconds to collect all pending jobs.
The job details are removed after execution.