Communication - Administrator Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR Pro Administrator Guide

Product
Cortex XDR
License
Pro
Creation date
2024-07-16
Last date published
2024-12-04
Category
Administrator Guide
Retire_Doc
Retiring
Link_to_new_Doc
/r/Cortex-XDR/Cortex-XDR-Documentation
Abstract

Learn about agent-initiated and server-initiated communication between Cortex XDR and its agents.

To stay up to date with the latest policy and endpoint status, Cortex XDR communicates regularly with your Cortex XDR agents. For example, when you upgrade your endpoints to the latest release, Cortex XDR creates an installation package and distributes it to the agent on their next communication. Similarly, the agent can send back data from the endpoint to Cortex XDR, such as data gathered on the endpoint or tech support files. In Cortex XDR, there are two types of communication:

Cortex XDR collects your agent logs to improve the agent stability. Collection of the logs is enabled by default and is recommended by Cortex XDR. You can choose to disable in SettingsGeneralAgent ConfigurationsCortex XDR Log Collection section.

Agent-Initiated Communication

The Cortex XDR agent initiates communication with Cortex XDR every five minutes by sending a heartbeat to the server. An agent heartbeat includes data about the Cortex XDR agent, and information gathered by the agent on the endpoint. For example, policy updates are performed via heartbeat: in each heartbeat the Cortex XDR agent sends to the Cortex XDR server the content version it uses. The Cortex XDR server compares this number with the number of latest content in use, and sends the agent a message to download newer content if it exists.

However not all agent-server communication is sent over the five-minute heartbeat. If a security event occurs on the endpoint, the agent immediately sends the server a security event message so you can respond immediately to the event and initiate investigation and remediation actions on the endpoint. If the message is not critical, such as status reports, the agent sends them once an hour.

Cortex XDR agents support secure communication with Cortex XDR using Transport Layer Security (TLS) 1.2 only.

Server-Initiated Communication

(Traps agent 6.1 and later releases) Cortex XDR can initiate some actions immediately on the endpoint through a web socket that is maintained between Cortex XDR and the Cortex XDR agent, improving the response action time and preventing delays. Examples of these actions include:

  • Quarantine file and restore file

  • Terminate process

  • Isolate endpoint and cancel endpoint isolation

  • Initiate Live Terminal

  • Set endpoint proxy disable endpoint proxy

  • Retrieve endpoint files

  • Retrieve security event data

  • Retrieve support file

  • Perform heartbeat

Note

The actions that can be performed via web socket are only actions that your current agent version already supports.

If the web socket communication fails, the action will be executed on the next successful Cortex XDR agent heartbeat. You can use Cytool to display the current web socket connection status by running the websocket command on the endpoint.