Learn about agent-initiated and server-initiated communication between Cortex XDR and its agents.
To stay up to date with the latest policy and endpoint status, Cortex XDR communicates regularly with your Cortex XDR agents. For example, when you upgrade your endpoints to the latest release, Cortex XDR creates an installation package and distributes it to the agent on their next communication. Similarly, the agent can send back data from the endpoint to Cortex XDR, such as data gathered on the endpoint or tech support files. In Cortex XDR, there are two types of communication:
Cortex XDR collects your agent logs to improve the agent stability. Collection of the logs is enabled by default and is recommended by Cortex XDR. You can choose to disable in → → → section.
Agent-Initiated Communication
The Cortex XDR agent initiates communication with Cortex XDR every five minutes by sending a heartbeat to the server. An agent heartbeat includes data about the Cortex XDR agent, and information gathered by the agent on the endpoint. For example, policy updates are performed via heartbeat: in each heartbeat the Cortex XDR agent sends to the Cortex XDR server the content version it uses. The Cortex XDR server compares this number with the number of latest content in use, and sends the agent a message to download newer content if it exists.
However not all agent-server communication is sent over the five-minute heartbeat. If a security event occurs on the endpoint, the agent immediately sends the server a security event message so you can respond immediately to the event and initiate investigation and remediation actions on the endpoint. If the message is not critical, such as status reports, the agent sends them once an hour.
Cortex XDR agents support secure communication with Cortex XDR using Transport Layer Security (TLS) 1.2 only.
Server-Initiated Communication
(Traps agent 6.1 and later releases) Cortex XDR can initiate some actions immediately on the endpoint through a web socket that is maintained between Cortex XDR and the Cortex XDR agent, improving the response action time and preventing delays. Examples of these actions include:
Quarantine file and restore file
Terminate process
Isolate endpoint and cancel endpoint isolation
Initiate Live Terminal
Set endpoint proxy disable endpoint proxy
Retrieve endpoint files
Retrieve security event data
Retrieve support file
Perform heartbeat
Note
The actions that can be performed via web socket are only actions that your current agent version already supports.
If the web socket communication fails, the action will be executed on the next successful Cortex XDR agent heartbeat. You can use Cytool to display the current web socket connection status by running the websocket
command on the endpoint.