Communication - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Administrator Guide

Product
Cortex XSIAM
Creation date
2024-05-06
Last date published
2024-09-12
Category
Administrator Guide
Abstract

Learn about agent-initiated and server-initiated communication between Cortex XSIAM and its agents.

To stay up to date with the latest policy and endpoint status, Cortex XSIAM communicates regularly with your Cortex XDR agents. For example, when you upgrade your endpoints to the latest release, Cortex XSIAM creates an installation package and distributes it to each agent on its next communication. Similarly, the agent can send data back from the endpoint to Cortex XSIAM, such as data gathered on the endpoint or tech support files. In Cortex XSIAM, there are two types of communication: agent-initiated and server-initiated.

Cortex XSIAM also collects your agent logs to improve agent stability. Log collection is enabled by default and is recommended by Cortex XSIAM. You can disable it in the Settings > General > Agent Configurations > Cortex XSIAM Log Collection section.

Agent-Initiated Communication

The Cortex XDR agent initiates communication with Cortex XSIAM every five minutes by sending a heartbeat to the server. An agent heartbeat includes data about the Cortex XDR agent and information gathered by the agent on the endpoint. For example, policy updates are performed via heartbeat: in each heartbeat, the Cortex XDR agent reports to the Cortex XSIAM server the content version it is using. The Cortex XSIAM server compares this version with the latest available content version and, if newer content exists, sends the agent a message to download it.

However, not all agent-server communication is sent with the five-minute heartbeat. If a security event occurs on the endpoint, the agent immediately sends the server a security event message so you can respond to the event without delay and initiate investigation and remediation actions on the endpoint. Messages that are not critical, such as status reports, are sent by the agent once an hour.

Cortex XDR agents support secure communication with Cortex XSIAM using Transport Layer Security (TLS) 1.2 only.

Server-Initiated Communication

(Traps agent 6.1 and later releases) Cortex XSIAM can initiate some actions immediately on the endpoint through a web socket that is maintained between Cortex XSIAM and the Cortex XDR agent, improving the response action time and preventing delays. Examples of these actions include:

  • Quarantine file and restore file

  • Terminate process

  • Isolate endpoint and cancel endpoint isolation

  • Initiate Live Terminal

  • Set endpoint proxy and disable endpoint proxy

  • Retrieve endpoint files

  • Retrieve security event data

  • Retrieve support file

  • Perform heartbeat

Note

The actions that can be performed via web socket are only actions that your current agent version already supports.

If the web socket communication fails, the action is executed on the next successful Cortex XDR agent heartbeat instead. You can display the current web socket connection status by running the Cytool websocket command on the endpoint.
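The following added example (not Cortex XSIAM or Cortex XDR agent code) models both communication paths described above in one small simulation: the agent-initiated heartbeat that carries the content version, critical security events sent immediately while status reports wait for the hourly schedule, and server-initiated actions that go over the web socket when it is open and are otherwise queued for the next successful heartbeat. The class names, message fields, endpoint id and timings are assumptions chosen for the illustration.

```python
# Added illustration, not Cortex XSIAM / Cortex XDR code. Names, message fields,
# the sample endpoint "ep-01" and the version numbers are constructed for this example.
from collections import deque
from dataclasses import dataclass, field

HEARTBEAT_INTERVAL_S = 5 * 60       # page: agent heartbeat every five minutes
STATUS_REPORT_INTERVAL_S = 60 * 60  # page: non-critical reports once an hour


@dataclass
class Agent:
    endpoint_id: str
    content_version: int
    last_heartbeat: float = float("-inf")   # first tick always sends a heartbeat
    last_status_report: float = 0.0         # hourly schedule counted from agent start
    status_buffer: list = field(default_factory=list)
    executed: list = field(default_factory=list)   # actions carried out on the endpoint

    def execute(self, action: str) -> None:
        self.executed.append(action)

    def send_event(self, server: "Server", now: float, critical: bool) -> str:
        """Critical security events bypass the heartbeat cadence; status reports
        are buffered and flushed on the hourly schedule."""
        if critical:
            server.receive({"type": "security_event", "endpoint_id": self.endpoint_id, "t": now})
            return "sent_immediately"
        self.status_buffer.append(now)
        return "buffered"

    def tick(self, server: "Server", now: float) -> list:
        """Called periodically; returns the kinds of messages sent at this tick."""
        sent = []
        if now - self.last_heartbeat >= HEARTBEAT_INTERVAL_S:
            resp = server.handle_heartbeat({"endpoint_id": self.endpoint_id,
                                            "content_version": self.content_version})
            self.last_heartbeat = now
            if resp["update_content"]:
                self.content_version = resp["content_version"]  # stands in for the download
            for action in resp["actions"]:    # actions that missed the web socket
                self.execute(action)
            sent.append("heartbeat")
        if self.status_buffer and now - self.last_status_report >= STATUS_REPORT_INTERVAL_S:
            server.receive({"type": "status_report", "endpoint_id": self.endpoint_id,
                            "entries": len(self.status_buffer)})
            self.status_buffer.clear()
            self.last_status_report = now
            sent.append("status_report")
        return sent


@dataclass
class Server:
    latest_content_version: int
    sockets: dict = field(default_factory=dict)   # endpoint_id -> Agent with an open web socket
    pending: dict = field(default_factory=dict)   # endpoint_id -> deque of undelivered actions
    received: list = field(default_factory=list)

    def receive(self, msg: dict) -> None:
        self.received.append(msg)

    def handle_heartbeat(self, hb: dict) -> dict:
        """Compare the reported content version with the latest one and piggyback
        any actions that could not be delivered over the web socket."""
        resp = {"update_content": hb["content_version"] < self.latest_content_version,
                "content_version": self.latest_content_version,
                "actions": []}
        queue = self.pending.get(hb["endpoint_id"])
        while queue:
            resp["actions"].append(queue.popleft())
        return resp

    def push_action(self, endpoint_id: str, action: str) -> str:
        """Server-initiated action: web socket first, next heartbeat as the fallback."""
        agent = self.sockets.get(endpoint_id)
        if agent is not None:
            agent.execute(action)
            return "websocket"
        self.pending.setdefault(endpoint_id, deque()).append(action)
        return "queued_for_heartbeat"


def demo() -> dict:
    """Walk through both paths and return the observations for checking."""
    srv = Server(latest_content_version=120)
    ag = Agent(endpoint_id="ep-01", content_version=118)   # constructed sample endpoint
    out = {}
    ag.tick(srv, 0)                                  # first heartbeat: agent is behind
    out["version_after_first_heartbeat"] = ag.content_version
    out["route_socket_down"] = srv.push_action("ep-01", "isolate_endpoint")
    ag.tick(srv, 60)                                 # no heartbeat due yet
    out["executed_before_next_heartbeat"] = list(ag.executed)
    out["sent_at_300"] = ag.tick(srv, 300)           # heartbeat drains the queue
    out["executed_after_next_heartbeat"] = list(ag.executed)
    srv.sockets["ep-01"] = ag                        # web socket now established
    out["route_socket_up"] = srv.push_action("ep-01", "terminate_process")
    out["critical_event"] = ag.send_event(srv, 310, critical=True)
    out["status_event"] = ag.send_event(srv, 320, critical=False)
    out["sent_at_600"] = ag.tick(srv, 600)           # heartbeat only; report not yet due
    out["sent_at_3600"] = ag.tick(srv, 3600)         # heartbeat plus hourly status report
    out["server_received"] = [m["type"] for m in srv.received]
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the module prints the observations from `demo()`: the agent is told to update on its first heartbeat, the isolation action issued while the socket is down is executed only at the 300-second heartbeat, and the status report reaches the server at the one-hour mark while the critical event was delivered at once.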