Engines Overview - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Administrator Guide

Product: Cortex XSIAM
Creation date: 2023-10-30
Last date published: 2024-03-28
Category: Administrator Guide
Abstract

Understand engine architecture, load balancing groups, installation and configurations.

Engines are installed in a remote network and allow communication between the remote network and Cortex XSIAM. You can run integration commands on an engine. It is possible to install a single engine or multiple engines.

You can install multiple engines on the same machine (Shell installation only) when you do not want to spread numerous engines across different environments and manage each of those machines.

Note

You cannot share a multiple-engine installation with a single-engine installation.

An engine is used for the following purposes:

Engine Proxy

Engines enable access to internal or external services that are otherwise blocked, for example by a firewall or a proxy. For example, if a firewall blocks external communication and you want to run the Rasterize integration, you need to install an engine to access the Internet.

Engine Architecture

Within the network, you need to allow the engine to access the Cortex XSIAM IP address and listening port (by default, TCP 443). The engine always initiates the communication to Cortex XSIAM.
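
A pre-installation check for the rule described above, as an added example (not Palo Alto Networks code): it attempts the same outbound TCP connection the engine will make and distinguishes an open path from a rejected or silently dropped one. The function name `check_egress` and the host `xsiam-tenant.example` are placeholders.

```python
import errno
import socket
import sys

# Hypothetical helper (not part of Cortex XSIAM): try the outbound TCP
# connection an engine host must be able to make and classify the result.
def check_egress(host, port=443, timeout=3.0):
    """Return (status, detail). status is 'open', 'refused', 'filtered',
    'dns_failure' or 'error'."""
    try:
        infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror as exc:
        return "dns_failure", str(exc)
    result = ("error", "resolver returned no addresses")
    for family, socktype, proto, _, addr in infos:
        with socket.socket(family, socktype, proto) as sock:
            sock.settimeout(timeout)
            try:
                sock.connect(addr)
                return "open", f"connected to {addr[0]} port {addr[1]}"
            except socket.timeout:
                # No SYN-ACK and no RST: typical of a firewall silently dropping.
                result = ("filtered", f"no reply from {addr[0]} in {timeout}s")
            except ConnectionRefusedError:
                # RST received: nothing accepts on that port, or a firewall
                # rejects the connection instead of dropping it.
                result = ("refused", f"{addr[0]} refused port {addr[1]}")
            except OSError as exc:
                if exc.errno in (errno.ENETUNREACH, errno.EHOSTUNREACH):
                    result = ("filtered", f"no route to {addr[0]}")
                else:
                    result = ("error", str(exc))
    return result

if __name__ == "__main__":
    # Placeholder tenant address; pass the real one as the first argument.
    target = sys.argv[1] if len(sys.argv) > 1 else "xsiam-tenant.example"
    status, detail = check_egress(target)
    print(f"{target}:443 -> {status} ({detail})")
    sys.exit(0 if status == "open" else 1)
```

Because the engine always initiates the connection, only this egress path needs to pass; no inbound rule toward the engine host is required for it.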

Engine Load-Balancing

Engines can be part of a load-balancing group, which enables the distribution of the command execution load. The load-balancing group uses an algorithm to efficiently share the workload for integrations that the group is assigned to, thereby speeding up execution time. In general, heavy workloads are caused by playbooks that run a high number of commands.

Before configuring an integration to run using multiple engines in a load-balancing group, it is recommended that you test the integration using a single engine in the load-balancing group.

Note

When you add an engine to a load-balancing group, you cannot use that engine separately. The engine does not appear in the engines drop-down menu when configuring an integration instance.

Engine Installation and Configuration

After installing the engine, you can Configure Engines, for example set log levels, add servers to or remove them from a load-balancing group, or use the engine as a web proxy. You can also Manage Engines, for example get logs and add, remove, or delete engines.