The remote agent architecture is built from three main components:

Siemplify

  • Communicates with the Publisher on port 443 under TLS
  • Has no direct access to remote agents

Publisher

  • Binds to port 443 for communication with the other components
  • Stores temporary execution data and metadata (encrypted)
  • Keeps scripts and dependencies relevant for execution (encrypted)
  • Keeps log records (no sensitive data)

Remote Agent

  • Communicates with the Publisher on port 443 under TLS
  • Communicates with all third-party security products in the remote network in order to run the relevant actions and pull alerts
  • Stores connector information (Gzip) and a config file

Once an integration or a connector is configured to run remotely, the data flow is as follows:

  1. Siemplify publishes a new task on the Publisher Server.
  2. The Agent installed in the remote environment keeps polling the Publisher for new tasks (alerts to pull through a remote connector, or remote actions to perform).
  3. Once the Remote Agent finds a new task to execute, it fetches all the task data and starts executing it. The task contains all the alert context data and the relevant action execution data.
  4. The Remote Agent publishes the action results, its attachments, and the operations performed, back to the Publisher.
  5. The Siemplify server polls the publisher, and when a task is finished, Siemplify retrieves the result data and attachments and performs any residual tasks on the Siemplify server.
  6. Once the data has reached Siemplify, Siemplify returns an ACK to the Publisher, and the Publisher forwards it to the Agent. The ACK signals that the data flow is complete and that the related files can be deleted from both the Publisher and the Agent.
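The six-step flow above, as an added example that is not Siemplify's own code: an in-memory model of the Publisher task queue in which the Agent only ever talks to the Publisher, and both sides purge their copy of the execution data only once the ACK arrives. The state names, method names, the enrich_ip action and the alert id are assumptions made for the example.

```python
# Task states, named after the numbered steps in the data flow above.
PUBLISHED, RUNNING, DONE, ACKED = "published", "running", "done", "acked"

class Publisher:
    """Broker both sides talk to; Siemplify never contacts the agent directly."""
    def __init__(self):
        self.tasks = {}   # task_id -> {"kind", "state", "payload", "result", "files"}
    def publish(self, kind: str, payload: dict) -> int:              # step 1
        task_id = len(self.tasks) + 1
        self.tasks[task_id] = {"kind": kind, "state": PUBLISHED, "payload": payload,
                               "result": None, "files": []}
        return task_id
    def pending(self) -> list:                                       # step 2
        return [i for i, t in self.tasks.items() if t["state"] == PUBLISHED]
    def fetch(self, task_id: int) -> dict:                           # step 3
        self.tasks[task_id]["state"] = RUNNING
        return self.tasks[task_id]["payload"]
    def post_result(self, task_id: int, result: dict, files: list) -> None:  # step 4
        self.tasks[task_id].update(result=result, files=list(files), state=DONE)
    def finished(self) -> list:                                      # step 5
        return [i for i, t in self.tasks.items() if t["state"] == DONE]
    def ack(self, task_id: int) -> None:                             # step 6: purge
        self.tasks[task_id].update(state=ACKED, payload={}, result=None, files=[])

def run_agent_cycle(pub: Publisher, agent_files: dict) -> None:
    # One Remote Agent polling cycle; the action itself is a hypothetical stub.
    for tid in pub.pending():
        payload = pub.fetch(tid)
        agent_files[tid] = payload                                   # kept until the ACK
        pub.post_result(tid, {"status": "ok", "ran": payload["action"]}, ["output.txt"])
    for tid in [t for t in agent_files if pub.tasks[t]["state"] == ACKED]:
        del agent_files[tid]                                         # ACK relayed to agent

def run_flow() -> tuple:
    # Drives one remote action through steps 1-6 with constructed sample data.
    pub, agent_files = Publisher(), {}
    tid = pub.publish("action", {"action": "enrich_ip", "alert_id": "ALERT-CONSTRUCTED-1"})
    run_agent_cycle(pub, agent_files)                                # steps 2-4
    result = pub.tasks[pub.finished()[0]]["result"]                  # step 5
    pub.ack(tid)                                                     # step 6
    run_agent_cycle(pub, agent_files)                                # agent learns of the ACK
    return result, pub.tasks[tid]["state"], tid in agent_files
```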
