Data flows and protocols

The remote agent architecture is built from three main components:

Google Security Operations

  • Communicates with the Publisher on port 443 under TLS
  • Has no direct access to remote agents

Publisher (managed by Google Security Operations)

  • Listens on port 443 (TLS) for communication with the other components
  • Stores temporary execution data and metadata (encrypted)
  • Keeps scripts and dependencies relevant for execution (encrypted)
  • Keeps log records (no sensitive data)

Remote Agent

  • Communicates with the Publisher on port 443 under TLS, and initiates every connection itself; because the Agent polls the Publisher for work, the remote network needs only an outbound rule to the Publisher on port 443 and no inbound rule
  • Communicates with all third-party security products in the remote network in order to run the relevant actions and pull alerts
  • Stores connector information (Gzip-compressed) and a config file

Once an integration or a connector is configured to run remotely, the data flow is as follows:

  1. Google Security Operations publishes a new task on the Publisher server.
  2. The Agent installed in the remote environment continually polls the Publisher for new tasks (alerts to pull through a remote connector, or remote actions to perform).
  3. Once the Remote Agent finds a new task to execute, it fetches all the task data and starts executing it. The task contains all the alert context data and the relevant action execution data.
  4. The Remote Agent publishes the action results, their attachments, and the operations performed back to the Publisher.
  5. The Google Security Operations server polls the Publisher; when a task is finished, Google Security Operations retrieves the result data and attachments and performs any remaining work on the server.
  6. Once the data has been ingested into Google Security Operations, it returns an ACK to the Publisher, which passes it on to the Agent. The ACK marks the data flow as complete; only then are the task files deleted from the Publisher and the Agent, so a result that was never acknowledged is never dropped.
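The six steps above, simulated end to end in Python as an added illustration (this is not Google's code, and the class names, payload shapes, in-memory stores and the constructed alert/action handlers are all assumptions for the example; the real wire format is not documented on this page). The point it shows that the prose does not: the Agent learns about ACKs only on its next outbound poll, since Google Security Operations never contacts the Agent directly, and the Agent keeps its local result files until that ACK arrives.

```python
"""Pull-based task flow between SecOps, Publisher and Remote Agent (added example)."""
import gzip
import json
import uuid
from dataclasses import dataclass


@dataclass
class Task:
    task_id: str
    kind: str       # "pull_alerts" (connector) or "run_action" (integration action)
    payload: dict   # alert context plus action execution data


class Publisher:
    """Broker between SecOps and the Agent. It never executes anything; it holds
    tasks until an agent claims them and results until SecOps ACKs them."""

    def __init__(self):
        self._pending = {}   # task_id -> Task waiting for an agent
        self._results = {}   # task_id -> result waiting for a SecOps ACK
        self._acked = set()  # task_ids the Agent has not yet been told about
        self.log = []        # log records: ids and states only, no payloads

    # -- SecOps side --
    def publish_task(self, task):
        self._pending[task.task_id] = task
        self.log.append(("published", task.task_id))

    def finished_tasks(self):
        return list(self._results)

    def fetch_result(self, task_id):
        return self._results[task_id]

    def ack(self, task_id):
        # SecOps has ingested the data: drop the stored result, remember the ACK
        # so the Agent can pick it up on its next poll.
        self._results.pop(task_id, None)
        self._acked.add(task_id)
        self.log.append(("acked", task_id))

    # -- Agent side (every call is an outbound request from the Agent) --
    def poll_acks(self):
        acked, self._acked = self._acked, set()
        return acked

    def poll_task(self):
        if not self._pending:
            return None
        _, task = self._pending.popitem()
        return task

    def publish_result(self, task_id, result):
        self._results[task_id] = result
        self.log.append(("result", task_id))


class RemoteAgent:
    def __init__(self, publisher, handlers):
        self.pub = publisher
        self.handlers = handlers    # kind -> callable(payload) -> dict
        self.local_results = {}     # gzip'd result files kept until ACKed

    def run_once(self):
        # ACKs ride the same outbound channel: clean up before taking new work.
        for task_id in self.pub.poll_acks():
            self.local_results.pop(task_id, None)
        task = self.pub.poll_task()
        if task is None:
            return None
        result = self.handlers[task.kind](task.payload)
        self.local_results[task.task_id] = gzip.compress(json.dumps(result).encode())
        self.pub.publish_result(task.task_id, result)
        return task.task_id


class SecOpsServer:
    def __init__(self, publisher):
        self.pub = publisher
        self.ingested = {}

    def publish(self, kind, payload):
        task = Task(str(uuid.uuid4()), kind, payload)
        self.pub.publish_task(task)
        return task.task_id

    def poll_results(self):
        done = []
        for task_id in self.pub.finished_tasks():
            self.ingested[task_id] = self.pub.fetch_result(task_id)
            self.pub.ack(task_id)   # ACK only after ingestion succeeded
            done.append(task_id)
        return done


# Constructed stand-ins for a connector and an action that run inside the remote network.
def pull_alerts(payload):
    return {"alerts": [{"id": "A-1", "severity": "high", "host": payload["host"]}]}


def run_action(payload):
    return {"status": "ok", "isolated_host": payload["host"]}


def run_flow():
    pub = Publisher()
    secops = SecOpsServer(pub)
    agent = RemoteAgent(pub, {"pull_alerts": pull_alerts, "run_action": run_action})
    t1 = secops.publish("pull_alerts", {"host": "ws-042"})            # step 1
    t2 = secops.publish("run_action", {"host": "ws-042", "action": "isolate"})
    executed = [agent.run_once(), agent.run_once()]                    # steps 2-4
    residue_before_ack = len(agent.local_results)
    ingested = secops.poll_results()                                   # steps 5-6
    agent.run_once()                                                   # ACK reaches Agent
    return {
        "task_ids": (t1, t2),
        "executed": sorted(executed),
        "ingested": sorted(ingested),
        "agent_residue_before_ack": residue_before_ack,
        "publisher_residue": len(pub.finished_tasks()) + len(pub._pending),
        "agent_residue": len(agent.local_results),
        "results": secops.ingested,
    }


if __name__ == "__main__":
    print(json.dumps(run_flow(), indent=2))
```

Running `run_flow()` shows two results held on the Agent until the ACK round trip, then zero residue on both Publisher and Agent once Google Security Operations has ingested them.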