Data flows and protocols
This document details the architecture of the Remote Agent solution, defining the roles of the three core components and illustrating the TLS-secured, asynchronous data flow used for remote action execution and alert ingestion.
Component architecture
The Remote Agent architecture is built from the following three main components:
Component | Functionality and security | Communication |
---|---|---|
Google SecOps | Initiates tasks and retrieves final results. Doesn't communicate directly with the Remote Agent. | Communicates with the Publisher over TLS on port 443. |
Publisher | Managed service (by Google SecOps) acting as a secure intermediary. Stores temporary, encrypted execution data, metadata, and scripts/dependencies. Logs records (non-sensitive). | Binds to port 443 for communication with Google SecOps and the Remote Agent. |
Remote Agent | Deployed in the remote environment. Communicates with third-party security products to execute actions and pull alerts. Stores connector information (Gzip) and a local config file. | Communicates with the Publisher over TLS on port 443. |
Remote data flow (task execution)
When you configure an integration or connector to run remotely, the data flow is asynchronous and task-based:
- Task publication: Google SecOps publishes a new task to the Publisher.
- Task query: The Remote Agent (installed in the remote environment) continuously queries the Publisher for new tasks (either for remote actions or remote connector alert pulls).
- Task execution: When the Remote Agent finds a new task, it fetches the complete task data (containing alert context and action execution data) and begins execution.
- Result publication: The Remote Agent publishes the action results, including any generated attachments and the operations performed, back to the Publisher.
- Result retrieval: The Google SecOps server polls the Publisher. Once the task status is marked complete, Google SecOps retrieves the final result data and attachments, performing any necessary server-side residual tasks.
- Cleanup (ACK): When data is successfully ingested into Google SecOps, an Acknowledgment (ACK) is returned to the Publisher and then relayed to the agent. This ACK confirms data flow completion, triggering file deletion on both the Publisher and the agent.
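The following is an added illustration, not Google SecOps code: an in-memory model of the three components from the table above and of the six-step task flow just described. Google SecOps and the Remote Agent each talk only to the Publisher (the agent only ever polls outbound; nothing connects in to it), the Publisher's log holds task ids and states but never payloads, and the ACK issued after ingestion deletes the task data on the Publisher and, once relayed on the agent's next poll, on the agent as well. All class and method names, task kinds, ids and the sample handlers are assumptions made for this example; transport, TLS and at-rest encryption are out of scope of the model.

```python
import json
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# A handler stands in for a call to a third-party product: payload -> (result, attachments)
Handler = Callable[[bytes], Tuple[bytes, Dict[str, bytes]]]


@dataclass
class Task:
    task_id: str
    kind: str                  # "action" or "connector" (assumed task kinds)
    payload: bytes             # execution data; opaque to the Publisher
    status: str = "published"  # published -> fetched -> completed -> acked
    result: Optional[bytes] = None
    attachments: Dict[str, bytes] = field(default_factory=dict)


class Publisher:
    """Intermediary: keeps task data only until the ACK; logs ids and states only."""

    def __init__(self) -> None:
        self._tasks: Dict[str, Task] = {}
        self._acks_for_agent: List[str] = []   # ACKs waiting to be relayed
        self.log: List[Tuple[str, str]] = []   # non-sensitive records

    def publish(self, task: Task) -> None:
        self._tasks[task.task_id] = task
        self.log.append((task.task_id, "published"))

    def poll_new(self) -> List[str]:           # agent-side query (step 2)
        return [t.task_id for t in self._tasks.values() if t.status == "published"]

    def fetch(self, task_id: str) -> Task:     # full task data (step 3)
        task = self._tasks[task_id]
        task.status = "fetched"
        self.log.append((task_id, "fetched"))
        return task

    def publish_result(self, task_id: str, result: bytes, attachments: Dict[str, bytes]) -> None:
        task = self._tasks[task_id]            # step 4
        task.result, task.attachments, task.status = result, dict(attachments), "completed"
        self.log.append((task_id, "completed"))

    def poll_completed(self) -> List[str]:     # SecOps-side poll (step 5)
        return [t.task_id for t in self._tasks.values() if t.status == "completed"]

    def retrieve(self, task_id: str) -> Tuple[bytes, Dict[str, bytes]]:
        task = self._tasks[task_id]
        return task.result, dict(task.attachments)

    def ack(self, task_id: str) -> None:       # step 6: cleanup here, relay to agent
        del self._tasks[task_id]
        self._acks_for_agent.append(task_id)
        self.log.append((task_id, "acked"))

    def drain_acks(self) -> List[str]:
        acks, self._acks_for_agent = self._acks_for_agent, []
        return acks

    def stored_task_ids(self) -> List[str]:
        return list(self._tasks)


class RemoteAgent:
    """Runs in the remote environment; only ever calls out to the Publisher."""

    def __init__(self, publisher: Publisher, handlers: Dict[str, Handler]) -> None:
        self.publisher, self.handlers = publisher, handlers
        self.local_files: Dict[str, bytes] = {}  # per-task scratch data

    def run_once(self) -> List[str]:
        for task_id in self.publisher.drain_acks():   # relayed ACKs -> local cleanup
            self.local_files.pop(task_id, None)
        done = []
        for task_id in self.publisher.poll_new():     # fetch, execute, publish
            task = self.publisher.fetch(task_id)
            result, attachments = self.handlers[task.kind](task.payload)
            self.local_files[task_id] = result
            self.publisher.publish_result(task_id, result, attachments)
            done.append(task_id)
        return done


class SecOps:
    """Initiates tasks and collects results; never talks to the agent directly."""

    def __init__(self, publisher: Publisher) -> None:
        self.publisher, self.results, self._counter = publisher, {}, 0

    def submit(self, kind: str, data: dict) -> str:   # step 1
        self._counter += 1
        task_id = f"task-{self._counter}"              # constructed id
        self.publisher.publish(Task(task_id, kind, json.dumps(data).encode()))
        return task_id

    def collect(self) -> List[str]:                    # steps 5 and 6
        collected = []
        for task_id in self.publisher.poll_completed():
            result, attachments = self.publisher.retrieve(task_id)
            self.results[task_id] = {"result": json.loads(result), "attachments": attachments}
            self.publisher.ack(task_id)                # ingested -> ACK -> cleanup
            collected.append(task_id)
        return collected


def run_demo() -> dict:
    """Drive one remote action and one connector alert pull through the flow."""
    publisher = Publisher()

    def enrich_ip(payload: bytes) -> Tuple[bytes, Dict[str, bytes]]:
        ip = json.loads(payload)["ip"]                 # constructed stand-in product call
        return json.dumps({"ip": ip, "verdict": "clean"}).encode(), {"raw.txt": b"sample attachment"}

    def pull_alerts(payload: bytes) -> Tuple[bytes, Dict[str, bytes]]:
        return json.dumps({"alerts": [{"id": "A-1", "severity": "high"}]}).encode(), {}

    agent = RemoteAgent(publisher, {"action": enrich_ip, "connector": pull_alerts})
    secops = SecOps(publisher)
    secops.submit("action", {"ip": "192.0.2.10"})
    secops.submit("connector", {"since": "2024-01-01T00:00:00Z"})
    agent.run_once()   # agent poll: fetch, execute, publish results
    secops.collect()   # SecOps poll: retrieve, ingest, ACK
    agent.run_once()   # next agent poll: ACKs arrive, local files removed
    return {"results": secops.results, "publisher_tasks": publisher.stored_task_ids(),
            "agent_files": list(agent.local_files), "log": publisher.log}
```

After `run_demo()` returns, both `publisher_tasks` and `agent_files` are empty, which is the property to check when reviewing a broker-style design like this one: result data and attachments should not outlive the ACK on either side, and the Publisher's log should reveal only which task reached which state.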