Data flows and protocols

The remote agent architecture is built from 3 main components:

Google Security Operations

• Communicates with the Publisher on port 443 under TLS
• Has no direct access to remote agents

Publisher (managed by Google SecOps)

• Binding to port 443 for communication with the other components
• Stores temporary execution data and metadata (encrypted)
• Keeps scripts and dependencies relevant for execution (encrypted)
• Keeps log records (no sensitive data)

Remote Agent

• Communicates with the Publisher on port 443 under TLS
• Communicates with all third party security products in the remote network in order to run the relevant actions and pull alerts
• Stores connector information (Gzip) and a config file

Once an integration or a connector is configured to run remotely, the data flow is as follows:

1. Google SecOps publishes a new task on the Publisher Server.
2. The Agent which is installed on the remote Environment keeps querying the publisher for new tasks (to pull alerts by a remote connector or to perform remote actions.)
3. Once the Remote Agent finds a new task to execute, it fetches all the task data and starts executing it. The task contains all the alert context data and the relevant action execution data.
4. The Remote Agent publishes the action results, its attachments, and the operations performed, back to the Publisher.
5. The Google SecOps server polls the publisher, and when a task is finished, Google SecOps retrieves the result data and attachments and performs any residual tasks on the server.
6. When data is being ingested into Google SecOps, it returns an ACK to the Publisher and from the Publisher to the Agent. The ACK means that the data flow is completed, and the files can be deleted from the Publisher and Agent.