The remote agent architecture is built from three main components:

Google Security Operations
  - Communicates with the Publisher on port 443 over TLS
  - Has no direct access to remote agents

Publisher (managed by Google SecOps)
  - Listens on port 443 for communication with the other two components
  - Stores temporary execution data and metadata (encrypted)
  - Keeps the scripts and dependencies needed for execution (encrypted)
  - Keeps log records (no sensitive data)

Remote Agent
  - Communicates with the Publisher on port 443 over TLS; the agent initiates these connections (it polls the Publisher, as described below)
  - Communicates with the third-party security products in the remote network in order to run the relevant actions and pull alerts
  - Stores connector information (gzip-compressed) and a config file
Once an integration or a connector is configured to run remotely, the data flow is as follows:

1. Google SecOps publishes a new task on the Publisher server.
2. The agent installed in the remote environment keeps polling the Publisher for new tasks (to pull alerts through a remote connector or to perform remote actions).
3. When the agent finds a new task, it fetches all the task data and starts executing it. The task contains all the alert context data and the relevant action execution data.
4. The agent publishes the action results, their attachments, and the operations performed back to the Publisher.
5. Google SecOps polls the Publisher; when a task is finished, it retrieves the result data and attachments and performs any residual tasks on the server.
6. Once the data has been ingested into Google SecOps, it returns an ACK to the Publisher, which relays it to the agent. The ACK means that the data flow is complete and the files can be deleted from the Publisher and the agent. Until the ACK arrives, both the Publisher and the agent keep their copies.
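The flow above, as an added example that is not Google's code or wire protocol: an in-memory simulation in which Google SecOps publishes tasks, the agent polls for them, runs them against stand-in products, posts results, and both stores are cleared only once the ACK has travelled SecOps → Publisher → agent. The class and function names (Task, Publisher, RemoteAgent, SecOps, run_flow) and the two fake products are assumptions made for the example; real traffic is TLS on port 443, here a "request" is a method call.

```python
# Added example (not Google's code or wire protocol): an in-memory simulation of
# the task/result/ACK flow between Google SecOps, the Publisher and a remote agent.
# Real traffic is TLS on port 443; here a "request" is a method call. The names
# Task, Publisher, RemoteAgent, SecOps and run_flow are assumed for the example.
from dataclasses import dataclass
import gzip
import json
import uuid

@dataclass
class Task:
    task_id: str
    kind: str      # "action" or "pull_alerts" (labels assumed for the example)
    payload: dict  # alert context plus action execution data

class Publisher:
    """Broker in the middle. It never connects out: both sides poll it."""
    def __init__(self):
        self.pending = {}  # published by SecOps, not yet taken by the agent
        self.results = {}  # posted by the agent, not yet ACKed by SecOps
        self.acks = []     # ACKs waiting for the agent's next poll

    # Called by Google SecOps
    def publish(self, task):
        self.pending[task.task_id] = task
    def finished(self):
        return dict(self.results)
    def ack(self, task_id):
        del self.results[task_id]  # ACK ends the flow: drop the stored copy ...
        self.acks.append(task_id)  # ... and relay the ACK to the agent

    # Called by the remote agent (the agent always initiates)
    def poll(self):
        return self.pending.pop(next(iter(self.pending))) if self.pending else None
    def post_result(self, task_id, result):
        self.results[task_id] = result
    def poll_acks(self):
        acks, self.acks = self.acks, []
        return acks

class RemoteAgent:
    """Runs in the customer network and drives the local security products."""
    def __init__(self, publisher, products):
        self.pub = publisher
        self.products = products  # name -> callable standing in for a product
        self.spool = {}           # gzip copies kept until the ACK arrives

    def run_once(self):
        task = self.pub.poll()
        if task is None:
            return None
        product = self.products[task.payload["product"]]
        result = {"task_id": task.task_id,
                  "output": product(task.kind, task.payload.get("params", {})),
                  "operations": [f"{task.kind} via {task.payload['product']}"]}
        self.spool[task.task_id] = gzip.compress(json.dumps(result).encode())
        self.pub.post_result(task.task_id, result)
        return task.task_id

    def process_acks(self):
        for task_id in self.pub.poll_acks():
            self.spool.pop(task_id, None)

class SecOps:
    def __init__(self, publisher):
        self.pub, self.ingested = publisher, {}

    def submit(self, kind, payload):
        task = Task(str(uuid.uuid4()), kind, payload)
        self.pub.publish(task)
        return task.task_id

    def collect(self, send_ack=True):
        for task_id, result in self.pub.finished().items():
            self.ingested[task_id] = result
            if send_ack:  # pass False to see what a lost ACK leaves behind
                self.pub.ack(task_id)

# Constructed stand-ins for third-party products in the remote network.
def fake_firewall(kind, params):
    return {"blocked": params["ip"]} if kind == "action" else None

def fake_edr(kind, params):
    return [{"id": "alert-1", "host": "ws-07"}] if kind == "pull_alerts" else None

def run_flow(send_ack=True):
    pub = Publisher()
    secops = SecOps(pub)
    agent = RemoteAgent(pub, {"firewall": fake_firewall, "edr": fake_edr})
    secops.submit("action", {"product": "firewall", "params": {"ip": "203.0.113.9"}})
    secops.submit("pull_alerts", {"product": "edr"})
    while agent.run_once():  # the agent keeps polling until no task is pending
        pass
    secops.collect(send_ack)  # SecOps polls, ingests, and (normally) ACKs
    agent.process_acks()      # the agent sees the ACK on its next poll
    return {"ingested": len(secops.ingested), "publisher_results": len(pub.results),
            "agent_spool": len(agent.spool)}
```

Running `run_flow()` leaves both the Publisher and the agent spool empty; `run_flow(send_ack=False)` ingests the same two results but leaves the copies on both the Publisher and the agent, which is the retention behaviour the ACK step describes.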