Learn about agent-initiated and server-initiated communication
between Cortex® XDR™ and its agents.
To stay up to date with the latest policy and endpoint
status, Cortex XDR communicates regularly with your Cortex XDR agents.
For example, when you upgrade your endpoints to the latest release,
Cortex XDR creates an installation package and distributes it to
the agent on their next communication. Similarly, the agent can
send back data from the endpoint to Cortex XDR, such as data gathered
on the endpoint or tech support files. In Cortex XDR, there are
two types of communication:
The Cortex XDR agent initiates communication with Cortex
XDR every five minutes by sending a heartbeat to the server. An
agent heartbeat includes data about the Cortex XDR agent, and information
gathered by the agent on the endpoint. For example, policy updates
are performed via heartbeat: in each heartbeat the Cortex XDR agent
sends to the Cortex XDR server the content version it uses. The
Cortex XDR server compares this number with the number of latest
content in use, and sends the agent a message to download newer
content if it exists.
However not all agent-server communication is sent over the five-minute
heartbeat. If a security event occurs on the endpoint, the agent
immediately sends the server a security event message so you can
respond immediately to the event and initiate investigation and
remediation actions on the endpoint. If the message is not critical,
such as status reports, the agent sends them once an hour.
Traps agent 6.1 and later releases
XDR can initiate some actions immediately on the endpoint through
a web socket that is maintained between Cortex XDR and the Cortex
XDR agent, improving the response action time and preventing delays.
Examples of these actions include:
Quarantine file and restore file
Isolate endpoint and cancel endpoint isolation
Initiate Live Terminal
Set endpoint proxy disable endpoint proxy
Retrieve endpoint files
Retrieve security event data
Retrieve support file
The actions that can be performed via web socket are only
actions that your current agent version already supports.
If the web socket communication fails, the action will be executed
on the next successful Cortex XDR agent heartbeat. You can use Cytool
to display the current web socket connection status by running the