Communication Between Cortex XDR and Agents

To stay up to date with the latest policy and endpoint status, Cortex XDR communicates regularly with your Cortex XDR agents. For example, when you upgrade your endpoints to the latest release, Cortex XDR creates an installation package and distributes it to the agent on their next communication. Similarly, the agent can send back data from the endpoint to Cortex XDR, such as data gathered on the endpoint or tech support files. In Cortex XDR, there are two types of communication:

Agent-Initiated Communication

The Cortex XDR agent initiates communication with Cortex XDR every five minutes by sending a heartbeat to the server. An agent heartbeat includes data about the Cortex XDR agent, and information gathered by the agent on the endpoint. For example, policy updates are performed via heartbeat: in each heartbeat the Cortex XDR agent sends to the Cortex XDR server the content version it uses. The Cortex XDR server compares this number with the number of latest content in use, and sends the agent a message to download newer content if it exists.
However not all agent-server communication is sent over the five-minute heartbeat. If a security event occurs on the endpoint, the agent immediately sends the server a security event message so you can respond immediately to the event and initiate investigation and remediation actions on the endpoint. If the message is not critical, such as status reports, the agent sends them once an hour.

Server-Initiated Communication

(
Traps agent 6.1 and later releases
) Cortex XDR can initiate some actions immediately on the endpoint through a web socket that is maintained between Cortex XDR and the Cortex XDR agent, improving the response action time and preventing delays. Examples of these actions include:
  • Quarantine file and restore file
  • Terminate process
  • Isolate endpoint and cancel endpoint isolation
  • Initiate Live Terminal
  • Set endpoint proxy disable endpoint proxy
  • Retrieve endpoint files
  • Retrieve security event data
  • Retrieve support file
  • Perform heartbeat
The actions that can be performed via web socket are only actions that your current agent version already supports.
If the web socket communication fails, the action will be executed on the next successful Cortex XDR agent heartbeat. You can use Cytool to display the current web socket connection status by running the
websocket
command on the endpoint.

Recommended For You