Google SecOps Remote Agent (SOAR) Network Requirements

Hi,

I couldn’t find any information regarding the network requirements for firewall rules related to the Remote Agent. Could someone provide the necessary addresses and details?

Thanks in advance!

1 ACCEPTED SOLUTION

When I checked the agent’s Docker container logs, I noticed that it couldn’t reach <customerid>.siemplify-soar.com. After allowing access to this address, the issue was resolved. It seems that each Chronicle instance has its own dedicated Siemplify SOAR endpoint.


4 REPLIES

Please take a look at this doc to see if it helps.

Hi, I’ve seen this document before, but unfortunately, it doesn’t provide the URLs or IP addresses. Therefore, it won’t be helpful for me to configure my firewall rules.

Hi @tnxtr, specific URLs for both SIEM and SOAR agents:

  • Port 443 (TCP): This port is used for communication between the agent and the Google Security Operations Publisher (a proxy server managed by Google). You will need to allow outbound connections on this port to the following Google Cloud hosts:
    • malachiteingestion-pa.googleapis.com
    • Regional variations of malachiteingestion-pa.googleapis.com (e.g., asia-northeast1-malachiteingestion-pa.googleapis.com, europe-west2-malachiteingestion-pa.googleapis.com, etc.). The specific regional endpoints will depend on your Google Cloud region.
    • accounts.google.com
    • oauth2.googleapis.com

  Additional URLs for SOAR agents:
    Depending on the specific integrations and connectors used with your SOAR agents, additional URLs may be required. The documentation does not provide a comprehensive list of all possible URLs, but it does mention that connectors support proxies. You should consult the documentation for each specific integration to determine any additional URLs or ports that need to be allowed.

  Proxy Configuration:
    The SecOps remote agents support proxy configurations. The exact method for configuring a proxy depends on whether you are using the installer or Docker agent. Refer to the documentation on "Installer and Docker agent configuration" for detailed instructions on how to configure proxy settings for your specific agent type. The documentation mentions using environment variables like PROXY_ADDRESS, HTTP_PROXY, HTTPS_PROXY, and NO_PROXY.

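A small triage helper that ties the host list in the reply above to the accepted answer's method of reading the agent's container logs: it pulls the destinations that failed out of the log and reports which ones the firewall allowlist does not already cover. This is an added example, not code from Google or from this thread; the log line wording, the "example-customer" customer id and the ALLOWLIST patterns are constructed assumptions.

```python
"""Pull hosts a SecOps remote agent failed to reach out of its container logs and compare them against the firewall allowlist."""
import re
from fnmatch import fnmatch

# Allowlist built from the hosts named in this thread. Regional malachite
# endpoints and the per-customer SOAR endpoint become wildcard patterns;
# "example-customer" is a constructed placeholder for the real customer id.
ALLOWLIST = [
    "malachiteingestion-pa.googleapis.com",
    "*-malachiteingestion-pa.googleapis.com",
    "accounts.google.com",
    "oauth2.googleapis.com",
    "example-customer.siemplify-soar.com",
]

# Constructed sample log lines (not real agent output): the message wording
# is assumed, only the host names come from the thread.
SAMPLE_LOGS = """\
2024-05-01T10:00:01Z INFO agent started
2024-05-01T10:00:02Z ERROR dial tcp: lookup example-customer.siemplify-soar.com: no such host
2024-05-01T10:00:03Z INFO connected to oauth2.googleapis.com:443
2024-05-01T10:00:05Z ERROR connect to europe-west2-malachiteingestion-pa.googleapis.com:443 timed out
2024-05-01T10:00:06Z ERROR connect to updates.example.net:443 timed out
"""

# Hostname after a failure verb, with an optional :port suffix.
FAILURE_RE = re.compile(r"(?:lookup|connect to)\s+([a-z0-9.-]+\.[a-z]{2,})(?::\d+)?", re.I)

def unreached_hosts(log_text):
    """Hosts named in ERROR lines that describe a failed DNS lookup or connect."""
    hosts = set()
    for line in log_text.splitlines():
        if " ERROR " in line:
            match = FAILURE_RE.search(line)
            if match:
                hosts.add(match.group(1).lower())
    return hosts

def is_allowed(host, allowlist=ALLOWLIST):
    """True if the host matches an exact entry or a wildcard pattern in the allowlist."""
    return any(fnmatch(host, pattern) for pattern in allowlist)

def triage(log_text, allowlist=ALLOWLIST):
    """Expected endpoints that fail point at a firewall/proxy gap; anything else
    is an unexpected destination to investigate before opening a rule for it."""
    failing = sorted(unreached_hosts(log_text))
    return {
        "allowlisted_but_unreachable": [h for h in failing if is_allowed(h, allowlist)],
        "not_in_allowlist": [h for h in failing if not is_allowed(h, allowlist)],
    }
```

Run `triage(open("agent.log").read())` against the output of `docker logs` for the agent container; the first list is what to open on the firewall or proxy, the second is what to check before touching any rule.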