Agent status indicator overview

This article will explain the various status indicators regarding agent connectivity displayed in the RocketCyber console.

How does the RocketAgent communicate with the cloud?

The RocketAgent utilizes two different communication channels to connect with the RocketCyber cloud:

1. WebSocket via Port 443/SSL

The RocketAgent maintains a persistent connection with the RocketCyber cloud via a WebSocket connection. This communication channel is used for the following types of communication:

  • Agent Status Indication
  • Threat Intelligence Request / Response
  • Command & Control Actions (Log Uploads/Agent Restart/Check For Updates/Isolation etc)

2. REST Endpoints via HTTPS

The RocketAgent utilizes various REST API Endpoints to perform tasks such as the following:

  • Posting detections from RocketApps
  • Downloading updates
  • Retrieving settings

What are the different status indicators?

Icon Color Name Description
     Screen_Shot_2021-06-16_at_11.09.34_AM.png  Green ONLINE This indicates the agent has a persistent WebSocket connection to the RocketCyber Cloud.
   Screen_Shot_2021-06-16_at_11.14.34_AM.png Yellow OFFLINE This indicates the agent has lost its WebSocket connection to the server. 
     Screen_Shot_2021-06-16_at_11.20.14_AM.png Red ISOLATED This indicates the agent has been isolated from communicating on the network except for its connection to the RocketCyber Cloud.

What can cause an agent to go offline?

Agents can display an offline status in the dashboard for various reasons:

  • The machine/operating system has been powered down or suspended.
  • The agent has been stopped or uninstalled.
  • There are network connectivity issues.
  • The agent is in the process of installing updates and restarting.

What happens when the agent shows an offline status?

If the agent goes offline due to network connectivity issues but the agent service is still running, rest assured that it is still actively monitoring the system for threats. The agent is designed to recover from any network connectivity issues automatically, so there should be no manual intervention required to bring it back online.

If the network connectivity issue is only related to the WebSocket connection, then the agent will continue to post detections to the cloud as they are encountered. Command and control operations such as log requests, agent updates, and isolation will be queued until the device re-establishes its WebSocket connection. Once the connection is re-established, the queued messages will be delivered to the agent.

If the network connectivity issues inhibit the posting of detections to the RocketCyber cloud via the REST endpoint APIs, detections will be cached locally and posted to the cloud as soon as connectivity is restored.