Solved: Difference between Connectors Testing using Remote...

nthida_libersky

What are the difference between Connectors and explain the goals and tasks of that respectively.

・Connector in that flow ：IDE >Create IDE>Create Connector(For Test ,Add values in Parameter Setting)

・Connector in that flow ：Setting >Connectors>Add Connectors(created connector in IDE)

・Check to the 'Remote Connector'

・After Test , Press Load To System button and where can I check the result of Loaded to system.

And Does the above flows correspond action of the second capabilities of Remote Agent?

1.Execute actions and playbooks on remote sites directly from Chronicle

2.Pulling alerts and security data from remote sites with remote connectors

3.Connect to separate networks to pull data for incident response purposes

And how can I test the third capability of the Remote Agent?

f3rz

@nthida_libersky , if I understand you correctly:

1. Difference between Connector tests (IDE vs Settings -> Ingestion -> Connectors):
IDE test (Testing tab) is more designed to test something while you are developing code, while "Run Connector Once" in Testing Tab in Settings -> Ingestion -> Connectors is designed to test the already created connector instance.

Not only does it test already created connector instances, but it also allows you to Load To System a test alert. This feature empowers you to prepare playbooks, views, and more, before enabling ingestion from the connector.

2. Remote Agent allows you to run Connectors (Remote Connectors) and Actions on the remote sites/restricted networks behind NAT/PAT.

The 3rd point that you are trying to test is partially equal to 1st point where it allows you to execute Actions on the remote site. Therefore, to test it, you can find any action that matches your requirements and needs to be executed on the remote site only. Test it by running this action.

View solution in original post

f3rz

@nthida_libersky , if I understand you correctly:

1. Difference between Connector tests (IDE vs Settings -> Ingestion -> Connectors):
IDE test (Testing tab) is more designed to test something while you are developing code, while "Run Connector Once" in Testing Tab in Settings -> Ingestion -> Connectors is designed to test the already created connector instance.

Not only does it test already created connector instances, but it also allows you to Load To System a test alert. This feature empowers you to prepare playbooks, views, and more, before enabling ingestion from the connector.

2. Remote Agent allows you to run Connectors (Remote Connectors) and Actions on the remote sites/restricted networks behind NAT/PAT.

The 3rd point that you are trying to test is partially equal to 1st point where it allows you to execute Actions on the remote site. Therefore, to test it, you can find any action that matches your requirements and needs to be executed on the remote site only. Test it by running this action.

dnehoda

Just to add on here to the remote agent piece.

Most of our connectors at this point are cloud based so this typically will not come into play unless you have a custom connector and the application lives in an on prem data center of yours.

The most typical application of the remote agent is when trying to do some kind of enrichment within a playbook where the management console resides on prem in one of your data centers. For example, CheckPoint mgmtor Palo Alto Panorama is typically on prem, so in order to use the enrichment capabilties you would need a remote device with the agent installed to pull that data back into Chronicle SOAR.

Hope that clarifies a little further.

Difference between Connectors Testing using Remote Agent