The status of SOC.OS agents installed in your network is displayed on all pages of the SOC.OS tool. This allows the ingestion of alerts from on-premise security tools to be monitored.
The combined status of all agents is shown by an indicator in the bottom left of each page.
The indicator will appear green if all the agents are online, i.e. are sending heartbeat messages to the SOC.OS platform.
The indicator will appear red if all the agents are offline, i.e. are unable to send heartbeat messages to the SOC.OS platform.
The indicator will appear orange if some, but not all, of the agents are online.
More details about agent health can be obtained by clicking on the status indicator icon. This opens a panel where the status of each agent is individually listed.
The time that each agent last sent a heartbeat message to the SOC.OS platform is also shown.
It can take around 5 minutes for the indicator in the SOC.OS tool to be updated to reflect changes in agent status.
While an agent is offline, any alerts forwarded through that agent will not be sent to the SOC.OS platform. It is important to bring the agent back online as quickly as possible.
Common causes for the agent going offline are:
If a temporary issue caused the agent to go offline, the agent may automatically reconnect in a few minutes. The time that the last heartbeat message was sent to the SOC.OS platform can be helpful when determining if this is the case. If the agent remains offline, please restart it as soon as possible to prevent loss of alert data.
Details about why the agent disconnected can be found in the agent log files and host machine service logs.
More information on restarting the agent or viewing agent logs can be found here.
Please email email@example.com if you have questions or any problems with your agent.