Telemetry
Introduction
The ColorTokens Xshield agent software collects telemetry from each protected host to build an inventory of the server: its applications, network connections, open ports and related attributes.
The agent retrieves this information through native operating system APIs at regular intervals and sends it to the Xshield platform, which uses it to:
- Visualize network communications
- Identify vulnerabilities
- Apply security policies
Telemetry Data Types
Data Type | Description |
---|---|
Hardware | • CPU • Memory • Network Interfaces (NIC) |
Operating System | • Version • Patches • Software Versions • CPU & Memory Usage • Open ports • Host Name • Interfaces (Name, IP address) |
Network Flow Data | Metadata of network traffic including: • Source • Destination • Port • Protocol • Traffic statistics (Bytes, Packets) |
Host Firewall | • Firewall Status • Programmed Rules • Firewall actions |
Firewall EventLogs | • Connection allowed events • Connection blocked events |
Data Transfer Frequency
The following table describes how frequently different types of telemetry data are sent to the Xshield platform:
Type | Interval (seconds) | Description |
---|---|---|
Heartbeat | 120 | Basic telemetry |
Traffic Metrics | 120 | Traffic data sent to telemetry.[cluster].colortokens.com |
Port Metrics | 1800 | Listening ports information. Short-lived port listening is handled in traffic metrics |
Firewall Logs | 300 | Captured firewall allowed/denied logs. Allowed traffic exported only in test-mode |
Firewall Rules | 1800 | Rules programmed on the host firewall |
Agent Logs | 600 | Agent logs sent directly to logs.[cluster].colortokens.com |
Agent Compute Usage | 120 | CPU and memory metrics: • Collected every 2 minutes • Reported as sliding window average (window size: 5) • Memory reported if average changes by >10MB • CPU reported if average changes by >5% |
North-South Source IP visibility | 21600 (6 hours) | - |
Network Flows Upload (SIEM) | 900 | Only when flow collection is enabled under integrations. Supported only for Server & Gatekeeper Agents |
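The reporting rule in the Agent Compute Usage row (2-minute samples, a sliding-window average over the last 5 samples, a report only when the average moves by more than 10 MB or 5%) is a change detector. The following is an added example written for this page, not ColorTokens code. It assumes the "changes by" comparison is made against the last average that was actually reported (the page does not say what the baseline is), and the memory and CPU sample series are constructed.

```python
"""Change-triggered reporting of agent CPU/memory usage (added example, not vendor code)."""
from collections import deque

WINDOW_SIZE = 5          # page: sliding window size 5
MEM_THRESHOLD_MB = 10.0  # page: memory reported if average changes by >10 MB
CPU_THRESHOLD_PCT = 5.0  # page: CPU reported if average changes by >5%


class ChangeReporter:
    """Keep a sliding window of samples and report the average only when it
    differs from the last reported average by more than `threshold`.
    Assumption: the baseline is the last *reported* average, not the previous sample."""

    def __init__(self, threshold, window=WINDOW_SIZE):
        self.threshold = threshold
        self.samples = deque(maxlen=window)   # oldest sample drops out automatically
        self.last_reported = None

    def push(self, value):
        """Add one sample; return the new average if it must be reported, else None."""
        self.samples.append(value)
        avg = sum(self.samples) / len(self.samples)
        if self.last_reported is None or abs(avg - self.last_reported) > self.threshold:
            self.last_reported = avg
            return avg
        return None


def collect_reports(samples, threshold):
    """Feed a sample series (one value per 2-minute tick); return [(tick, average)] reports."""
    reporter = ChangeReporter(threshold)
    reports = []
    for tick, value in enumerate(samples):
        avg = reporter.push(value)
        if avg is not None:
            reports.append((tick, round(avg, 2)))
    return reports


# Constructed series: memory in MB, then CPU in percent, each with a step change.
MEMORY_MB = [40, 41, 42, 41, 40, 60, 62, 65, 64, 63, 63, 64]
CPU_PCT = [2, 3, 2, 3, 2, 20, 22, 21, 20, 19]


def memory_reports():
    return collect_reports(MEMORY_MB, MEM_THRESHOLD_MB)


def cpu_reports():
    return collect_reports(CPU_PCT, CPU_THRESHOLD_PCT)


if __name__ == "__main__":
    print("memory:", memory_reports())
    print("cpu:", cpu_reports())
```

Note the effect of the window: the memory step from ~40 MB to ~63 MB at tick 5 is not reported until tick 7, when enough new samples are in the window to move the average by more than 10 MB, and again at tick 11 once the average has crept a further 10 MB. Short spikes that leave the window before they shift the average by the threshold are never reported, which is the intended damping and also something to remember when reading agent resource graphs.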
Traffic Collection
Network telemetry is collected using the operating system's native packet-capture facilities (PCAP). Key points:
- Collection normally occurs only on the NICs through which traffic enters or leaves the server/endpoint
- No traffic metrics are collected for:
- Tunnel interfaces (e.g., TAP, TUN)
- Loopback interfaces
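The two points above, interface selection and turning captured packets into the flow metadata listed under Network Flow Data, can be shown together. The following is an added example written for this page, not ColorTokens code. The interface records (with a `kind` field standing in for what `ip -d link` reports for tun/tap devices), the listening-port set, and the packet records are all constructed; the choice to key flows on (client, server, server port, protocol) and fold replies from a listening port into the flow they answer is an assumption about how a flow collector would canonicalize direction, not something the page states.

```python
"""Interface selection and 5-tuple flow aggregation (added example, not vendor code)."""
from collections import defaultdict

# Constructed interface inventory, shaped like the output of `ip -d link`.
INTERFACES = [
    {"name": "lo",   "flags": {"LOOPBACK", "UP"},              "kind": None},
    {"name": "eth0", "flags": {"BROADCAST", "MULTICAST", "UP"}, "kind": None},
    {"name": "eth1", "flags": {"BROADCAST", "MULTICAST"},       "kind": None},  # down
    {"name": "tun0", "flags": {"POINTOPOINT", "NOARP", "UP"},   "kind": "tun"},
    {"name": "tap0", "flags": {"BROADCAST", "MULTICAST", "UP"}, "kind": "tap"},
]

# Constructed set of ports the host is listening on (what Port Metrics would report).
LISTENING = {22, 53, 443, 5432}

# Constructed packets: (iface, src, dst, sport, dport, proto, bytes).
PACKETS = [
    ("eth0", "10.0.1.5",  "10.0.2.10", 51234, 443,   "tcp", 1200),
    ("eth0", "10.0.1.5",  "10.0.2.10", 51234, 443,   "tcp", 800),
    ("eth0", "10.0.2.10", "10.0.1.5",  443,   51234, "tcp", 4000),  # reply
    ("lo",   "127.0.0.1", "127.0.0.1", 40000, 5432,  "tcp", 300),   # loopback: skipped
    ("tun0", "10.8.0.2",  "10.8.0.1",  60000, 53,    "udp", 80),    # tunnel: skipped
    ("eth0", "10.0.3.7",  "10.0.1.5",  61000, 22,    "tcp", 150),
]


def capture_interfaces(interfaces):
    """Interfaces worth attaching a capture to: up, not loopback, not tun/tap."""
    chosen = []
    for nic in interfaces:
        if "LOOPBACK" in nic["flags"] or nic.get("kind") in ("tun", "tap"):
            continue
        if "UP" not in nic["flags"]:
            continue
        chosen.append(nic["name"])
    return chosen


def flow_key(src, dst, sport, dport, proto, listening):
    """Canonical (client, server, server_port, proto) key (assumed convention).
    A packet sent *from* a listening port to an ephemeral port is a reply and is
    folded into the flow it answers, so both directions share one record."""
    if sport in listening and dport not in listening:
        return (dst, src, sport, proto)
    return (src, dst, dport, proto)


def aggregate_flows(packets, interfaces, listening):
    """Count packets and bytes per flow, ignoring interfaces that are not captured."""
    allowed = set(capture_interfaces(interfaces))
    flows = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for iface, src, dst, sport, dport, proto, size in packets:
        if iface not in allowed:
            continue
        record = flows[flow_key(src, dst, sport, dport, proto, listening)]
        record["packets"] += 1
        record["bytes"] += size
    return dict(flows)


if __name__ == "__main__":
    print("capturing on:", capture_interfaces(INTERFACES))
    for key, stats in aggregate_flows(PACKETS, INTERFACES, LISTENING).items():
        print(key, stats)
```

With the constructed input only `eth0` is captured, so the PostgreSQL connection over loopback and the DNS query inside the tunnel never appear in the flow metadata; this is worth knowing when a policy visualisation seems to be "missing" local or VPN traffic.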
Agent Compute Resource Usage
The Xshield agent uses minimal compute resources to perform its operations. Compute usage may rise when the traffic load on the system is heavy, but the agent is designed to stay within the limits specified below even during these periods of peak activity.
The Xshield agent may also use the filesystem to store collected data when it cannot reach the Xshield platform, so that records of network communications are not lost while the platform is unreachable.
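Storing collected data locally while the platform is unreachable only works if the spool is bounded, or the 1 GB disk limit in the table below would be exceeded during a long outage. The following is an added example written for this page, not ColorTokens code; it assumes an oldest-first eviction policy once the cap is reached and a sender that reports success or failure per entry (the page states the cap but not the eviction behaviour). The payloads and cap sizes are constructed and the spool lives in a temporary directory.

```python
"""Bounded on-disk spool for telemetry that cannot be delivered (added example, not vendor code)."""
import os
import tempfile


class DiskSpool:
    """Append-only spool of opaque payloads capped at `max_bytes`.
    Assumption: when the cap is reached the oldest entries are evicted first."""

    def __init__(self, directory, max_bytes):
        self.dir = directory
        self.max_bytes = max_bytes
        os.makedirs(directory, exist_ok=True)
        # Resume the sequence from whatever is already on disk so names never collide.
        self.seq = max((int(n[:-4]) for n, _ in self._entries()), default=0)

    def _entries(self):
        """Spooled entries oldest-first; zero-padded names make lexical order chronological."""
        names = sorted(n for n in os.listdir(self.dir) if n.endswith(".bin"))
        return [(n, os.path.getsize(os.path.join(self.dir, n))) for n in names]

    def used_bytes(self):
        return sum(size for _, size in self._entries())

    def enqueue(self, payload):
        """Store one payload, evicting the oldest entries until it fits under the cap."""
        if len(payload) > self.max_bytes:
            raise ValueError("payload larger than spool cap")
        entries = self._entries()
        used = sum(size for _, size in entries)
        while entries and used + len(payload) > self.max_bytes:
            name, size = entries.pop(0)
            os.remove(os.path.join(self.dir, name))
            used -= size
        self.seq += 1
        path = os.path.join(self.dir, f"{self.seq:012d}.bin")
        tmp = path + ".tmp"                      # not listed until renamed: no torn entries
        with open(tmp, "wb") as f:
            f.write(payload)
            f.flush()
            os.fsync(f.fileno())
        os.replace(tmp, path)                    # atomic publish

    def drain(self, send):
        """Deliver entries oldest-first via send(bytes) -> bool; stop at the first
        failure and keep the undelivered entries for the next attempt."""
        delivered = 0
        for name, _ in self._entries():
            path = os.path.join(self.dir, name)
            with open(path, "rb") as f:
                data = f.read()
            if not send(data):
                break
            os.remove(path)
            delivered += 1
        return delivered


def demo(max_bytes=1000, payload_size=300, count=5, send_ok=None):
    """Spool `count` constructed payloads under `max_bytes`, then drain with a sender
    that succeeds `send_ok` times (None = always). Returns (kept, received_ids, remaining)."""
    with tempfile.TemporaryDirectory() as d:
        spool = DiskSpool(d, max_bytes)
        for i in range(1, count + 1):
            spool.enqueue(f"{i:03d}".encode().ljust(payload_size, b"x"))
        kept = len(spool._entries())
        received, calls = [], [0]

        def send(data):
            calls[0] += 1
            if send_ok is not None and calls[0] > send_ok:
                return False                      # simulated platform still unreachable
            received.append(int(data[:3]))
            return True

        spool.drain(send)
        return kept, received, len(spool._entries())


if __name__ == "__main__":
    print(demo())            # cap 1000 B, five 300 B entries: the two oldest are evicted
    print(demo(send_ok=1))   # delivery fails after one entry: the rest stay spooled
```

The write-to-temp-then-rename step matters more than it looks: an agent that crashes mid-write must not later replay a truncated record as if it were valid telemetry.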
The following table provides the maximum use of compute resources by the Xshield agent.
Compute | Upper bound |
---|---|
CPU | < 10% |
RAM | 100 MB |
Disk | 1 GB |
Bandwidth | 50-75 MB data per day |