Apps
Written by Ali Murtaza
Updated over a week ago

SIRP provides point integrations with a number of cyber security, IT and OT products. Each product’s integration is supported by its own app. Each app is individually configured and has its own set of actions. Currently, SIRP integrates with 100+ technologies supporting 550+ actions.

To view the list of current integration apps, go to the Main Menu and select Apps.

Click on the toggle button under the Status column to Enable or Disable an app. Enabling an app displays a popup with a sample of the configuration required for successful connectivity with the desired product. Add the configuration details in the configuration box and click Save.

Apps that support instances will allow you to add multiple configurations. For example, if you have multiple Checkpoint firewalls in your network, SIRP allows you to add configurations for each firewall instance so that you can execute actions on any of the chosen firewalls.

Currently, SIRP does not provide open access to its API framework, so customers cannot yet write their own integration apps. This feature will be made available to customers soon. Until then, all integrations are handled by SIRP’s dedicated integrations team, and all integrations are done free of cost within 72 hours.

Approval Workflows

SIRP allows you to configure approval workflows for specific actions on each integrated application. These workflows let analysts route actions to the relevant hierarchy of personnel for approval via email or the web.

To access this functionality, navigate to the Main Menu, click Apps, and click Approval Workflows.

Click Create Approval Workflow. Below is a workflow that can be used against a firewall block action.

You have the option to set Primary Approvers, Secondary Approvers, and Executive Approvers. If a specific action is not approved within a given time frame, it is escalated to another approver. You also have the option to set a failover time between approvers. If a request's processing time exceeds the primary approver's capacity, the approval option will be forwarded to the secondary approver. The primary approver will not be able to approve the request if the primary failover time is exceeded.

To map this workflow to an action, navigate to the Main Menu, click Apps, and click the Action Count against the application you want to map the workflow to.

Click on the edit icon against the action you want the workflow to be mapped to. Below is an example where "Firewall Block Approval" is mapped to the "add_ip_to_blacklist" action of the Zscaler app. Whenever the "add_ip_to_blacklist" action is used, either as an ad-hoc or a playbook action, the approval workflow will be executed.

Action Approval Workflows

SIRP allows you to define comprehensive workflows for the approval of any automation action. This is useful when a certain approval process is required before the execution of a certain action. For example, approval might be required from an IT administrator before disabling a user on Microsoft Active Directory, or from the Network administrator before blocking an IP address on the perimeter firewall.

There are two steps to define workflows.

1. Create workflows.

2. Assign workflows to the action.

Create Approval Workflow

You can create an approval workflow once and use it as many times and in as many actions as you want. To view the list of approval workflows, go to Apps from the left-hand navigation menu, then click on the Approval Workflows button at the top.

Click on the Create Approval Workflow button at the top left corner, then enter the following information in the popup.

  • Name: Name of the workflow

  • Status: Status of the workflow.

  • Primary Approvers: List of the users who we wish to get approval from.

  • Primary Failover: Time duration the playbook will wait before sending the same approval request to the Secondary Approvers.

  • Secondary Approvers: List of users who will be sent approval request if none of the Primary Approvers approve the request in a given amount of time.

  • Secondary Failover: Time duration the playbook will wait before sending the same approval request to the Executive Approvers.

  • Executive Approvers: List of users who will be sent approval request if none of the Secondary Approvers approve the request in a given amount of time.

Click Create

The new workflow will appear in the list.

Note: If none of the approvers ever approve the request, the playbook will remain in a pending state. The playbook’s logs will show the log “Pending approval”.
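
The escalation rules described above can be modelled in a few lines to sanity-check a planned workflow before entering it in the popup. This is an added example, not SIRP code or its API: the class, method and user names are hypothetical, and it assumes the secondary failover timer starts when the request reaches the Secondary Approvers and that an expired tier can no longer approve (the page states this only for the primary tier).

```python
from dataclasses import dataclass
from datetime import timedelta

@dataclass(frozen=True)
class ApprovalWorkflow:
    name: str
    primary: frozenset
    primary_failover: timedelta
    secondary: frozenset
    secondary_failover: timedelta
    executive: frozenset

    def active_tier(self, elapsed):
        """Tier holding the request `elapsed` after it was raised."""
        if elapsed < self.primary_failover:
            return "primary", self.primary
        # Assumption: the secondary timer starts when the request reaches them.
        if elapsed < self.primary_failover + self.secondary_failover:
            return "secondary", self.secondary
        return "executive", self.executive

    def decide(self, responses):
        """responses: (elapsed, user) approval clicks. Returns (state, user, tier)."""
        for elapsed, user in sorted(responses):
            tier, approvers = self.active_tier(elapsed)
            if user in approvers:  # late or unlisted approvers are ignored
                return "Approved", user, tier
        return "Pending approval", None, None

# Constructed sample: user names and durations are illustrative only.
WF = ApprovalWorkflow(
    name="Firewall Block Approval",
    primary=frozenset({"alice"}), primary_failover=timedelta(minutes=30),
    secondary=frozenset({"bob"}), secondary_failover=timedelta(minutes=60),
    executive=frozenset({"carol"}),
)

if __name__ == "__main__":
    m = lambda n: timedelta(minutes=n)
    print(WF.decide([(m(10), "alice")]))                  # inside primary window
    print(WF.decide([(m(45), "alice"), (m(50), "bob")]))  # alice is too late
    print(WF.decide([(m(45), "alice")]))                  # nobody eligible approved
```
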

Assign Workflow to Action

Once an approval workflow is created, it can be assigned to any of the actions. One action can have only one approval workflow. To assign an approval workflow to an action, go to Apps from the left-hand navigation menu, then click on the number under the Actions Count column. This will show you the list of available actions of a particular App.

  • Click on the Edit icon under the Actions column

  • Select the desired Workflow from the dropdown

  • Click the Save icon under the Actions column

Multi-Config

In the App configuration pane, a multi-config + button is available. Once clicked, another set of configuration fields opens up, requiring a separate set of information, so that you can integrate multiple SIEM tools. For example, the Qradar App in SIRP allows you to create multiple Qradar configurations and integrate a number of Qradar instances in one SIRP instance.
