SIRP is a Risk-based Security Orchestration, Automation, and Response (SOAR) platform that fuses essential cybersecurity information to enable a unified cyber response. Through a single integrated platform, it drives security visibility, so decisions can be better prioritized and response time is dramatically reduced. With SIRP, the entire cybersecurity function works as a single, cohesive unit.
The purpose of this guide is to provide steps and guidelines for deploying the SIRP virtual appliance on a VMware ESX/ESXi server.
The document contains all the steps required to successfully deploy the SIRP on-prem virtual appliance in your environment, including:
Verifying the prerequisites
Deployment of the virtual appliance
Performing initial configuration
For SIRP to work correctly, the virtual appliance that you use must meet the minimum software and hardware requirements.
Before you install your virtual appliance, ensure that the following minimum requirements are met:
Hypervisor for virtual machine image
VMware vSphere ESX/ESXi 5 or later
1 server-class CPU, 8 to 16 cores
Minimum of 16GB RAM, 32GB recommended
SIRP needs at least 512 GB space
Note: Disk space requirements vary based on the volume of data consumed and the size of your environment. Please refer to the SIRP Sizing Guidelines.
A one-gigabit network interface
Valid SSL Certificate signed by known CA
Requirement for Network Connectivity
The table below lists the ports that must be open to traffic in order to use SIRP. Use this table to design the firewall rules for your installation.
Used for administering the operating system.
TCP 80 and 8080
Port for requests sent over HTTP. SIRP redirects all HTTP requests to HTTPS.
HTTPS port for the web interface.
TCP 80, 443, 4444
Outbound connectivity to app.sirp.io on TCP/443 to receive SIRP proprietary Threat Intelligence. Outbound connectivity to app.sirp.io on TCP/80 and TCP/4444 to pull updates from the cloud server.
It is highly recommended that Internet access is provided for SIRP upgrades and for fetching new Apps and Actions. At a minimum, allow outbound connectivity to app.sirp.io on TCP/4444 and TCP/443.
Use the latest, fully patched version of your browser. SIRP requires a web browser that supports HTML 5, SVG graphics, and TLS. SIRP supports these web browsers:
Microsoft Internet Explorer 11
Before you deploy SIRP, ensure that you have the following information:
Network mask address
Default gateway address
Primary Domain Name System (DNS) server address
Secondary DNS server address (optional)
SMTP Server details
Proxy Server details
Note: The pre-requisites required to run Automation actions and Playbooks are provided later in the document.
Deploying SIRP On-prem Appliance
This section covers the process of deploying the SIRP on-prem appliance along with its initial configuration.
The SIRP on-prem virtual appliance ships as a .ova and .ovf file. Testing of the virtual appliance is primarily done on VMware ESXi, but it should work with any virtualization platform that can import OVAs and supports x64 Linux guests. The operating system that the virtual appliance ships with is Ubuntu 16.x x86_64. If your virtualization platform supports .ovf files but not .ova, you can use the following command to extract the .ovf and .vmdk files from the archive. An OVA is an uncompressed tar archive, so no decompression flag is used.
tar -xf SIRP.ova
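Before importing, the extracted files can be checked against the manifest that an OVF package may carry. The script below is an added example, not part of the SIRP tooling or documentation; it assumes the archive contains a .mf manifest in the standard "SHA256(file)= digest" form and that sha256sum and sha1sum are installed.

```sh
#!/bin/sh
# Added example (not SIRP tooling): check an OVA against its OVF manifest.
# Assumption: the archive carries a .mf file with lines such as
#   SHA256(SIRP-disk1.vmdk)= <hex digest>
# Returns 0 = all digests match, 1 = mismatch or bad entry, 2 = cannot check.

verify_ova() {
    ova=$1
    work=$(mktemp -d) || return 2
    # An OVA is a plain tar archive; unpack it into a scratch directory.
    if ! tar -xf "$ova" -C "$work" 2>/dev/null; then rm -rf "$work"; return 2; fi
    mf=$(ls "$work"/*.mf 2>/dev/null | head -n 1)
    if [ -z "$mf" ]; then
        echo "no manifest in $ova, integrity cannot be checked" >&2
        rm -rf "$work"; return 2
    fi
    rc=0
    while IFS= read -r line || [ -n "$line" ]; do
        [ -n "$line" ] || continue
        algo=${line%%\(*}                 # text before "("
        rest=${line#*\(}
        name=${rest%%\)=*}                # text between "(" and ")="
        want=${rest#*\)=}                 # digest after ")="
        want=$(printf '%s' "$want" | tr -d ' \r' | tr 'A-F' 'a-f')
        case $algo in
            SHA256) tool=sha256sum ;;
            SHA1)   tool=sha1sum ;;
            *) echo "BADLINE  $line"; rc=1; continue ;;
        esac
        # Manifest entries must name files at the top level of the archive.
        case $name in
            */*|'') echo "BADNAME  $name"; rc=1; continue ;;
        esac
        if [ ! -f "$work/$name" ]; then echo "MISSING  $name"; rc=1; continue; fi
        got=$("$tool" "$work/$name" | cut -d' ' -f1)
        if [ "$got" = "$want" ]; then echo "OK       $name"
        else echo "MISMATCH $name"; rc=1; fi
    done < "$mf"
    rm -rf "$work"
    return "$rc"
}

# Usage: sh verify_ova.sh SIRP.ova
[ "$#" -eq 0 ] || verify_ova "$1"
```

A matching manifest only shows the archive is internally consistent; compare the file against a checksum obtained from the vendor through a separate channel when one is available.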
Step 1 - Import
Download or copy the provided SIRP virtual machine (.ovf or .ova) file to a location that is accessible to your PC.
From the VMware vSphere menu bar select File > Deploy OVF Template.
The Import Library window will appear along with a dialog box for browsing to the location of the OVF file.
Browse and select the SIRP .ovf or .ova file and click Next.
In the next step, enter the name for the imported virtual machine in the Save As text box and select the folder in which to save it.
The default destination is the Virtual Machines folder created by VMware Fusion.
VMware Fusion will display the disk space needed for the import and the space available on the current disk.
Fusion will perform OVF specification conformance and virtual hardware compliance checks. Meanwhile, a status bar will indicate the progress of this import process.
After the import is complete, the virtual machine will appear in the virtual machine library and in a separate virtual machine window.
Once the virtual machine shuts down, you must turn it on. After booting the SIRP appliance, the IP address of the system will be displayed on the command prompt. This IP address can be used to access the SIRP web interface.
Step 2 – Configure
The next step is to log in to the SIRP CLI and perform the initial configuration. After a successful SSH connection, type SIRP and baseconfig will load.
SIRP baseconfig includes a few initial configuration items:
Setup base parameters
Setup Base Parameters
Entering Setup Base Parameters shows the following configurable items:
Configure Network Interfaces
Configure Network Interfaces
First, configure Network Interfaces. An example configuration is shown below:
Select the interface to configure, such as: ens160.
Provide IP address with Subnet Postfix: 192.168.5.152/24
Provide Gateway IP Address: 192.168.5.1
Next, configure the DNS IP address, for example: 184.108.40.206
Set the hostname accordingly, such as: sirp.orgname.com
Provide the proxy URL with port, such as: sirp.proxy.com:8080
There are a few options available to configure.
Install Self-Signed Certificate
Upload and Install Certificate
Install Self-Signed Certificate
To install a self-signed certificate, select Install Self-Signed Certificate and then select Regenerate Self-Signed Certificate to complete the procedure.
Select Generate CSR to generate a certificate signing request (CSR) and procure a signed certificate through the internal Certificate Authority (CA). The CSR will ask for certain information as shown below:
Once the signed certificate is received from the internal CA, upload it using Upload and Install Certificate.
It will then ask for the Private Key and the Public Key (certificate), in that order; paste each one.
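A mismatched key and certificate, a certificate close to expiry, or one that does not cover the appliance hostname are easier to catch before pasting than after. The script below is an added example, not part of the SIRP tooling; it assumes the key and certificate are available as PEM files (the file names are placeholders), that the openssl command-line tool is installed, and it uses the example hostname sirp.orgname.com from the network step.

```sh
#!/bin/sh
# Added example (not SIRP tooling): sanity-check the PEM files before pasting
# them into "Upload and Install Certificate". File names are assumptions.
# Returns 0 = ready to upload, 1 = key/certificate mismatch, 2 = unreadable
# input, 3 = certificate expires within 30 days, 4 = hostname not covered.

check_cert_pair() {
    key=$1; cert=$2; host=$3
    # Derive the public key from each file; they must be identical.
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 2
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 2
    if [ "$key_pub" != "$cert_pub" ]; then
        echo "certificate was not issued for this private key" >&2
        return 1
    fi
    # -checkend N exits non-zero if the certificate expires within N seconds.
    if ! openssl x509 -in "$cert" -noout -checkend 2592000 >/dev/null; then
        echo "certificate expires within 30 days" >&2
        return 3
    fi
    # -checkhost reports whether the SAN (or CN) covers the appliance hostname.
    if ! openssl x509 -in "$cert" -noout -checkhost "$host" |
            grep -q 'does match certificate'; then
        echo "certificate does not cover $host" >&2
        return 4
    fi
    echo "key and certificate match, valid for $host"
}

# Usage: sh check_cert.sh sirp.key sirp.crt sirp.orgname.com
[ "$#" -ne 3 ] || check_cert_pair "$1" "$2" "$3"
```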
Finally, check connectivity with app.sirp.io on ports 443 and 80.
If the check is successful, the SIRP UI can be accessed from a compatible web browser.
To configure mail server settings, log in to the SIRP Web UI from any standard browser.
Login to SIRP Web UI
Browse to the IP address configured in previous steps and log in using the admin credentials provided to you during the SIRP onboarding. Alternatively, click on the link in your invitation email to register a new account.
You will be presented with a form to enter your profile details and set a password.
Update Profile Information
Once you are logged in, in the upper-left corner of the page, the dashboard contains two options: Profile and Logout. Click on Profile to verify and complete your profile information.
For an account, the email address is treated as the "username." Once set, it cannot be changed later.
To change your password, click Change Password at the bottom-right corner of the profile form, then enter your current password and enter the new password twice. Then click the Change Password button.
Configure Mail Server
For email configuration settings, log in to SIRP Web UI and go to Administration -> Organization -> Email Config.
Choose a Type from the dropdown based on the authentication type supported by your email server:
User Auth: Hostname, Username, and Password
Advanced: Hostname, Username, Password, Port, and Encryption
SIRP licensing works based on the number of users who will log in to SIRP.
To add a license, follow these steps:
1. Click on the Administration from the left menu.
2. Go to the Product Settings -> License.
3. Click on the Upload button to upload your SIRP license file.
If the machine gets stuck on the Ubuntu screen, press ESC on the black screen a couple of times. It will show an error, usually a network error. Stop the machine, go to Preferences, and untick the stay connected on start option for the network adapter. Boot a couple of times and it will then work fine. Alternatively, try changing the VM's adapter.
Appendix – Connectivity for Apps
SIEM <> SIRP
SIRP ingests alerts and offenses from the SIEM using a pull mechanism.
SIRP needs to be able to connect with the SIEM in order to automatically pull alerts and offenses. Configure your firewall to allow connectivity between SIRP and your SIEM IP address.
Note: Follow the SOP of your respective SIEM to configure its app and enable ingestion.
IMAP <> SIRP
It is not uncommon for enterprises to have a single mailbox configured where users can forward suspicious emails for further investigation. The ingestion feature in SIRP's IMAP app is primarily designed to pull emails from such a mailbox and create alerts and artifacts in SIRP.
Furthermore, in some cases, alerts from the SIEM are also ingested through email. You can configure alerts, custom searches, and rules to send notifications to a mailbox. SIRP reads that mailbox to ingest and store alerts.
Take the following steps to enable Email-based ingestion:
Step 1 – Allow Connectivity
Configure your Firewall to allow connectivity between your IMAP server and SIRP.
Step 2 – Configure IMAP App
To configure the IMAP app, the following information should be available:
Follow the SOPs relevant to your SIEM to configure custom searches and email notifications.
Microsoft Active Directory <> SIRP
It is common for analysts to pull user information from an organization's Active Directory for investigation. SIRP integrates with Active Directory to enrich investigations directly in SIRP, without analysts having to browse Active Directory separately.
To enable Active Directory enrichment, the following information should be available.
Active Directory Host
It is common for analysts to pull certain information for investigation from various websites. SIRP integrates with the most popular external sources to enrich investigations directly in SIRP, without analysts having to visit websites individually. To enable basic enrichment, access to the following URLs should be allowed from SIRP: