Introduction

The Remote Agent is a lightweight application installed at the end-customer site that connects the remote environment to your Siemplify platform. The Agent allows security teams to run actions and playbooks in the remote environment to gather information and interact with the remote security products.

The Agent communicates with Siemplify via the Siemplify Publisher, a proxy server that usually resides in the cloud. The Agent syncs automatically with Siemplify, which allows seamless agent distribution. The relevant connectors and integrations need to be configured before the Agent can run them.

This how-to article explains step by step how to set up and configure every aspect of Remote Agents.

Architecture Overview

The following screenshot shows an overview of the solution.

For full architecture information, please refer to Remote Agents in the Architecture Guide.

Deployment Overview

  1. Prerequisites
  2. Deploy the Publisher
  3. Pair the Publisher
  4. Create and Deploy Agent
  5. Assign Integration
  6. Assign Connector
  7. Monitor and Troubleshoot
  8. Test the Remote Agent

Prerequisites

Make sure your environment meets the following requirements before proceeding:

General Requirements

  • Update your Siemplify license to include the Siemplify Agent modules. The number of Agents you can configure depends on the license you purchased.
  • Make sure you have the Siemplify Publisher OVA and the encryption key pair.
  • Port 443 (HTTPS) on the Publisher must be reachable from both the Siemplify server and every Remote Agent.
  • Open an FTP port on the Publisher to transfer the encryption files during deployment. Note that FTP sends credentials and file contents in cleartext; where the host supports it, prefer SFTP or SCP for agent.key, and close the transfer port once the files are in place.
  • Configure the Email (SMTP, IMAP) integration in your Marketplace (it is used to send the Agent installation link).
  • Configure the Siemplify integration in your Marketplace to allow log collection into the EK.

Hardware Requirements for the Publisher OVA

  • CPU: 4 cores / 8 cores
  • RAM: 8GB / 16GB
  • Storage: 100GB / 200GB

Hardware Requirements for the Agent

  • CPU: 4 cores / 8 cores
  • RAM: 8GB / 16GB
  • Storage: 100GB

Deploy the Publisher

In this section, we describe how to deploy and set up a working instance of Siemplify Publisher.

  1. Deploy the Siemplify Publisher OVA (supplied by Siemplify) so that it is reachable over HTTPS by the remote Agents and by your Siemplify instance.
  2. Log in to the machine with the default credentials.
  3. Transfer the provided “agent.key” to the following path on the Siemplify Publisher server (use an encrypted channel such as SFTP or SCP where possible, and restrict the file to the service account, e.g. mode 0600):
    /SiemplifyPublisher/Keys
  4. Validate that Siemplify Publisher is running by executing the following command:
    supervisorctl status siemplify_publisher
  5. If it is not running, start Siemplify Publisher by executing the command:
    supervisorctl start siemplify_publisher
  6. Adjust the time of the Publisher server with the timedatectl command so that it matches the time of the Siemplify server.
  7. In the browser, open the Admin Panel of the Siemplify Publisher at:
    https://{siemplify_publisher_host_ip}/admin
  8. Use the default credentials for the Admin account:
    • MSSP
    • Password1!
  9. After login, you will be asked to change the default password. Do this before exposing the Publisher to the internet; the default is public knowledge.
  10. Click Home to go to the main page of the Admin Panel.
  11. Go to Tokens and copy the token of the MSSP user. This token is used to pair the Siemplify Publisher with your Siemplify platform; treat it as a credential.

For the next step, your Siemplify administrator needs the public address of the Publisher and the API token copied from the Tokens page.
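The following shell script is an added example written for this article, not a Siemplify tool. It automates the verification part of the steps above on the Publisher host: it confirms that siemplify_publisher is RUNNING under supervisor, that agent.key is present in /SiemplifyPublisher/Keys with a mode no wider than 0600, that a socket is listening on TCP 443, and that the system clock is synchronized. The path and program name come from the procedure; everything else (a Linux host with supervisorctl, ss and timedatectl, and the agent.key file name) is an assumption. The parsing functions take their input as an argument so they can be exercised offline with constructed command output.

```sh
#!/bin/sh
# publisher_check.sh: post-deployment checks for a Siemplify Publisher host.
# Added example for this article, not Siemplify code. Assumes a Linux host with
# supervisorctl, ss and timedatectl (checks report FAIL when they are missing).
# KEY_DIR and PROGRAM come from the deployment steps; override via environment.
set -u

KEY_DIR="${KEY_DIR:-/SiemplifyPublisher/Keys}"
PROGRAM="${PROGRAM:-siemplify_publisher}"

# supervisor_running STATUS_LINE: succeed when a "supervisorctl status" line
# reports PROGRAM as RUNNING. The line is passed in so it can be tested offline.
supervisor_running() {
  case "$1" in
    *"$PROGRAM"*RUNNING*) return 0 ;;
    *) return 1 ;;
  esac
}

# key_file_ok PATH: succeed when PATH is a regular file with mode 0600 or 0400.
# agent.key encrypts all Agent traffic, so group/world access is a finding.
key_file_ok() {
  [ -f "$1" ] || return 1
  mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
  mode=$(printf '%s' "$mode" | tail -c 3)   # drop a leading setuid/setgid/sticky digit
  case "$mode" in
    600|400) return 0 ;;
    *) return 1 ;;
  esac
}

# listening_on PORT SS_OUTPUT: succeed when an "ss -ltn" listing contains a
# LISTEN socket bound to PORT ("0.0.0.0:443", "[::]:443" or "*:443").
listening_on() {
  printf '%s\n' "$2" | awk -v p="$1" \
    '$1 == "LISTEN" { n = split($4, a, ":"); if (a[n] == p) found = 1 } END { exit found ? 0 : 1 }'
}

# clock_synced TIMEDATECTL_OUTPUT: succeed when "timedatectl status" reports the
# clock as synchronized; the Publisher time must match the Siemplify server.
clock_synced() {
  printf '%s\n' "$1" | grep -qiE 'synchronized: *yes'
}

# report RC LABEL HINT: print one result line.
report() {
  if [ "$1" -eq 0 ]; then echo "OK   $2"; else echo "FAIL $2 ($3)"; fi
}

main() {
  rc=0
  supervisor_running "$(supervisorctl status "$PROGRAM" 2>/dev/null)"; r=$?
  report $r "$PROGRAM is RUNNING" "run: supervisorctl start $PROGRAM"; rc=$((rc | r))
  key_file_ok "$KEY_DIR/agent.key"; r=$?
  report $r "$KEY_DIR/agent.key present with mode 0600" "run: chmod 600 $KEY_DIR/agent.key"; rc=$((rc | r))
  listening_on 443 "$(ss -ltn 2>/dev/null)"; r=$?
  report $r "TCP 443 listening" "Publisher service is not bound to 443"; rc=$((rc | r))
  clock_synced "$(timedatectl status 2>/dev/null)"; r=$?
  report $r "system clock synchronized" "fix with: timedatectl set-ntp true"; rc=$((rc | r))
  return $rc
}

# Run the checks only when invoked as "sh publisher_check.sh run"; sourcing
# the file only defines the functions.
if [ "${1:-}" = "run" ]; then
  main
fi
```

Run it as `sh publisher_check.sh run` on the Publisher after step 6; a non-zero exit code means at least one check failed, and each FAIL line carries the command to fix it. The key-permission check is the one most often missed after an FTP transfer, which typically leaves the file world-readable.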

Pair Publisher

The next step is to pair the Publisher with your Siemplify instance as follows.

  1. In the Siemplify platform, navigate to Settings > Advanced > Publisher.
  2. Click the plus icon on the top right of the screen.
  3. Fill in the following information
    1. Name of Publisher
    2. Server API Root (Address)
    3. Agent Communication Time: This is the time threshold for the Publisher to receive a ping from the Agent. Once this time is up, the Publisher will tell Siemplify that the Agent is down.
    4. Publisher API token: The token copied from the Publisher Admin Panel during deployment.
    5. Certificate for encryption (Supplied by Siemplify)
  4. Click Save.

Note that you can click View Publisher Logs to view the logs in Elasticsearch. This is useful if the status shows an error.

Create and deploy Agent

The next step is to create the Agent, associate it with the Publisher and then send the installation link to your customer at the remote environment.

  1. In the Siemplify platform, navigate to Settings > Advanced > Remote Agents.
  2. Click the plus icon on the top right of the screen.
  3. Fill out the relevant information: Name, Environment (the environment or environments this Agent will serve) and Publisher, and select “Is Enabled”. Note that each agent can be assigned to multiple environments or to “All Environments”, but to a SINGLE Publisher.
  4. Click Save.
  5. A unique identifier is generated automatically for each customer.
  6. A download link for installing the Agent on the remote site is created for each customer.
  7. Click Send Now in Agent Installer Access for the platform to email the defined user the link to install the Agent.
    • Make sure you have configured the Email integration in the Marketplace to allow sending emails.

Agent Status Options:

  • Waiting for Agent: Displayed only for a new, enabled agent. It means Siemplify is waiting for the agent to be installed and to perform its initial communication.
  • Live: There has been full communication from the Agent to the Publisher and from Siemplify to the Publisher in the last X minutes (where X is taken from the Publisher configuration).
  • Error: There was a problem with the communication from the Agent to the Publisher or from Siemplify to the Publisher in the last X minutes (where X is taken from the Publisher configuration).
  • Disabled: Displayed if the agent is disabled.
  • Stopped: Displayed if the agent was stopped.

The Siemplify Agent should be installed on a server that is accessible both to Siemplify Publisher and to the security tools in the corresponding environment.

Agent Installation Prerequisites (Software)

  • OS: Windows 10 x64, Windows Server 2016, Ubuntu 12+, CentOS 7+
  • Python 2.7.14 (also add python to the PATH environment variable). Note that Python 2.7 is end-of-life and no longer receives security fixes, so keep the Agent host patched and reachable only by the Publisher and the security tools it integrates with.
  • pip 9.0.2+
  • Visual C++ Python Compiler (Windows only)
  • GCC (Linux only)

To install a Siemplify Remote Agent:

  1. Open the email with the installation links.
  2. Download and extract the zip file, which contains the following three files:
    • SiemplifyAgent installer: The installer of the Siemplify Agent.
    • agent.key: The key for encrypting and decrypting the data exchanged with the Publisher. Treat it as a secret: it should be readable only by the account that runs the Agent.
    • config.JSON: The configuration, as defined in the Siemplify Server, for this Siemplify Agent instance.
  3. Install the Agent as an administrator.
  4. Go to the new folder (C:\SiemplifyAgent on Windows) and check that the Agent is running with the following command:
    agent_cli.py status

Set up Integration

Next, we will set up an integration from the Marketplace to run remotely via the Agent.

  1. Navigate to the Marketplace.
  2. Select the required environment (integration can only run remotely for specific environments).
  3. Select the required Integration and click Configure Integration.
  4. Select Run Remotely and click Save.
  5. Actions that run on cases from this environment (manual actions and playbook actions) now run remotely through the Agent.

Set up Connector

Next, we will set up the Connector to run remotely via the Agent. You can assign as many Connectors as you like.

  1. Navigate to Connectors.
  2. Create a new connector.
  3. Select Remote Connector as shown in the screenshot below.
  4. Click Create.
  5. Select the required environment.
  6. Select the required Remote Agent. You will see the Remote Agent status on the top of the screen.

Disable an Agent

To disable an agent:

  1. Navigate to Settings > Advanced > Remote Agents.
  2. Click Edit on the required agent.
  3. Deselect the Enabled checkbox. Note that a warning message is displayed.
  4. Click Save.
    Tip: An agent that has been disabled will not run actions or connectors, or communicate with Siemplify, until it is enabled again.

Stop an Agent

To stop an agent:

  1. Navigate to Settings > Advanced > Remote Agents.
  2. Click Edit on the required agent.
  3. Click the red Stop Agent button.
  4. Click Save.

Monitoring and Troubleshooting

Both the Publisher and the Agent write logs (within EK) that you can use to monitor and troubleshoot where necessary.
Remote jobs are sent with a unique ID that can be tracked in the logs.

The Agent Information presented in the Settings screen includes:

  • Last Agent Communication Time
  • Last Action Execution Time
  • Agent Version
  • Required Siemplify Version
  • Agent IP
  • Agent Hostname
  • Paired Publisher
  • Environments
  • Connectors And Integrations

Test the Remote Agents

To do a basic test of the full flow, deploy an agent locally (on a separate, disconnected network) and connect to one of your integrated security tools through the agent.

  1. Create a new agent and send the download link to an email address you can access.
  2. Click the link in the email and download the agent.
  3. Deploy it locally.
  4. Make sure the agent can communicate with the Publisher you assigned to it (for example, ping the Publisher from the Agent command line; since ICMP is often filtered between sites, also confirm that TCP port 443 on the Publisher is reachable from the Agent host).
  5. Make sure the agent can also communicate with another product (e.g. Active Directory, ServiceNow). This tests the flow from Siemplify to the agent and back.
  6. Set up the relevant integration to run remotely and test the actions.

Both integrations and connectors provide testing features and show the status of the assigned Remote Agents in the Siemplify platform.
The same flow can be repeated with Agents deployed on remote sites.
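As an added example for the Agent software prerequisites and the connectivity check in the test flow above (this is not Siemplify code), the following shell script runs a preflight on a Linux Agent host: it checks the Python and pip versions against the stated minimums, that GCC is present, that TCP port 443 on the Publisher is reachable (rather than relying on ICMP ping), and that `agent_cli.py status` exits successfully from the Agent folder. PUBLISHER_HOST, PUBLISHER_PORT and AGENT_DIR are assumptions you must set: the article only names C:\SiemplifyAgent on Windows, so the Linux path is a placeholder, and the assumption that `agent_cli.py status` exits non-zero on failure is mine. Windows hosts need an equivalent PowerShell script.

```sh
#!/bin/sh
# agent_preflight.sh: checks an Ubuntu/CentOS host before and after installing
# the Siemplify Remote Agent. Added example for this article, not Siemplify
# code. PUBLISHER_HOST, PUBLISHER_PORT and AGENT_DIR are assumptions; set them
# for your site. Requires nc or curl for the reachability test.
set -u

PUBLISHER_HOST="${PUBLISHER_HOST:-publisher.example.invalid}"
PUBLISHER_PORT="${PUBLISHER_PORT:-443}"
AGENT_DIR="${AGENT_DIR:-/opt/SiemplifyAgent}"   # placeholder: Linux install path is not documented

# version_ge A B: succeed when dotted numeric version A is >= B.
# Anything that is not digits and dots (e.g. "2.7.14rc1") is rejected.
version_ge() {
  case "$1$2" in *[!0-9.]*) return 1 ;; esac
  a=$1; b=$2
  while [ -n "$a" ] || [ -n "$b" ]; do
    x=${a%%.*}; y=${b%%.*}
    if [ "${x:-0}" -gt "${y:-0}" ]; then return 0; fi
    if [ "${x:-0}" -lt "${y:-0}" ]; then return 1; fi
    case "$a" in *.*) a=${a#*.} ;; *) a= ;; esac
    case "$b" in *.*) b=${b#*.} ;; *) b= ;; esac
  done
  return 0
}

# second_field TEXT: the version token in "Python 2.7.14" or "pip 9.0.2 from ...".
second_field() { printf '%s\n' "$1" | awk 'NR == 1 { print $2 }'; }

# tcp_reachable HOST PORT: succeed when a TCP connection can be opened.
# ICMP ping is often filtered between sites; this tests the port the Agent uses.
tcp_reachable() {
  if command -v nc >/dev/null 2>&1; then
    nc -z -w 5 "$1" "$2" >/dev/null 2>&1
  elif command -v curl >/dev/null 2>&1; then
    # Any HTTP response (even 4xx) proves the TCP/TLS path works; -k because
    # the Publisher certificate may not be trusted by this host yet.
    curl -k -s -o /dev/null --max-time 5 "https://$1:$2/admin"
  else
    return 2
  fi
}

# agent_status_ok DIR: succeed when "agent_cli.py status" exits 0 from DIR
# (assumption: the CLI returns non-zero when the Agent is not running).
agent_status_ok() {
  [ -f "$1/agent_cli.py" ] || return 1
  ( cd "$1" && python agent_cli.py status ) >/dev/null 2>&1
}

main() {
  rc=0
  py=""; pp=""
  if command -v python >/dev/null 2>&1; then py=$(second_field "$(python --version 2>&1)"); fi
  if command -v pip >/dev/null 2>&1; then pp=$(second_field "$(pip --version 2>&1)"); fi
  if version_ge "${py:-0}" 2.7.14; then echo "OK   python $py"; else echo "FAIL python 2.7.14+ required (found '${py:-none}')"; rc=1; fi
  if version_ge "${pp:-0}" 9.0.2; then echo "OK   pip $pp"; else echo "FAIL pip 9.0.2+ required (found '${pp:-none}')"; rc=1; fi
  if command -v gcc >/dev/null 2>&1; then echo "OK   gcc present"; else echo "FAIL gcc missing (needed to build integration dependencies)"; rc=1; fi
  if tcp_reachable "$PUBLISHER_HOST" "$PUBLISHER_PORT"; then
    echo "OK   TCP $PUBLISHER_HOST:$PUBLISHER_PORT reachable"
  else
    echo "FAIL cannot reach $PUBLISHER_HOST:$PUBLISHER_PORT (check firewall/proxy, not only ICMP ping)"; rc=1
  fi
  if agent_status_ok "$AGENT_DIR"; then echo "OK   agent_cli.py status succeeded"; else echo "FAIL agent_cli.py status failed or $AGENT_DIR not found"; rc=1; fi
  return $rc
}

# Run the checks only when invoked as "sh agent_preflight.sh run".
if [ "${1:-}" = "run" ]; then
  main
fi
```

Run it before the installer (`PUBLISHER_HOST=publisher.example.invalid sh agent_preflight.sh run`) to catch a missing compiler or a blocked port before the Agent is in place, and again after installation so that the last check confirms `agent_cli.py status`. A FAIL on the reachability line with a successful ping is the classic symptom of a firewall that allows ICMP but not outbound 443.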
