Whitelist URLs CentOS
The platform needs to access external data sources to ingest intel, as well as to enrich entities and observables. You may want to whitelist these URLs, domains and addresses, so that the platform can communicate with the external intel and service providers.
Repositories
When installing or upgrading the platform and its dependencies, the system needs to access the following source repositories.
| Repository URL | Belongs to | Repo type |
|---|---|---|
| https://downloads.eclecticiq.com/ | EclecticIQ Platform | rpm |
| https://dl.fedoraproject.org/pub/epel/7/x86_64/ | EPEL | rpm |
Enrichers and feeds
Feeds and enrichers access data sources through these URLs.
Whitelist the domains and allow traffic to and from them.
| Domain | Belongs to | Type |
|---|---|---|
| http://${variable_subdomain}.cyberfeed.net:${port_number} | AnubisNetworks | incoming feed |
| https://www.binarydefense.com/ | Binary Defense Systems Artillery Threat Intelligence Feed | incoming feed |
| https://censys.io/api/v1/search/ipv4 | Censys | enricher |
| https://hexillion.com/rf/xml/1.0/whois/ | CentralOps Domain Dossier | enricher |
| https://www.circl.lu/v2pssl/cquery/ | CIRCL IPs related to SSL certificate | enricher |
| https://www.circl.lu/v2pssl/cfetch/ | CIRCL SSL Certificate Fetcher | enricher |
| https://panacea.threatgrid.com/api/ | Cisco Threat Grid | enricher, incoming feed |
| https://investigate.api.umbrella.com/bgp_routes/ip/ | Cisco ASN Info | enricher |
| https://investigate.api.umbrella.com/dnsdb/ | Cisco DNS RR History | enricher |
| https://investigate.api.umbrella.com/ips/ | Cisco Malicious Domains | enricher |
| https://investigate.api.umbrella.com/links/ | Cisco Related Domains | enricher |
| https://investigate.api.umbrella.com/sample/ | Cisco Umbrella Threat Grid integration | enricher |
| https://investigate.api.umbrella.com/samples/ | Cisco Umbrella Threat Grid integration | enricher |
| https://investigate.api.umbrella.com/whois/ | Cisco Whois | enricher |
| https://www.threathq.com/ | Cofense PhishMe Intelligence | incoming feed |
| https://intelapi.crowdstrike.com | Crowdstrike Falcon X | enricher |
| https://intelapi.crowdstrike.com/indicator/ | Crowdstrike Falcon X indicators | incoming feed |
| https://intelapi.crowdstrike.com/reports/ | Crowdstrike Falcon X reports | incoming feed |
| https://intelapi.crowdstrike.com/actors/ | Crowdstrike Falcon X threat actors | incoming feed |
| https://cve.circl.lu/api/cve/ | CVE Search | enricher |
| https://cve.circl.lu/api/last | CVE Search API | incoming feed |
| http://atm.cybercrime-tracker.net/hashs.php | Cybercrime Tracker ATM Provider | incoming feed |
| https://cybercrime-tracker.net/rss.xml | Cybercrime Tracker Domain Provider | incoming feed |
| https://cybercrime-tracker.net/zbox_rss.php | Cybercrime Tracker Zbot Provider | incoming feed |
| https://portal-digitalshadows.com | Digital Shadows Searchlight | incoming feed |
| http://api.domaintools.com/v1/${ip_address}/host-domains | DomainTools Hosted Domains | enricher |
| https://api.domaintools.com/v1/iris-investigate/ | DomainTools Iris Investigate | enricher |
| http://api.domaintools.com/v1/${domain}/name-server-domains/ | DomainTools Malicious Server Domains | enricher |
| http://api.domaintools.com/v1/${domain, host, ipv4}/whois/parsed | DomainTools Parsed Whois | enricher |
| http://api.domaintools.com/v1/reputation | DomainTools Reputation | enricher |
| https://api.domaintools.com/v1/${domain}/reverse-ip | DomainTools Reverse IP | enricher |
| http://api.domaintools.com/v1/reverse-whois/ | DomainTools Reverse Whois | enricher |
| https://api.domaintools.com/v1/${ip_address}/host-domains | DomainTools Suspicious Domains | enricher |
| https://api.domaintools.com/v1/${input_domain_name}/hosting-history/ | DomainTools Hosting History | enricher |
| https://api.domaintools.com/v1/${input_domain_name}/whois/history/ | DomainTools Whois History | enricher |
| https://intel.dragos.com/api/v1/doc/ | Dragos Threat Feed | incoming feed |
| https://intel.dragos.com/ | Dragos Threat Feed | incoming feed |
| http://isc.sans.edu/api/ip/ | DShield | enricher |
| https://cti.eclecticiq.com/feeds/auth | EclecticIQ Fusion Center Intelligence Essentials or Premium | incoming feed |
| http://${elasticsearch_instance_url}:9200/${schema_resource} | Elasticsearch sightings | enricher |
| https://api.dnsdb.info/ | Farsight DNSDB | enricher |
| https://api.isightpartners.com/search/basic | FireEye iSIGHT | enricher |
| https://api.isightpartners.com/search/text | FireEye iSIGHT | enricher |
| https://api.isightpartners.com/search/advanced | FireEye iSIGHT | enricher |
| https://api.isightpartners.com/report/${report_id} | FireEye iSIGHT | enricher |
| https://api.isightpartners.com/report/index | FireEye iSIGHT Intelligence Report API | incoming feed |
| https://api.isightpartners.com/report/${report_id} | FireEye iSIGHT Intelligence Report API | incoming feed |
| https://endlesstunnel.info/ | Flashpoint AggregINT | enricher |
| https://endlesstunnel.info/ | Flashpoint Blueprint | enricher |
| https://fp.tools/api/v4/forums/visits | Flashpoint Forum Visits | enricher |
| https://fp.tools/api/v4/reports | Flashpoint Intelligence Reports | incoming feed |
| https://endlesstunnel.info/ | Flashpoint Thresher | enricher |
| https://fp.tools/api/v4/torrents/peers | Flashpoint Torrents | enricher |
| https://cybercrime-portal.fox-it.com/ | Fox-IT InTELL Portal | enricher, incoming feed |
| https://enterprise.api.greynoise.io | GreyNoise | enricher |
| http://hailataxii.com | Hail a TAXII | open source cyber threat intelligence source |
| https://honeypot.dk | Honeypot.dk | incoming feed |
| https://www.hybrid-analysis.com/api/v2 | HybridAnalysis | enricher |
| https://portal.vigilante.io | InfoArmor VigilanteATI | enricher, incoming feed |
| https://api.intel471.com/v1/ | Intel 471 | enricher, incoming feed |
| https://api.intsights.com | IntSights Alerts | incoming feed |
| https://jbxcloud.joesecurity.org/api/v2 | JoeSandbox Analysis Feed | incoming feed |
| https://wlinfo.kaspersky.com/api/v1.0/ | Kaspersky Threat Intelligence Data Feeds | incoming feed |
| https://tip.kaspersky.com/api/domain/ | Kaspersky Threat Intelligence Portal Threat Lookup | enricher |
| https://tip.kaspersky.com/api/ip/ | Kaspersky Threat Intelligence Portal Threat Lookup | enricher |
| https://tip.kaspersky.com/api/ip/url/ | Kaspersky Threat Intelligence Portal Threat Lookup | enricher |
| https://tip.kaspersky.com/api/hash/ | Kaspersky Threat Intelligence Portal Threat Lookup | enricher |
| http://malwaredomains.lehigh.edu | Malwaredomains | incoming feed |
| /absolute/path/to/GeoLite2-City.mmdb | MaxMind GeoIP | enricher |
| https://api.loganalytics.io/v1/ | Microsoft Sentinel Alerts Feed | incoming feed |
| http://${misp_instance_url}/ | MISP API | enricher |
| https://listservintel.ncfta.net/api/fetch/ | NCFTA ListServ Intel | incoming feed |
| https://nti.nsfocusglobal.com/api/v1/search/ | NSFocus Intelligence | enricher |
| http://api.openresolve.com/ | OpenDNS OpenResolve | enricher |
| https://openphish.com/feed.txt | OpenPhish | incoming feed |
| https://autofocus.paloaltonetworks.com | Palo Alto Autofocus | enricher |
| https://${pan-os_instance_url}/api | Palo Alto PAN-OS Traffic Report | incoming feed |
| https://checkurl.phishtank.com/checkurl | PhishTank | enricher |
| https://api.emaildefense.proofpoint.com/ | Proofpoint Email Brand Defense | enricher |
| https://api.emaildefense.proofpoint.com/ | Proofpoint Email Threat | enricher |
| http://${pydat_instance_url}:8000/ | PyDat | enricher |
| https://api.recordedfuture.com/api/v2/ | Recorded Future | enricher |
| https://app.recordedfuture.com/live/sc/ | Recorded Future | enricher |
| https://stat.ripe.net/data/geoloc/ | RIPEstat GeoIP | enricher |
| https://stat.ripe.net/data/whois/ | RIPEstat Whois | enricher |
| https://api.passivetotal.org/v2/enrichment | RiskIQ PassiveTotal IP/Domain | enricher |
| https://api.passivetotal.org/v2//enrichment/malware | RiskIQ PassiveTotal Malware | enricher |
| https://api.passivetotal.org/v2/dns/passive | RiskIQ PassiveTotal Passive DNS | enricher |
| https://api.passivetotal.org/v2/whois | RiskIQ PassiveTotal Whois | enricher |
| https://api.shodan.io/shodan/ | Shodan | enricher |
| https://api.silobreaker.com/v1/infocus | Silobreaker | enricher |
| https://api.silobreaker.com/search/documents | Silobreaker API | incoming feed |
| http://${splunk_instance_url}:8089/ | Splunk sightings | enricher |
| https://api.spycloud.io/sp-v1/breach | SpyCloud Breach Data | enricher |
| https://api.spycloud.io/enterprise-v1/ | SpyCloud Watchlist Ingest | incoming feed |
| https://datafeeds.symantec.com/feeds/datafeed.asmx | Symantec DeepSight Intelligence DataFeeds | incoming feed |
| https://test.taxiistand.com/ | TAXII Stand | public OpenTAXII test server |
| https://www.threatcrowd.org/ | ThreatCrowd | enricher |
| https://api.threatrecon.co/api/v1/search/date | Threat Recon | incoming feed |
| https://check.torproject.org/cgi-bin/TorBulkExitList.py | Tor Bulk Exit List | enricher |
| https://unshorten.me/s/ | Unshorten-URL | enricher |
| https://www.virustotal.com/vtapi/v2/file/report | VirusTotal | enricher |
| https://www.virustotal.com/vtapi/v2/url/report | VirusTotal | enricher |
| https://www.virustotal.com/vtapi/v2/ip-address/report | VirusTotal | enricher |
| https://www.virustotal.com/vtapi/v2/domain/report | VirusTotal | enricher |
| https://www.virustotal.com/vtapi/v2/file/search | VirusTotal | incoming feed |
| https://cloud.vmray.com/rest/ | VMRay Malware Submission Feed | incoming feed |
| https://api.bcti.brightcloud.com/1.0/ | Webroot | enricher |
Open ports
The platform components communicate with the platform and with each other through these ports.
Make sure they are open within the platform network.
| Port | Belongs to |
|---|---|
| 25, 587 | Postfix |
| 80, 443 | Nginx |
| 4008 | eclecticiq-neo4jbatcher |
| 5432 | PostgreSQL |
| 5601 | Kibana |
| 6379 | Redis |
| 6755 | Logstash |
| 7474, 7473, 7687 | Neo4j |
| 8008 | platform-api |
| 8125 | Statsite |
| 9000 | opentaxii |
| 9200 | Elasticsearch |