Whitelist URLs Rocky Linux#

The platform needs to access external data sources to ingest intel, as well as to enrich entities and observables. You may want to whitelist these URLs, domains and addresses, so that the platform can communicate with the external intel and service providers.

Repositories#

When installing or upgrading the platform and its dependencies, the system needs to access the following source repositories.

Repository URL	Belongs to	Repo type
`https://downloads.eclecticiq.com/`	EclecticIQ Platform	rpm
`https://dl.fedoraproject.org/pub/epel/7/x86_64/`	EPEL	rpm

Enrichers and feeds#

Feeds and enrichers access data sources through these URLs. Whitelist the domains and allow traffic to and from them.

Domain	Belongs to	Type
`http://${variable_subdomain}.cyberfeed.net:${port_number}`	AnubisNetworks	incoming feed
`https://www.binarydefense.com/`	Binary Defense Systems Artillery Threat Intelligence Feed	incoming feed
`https://censys.io/api/v1/search/ipv4`	Censys	enricher
`https://hexillion.com/rf/xml/1.0/whois/`	CentralOps Domain Dossier	enricher
`https://www.circl.lu/v2pssl/cquery/`	CIRCL IPs related to SSL certificate	enricher
`https://www.circl.lu/v2pssl/cfetch/`	CIRCL SSL Certificate Fetcher	enricher
`https://panacea.threatgrid.com/api/`	Cisco Threat Grid	enricher, incoming feed
`https://investigate.api.umbrella.com/bgp_routes/ip/`	Cisco ASN Info	enricher
`https://investigate.api.umbrella.com/dnsdb/`	Cisco DNS RR History	enricher
`https://investigate.api.umbrella.com/ips/`	Cisco Malicious Domains	enricher
`https://investigate.api.umbrella.com/links/`	Cisco Related Domains	enricher
`https://investigate.api.umbrella.com/sample/`	Cisco Umbrella Threat Grid integration	enricher
`https://investigate.api.umbrella.com/samples/`	Cisco Umbrella Threat Grid integration	enricher
`https://investigate.api.umbrella.com/whois/`	Cisco Whois	enricher
`https://www.threathq.com/`	Cofense PhishMe Intelligence	incoming feed
`https://intelapi.crowdstrike.com`	Crowdstrike Falcon X	enricher
`https://intelapi.crowdstrike.com/indicator/`	Crowdstrike Falcon X indicators	incoming feed
`https://intelapi.crowdstrike.com/reports/`	Crowdstrike Falcon X reports	incoming feed
`https://intelapi.crowdstrike.com/actors/`	Crowdstrike Falcon X threat actors	incoming feed
`https://cve.circl.lu/api/cve/`	CVE Search	enricher
`https://cve.circl.lu/api/last`	CVE Search API	incoming feed
`http://atm.cybercrime-tracker.net/hashs.php`	Cybercrime Tracker ATM Provider	incoming feed
`https://cybercrime-tracker.net/rss.xml`	Cybercrime Tracker Domain Provider	incoming feed
`https://cybercrime-tracker.net/zbox_rss.php`	Cybercrime Tracker Zbot Provider	incoming feed
`https://portal-digitalshadows.com`	Digital Shadows Searchlight	incoming feed
`http://api.domaintools.com/v1/${ip_address}/host-domains`	DomainTools Hosted Domains	enricher
`https://api.domaintools.com/v1/iris-investigate/`	DomainTools Iris Investigate	enricher
`http://api.domaintools.com/v1/${domain}/name-server-domains/`	DomainTools Malicious Server Domains	enricher
``http://api.domaintools.com/v1/${domain, host, ipv4}/whois/parsed`	DomainTools Parsed Whois	enricher
`http://api.domaintools.com/v1/reputation`	DomainTools Reputation	enricher
`https://api.domaintools.com/v1/${domain}/reverse-ip`	DomainTools Reverse IP	enricher
`http://api.domaintools.com/v1/reverse-whois/`	DomainTools Reverse Whois	enricher
`https://api.domaintools.com/v1/${ip_address}/host-domains`	DomainTools Suspicious Domains	enricher
`https://api.domaintools.com/v1/${input_domain_name}/hosting-history/`	DomainTools Hosting History	enricher
`https://api.domaintools.com/v1/${input_domain_name}/whois/history/`	DomainTools Whois History	enricher
`https://intel.dragos.com/api/v1/doc/`	Dragos Threat Feed	incoming feed
`https://intel.dragos.com/`	Dragos Threat Feed	incoming feed
`http://isc.sans.edu/api/ip/`	DShield	enricher
`https://cti.eclecticiq.com/feeds/auth`	EclecticIQ Fusion Center Intelligence Essentials or Premium	incoming feed
`http://${elasticsearch_instance_url}:9200/${schema_resource}`	Elasticsearch sightings	enricher
`https://api.dnsdb.info/`	Farsight DNSDB	enricher
`https://api.isightpartners.com/search/basic`	FireEye iSIGHT	enricher
`https://api.isightpartners.com/search/text`	FireEye iSIGHT	enricher
`https://api.isightpartners.com/search/advanced`	FireEye iSIGHT	enricher
`https://api.isightpartners.com/report/${report_id}`	FireEye iSIGHT	enricher
`https://api.isightpartners.com/report/index`	FireEye iSIGHT Intelligence Report API	incoming feed
`https://api.isightpartners.com/report/${report_id}`	FireEye iSIGHT Intelligence Report API	incoming feed
`https://endlesstunnel.info/`	Flashpoint AggregINT	enricher
`https://endlesstunnel.info/`	Flashpoint Blueprint	enricher
`https://fp.tools/api/v4/forums/visits`	Flashpoint Forum Visits	enricher
`https://fp.tools/api/v4/reports`	Flashpoint Intelligence Reports	incoming feed
`https://endlesstunnel.info/`	Flashpoint Thresher	enricher
`https://fp.tools/api/v4/torrents/peers`	Flashpoint Torrents	enricher
`https://cybercrime-portal.fox-it.com/`	Fox-IT InTELL Portal	enricher, incoming feed
`https://enterprise.api.greynoise.io`	GreyNoise	enricher
`http://hailataxii.com`	Hail a TAXII	open source cyber threat intelligence source
`https://honeypot.dk`	Honeypot.dk	incoming feed
`https://www.hybrid-analysis.com/api/v2`	HybridAnalysis	enricher
`https://portal.vigilante.io`	InfoArmor VigilanteATI	enricher, incoming feed
`https://api.intel471.com/v1/`	Intel 471	enricher, incoming feed
`https://api.intsights.com`	IntSights Alerts	incoming feed
`https://jbxcloud.joesecurity.org/api/v2`	JoeSandbox Analysis Feed	incoming feed
`https://wlinfo.kaspersky.com/api/v1.0/`	Kaspersky Threat Intelligence Data Feeds	incoming feed
`https://tip.kaspersky.com/api/domain/`	Kaspersky Threat Intelligence Portal Threat Lookup	enricher
`https://tip.kaspersky.com/api/ip/`	Kaspersky Threat Intelligence Portal Threat Lookup	enricher
`https://tip.kaspersky.com/api/ip/url/`	Kaspersky Threat Intelligence Portal Threat Lookup	enricher
`https://tip.kaspersky.com/api/hash/`	Kaspersky Threat Intelligence Portal Threat Lookup	enricher
`http://malwaredomains.lehigh.edu`	Malwaredomains	incoming feed
`/absolute/path/to/GeoLite2-City.mmdb``	MaxMind GeoIP	enricher
`https://api.loganalytics.io/v1/`	Microsoft Sentinel Alerts Feed	incoming feed
`http://${misp_instance_url}/`	MISP API	enricher
`https://listservintel.ncfta.net/api/fetch/`	NCFTA ListServ Intel	incoming feed
`https://nti.nsfocusglobal.com/api/v1/search/`	NSFocus Intelligence	enricher
`http://api.openresolve.com/`	OpenDNS OpenResolve	enricher
`https://openphish.com/feed.txt`	OpenPhish	incoming feed
`https://autofocus.paloaltonetworks.com`	Palo Alto Autofocus	enricher
`https://${pan-os_instance_url}/api`	Palo Alto PAN-OS Traffic Report	incoming feed
`https://checkurl.phishtank.com/checkurl`	PhishTank	enricher
`https://api.emaildefense.proofpoint.com/`	Proofpoint Email Brand Defense	enricher
`https://api.emaildefense.proofpoint.com/`	Proofpoint Email Threat	enricher
`http://${pydat_instance_url}:8000/`	PyDat	enricher
`https://api.recordedfuture.com/api/v2/`	Recorded Future	enricher
`https://app.recordedfuture.com/live/sc/`	Recorded Future	enricher
`https://stat.ripe.net/data/geoloc/`	RIPEstat GeoIP	enricher
`https://stat.ripe.net/data/whois/`	RIPEstat Whois	enricher
`https://api.passivetotal.org/v2/enrichment`	RiskIQ PassiveTotal IP/Domain	enricher
`https://api.passivetotal.org/v2//enrichment/malware`	RiskIQ PassiveTotal Malware	enricher
`https://api.passivetotal.org/v2/dns/passive`	RiskIQ PassiveTotal Passive DNS	enricher
`https://api.passivetotal.org/v2/whois`	RiskIQ PassiveTotal Whois	enricher
`https://api.shodan.io/shodan/`	Shodan	enricher
`https://api.silobreaker.com/v1/infocus`	Silobreaker	enricher
`https://api.silobreaker.com/search/documents`	Silobreaker API	incoming feed
`http://${splunk_instance_url}:8089/`	Splunk sightings	enricher
`https://api.spycloud.io/sp-v1/breach`	SpyCloud Breach Data	enricher
`https://api.spycloud.io/enterprise-v1/`	SpyCloud Watchlist Ingest	incoming feed
`https://datafeeds.symantec.com/feeds/datafeed.asmx`	Symantec DeepSight Intelligence DataFeeds	incoming feed
`https://test.taxiistand.com/`	TAXII Stand	public OpenTAXII test server
`https://www.threatcrowd.org/`	ThreatCrowd	enricher
`https://api.threatrecon.co/api/v1/search/date`	Threat Recon	incoming feed
`https://check.torproject.org/cgi-bin/TorBulkExitList.py`	Tor Bulk Exit List	enricher
`https://unshorten.me/s/`	Unshorten-URL	enricher
`https://www.virustotal.com/vtapi/v2/file/report`	VirusTotal	enricher
`https://www.virustotal.com/vtapi/v2/url/report`	VirusTotal	enricher
`https://www.virustotal.com/vtapi/v2/ip-address/report`	VirusTotal	enricher
`https://www.virustotal.com/vtapi/v2/domain/report`	VirusTotal	enricher
`https://www.virustotal.com/vtapi/v2/file/search`	VirusTotal	incoming feed
`https://cloud.vmray.com/rest/`	VMRay Malware Submission Feed	incoming feed
`https://api.bcti.brightcloud.com/1.0/`	Webroot	enricher

Open ports#

The platform components communicate with the platform and with each other through these ports.

Make sure they are open within the platform network.

Port	Belongs to
25 587	Postfix 25: SMTP 587: mail submission
80 443	Nginx 80: HTTP 443: HTTPS
5432	PostgreSQL
5601	Kibana
6379	Redis
6755	Logstash
8008	`platform-api`
8125	Statsite
9000	opentaxii
9200	Elasticsearch