# Whitelist URLs RHEL

The platform needs to access external data sources to ingest intel, as well as to enrich entities and observables. You may want to whitelist these URLs, domains and addresses, so that the platform can communicate with the external intel and service providers.

## Repositories

When installing or upgrading the platform and its dependencies, the system needs to access the following source repositories.

| Repository URL | Belongs to | Repo type |
|---|---|---|
| https://downloads.eclecticiq.com/ | EclecticIQ Platform | rpm |
| https://dl.fedoraproject.org/pub/epel/7/x86_64/ | EPEL | rpm |

## Enrichers and feeds

Feeds and enrichers access data sources through these URLs. Whitelist the domains and allow traffic to and from them.

| Domain | Belongs to | Type |
|---|---|---|
| http://${variable_subdomain}.cyberfeed.net:${port_number} | AnubisNetworks | incoming feed |
| https://www.binarydefense.com/ | Binary Defense Systems Artillery Threat Intelligence Feed | incoming feed |
| https://censys.io/api/v1/search/ipv4 | Censys | enricher |
| https://hexillion.com/rf/xml/1.0/whois/ | CentralOps Domain Dossier | enricher |
| https://www.circl.lu/v2pssl/cquery/ | CIRCL IPs related to SSL certificate | enricher |
| https://www.circl.lu/v2pssl/cfetch/ | CIRCL SSL Certificate Fetcher | enricher |
| https://panacea.threatgrid.com/api/ | Cisco Threat Grid | enricher, incoming feed |
| https://investigate.api.umbrella.com/bgp_routes/ip/ | Cisco ASN Info | enricher |
| https://investigate.api.umbrella.com/dnsdb/ | Cisco DNS RR History | enricher |
| https://investigate.api.umbrella.com/ips/ | Cisco Malicious Domains | enricher |
| https://investigate.api.umbrella.com/links/ | Cisco Related Domains | enricher |
| https://investigate.api.umbrella.com/sample/ | Cisco Umbrella Threat Grid integration | enricher |
| https://investigate.api.umbrella.com/samples/ | Cisco Umbrella Threat Grid integration | enricher |
| https://investigate.api.umbrella.com/whois/ | Cisco Whois | enricher |
| https://www.threathq.com/ | Cofense PhishMe Intelligence | incoming feed |
| https://intelapi.crowdstrike.com | Crowdstrike Falcon X | enricher |
| https://intelapi.crowdstrike.com/indicator/ | Crowdstrike Falcon X indicators | incoming feed |
| https://intelapi.crowdstrike.com/reports/ | Crowdstrike Falcon X reports | incoming feed |
| https://intelapi.crowdstrike.com/actors/ | Crowdstrike Falcon X threat actors | incoming feed |
| https://cve.circl.lu/api/cve/ | CVE Search | enricher |
| https://cve.circl.lu/api/last | CVE Search API | incoming feed |
| http://atm.cybercrime-tracker.net/hashs.php | Cybercrime Tracker ATM Provider | incoming feed |
| https://cybercrime-tracker.net/rss.xml | Cybercrime Tracker Domain Provider | incoming feed |
| https://cybercrime-tracker.net/zbox_rss.php | Cybercrime Tracker Zbot Provider | incoming feed |
| https://portal-digitalshadows.com | Digital Shadows Searchlight | incoming feed |
| http://api.domaintools.com/v1/${ip_address}/host-domains | DomainTools Hosted Domains | enricher |
| https://api.domaintools.com/v1/iris-investigate/ | DomainTools Iris Investigate | enricher |
| http://api.domaintools.com/v1/${domain}/name-server-domains/ | DomainTools Malicious Server Domains | enricher |
| http://api.domaintools.com/v1/${domain, host, ipv4}/whois/parsed | DomainTools Parsed Whois | enricher |
| http://api.domaintools.com/v1/reputation | DomainTools Reputation | enricher |
| https://api.domaintools.com/v1/${domain}/reverse-ip | DomainTools Reverse IP | enricher |
| http://api.domaintools.com/v1/reverse-whois/ | DomainTools Reverse Whois | enricher |
| https://api.domaintools.com/v1/${ip_address}/host-domains | DomainTools Suspicious Domains | enricher |
| https://api.domaintools.com/v1/${input_domain_name}/hosting-history/ | DomainTools Hosting History | enricher |
| https://api.domaintools.com/v1/${input_domain_name}/whois/history/ | DomainTools Whois History | enricher |
| https://intel.dragos.com/api/v1/doc/ | Dragos Threat Feed | incoming feed |
| https://intel.dragos.com/ | Dragos Threat Feed | incoming feed |
| http://isc.sans.edu/api/ip/ | DShield | enricher |
| https://cti.eclecticiq.com/feeds/auth | EclecticIQ Fusion Center Intelligence Essentials or Premium | incoming feed |
| http://${elasticsearch_instance_url}:9200/${schema_resource} | Elasticsearch sightings | enricher |
| https://api.dnsdb.info/ | Farsight DNSDB | enricher |
| https://api.isightpartners.com/search/basic | FireEye iSIGHT | enricher |
| https://api.isightpartners.com/search/text | FireEye iSIGHT | enricher |
| https://api.isightpartners.com/search/advanced | FireEye iSIGHT | enricher |
| https://api.isightpartners.com/report/${report_id} | FireEye iSIGHT | enricher |
| https://api.isightpartners.com/report/index | FireEye iSIGHT Intelligence Report API | incoming feed |
| https://api.isightpartners.com/report/${report_id} | FireEye iSIGHT Intelligence Report API | incoming feed |
| https://endlesstunnel.info/ | Flashpoint AggregINT | enricher |
| https://endlesstunnel.info/ | Flashpoint Blueprint | enricher |
| https://fp.tools/api/v4/forums/visits | Flashpoint Forum Visits | enricher |
| https://fp.tools/api/v4/reports | Flashpoint Intelligence Reports | incoming feed |
| https://endlesstunnel.info/ | Flashpoint Thresher | enricher |
| https://fp.tools/api/v4/torrents/peers | Flashpoint Torrents | enricher |
| https://cybercrime-portal.fox-it.com/ | Fox-IT InTELL Portal | enricher, incoming feed |
| https://enterprise.api.greynoise.io | GreyNoise | enricher |
| http://hailataxii.com | Hail a TAXII | open source cyber threat intelligence source |
| https://honeypot.dk | Honeypot.dk | incoming feed |
| https://www.hybrid-analysis.com/api/v2 | HybridAnalysis | enricher |
| https://portal.vigilante.io | InfoArmor VigilanteATI | enricher, incoming feed |
| https://api.intel471.com/v1/ | Intel 471 | enricher, incoming feed |
| https://api.intsights.com | IntSights Alerts | incoming feed |
| https://jbxcloud.joesecurity.org/api/v2 | JoeSandbox Analysis Feed | incoming feed |
| https://wlinfo.kaspersky.com/api/v1.0/ | Kaspersky Threat Intelligence Data Feeds | incoming feed |
| https://tip.kaspersky.com/api/domain/ | Kaspersky Threat Intelligence Portal Threat Lookup | enricher |
| https://tip.kaspersky.com/api/ip/ | Kaspersky Threat Intelligence Portal Threat Lookup | enricher |
| https://tip.kaspersky.com/api/ip/url/ | Kaspersky Threat Intelligence Portal Threat Lookup | enricher |
| https://tip.kaspersky.com/api/hash/ | Kaspersky Threat Intelligence Portal Threat Lookup | enricher |
| http://malwaredomains.lehigh.edu | Malwaredomains | incoming feed |
| /absolute/path/to/GeoLite2-City.mmdb (local database file, no network access) | MaxMind GeoIP | enricher |
| https://api.loganalytics.io/v1/ | Microsoft Sentinel Alerts Feed | incoming feed |
| http://${misp_instance_url}/ | MISP API | enricher |
| https://listservintel.ncfta.net/api/fetch/ | NCFTA ListServ Intel | incoming feed |
| https://nti.nsfocusglobal.com/api/v1/search/ | NSFocus Intelligence | enricher |
| http://api.openresolve.com/ | OpenDNS OpenResolve | enricher |
| https://openphish.com/feed.txt | OpenPhish | incoming feed |
| https://autofocus.paloaltonetworks.com | Palo Alto Autofocus | enricher |
| https://${pan-os_instance_url}/api | Palo Alto PAN-OS Traffic Report | incoming feed |
| https://checkurl.phishtank.com/checkurl | PhishTank | enricher |
| https://api.emaildefense.proofpoint.com/ | Proofpoint Email Brand Defense | enricher |
| https://api.emaildefense.proofpoint.com/ | Proofpoint Email Threat | enricher |
| http://${pydat_instance_url}:8000/ | PyDat | enricher |
| https://api.recordedfuture.com/api/v2/ | Recorded Future | enricher |
| https://app.recordedfuture.com/live/sc/ | Recorded Future | enricher |
| https://stat.ripe.net/data/geoloc/ | RIPEstat GeoIP | enricher |
| https://stat.ripe.net/data/whois/ | RIPEstat Whois | enricher |
| https://api.passivetotal.org/v2/enrichment | RiskIQ PassiveTotal IP/Domain | enricher |
| https://api.passivetotal.org/v2/enrichment/malware | RiskIQ PassiveTotal Malware | enricher |
| https://api.passivetotal.org/v2/dns/passive | RiskIQ PassiveTotal Passive DNS | enricher |
| https://api.passivetotal.org/v2/whois | RiskIQ PassiveTotal Whois | enricher |
| https://api.shodan.io/shodan/ | Shodan | enricher |
| https://api.silobreaker.com/v1/infocus | Silobreaker | enricher |
| https://api.silobreaker.com/search/documents | Silobreaker API | incoming feed |
| http://${splunk_instance_url}:8089/ | Splunk sightings | enricher |
| https://api.spycloud.io/sp-v1/breach | SpyCloud Breach Data | enricher |
| https://api.spycloud.io/enterprise-v1/ | SpyCloud Watchlist Ingest | incoming feed |
| https://datafeeds.symantec.com/feeds/datafeed.asmx | Symantec DeepSight Intelligence DataFeeds | incoming feed |
| https://test.taxiistand.com/ | TAXII Stand | public OpenTAXII test server |
| https://www.threatcrowd.org/ | ThreatCrowd | enricher |
| https://api.threatrecon.co/api/v1/search/date | Threat Recon | incoming feed |
| https://check.torproject.org/cgi-bin/TorBulkExitList.py | Tor Bulk Exit List | enricher |
| https://unshorten.me/s/ | Unshorten-URL | enricher |
| https://www.virustotal.com/vtapi/v2/file/report | VirusTotal | enricher |
| https://www.virustotal.com/vtapi/v2/url/report | VirusTotal | enricher |
| https://www.virustotal.com/vtapi/v2/ip-address/report | VirusTotal | enricher |
| https://www.virustotal.com/vtapi/v2/domain/report | VirusTotal | enricher |
| https://www.virustotal.com/vtapi/v2/file/search | VirusTotal | incoming feed |
| https://cloud.vmray.com/rest/ | VMRay Malware Submission Feed | incoming feed |
| https://api.bcti.brightcloud.com/1.0/ | Webroot | enricher |
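The table lists full URLs, but an egress proxy or firewall allowlist is normally written as hostnames and ports. The POSIX sh helper below is an added example, not part of the EclecticIQ documentation: it turns a list of URLs (a constructed sample of rows taken from the table, chosen to cover every shape that appears there) into deduplicated `host port` lines. It drops entries that are not network endpoints, such as the MaxMind database path, fills in the scheme's default port where the URL gives none, rewrites a placeholder subdomain such as `${variable_subdomain}.cyberfeed.net` to the wildcard `*.cyberfeed.net` (an assumption about how your allowlist tool spells wildcards), and leaves whole-host and port placeholders such as `${misp_instance_url}` and `${port_number}` verbatim so that the site-specific values you still have to fill in stand out in the output.

```shell
#!/bin/sh
# Added example, not part of the EclecticIQ documentation.
# Reads URLs (one per line) on stdin and prints deduplicated "host port"
# allowlist lines. Placeholders of the form ${name} are kept visible, except
# a placeholder *subdomain*, which becomes "*." (assumption: the allowlist
# tool understands "*.example.com" wildcards).
urls_to_allowlist() {
  sed -n -E \
    -e 's/[[:space:]]+$//' \
    -e '/^https?:\/\//!d' \
    -e 's#^(https?)://([^/]+).*$#\1 \2#' \
    -e 's#^(https?) ([^: ]+):([^ ]+)$#\1 \2 \3#' \
    -e 's#^http ([^ ]+)$#http \1 80#' \
    -e 's#^https ([^ ]+)$#https \1 443#' \
    -e 's#^(https?) [$][{][^}]*[}]\.#\1 *.#' \
    -e 's#^https? ##p' \
  | sort -u
}
# Step by step: strip trailing whitespace; keep only http/https entries
# (file paths such as the MaxMind .mmdb are not network endpoints); reduce
# "scheme://host[:port]/path" to "scheme host[:port]"; split an explicit port
# into its own field; add the default port (80 or 443) when there is none;
# replace a leading "${...}." placeholder subdomain with "*."; drop the
# scheme and print; sort -u removes the duplicates that arise when several
# integrations share one host.

# Constructed sample: a handful of rows from the table above, covering each
# shape it contains (plain URL, explicit port, placeholder subdomain and
# port, placeholder host, local file path). Feed it the full table in practice.
SAMPLE_URLS='https://downloads.eclecticiq.com/
https://dl.fedoraproject.org/pub/epel/7/x86_64/
http://${variable_subdomain}.cyberfeed.net:${port_number}
https://investigate.api.umbrella.com/dnsdb/
https://investigate.api.umbrella.com/whois/
http://${misp_instance_url}/
http://${splunk_instance_url}:8089/
https://api.passivetotal.org/v2/dns/passive
/absolute/path/to/GeoLite2-City.mmdb'

# Print the derived allowlist when run directly.
printf '%s\n' "$SAMPLE_URLS" | urls_to_allowlist
```

Running the script on the sample prints seven lines: the two umbrella URLs collapse into one `investigate.api.umbrella.com 443` entry, the AnubisNetworks row becomes `*.cyberfeed.net ${port_number}`, the MISP and Splunk rows keep their `${..._instance_url}` placeholders with ports 80 and 8089, and the GeoLite2 path does not appear. Review the placeholder lines by hand before handing the list to the network team; the internal instances (Elasticsearch, MISP, Splunk, PyDat, PAN-OS) usually belong in an internal rule set rather than the egress allowlist.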

## Open ports

The platform components communicate with the platform and with each other through these ports. Make sure they are open within the platform network.

| Port | Belongs to | Use |
|---|---|---|
| 25 | Postfix | SMTP |
| 587 | Postfix | mail submission |
| 80 | Nginx | HTTP |
| 443 | Nginx | HTTPS |
| 5432 | PostgreSQL | |
| 5601 | Kibana | |
| 6379 | Redis | |
| 6755 | Logstash | |
| 8008 | platform-api | |
| 8125 | Statsite | |
| 9000 | opentaxii | |
| 9200 | Elasticsearch | |