Network Requirements
CICADA IR requires outbound network access to communicate with data sources, threat intelligence providers, AI services, and licensing infrastructure. Provide this page to your network or firewall team to configure allow-list rules.
Only the services you actually use need to be allow-listed; see the "Required?" column for guidance. Where a table lists both a cleartext and an encrypted variant of a protocol, allow only the encrypted one unless you have a specific reason not to.
Identity and endpoint data sources
| Service | FQDN | Port | Protocol | Required? |
|---|---|---|---|---|
| Microsoft Entra ID (authentication) | login.microsoftonline.com | 443 | HTTPS | If using Entra ID |
| Microsoft Graph API | graph.microsoft.com | 443 | HTTPS | If using Entra ID, M365, or Defender |
| Microsoft Defender for Endpoint (US) | api.securitycenter.microsoft.com | 443 | HTTPS | If using MDE |
| Microsoft Defender for Endpoint (EU) | api-eu.securitycenter.microsoft.com | 443 | HTTPS | If using MDE (EU tenant) |
| CrowdStrike Falcon API (US-1) | api.crowdstrike.com | 443 | HTTPS | If using CrowdStrike |
| CrowdStrike Falcon API (US-2) | api.us-2.crowdstrike.com | 443 | HTTPS | If using CrowdStrike (US-2) |
| CrowdStrike Falcon API (EU-1) | api.eu-1.crowdstrike.com | 443 | HTTPS | If using CrowdStrike (EU) |
| Active Directory (LDAP) | Customer DC IP address | 389 | LDAP | If using on-prem AD and LDAPS is unavailable (cleartext; prefer 636) |
| Active Directory (LDAPS) | Customer DC IP address | 636 | LDAPS | If using on-prem AD (recommended; TLS-encrypted) |
| WinRM (HTTP) | Customer host IP addresses | 5985 | HTTP | If collecting Windows event logs and WinRM over HTTPS is not configured (prefer 5986) |
| WinRM (HTTPS) | Customer host IP addresses | 5986 | HTTPS | If collecting Windows event logs (recommended; TLS-encrypted) |
Threat intelligence providers
| Service | FQDN | Port | Protocol | Required? |
|---|---|---|---|---|
| VirusTotal | www.virustotal.com | 443 | HTTPS | If TI enrichment enabled |
| AbuseIPDB | api.abuseipdb.com | 443 | HTTPS | If TI enrichment enabled |
| URLhaus | urlhaus-api.abuse.ch | 443 | HTTPS | If TI enrichment enabled |
| ThreatFox | threatfox-api.abuse.ch | 443 | HTTPS | If TI enrichment enabled |
| Shodan | api.shodan.io | 443 | HTTPS | If TI enrichment enabled |
| OTX AlienVault | otx.alienvault.com | 443 | HTTPS | If TI enrichment enabled |
AI and LLM services
| Service | FQDN | Port | Protocol | Required? |
|---|---|---|---|---|
| Ollama (local LLM) | Configurable (default: localhost) | 11434 | HTTP | If using local LLM |
| Anthropic Claude API | api.anthropic.com | 443 | HTTPS | If using cloud LLM |
Licensing & system services
CICADA IR does not phone home. The VM does not need to contact any CICADA IR server to function, and no telemetry, usage data, or investigation data is ever sent to us. Licence activation is performed during the setup wizard using your product key; the only optional outbound contact is online activation against api.cicada-ir.ai, and offline activation is available for air-gapped environments, in which case that rule can be omitted entirely.
| Service | FQDN | Port | Protocol | Required? |
|---|---|---|---|---|
| CICADA IR licensing | api.cicada-ir.ai | 443 | HTTPS | No — offline activation available |
| NTP (time sync) | pool.ntp.org | 123 | UDP | Recommended |
| NTP (Ubuntu default) | ntp.ubuntu.com | 123 | UDP | Recommended |
| Ubuntu security updates | security.ubuntu.com | 443 | HTTPS | Recommended (the default apt sources use http:// on port 80; switch them to https:// if only 443 is allowed) |
Inbound access
| Service | Port | Protocol | Required? | Notes |
|---|---|---|---|---|
| CICADA IR web interface | 443 | HTTPS | Yes | From analyst workstations |
| SSH management | 22 | SSH | Optional | From management network only; disabled by default |
Firewall rule examples
Palo Alto Networks (PAN-OS)
# PAN-OS configure-mode set commands. Placeholders in <> are yours to fill in; object and
# zone names are examples. FQDN address objects are re-resolved by the firewall, so the
# rules keep working when a provider rotates IP addresses. Point the firewall at the same
# DNS the VM uses, or the VM may connect to an address the FQDN object has not resolved.
# Address objects
set address cicada-ir-vm ip-netmask <cicada-vm-ip>/32
set address dc01 ip-netmask <dc-ip-address>/32
set address ms-login fqdn login.microsoftonline.com
set address ms-graph fqdn graph.microsoft.com
set address crowdstrike-api fqdn api.crowdstrike.com
set address ti-virustotal fqdn www.virustotal.com
set address ti-abuseipdb fqdn api.abuseipdb.com
set address ti-urlhaus fqdn urlhaus-api.abuse.ch
set address ti-threatfox fqdn threatfox-api.abuse.ch
set address ti-shodan fqdn api.shodan.io
set address ti-otx fqdn otx.alienvault.com
set address ai-anthropic fqdn api.anthropic.com
set address ntp-pool fqdn pool.ntp.org
set address-group cicada-ir-https static [ ms-login ms-graph crowdstrike-api ti-virustotal ti-abuseipdb ti-urlhaus ti-threatfox ti-shodan ti-otx ai-anthropic ]
# Service object for LDAPS (service-https and the ntp application are built in)
set service ldaps protocol tcp port 636
# Security rules: source is only the CICADA IR VM, destination only the allow-listed objects
set rulebase security rules cicada-ir-https from <internal-zone> to <internet-zone> source cicada-ir-vm destination cicada-ir-https application any service service-https action allow
set rulebase security rules cicada-ir-ldaps from <internal-zone> to <dc-zone> source cicada-ir-vm destination dc01 application any service ldaps action allow
set rulebase security rules cicada-ir-ntp from <internal-zone> to <internet-zone> source cicada-ir-vm destination ntp-pool application ntp service application-default action allow
Windows Firewall / Group Policy
# Example: allow CICADA IR VM to reach Graph API.
# Windows Firewall cannot match on FQDN, so the rule pins the A records that resolve
# right now. Resolve-DnsName also returns the CNAME chain, whose entries have no
# IPAddress, so keep only A records. Microsoft rotates these addresses: re-run the
# lookup on a schedule and refresh the rule with Set-NetFirewallRule -RemoteAddress.
$graphIps = (Resolve-DnsName graph.microsoft.com -Type A |
             Where-Object QueryType -eq 'A').IPAddress
New-NetFirewallRule -DisplayName "CICADA IR - Graph API" `
    -Direction Outbound `
    -RemoteAddress $graphIps `
    -RemotePort 443 `
    -Protocol TCP `
    -Action Allow
Air-gapped and restricted environments
If the CICADA IR VM cannot reach the internet:
- Threat intelligence: Disable TI enrichment in Settings > Threat Intelligence. Investigations still work, but IOCs are not enriched automatically; you can import TI data manually via CSV.
- Cloud LLM: Use a local Ollama instance instead of a cloud provider and point the LLM configuration at your internal Ollama server. Ollama serves plain HTTP on port 11434, so keep it on a trusted network segment or place a TLS reverse proxy in front of it.
- Licensing: Use offline licence activation (see Getting Started).
- NTP: Point the VM at your internal NTP server by setting NTP= in the [Time] section of /etc/systemd/timesyncd.conf, then restart systemd-timesyncd and confirm with timedatectl timesync-status.
- Updates: Apply OS security patches through your internal patch management system (for example an internal apt mirror).
DNS resolution
Ensure the VM has a working DNS configuration (dig is in the dnsutils package; resolvectl query works without it):
# Check current DNS
resolvectl status
# Test resolution
dig graph.microsoft.com
dig api.crowdstrike.com
If using an internal DNS server that does not resolve public FQDNs, configure conditional forwarders or add the CICADA IR VM to a DNS policy that allows external resolution for the domains listed on this page. A firewall that enforces FQDN-based rules should resolve them through the same DNS the VM uses; otherwise the VM may connect to an address the firewall has not resolved and the rule will not match.
Proxy configuration
If your environment routes outbound traffic through an HTTP proxy, give the backend service the standard proxy variables. Hosts the VM must reach directly (domain controllers, WinRM targets, an internal Ollama server) belong in NO_PROXY: LDAP and LDAPS are not HTTP and ignore these variables, but WinRM and Ollama traffic would otherwise be sent to the proxy.
# Create a drop-in for the CICADA IR backend service (opens an editor)
sudo systemctl edit cicada-backend
# Add under [Service]. Set both upper- and lower-case names: some HTTP client
# libraries only read one form, and setting both is harmless.
# Environment="HTTPS_PROXY=http://proxy.yourcompany.com:8080"
# Environment="https_proxy=http://proxy.yourcompany.com:8080"
# Environment="NO_PROXY=localhost,127.0.0.1,<dc-ip>,<winrm-host-ips>,<ollama-host>"
# Environment="no_proxy=localhost,127.0.0.1,<dc-ip>,<winrm-host-ips>,<ollama-host>"
Then restart the backend service and confirm the variables were applied:
sudo systemctl restart cicada-backend
systemctl show cicada-backend -p Environment
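Once the firewall rules, DNS and proxy settings are in place, the script below verifies the allow-list from the VM itself. It is an added example for this page, not part of CICADA IR: the feature tags, the DC_IP and WINRM_HOST environment variables and the script name are assumptions, and the rows are a copy of the tables above. HTTPS rows are probed with curl, which honours HTTPS_PROXY, so the check also exercises the proxy path; the LDAPS and WinRM rows use a raw TCP connect that is never proxied, which is exactly what NO_PROXY is meant to guarantee for those hosts. UDP rows (NTP) have no handshake to probe and are reported as SKIP; confirm time sync with timedatectl timesync-status instead.

```shell
#!/usr/bin/env bash
# cicada-egress-check.sh: confirm from the CICADA IR VM that every allow-listed
# endpoint it needs is reachable. Added example for this page; not CICADA IR code.
# Assumed: DC_IP and WINRM_HOST environment variables for the on-prem rows, and
# the feature tags below (entra, mde, crowdstrike, ad, winrm, ti, llm, system).
set -eu

# Rows copied from the tables on this page: tag  host  port  proto
# proto https = probe with curl (honours HTTPS_PROXY); tcp = raw TCP connect,
# never proxied; udp = no handshake to test, reported as SKIP.
ALLOWLIST='
entra       login.microsoftonline.com           443  https
entra       graph.microsoft.com                 443  https
mde         api.securitycenter.microsoft.com    443  https
mde         api-eu.securitycenter.microsoft.com 443  https
crowdstrike api.crowdstrike.com                 443  https
crowdstrike api.us-2.crowdstrike.com            443  https
crowdstrike api.eu-1.crowdstrike.com            443  https
ad          @DC_IP@                             636  tcp
winrm       @WINRM_HOST@                        5986 tcp
ti          www.virustotal.com                  443  https
ti          api.abuseipdb.com                   443  https
ti          urlhaus-api.abuse.ch                443  https
ti          threatfox-api.abuse.ch              443  https
ti          api.shodan.io                       443  https
ti          otx.alienvault.com                  443  https
llm         api.anthropic.com                   443  https
system      pool.ntp.org                        123  udp
system      ntp.ubuntu.com                      123  udp
system      security.ubuntu.com                 443  https
'

# selected TAGS: rows whose tag is in the comma-separated TAGS list
selected() {
  printf '%s\n' "$ALLOWLIST" | awk -v tags="$1" '
    BEGIN { n = split(tags, t, ","); for (i = 1; i <= n; i++) want[t[i]] = 1 }
    NF == 4 && ($1 in want)'
}

# fill_placeholder HOST: swap @DC_IP@ / @WINRM_HOST@ for the environment values
fill_placeholder() {
  case $1 in
    @DC_IP@)      printf '%s' "${DC_IP:-}" ;;
    @WINRM_HOST@) printf '%s' "${WINRM_HOST:-}" ;;
    *)            printf '%s' "$1" ;;
  esac
}

# probe HOST PORT PROTO: prints OK, FAIL or SKIP
probe() {
  case $3 in
    https) curl -sS -o /dev/null -m 10 "https://$1:$2/" 2>/dev/null && echo OK || echo FAIL ;;
    tcp)   timeout 5 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null && echo OK || echo FAIL ;;
    *)     echo SKIP ;;
  esac
}

# check TAGS: resolve and probe every selected row; returns 1 if anything failed
check() {
  failed=0
  rows=$(mktemp)
  selected "$1" >"$rows"
  while read -r tag host port proto; do
    host=$(fill_placeholder "$host")
    if [ -z "$host" ]; then
      printf '%-12s %-36s %5s SKIP (set DC_IP / WINRM_HOST)\n' "$tag" "(unset)" "$port"
      continue
    fi
    ips=$(getent ahostsv4 "$host" 2>/dev/null | awk '{print $1}' | sort -u | tr '\n' ' ')
    if [ -z "$ips" ]; then
      result='FAIL (DNS)'
    else
      result=$(probe "$host" "$port" "$proto")
    fi
    case $result in FAIL*) failed=1 ;; esac
    printf '%-12s %-36s %5s/%-5s %-10s %s\n' "$tag" "$host" "$port" "$proto" "$result" "$ips"
  done <"$rows"
  rm -f "$rows"
  return "$failed"
}

case "${1:-}" in
  check) check "${2:-entra,mde,crowdstrike,ti,llm,system}" ;;
  list)  selected "${2:-entra,mde,crowdstrike,ad,winrm,ti,llm,system}" ;;
  *)     printf 'usage: %s check|list [tag,tag,...]\n' "$0" ;;
esac
```

Run it with only the tags you use, for example bash cicada-egress-check.sh check entra,ti,system, or DC_IP=10.0.0.5 WINRM_HOST=10.0.0.20 bash cicada-egress-check.sh check ad,winrm for the on-prem rows. Each line shows the tag, host, port/protocol, result and the addresses the VM resolved, so a FAIL (DNS) row points at the resolver section above and a plain FAIL at a missing firewall or proxy rule; the exit status is non-zero when anything failed, which makes it usable from a post-change check or a scheduled job.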