RiskAnalytics Support

ShadowNet Customer API v2 features unified dynamic IP and DNS lists in a format that’s able to be loaded directly into a number of security appliances and SIEM platforms, such as Palo Alto Networks, Splunk and many more. Two endpoints are available, and must be accessed with the generated username, password and license key with specially-crafted requests. 

• https://shadownet.riskanalytics.io/lists/v2/ipList/

Provides a unified text feed with one IP/CIDR per line for all subscribed IP lists

• https://shadownet.riskanalytics.io/lists/v2/dnsList/

Provides a unified text feed with one Domain/FQDN per line for all subscribed DNS lists

Your personalized URLs for using the API are available from inside RAForce. Click the configuration button for ShadowNet API from the Services panel.

At the top of the configuration page, you can see your credentials, your private URL and several examples for pulling both versions of the DNS and IP feeds.

As you scroll down, you can see the IP and DNS lists to which you're subscribed, and the available lists. If you are using these feeds with an enforcement platform such as a web filter, next-gen firewall or other security appliance, a few caveats exist for region lists:

• Regional DNS lists contain only country-code TLDs for countries in that region. For example, the Eastern Europe DNS block list contains only 14 elements including IDN/Punycode (укр, ua, sk, рф, ru, ro, pl, md, hu, cz, бг, bg, бел and by) but they may cause trouble with DNS and web filters because they're not whole domains.
• Regional IP lists contain many IP address ranges, which may exhaust your firewall's capacity for list elements. 
• Blocks for regions will likely only be attributed to the policy to which the ShadowNet feed is applied, so it's difficult to tell a security threat from a geographic region that's being blocked by the ShadowNet feed.

Whitelisting

Whitelisted IP addresses specified inside RAForce will be filtered out of the ShadowNet feed, even if it is the source of a known-malicious attack or it's a member of a policy list. When used for enforcement, we recommend pro-active whitelisting of critical assets, B2B partners and your own infrastructure. Ensure that your ShadowNet service is subscribed to the Whitelist(s) you've created in order to ensure these entries work as expected. You can also whitelist any asset that is being blocked in error or that you require access to. The next time your list refreshes (or you manually refresh it), the whitelisted addresses should disappear from the feed so that it can be accessed.

DNS and IP Address Research

Using the Threat Intel Search pane on the left-side navigation menu, you can search your subscribed lists for DNS or IP addresses to get more details.