Managing URL whitelists
Certain components in Security Data Lake, such as alerts and HTTP-based data adapters, can generate outgoing HTTP requests. These requests originate from Security Data Lake servers and may attempt to reach internal systems, including sensitive endpoints like AWS EC2 metadata, which could expose keys or other credentials.
To mitigate this risk, outgoing HTTP requests are restricted to a predefined allowlist of approved URLs. Any request to a URL not included in the allowlist is automatically blocked.
Creating a URL allowlist
To create a new URL allowlist, follow these steps:
From the menu on the top of the page, select System > Configurations.
Select URL Whitelist from the menu on the right side of the page.
Select Edit configuration.
Select Add Url from the configuration menu and set the following parameters:
Title - Enter a unique title for the whitelist entry.
URL - Specify the exact URL that Security Data Lake should be allowed to access.
Type - Select the matching method for the allowlisted URL. This defines how Security Data Lake compares the entered URL against outgoing requests. You can choose one of the following:
Exact match - The URL must match the string exactly. If the URL is identical to the value entered, it is allowed.
Regex - The URL must match a regular expression pattern. If the URL matches the pattern, it is allowed.
Note
Security Data Lake uses the Java Pattern class to evaluate regular expressions.
Select Update configuration to apply the change.
Disabling an URL allowlist
The allowlist is enabled by default. If the security implications mentioned above are of no concern, the allowlist can be completely disabled. When disabled, HTTP requests will not be restricted. To disable the allowlist:
From the menu on the top of the page, select System > Configurations.
Select URL Whitelist from the left-hand menu.
Click Edit configuration.
From the configuration menu, check Disable Whitelist.
Select Update configuration to apply the change.