Incident ResponderGet Started With Incident Responder

Table of Contents

Network Prerequisites for Deploying Incident Responder

Before you deploy Incident Responder, open ports and whitelist URLs.

Open Ports

Note

For IMAP and POP3, only open the ports that match the email server protocol you use.

From

To

Port

Protocol

User Network

Case Manager Node

22/TCP

SSH

Log Sources

Case Manager Node

9875/TCP/UDP

Syslog

Incident Responder Appliance

Internal Email Server

143/TCP

IMAP

Incident Responder Appliance

Internal Email Server

993/TCP

IMAPS

Incident Responder Appliance

Internal Email Server

25/TCP

SMTP

Incident Responder Appliance

Internal Email Server

587/TCP

SMTPS

Incident Responder Appliance

Internal Email Server

110/TCP

POP3

Incident Responder Appliance

Internal Email Server

995/TCP

Secure POP3

Incident Responder Appliance

External Internet

43/TPC

HTTP (whois)

Whitelist URLs

You must whitelist URLs to use some services and actions.

Service

URL

Actions

MaxMind

maxmind.com / geopip.maxmind.com

Geolocate IP

VirusTotal

virustotal.com

Get URL Reputation

Get IP Reputation

IP-API

ip-api.com

Geolocate IP

GoogleSafe Browsing

googleapis.com

safebrowsing.googleapis.com

Get URL Reputation

Get IP Reputation

Microsoft Trace

https://reports.office365.com/ecp/reportingwebservice

/reporting.svc/MessageTrace

Microsoft Outlook Message Track