Network Requirements
External Access
The SailPoint Entro Outpost requires access to various external URLs in order for the Outpost to communicate with the SailPoint Entro platform:
SailPoint Entro:
*api.entro.security- SailPoint Entro's own API endpoint
Note
The Outpost does not communicate directly with SailPoint Entro's UI (app.entro.security)
AWS:
-
*.s3.amazonaws.com -
*.s3.{region}.amazonaws.com -
iam.amazonaws.com -
logs.{region}.amazonaws.com -
secretsmanager.{region}.amazonaws.com -
sqs.{region}.amazonaws.com -
sts.{region}.amazonaws.com -
s3express-control.{region}.amazonaws.com -
monitoring.us-east-1.amazonaws.com
Note
Default region is us-east-1 unless specified otherwise. Replace {region} accordingly.
More about AWS service endpoints can be found here:
Firewall / proxy notes
Caution
Do not perform SSL stripping or MITM on SailPoint Entro traffic.
-
Allow outbound HTTPS to SailPoint Entro API hosts and required AWS endpoints above.
-
If using SailPoint Entro perimeter static IPs, see the IP list on the SaaS-perimeter page.
-
If a proxy is required, make sure the proxy is configured in the
.env-connectorfile.
Local Access
Allow connectivity between the Outpost and any integrated services. For example -
-
To onboard your local BitBucket server - Allow the Outpost to access it
-
To onboard SMB File Shares - Allow the Outpost to access them
The SailPoint Entro Outpost must have network connectivity to any onboarded integration.
Exposure Validation Checks
When token and secret exposures are found by the Outpost scanner, the SailPoint Entro Outpost connects to the service that the secret belongs to and determines the validity status of the token or secret. Allow the Outpost to connect to the following URLs to determine the current validity of the exposure:
| origin_type | endpoints | purpose |
|---|---|---|
| AIVEN_API_KEY | https://api.aiven.io/v1/account |
Validate Aiven API key and fetch user info |
| AKEYLESS_ACCESS_KEY | https://api.akeyless.io/auth |
Validate Akeyless Access Key |
| ALGOLIA | https://-dsn.algolia.net/1/ |
Validate Algolia API key |
| ARTIFACTORY_JFROG_CREDS_JWT | https://*.jfrog.io/artifactory/api/storageinfohttps:///artifactory/api/users |
Validate JFrog Artifactory JWT credentials |
| ARTIFACTORY_JFROG_TOKEN | https://*.jfrog.io/artifactory/api/storageinfohttps:///artifactory/api/users |
Validate JFrog Artifactory token |
| ASANA_ACCESS_TOKEN | https://app.asana.com/api/1.0/users/me |
Validate Asana Personal Access Token and fetch user info |
| AWS | sts:GetCallerIdentityiam:GetAccessKeyInfo (AWS Servers) |
Validate AWS credentials and fetch account/resource info |
| AZURE_APP_REGISTRATION_CLIENT_SECRET | https://login.microsoftonline.com/*/oauth2/v2.0/token |
Validate Azure App Registration Client Secret |
| AZURE_COSMOS_DB_KEY | _.azure.com/_ |
Validate Azure Cosmos DB Key |
| AZURE_DEVOPS_PAT_V2 | https://app.vssps.visualstudio.com/_apis/accounts |
Validate Azure DevOps token and fetch accounts |
| AZURE_DEVOPS_TOKEN | https://app.vssps.visualstudio.com/_apis/accounts |
Validate Azure DevOps token and fetch accounts |
| AZURE_STORAGE_ACCESS_KEY | https://*.blob.core.windows.net/?comp=list |
Validate Azure Storage Access Key |
| BITBUCKET_OAUTH_CREDS | https://bitbucket.org/site/oauth2/access_token |
Validate Bitbucket OAuth credentials and fetch token info |
| BOX_OAUTH | https://api.box.com/oauth2/token |
Validate Box OAuth token |
| BUILDKITE | https://api.buildkite.com/v2/access-token |
Validate Buildkite API token |
| CONTENTFUL | https://api.contentful.com/organizations |
Validate Contentful API key |
| DATABRICKS_PAT | https://*.databricks.com/api/2.0/token/createhttps://*azurewebsites.net/api/2.0/token/createhttps://*azuredatabricks.net/api/2.0/token/create |
Validate Databricks Personal Access Token |
| DATADOG_API_KEY | https://us5.datadoghq.com/api/v1/validatehttps://app.datadoghq.com/api/v1/validatehttps://us3.datadoghq.com/api/v1/validatehttps://app.datadoghq.eu/api/v1/validatehttps://app.ddog-gov.com/api/v1/validatehttps://ap1.datadoghq.com/api/v1/validate |
Validate Datadog API key |
| DIGITAL_OCEAN_PERSONAL_ACCESS_TOKEN | https://api.digitalocean.com/v2/account |
Validate DigitalOcean Personal Access Token |
| DIGITAL_OCEAN_SPACES_KEYS | https://nyc3.digitaloceanspaces.comhttps://sfo2.digitaloceanspaces.comhttps://ams3.digitaloceanspaces.comhttps://sgp1.digitaloceanspaces.comhttps://fra1.digitaloceanspaces.com |
Validate DigitalOcean Spaces keys |
| DROPBOX_APP_CREDS | https://www.dropbox.com/oauth2/authorize?client_id=${the key we found}&response_type=code |
Validate Dropbox app credentials |
| DROPBOX_APP_OAUTH_TOKEN | https://api.dropboxapi.com/2/users/get_current_account |
Validate Dropbox OAuth token and fetch account info |
| DROPBOX_SIGN_API_KEY | https://api.hellosign.com/v3/template/list |
Validate Dropbox Sign API key |
| ELASTIC_CLOUD | https://api.elastic-cloud.com/api/v1/deployments |
Validate Elastic Cloud credentials and fetch deployments |
| ENTRO_API_KEY | https://fidelity-api.entro.security/v2/scan?generic=false&redact=true |
Validate SailPoint Entro API key |
| FACEBOOK_APP_ID | https://graph.facebook.com/debug_token?input_token=${credsWeFound}&access_token=${credsWeFound} |
Validate Facebook App ID |
| FASTLY_API_KEY | https://api.fastly.com/tokens/self |
Validate Fastly API key |
| FIGMA_PAT | https://api.figma.com/v1/me |
Validate Figma Personal Access Token and fetch user info |
| FULLSTORY | https://developer.fullstory.com/server/v1/authentication/me/ |
Validate FullStory API key and fetch user info |
| GITHUB | https://api.github.com/userhttps://api.github.com/user/repos |
Validate GitHub token and fetch user/repos info |
| GITBOOK_API_KEY | https://api.gitbook.com/v1/user |
Validate GitBook API key |
| GITLAB_PAT | https://gitlab.com/api/v4/userhttps://gitlab.com/api/v4/runnershttps://gitlab.com/api/v4/projects/{project_id}/cluster_agentshttps://gitlab.com/api/v4/projects/{project_id}/repository/files/{file_path}/raw?ref={branch}https://gitlab.com/api/v4/projects/{project_id}/registry/repositories |
Validate GitLab Personal Access Token and fetch user info |
| GOOGLE_GCP | https://maps.googleapis.com/maps/api/geocode/json?address=1600+Amphitheatre+Parkway,+Mountain+View,+CA&key=${key we found} |
Validate Google Cloud API token |
| GOOGLE_GCP_SERVICE_ACCOUNT | https://oauth2.googleapis.com/token |
Validate GCP service account credentials |
| GROQ_API_KEY | https://api.groq.com/openai/v1/chat/completions |
Validate Groq API key |
| HEROKU | https://api.heroku.com/apps |
Validate Heroku API key and fetch apps |
| HUBSPOT | https://api.hubapi.com/oauth/v2/private-apps/get/access-token-info |
Validate HubSpot API key and fetch token info |
| HUGGING_FACE_ACCESS_TOKEN | https://huggingface.co/api/whoami-v2 |
Validate Hugging Face access token |
| JFROG_JWT_ACCESS_TOKEN | https://*.jfrog.io/artifactory/api/storageinfohttps:///artifactory/api/users |
Validate JFrog Artifactory JWT access token |
| JFROG_REFERENCE_ACCESS_TOKEN | https://*.jfrog.io/artifactory/api/storageinfohttps:///artifactory/api/users |
Validate JFrog Artifactory reference access token |
| KLAVIYO_API_KEY | https://a.klaviyo.com/api/accounts |
Validate Klaviyo API key |
| LAUNCHDARKLY_API_KEY | https://app.launchdarkly.com/api/v2/caller-identity |
Validate LaunchDarkly API key |
| LAUNCHDARKLY_MOBILE | https://app.launchdarkly.com/api/v2/caller-identity |
Validate LaunchDarkly mobile key |
| LAUNCHDARKLY_SDK | https://app.launchdarkly.com/api/v2/caller-identity |
Validate LaunchDarkly SDK key |
| MAILCHIMP_API_KEY | https://*.api.mailchimp.com/3.0/ |
Validate Mailchimp API key |
| MAILGUN_PAT | https://api.mailgun.net/v4/domains |
Validate Mailgun Personal Access Token |
| META_APP_CREDS | https://graph.facebook.com/debug_token?input_token=${creds we found}&access_token=${creds we found} |
Validate Meta (Facebook) app credentials |
| META_APP_CREDS_PAIR | https://graph.facebook.com/debug_token?input_token=${credsWeFound}&access_token=${credsWeFound} |
Validate Meta (Facebook) app credentials |
| META_USER_TOKEN | https://graph.facebook.com/debug_token?input_token=${token}&access_token=${token} |
Validate Meta (Facebook) user token |
| NOTION | https://api.notion.com/v1/users/me |
Validate Notion API key and fetch user info |
| NPM | https://registry.npmjs.org/-/whoami |
Validate NPM token |
| OKTA_API_KEY | _.okta.com/_ |
Validate Okta API key |
| OKTA_CLIENT_SECRET | _.okta.com/_ |
Validate Okta client secret |
| OPENAI | https://api.openai.com/v1/models |
Validate OpenAI API key and fetch available models |
| OPENAI_SERVICE_ACCOUNT | https://api.openai.com/v1/models |
Validate OpenAI API key and fetch available models |
| OPENWEATHER_API_KEY | https://api.openweathermap.org/data/2.5/weather?id=524901&lang=fr&appid=${found token} |
Validate OpenWeather API key |
| PAYPAL_BRAINTREE_CREDS_PAIR | https://api-m.sandbox.paypal.com/v1/oauth2/token |
Validate PayPal Braintree credentials |
| PINECONE_API_KEY | https://controller.gcp-starter.pinecone.io/databaseshttps://controller.us-west1-gcp-free.pinecone.io/databaseshttps://controller.asia-southeast1-gcp-free.pinecone.io/databaseshttps://controller.us-west4-gcp-free.pinecone.io/databaseshttps://controller.us-west1-gcp.pinecone.io/databaseshttps://controller.us-central1-gcp.pinecone.io/databaseshttps://controller.us-west4-gcp.pinecone.io/databaseshttps://controller.us-east4-gcp.pinecone.io/databaseshttps://controller.northamerica-northeast1-gcp.pinecone.io/databaseshttps://controller.asia-northeast1-gcp.pinecone.io/databaseshttps://controller.asia-southeast1-gcp.pinecone.io/databaseshttps://controller.us-east1-gcp.pinecone.io/databaseshttps://controller.eu-west1-gcp.pinecone.io/databaseshttps://controller.eu-west4-gcp.pinecone.io/databaseshttps://controller.us-east-1-aws.pinecone.io/databaseshttps://controller.eastus-azure.pinecone.io/databases |
Validate Pinecone API key |
| PINECONE_KEY | https://controller.gcp-starter.pinecone.io/actions/whoamihttps://controller.us-west1-gcp-free.pinecone.io/actions/whoamihttps://controller.asia-southeast1-gcp-free.pinecone.io/actions/whoamihttps://controller.us-west4-gcp-free.pinecone.io/actions/whoamihttps://controller.us-west1-gcp.pinecone.io/actions/whoamihttps://controller.us-central1-gcp.pinecone.io/actions/whoamihttps://controller.us-west4-gcp.pinecone.io/actions/whoamihttps://controller.us-east4-gcp.pinecone.io/actions/whoamihttps://controller.northamerica-northeast1-gcp.pinecone.io/actions/whoamihttps://controller.asia-northeast1-gcp.pinecone.io/actions/whoamihttps://controller.asia-southeast1-gcp.pinecone.io/actions/whoamihttps://controller.us-east1-gcp.pinecone.io/actions/whoamihttps://controller.eu-west1-gcp.pinecone.io/actions/whoamihttps://controller.eu-west4-gcp.pinecone.io/actions/whoamihttps://controller.us-east-1-aws.pinecone.io/actions/whoamihttps://controller.eastus-azure.pinecone.io/actions/whoami |
Validate Pinecone key |
| PINGDOM_TOKEN | https://api.pingdom.com/api/3.1/checks |
Validate Pingdom token |
| PUBNUB | https://ps.pndsn.com/v2/objects/${subscribe key}/uuids |
Validate PubNub subscribe key |
| PUBNUB_FULL_CREDS | https://ps.pndsn.com/signal/${publish key}/${subscribe key}/0/ch1/0/%22typing_on%22?uuid=user-123 |
Validate PubNub full credentials |
| REDIS_CLOUD_API_KEYS | https://api.redislabs.com/v1/ |
Validate Redis Cloud API key |
| SENDGRID | https://api.sendgrid.com/v3/templates |
Validate SendGrid API key and fetch templates |
| SENTRY_ORGANIZATION_AUTH_TOKEN | https://us.sentry.io/api/0/organizations/_/projects/https://eu.sentry.io/api/0/organizations/_/projects/ where we extract the org from the found token |
Validate Sentry organization auth token |
| SENTRY_TOKEN | https://sentry.io/api/0/projects/ |
Validate Sentry token |
| SENTRY_USER_AUTH_TOKEN | https://us.sentry.io/api/0/organizations/https://eu.sentry.io/api/0/organizations/ |
Validate Sentry user auth token |
| SHIPPO | https://api.goshippo.com/shipments/ |
Validate Shippo API token |
| SHOPIFY_KEY | https://*.myshopify.com/admin/oauth/access_scopes.json |
Validate Shopify API key |
| SLACK | https://slack.com/api/auth.test |
Validate Slack token and fetch workspace/user info |
| SLACKWEBHOOK | https://hooks.slack.com/services/* |
Validate Slack webhook by sending a simple request |
| SNOWFLAKE | https://_.snowflakecomputing.com/session/v1/login-requesthttps://_.snowflakecomputing.com/queries/v1/query-request |
Validate Snowflake credentials |
| SNOWFLAKE_GENERIC_CREDENTIALS | https://_.snowflakecomputing.com/session/v1/login-requesthttps://_.snowflakecomputing.com/queries/v1/query-request |
Validate Snowflake credentials |
| SQUARE_APP_TOKEN | https://connect.squareupsandbox.com/v2/merchants |
Validate Square app token |
| SQUARE_FULL_CREDS | https://connect.squareupsandbox.com/v2/merchants |
Validate Square full credentials |
| STRIPE_API_KEY | https://api.stripe.com/v1/charges |
Validate Stripe API key and fetch account info |
| SUMO_LOGIC_ACCESS_ID | https://api.sumologic.com/api/v1/users |
Validate Sumo Logic Access ID credentials |
| SUMO_LOGIC_CREDS | https://api.sumologic.com/api/v1/users |
Validate Sumo Logic credentials |
| TWILIO_API_KEY | https://verify.twilio.com/v2/Services |
Validate Twilio API key |
| TWILIO_MASTER_CREDENTIALS | https://verify.twilio.com/v2/Services |
Validate Twilio master credentials |
| TYPEFORM_API_TOKEN | https://api.typeform.com/me |
Validate Typeform API token |
| URI | * | Validate generic URI |
| X_CONSUMER_CREDS | https://api.twitter.com/oauth2/tokenhttps://api.twitter.com/2/tweets/20 |
Validate X-Consumer credentials |