https://live.paloaltonetworks.com/t5/general-topics/how-to-parse-and-filter-proofpoint-list/m-p/387185#M95439 <P>Hello,</P><P>Since the default proofpoint miner is not working 'im trying to find a workaround to be able to download and filter the lists.</P><P>I have tried to use the generic json or csv miner but i'm having issues with both:</P><P>&nbsp;</P><P>With the json miner I receive 0 values from the lists, I guess is not able to parse it.</P><P>This is an example from the proofpoint list:</P><P>{</P><P>&nbsp;&nbsp; "<A href="http://webmail.bokep-indo.grup-whatsapp.xyz" target="_blank">webmail.bokep-indo.grup-whatsapp.xyz</A>" : {</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; "Drop" : "72"</P><P>&nbsp;&nbsp; },</P><P>&nbsp;&nbsp; "<A href="http://beaconsupport.com" target="_blank">beaconsupport.com</A>" : {</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; "RemoteAccessService" : "51"</P><P>&nbsp;&nbsp; },</P><P>&nbsp;&nbsp; "<A href="http://fbgaragedoors.com" target="_blank">fbgaragedoors.com</A>" : {</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; "Drop" : "37"</P><P>&nbsp;&nbsp; },</P><P>&nbsp;&nbsp; "webmail.marelanhostlivev2.event-op.cf" : {</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; "AbusedTLD" : "98"</P><P>&nbsp;&nbsp; }</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>With the&nbsp;<SPAN>minemeld.ft.csv.CSVFT miner I have partial success, all the fields are parsed but filtering on "score" is not working.</SPAN></P><P><SPAN>Here is a log example</SPAN></P><P><SPAN>{<BR />"category": "1",<BR />"_age_out": 1616595084032,<BR />"confidence": 80,<BR />"share_level": "red",<BR />"_last_run": 1614010284043,<BR />"sources": [<BR />"ProofpointET"<BR />],<BR />"score": "117",<BR />"first_seen": 1614003084032,<BR />"type": "IPv4",<BR />"last_seen": 1614003084032<BR />}</SPAN></P><P>&nbsp;</P><P>If in output condition I add "score &gt; 99" this is ignored or not matched</P><P>&nbsp;</P><P>Do you have any suggestion on how to manage a custom list?</P><P>The originali list is a simple csv/json/txt with indicator,category,score.</P><P>&nbsp;</P><P>Thank you</P><P>&nbsp;</P> Mon, 22 Feb 2021 16:13:30 GMT MMeld_Testing 2021-02-22T16:13:30Z https://live.paloaltonetworks.com/t5/general-topics/how-to-parse-and-filter-proofpoint-list/m-p/387185#M95439 <P>Hello,</P><P>Since the default proofpoint miner is not working 'im trying to find a workaround to be able to download and filter the lists.</P><P>I have tried to use the generic json or csv miner but i'm having issues with both:</P><P>&nbsp;</P><P>With the json miner I receive 0 values from the lists, I guess is not able to parse it.</P><P>This is an example from the proofpoint list:</P><P>{</P><P>&nbsp;&nbsp; "<A href="http://webmail.bokep-indo.grup-whatsapp.xyz" target="_blank">webmail.bokep-indo.grup-whatsapp.xyz</A>" : {</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; "Drop" : "72"</P><P>&nbsp;&nbsp; },</P><P>&nbsp;&nbsp; "<A href="http://beaconsupport.com" target="_blank">beaconsupport.com</A>" : {</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; "RemoteAccessService" : "51"</P><P>&nbsp;&nbsp; },</P><P>&nbsp;&nbsp; "<A href="http://fbgaragedoors.com" target="_blank">fbgaragedoors.com</A>" : {</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; "Drop" : "37"</P><P>&nbsp;&nbsp; },</P><P>&nbsp;&nbsp; "webmail.marelanhostlivev2.event-op.cf" : {</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; "AbusedTLD" : "98"</P><P>&nbsp;&nbsp; }</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>With the&nbsp;<SPAN>minemeld.ft.csv.CSVFT miner I have partial success, all the fields are parsed but filtering on "score" is not working.</SPAN></P><P><SPAN>Here is a log example</SPAN></P><P><SPAN>{<BR />"category": "1",<BR />"_age_out": 1616595084032,<BR />"confidence": 80,<BR />"share_level": "red",<BR />"_last_run": 1614010284043,<BR />"sources": [<BR />"ProofpointET"<BR />],<BR />"score": "117",<BR />"first_seen": 1614003084032,<BR />"type": "IPv4",<BR />"last_seen": 1614003084032<BR />}</SPAN></P><P>&nbsp;</P><P>If in output condition I add "score &gt; 99" this is ignored or not matched</P><P>&nbsp;</P><P>Do you have any suggestion on how to manage a custom list?</P><P>The originali list is a simple csv/json/txt with indicator,category,score.</P><P>&nbsp;</P><P>Thank you</P><P>&nbsp;</P> Mon, 22 Feb 2021 16:13:30 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-parse-and-filter-proofpoint-list/m-p/387185#M95439 MMeld_Testing 2021-02-22T16:13:30Z https://live.paloaltonetworks.com/t5/general-topics/how-to-parse-and-filter-proofpoint-list/m-p/387316#M95440 <P>For that JSON structure you cannot use the JSON parser, as the indicators are the keys of the feed and this is not supported. The JSON Miners expects a list of objects/indicators. Also if the feed is large JSON does not scale too well, as the full file should be loaded and parsed to extract indicators. I would suggest to use CSV Miner instead.</P> <P>The problem with the filter on the score is that the <EM>score</EM> attribute is a string and not a number, the filter <EM>score &gt; 99 </EM>could not work then. You should convert <EM>score</EM> to number before filtering, basically yous should try: <EM>to_number(score) &gt; 99</EM></P> Tue, 23 Feb 2021 08:40:37 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-parse-and-filter-proofpoint-list/m-p/387316#M95440 lmori 2021-02-23T08:40:37Z https://live.paloaltonetworks.com/t5/general-topics/how-to-parse-and-filter-proofpoint-list/m-p/387755#M95441 <P>It worked, thank you for your reply.</P><P>&nbsp;</P><P>Is there a list of functions that can be used as filter in the output node?</P><P>&nbsp;</P><P>Thank you.</P> Thu, 25 Feb 2021 08:52:52 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-parse-and-filter-proofpoint-list/m-p/387755#M95441 MMeld_Testing 2021-02-25T08:52:52Z