https://live.paloaltonetworks.com/t5/general-topics/cannot-apply-advanced-filters-for-o365-api-feeds/m-p/307551#M96320 <P>I have created a feed of O365 URLs&nbsp;<SPAN>filtering on expressRoute = True</SPAN></P><LI-CODE lang="markup">infilters: - actions: - accept conditions: - __method == 'withdraw' name: accept withdraws - actions: - accept conditions: - o365_expressRoute == true name: accept o365_expressRoute - actions: - drop name: drop all</LI-CODE><P>&nbsp;All works fine...&nbsp; However,</P><P>Comparing the results from Minemeld with the output from a bit of PowerShell, which does the same job. Minemeld does not include the URL&nbsp;<STRONG>*.outlook.office.com</STRONG>.&nbsp;&nbsp;</P><LI-CODE lang="python">(Invoke-WebRequest -Uri $EndpointUri | ConvertFrom-Json) | % { if ($_.expressRoute) { $_.urls } }</LI-CODE><P>I can not see why.&nbsp;&nbsp;</P> Wed, 22 Jan 2020 11:02:34 GMT Potato-soup 2020-01-22T11:02:34Z https://live.paloaltonetworks.com/t5/general-topics/cannot-apply-advanced-filters-for-o365-api-feeds/m-p/233214#M96314 <P>I'm trying to filter out unneeded/unnecessary indicators from our O365 feed, but no matter where I apply the filters I am still receiving all of the indicators.</P> <P>&nbsp;</P> <P>For example, I would like to filter on only indicators available over Express Route, and in the JSON you can see that 'expressRoute' is an available field with a boolean value of either true or false, but trying to add an infilter or outfilter condition for 'o365_expressRoute' doesn't work. I just end up with 0 indicators in my output due to the drop all at the end of my condition statements.</P> <P>&nbsp;</P> <P>Can someone explain to me why this is? There's even an available prototype that comes with MineMeld for filtering out 3rd Party Integrations from the O365 API feed, and even that doesn't work.</P> Mon, 01 Oct 2018 17:55:44 GMT https://live.paloaltonetworks.com/t5/general-topics/cannot-apply-advanced-filters-for-o365-api-feeds/m-p/233214#M96314 benime 2018-10-01T17:55:44Z https://live.paloaltonetworks.com/t5/general-topics/cannot-apply-advanced-filters-for-o365-api-feeds/m-p/233780#M96315 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/86056">@benime</a>,</P> <P>&nbsp;</P> <P>just attempted to reproduce your experience in my lab unsuccesfully. In my case, the input filter for the Express Route condition works like a charm.</P> <P>&nbsp;</P> <P>This is my infilter configuration:</P> <PRE>infilters: - actions: - accept conditions: - __method == 'withdraw' name: accept withdraws - actions: - accept conditions: - o365_expressRoute == true name: accept o365_expressRoute - actions: - drop name: drop all </PRE> Wed, 03 Oct 2018 21:17:16 GMT https://live.paloaltonetworks.com/t5/general-topics/cannot-apply-advanced-filters-for-o365-api-feeds/m-p/233780#M96315 xhoms 2018-10-03T21:17:16Z https://live.paloaltonetworks.com/t5/general-topics/cannot-apply-advanced-filters-for-o365-api-feeds/m-p/233789#M96316 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/6710">@xhoms</a>, It's funny because I was using almost the exact same syntax/conditions you were; except I was using single quotes around the 'true' in the o365_expressRoute condition. </P> <P>&nbsp;</P> <P>Once I removed those it works as expected, now.</P> <P><BR />Thanks for following up!</P> Wed, 03 Oct 2018 22:05:40 GMT https://live.paloaltonetworks.com/t5/general-topics/cannot-apply-advanced-filters-for-o365-api-feeds/m-p/233789#M96316 benime 2018-10-03T22:05:40Z https://live.paloaltonetworks.com/t5/general-topics/cannot-apply-advanced-filters-for-o365-api-feeds/m-p/237920#M96317 <P>Hi Guys,</P> <P>&nbsp;</P> <P>I have tried to accomplish something similar, but instead of filtering on expressRoute I wanted to filter on "required" JSON field.</P> <P>&nbsp;</P> <P>It seems I have able to accomplish this, but I still don't understnad why you need to append "o365_" to the name of the JSON field:</P> <P>&nbsp;</P> <PRE>infilters: - actions: - accept conditions: - __method == 'withdraw' name: accept withdraws - actions: - accept conditions: - type == 'URL' - o365_required == true name: accept required URL only - actions: - drop name: drop all whitelist_prefixes: - wl</PRE> Wed, 31 Oct 2018 10:26:14 GMT https://live.paloaltonetworks.com/t5/general-topics/cannot-apply-advanced-filters-for-o365-api-feeds/m-p/237920#M96317 aleksandar.astardzhiev 2018-10-31T10:26:14Z https://live.paloaltonetworks.com/t5/general-topics/cannot-apply-advanced-filters-for-o365-api-feeds/m-p/238570#M96318 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/70130">@aleksandar.astardzhiev</a>,</P> <P>&nbsp;</P> <P>current O365_API miner implementation prefixes the attributes 'expressRoute', 'optionalImpact', 'serviceArea', 'tcpPorts', 'udpPorts', 'category' and 'required' with the 'o365_' string. That is the reason.</P> <P>&nbsp;</P> <P><A href="https://github.com/PaloAltoNetworks/minemeld-core/blob/dc261fe35614b87ab554b08a0e2a7962850bb23d/minemeld/ft/o365.py#L276" target="_self">https://github.com/PaloAltoNetworks/minemeld-core/blob/dc261fe35614b87ab554b08a0e2a7962850bb23d/minemeld/ft/o365.py#L276</A></P> Mon, 05 Nov 2018 11:59:05 GMT https://live.paloaltonetworks.com/t5/general-topics/cannot-apply-advanced-filters-for-o365-api-feeds/m-p/238570#M96318 xhoms 2018-11-05T11:59:05Z https://live.paloaltonetworks.com/t5/general-topics/cannot-apply-advanced-filters-for-o365-api-feeds/m-p/271722#M96319 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/6710">@xhoms</a>,</P> <P>I would like to filter for indicators with the category "allow" or "optimize" only. How would you define the filter for that? I cannot find that much information regarding filtering using a processor. I hope my steps are correct?&nbsp;</P> <OL> <LI>create a new prototype of the IPv4Generic processor</LI> <LI>create infilters for that<BR /> <PRE>infilters: - actions: - accept conditions: - __method == 'withdraw' name: accept withdraws - actions: - accept conditions: - o365_category == 'Allow' name: accept o365_categoryAllow<BR />- actions:<BR /> - accept<BR /> conditions:<BR /> - o365_category == 'Optimize'<BR /> name: accept o365_categoryOptimize - actions: - drop name: drop all</PRE> </LI> <LI>create a processor node using the previously selfmade prototype</LI> <LI>set as input the o365 miner</LI> <LI>create a output / feed node using the HCGreenWithValue prototype &amp; set as input the selfmade processor</LI> </OL> <P>Thanks a lot for your help!</P> Thu, 20 Jun 2019 14:55:17 GMT https://live.paloaltonetworks.com/t5/general-topics/cannot-apply-advanced-filters-for-o365-api-feeds/m-p/271722#M96319 CyberforceHero203 2019-06-20T14:55:17Z https://live.paloaltonetworks.com/t5/general-topics/cannot-apply-advanced-filters-for-o365-api-feeds/m-p/307551#M96320 <P>I have created a feed of O365 URLs&nbsp;<SPAN>filtering on expressRoute = True</SPAN></P><LI-CODE lang="markup">infilters: - actions: - accept conditions: - __method == 'withdraw' name: accept withdraws - actions: - accept conditions: - o365_expressRoute == true name: accept o365_expressRoute - actions: - drop name: drop all</LI-CODE><P>&nbsp;All works fine...&nbsp; However,</P><P>Comparing the results from Minemeld with the output from a bit of PowerShell, which does the same job. Minemeld does not include the URL&nbsp;<STRONG>*.outlook.office.com</STRONG>.&nbsp;&nbsp;</P><LI-CODE lang="python">(Invoke-WebRequest -Uri $EndpointUri | ConvertFrom-Json) | % { if ($_.expressRoute) { $_.urls } }</LI-CODE><P>I can not see why.&nbsp;&nbsp;</P> Wed, 22 Jan 2020 11:02:34 GMT https://live.paloaltonetworks.com/t5/general-topics/cannot-apply-advanced-filters-for-o365-api-feeds/m-p/307551#M96320 Potato-soup 2020-01-22T11:02:34Z