10-01-2018 10:50 AM - edited 10-01-2018 10:55 AM
I'm trying to filter out unneeded/unnecessary indicators from our O365 feed, but no matter where I apply the filters I am still receiving all of the indicators.
For example, I would like to filter on only indicators available over Express Route, and in the JSON you can see that 'expressRoute' is an available field with a boolean value of either true or false, but trying to add an infilter or outfilter condition for 'o365_expressRoute' doesn't work. I just end up with 0 indicators in my output due to the drop all at the end of my condition statements.
Can someone explain to me why this is? There's even an available prototype that comes with MineMeld for filtering out 3rd Party Integrations from the O365 API feed, and even that doesn't work.
10-03-2018 02:17 PM
I just attempted to reproduce your experience in my lab, unsuccessfully. In my case, the input filter for the Express Route condition works like a charm.
This is my infilter configuration:
infilters:
  - actions:
      - accept
    conditions:
      - __method == 'withdraw'
    name: accept withdraws
  - actions:
      - accept
    conditions:
      - o365_expressRoute == true
    name: accept o365_expressRoute
  - actions:
      - drop
    name: drop all
10-03-2018 03:04 PM - edited 10-03-2018 03:05 PM
@xhoms, It's funny because I was using almost the exact same syntax/conditions you were; except I was using single quotes around the 'true' in the o365_expressRoute condition.
Once I removed those it works as expected, now.
Thanks for following up!
10-31-2018 03:26 AM
I have tried to accomplish something similar, but instead of filtering on expressRoute I wanted to filter on "required" JSON field.
It seems I have been able to accomplish this, but I still don't understand why you need to prepend "o365_" to the name of the JSON field:
infilters:
  - actions:
      - accept
    conditions:
      - __method == 'withdraw'
    name: accept withdraws
  - actions:
      - accept
    conditions:
      - type == 'URL'
      - o365_required == true
    name: accept required URL only
  - actions:
      - drop
    name: drop all
whitelist_prefixes:
  - wl
11-05-2018 03:59 AM
The current O365_API miner implementation prefixes the attributes 'expressRoute', 'optionalImpact', 'serviceArea', 'tcpPorts', 'udpPorts', 'category' and 'required' with the 'o365_' string. That is the reason.
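Added example, not from any poster or from the MineMeld code base: a small Python model of the two behaviours discussed in this thread, the 'o365_' prefixing of feed attributes and the difference between the boolean literal true and the quoted string 'true' in a condition. The endpoint records, the indicator shape, the condition grammar and the "first matching rule wins" evaluation are all assumptions made for illustration; the real miner and filter engine may differ in detail.

```python
import json

# Constructed O365 endpoint records in the shape of the Microsoft endpoint JSON;
# sample values only, not a capture of the real feed.
SAMPLE_O365_JSON = json.dumps([
    {"id": 1, "serviceArea": "Exchange", "urls": ["outlook.office.com"],
     "ips": ["13.107.6.152/31"], "tcpPorts": "443", "expressRoute": True,
     "category": "Optimize", "required": True},
    {"id": 2, "serviceArea": "SharePoint", "urls": ["*.sharepoint.com"],
     "expressRoute": False, "category": "Default", "required": True},
    {"id": 3, "serviceArea": "Skype", "ips": ["52.112.0.0/14"],
     "udpPorts": "3478", "expressRoute": True, "category": "Allow", "required": False},
])

# Attributes the thread says the miner prefixes with 'o365_'.
PREFIXED = ("expressRoute", "optionalImpact", "serviceArea", "tcpPorts",
            "udpPorts", "category", "required")


def to_indicators(raw_json):
    """One indicator per URL/IP, carrying the o365_-prefixed attributes (assumed shape)."""
    indicators = []
    for entry in json.loads(raw_json):
        attrs = {"o365_" + k: v for k, v in entry.items() if k in PREFIXED}
        for url in entry.get("urls", []):
            indicators.append({"indicator": url, "type": "URL", "__method": "update", **attrs})
        for ip in entry.get("ips", []):
            indicators.append({"indicator": ip, "type": "IPv4", "__method": "update", **attrs})
    return indicators


def parse_literal(text):
    """Right-hand side of a condition: 'quoted' -> str, true/false -> bool, otherwise int."""
    if len(text) >= 2 and text[0] == text[-1] == "'":
        return text[1:-1]
    if text in ("true", "false"):
        return text == "true"
    return int(text)


def condition_holds(condition, indicator):
    """Evaluate one 'field == literal' or 'field != literal' condition (assumed grammar)."""
    field, op, literal = condition.split(None, 2)
    value = indicator.get(field)
    expected = parse_literal(literal)
    # Strict comparison: the boolean True never equals the string 'true'.
    return (value == expected) if op == "==" else (value != expected)


def apply_infilters(rules, indicator):
    """Action of the first rule whose conditions all hold; a rule with no conditions always matches."""
    for rule in rules:
        if all(condition_holds(c, indicator) for c in rule["conditions"]):
            return rule["actions"][0]
    return "accept"  # assumed default when nothing matches


def accepted(rules, raw_json=SAMPLE_O365_JSON):
    """Indicator values that survive the filter chain, in feed order."""
    return [i["indicator"] for i in to_indicators(raw_json)
            if apply_infilters(rules, i) == "accept"]


def express_route_rules(literal):
    """The thread's three-rule chain; the caller supplies the literal for the expressRoute test."""
    return [
        {"name": "accept withdraws", "conditions": ["__method == 'withdraw'"], "actions": ["accept"]},
        {"name": "accept o365_expressRoute", "conditions": [f"o365_expressRoute == {literal}"],
         "actions": ["accept"]},
        {"name": "drop all", "conditions": [], "actions": ["drop"]},
    ]


# The "required URL only" chain from the later post.
REQUIRED_URL_RULES = [
    {"name": "accept withdraws", "conditions": ["__method == 'withdraw'"], "actions": ["accept"]},
    {"name": "accept required URL only", "conditions": ["type == 'URL'", "o365_required == true"],
     "actions": ["accept"]},
    {"name": "drop all", "conditions": [], "actions": ["drop"]},
]

if __name__ == "__main__":
    print(accepted(express_route_rules("true")))    # ['outlook.office.com', '13.107.6.152/31', '52.112.0.0/14']
    print(accepted(express_route_rules("'true'")))  # [] - the quoted string never equals the boolean
    print(accepted(REQUIRED_URL_RULES))             # ['outlook.office.com', '*.sharepoint.com']
```

Run as a script it prints the three result lists: the unquoted boolean keeps the Express Route indicators, the quoted 'true' lets the trailing "drop all" rule swallow everything, which is the symptom described at the top of the thread, and the "required URL only" chain keeps just the two URLs whose o365_required attribute is true.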