L1 Bithead
Posts: 6
Registered: ‎03-27-2018
Accepted Solution

Cannot apply advanced filters for O365 API feeds

I'm trying to filter out unneeded/unnecessary indicators from our O365 feed, but no matter where I apply the filters I am still receiving all of the indicators.

For example, I would like to filter on only indicators available over Express Route, and in the JSON you can see that 'expressRoute' is an available field with a boolean value of either true or false, but trying to add an infilter or outfilter condition for 'o365_expressRoute' doesn't work. I just end up with 0 indicators in my output due to the drop all at the end of my condition statements.

Can someone explain to me why this is? There's even an available prototype that comes with MineMeld for filtering out 3rd Party Integrations from the O365 API feed, and even that doesn't work.

L5 Sessionator
Posts: 275
Registered: ‎11-15-2012

Re: Cannot apply advanced filters for O365 API feeds

Hi @BenjaminCole,

just attempted to reproduce your experience in my lab unsuccessfully. In my case, the input filter for the Express Route condition works like a charm.

This is my infilter configuration:

infilters:
-   actions:
    - accept
    conditions:
    - __method == 'withdraw'
    name: accept withdraws
-   actions:
    - accept
    conditions:
    - o365_expressRoute == true
    name: accept o365_expressRoute
-   actions:
    - drop
    name: drop all
L1 Bithead
Posts: 6
Registered: ‎03-27-2018

Re: Cannot apply advanced filters for O365 API feeds

@xhoms, It's funny because I was using almost the exact same syntax/conditions you were; except I was using single quotes around the 'true' in the o365_expressRoute condition.

Once I removed those it works as expected, now.

Thanks for following up!

L2 Linker
Posts: 35
Registered: ‎08-01-2017

Re: Cannot apply advanced filters for O365 API feeds

Hi Guys,

I have tried to accomplish something similar, but instead of filtering on expressRoute I wanted to filter on the "required" JSON field.

It seems I have been able to accomplish this, but I still don't understand why you need to append "o365_" to the name of the JSON field:

infilters:
-   actions:
    - accept
    conditions:
    - __method == 'withdraw'
    name: accept withdraws
-   actions:
    - accept
    conditions:
    - type == 'URL'
    - o365_required == true
    name: accept required URL only
-   actions:
    - drop
    name: drop all
whitelist_prefixes:
- wl
L5 Sessionator
Posts: 275
Registered: ‎11-15-2012

Re: Cannot apply advanced filters for O365 API feeds

Hi @Alexander.Astardzhiev,

current O365_API miner implementation prefixes the attributes 'expressRoute', 'optionalImpact', 'serviceArea', 'tcpPorts', 'udpPorts', 'category' and 'required' with the 'o365_' string. That is the reason.

https://github.com/PaloAltoNetworks/minemeld-core/blob/dc261fe35614b87ab554b08a0e2a7962850bb23d/mine...
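Added illustration, not MineMeld's own code: a simplified Python model of the two points made in this thread, the 'o365_' prefix the miner puts on the O365 JSON fields, and why the quoted 'true' in the first poster's condition never matched. The typed comparison of literals, the first-matching-rule semantics and the default 'accept' when no rule matches are assumptions of this model, and the sample indicator is constructed.

```python
import re
# O365 JSON fields the thread says the miner prefixes with 'o365_'.
O365_FIELDS = ('expressRoute', 'optionalImpact', 'serviceArea',
               'tcpPorts', 'udpPorts', 'category', 'required')

def build_indicator(method, indicator, type_, raw):
    """Model the miner's naming: every O365 field becomes an 'o365_' attribute."""
    attrs = {'__method': method, 'indicator': indicator, 'type': type_}
    attrs.update(('o365_' + f, raw[f]) for f in O365_FIELDS if f in raw)
    return attrs

_COND = re.compile(r"^\s*(\w+)\s*(==|!=)\s*(.+?)\s*$")
def parse_literal(token):
    """Quoted text is a string; bare true/false is a bool; digits are an int."""
    if len(token) >= 2 and token[0] == token[-1] and token[0] in "'\"":
        return token[1:-1]
    if token in ('true', 'false'):
        return token == 'true'
    if token.isdigit():
        return int(token)
    raise ValueError('unsupported literal: %s' % token)

def condition_holds(condition, attrs):
    m = _COND.match(condition)
    if m is None:
        raise ValueError('cannot parse condition: %s' % condition)
    name, op, literal = m.groups()
    value = parse_literal(literal)
    # Comparison is typed: True == 'true' is False, so a quoted 'true' never
    # matches a boolean attribute and the indicator falls through to 'drop all'.
    if op == '==':
        return name in attrs and attrs[name] == value
    return name not in attrs or attrs[name] != value

def apply_infilters(filters, attrs):
    """Action of the first rule whose conditions all hold; a rule without
    conditions (like 'drop all') always matches. Default 'accept' is assumed."""
    for rule in filters:
        if all(condition_holds(c, attrs) for c in rule.get('conditions', [])):
            return rule['actions'][0]
    return 'accept'
# Constructed sample entry (documentation address, not a real O365 endpoint).
SAMPLE = build_indicator('update', '192.0.2.10/32', 'IPv4',
                         {'expressRoute': True, 'required': True, 'tcpPorts': '443'})
FILTERS_OK = [{'actions': ['accept'], 'conditions': ["__method == 'withdraw'"]},
              {'actions': ['accept'], 'conditions': ['o365_expressRoute == true']},
              {'actions': ['drop'], 'conditions': []}]
# The original poster's variant: the quotes make true a string literal.
FILTERS_QUOTED = [{'actions': ['accept'], 'conditions': ["o365_expressRoute == 'true'"]},
                  {'actions': ['drop'], 'conditions': []}]
```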
