How to filter O365 API feed?

L7 Applicator

Re: How to filter O365 API feed?

Just merged the code: https://github.com/PaloAltoNetworks/minemeld-core/pull/340

It will be there in the next release (if you are not using the develop branch now)

L1 Bithead

Re: How to filter O365 API feed?

Hi Luigi

Great news! Do you know the release date of the next stable version which contains your new code?

Cheers Markus

L1 Bithead

Re: How to filter O365 API feed?

Hi Luigi

Is the stable release already available with the improvement of the filter?

Cheers Markus

L7 Applicator

Re: How to filter O365 API feed?

@mfepan just released version 0.9.64 with the improved Miners. It adds new attributes terminating with _list that include all the values of that attribute in the different endpoints. You can use them with the filters to reliably detect specific ids, categories, required, etc. Example:

{
    "confidence": 100,
    "first_seen": 1565616931749,
    "last_seen": 1565616931749,
    "o365_category": "Allow",
    "o365_category_list": [
        "optimize",
        "allow"
    ],
    "o365_expressRoute": true,
    "o365_expressRoute_list": [
        "true"
    ],
    "o365_id": 6,
    "o365_id_list": [
        "1",
        "2",
        "5",
        "6"
    ],
    "o365_notes": "Exchange Online POP3 migration",
    "o365_notes_list": [
        "exchange online imap4 migration",
        "exchange online pop3 migration"
    ],
    "o365_required": false,
    "o365_required_list": [
        "false",
        "true"
    ],
    "o365_serviceArea": "Exchange",
    "o365_serviceArea_list": [
        "exchange"
    ],
    "o365_tcpPorts": "995",
    "o365_tcpPorts_list": [
        "995",
        "587",
        "143",
        "993",
        "443",
        "80"
    ],
    "o365_udpPorts_list": [],
    "share_level": "green",
    "sources": [
        "worldwide-any"
    ],
    "type": "IPv6"
}
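
Why the _list attributes matter for filtering, as an added Python illustration that is not part of the original post and not MineMeld's code: when one address appears in several endpoint sets, the scalar attribute carries a single set's value, so a filter on it can miss the address, while the _list attribute carries every value. The merge logic, helper names and sample records are constructed assumptions; the attribute names follow the example above.

```python
# Added illustration, not MineMeld code. The merge logic is an assumption made
# to reproduce the shape of the indicator shown in the post.

# Constructed sample: two endpoint sets that publish the same address.
SAMPLE_RECORDS = [
    {"id": 1, "category": "Optimize", "required": True,
     "serviceArea": "Exchange", "tcpPorts": "80,443"},
    {"id": 6, "category": "Allow", "required": False,
     "serviceArea": "Exchange", "tcpPorts": "995"},
]


def _tokens(key, value):
    """Normalise a value to lowercase strings; port strings are split on commas."""
    text = str(value).lower()
    parts = text.split(",") if key.endswith("Ports") else [text]
    return [p.strip() for p in parts if p.strip()]


def merge_endpoints(records):
    """Fold every endpoint set listing one address into a single indicator."""
    indicator = {}
    for rec in records:
        for key, value in rec.items():
            attr = "o365_" + key
            indicator[attr] = value  # scalar: only the last set's value survives
            seen = indicator.setdefault(attr + "_list", [])
            for token in _tokens(key, value):
                if token not in seen:
                    seen.append(token)
    return indicator


def matches_scalar(indicator, attr, wanted):
    """Filter on the single-valued attribute (misses the other endpoint sets)."""
    return str(indicator.get(attr)).lower() == wanted.lower()


def matches_list(indicator, attr, wanted):
    """Filter on the _list attribute (sees every endpoint set)."""
    return wanted.lower() in indicator.get(attr + "_list", [])


if __name__ == "__main__":
    merged = merge_endpoints(SAMPLE_RECORDS)
    print(merged["o365_category"], merged["o365_category_list"])
    print(matches_scalar(merged, "o365_category", "Optimize"))
    print(matches_list(merged, "o365_category", "Optimize"))
```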

 

L1 Bithead

Re: How to filter O365 API feed?

Hi Luigi

Great, we will test it and let you know if everything works as expected.

Regards Markus
