02-03-2021 10:59 PM - edited 02-03-2021 11:00 PM
Hello,
Using Miner "azure-public-cloudIPsWithServiceTags", I'm trying to get all the subnets from the Azure Region "switzerlandn".
I am using a filter I found in this forum :
- actions:
- accept
conditions:
- azure_region == 'switzerlandn'
- share_level == 'green'
name: accept azure IP for region switzerlandn
But it doesn't work... I have only a few prefixes
Looking at the .json file, I found the missing prefixes in 2 sections, the first is my "switzerlandn" section, the other has no label :
"name": "AzureCloud",
"id": "AzureCloud",
"properties": {
"changeNumber": 61,
"region": "",
"regionId": 0,
"platform": "Azure",
"systemService": "",
"addressPrefixes": [
"13.64.0.0/16",
"13.65.0.0/16",
...
Looking at Minemeld's logs, I see the following for a missing prefix (ouput of azure-public-cloudIPsWithServiceTags Miner) :
"_age_out": 4294967295000,
"confidence": 100,
"azure_system_service_list": [
""
],
"azure_platform_list": [
"azure"
],
"azure_region": "",
"share_level": "green",
"azure_platform": "Azure",
"_last_run": 1612367795560,
"sources": [
"azure-public-cloudIPsWithServiceTags"
],
"azure_name": "AzureCloud",
"azure_name_list": [
"azurecloud",
"azurecloud.switzerlandn"
],
"azure_id_list": [
"azurecloud",
"azurecloud.switzerlandn"
],
"azure_region_list": [
"",
"switzerlandn"
],
"azure_system_service": "",
"first_seen": 1611921383932,
"azure_id": "AzureCloud",
"type": "IPv4",
"last_seen": 1611921383932
}
Did you see the value of azure_region and the azure_region_list ? This explains why my filter (azure_region == "switzerlandn") doesn't work. The Miner puts in the "azure_region" field the last value it read from the .json file... And in my case the last value is ""...
Now my questions :
- I'm looking for a filter that will test if "switzerlandn" is contained in the azure_region_list. Any idea ?
- Or a way to modify the Miner, to avoid the "concatenation" of the prefixes that appear twice in the .json file.
Any idea ?
Thanks for your help !
Christophe
02-04-2021 02:00 AM
I found the answer here, thank you Dpurton
Here is my final filter :
infilters:
- actions:
- accept
conditions:
- __method == 'withdraw'
name: accept withdraws
- actions:
- accept
conditions:
- contains(azure_region_list, 'switzerlandn') == true
name: accept switzerlandn
- actions:
- drop
name: drop all
Apply this filter into an aggregator of type "stdlib.aggregatorIPv4Generic" and you will get all the prefixes for the desired region. If you need many regions, just add many actions, like this :
- actions:
- accept
conditions:
- contains(azure_region_list, 'switzerlandn') == true
name: accept switzerlandn
- actions:
- accept
conditions:
- contains(azure_region_list, 'northeurope') == true
name: accept northeurope
02-04-2021 02:00 AM
I found the answer here, thank you Dpurton
Here is my final filter :
infilters:
- actions:
- accept
conditions:
- __method == 'withdraw'
name: accept withdraws
- actions:
- accept
conditions:
- contains(azure_region_list, 'switzerlandn') == true
name: accept switzerlandn
- actions:
- drop
name: drop all
Apply this filter into an aggregator of type "stdlib.aggregatorIPv4Generic" and you will get all the prefixes for the desired region. If you need many regions, just add many actions, like this :
- actions:
- accept
conditions:
- contains(azure_region_list, 'switzerlandn') == true
name: accept switzerlandn
- actions:
- accept
conditions:
- contains(azure_region_list, 'northeurope') == true
name: accept northeurope
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
