I would like to filter for indicators with the category "allow" or "optimize" only. How would you define the filter for that? I cannot find that much information regarding filtering using a processor. I hope my steps are correct?
infilters:
  - actions:
      - accept
    conditions:
      - __method == 'withdraw'
    name: accept withdraws
  - actions:
      - accept
    conditions:
      - o365_category == 'Allow'
    name: accept o365_categoryAllow
  - actions:
      - accept
    conditions:
      - o365_category == 'Optimize'
    name: accept o365_categoryOptimize
  - actions:
      - drop
    name: drop all
Thanks a lot for your help!
Thanks for the fast reply.
It looks like it works, but if I compare the output node (the indicators finally listed after my filter) with the JSON file which is hopefully the correct source of the miner o365-api.wordwide-any (https://endpoints.office.com/endpoints/worldwide?clientrequestid=b10c5ed1-bad1-445f-b386-b919946339a...), then it doesn't have the same number of IPs (indicators).
If you modify the filter for the category "Optimize" only, then I get these 6 indicators at the output node:
But when I check the JSON file, there are more indicators listed:
Do you have any explanation for that? What have I done wrong? Is it not the same source or is the handling of the processor not correct?
Another interesting thing is that when I don't add a parameter to the output feed, it looks like this:
And when I add the parameter "?tr=1", then it looks like this:
That means that with the CIDR notation an additional indicator is listed (220.127.116.11/21). I have no idea why. How about you?
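One way to check the comparison described in the post above is to compare address space instead of raw line counts. This is an added example, not part of the original thread and not MineMeld code. It assumes the source JSON is a list of entries with "category" and "ips" fields and that the feed has one indicator per line, either CIDR or a "start-end" range; all sample data is constructed.

```python
import ipaddress
import json

# Constructed sample in the assumed shape of the endpoints JSON.
SAMPLE_JSON = """[
 {"id": 1, "category": "Optimize",
  "ips": ["192.0.2.0/25", "192.0.2.128/25", "2001:db8::/64"]},
 {"id": 2, "category": "Allow", "ips": ["198.51.100.0/24"]},
 {"id": 3, "category": "Default", "urls": ["example.com"]},
 {"id": 4, "category": "Optimize", "ips": ["192.0.2.0/25", "203.0.113.8/31"]}
]"""

# Constructed feed output: one indicator per line, CIDR or "start-end".
SAMPLE_FEED = "192.0.2.0-192.0.2.255\n203.0.113.8/31\n"

def source_networks(doc, categories):
    """Unique networks listed in the JSON for the wanted categories."""
    nets = set()
    for entry in json.loads(doc):
        if entry.get("category") in categories:
            for ip in entry.get("ips", []):  # URL-only entries have no "ips"
                nets.add(ipaddress.ip_network(ip, strict=False))
    return nets

def feed_networks(text):
    """Networks in the feed; ranges are converted to covering CIDR blocks."""
    nets = set()
    for line in filter(None, map(str.strip, text.splitlines())):
        if "-" in line:
            first, last = (ipaddress.ip_address(p) for p in line.split("-"))
            nets.update(ipaddress.summarize_address_range(first, last))
        else:
            nets.add(ipaddress.ip_network(line, strict=False))
    return nets

def normalize(nets):
    """Merge adjacent and overlapping networks, per IP version."""
    out = set()
    for version in (4, 6):
        out.update(ipaddress.collapse_addresses(
            n for n in nets if n.version == version))
    return out

def compare(doc, feed, categories):
    """Compare exact prefixes after both sides have been collapsed."""
    raw = source_networks(doc, categories)
    src, out = normalize(raw), normalize(feed_networks(feed))
    return {"raw_source_count": len(raw), "collapsed_source_count": len(src),
            "missing_from_feed": sorted(map(str, src - out)),
            "extra_in_feed": sorted(map(str, out - src))}
```

Duplicate entries across endpoint sets and adjacent prefixes that merge into one block both change the line count without changing the covered addresses, so the "missing" and "extra" lists are the figures to read.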