About Farouk.Kahoul

hi Luigi   thx for your answer.   im using the VERSION: 0.9.66. i have found a way to filter using the syntax: contains(xxxxx_list, 'yyyyyyy') == true ... View more

Merci milles Dpurton !   my experience:   - use combinations of filters as conditions: contains(xxxxxx_xxxx_list, 'lowercasename') == true   note the lowercase !   also, if you want to filter on a field that contains a "." like name or id, it seems it doesn't work, you will have to use others fields like region+service for example.     this is my prototype based on stdlib.feedHCWithValue :   infilters: - actions: - accept conditions: - __method == 'withdraw' name: accept withdraws - actions: - accept conditions: - contains(azure_system_service_list, 'azureappservice') == true name: accept AzureAppService - actions: - accept conditions: - contains(azure_region_list, 'northeurope') == true - contains(azure_system_service_list, '') == true name: accept northeurope_system_service_empty - actions: - accept conditions: - contains(azure_region_list, 'westeurope') == true - contains(azure_system_service_list, '') == true name: accept westeurope_system_service_empty - actions: - accept conditions: - contains(azure_system_service_list, 'azuread') == true name: accept azuread - actions: - accept conditions: - contains(azure_system_service_list, 'azureadvancedthreatprotection') == true name: accept AzureAdvancedThreatProtection - actions: - accept conditions: - contains(azure_system_service_list, 'azureappservicemanagement') == true name: accept AzureAppServiceManagement - actions: - drop name: drop all store_value: true         ... View more

 think the question is: "how to build a condition to ACCEPT the entry if at least one variable is on the list"   my filter is azure_name_list == 'AzureActiveDirectory'   this one has been accepted:   azure_name_list:[azureactivedirectory]   this one has been dropped:   azure_name_list:[azureactivedirectory,azureactivedirectorydomainservices]   because this IP entry is used for both ranges "azureactivedirectory" and "azureactivedirectorydomainservices".   i tried   conditions: - share_level == "green" - type == "IPv4" - contains(azure_name_list, 'AzureActiveDirectory') == true   but syntax should not be good.   is there someone able to help me on the YAML syntax to build a condition where at least the variable is present on the list?       ... View more

hi   did you resolved your problem of filtering by service name? i have the same problem. ... View more

Hi   i'm in the same situation. i dont understand why i cannot get the IPs from the name "AzureCloud.westeurope".   my filters: NAME CONDITIONS ACTIONS accept withdraws __method == 'withdraw' accept AzureActiveDirectory share_level == 'green' type == 'IPv4' azure_name == 'AzureActiveDirectory' accept AzureAdvancedThreatProtection share_level == 'green' type == 'IPv4' azure_name == 'AzureAdvancedThreatProtection' accept AppService share_level == 'green' type == 'IPv4' azure_name == 'AppService' accept AppServiceManagement share_level == 'green' type == 'IPv4' azure_name_list == 'AppServiceManagement' accept AppService.NorthEurope share_level == 'green' type == 'IPv4' azure_name == 'AppService.NorthEurope' accept AzureCloud.northeurope share_level == 'green' type == 'IPv4' azure_name == 'AzureCloud.northeurope' accept AppService.WestEurope share_level == 'green' type == 'IPv4' azure_name == 'AppService.WestEurope' accept AzureCloud.westeurope share_level == 'green' type == 'IPv4' azure_name == 'azurecloud.westeurope' accept drop all   drop     logs shows TRACE/DROP for a range: { "confidence": 100, "azure_system_service_list": [ "" ], "azure_platform_list": [ "azure" ], "azure_region": "", "share_level": "green", "azure_id": "AzureCloud", "sources": [ "Azure-worldwide-miner-2" ], "azure_name": "AzureCloud", "azure_name_list": [ "azurecloud.westeurope", "azurecloud" ], "azure_id_list": [ "azurecloud.westeurope", "azurecloud" ], "azure_region_list": [ "", "westeurope" ], "azure_system_service": "", "first_seen": 1582736638722, "azure_platform": "Azure", "type": "IPv4", "last_seen": 1582736638722 }   pls advice.   ... View more