Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Get Started
- News & Events
- Collaboration
- Education Services
- Technologies
- Next-Generation Firewall
- GlobalProtect
- Threat Prevention Services
- Endpoint Protection
- SSL Decryption
- App-ID
- Content-ID
- User-ID
- 5G
- IoT Security
- Cloud Identity Engine
- Panorama
Network Security
- Prisma Access
- Prisma Cloud
- Prisma SD-WAN
- CN-Series
- VM-Series:
- Private Cloud
- OCI
- Alibaba
- AWS
- GCP
- Azure
Cloud Security
- Cortex XDR
- Cortex XSOAR
- Cortex Data Lake
- Cortex Xpanse
Security Operations
- Resources
- COVID-19 Response Center
About Farouk.Kahoul
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- LIVEcommunity
- About Farouk.Kahoul
12-02-2021
5Posts
1Like
0Solutions
Dec 02, 2021Last Visited
User
Activity
User
Profile
Latest posts by Farouk.Kahoul
| Subject | Views | Posted |
|---|---|---|
| 4077 | 03-06-2020 02:49 AM | |
| 4424 | 03-04-2020 03:22 AM | |
| 4490 | 03-02-2020 09:16 AM | |
| 4201 | 02-28-2020 06:48 AM | |
| 4530 | 02-27-2020 08:59 AM |
My Liked Posts
| Subject | Likes | Posted |
|---|---|---|
| 1 Like | 03-06-2020 02:49 AM |
User Badges
Community Statistics
| Member Since | 02-27-2020 08:54 AM |
| Date Last Visited | 12-02-2021 04:14 AM |
| Posts | 5 |
| Total Likes Received | 1 |
03-06-2020
02:49 AM
1 Kudo
hi Luigi
thx for your answer.
im using the VERSION: 0.9.66.
i have found a way to filter using the syntax: contains(xxxxx_list, 'yyyyyyy') == true
... View more
03-04-2020
03:22 AM
Merci milles Dpurton !
my experience:
- use combinations of filters as conditions: contains(xxxxxx_xxxx_list, 'lowercasename') == true
note the lowercase !
also, if you want to filter on a field that contains a "." like name or id, it seems it doesn't work, you will have to use others fields like region+service for example.
this is my prototype based on stdlib.feedHCWithValue :
infilters: - actions: - accept conditions: - __method == 'withdraw' name: accept withdraws - actions: - accept conditions: - contains(azure_system_service_list, 'azureappservice') == true name: accept AzureAppService - actions: - accept conditions: - contains(azure_region_list, 'northeurope') == true - contains(azure_system_service_list, '') == true name: accept northeurope_system_service_empty - actions: - accept conditions: - contains(azure_region_list, 'westeurope') == true - contains(azure_system_service_list, '') == true name: accept westeurope_system_service_empty - actions: - accept conditions: - contains(azure_system_service_list, 'azuread') == true name: accept azuread - actions: - accept conditions: - contains(azure_system_service_list, 'azureadvancedthreatprotection') == true name: accept AzureAdvancedThreatProtection - actions: - accept conditions: - contains(azure_system_service_list, 'azureappservicemanagement') == true name: accept AzureAppServiceManagement - actions: - drop name: drop all store_value: true
... View more
03-02-2020
09:16 AM
think the question is: "how to build a condition to ACCEPT the entry if at least one variable is on the list"
my filter is azure_name_list == 'AzureActiveDirectory'
this one has been accepted:
azure_name_list:[azureactivedirectory]
this one has been dropped:
azure_name_list:[azureactivedirectory,azureactivedirectorydomainservices]
because this IP entry is used for both ranges "azureactivedirectory" and "azureactivedirectorydomainservices".
i tried
conditions: - share_level == "green" - type == "IPv4" - contains(azure_name_list, 'AzureActiveDirectory') == true
but syntax should not be good.
is there someone able to help me on the YAML syntax to build a condition where at least the variable is present on the list?
... View more
02-28-2020
06:48 AM
hi
did you resolved your problem of filtering by service name?
i have the same problem.
... View more
02-27-2020
08:59 AM
Hi
i'm in the same situation.
i dont understand why i cannot get the IPs from the name "AzureCloud.westeurope".
my filters:
NAME
CONDITIONS
ACTIONS
accept withdraws
__method == 'withdraw'
accept
AzureActiveDirectory
share_level == 'green'
type == 'IPv4'
azure_name == 'AzureActiveDirectory'
accept
AzureAdvancedThreatProtection
share_level == 'green'
type == 'IPv4'
azure_name == 'AzureAdvancedThreatProtection'
accept
AppService
share_level == 'green'
type == 'IPv4'
azure_name == 'AppService'
accept
AppServiceManagement
share_level == 'green'
type == 'IPv4'
azure_name_list == 'AppServiceManagement'
accept
AppService.NorthEurope
share_level == 'green'
type == 'IPv4'
azure_name == 'AppService.NorthEurope'
accept
AzureCloud.northeurope
share_level == 'green'
type == 'IPv4'
azure_name == 'AzureCloud.northeurope'
accept
AppService.WestEurope
share_level == 'green'
type == 'IPv4'
azure_name == 'AppService.WestEurope'
accept
AzureCloud.westeurope
share_level == 'green'
type == 'IPv4'
azure_name == 'azurecloud.westeurope'
accept
drop all
drop
logs shows TRACE/DROP for a range:
{ "confidence": 100, "azure_system_service_list": [ "" ], "azure_platform_list": [ "azure" ], "azure_region": "", "share_level": "green", "azure_id": "AzureCloud", "sources": [ "Azure-worldwide-miner-2" ], "azure_name": "AzureCloud", "azure_name_list": [ "azurecloud.westeurope", "azurecloud" ], "azure_id_list": [ "azurecloud.westeurope", "azurecloud" ], "azure_region_list": [ "", "westeurope" ], "azure_system_service": "", "first_seen": 1582736638722, "azure_platform": "Azure", "type": "IPv4", "last_seen": 1582736638722 }
pls advice.
... View more
LEGAL NOTICES
Copyright 2007 - 2022 - Palo Alto Networks
