The ticket titled “API ip-geo D&R Rule” is locked, so I am starting a new thread.
I have implemented the updated D&R rule (from the previous ticket) and it is still matching US IPs.
I have a rule that only excludes US IPs and it works as expected (matches non-US IPs). So the API lookup is working.
Hmmm, can you share the rule that’s not working here again? Just so we have the most up-to-date version all in context?
Here is the rule:
event: UserLoggedIn
metadata_rules:
  op: and
  rules:
    - case sensitive: false
      not: true
      op: is
      path: event/country/iso_code
      value: US
    - case sensitive: false
      not: true
      op: is
      path: event/country/iso_code
      value: CA
op: lookup
path: event/ActorIpAddress
resource: lcr://api/ip-geo
Thanks, AI caught the issue:
In the customer's metadata_rules, the path is event/country/iso_code. But metadata_rules evaluate against the lookup result directly, not the original event. The ip-geo API returns data structured like:
{
  "country": {
    "iso_code": "US"
  },
  "continent": {
    "code": "NA"
  }
}
When the metadata_rules context is set up (detect.go:1587-1590), the Message is replaced with the raw lookup result dict — there's no event wrapper. So the path event/country/iso_code fails to find anything.
The cascade then:
1. is at path event/country/iso_code → path doesn't exist → extracts nothing → no match → returns false
2. not: true inverts → true
3. Same for the CA check → true
4. and of both → true → rule matches every IP
The fix for the customer — change event/country/iso_code to just country/iso_code:
event: UserLoggedIn
metadata_rules:
  op: and
  rules:
    - case sensitive: false
      not: true
      op: is
      path: country/iso_code
      value: US
    - case sensitive: false
      not: true
      op: is
      path: country/iso_code
      value: CA
op: lookup
path: event/ActorIpAddress
resource: lcr://api/ip-geo
The event/ prefix is correct for the outer rule's path (since the IP address is in the event payload at event/ActorIpAddress), but inside metadata_rules the root context is the lookup result itself, so paths are relative to that.
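The cascade described above, as an added example that is not part of the original post and is not LimaCharlie's code: a simplified Python model of the path lookup, `is`, `not` and `and` steps, plus a hypothetical `dead_paths` check that flags rule paths which never resolve against a sample lookup result. The function names, the default for `case sensitive` and the sample lookup results are assumptions constructed for illustration.

```python
# Simplified model of the evaluation described above; NOT LimaCharlie's code.

def get_path(doc, path):
    """Walk a slash-separated path; return (found, value)."""
    node = doc
    for key in path.split("/"):
        if not isinstance(node, dict) or key not in node:
            return False, None
        node = node[key]
    return True, node

def evaluate(rule, doc):
    """Evaluate an 'and' / 'is' rule tree against doc, honouring 'not'."""
    if rule["op"] == "and":
        result = all(evaluate(r, doc) for r in rule["rules"])
    elif rule["op"] == "is":
        found, value = get_path(doc, rule["path"])
        want = str(rule["value"])
        # Assumption in this model: comparison is case sensitive unless disabled.
        if found and not rule.get("case sensitive", True):
            value, want = str(value).lower(), want.lower()
        result = found and str(value) == want   # missing path -> no match
    else:
        raise ValueError("unsupported op: " + rule["op"])
    return not result if rule.get("not") else result

def dead_paths(rule, sample):
    """List paths in the rule tree that do not resolve in a sample lookup result."""
    if rule["op"] == "and":
        return [p for r in rule["rules"] for p in dead_paths(r, sample)]
    return [] if get_path(sample, rule["path"])[0] else [rule["path"]]

def not_in(prefix):
    """Build the thread's metadata_rules with the given path prefix."""
    return {"op": "and", "rules": [
        {"op": "is", "not": True, "case sensitive": False,
         "path": prefix + "country/iso_code", "value": code}
        for code in ("US", "CA")]}

# Constructed lookup results shaped like the ip-geo response quoted above.
US = {"country": {"iso_code": "US"}, "continent": {"code": "NA"}}
DE = {"country": {"iso_code": "DE"}, "continent": {"code": "EU"}}

BROKEN, FIXED = not_in("event/"), not_in("")

if __name__ == "__main__":
    for name, rule in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, "US:", evaluate(rule, US), "DE:", evaluate(rule, DE),
              "dead paths:", dead_paths(rule, US))
```

Any negated rule whose path shows up in `dead_paths` will match every input, which is the failure mode in this thread.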
This resolved the issue. Thank you very much!
Can I ask what your prompt looked like for this? Was it as simple as feeding it the rule and asking it to troubleshoot why it wasn’t working?
Essentially yes, I also cheated a bit and pointed to the code. But you could point to the new doc: GitHub - refractionPOINT/documentation: LimaCharlie Markdown Documentation · GitHub
That doc is about to become canonical and replace the current doc.limacharlie.io