Update Security_Containers/crowdsec/postoverflows/s01-whitelist/geoip-allow.yaml

Security_Containers/crowdsec/postoverflows/s01-whitelist/geoip-allow.yaml

@@ -1,7 +1,8 @@
 name: crowdsecurity/geoip-allow-us-de
 description: "Block all countries except US and Germany"
 filter: "evt.Enriched.IsoCode != 'US' && evt.Enriched.IsoCode != 'DE'"
-blackhole: 1m
-labels:
-  type: geo_block
-remediation: true
+whitelist:
+  reason: "GeoIP block - country not in allowlist"
+  expression:
+    - "evt.Enriched.IsoCode == 'US'"
+    - "evt.Enriched.IsoCode == 'DE'"