Docker-Compose/Security_Containers/crowdsec/postoverflows/s01-whitelist/geoip-allow.yaml

name: crowdsecurity/geoip-allow-us-de
description: "Block all countries except US and Germany"
filter: "evt.Enriched.IsoCode != 'US' && evt.Enriched.IsoCode != 'DE'"
whitelist:
  reason: "GeoIP block - country not in allowlist"
  expression:
    - "evt.Enriched.IsoCode == 'US'"
    - "evt.Enriched.IsoCode == 'DE'"