Custom rule for filtering traffic from some ccountries

This works and there are over 2000 challenges per day:

(ip.geoip.country eq "CN" and cf.threat_score gt 0) or (ip.geoip.country eq "RU" and cf.threat_score gt 0) or (ip.geoip.country eq "KP" and cf.threat_score gt 0) or (ip.geoip.country eq "VN" and cf.threat_score gt 0) or (ip.geoip.country eq "TR" and cf.threat_score gt 0) or (ip.geoip.country eq "TH" and cf.threat_score gt 0) or (ip.geoip.country eq "IQ" and cf.threat_score gt 0) or (ip.geoip.country eq "IR" and cf.threat_score gt 0) or (ip.geoip.country eq "ID" and cf.threat_score gt 0) or (ip.geoip.country eq "PL" and cf.threat_score gt 0)

This does nothing. Zero challenges after a day:

(ip.geoip.country in {"CN" "ID" "IR" "IQ" "KP" "RU" "TW" "TH" "TR" "VN" "PL"} and cf.threat_score gt 0)

I thought the second method was prefered?:

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.