
whitelist match issues

Hi everyone, I am having an issue where a logical AND NOT isn't working properly. Simply put, I have an alert for mail servers that should be whitelisting a single IP's communication with either one of two IPs.

```
index=* tag=network NOT (src_ip=10.100.90.34 AND dest_ip=10.100.1.1) NOT(src_ip=10.100.90.34 AND dest_ip=10.100.1.2) (dest_port=25 OR dest_port=465 OR dest_port=2525 OR dest_port=110 OR dest_port=995 OR dest_port=143 OR dest_port=993) NOT [ | inputlookup Inventory | eval category=split(asset_category, "|") | search category="Email" OR category="Mail" | return 100 $asset_ip ]
| eval is_local=`local_ip_list(src)`
| where is_local=1
| stats earliest(_time) as Timestamp, values(dest) as "Destination IP", values(app) as Application, values(dest_port) as Port, values(user) as Username, earliest(_raw) as "Raw Log", count by src
| convert ctime(Timestamp)
| rename count as Correlated src as "Source IP"
| search Correlated >29
```

My issue is that the alert is firing for communication between 10.100.90.34 and 10.100.1.1 or 10.100.1.2 (IPs A, B and C respectively). I've tried `NOT(A (B OR C))` and also `NOT(A B) NOT(A C)`. Based on both logical expressions, the results should not include communication between those 2 devices.

**Note:** I am unable to modify the inventory lookup table, *and* I have tried the search without the sub-search with the same result, except of course having my lookup table results included in the alert.

Thanks for taking the time to read this.
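The whitelist logic in the question, modelled in Python as an added example (this is not Splunk code and not part of the original post). It evaluates both forms the poster tried, `NOT(A B) NOT(A C)` and `NOT(A (B OR C))`, over a handful of constructed events and shows they are equivalent. It also exercises the one edge case worth checking before blaming the boolean logic: in Splunk, `NOT field=value` is true for an event that does not carry `field` at all, so if the destination address were extracted under a different name (the search filters on `dest_ip` but reports `values(dest)`), the whitelist would silently pass every event. Whether that is the cause here is an assumption; the field names and sample events below are constructed for illustration.

```python
"""Model of a Splunk-style whitelist: NOT (src=A AND dest=B) NOT (src=A AND dest=C)."""

SRC_A = "10.100.90.34"                      # IP A from the question
MAIL_SERVERS = {"10.100.1.1", "10.100.1.2"}  # IPs B and C
MAIL_PORTS = {25, 465, 2525, 110, 995, 143, 993}

# Constructed sample events, keyed the way the search expects (dest_ip).
SAMPLE_EVENTS = [
    {"src_ip": "10.100.90.34", "dest_ip": "10.100.1.1", "dest_port": 25},   # A -> B: whitelisted
    {"src_ip": "10.100.90.34", "dest_ip": "10.100.1.2", "dest_port": 465},  # A -> C: whitelisted
    {"src_ip": "10.100.90.34", "dest_ip": "10.100.5.5", "dest_port": 25},   # A -> other host: alert
    {"src_ip": "10.100.90.40", "dest_ip": "10.100.1.1", "dest_port": 993},  # other host -> B: alert
    {"src_ip": "10.100.90.34", "dest_ip": "10.100.1.1", "dest_port": 80},   # not a mail port: dropped
]

# Constructed events where the destination was extracted as "dest" rather than "dest_ip"
# (hypothetical field-name mismatch; assumed for the demonstration).
MISNAMED_EVENTS = [
    {"src_ip": "10.100.90.34", "dest": "10.100.1.1", "dest_port": 25},
]


def survives_pairwise(event, dest_field="dest_ip"):
    """True if the event passes `NOT(A B) NOT(A C)`.

    A comparison against a missing field is false, so NOT of it is true,
    which mirrors Splunk's handling of NOT field=value on absent fields.
    """
    src, dest = event.get("src_ip"), event.get(dest_field)
    a_to_b = src == SRC_A and dest == "10.100.1.1"
    a_to_c = src == SRC_A and dest == "10.100.1.2"
    return not a_to_b and not a_to_c


def survives_grouped(event, dest_field="dest_ip"):
    """True if the event passes `NOT(A (B OR C))`; by De Morgan this equals the pairwise form."""
    src, dest = event.get("src_ip"), event.get(dest_field)
    return not (src == SRC_A and dest in MAIL_SERVERS)


def alert_candidates(events, predicate=survives_pairwise, dest_field="dest_ip"):
    """Events that would reach the stats stage: on a mail port AND not whitelisted."""
    return [e for e in events
            if e.get("dest_port") in MAIL_PORTS and predicate(e, dest_field)]


def events_missing_field(events, field):
    """Diagnostic: how many events lack the field the whitelist relies on."""
    return sum(1 for e in events if field not in e)


if __name__ == "__main__":
    for e in alert_candidates(SAMPLE_EVENTS):
        print("alert:", e["src_ip"], "->", e["dest_ip"], "port", e["dest_port"])
    # With the destination stored under a different field name the whitelist no longer applies.
    print("misnamed events reaching alert:", len(alert_candidates(MISNAMED_EVENTS)))
    print("events lacking dest_ip:", events_missing_field(MISNAMED_EVENTS, "dest_ip"))
```

Running it shows the two whitelisted pairs are excluded and the two legitimate candidates remain, with both NOT forms agreeing on every event. The misnamed event reaches the alert stage under the `dest_ip` predicate but is excluded once the predicate is pointed at `dest`, which is the check to run against real events (for instance with `| stats count(dest_ip) count(dest)`) before reworking the boolean expression.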
