Hi there! Please, I need your help. I am ingesting ARP and DHCP logs to find IPs outside my organization, so I implemented an alarm, but I must exclude 1650 MAC addresses. Can I create a list with these MAC addresses to add to the alarm with an Elasticsearch query, without creating a very large query?
Currently my query in the alarm is:
{
  "query": {
    "bool": {
      "must": [
        {
          "match": {
            "type": "device_packet_flood"
          }
        }
      ]
    }
  }
}
But I have to filter 1650 MAC addresses, for example:
{
  "query": {
    "bool": {
      "filter": [
        {
          "bool": {
            "should": [
              {
                "match_phrase": {
                  "type": "device_packet_flood"
                }
              }
            ]
          }
        }
      ],
      "must_not": [
        {
          "bool": {
            "should": [
              {
                "match_phrase": {
                  "device": "00:00:F6:CB:AC:51 OR 04:56:E5:7C:BB:4 OR etc OR etc OR etc OR etc (1650 MAcs)"
                }
              }
            ]
          }
        }
      ]
    }
  }
}
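One way to keep the alarm query short, as an added example that is not from the original poster: a Python script that validates the MAC list and emits either a single `terms` clause under `must_not`, or a terms-lookup clause that points at a document holding the list (the `mac-exclusions` index, document id `current` and path `macs` are hypothetical names). It assumes the `device` field is a keyword field storing upper-case, colon-separated MACs.

```python
import json
import re

# Constructed sample list; in practice the 1650 addresses would be loaded from a file.
EXCLUDED_MACS = ["00:00:F6:CB:AC:51", "04:56:e5:7c:bb:40", "AA-BB-CC-DD-EE-FF"]

def normalize_mac(mac: str) -> str:
    """Return the MAC as upper-case, colon-separated, or raise on a malformed one.
    A malformed entry (e.g. a missing hex digit) would never match a stored value,
    so that device would silently keep triggering the alarm; reject it up front."""
    parts = re.split(r"[:-]", mac.strip())
    if len(parts) != 6 or not all(re.fullmatch(r"[0-9A-Fa-f]{2}", p) for p in parts):
        raise ValueError(f"malformed MAC address: {mac!r}")
    return ":".join(p.upper() for p in parts)

def build_inline_query(excluded_macs, device_field="device", alert_type="device_packet_flood"):
    """Inline form: a single `terms` clause under must_not carries the whole list.
    Assumes `device_field` is a keyword field storing upper-case colon-separated MACs."""
    macs = sorted({normalize_mac(m) for m in excluded_macs})  # dedupe, one value each
    return {
        "query": {
            "bool": {
                "filter": [{"match": {"type": alert_type}}],
                "must_not": [{"terms": {device_field: macs}}],
            }
        }
    }

def build_lookup_query(lookup_index="mac-exclusions", lookup_id="current", lookup_path="macs",
                       device_field="device", alert_type="device_packet_flood"):
    """Terms-lookup form: the list lives in one document of a separate index (the
    index, document id and path names here are hypothetical), so the alarm query
    stays a few lines long and the list is updated by re-indexing that document."""
    lookup = {"index": lookup_index, "id": lookup_id, "path": lookup_path}
    return {
        "query": {
            "bool": {
                "filter": [{"match": {"type": alert_type}}],
                "must_not": [{"terms": {device_field: lookup}}],
            }
        }
    }

if __name__ == "__main__":
    print(json.dumps(build_inline_query(EXCLUDED_MACS), indent=2))
    print(json.dumps(build_lookup_query(), indent=2))
```

The lookup form needs the list document to be indexed before the alarm runs, and both forms stay well below the default `index.max_terms_count` of 65536.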