Query DSL, Boolean query. Multiple conditions for must_not

Hello guys, hope you are doing well and healthy.

Im having a little trouble using DSL querys.
My objective is this:
I want to trigger an event that,
the action must be "UserLoggedIn",
the country must NOT be Portugal, and i also want to add some exceptions.
The following query actually works, but i dont know, or i cant add some of the exceptions i want.

So, imagine, i dont want to trigger if the user is "john@hotmail.com" and the country is "Germany". with the following query im not triggering any kind of logs from "john@hotmail.com", and i need to add inside each exception, the country verification.

And if there was an event from "john@hotmail.com" and the country "Spain", the event would still trigger. Thats what i mean.

Let me know if my explanation is not clear.

My query:

    "body": {
                "query": {
                  "bool": {
                    "must": [
                      {
                        "match": {
                          "event.action": "UserLoggedIn"
                        }
                      },
                      {
                        "range": {
                          "logstash_processed_at": {
                            "gte": "now-1m",
                            "lte": "now"
                          }
                        }
                      }
                    ],
                    "must_not": [
                      {
                        "match": {
                          "geoip.country_name": "Portugal"
                        }
                      },
                      {
                        "match": {
                          "user.id": "john@hotmail.com"
                        }
                      },
                      {
                        "match": {
                          "user.id": "michael@hotmail.com"
                        }
                      },
                      {
                        "match": {
                          "user.id": "william@hotmail.com"
                        }
                      }
                    ]
                  }
                }
            

I have already read some of the documentation, in order to understand. and i didnt found yet something that would fill my requirements. If there is something that i must read before doing this, i'm open to it!
Thank you so much for your help :slight_smile: