whitelist match issues

alaking
Explorer

Hi everyone,

I am having an issue where a logical AND NOT isn't working properly. Simply put, I have an alert for mail servers that should be whitelisting a single IP's communication with either one of two IPs.

index=* tag=network NOT (src_ip=10.100.90.34 AND dest_ip=10.100.1.1) NOT(src_ip=10.100.90.34 AND dest_ip=10.100.1.2) (dest_port=25 OR dest_port=465 OR dest_port=2525 OR dest_port=110 OR dest_port=995 OR dest_port=143 OR dest_port=993) NOT
    [
    | inputlookup Inventory 
    | eval category=split(asset_category, "|") 
    | search category="Email" OR category="Mail" 
    | return 100 $asset_ip ] 
| eval is_local=`local_ip_list(src)` 
| where is_local=1 
| stats earliest(_time) as Timestamp, values(dest) as "Destination IP", values(app) as Application, values(dest_port) as Port, values(user) as Username, earliest(_raw) as "Raw Log", count by src 
| convert ctime(Timestamp) 
| rename count as Correlated src as "Source IP" 
| search Correlated >29

My issue is that the alert is firing for communication between 10.100.90.34 and 10.100.1.1 or 10.100.1.2 (IPs A, B and C respectively). I've tried
NOT(A (B OR C))
Also:
NOT(A B) NOT(A C)
Based on both logical expressions the results should not include communication between those 2 devices.
Note: I am unable to modify the inventory lookup table, and I have tried the search without the sub-search with the same result, except of course having my lookup table results included in the alert.

Thanks for taking the time to read this.

0 Karma
1 Solution

somesoni2
Revered Legend

Try this

index=* tag=network NOT ((src_ip=10.100.90.34 AND dest_ip=10.100.1.1) OR (src_ip=10.100.90.34 AND dest_ip=10.100.1.2) )(dest_port=25 OR dest_port=465 OR dest_port=2525 OR dest_port=110 OR dest_port=995 OR dest_port=143 OR dest_port=993) NOT
     [
     | inputlookup Inventory 
     | eval category=split(asset_category, "|") 
     | search category="Email" OR category="Mail" 
     | return 100 $asset_ip ] 
 | eval is_local=`local_ip_list(src)` 
 | where is_local=1 
 | stats earliest(_time) as Timestamp, values(dest) as "Destination IP", values(app) as Application, values(dest_port) as Port, values(user) as Username, earliest(_raw) as "Raw Log", count by src 
 | convert ctime(Timestamp) 
 | rename count as Correlated src as "Source IP" 
 | search Correlated >29

0 Karma
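Added example, not from the thread: a Python model of the two exclusion forms (the question's `NOT (A AND B) NOT (A AND C)` and the answer's `NOT ((A AND B) OR (A AND C))`) run over constructed events, showing that both exclude the same pairs, that a pair-set whitelist is the same predicate, and what happens when the exclusion names fields the events do not carry (the question's NOT clauses use `src_ip`/`dest_ip` while its stats clause and macro use `src`/`dest`; the thread does not say which fields the events actually have). IPs, ports and field names are taken from the question; the events are constructed.

```python
# Added example, not from the thread: models the question's exclusion in Python.
MAIL_PORTS = {25, 465, 2525, 110, 995, 143, 993}      # dest_port list from the search
A, B, C = "10.100.90.34", "10.100.1.1", "10.100.1.2"  # IPs A, B, C from the question
WHITELIST = {(A, B), (A, C)}                          # pairs that should be excluded

# Constructed sample events. Field names follow the src/dest used by the
# question's stats clause and local_ip_list macro.
EVENTS = [
    {"src": A, "dest": B, "dest_port": 25},                # whitelisted A->B
    {"src": A, "dest": C, "dest_port": 465},               # whitelisted A->C
    {"src": A, "dest": "10.100.5.9", "dest_port": 25},     # A to another host: keep
    {"src": "10.100.90.35", "dest": B, "dest_port": 993},  # another host to B: keep
    {"src": A, "dest": B, "dest_port": 443},               # not a mail port: dropped
]


def excl_two_nots(e, src_field="src", dest_field="dest"):
    """NOT (A AND B) NOT (A AND C): the form in the question (implicit AND)."""
    s, d = e.get(src_field), e.get(dest_field)
    return not (s == A and d == B) and not (s == A and d == C)


def excl_or_form(e, src_field="src", dest_field="dest"):
    """NOT ((A AND B) OR (A AND C)): the form in the accepted answer."""
    s, d = e.get(src_field), e.get(dest_field)
    return not ((s == A and d == B) or (s == A and d == C))


def excl_pair_set(e, src_field="src", dest_field="dest"):
    """Same predicate as a pair lookup, the shape a lookup-based whitelist takes."""
    return (e.get(src_field), e.get(dest_field)) not in WHITELIST


def run_search(events, exclusion, **fields):
    """Mail-port filter plus the exclusion; returns surviving (src, dest) pairs."""
    return [(e["src"], e["dest"]) for e in events
            if e["dest_port"] in MAIL_PORTS and exclusion(e, **fields)]


if __name__ == "__main__":
    for f in (excl_two_nots, excl_or_form, excl_pair_set):
        print(f.__name__, run_search(EVENTS, f))
    # If the exclusion names src_ip/dest_ip but the events only carry src/dest,
    # every comparison fails, each NOT clause matches everything, and the
    # whitelisted A->B and A->C events survive into the alert.
    print("mismatch", run_search(EVENTS, excl_two_nots,
                                 src_field="src_ip", dest_field="dest_ip"))
```

The first check to make on a search like this is that the field names in the NOT clauses are the ones the events actually carry; the three predicate forms differ only in readability.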
