Looking for some assistance on cleaning up a query. I have created a dashboard card in IDR with the following query, but it seems a bit messy. Is there a way to make this more concise? I want to exclude 4 ports and a handful of IP addresses (not a range) from the results.
where(("direction" = OUTBOUND) AND "destination_port" != xx AND "destination_port" != xx AND "destination_port" != xx AND "destination_port" != xx AND destination_address != xx.xx.xx.xx AND destination_address != xx.xx.xx.xx AND destination_address != xx.xx.xx.xx AND destination_address != xx.xx.xx.xx AND asset != "assetname") groupby(asset, destination_port, destination_address) calculate(count)
In this case, it looks like you may want to replace
"destination_port" != xx AND "destination_port" != yy AND "destination_port" != zz
With:
destination_port NOT IN ["xx", "yy", "zz"]
The same can be done with the IP addresses, but I do want to call out that we also support CIDR notation, which may allow you to cut down on that section of the query even more.
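An added example, not part of the original posts: a small Python helper that builds the dashboard query from maintained exclusion lists using the `NOT IN [...]` form from the reply, and validates each value so a stray quote or typo cannot change the filter. The function names and sample values are hypothetical; the LEQL CIDR syntax is not shown in the thread, so the helper only reports which excluded addresses form an exact CIDR block.

```python
import ipaddress

def not_in(field, values):
    """Render `field NOT IN ["a", "b"]`, the list form shown in the reply."""
    return f"{field} NOT IN [" + ", ".join(f'"{v}"' for v in values) + "]"

def clean_ports(ports):
    """De-duplicate and sort ports, rejecting anything outside 1-65535."""
    out = sorted({int(p) for p in ports})
    if any(p < 1 or p > 65535 for p in out):
        raise ValueError("port out of range")
    return out

def clean_addresses(addresses):
    """Parse every address (ValueError on junk), de-duplicate and sort."""
    return sorted({ipaddress.ip_address(a) for a in addresses})

def cidr_candidates(addresses):
    """Networks that cover two or more excluded addresses exactly."""
    nets = ipaddress.collapse_addresses(clean_addresses(addresses))
    return [str(n) for n in nets if n.num_addresses > 1]

def build_query(ports, addresses, asset):
    """Assemble the outbound-traffic query with list-based exclusions."""
    if '"' in asset:
        raise ValueError("asset name must not contain a double quote")
    clauses = [
        '"direction" = OUTBOUND',
        not_in("destination_port", clean_ports(ports)),
        not_in("destination_address", clean_addresses(addresses)),
        f'asset != "{asset}"',
    ]
    return ("where(" + " AND ".join(clauses) + ") "
            "groupby(asset, destination_port, destination_address) "
            "calculate(count)")

# Constructed sample values (documentation address ranges), not from the thread.
PORTS = [443, 53, 123, 80, 443]
ADDRESSES = ["192.0.2.11", "198.51.100.7", "192.0.2.10", "203.0.113.25"]

if __name__ == "__main__":
    print(build_query(PORTS, ADDRESSES, "assetname"))
    print("CIDR candidates:", cidr_candidates(ADDRESSES))
```

With the sample lists, only two of the four addresses collapse into a block; the other two stay as individual entries in the `NOT IN` list.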