IDR Query - regex AND\AND NOT

Hi, I’m trying to create a query on our Cloud Activity logs to find any forwarding rules set up to forward to external domains.
This query is finding all the forwarding rules as expected, but I’m having trouble then excluding those to our domain:

where("source_json.Operation" = "UpdateInboxRules"
AND "source_json.OperationProperties.6.Name" = "RuleActions"
AND "source_json.OperationProperties.6.Value" /Forward/)

Adding this to the rule does produce a recent example, so I know there is data that matches my desired rule:

AND "source_json.OperationProperties.6.Value" /hotmail/

However, I’ve tried changing the statement above as below, but then I get no results:

AND NOT "source_json.OperationProperties.6.Value" /mydomain/

Please could someone let me know what I’m doing wrong or if there is a better way to do this?



I had also tried != instead of NOT with no luck, but it looks like expanding the regex has resolved the problem along with the !=

where("action" = "UpdateInboxRules" AND "source_json.OperationProperties.0.Value" = "AddMailboxRule" AND "source_json.OperationProperties.6.Value" = /.*Forward.*/ AND "source_json.OperationProperties.6.Value" != /.*mydomain.*/,loose)
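
An added example, not part of either post above: the same detection done over exported events in Python, finding `RuleActions` by name rather than at a fixed index and checking each forward recipient's domain exactly, so a rule that forwards to both an internal and an external address is still reported (a record-level `!= /.*mydomain.*/` would drop it). The field names come from the queries above; `mydomain.example`, the helper names and the format of the sample `RuleActions` values are assumptions, and the events are constructed.

```python
import re

INTERNAL_DOMAINS = {"mydomain.example"}  # assumption: placeholder for your own domains
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@([A-Za-z0-9.-]+\.[A-Za-z]{2,})")

def rule_actions(event):
    """Return the RuleActions value wherever it sits in OperationProperties."""
    for prop in event.get("OperationProperties", []):
        if prop.get("Name") == "RuleActions":
            return prop.get("Value") or ""
    return ""

def is_internal(domain):
    """Exact or subdomain match, so a name that merely contains the string is external."""
    domain = domain.lower().rstrip(".")
    return any(domain == d or domain.endswith("." + d) for d in INTERNAL_DOMAINS)

def external_forward_targets(event):
    """List forward recipients outside INTERNAL_DOMAINS for one audit event."""
    if event.get("Operation") != "UpdateInboxRules":
        return []
    actions = rule_actions(event)
    if "Forward" not in actions:
        return []
    hits = {m.group(0).lower() for m in EMAIL_RE.finditer(actions)
            if not is_internal(m.group(1))}
    return sorted(hits)

def make_event(value, pad=0):
    """Build a constructed audit event; pad shifts RuleActions to another index."""
    props = [{"Name": f"Filler{i}", "Value": ""} for i in range(pad)]
    props.append({"Name": "RuleActions", "Value": value})
    return {"Operation": "UpdateInboxRules", "OperationProperties": props}

# Constructed samples; the RuleActions value format is an assumption.
SAMPLES = {
    "external": make_event('[{"ActionType":"Forward","Recipients":["a@hotmail.com"]}]', 6),
    "internal": make_event('[{"ActionType":"Forward","Recipients":["b@mydomain.example"]}]', 6),
    "mixed": make_event('[{"ActionType":"Forward","Recipients":'
                        '["b@mydomain.example","c@hotmail.com"]}]', 4),
    "substring": make_event('[{"ActionType":"Forward","Recipients":["d@notmydomain.example"]}]', 6),
}

if __name__ == "__main__":
    for name, ev in SAMPLES.items():
        print(name, external_forward_targets(ev))
```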