Is there a way to run a report / SIEM query / raw log query which specifies several device IPs (IP of the device that sent the log) to be excluded?
I recently took over my company's AV deployment and I'm trying to determine all of the devices that are currently sending logs to the server so that we can determine what ISN'T sending logs.
Instead of combing through millions of events, I'd like a way to run a query / report that excludes a specific device IP. That way I could say "Ok, I see events coming from 220.127.116.11, so this next query will not include 18.104.22.168 and we'll see what is still there". Then I could keep doing that until there's nothing left.
I see plenty of ways to exclude src/dst IPs for events, but no way to exclude device IPs, which seem to be associated with the device that sent the original event.
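The loop described in the question (exclude the device IPs already seen, re-run, repeat until nothing is left) collapses into a single aggregation: group events by the sending device's IP, drop the known ones, and diff the result against an inventory of devices that should be reporting. The script below is an added example written for this thread, not code from the original poster or from any particular SIEM or AV product; it assumes a constructed syslog-style format in which the second whitespace-separated field is the IP of the device that forwarded the line (real SIEMs expose this as a separate "device"/"reporting host" field, distinct from the src/dst IPs inside the event body), and the sample log lines and inventory are constructed for illustration.

```python
"""Enumerate which devices are forwarding logs, excluding known ones.

Added example, not from the original post. Assumes a constructed
syslog-style format where field 2 is the IP of the device that sent
the log; src=/dst= inside the message are the event's own endpoints.
"""
import ipaddress
from collections import Counter
from typing import Iterable, Optional

# Constructed sample log lines. The device IP (field 2) is the log sender;
# the src=/dst= values are deliberately different so the two are not confused.
SAMPLE_LOGS = """\
2024-03-01T08:00:01Z 10.0.0.5 av-agent: scan complete src=192.0.2.10 dst=198.51.100.7
2024-03-01T08:00:02Z 10.0.0.5 av-agent: definitions updated
2024-03-01T08:00:03Z 10.0.0.9 av-agent: threat quarantined src=203.0.113.4 dst=10.0.0.9
2024-03-01T08:00:04Z 10.0.0.12 av-agent: heartbeat
2024-03-01T08:00:05Z 10.0.0.9 av-agent: heartbeat
2024-03-01T08:00:06Z 10.0.0.12 av-agent: scan started src=10.0.0.5 dst=10.0.0.12
""".splitlines()


def device_ip(line: str) -> Optional[str]:
    """Return the normalised IP of the device that sent the line, or None if malformed."""
    parts = line.split(maxsplit=2)
    if len(parts) < 2:
        return None
    try:
        return str(ipaddress.ip_address(parts[1]))
    except ValueError:
        return None


def events_per_device(lines: Iterable[str], exclude: Iterable[str] = ()) -> dict:
    """Count events per sending device, skipping any device IP in `exclude`.

    One pass replaces the "exclude one IP, re-run, repeat" loop: group by
    device IP, then drop the IPs already accounted for.
    """
    excluded = {str(ipaddress.ip_address(ip)) for ip in exclude}
    counts: Counter = Counter()
    for line in lines:
        ip = device_ip(line)
        if ip is not None and ip not in excluded:
            counts[ip] += 1
    return dict(counts)


def silent_devices(lines: Iterable[str], inventory: Iterable[str]) -> list:
    """Return inventory devices that sent no log lines at all (the real question)."""
    seen = set(events_per_device(lines))
    expected = {str(ipaddress.ip_address(ip)) for ip in inventory}
    return sorted(expected - seen)


if __name__ == "__main__":
    # Constructed inventory of devices that should be reporting to the server.
    inventory = ["10.0.0.5", "10.0.0.9", "10.0.0.12", "10.0.0.20"]
    print("events per device:", events_per_device(SAMPLE_LOGS))
    print("after excluding 10.0.0.5:", events_per_device(SAMPLE_LOGS, exclude=["10.0.0.5"]))
    print("not reporting:", silent_devices(SAMPLE_LOGS, inventory))
```

Run against an export of raw events (one line per event) to get the per-device counts in one pass; the `silent_devices` diff against an asset inventory answers "what isn't sending logs" directly, instead of inferring it by elimination.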