I want to make a very specific exclusion from my search. In my case, there are two different field names I am interested in excluding, but I only want to exclude the search result if they BOTH match a specific value. To be more clear:
If "threat_name=WindowsThreat" and "src_ip=192.168.1.0/24" then do not return the search result.
If "threat_name=WindowsThreat" and "src_ip=something other than 192.168.1.0/24" then yes return the search result.
| search NOT (threat_name="WindowsThreat" AND src_ip="192.168.1.0/24")
OR | where threat_name!="WindowsThreat" AND src_ip="192.168.1.0/24"
Either of these will work to give you all results where threatname is not "WindowsThreat" and srcip is not explicitly "192.168.1.0/24". If you are wanting to exclude all src_ips that fall in the CIDR range 192.168.1.0/24. You will need to change the where to...
| where threat_name!="WindowsThreat" AND NOT cidrmatch("192.168.1.0/24", src_ip)