
Version 2.1 - New modifier to check if field is empty or null

Open · frack113 opened this issue 1 year ago · 1 comment

Add a new modifier to check if the field data is empty or null. Some telemetry uses `-` too.

  • name: `?`
  • type: boolean

```yaml
myfield|?: false
```

will cover

```yaml
filter_null:
    myfield: null
filter_empty:
    # one key with both empty markers (a YAML mapping cannot repeat the key)
    myfield:
        - ''
        - '-'
condition: not 1 of filter_*
```

frack113 · Aug 06 '24 16:08
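To make the proposed semantics concrete, here is an added example (not code from the sigma-specification project or from pySigma): a small in-memory matcher that evaluates the proposed `myfield|?: false` modifier, the equivalent `filter_null` / `filter_empty` selections with `not 1 of filter_*`, and, for contrast, the existing `|exists` modifier over a few constructed events. The helper names (`is_empty_or_null`, `field_exists`, `matches_filter_form`, `matches_modifier_form`) and the sample events are assumptions for illustration; it also assumes that `null` matches both a missing field and a field explicitly set to null, which is the distinction a SIEM may or may not be able to make.

```python
# Added example, not part of the sigma-specification project or pySigma.
# Gives the proposed "myfield|?: <bool>" modifier the semantics spelled out in
# the issue and checks it against the filter_null/filter_empty equivalent.

# The values the issue treats as "empty": the empty string and the '-' placeholder
# some telemetry emits when a field carries no value.
EMPTY_MARKERS = ("", "-")


def is_empty_or_null(event, field):
    """Proposed '|?' semantics: True when the field is missing, null, or an empty marker.

    Assumption: a missing key and an explicit null are treated alike, as with a
    Sigma 'null' value."""
    value = event.get(field)
    return value is None or value in EMPTY_MARKERS


def field_exists(event, field):
    """Existing '|exists' semantics: the key is present, whatever its value.

    Assumption: an explicit null still counts as present. That is exactly what
    '|exists' cannot express that '|?' would, and what many SIEMs cannot tell apart."""
    return field in event


def matches_filter_form(event, field):
    """The equivalent written out with plain selections in the issue:

        filter_null:  myfield: null
        filter_empty: myfield: '' / '-'
        condition:    not 1 of filter_*

    Returns True when the event survives the filters, i.e. the field has a real value."""
    value = event.get(field)
    filter_null = value is None
    filter_empty = value in EMPTY_MARKERS
    return not (filter_null or filter_empty)


def matches_modifier_form(event, field, wanted=False):
    """The proposed short form: 'myfield|?: <wanted>'. With wanted=False the rule
    keeps only events whose field carries a real value."""
    return is_empty_or_null(event, field) == wanted


# Constructed sample events: one real value, the two empty markers, an explicit
# null, and a record where the field is absent altogether.
SAMPLE_EVENTS = [
    {"myfield": r"C:\Windows\System32\cmd.exe"},
    {"myfield": ""},
    {"myfield": "-"},
    {"myfield": None},
    {},
]


def compare(events=SAMPLE_EVENTS, field="myfield"):
    """Evaluate all three forms per event; returns a list of
    (modifier_form, filter_form, exists) tuples for inspection."""
    return [
        (matches_modifier_form(e, field), matches_filter_form(e, field), field_exists(e, field))
        for e in events
    ]


if __name__ == "__main__":
    for event, (mod, flt, exists) in zip(SAMPLE_EVENTS, compare()):
        print(f"{event!r:45} |?:false -> {mod!s:5} filters -> {flt!s:5} |exists -> {exists}")
```

Running it shows the `|?` form and the written-out filters agree on every event, while `|exists` diverges on the explicit-null record: it reports the field as present even though the value is null. Whether that divergence is observable depends entirely on whether the backend keeps null-valued fields distinct from absent ones, which is the point raised in the reply below.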

What use case does this solve that |exists doesn't? IIRC most SIEMs I used cannot discriminate between a field existing and a field existing and having the null value. What are some examples of SIEMs that have this feature, and why would one want to use that instead of |exists?

Res260 · Aug 13 '24 22:08

Sorry, forget this one ... It took me less than a year to answer it 😄 Yes, it is not useful.

frack113 · Jul 29 '25 04:07