cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
alfoc
alfoc
Level 8
Report Inappropriate Content
Message 1 of 10
‎07-08-2014 07:10 AM

Check for null/empty field

Hi,

how can I filter for a null/empty filed?

For example, I want filter every event with "::" IP address.

"::" or "0.0.0.0" or "regex" or "contains(/^$/)"doesn't works.

2 people had this problem.
0 Kudos
Reply
9 Replies
relaxpreppy
relaxpreppy
Level 7
Report Inappropriate Content
Message 2 of 10
‎10-28-2014 10:41 AM

Re: Check for null/empty field

this would be helpful... I am trying to figure out how to see VPN events where the username field is not null

0 Kudos
Reply
rickgrimes
rickgrimes
Level 8
Report Inappropriate Content
Message 3 of 10
‎01-06-2015 10:51 AM

Re: Check for null/empty field

This question is now almost 6 months old.  Is there seriously no one out there can can answer a question as simple as this?  Is McAfee's ESM incapable of filtering by null/not null values?

If either of these are the case, I will be making a strong case to abandon ESM/Nitro, and opt for a SIEM with either better support or a more-knowledgeable community.

Reply
Highlighted
pcktech
pcktech
Level 9
Report Inappropriate Content
Message 4 of 10
‎01-12-2015 08:57 PM

Re: Check for null/empty field

I haven't looked at the Destination or Source IP Address fields, but I have found something interesting for the Source User field.

Click the ! (for NOT) for the Source User field, then type "regex($)" in the field -- this will show you all events with a Null Source User. Unclick NOT to see events with a Source User that is not null/blank/empty.

I've only tested this on Windows events currently. Stumbled across that after all the standard null expressions failed to work (\x00, \x0, \000, ^$, \A\z, and many others).

Regarding Rickgrimes' post, the Nitro/McAfee SIEM really doesn't play well with "null" unfortunately (pretends the field simply doesn't exist -- can't filter on something that doesn't exist). There might be a PCRE setting McAfee could adjust... if we put in Product Enhancement Requests, assuming there isn't a technological reason why it is the way it is.

Reply
bnevarez
bnevarez
Level 7
Report Inappropriate Content
Message 5 of 10
‎01-16-2015 03:37 PM

Re: Check for null/empty field

Excellent answer

0 Kudos
Reply
ryan.fitzpatric
ryan.fitzpatric
Level 9
Report Inappropriate Content
Message 6 of 10
‎01-28-2015 09:16 PM

Re: Check for null/empty field

Using contains([^a-zA-Z0-9\$\-\_]*) may also work, as it is looking for anything matching special characters only, not including the hyphen, underscore, and the dollar (windows system accounts), which should be the only time the username string actually contains a special character, unless the parser grabs a username with a % token in it, which I have seen a couple times.

Reply
pcktech
pcktech
Level 9
Report Inappropriate Content
Message 7 of 10
‎01-29-2015 09:17 AM

Re: Check for null/empty field

Hello,

contains([a-zA-Z0-9\$\-\_]*) and contains([^a-zA-Z0-9\$\-\_]*) do not work, the ESM considers them invalid expressions. However, Source User NOT regex([a-zA-Z0-9\$\-\_]*) does work and seems to return the similar or same results as Source User NOT regex($) -- though like you said not all special characters are excluded so it's possible a Source User field consisting of just those characters (e.g. %#@) might be returned.

So far these filters work on Windows and Linux data sources that I've seen and tested.

Reply
itzamlan
itzamlan
Level 7
Report Inappropriate Content
Message 8 of 10
‎02-21-2017 12:25 AM

Re: Check for null/empty field

Well I tried the most foolish way possibly. I created multiple dynamic watchlists containing all possible values. Then used the NOT operator.

0 Kudos
Reply
enrique.rodrigu
enrique.rodrigu
Level 8
Report Inappropriate Content
Message 9 of 10
‎10-02-2018 03:13 PM

Re: Check for null/empty field

Hi 

 

You can use regex(\x20) with not And for me works fine

0 Kudos
Reply
David1111
Reliable Contributor David1111
Reliable Contributor
Report Inappropriate Content
Message 10 of 10
‎10-08-2018 03:33 AM

Re: Check for null/empty field

try 

{Unavailable} 0

this is presenting a empty field in the mcafee format

0 Kudos
Reply
More McAfee Tools to Help You
  • Subscription Service Notification (SNS)
  • How-to: Endpoint Removal Tool
  • Support: Endpoint Security
  • eSupport: Policy Orchestrator

    • Community Help Hub

      New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

    • Find Forum FAQs
    • Learn How to Earn Badges
    • Ask for Help
    Go to Community Help

    Join the Community

      Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

    • Get helpful solutions from McAfee experts.
    • Stay connected to product conversations that matter to you.
    • Participate in product groups led by McAfee employees.
    Join the Community
    Join the Community


    Corporate Headquarters
    2821 Mission College Blvd.
    Santa Clara, CA 95054 USA

    Consumer Support   |   Enterprise Support   |   McAfee.com

    Legal   |   Privacy   |   Copyright © 2019 McAfee, LLC