Community Help Hub

Former Member · ‎07-08-2014

Hi,

how can I filter for a null/empty filed?

For example, I want filter every event with "::" IP address.

"::" or "0.0.0.0" or "regex" or "contains(/^$/)"doesn't works.

Former Member · ‎10-28-2014

this would be helpful... I am trying to figure out how to see VPN events where the username field is not null

Former Member · ‎01-06-2015

This question is now almost 6 months old. Is there seriously no one out there can can answer a question as simple as this? Is McAfee's ESM incapable of filtering by null/not null values?

If either of these are the case, I will be making a strong case to abandon ESM/Nitro, and opt for a SIEM with either better support or a more-knowledgeable community.

Former Member · ‎01-12-2015

I haven't looked at the Destination or Source IP Address fields, but I have found something interesting for the Source User field.

Click the ! (for NOT) for the Source User field, then type "regex($)" in the field -- this will show you all events with a Null Source User. Unclick NOT to see events with a Source User that is not null/blank/empty.

I've only tested this on Windows events currently. Stumbled across that after all the standard null expressions failed to work (\x00, \x0, \000, ^$, \A\z, and many others).

Regarding Rickgrimes' post, the Nitro/McAfee SIEM really doesn't play well with "null" unfortunately (pretends the field simply doesn't exist -- can't filter on something that doesn't exist). There might be a PCRE setting McAfee could adjust... if we put in Product Enhancement Requests, assuming there isn't a technological reason why it is the way it is.

Former Member · ‎01-16-2015

Excellent answer

Former Member · ‎01-28-2015

Using contains([^a-zA-Z0-9\$\-\_]*) may also work, as it is looking for anything matching special characters only, not including the hyphen, underscore, and the dollar (windows system accounts), which should be the only time the username string actually contains a special character, unless the parser grabs a username with a % token in it, which I have seen a couple times.

Former Member · ‎01-29-2015

Hello,

contains([a-zA-Z0-9\$\-\_]*) and contains([^a-zA-Z0-9\$\-\_]*) do not work, the ESM considers them invalid expressions. However, Source User NOT regex([a-zA-Z0-9\$\-\_]*) does work and seems to return the similar or same results as Source User NOT regex($) -- though like you said not all special characters are excluded so it's possible a Source User field consisting of just those characters (e.g. %#@) might be returned.

So far these filters work on Windows and Linux data sources that I've seen and tested.

Former Member · ‎02-21-2017

Well I tried the most foolish way possibly. I created multiple dynamic watchlists containing all possible values. Then used the NOT operator.

enrique.rodrigu · ‎10-02-2018

Hi

You can use regex(\x20) with not And for me works fine

David1111 · ‎10-08-2018

try

{Unavailable} 0

this is presenting a empty field in the mcafee format

Check for null/empty field

Re: Check for null/empty field

Re: Check for null/empty field

Re: Check for null/empty field

Re: Check for null/empty field

Re: Check for null/empty field

Re: Check for null/empty field

Re: Check for null/empty field

Re: Check for null/empty field

Re: Check for null/empty field

Community Help Hub

Join the Community