alfoc
Level 8
Message 1 of 10

Check for null/empty field

Hi,

how can I filter for a null/empty field?

For example, I want filter every event with "::" IP address.

"::" or "0.0.0.0" or "regex" or "contains(/^$/)" doesn't work.

9 Replies

Re: Check for null/empty field

this would be helpful... I am trying to figure out how to see VPN events where the username field is not null

Re: Check for null/empty field

This question is now almost 6 months old. Is there seriously no one out there who can answer a question as simple as this? Is McAfee's ESM incapable of filtering by null/not null values?

If either of these are the case, I will be making a strong case to abandon ESM/Nitro, and opt for a SIEM with either better support or a more-knowledgeable community.

pcktech
Level 9
Message 4 of 10

Re: Check for null/empty field

I haven't looked at the Destination or Source IP Address fields, but I have found something interesting for the Source User field.

Click the ! (for NOT) for the Source User field, then type "regex($)" in the field -- this will show you all events with a Null Source User. Unclick NOT to see events with a Source User that is not null/blank/empty.

I've only tested this on Windows events currently. Stumbled across that after all the standard null expressions failed to work (\x00, \x0, \000, ^$, \A\z, and many others).

Regarding Rickgrimes' post, the Nitro/McAfee SIEM really doesn't play well with "null" unfortunately (pretends the field simply doesn't exist -- can't filter on something that doesn't exist). There might be a PCRE setting McAfee could adjust... if we put in Product Enhancement Requests, assuming there isn't a technological reason why it is the way it is.

Re: Check for null/empty field

Excellent answer

Re: Check for null/empty field

Using contains([^a-zA-Z0-9\$\-\_]*) may also work, as it is looking for anything matching special characters only, not including the hyphen, underscore, and the dollar (Windows system accounts), which should be the only time the username string actually contains a special character, unless the parser grabs a username with a % token in it, which I have seen a couple of times.

pcktech
Level 9
Message 7 of 10

Re: Check for null/empty field

Hello,

contains([a-zA-Z0-9\$\-\_]*) and contains([^a-zA-Z0-9\$\-\_]*) do not work; the ESM considers them invalid expressions. However, Source User NOT regex([a-zA-Z0-9\$\-\_]*) does work and seems to return similar or the same results as Source User NOT regex($) -- though, like you said, not all special characters are excluded, so it's possible a Source User field consisting of just those characters (e.g. %#@) might be returned.

So far these filters work on Windows and Linux data sources that I've seen and tested.

Re: Check for null/empty field

Well, I tried the most foolish way possible. I created multiple dynamic watchlists containing all possible values, then used the NOT operator.

Re: Check for null/empty field

Hi,

You can use regex(\x20) with NOT, and for me it works fine.

David1111
Message 10 of 10

Re: Check for null/empty field

try 

{Unavailable} 0

This represents an empty field in the McAfee format.
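The regex tricks in this thread (pcktech's Source User NOT regex($) and NOT regex([a-zA-Z0-9\$\-\_]*), and the NOT regex(\x20) suggestion further down) can be checked against plain regex semantics. The Python below is an added example, not code from the thread or from McAfee. It models an ESM-style "field regex(pattern)" filter under the assumption pcktech describes, that a null field is simply absent from the event and the regex is only evaluated when the field exists, and runs each filter over a handful of constructed events. The event data, the field name and the filter model itself are assumptions, not ESM internals.

```python
import re

# Constructed sample events (not real ESM data). The thread describes ESM
# treating a "null" field as a field that is simply absent from the event,
# so the model below distinguishes absent from present-but-empty.
EVENTS = [
    {"id": 1, "Source User": "jdoe"},
    {"id": 2, "Source User": "DESKTOP-01$"},   # Windows machine account
    {"id": 3},                                  # field absent ("null")
    {"id": 4, "Source User": ""},               # present but empty
    {"id": 5, "Source User": "%#@"},            # special characters only
    {"id": 6, "Source User": "john smith"},     # contains a space
]


def regex_filter(events, field, pattern, negate=False):
    """Model of an ESM-style 'field regex(pattern)' filter (an assumption,
    not ESM's actual engine): the regex is only evaluated when the field
    exists on the event, so an absent field never matches, and the NOT (!)
    toggle turns any always-matching pattern into 'field is absent'.
    Returns the ids of the selected events."""
    rx = re.compile(pattern)
    selected = []
    for ev in events:
        matched = field in ev and rx.search(ev[field]) is not None
        if matched != negate:
            selected.append(ev["id"])
    return selected


def null_by_end_anchor():
    # Source User NOT regex($): '$' matches every string (including ""),
    # so negating it leaves only events where the field is absent.
    return regex_filter(EVENTS, "Source User", r"$", negate=True)


def null_by_class_star():
    # Source User NOT regex([a-zA-Z0-9$\-_]*): the '*' quantifier lets the
    # class match the empty string, so this behaves exactly like regex($)
    # and does not single out names made only of special characters.
    return regex_filter(EVENTS, "Source User", r"[a-zA-Z0-9$\-_]*", negate=True)


def null_by_class_plus():
    # Changing '*' to '+' requires at least one allowed character, so the
    # negated filter now also returns empty and special-character-only users.
    return regex_filter(EVENTS, "Source User", r"[a-zA-Z0-9$\-_]+", negate=True)


def not_space():
    # Source User NOT regex(\x20): \x20 is a literal space, so under plain
    # regex semantics this drops users containing a space rather than
    # isolating null ones.
    return regex_filter(EVENTS, "Source User", r"\x20", negate=True)


if __name__ == "__main__":
    for name, fn in [("NOT regex($)", null_by_end_anchor),
                     ("NOT regex([a-zA-Z0-9$\\-_]*)", null_by_class_star),
                     ("NOT regex([a-zA-Z0-9$\\-_]+)", null_by_class_plus),
                     ("NOT regex(\\x20)", not_space)]:
        print(f"{name:32} -> event ids {fn()}")
```

Under that model, NOT regex($) and the * character class both return only the absent-field event, and a present-but-empty string still matches $, so it is not caught; requiring at least one character with + is the change that also catches empty and special-character-only values. \x20 only matches a literal space in standard regex, so its negation keeps every user without a space. Whether ESM's own engine agrees with this model is something to confirm in the console with the filters above.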
