7 Replies Latest reply on Feb 21, 2017 2:25 AM by itzamlan

    Check for null/empty field

    alfoc

      Hi,


      how can I filter for a null/empty field?

      For example, I want to filter every event with "::" IP address.


      "::" or "0.0.0.0" or "regex" or "contains(/^$/)" doesn't work.

        • 1. Re: Check for null/empty field
          relaxpreppy

          this would be helpful... I am trying to figure out how to see VPN events where the username field is not null

          • 2. Re: Check for null/empty field
            rickgrimes

            This question is now almost 6 months old.  Is there seriously no one out there who can answer a question as simple as this?  Is McAfee's ESM incapable of filtering by null/not null values?


            If either of these are the case, I will be making a strong case to abandon ESM/Nitro, and opt for a SIEM with either better support or a more-knowledgeable community.

            • 3. Re: Check for null/empty field
              pcktech

              I haven't looked at the Destination or Source IP Address fields, but I have found something interesting for the Source User field.


              Click the ! (for NOT) for the Source User field, then type "regex($)" in the field -- this will show you all events with a Null Source User. Unclick NOT to see events with a Source User that is not null/blank/empty.


              I've only tested this on Windows events currently. Stumbled across that after all the standard null expressions failed to work (\x00, \x0, \000, ^$, \A\z, and many others).


              Regarding Rickgrimes' post, the Nitro/McAfee SIEM really doesn't play well with "null" unfortunately (pretends the field simply doesn't exist -- can't filter on something that doesn't exist). There might be a PCRE setting McAfee could adjust... if we put in Product Enhancement Requests, assuming there isn't a technological reason why it is the way it is.

              • 4. Re: Check for null/empty field
                bnevarez

                Excellent answer

                • 5. Re: Check for null/empty field
                  ryan.fitzpatrick

                  Using contains([^a-zA-Z0-9\$\-\_]*) may also work, as it is looking for anything matching special characters only, not including the hyphen, underscore, and the dollar (windows system accounts), which should be the only time the username string actually contains a special character, unless the parser grabs a username with a % token in it, which I have seen a couple times.

                  • 6. Re: Check for null/empty field
                    pcktech

                    Hello,


                    contains([a-zA-Z0-9\$\-\_]*) and contains([^a-zA-Z0-9\$\-\_]*) do not work, the ESM considers them invalid expressions. However, Source User NOT regex([a-zA-Z0-9\$\-\_]*) does work and seems to return the similar or same results as Source User NOT regex($) -- though like you said not all special characters are excluded so it's possible a Source User field consisting of just those characters (e.g. %#@) might be returned.


                    So far these filters work on Windows and Linux data sources that I've seen and tested.

                    • 7. Re: Check for null/empty field
                      itzamlan

                      Well I tried the most foolish way possible. I created multiple dynamic watchlists containing all possible values. Then used the NOT operator.