There are at least two ways that MAC addresses can be represented and, as far as I have been able to determine, the addresses that may be plucked from logs by the various parsers are not normalised - they use the format that the log used.
See Notational Conventions in this piece : http://en.wikipedia.org/wiki/MAC_address
My conclusion was that this was going to make life miserable as far as reliable MAC address filtering was concerned.
You're right - I have the same behaviour for both events and flows - it seems this is a behaviour by default.
It seems this is disabled as it has a performance impact - the following document describes how to enable it:
Let me know if this resolves your issue!
Thanks Markie Mark! This works!