SigmaHQ / sigma-specification

Sigma rule specification

Version 2.1 - New modifier to check if field is empty or null #142

Open frack113 opened 3 months ago

frack113 commented 3 months ago

Add a new modifier to check if the field data is empty or null. Some telemetry uses `-` too

    myfield|?: false

will cover

    filter_null:
        myfield: null
    filter_empty:
        myfield:
            - ''
            - '-'
    condition: not 1 of filter_*

Res260 commented 3 months ago

What use case does this solve that |exists doesn't? IIRC most SIEMs I used cannot discriminate between a field existing and a field existing and having the null value. What are some examples of SIEMs that have this feature, and why would one want to use that instead of |exists?
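To make the comparison concrete, here is an added example (not code from the issue or from the Sigma project) that evaluates the `filter_*` workaround from the first post, the proposed `myfield|?: false`, and `|exists: true` over a few constructed events. The matching semantics are assumptions taken from the issue text: a `null` value matches a field that is absent or `None`, and `''` and `'-'` are the empty markers.

```python
# Added example, not from the issue or the Sigma project: a toy evaluator for
# the workaround block and the proposed 'myfield|?: false'. Assumed semantics:
# 'null' matches an absent or None field; '' and '-' are the empty markers.

EMPTY_MARKERS = ("", "-")

def field_exists(event: dict, field: str = "myfield") -> bool:
    """Sigma '|exists: true' as commonly implemented: the key is present."""
    return field in event

def field_is_empty_or_null(event: dict, field: str = "myfield") -> bool:
    """Proposed '|?: false' (assumed semantics): absent, None, '' or '-'."""
    return event.get(field) is None or event.get(field) in EMPTY_MARKERS

def selection_matches(event: dict, selection: dict) -> bool:
    """One Sigma selection map: every listed field must equal one of its values."""
    for field, wanted in selection.items():
        values = wanted if isinstance(wanted, list) else [wanted]
        # A null value matches an absent or None field (assumption); others compare exactly.
        if not any(event.get(field) is None if v is None
                   else field in event and event[field] == v for v in values):
            return False
    return True

# The filter block from the issue; the two empty markers written as a list.
FILTERS = {"filter_null": {"myfield": None},
           "filter_empty": {"myfield": ["", "-"]}}

def workaround_matches(event: dict) -> bool:
    """condition: not 1 of filter_*"""
    return not any(selection_matches(event, s) for s in FILTERS.values())

def proposed_matches(event: dict) -> bool:
    """myfield|?: false, i.e. keep the event only when the field carries data."""
    return not field_is_empty_or_null(event)

# Constructed events covering the cases the thread discusses.
EVENTS = {"absent": {"other": 1}, "null": {"myfield": None},
          "empty": {"myfield": ""}, "dash": {"myfield": "-"},
          "value": {"myfield": "cmd.exe"}}

def compare(events: dict = EVENTS) -> dict:
    """Per event name: (|exists, workaround block, proposed |?) results."""
    return {n: (field_exists(e), workaround_matches(e), proposed_matches(e))
            for n, e in events.items()}
```

Under these assumptions the workaround and the proposed modifier agree on every event, while `|exists` reports `True` for the null, empty and `-` cases, which is exactly the gap the issue is about.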