From 4e5a9a58a50555d2a88c99cdc67ea8b026b65841 Mon Sep 17 00:00:00 2001
From: Johnny Walker <10174710+iosonogio@users.noreply.github.com>
Date: Tue, 9 Mar 2021 17:41:54 +0100
Subject: [PATCH] Update netwitness-epl.py nullExpression and notNullExpression fixed to be logically coherent and compatible with EPL syntax
---
 tools/sigma/backends/netwitness-epl.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/tools/sigma/backends/netwitness-epl.py b/tools/sigma/backends/netwitness-epl.py
index e580b259c..62506337b 100644
--- a/tools/sigma/backends/netwitness-epl.py
+++ b/tools/sigma/backends/netwitness-epl.py
@@ -55,8 +55,8 @@ class NetWitnessEplBackend(SingleTextQueryBackend):
 listSeparator = ", "
 valueExpression = "\'%s\'"
 keyExpression = "%s"
- nullExpression = "%s exists"
- notNullExpression = "%s exists"
+ nullExpression = "%s is null"
+ notNullExpression = "%s is not null"
 mapExpression = "(%s=%s)"
 mapListsSpecialHandling = True
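Review bot: The corrected `nullExpression` and `notNullExpression` templates carry no comment and, as far as this hunk shows, no regression test, even though the removed lines rendered both polarities as the same `%s exists` string, so a rule's null check and its negation compiled to identical EPL. I would add a comment above the pair such as `# null and not-null must render as distinct EPL predicates`, and a backend test that converts a rule with a null condition and asserts the output contains `is null`, with the negated form asserting `is not null`. EPL already produced by the earlier backend for rules with null conditions presumably needs regenerating, since one of the two polarities cannot have matched as the rule author intended. The body of `NetWitnessEplBackend` starts and continues outside the hunk.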