diff --git a/tools/sigma/backends/netwitness-epl.py b/tools/sigma/backends/netwitness-epl.py
index e580b259c..62506337b 100644
--- a/tools/sigma/backends/netwitness-epl.py
+++ b/tools/sigma/backends/netwitness-epl.py
@@ -55,8 +55,8 @@ class NetWitnessEplBackend(SingleTextQueryBackend):
 listSeparator = ", "
 valueExpression = "\'%s\'"
 keyExpression = "%s"
- nullExpression = "%s exists"
- notNullExpression = "%s exists"
+ nullExpression = "%s is null"
+ notNullExpression = "%s is not null"
 mapExpression = "(%s=%s)"
 mapListsSpecialHandling = True
diff --git a/tools/sigma/backends/netwitness.py b/tools/sigma/backends/netwitness.py
index 25aed08d0..c8898ec67 100644
--- a/tools/sigma/backends/netwitness.py
+++ b/tools/sigma/backends/netwitness.py
@@ -37,7 +37,7 @@ class NetWitnessBackend(SingleTextQueryBackend):
 listSeparator = ", "
 valueExpression = "\'%s\'"
 keyExpression = "%s"
- nullExpression = "%s exists"
+ nullExpression = "%s !exists"
 notNullExpression = "%s exists"
 mapExpression = "(%s=%s)"
 mapListsSpecialHandling = True
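Review bot: Neither hunk adds anything that pins the corrected null semantics, so the inverted `nullExpression` template fixed here in netwitness-epl.py, and again in the netwitness.py hunk, could return without any visible failure. In a detection backend that matters because a rule containing `field: null` would be converted into a query that selects the opposite set of events, and the rule would simply stop firing. I would add a comment above each pair, `# Sigma "field: null" means the field is absent; notNullExpression covers the not-null case`, and one conversion test per backend asserting that a null-valued selection renders as `<field> is null` (EPL) and `<field> !exists` (NetWitness), with the not-null case rendering as `<field> is not null` and `<field> exists`. Whether such tests already exist elsewhere in the repository is not visible from this diff, and both class bodies continue outside the hunks.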