From 4e5a9a58a50555d2a88c99cdc67ea8b026b65841 Mon Sep 17 00:00:00 2001
From: Johnny Walker <10174710+iosonogio@users.noreply.github.com>
Date: Tue, 9 Mar 2021 17:41:54 +0100
Subject: [PATCH 1/2] Update netwitness-epl.py

nullExpression and notNullExpression fixed to be logically coherent and compatible with EPL syntax
---
 tools/sigma/backends/netwitness-epl.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/tools/sigma/backends/netwitness-epl.py b/tools/sigma/backends/netwitness-epl.py
index e580b259c..62506337b 100644
--- a/tools/sigma/backends/netwitness-epl.py
+++ b/tools/sigma/backends/netwitness-epl.py
@@ -55,8 +55,8 @@ class NetWitnessEplBackend(SingleTextQueryBackend):
     listSeparator = ", "
     valueExpression = "\'%s\'"
     keyExpression = "%s"
-    nullExpression = "%s exists"
-    notNullExpression = "%s exists"
+    nullExpression = "%s is null"
+    notNullExpression = "%s is not null"
     mapExpression = "(%s=%s)"
     mapListsSpecialHandling = True

From 0873c57acf1d5b8b93bb654681bbdd2550a189ad Mon Sep 17 00:00:00 2001
From: Johnny Walker <10174710+iosonogio@users.noreply.github.com>
Date: Tue, 9 Mar 2021 17:43:44 +0100
Subject: [PATCH 2/2] Update netwitness.py

nullExpression fixed to be really null (missing exclamation mark)
---
 tools/sigma/backends/netwitness.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tools/sigma/backends/netwitness.py b/tools/sigma/backends/netwitness.py
index 25aed08d0..c8898ec67 100644
--- a/tools/sigma/backends/netwitness.py
+++ b/tools/sigma/backends/netwitness.py
@@ -37,7 +37,7 @@ class NetWitnessBackend(SingleTextQueryBackend):
     listSeparator = ", "
     valueExpression = "\'%s\'"
     keyExpression = "%s"
-    nullExpression = "%s exists"
+    nullExpression = "%s !exists"
     notNullExpression = "%s exists"
     mapExpression = "(%s=%s)"
     mapListsSpecialHandling = True
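Review bot: Every EPL statement generated by the previous version of this backend used `<field> exists` for both `null` and `not null` conditions (the two removed lines), so any rule with a `field: null` test that was already converted carries an inverted presence check and must be regenerated; the commit message should say that explicitly. The new strings are stated to match EPL syntax but nothing pins them — if the backend test suite exercises this class, add a case asserting the generated text contains `is null` for a null-valued field and `is not null` for its negation so the two cannot drift back into agreement. A one-line comment above the pair, `# presence checks for Sigma "field: null" / "not null"; EPL form is IS [NOT] NULL`, would make the contract visible to the next editor. The class body continues past the end of the hunk, and the hunk header counts 8 lines where only 7 are visible here, so a trailing context line may have been lost in this copy.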
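Review bot: The new `%s !exists` assumes NetWitness treats `!exists` as the negation of `exists`; the commit message asserts it but nothing in the hunk documents it, so add `# NetWitness key presence: "<key> exists" / "<key> !exists"` above `nullExpression`, which also explains why this backend differs from the EPL one. Because the removed string was identical to `notNullExpression`, queries generated earlier for rules using `field: null` test the opposite condition and need regenerating, which is worth a changelog note. A regression test pushing a null and a not-null node through the backend and asserting the `!exists` / `exists` output would guard this pair against a repeat of the typo. The class body continues past the hunk.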