How to whitelist NULL values?


I’m a quite new in Elastic world and I’d like to know if it’s possible to whitelist a NULL value.

We have a rule that detects the authentications of our privileges accounts on unauthorized assets which is based on a whitelist. Unfortunately, some of events have “Workstation Name” and “Source Network Address” fields empty (a guess that dash symbol represents a NULL value in Elastic).


These events generate an alert at each appearance because the NULL value is not whitelisted. So the question is how can it be whitelisted?

Thanks for the help!

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.