diff --git a/output/encryption.rst b/output/encryption.rst index 38760f2..92be559 100644 --- a/output/encryption.rst +++ b/output/encryption.rst @@ -15,7 +15,7 @@ You can decrypt the logs later with THOR Util: .. code-block:: console - nextron@unix:~$ thor-util decrypt --privkey mykey-private.pem thorlog.json + nextron@unix:~$ thor-util decrypt --privkey mykey-private.pem thorlog.jsonl For more information about ``thor-util``, see the separate `THOR Util manual `__. diff --git a/signatures/sigma.rst b/signatures/sigma.rst index 48aede7..fbe978e 100644 --- a/signatures/sigma.rst +++ b/signatures/sigma.rst @@ -163,7 +163,7 @@ rules: * - ``service_name`` - ``SERVICE_NAME`` -To match null/empty fields: +To match null (nonexistent) fields: .. code-block:: yaml @@ -171,6 +171,14 @@ To match null/empty fields: selection: FILE: null +To match empty (but existent) fields: + +.. code-block:: yaml + + detection: + selection: + FILE: '' + Detection Examples ******************
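Review bot: In the `output/encryption.rst` hunk, only the filename in the example command moves from `thorlog.json` to `thorlog.jsonl`; the surrounding sentence "You can decrypt the logs later with THOR Util" and the rest of the page are not touched. If the page (or the THOR Util manual it links to) names the encrypted output file anywhere else, those mentions need the same `.jsonl` change in this commit so the example and the description of the output format agree.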
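Review bot: In the first `signatures/sigma.rst` hunk, narrowing "null/empty fields" to "null (nonexistent) fields" silently changes what readers are told `FILE: null` matches; a reader who copied the old wording and used `null` to catch empty values will now get a different answer with no hint why. Add one sentence after the example stating explicitly that `null` matches only when the field is missing from the event and does not match a field that is present with an empty value, so the change in meaning is visible rather than implied by the parenthesis.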
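Review bot: In the second `signatures/sigma.rst` hunk, "empty (but existent) fields" reads awkwardly; "fields that are present but empty" says the same thing in plain English and mirrors the "nonexistent" wording of the previous hunk. Since the two examples now sit side by side and differ only in `FILE: null` versus `FILE: ''`, a closing line such as "`null` and `''` are not interchangeable: the first matches a missing field, the second an empty one" would make the contrast the hunk is introducing explicit before the "Detection Examples" heading.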