From 1cc7b329239fe8ef4c19a3cea9d007c9fa8795d6 Mon Sep 17 00:00:00 2001 From: Max Altgelt Date: Fri, 22 May 2026 10:57:06 +0200 Subject: [PATCH 1/2] chore: use jsonl ending --- output/encryption.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/output/encryption.rst b/output/encryption.rst index 38760f2..92be559 100644 --- a/output/encryption.rst +++ b/output/encryption.rst @@ -15,7 +15,7 @@ You can decrypt the logs later with THOR Util: .. code-block:: console - nextron@unix:~$ thor-util decrypt --privkey mykey-private.pem thorlog.json + nextron@unix:~$ thor-util decrypt --privkey mykey-private.pem thorlog.jsonl For more information about ``thor-util``, see the separate `THOR Util manual `__. From b6748499a8c2fbe79d4c8f854ed5b381cf70a7f1 Mon Sep 17 00:00:00 2001 From: Max Altgelt Date: Fri, 22 May 2026 10:58:20 +0200 Subject: [PATCH 2/2] fix: clarify how null and empty fields are matched in sigma --- signatures/sigma.rst | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/signatures/sigma.rst b/signatures/sigma.rst index 48aede7..fbe978e 100644 --- a/signatures/sigma.rst +++ b/signatures/sigma.rst @@ -163,7 +163,7 @@ rules: * - ``service_name`` - ``SERVICE_NAME`` -To match null/empty fields: +To match null (nonexistent) fields: .. code-block:: yaml @@ -171,6 +171,14 @@ To match null/empty fields: selection: FILE: null +To match empty (but existent) fields: + +.. code-block:: yaml + + detection: + selection: + FILE: '' + Detection Examples ******************
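Review bot: in PATCH 1/2 the diffstat shows a single changed line in output/encryption.rst, so only the decrypt example is renamed to `thorlog.jsonl`. Please check the rest of that page and the other documentation files for remaining `thorlog.json` references, so that the file name in the decrypt command matches the file name readers are told THOR writes. If the encrypted log carries a different name or suffix than the plaintext log, the example should use that name.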
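Review bot: in the first hunk of signatures/sigma.rst (@@ -163,7 +163,7 @@) the heading narrows from "null/empty" to "null (nonexistent)", but the text never says outright that `FILE: null` does not match a field that is present with an empty value. Readers who wrote rules against the old wording would expect both cases to match and get a silent detection gap. Suggest adding one sentence under this code block stating that `null` matches only when the field is absent.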
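Review bot: in the second hunk of signatures/sigma.rst (@@ -171,6 +171,14 @@) the new `FILE: ''` example only works because of the quotes, and the text does not mention that. In YAML an unquoted empty value (`FILE:` with nothing after the colon) parses as null, so a rule author who drops the quotes ends up with the nonexistent-field case instead. Suggest a short note on the quoting, and a sentence saying whether a rule that should cover both absent and empty fields needs both values.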