Sigma to EQL converting issue for Windows Log

[Ron89]

For Sigma rule with rule id: 17d619c1-e020-4347-957e-1d1207455c93

Orignal rule:

title: Active Directory Replication from Non Machine Account
id: 17d619c1-e020-4347-957e-1d1207455c93
status: test
description: Detects potential abuse of Active Directory Replication Service (ADRS) from a non machine account to request credentials.
references:
    - https://threathunterplaybook.com/hunts/windows/180815-ADObjectAccessReplication/notebook.html
    - https://threathunterplaybook.com/library/windows/active_directory_replication.html
    - https://threathunterplaybook.com/hunts/windows/190101-ADModDirectoryReplication/notebook.html
author: Roberto Rodriguez @Cyb3rWard0g
date: "2019-07-26"
modified: "2021-11-27"
tags:
    - attack.credential-access
    - attack.t1003.006
logsource:
    product: windows
    service: security
detection:
    selection:
        AccessMask: "0x100"
        EventID: 4662
        Properties|contains:
            - 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2
            - 1131f6ad-9c07-11d1-f79f-00c04fc2dcd2
            - 89e95b76-444d-4c62-991a-0facbeda640c
    filter:
        - SubjectUserName|endswith: $
        - SubjectUserName|startswith: MSOL_
    condition: selection and not filter
fields:
    - ComputerName
    - SubjectDomainName
    - SubjectUserName
falsepositives:
    - Unknown
level: critical

converted EQL:

any where winlog.channel:"Security" and (winlog.channel:"Security" and ((winlog.event_data.AccessMask:"0x100" and event.code:"4662" and (winlog.event_data.Properties like~ ("*1131f6aa-9c07-11d1-f79f-00c04fc2dcd2*", "*1131f6ad-9c07-11d1-f79f-00c04fc2dcd2*", "*89e95b76-444d-4c62-991a-0facbeda640c*"))) and (not (user.name like~ ("*$", "MSOL_*"))))) 

This converted result generates a lot of false positive as all machine account generated AD sync traffic now creates critical events.

Root issue of the issue: SubjectUserName should have been converted to winlog.event_data.SubjectUserName instead of user.name.

With the mapping change,

any where winlog.channel:"Security" and (winlog.channel:"Security" and (((winlog.event_data.AccessMask:"0x100" and event.code:"4662" and (winlog.event_data.Properties like~ ("*1131f6aa-9c07-11d1-f79f-00c04fc2dcd2*", "*1131f6ad-9c07-11d1-f79f-00c04fc2dcd2*", "*89e95b76-444d-4c62-991a-0facbeda640c*"))) and ( not (winlog.event_data.SubjectUserName like~ ( "*$", "MSOL_*")))) ))

will correct result in empty findings in normal scenario.

{
  "is_partial": false,
  "is_running": false,
  "took": 30,
  "timed_out": false,
  "hits": {
    "total": {
      "value": 0,
      "relation": "eq"
    },
    "events": []
  }
}

Please help fix the issue by resolving the mapping correctly, specifically, SubjectUserName should have been converted to winlog.event_data.SubjectUserName instead of user.name.

[Ron89]

Similar issue seems to have been reported on #13411. May I know if the pattern I reported above is in the scope of fixing in next update?