Comparing values of 2 fields in detection.

[anon-e-mousse]

Hey all,

I was wondering whether there is a way to compare 2 field values within a sigma rule.
My use case:
In order to see whether a new user account is domain or local, I would like to compare the new users domain name and the hostname. If they are the same that would indicate local account.
So the detection would look something like the following:
detection:
selection:
EventID: 4720
filter:
host: DomainName
condition: selection and filter

Please do not recommend other ways of detecting local accounts vs domain accounts. This is relevant to other alerts too.
Thanks!

[YamatoSecurity]

I also think this feature would be helpful for writing rules.
What about adding a |equalsfield pipe keyword to the sigma specification for this?

Ex: https://github.com/Yamato-Security/hayabusa-rules/blob/main/hayabusa/builtin/Security/LogonLogoff/Logon/Sec_4624_Med_Logon-Type9-NewInteractive_PossibleTokenImpersonation.yml