Rule tuning not converted properly in Kibana

[geistchevalier]

I'm trying to tune the detection for CVE-2021-42278 to exclude a known problematic DC that's causing false positives. But SO is converting my rule weirdly in the Kibana console

The log data is as the following, pulled using the Microsoft DHCP integration

"events": [
    "_source": {
        "winlog": {
            ...
            "event_data":  {
                ...
                "IssuingKDC": "problematicDC"
                ...
            }
            ...
        }
    }
]

The tuning rule I wrote

sofilter:
  winlog.event_data.IssuingKDC:"problematicDC"

---

The rule when I click on the TEST IN KIBANA

GET /.ds-logs-*/_eql/search
{
	"query": """
	any where winlog.channel:"System" and (winlog.channel:"System" and (((event.code like~ ("35", "36", "37", "38")) and winlog.provider_name:"Microsoft-Windows-Kerberos-Key-Distribution-Center") 
	and (not "winlog.event_data.IssuingKDC:\"problematicDC\"")))
	"""
}

which results in the following errors:

{
  "error": {
    "root_cause": [
      {
        "type": "verification_exception",
        "reason": """Found 1 problem
line 2:199: argument of [not "winlog.event_data.IssuingKDC:\"problematicDC\""] must be [boolean], found value ["winlog.event_data.IssuingKDC:\"problematicDC\""] type [keyword]"""
      }
    ],
    "type": "verification_exception",
    "reason": """Found 1 problem
line 2:199: argument of [not "winlog.event_data.IssuingKDC:\"problematicDC\""] must be [boolean], found value ["winlog.event_data.IssuingKDC:\"problematicDC\""] type [keyword]"""
  },
  "status": 400
}

---

If I exclude the extra " marks, it works as expected and filters out the problematic DC

GET /.ds-logs-*/_eql/search
{
	"query": """
	any where winlog.channel:"System" and (winlog.channel:"System" and (((event.code like~ ("35", "36", "37", "38")) and winlog.provider_name:"Microsoft-Windows-Kerberos-Key-Distribution-Center") 
	and (not winlog.event_data.IssuingKDC:"problematicDC")))
	"""
}

I get my expected result

{
  "is_partial": false,
  "is_running": false,
  "took": 18,
  "timed_out": false,
  "hits": {
    "total": {
      "value": 0,
      "relation": "eq"
    },
    "events": []
  }
}

My question is, how do I write the sofilter rule so that it converts properly in Kibana?

[defensivedepth]

@geistchevalier Have you tried single quotes or no quotes at all for the sofilter?

[geistchevalier]

I fixed it after referring to the other tunings that I did before this, formatting issue

Changed it to the following:

sofilter:
    - winlog.event_data.IssuingKDC: problematicDC

which gives me the following when testing in kibana

... and (not winlog.event_data.IssuingKDC:"problematicDC") ...