Yamato-Security / sigma-to-hayabusa-converter

Documentation and tools to curate Sigma rules for Windows event logs into easier to parse rules.
GNU General Public License v3.0

Don't convert rules that have incompatible fields or just delete those fields? #5

Open YamatoSecurity opened 5 months ago

YamatoSecurity commented 5 months ago

When we convert rules like process_creation to Sysmon 1 and Security 4688, we do not create a Security 4688 rule if the rule contains fields that do not exist in Security 4688, as those fields may be important for detection or for filtering out false positives. However, many process_creation rules now often use fields like OriginalFileName, so they won't be able to be detected with Windows built-in rules.

Example:

title: File Decoded From Base64/Hex Via Certutil.EXE
id: cc9cbe82-7bc0-4ef5-bc23-bbfb83947be7
...
detection:
    selection_img:
        - Image|endswith: '\certutil.exe'
        - OriginalFileName: 'CertUtil.exe'
    selection_cli:
        CommandLine|contains|windash:
            - '-decode ' # Decode Base64
            - '-decodehex ' # Decode Hex
    condition: all of selection_*

For rules like this, it would be better to still use it for searching Security 4688 events but without the OriginalFileName field:

detection:
    selection_img:
        - Image|endswith: '\certutil.exe'
    selection_cli:
        CommandLine|contains|windash:
            - '-decode ' # Decode Base64
            - '-decodehex ' # Decode Hex
    condition: all of selection_*

An attacker may be able to bypass this rule by renaming certutil.exe but it is still better to be able to detect attacks where the file is not renamed.

We need to research further what will happen if we just remove the incompatible fields. If it causes problems, then we may need to make exceptions depending on the rule. (For example, only convert to Security 4688 and delete OriginalFileName if there are both an OriginalFileName and an Image field, etc...)
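As an added illustration of the "drop the incompatible fields, but only where a compatible field remains" approach discussed in this issue (this is example code, not part of the sigma-to-hayabusa-converter project), the script below strips fields a Security 4688 event cannot carry from a Sigma `detection` block. The set of 4688-compatible Sigma field names is an assumption for the example, not the converter's own mapping; the detection is supplied as a Python dict mirroring the YAML above (loading it with `yaml.safe_load` is left to the caller so the example runs without extra dependencies), and the `condition` string is not re-validated.

```python
"""Strip Security-4688-incompatible fields from a Sigma process_creation detection.

Added example for the issue discussion; SECURITY_4688_FIELDS is an assumed
subset of Sigma process_creation field names that have a 4688 counterpart
(Image -> NewProcessName, ParentImage -> ParentProcessName, ...).
"""
from typing import Any

# Assumption for this example: Sigma-side field names that survive conversion
# to Security 4688. OriginalFileName, Hashes, Product, etc. are absent.
SECURITY_4688_FIELDS = frozenset({
    "Image", "CommandLine", "ParentImage", "User",
    "ProcessId", "ParentProcessId", "IntegrityLevel", "LogonId",
})


def base_field(key: str) -> str:
    """'CommandLine|contains|windash' -> 'CommandLine' (modifiers follow the first '|')."""
    return key.split("|", 1)[0]


def strip_mapping(mapping: dict, dropped: list) -> dict:
    """A mapping inside a selection is an AND of its keys.

    Removing a conjunct can only widen the match (more events, possibly more
    false positives), which is the trade-off the issue accepts for 4688.
    """
    kept = {}
    for key, value in mapping.items():
        if base_field(key) in SECURITY_4688_FIELDS:
            kept[key] = value
        else:
            dropped.append(base_field(key))
    return kept


def strip_selection(selection: Any, dropped: list) -> Any:
    """A selection is a mapping (AND) or a list of mappings/keywords (OR)."""
    if isinstance(selection, dict):
        return strip_mapping(selection, dropped)
    if isinstance(selection, list):
        kept = []
        for item in selection:
            if isinstance(item, dict):
                item = strip_mapping(item, dropped)
                if not item:
                    # An OR-alternative with nothing left simply disappears:
                    # the rule matches in fewer ways, but never more broadly.
                    continue
            kept.append(item)  # plain strings are keyword searches; keep them
        return kept
    return selection


def convert_detection(detection: dict):
    """Return (converted_detection, dropped_fields).

    converted_detection is None when some selection referenced by the
    condition would be emptied entirely, i.e. the rule cannot express its
    logic with 4688 fields alone and should not be converted.
    """
    dropped: list = []
    out: dict = {}
    for name, body in detection.items():
        if name == "condition":
            out[name] = body
            continue
        stripped = strip_selection(body, dropped)
        if not stripped:
            return None, dropped
        out[name] = stripped
    return out, dropped


# Constructed input mirroring the certutil rule quoted in the issue.
CERTUTIL_DETECTION = {
    "selection_img": [
        {"Image|endswith": "\\certutil.exe"},
        {"OriginalFileName": "CertUtil.exe"},
    ],
    "selection_cli": {
        "CommandLine|contains|windash": ["-decode ", "-decodehex "],
    },
    "condition": "all of selection_*",
}

# Constructed input where the only identifying field is incompatible.
ORIGINALFILENAME_ONLY = {
    "selection": {"OriginalFileName": "CertUtil.exe"},
    "condition": "selection",
}

if __name__ == "__main__":
    converted, dropped = convert_detection(CERTUTIL_DETECTION)
    print("dropped:", dropped)      # ['OriginalFileName']
    print("converted:", converted)  # selection_img keeps only the Image clause
    print("unconvertible:", convert_detection(ORIGINALFILENAME_ONLY)[0] is None)
```

The distinction the code draws is the one that matters for the exception heuristic at the end of the comment: a field removed from an OR-list (the `selection_img` case) only takes away an alternative, whereas a field removed from an AND-mapping loosens the rule, and a selection that loses all of its fields means the rule should not be emitted for 4688 at all.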