
[BUG] _exists_ check does not exist for "not" condition in sigma rules #854

Closed
jowg-amazon opened this issue Feb 13, 2024 · 0 comments
Labels
bug Something isn't working

Comments

@jowg-amazon
Collaborator

What is the bug?
A clear and concise description of the bug.
There is a feature gap for customers when configuring a Sigma rule with a not clause. The not clause generates a finding if an ingested document does not match whatever is specified in the detection section. However, this currently also includes cases where that field itself doesn’t exist in the ingested document.

Example of a Pre-Packaged Cloudtrail YAML Rule:

```yaml
id: 8ad1600d-e9dc-4251-b0ee-a65268f29add
logsource:
  product: cloudtrail
title: AWS Root Credentials
description: Detects AWS root account usage
tags:
  - attack.privilege_escalation
  - attack.t1078.004
falsepositives:
  - >-
    AWS Tasks That Require AWS Account Root User Credentials
    https://docs.aws.amazon.com/general/latest/gr/aws_tasks-that-require-root.html
level: medium
status: experimental
references:
  - 'https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html'
author: vitaliy0x1
detection:
  selection_usertype:
    userIdentity.type: Root
  selection_eventtype:
    eventType: AwsServiceEvent
  condition: selection_usertype and not selection_eventtype
```

Example of an ingested document generating an incorrect finding

```json
{
  "selection_usertype": "Root"
}
```

The example above generates an incorrect finding because of the `not selection_eventtype` condition, since the field `eventType` is not present in the ingested document.

How can one reproduce the bug?
Steps to reproduce the behavior:

  1. Create a detector with a Sigma rule that has a `not` condition
  2. Insert a document without the field specified in the `not` condition
  3. An incorrect finding will be generated

What is the expected behavior?
A clear and concise description of what you expected to happen.

What is your host/environment?

  • OS: 2.11
  • Version [e.g. 22]
  • Plugins

Do you have any screenshots?
If applicable, add screenshots to help explain your problem.

Do you have any additional context?
Add any other context about the problem.
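To make the reported behaviour concrete, here is an added example (not the security-analytics plugin's own code) in the form of a small Sigma-style condition evaluator. It resolves dotted field names, supports `and`, `or`, `not` and parentheses, and can run in two modes: the current behaviour, where a negated selection is satisfied whenever its fields do not match (including when they are absent), and the behaviour this issue asks for, where a negated selection additionally requires its fields to exist. The rule is the one from the issue; the four sample CloudTrail-shaped documents and their names are constructed for the example.

```python
"""Added example: Sigma-style condition evaluation with and without an
existence check on negated selections. Not the plugin's implementation."""
from typing import Any

MISSING = object()  # sentinel meaning "the field is absent from the document"

# Detection section of the rule quoted in the issue
RULE_DETECTION = {
    "selection_usertype": {"userIdentity.type": "Root"},
    "selection_eventtype": {"eventType": "AwsServiceEvent"},
    "condition": "selection_usertype and not selection_eventtype",
}

# Constructed sample documents (not real CloudTrail records)
SAMPLE_DOCS = {
    "root_console_signin": {"userIdentity": {"type": "Root"}, "eventType": "AwsConsoleSignIn"},
    "root_service_event": {"userIdentity": {"type": "Root"}, "eventType": "AwsServiceEvent"},
    "root_missing_eventtype": {"userIdentity": {"type": "Root"}},  # the case from the issue
    "iam_user_api_call": {"userIdentity": {"type": "IAMUser"}, "eventType": "AwsApiCall"},
}


def get_field(doc: dict, dotted: str) -> Any:
    """Resolve a dotted field name such as 'userIdentity.type'; MISSING if absent."""
    cur: Any = doc
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return MISSING
        cur = cur[part]
    return cur


def selection_matches(selection: dict, doc: dict) -> bool:
    """A selection map matches when every listed field is present and equal."""
    return all(get_field(doc, f) == v for f, v in selection.items())


def selection_fields_exist(selection: dict, doc: dict) -> bool:
    """True when every field named in the selection exists in the document."""
    return all(get_field(doc, f) is not MISSING for f in selection)


class ConditionEvaluator:
    """Recursive-descent evaluator for a subset of Sigma conditions:
    selection names, 'and', 'or', 'not' and parentheses."""

    def __init__(self, detection: dict, require_exists_for_not: bool):
        self.selections = {k: v for k, v in detection.items() if k != "condition"}
        self.tokens = detection["condition"].replace("(", " ( ").replace(")", " ) ").split()
        self.require_exists_for_not = require_exists_for_not
        self.pos = 0
        self.doc: dict = {}

    def evaluate(self, doc: dict) -> bool:
        self.pos, self.doc = 0, doc
        result = self._or()
        if self.pos != len(self.tokens):
            raise ValueError(f"unexpected token {self.tokens[self.pos]!r}")
        return result

    def _peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def _next(self) -> str:
        tok = self.tokens[self.pos]
        self.pos += 1
        return tok

    def _or(self) -> bool:
        left = self._and()
        while self._peek() == "or":
            self._next()
            right = self._and()  # always parse the right side so tokens are consumed
            left = left or right
        return left

    def _and(self) -> bool:
        left = self._not()
        while self._peek() == "and":
            self._next()
            right = self._not()
            left = left and right
        return left

    def _not(self) -> bool:
        if self._peek() != "not":
            return self._atom()
        self._next()
        if self._peek() == "(":
            return not self._atom()  # 'not (expr)': plain negation of the group
        sel = self.selections[self._next()]
        if self.require_exists_for_not and not selection_fields_exist(sel, self.doc):
            return False  # requested behaviour: absent field cannot satisfy the negation
        return not selection_matches(sel, self.doc)  # current behaviour

    def _atom(self) -> bool:
        tok = self._next()
        if tok == "(":
            value = self._or()
            if self._next() != ")":
                raise ValueError("missing closing parenthesis")
            return value
        return selection_matches(self.selections[tok], self.doc)


def findings(require_exists_for_not: bool) -> list:
    """Names of the sample documents that would generate a finding in the given mode."""
    ev = ConditionEvaluator(RULE_DETECTION, require_exists_for_not)
    return [name for name, doc in SAMPLE_DOCS.items() if ev.evaluate(doc)]


if __name__ == "__main__":
    print("current behaviour:      ", findings(False))
    print("with existence check:   ", findings(True))
```

Running it shows the difference the issue describes: in the current mode `root_missing_eventtype` produces a finding alongside `root_console_signin`, because `eventType` being absent already makes `not selection_eventtype` true; with the existence check only `root_console_signin` is reported. The `root_service_event` and `iam_user_api_call` documents are rejected in both modes, so the check only affects documents that lack the negated field.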
