[FEATURE] Sigma rule - exists modifier

[jan-balas-partnersbanka]

Is your feature request related to a problem?
YES. I need to filter events where a specific field <FIELD_NAME> is not equal to a given value <BLOCKED_VALUE>, while also including events where <FIELD_NAME> does not exist at all.
When I express this in Sigma as “not Selection_1” (where Selection_1 is <FIELD_NAME>: <BLOCKED_VALUE>), the generated query implicitly adds an existence check and effectively becomes:
(NOT <FIELD_NAME>: "<BLOCKED_VALUE>" AND exists: <FIELD_NAME>)

This is also mentioned in #1463

Example: it is needed for processing AWS cloudtrail logs when one wants to detect specific activity of all users and filter autoscaling activity by excluding
userIdentity.invokedBy: autoscaling.amazonaws.com

What solution would you like?

Implement sigma modifier “|exists” - Sigma rule - exists modifier
This would allow me to creare a query line

Condition:  Field_NOT_exists or not Blacklisted 
Field_NOT_exists 
   <FIELD_NAME>|exists: false	
Blacklisted
  <FIELD_NAME>:<BLOCKED_VALUE>

[andrross]

Catch All Triage - 1 2 3 4

@eirsep Can a maintainer take a look here?