For rule f6de9536-0441-4b3f-a646-f4e00f300ffd "Weak Encryption Enabled and Kerberoast", the values specified will never detect on Windows Security Event Logs (At least from what I can see; I do not have Sysmon to compare).
Real-world values are displayed as "0x" followed by numbers, but this rule is either expecting question marks or is expecting the user to do extra work to edit the rule.
Example:
```text
03/03/2025 00:00:00 AM
LogName=Security
EventCode=4738
EventType=0
ComputerName=DESKTOP-1234
SourceName=Microsoft Windows security auditing.
Type=Information
RecordNumber=00000001
Keywords=Audit Success
TaskCategory=User Account Management
OpCode=Info
Message=A user account was changed.
Subject:
...
Target Account:
...
Changed Attributes:
...
Old UAC Value: 0x210
New UAC Value: 0x210
...
Additional Information:
...
```
Also, there is a dead link in the detection section.
The selections match using the |endswith modifier. The question marks are one-character wildcards. Therefore I don't see a systematic issue with the rule. Your example, if it used a different combination of flags, would match. Am I correct that this was just a misunderstanding of how to read the rule, or did you test it and it didn't work? If so, please explain how to reproduce this test.
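To make the reply's point concrete, here is an added example (written for this discussion; it is not code from SigmaHQ, from the rule, or from either participant). It implements the subset of Sigma string matching the reply describes, `?` as a one-character wildcard plus the `|endswith` modifier, and runs an illustrative selection over constructed 4738-style events whose UAC fields carry the `0x...` strings the reporter quoted. The selection values below are my own illustration of the wildcard mechanics (they target the 0x8000 USE_DES_KEY_ONLY bit in the SAM-style encoding that 4720/4738 print, where 0x210 = NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD), not the actual values of rule f6de9536-0441-4b3f-a646-f4e00f300ffd, which this page does not reproduce. Field names (`EventID`, `OldUacValue`, `NewUacValue`, `TargetUserName`) and the UAC bit names are assumptions stated in the comments.

```python
import re
from typing import Dict, List, Optional


def sigma_to_regex(pattern: str, modifier: Optional[str] = None) -> "re.Pattern":
    """Translate one Sigma string value into a compiled regex.

    '?' matches exactly one character and '*' any run of characters; every
    other character is escaped. With no modifier the value must match the
    whole field; endswith/startswith/contains relax one or both ends.
    Matching is case-insensitive, as Sigma's default string matching is.
    """
    body = ""
    for ch in pattern:
        if ch == "?":
            body += "."
        elif ch == "*":
            body += ".*"
        else:
            body += re.escape(ch)
    if modifier == "endswith":
        body = ".*" + body
    elif modifier == "startswith":
        body = body + ".*"
    elif modifier == "contains":
        body = ".*" + body + ".*"
    elif modifier is not None:
        raise ValueError(f"unsupported modifier: {modifier}")
    return re.compile(body, re.IGNORECASE | re.DOTALL)


def field_matches(value, pattern, modifier: Optional[str] = None) -> bool:
    """True if the field value satisfies the Sigma value under the modifier."""
    return sigma_to_regex(str(pattern), modifier).fullmatch(str(value)) is not None


def selection_matches(event: Dict[str, object], selection: Dict[str, object]) -> bool:
    """A selection maps 'Field' or 'Field|modifier' to a value or a list of
    values. Different fields are ANDed; a list of values for one field is ORed,
    which is how Sigma evaluates a selection."""
    for key, patterns in selection.items():
        field, _, modifier = key.partition("|")
        if field not in event:
            return False
        if not isinstance(patterns, list):
            patterns = [patterns]
        if not any(field_matches(event[field], p, modifier or None) for p in patterns):
            return False
    return True


# Assumed bit names for the UAC value as events 4720/4738 print it (the SAM
# encoding, which is not the LDAP userAccountControl encoding): e.g. a freshly
# created account shows 0x15 = ACCOUNT_DISABLED | PASSWORD_NOT_REQUIRED | NORMAL_ACCOUNT.
SAM_UAC_FLAGS = {
    0x1: "ACCOUNT_DISABLED",
    0x4: "PASSWORD_NOT_REQUIRED",
    0x10: "NORMAL_ACCOUNT",
    0x200: "DONT_EXPIRE_PASSWORD",
    0x8000: "USE_DES_KEY_ONLY",
    0x10000: "DONT_REQUIRE_PREAUTH",
}


def decode_uac(value: str) -> List[str]:
    """Name the known bits set in a '0x...' UAC string, lowest bit first."""
    n = int(value, 16)
    return [name for bit, name in sorted(SAM_UAC_FLAGS.items()) if n & bit]


# Illustrative selection, NOT the text of the rule under discussion: fire on a
# 4738 whose new UAC value has the 0x8000 bit set, i.e. the fourth hex digit
# from the right is 8..f. The three '?' keep the lower digits free, so the
# '0x' prefix is irrelevant: '0x8210' matches, '0x210' is too short to.
DES_ONLY_SELECTION = {
    "EventID": 4738,
    "NewUacValue|endswith": [f"{d:x}???" for d in range(8, 16)],
}

# Constructed events using the field names Sigma uses for event 4738.
EVENTS = [
    {"EventID": 4738, "TargetUserName": "jdoe",    "OldUacValue": "0x210",  "NewUacValue": "0x210"},    # reporter's example: nothing weak
    {"EventID": 4738, "TargetUserName": "svc_sql", "OldUacValue": "0x210",  "NewUacValue": "0x8210"},   # DES-only just enabled
    {"EventID": 4738, "TargetUserName": "svc_web", "OldUacValue": "0x8210", "NewUacValue": "0x18210"},  # DES-only kept, preauth disabled too
    {"EventID": 4738, "TargetUserName": "svc_old", "OldUacValue": "0x8210", "NewUacValue": "0x210"},    # DES-only removed
    {"EventID": 4720, "TargetUserName": "newuser", "OldUacValue": "0x0",    "NewUacValue": "0x8015"},   # right bits, wrong event
]


def run_selection(events, selection=DES_ONLY_SELECTION) -> List[str]:
    """Return the TargetUserName of every event the selection matches."""
    return [e["TargetUserName"] for e in events if selection_matches(e, selection)]


if __name__ == "__main__":
    for e in EVENTS:
        hit = "MATCH" if selection_matches(e, DES_ONLY_SELECTION) else "-"
        print(e["EventID"], e["TargetUserName"], e["NewUacValue"], decode_uac(e["NewUacValue"]), hit)
```

Running it shows why a value like `0x210` is never a counter-example on its own: with `|endswith`, the `0x` prefix is simply absorbed by the implicit leading wildcard, and whether an event fires depends only on the trailing hex digits, i.e. on which flag bits the change actually set. The same matcher can be pointed at the rule's real selection by replacing `DES_ONLY_SELECTION` with the values from the rule file.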