Hej Jake,
actually I just wrote the rule directly in the forum, not in the editor. It is just missing a `)`
and has a wrong `"`,
and I missed the order of contains (first the value, then the string):
rule "lets detect bad stuff"
when
    // both fields must be present before their values are inspected
    has_field("sysmon_event_id") AND
    has_field("GrantedAccess") AND
    // contains(value, search): the field value comes first, the string to look for second
    contains(to_string($message.sysmon_event_id), "11") AND
    contains(to_string($message.GrantedAccess), "0x100")
then
    set_field("BadDetected", "true");
end
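As an added illustration (not code from this thread or from Graylog), the rule's logic emulated in Python with `contains(value, search)` semantics, run over a few constructed Sysmon-style messages so the effect of the argument order can be seen:

```python
# Added example: emulates the pipeline functions used in the rule above so the
# contains() argument order can be checked. Messages below are constructed, not real logs.

def has_field(message: dict, name: str) -> bool:
    """Mirrors Graylog has_field(): true when the message carries the field."""
    return name in message

def contains(value: str, search: str, ignore_case: bool = False) -> bool:
    """Mirrors Graylog contains(value, search): true when VALUE contains SEARCH."""
    if ignore_case:
        return search.lower() in value.lower()
    return search in value

def rule_matches(message: dict, reversed_args: bool = False) -> bool:
    """The rule's 'when' block. reversed_args=True reproduces the original
    mistake of passing the literal first and the field value second."""
    if not (has_field(message, "sysmon_event_id") and has_field(message, "GrantedAccess")):
        return False
    event_id = str(message["sysmon_event_id"])
    access = str(message["GrantedAccess"])
    if reversed_args:
        return contains("11", event_id) and contains("0x100", access)
    return contains(event_id, "11") and contains(access, "0x100")

def apply_rule(message: dict, reversed_args: bool = False) -> dict:
    """The 'then' block: set BadDetected only when the conditions hold."""
    out = dict(message)
    if rule_matches(message, reversed_args):
        out["BadDetected"] = "true"
    return out

# Constructed sample messages (hypothetical field values).
SAMPLES = [
    {"sysmon_event_id": 11, "GrantedAccess": "0x1000"},  # contains "0x100": should match
    {"sysmon_event_id": 11, "GrantedAccess": "0x100"},   # exact value: matches either way
    {"sysmon_event_id": 1, "GrantedAccess": "0x1000"},   # wrong event id
    {"sysmon_event_id": 11},                             # GrantedAccess missing
]

def detected(reversed_args: bool = False) -> list:
    """Indexes of SAMPLES that the rule flags; [0, 1] correct, [1] with reversed args."""
    return [i for i, m in enumerate(SAMPLES)
            if apply_rule(m, reversed_args).get("BadDetected") == "true"]
```

With the arguments reversed, the first sample is silently missed because "0x1000" is not a substring of "0x100"; note also that substring matching on the event id will match any id containing "11", so an equality test is stricter if that field is always exact.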