Windows Event Catalog

106396 events across 1740 providers, 8393 with sample data85530 with field definitions571 trace events4694 with reference links

Provider	Events	Samples
Microsoft-Windows-Security-Auditing	426	207
Microsoft-Windows-Sysmon	30	30
Microsoft-Windows-PowerShell	189	41
Microsoft-Windows-Windows Defender	94	26
Microsoft-Windows-TaskScheduler	148	38
Microsoft-Windows-WMI-Activity	25	15
Microsoft-Windows-TerminalServices-LocalSessionManager	47	16
Microsoft-Windows-DNS-Server-Service	497	35
Microsoft-Windows-ActiveDirectory_DomainService	41	41
Microsoft-Windows-Kernel-Process	27	13
Service Control Manager	91	36
Microsoft-Windows-Bits-Client	114	28
Microsoft-Windows-Windows Firewall With Advanced Security	171	51
Microsoft-Windows-AppLocker	49	16
Microsoft-Windows-NTLM	21	5
Microsoft-Windows-Security-Kerberos	90	14
Microsoft-Windows-CertificationAuthority	355	35
Microsoft-Office-Word2	976	955
Microsoft-Office-Word	886	886
OfficeAirSpace	470	470
Microsoft-Office-Word3	450	417
Microsoft-Windows-Shell-Core	2380	217
Linux Auditd	205	164
Microsoft-Windows-TCPIP	624	140
Microsoft-Windows-AppXDeployment-Server	2020	125
Microsoft-Windows-Security-SPP	326	117
Microsoft-Windows-Hyper-V-VMMS	7057	109
Microsoft-Windows-Dwm-Core	334	107
Microsoft-Office-Events	91	91
AD FS	562	78
Microsoft-Windows-Application Server-Applications	481	78
Microsoft-Windows-DxgKrnl	707	75
Microsoft-Windows-ServerManager-MultiMachine	333	65
Microsoft-Windows-GroupPolicy	177	64
MSSQL$SQLEXPRESS	63	63
Microsoft-Windows-PushNotifications-Platform	412	62
Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider	996	59
ESF	148	57
Microsoft-Windows-WinRM	327	57
MSSQL$MICROSOFT##WID	50	50
Microsoft-Windows-Win32k	358	49
Microsoft-Windows-Dhcp-Client	164	48
Microsoft-Windows-DeviceManagement-Pushrouter	107	46
Microsoft-Windows-ESE	140	46
Microsoft-Windows-Hyper-V-VmSwitch	529	45
Microsoft-Windows-Time-Service	178	43
Microsoft-Windows-SENSE	214	41
Microsoft-Windows-DHCP-Server	565	38
ESENT	36	36
Microsoft-Windows-RemoteDesktopServices-RdpCoreTS	89	34
Microsoft-Windows-SMBClient	181	34
Microsoft-Antimalware-Engine	110	32
Microsoft-Windows-FailoverClustering	762	32
Microsoft-Windows-AppReadiness	174	31
Microsoft-Windows-Ntfs	72	31
Microsoft-Windows-DotNETRuntime	145	30
Microsoft-Windows-SMBServer	207	29
Microsoft-Windows-CAPI2	74	28
Microsoft-Windows-PrintService	219	28
Microsoft-Windows-ShellCommon-StartLayoutPopulation	126	28
Microsoft-Windows-Threat-Intelligence	34	28
Microsoft-Windows-DHCPv6-Client	127	27
Microsoft-Windows-VHDMP	84	27
Microsoft-Windows-Winlogon	151	27
Microsoft-Windows-Winsock-AFD	96	27
Microsoft-Windows-DNS-Client	107	26
Microsoft-Windows-DNSServer	167	26
Microsoft-Windows-Search	258	26
AD FS Auditing	25	25
Microsoft-Windows-COM-Perf	55	25
Microsoft-Windows-DeviceSetupManager	102	25
Microsoft-Windows-DriverFrameworks-UserMode	77	25
OfficeLoggingLiblet	25	25
Microsoft-Windows-Kernel-Registry	45	23
Microsoft-Windows-User Device Registration	220	23
Microsoft-Windows-Hyper-V-Worker	1669	22
Microsoft-Windows-Kernel-File	25	22
Microsoft-Windows-Kernel-PnP	196	22
Microsoft-Windows-StorPort	362	22
Microsoft-Windows-CodeIntegrity	111	21
Microsoft-Windows-DSC	255	21
Microsoft-Windows-Kernel-Boot	261	21
Microsoft-Windows-UxTheme	33	21
Microsoft-Windows-DotNETRuntimeRundown	23	20
Microsoft-Windows-HttpService	132	20
Microsoft-Windows-ModernDeployment-Diagnostics-Provider	239	20
MsiInstaller	46	20
DFSR	19	19
Windows Server Update Services	19	19
Microsoft-Windows-Diagnosis-PLA	48	18
Microsoft-Windows-MSDTC	723	18
Microsoft-Windows-ServerManager-ManagementProvider	70	18
Microsoft-Windows-TSF-msctf	95	18
NTDS ISAM	18	18
Microsoft-Windows-CloudStore	60	17
Microsoft-Windows-StateRepository	95	17
MSSQLSERVER	22	17
Microsoft-Windows-Dwm-Compositor	36	16
Microsoft-Windows-Kernel-Network	22	16
Microsoft-Windows-WAS	430	16

View all 1740 providers (showing the top 100 by sample data)

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)

Windows Event Catalog

Keyboard shortcuts

Search operators