type: | events / rules / providers |
vendor: | sigma / elastic / splunk / kusto / chronicle (vendor name alone also works: sigma:, kql:, secops:…) |
tactic: | TA-id, slug, or name: credential_access, TA0006 |
technique: | technique or sub-technique ID: T1003, T1003.001 (alias tech:) |
severity: | critical / high / medium / low / informational (alias sev:) |
risk_score | Numeric comparison on the Elastic risk score (0 to 100): risk_score>50, risk_score<=20, risk_score=99 (alias risk; Elastic rules only) |
stages: | Rules with exactly N pipeline stages |
correlation: | single_event / sequence / alternatives / alternatives_cross_log / all_required / correlated |
with: | Co-occurrence event-id; stacks (with:4624 with:4769) to require all, while a comma list in one occurrence (with:4624,4769) is an either-or group. Implies multi-event |
like: | Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): like:comsvcs_lsass_memory_dump-splunk-sysmon |
groupby: | Entity-grouping substring match against group_by_keys: groupby:user, groupby:host |
uses: | Rules whose predicate tree touches the field (any kind, any value): uses:CommandLine |
excludes: | Rules with top-level not() clauses on the field (FP whitelists): excludes:ParentImage |
field: / value: | Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (value:*mimikatz*) |
indicator: | Shorthand for field:F value:V: indicator:Image=*\powershell.exe |
kind: | Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (vendor:elastic kind:cidr_match) and drives the indicator tier: contains / starts_with / ends_with / regex / cidr / eq / in … (operator aliases op:/match:) |
has: / no: | sample, field, notes, refs, trace, thirdparty, rule, pattern, timewindow, threshold, newterms, sigma/elastic/splunk/kusto/chronicle |
-op:val | Exclude matches; works on most operators but not type:/like:/has:/no: (use no:<flag> to exclude a rule flag): tactic:execution -vendor:splunk. Standalone -kind:/-field:/-value: drop every rule carrying a matching predicate leaf (type:rules -kind:is_null) |
field:"…" / value:"…" | Quoted value = anchored exact match (also allows spaces): value:"net user" |
a,b | Comma = OR inside one operator (vendor:sigma,elastic, severity:high,critical); repeating a facet merges the same way. field:/value: never split (literal commas) |
vendors: / stage: | Singular and plural spellings fold to the canonical operator and value: tactics: = tactic:, type:event = type:events, correlation:sequences = correlation:sequence, has:thresholds = has:threshold |
"quoted phrase" | Exact-match a multi-word phrase (free text) |