Brute Force `T1110`

Tactic: Credential Access

Adversaries may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained. Without knowledge of the password for an account or set of accounts, an adversary may systematically guess the password using a repetitive or iterative mechanism. Brute forcing passwords can take place via interaction with a service that will check the validity of those credentials or offline against previously acquired credential data, such as password hashes.

Events covered

24 catalog events are tagged with this technique by at least one rule.

Provider	Event	Title
Sysmon	Event ID 1	Process creation
Sysmon	Event ID 3	Network connection
Security-Auditing	Event ID 4624	An account was successfully logged on.
Security-Auditing	Event ID 4625	An account failed to log on.
Security-Auditing	Event ID 4634	An account was logged off.
Security-Auditing	Event ID 4648	A logon was attempted using explicit credentials.
Security-Auditing	Event ID 4688	A new process has been created.
Security-Auditing	Event ID 4723	An attempt was made to change an account's password.
Security-Auditing	Event ID 4724	An attempt was made to reset an account's password.
Security-Auditing	Event ID 4768	A Kerberos authentication ticket (TGT) was requested.
Security-Auditing	Event ID 4771	Kerberos pre-authentication failed.
Security-Auditing	Event ID 4776	The domain controller attempted to validate the credentials for an account.
Security-Auditing	Event ID 5152	The Windows Filtering Platform blocked a packet.
Security-Auditing	Event ID 5154	The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.
Security-Auditing	Event ID 5155	The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.
Security-Auditing	Event ID 5156	The Windows Filtering Platform has permitted a connection.
Security-Auditing	Event ID 5157	The Windows Filtering Platform has blocked a connection.
Security-Auditing	Event ID 5158	The Windows Filtering Platform has permitted a bind to a local port.
Security-Auditing	Event ID 5159	The Windows Filtering Platform has blocked a bind to a local port.
Defender-DeviceLogonEvents	LogonSuccess	Logon succeeded
Defender-DeviceLogonEvents	LogonFailed	Logon failed
MSSQLSERVER	Event ID 18456	Event ID 18456
MSSQLSERVER	Event ID 33205	Event ID 33205
PowerShell	Event ID 4104	Creating Scriptblock text (MessageNumber of MessageTotal).

Authoring guide

Patterns shared across the 298 rules above: which fields they filter on, what specific values they look for, and what they exclude. The catalog normalizes field names across vendors so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.

Fields filtered most (360 distinct)

The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.

Field	Rules	How	Sample values
`sourcetype`	46	`eq` 45, `in` 1	`aws:cloudtrail`, `azure:monitor:aad`, `crowdstrike:identities`, `o365:management:activity`, `XmlWinEventLog:Microsoft-Windows-NTLM/Operational`
`EventID`	44	`eq` 40, `in` 3, `regex_match` 1	`4625`, `8004`, `4624`, `4768`, `4776`
`EventType`	34	`eq` 24, `in` 9, `starts_with` 7, `contains` 1	`user.authentication.`, `user.session.start`, `ssh_login`, `user_login`, `logon-failed`
`MessageType`	24	`eq` 24	`0`, `2`
`Channel`	23	`eq` 23, `in` 17
`data_stream.dataset`	21	`eq` 20, `in` 1	`okta.system`, `azure.signinlogs`, `o365.audit`, `aws.cloudtrail`, `azure.identity_protection`
`Status`	20	`eq` 17, `in` 2, `contains` 1	`0x6`, `403`, `Success`, `0x12`, `0x18`
`eventtype`	19	`eq` 19, `contains` 1, `starts_with` 1
`Codename`	18	`eq` 18	`codeNameList`, `Password Guessing`, `Password Spraying`
`src_ip`	16	`eq` 7, `is_not_null` 5, `ne` 5, `cidr_match` 3	`-`, `%domain_controllers_ips%`, `10.0.0.0/8`, `127.0.0.0/8`, `127.0.0.1`
`aws::eventName`	15	`eq` 15	`ConsoleLogin`, `GetPasswordData`, `ModifyDBInstance`, `AssumeRole`, `GetObject`
`isOutlier`	14	`eq` 14	`1`
`LogonType`	13	`eq` 12, `ne` 1	`Network`, `Interactive`, `RemoteInteractive`, `Unlock`
`TargetUserName`	12	`ne` 10, `eq` 2	`*$`, `%account_allowed_proxy%`, `Administrator`
`event.category`	12	`eq` 12	`authentication`, `process`

Top indicator values (918 distinct)

Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely-used indicators that are likely noisy on their own; combine them with another condition for useful signal. Blank means the combination is specific to rules under this technique. Click a value to expand the rules under this technique that use it.

Field	Kind	Value	Rules (here)	Corpus reach
`MessageType`	`eq`	`0` kustoAlsid Active Directory attacks pathways kustoAlsid Indicators of Exposures kustoAlsid Password issues kustoAlsid privileged accounts issues kustoAlsid user accounts issues kustoTenable.ad Active Directory attacks pathways kustoTenable.ad Indicators of Exposures kustoTenable.ad Password issues kustoTenable.ad privileged accounts issues kustoTenable.ad user accounts issues kustoTIE Active Directory attacks pathways kustoTIE Indicators of Exposures kustoTIE Password issues kustoTIE privileged accounts issues kustoTIE user accounts issues	15	15
`MessageType`	`eq`	`2` kustoAlsid Indicators of Attack kustoAlsid Password Guessing kustoAlsid Password Spraying kustoTenable.ad Indicators of Attack kustoTenable.ad Password Guessing kustoTenable.ad Password Spraying kustoTIE Indicators of Attack kustoTIE Password Guessing kustoTIE Password Spraying	9	21
`isOutlier`	`eq`	`1` splunkAWS Unusual Number of Failed Authentications From Ip splunkAzure AD Unusual Number of Failed Authentications From Ip splunkDetect Distributed Password Spray Attempts splunkDetect Password Spray Attempts splunkGCP Unusual Number of Failed Authentications From Ip splunkMultiple Failed Network Logon Attempts from Host (Windows Event Log) splunkWindows Unusual Count Of Disabled Users Failed Auth Using Kerberos splunkWindows Unusual Count Of Invalid Users Fail To Auth Using Kerberos splunkWindows Unusual Count Of Invalid Users Failed To Auth Using NTLM splunkWindows Unusual Count Of Users Fail To Auth Wth ExplicitCredentials splunkWindows Unusual Count Of Users Failed To Auth Using Kerberos splunkWindows Unusual Count Of Users Failed To Authenticate From Process splunkWindows Unusual Count Of Users Failed To Authenticate Using NTLM splunkWindows Unusual Count Of Users Remotely Failed To Auth From Host	14	28
`Codename`	`eq`	`codeNameList` kustoAlsid Active Directory attacks pathways kustoAlsid Password issues kustoAlsid privileged accounts issues kustoAlsid user accounts issues kustoTenable.ad Active Directory attacks pathways kustoTenable.ad Password issues kustoTenable.ad privileged accounts issues kustoTenable.ad user accounts issues kustoTIE Active Directory attacks pathways kustoTIE Password issues kustoTIE privileged accounts issues kustoTIE user accounts issues	12	12
`EventID`	`eq`	`4625` splunkMultiple Failed Network Logon Attempts from Host (Windows Event Log) splunkRDP Brute-force Detection (Windows Event Log) splunkSuspicious Login Failures (Windows Event Log) splunkWindows Local Administrator Credential Stuffing splunkWindows Multiple Users Failed To Authenticate From Process splunkWindows Multiple Users Remotely Failed To Authenticate From Host splunkWindows Unusual Count Of Users Failed To Authenticate From Process splunkWindows Unusual Count Of Users Remotely Failed To Auth From Host kustoExcessive Windows Logon Failures kustoFailed logon attempts by valid accounts within 10 mins chronicleMITRE ATT&CK T1110.001 Windows Repeated Authentication Failures Before Successful One chronicleMITRE ATT&CK T1110.001 Windows Repeated Authentication Failures Before Successful One With User Entity	12	15
`EventID`	`eq`	`4768` splunkWindows Multiple Disabled Users Failed To Authenticate Wth Kerberos splunkWindows Multiple Invalid Users Fail To Authenticate Using Kerberos splunkWindows Unusual Count Of Disabled Users Failed Auth Using Kerberos splunkWindows Unusual Count Of Invalid Users Fail To Auth Using Kerberos	4	13
`EventID`	`eq`	`4776` splunkWindows Multiple Invalid Users Failed To Authenticate Using NTLM splunkWindows Multiple Users Failed To Authenticate From Host Using NTLM splunkWindows Unusual Count Of Invalid Users Failed To Auth Using NTLM splunkWindows Unusual Count Of Users Failed To Authenticate Using NTLM	4	5
`TargetUserName`	`ne`	`*$` splunkWindows Multiple Disabled Users Failed To Authenticate Wth Kerberos splunkWindows Multiple Invalid Users Fail To Authenticate Using Kerberos splunkWindows Multiple Invalid Users Failed To Authenticate Using NTLM splunkWindows Multiple Users Failed To Authenticate From Host Using NTLM splunkWindows Multiple Users Failed To Authenticate Using Kerberos splunkWindows Unusual Count Of Disabled Users Failed Auth Using Kerberos splunkWindows Unusual Count Of Invalid Users Fail To Auth Using Kerberos splunkWindows Unusual Count Of Invalid Users Failed To Auth Using NTLM splunkWindows Unusual Count Of Users Failed To Auth Using Kerberos splunkWindows Unusual Count Of Users Failed To Authenticate Using NTLM	10	14
`event.category`	`eq`	`authentication` elasticEntra ID Excessive Account Lockouts Detected elasticEntra ID Sign-in Brute Force Attempted (Microsoft 365) elasticEntra ID User Sign-in Brute Force Attempted elasticEntra ID User Sign-in with Unusual Authentication Type elasticM365 Identity User Account Lockouts elasticM365 Identity User Brute Force Attempted elasticMultiple Logon Failure from the same Source Address elasticOkta Admin Console Login Failure elasticPotential Password Spraying Attack via SSH elasticPrivileged Accounts Brute Force	10	31
`LogonType`	`eq`	`Network` sigmaExternal Remote SMB Logon from Public IP elasticMultiple Logon Failure Followed by Logon Success elasticMultiple Logon Failure from the same Source Address elasticPrivileged Accounts Brute Force splunkMultiple Failed Network Logon Attempts from Host (Windows Event Log) splunkRDP Brute-force Detection (Windows Event Log) splunkWindows Local Administrator Credential Stuffing splunkWindows Multiple Users Remotely Failed To Authenticate From Host splunkWindows Unusual Count Of Users Remotely Failed To Auth From Host	9	40
`aws::eventName`	`eq`	`ConsoleLogin` sigmaAWS ConsoleLogin Failed Authentication splunkAWS Credential Access Failed Login splunkAWS High Number Of Failed Authentications From Ip splunkAWS Multiple Users Failing To Authenticate From Ip splunkAWS Unusual Number of Failed Authentications From Ip kustoCross-Cloud Password Spray detection kustoFailed AzureAD logons but success logon to AWS Console kustoSuccessful AWS Console Login from IP Address Observed Conducting Password Spray pantherFailed Root Console Login	9	27
`data_stream.dataset`	`eq`	`okta.system` elasticAttempts to Brute Force an Okta User Account elasticMultiple Okta User Auth Events with Same Device Token Hash Behind a Proxy elasticMultiple Okta User Authentication Events with Same Device Token Hash elasticOkta Successful Login After Credential Attack elasticPotential Okta Brute Force (Device Token Rotation) elasticPotential Okta Brute Force (Multi-Source) elasticPotential Okta Credential Stuffing (Single Source) elasticPotential Okta Password Spray (Multi-Source) elasticPotential Okta Password Spray (Single Source)	9	48
`data_stream.dataset`	`eq`	`azure.signinlogs` elasticEntra ID Excessive Account Lockouts Detected elasticEntra ID MFA TOTP Brute Force Attempted elasticEntra ID Sign-in Brute Force Attempted (Microsoft 365) elasticEntra ID User Sign-in Brute Force Attempted elasticEntra ID User Sign-in with Unusual Authentication Type	5	30
`event.outcome`	`eq`	`failure` elasticAWS IAM Principal Enumeration via UpdateAssumeRolePolicy elasticAWS Management Console Brute Force of Root User Identity elasticEntra ID Excessive Account Lockouts Detected elasticEntra ID Sign-in Brute Force Attempted (Microsoft 365) elasticEntra ID User Sign-in Brute Force Attempted elasticPotential External Linux SSH Brute Force Detected elasticPotential Internal Linux SSH Brute Force Detected elasticPotential Password Spraying Attack via SSH elasticPotential Successful SSH Brute Force Attack	9	16
`unique_accounts`	`gt`	`30` splunkAWS Multiple Users Failing To Authenticate From Ip splunkWindows Multiple Disabled Users Failed To Authenticate Wth Kerberos splunkWindows Multiple Invalid Users Fail To Authenticate Using Kerberos splunkWindows Multiple Invalid Users Failed To Authenticate Using NTLM splunkWindows Multiple Users Fail To Authenticate Wth ExplicitCredentials splunkWindows Multiple Users Failed To Authenticate From Host Using NTLM splunkWindows Multiple Users Failed To Authenticate From Process splunkWindows Multiple Users Failed To Authenticate Using Kerberos splunkWindows Multiple Users Remotely Failed To Authenticate From Host	9	9
`EventType`	`eq`	`user.session.start` elasticMultiple Okta User Authentication Events with Same Device Token Hash elasticOkta Successful Login After Credential Attack elasticPotential Okta Brute Force (Device Token Rotation) elasticPotential Okta Brute Force (Multi-Source) elasticPotential Okta Credential Stuffing (Single Source) elasticPotential Okta Password Spray (Multi-Source) elasticPotential Okta Password Spray (Single Source)	7	8
`EventType`	`starts_with`	`user.authentication.` elasticMultiple Okta User Authentication Events with Same Device Token Hash elasticOkta Successful Login After Credential Attack elasticPotential Okta Brute Force (Device Token Rotation) elasticPotential Okta Brute Force (Multi-Source) elasticPotential Okta Credential Stuffing (Single Source) elasticPotential Okta Password Spray (Multi-Source) elasticPotential Okta Password Spray (Single Source)	7	8
`sourcetype`	`eq`	`aws:cloudtrail` splunkAWS Credential Access Failed Login splunkAWS Credential Access GetPasswordData splunkAWS Credential Access RDS Password reset splunkAWS High Number Of Failed Authentications From Ip splunkAWS IAM Assume Role Policy Brute Force splunkAWS Multiple Users Failing To Authenticate From Ip splunkAWS Unusual Number of Failed Authentications From Ip	7	59
`sourcetype`	`eq`	`azure:monitor:aad` splunkAzure Active Directory High Risk Sign-in splunkAzure AD High Number Of Failed Authentications For User splunkAzure AD High Number Of Failed Authentications From Ip splunkAzure AD Multi-Source Failed Authentications Spike splunkAzure AD Multiple Users Failing To Authenticate From Ip splunkAzure AD Successful Authentication From Different Ips splunkAzure AD Unusual Number of Failed Authentications From Ip	7	47
`sourcetype`	`eq`	`crowdstrike:identities` splunkCrowdstrike Admin Weak Password Policy splunkCrowdstrike Admin With Duplicate Password splunkCrowdstrike High Identity Risk Severity splunkCrowdstrike Medium Identity Risk Severity splunkCrowdstrike User Weak Password Policy splunkCrowdstrike User with Duplicate Password	6	6
`sourcetype`	`eq`	`o365:management:activity` splunkHigh Number of Login Failures from a single source splunkO365 Excessive Authentication Failures Alert splunkO365 High Number Of Failed Authentications for User splunkO365 Multi-Source Failed Authentications Spike splunkO365 Multiple OS Vendors Authenticating From User splunkO365 Multiple Users Failing To Authenticate From Ip	6	80
`sourcetype`	`eq`	`XmlWinEventLog:Microsoft-Windows-NTLM/Operational` splunkWindows Multiple NTLM Null Domain Authentications splunkWindows Unusual NTLM Authentication Destinations By Source splunkWindows Unusual NTLM Authentication Destinations By User splunkWindows Unusual NTLM Authentication Users By Destination splunkWindows Unusual NTLM Authentication Users By Source	5	5
`okta::outcome.reason`	`in`	`INVALID_CREDENTIALS` elasticPotential Okta Brute Force (Device Token Rotation) elasticPotential Okta Brute Force (Multi-Source) elasticPotential Okta Credential Stuffing (Single Source) elasticPotential Okta Password Spray (Multi-Source) elasticPotential Okta Password Spray (Single Source) kustoPotential Password Spray Attack	6	6
`okta::outcome.reason`	`in`	`LOCKED_OUT` elasticPotential Okta Brute Force (Device Token Rotation) elasticPotential Okta Brute Force (Multi-Source) elasticPotential Okta Credential Stuffing (Single Source) elasticPotential Okta Password Spray (Multi-Source) elasticPotential Okta Password Spray (Single Source)	5	5
`security_result.action`	`eq`	`BLOCK` chronicleAWS High Number Of Unknown User Authentication Attempts chronicleAWS Unusual Number Of Failed Authentication Attempts From The Same IP chronicleMITRE ATT&CK T1110.001 Windows Repeated Authentication Failures Before Successful One chronicleMITRE ATT&CK T1110.001 Windows Repeated Authentication Failures Before Successful One With User Entity chronicleMITRE ATT&CK T1110.003 RW Windows Password Spray chronicleOkta User Rejected Multiple Push Notifications	6	17
`Operation`	`eq`	`UserLoginFailed` splunkHigh Number of Login Failures from a single source splunkO365 High Number Of Failed Authentications for User splunkO365 Multi-Source Failed Authentications Spike splunkO365 Multiple Users Failing To Authenticate From Ip pantherMicrosoft365 Brute Force Login by User	5	8
`Workload`	`eq`	`AzureActiveDirectory` splunkHigh Number of Login Failures from a single source splunkO365 Excessive Authentication Failures Alert splunkO365 High Number Of Failed Authentications for User splunkO365 Multi-Source Failed Authentications Spike splunkO365 Multiple Users Failing To Authenticate From Ip	5	31
`category`	`eq`	`SignInLogs` splunkAzure AD High Number Of Failed Authentications For User splunkAzure AD High Number Of Failed Authentications From Ip splunkAzure AD Multiple Users Failing To Authenticate From Ip splunkAzure AD Successful Authentication From Different Ips splunkAzure AD Unusual Number of Failed Authentications From Ip	5	12
`properties.authenticationDetails{}.succeeded`	`eq`	`false` splunkAzure AD High Number Of Failed Authentications For User splunkAzure AD High Number Of Failed Authentications From Ip splunkAzure AD Multi-Source Failed Authentications Spike splunkAzure AD Multiple Users Failing To Authenticate From Ip splunkAzure AD Unusual Number of Failed Authentications From Ip	5	5
`properties.status.errorCode`	`eq`	`50126` splunkAzure AD High Number Of Failed Authentications For User splunkAzure AD High Number Of Failed Authentications From Ip splunkAzure AD Multi-Source Failed Authentications Spike splunkAzure AD Multiple Users Failing To Authenticate From Ip splunkAzure AD Unusual Number of Failed Authentications From Ip	5	5

Exclusions (198 distinct)

Field/operator/value combinations excluded by rules under this technique (top-level not() clauses), sorted by how many rules exclude each. These are the false-positive paths the community has learned to filter out. A new rule that ignores the high-count entries here will likely fire on the same noisy paths. Click a value to expand the rules under this technique that exclude it.

Field	Kind	Value	Rules excluding
`src_ip`	`cidr_match`	`10.0.0.0/8` sigmaExternal Remote RDP Logon from Public IP sigmaExternal Remote SMB Logon from Public IP elasticPotential External Linux SSH Brute Force Detected kustoRemote Desktop Network Brute force (ASIM Network Session schema)	4
`src_ip`	`cidr_match`	`127.0.0.0/8` sigmaExternal Remote RDP Logon from Public IP sigmaExternal Remote SMB Logon from Public IP elasticPotential External Linux SSH Brute Force Detected kustoRemote Desktop Network Brute force (ASIM Network Session schema)	4
`src_ip`	`cidr_match`	`169.254.0.0/16` sigmaExternal Remote RDP Logon from Public IP sigmaExternal Remote SMB Logon from Public IP elasticPotential External Linux SSH Brute Force Detected kustoRemote Desktop Network Brute force (ASIM Network Session schema)	4
`src_ip`	`cidr_match`	`172.16.0.0/12` sigmaExternal Remote RDP Logon from Public IP sigmaExternal Remote SMB Logon from Public IP elasticPotential External Linux SSH Brute Force Detected kustoRemote Desktop Network Brute force (ASIM Network Session schema)	4
`src_ip`	`cidr_match`	`192.168.0.0/16` sigmaExternal Remote RDP Logon from Public IP sigmaExternal Remote SMB Logon from Public IP elasticPotential External Linux SSH Brute Force Detected kustoRemote Desktop Network Brute force (ASIM Network Session schema)	4
`src_ip`	`eq`	`%domain_controllers_ips%` sigmaBrutforce enumeration with non existing users (login) sigmaBrutforce enumeration with unexisting users (Kerberos) sigmaKerberos enumeration with existing/unexisting users (Kerbrute)	3
`Location`	`contains`	`<countries you do operate out of e,g gb, use or for multiple>` sigmaFailed Authentications From Countries You Do Not Operate Out Of sigmaSuccessful Authentications From Countries You Do Not Operate Out Of	2
`Status`	`in`	`0xc000005e` elasticMultiple Logon Failure from the same Source Address elasticPrivileged Accounts Brute Force	2
`Status`	`in`	`0xc00000dc` elasticMultiple Logon Failure from the same Source Address elasticPrivileged Accounts Brute Force	2
`Status`	`in`	`0xc0000133` elasticMultiple Logon Failure from the same Source Address elasticPrivileged Accounts Brute Force	2
`Status`	`in`	`0xc000015b` elasticMultiple Logon Failure from the same Source Address elasticPrivileged Accounts Brute Force	2
`Status`	`in`	`0xc0000192` elasticMultiple Logon Failure from the same Source Address elasticPrivileged Accounts Brute Force	2
`TO_IP(source.ip)`	`cidr_match`	`127.0.0.0/8` elasticMultiple Logon Failure from the same Source Address elasticPrivileged Accounts Brute Force	2
`TO_IP(source.ip)`	`cidr_match`	`::1` elasticMultiple Logon Failure from the same Source Address elasticPrivileged Accounts Brute Force	2
`azure.identityprotection.properties.risk_state`	`in`	`confirmedSafe` elasticEntra ID Protection - Risk Detection - Sign-in Risk elasticEntra ID Protection - Risk Detection - User Risk	2

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)

Brute Force `T1110`

Events covered

Authoring guide

Fields filtered most (360 distinct)

Top indicator values (918 distinct)

Exclusions (198 distinct)

Rules under this technique

Sigma 40 rules

Elastic 39 rules

Splunk 76 rules

Kusto 96 rules

YARA-L 14 rules

Panther 33 rules

Keyboard shortcuts

Search operators

Brute Force T1110

Events covered

Authoring guide

Fields filtered most (360 distinct)

Top indicator values (918 distinct)

Exclusions (198 distinct)

Rules under this technique

Sigma 40 rules

Elastic 39 rules

Splunk 76 rules

Kusto 96 rules

YARA-L 14 rules

Panther 33 rules

Brute Force `T1110`