M365 coverage

222 M365 detection rules across 5 vendors covering 118 (Workload, Operation) pairs. Each RecordType and Operation maps to a catalog entry under the Microsoft 365, Entra ID & Azure catalog.

AzureActiveDirectory 72 rules, 24 operations

Add a partner to cross-tenant access setting. 1 rule

O365 Cross-Tenant Access Change splunk (medium)

Add app role assignment grant to user. 1 rule

O365 Add App Role Assignment Grant User splunk (medium)

Add app role assignment to service principal. 1 rule

O365 Admin Consent Bypassed by Service Principal splunk (medium)

Add application. 3 rules

O365 AD PowerShell App Login Subsequent Activity chronicle (medium)
O365 Application Available To Other Tenants splunk (medium)
O365 Entra ID Application Creation chronicle (low)

Add eligible member to role. 2 rules

O365 Privileged Role Assigned splunk (medium)
O365 Privileged Role Assigned To Service Principal splunk (medium)

Add group. 2 rules

Hunt for Office 365 group creation failures chronicle (low)
Hunt for Office 365 group creation success chronicle (low)

Add member to group. 2 rules

Hunt for Office 365 group modification add member success chronicle (low)
Office 365 group modification add member success has exceeded a defined threshold chronicle (low)

Add member to role. 6 rules

M365 Identity Global Administrator Role Assigned elastic (medium)
O365 Add User To Admin Role chronicle (medium)
O365 High Privilege Role Granted splunk (medium)
O365 Privileged Role Assigned splunk (medium)
O365 Privileged Role Assigned To Service Principal splunk (medium)
O365 Recently Created Entra ID User Assigned Roles chronicle (medium)

Add owner to application. 1 rule

O365 Application Registration Owner Added splunk (medium)

Add registered users to device. 1 rule

M365 Identity OAuth Flow by User Sign-in to Device Registration elastic (high)

Add service principal. 2 rules

O365 Multiple Service Principals Created by SP splunk (low)
O365 Multiple Service Principals Created by User splunk (low)

Add user* 1 rule

O365 External Guest User Invited splunk (medium)

Consent to application. 5 rules

M365 Identity OAuth Illicit Consent Grant by Rare Client and User elastic (medium)
O365 File Permissioned Application Consent Granted by User splunk (medium)
O365 Mail Permissioned Application Consent Granted by User splunk (medium)
O365 Tenant Wide Admin Consent Granted splunk (medium)
O365 User Consent Blocked for Risky Application splunk (medium)

Delete group. 1 rule

Office 365 group deletion success chronicle (low)

Delete partner specific cross-tenant access setting. 1 rule

O365 Cross-Tenant Access Change splunk (medium)

PasswordLogonInitialAuthUsingPassword 2 rules

M365 Identity User Account Lockouts elastic (medium)
M365 Identity User Brute Force Attempted elastic (medium)

Remove member from group. 1 rule

Hunt for Office 365 group modification remove member success chronicle (low)

Update application. 8 rules

O365 AD PowerShell App Login Subsequent Activity chronicle (medium)
O365 Application Available To Other Tenants splunk (medium)
O365 Entra ID App Modify Permission Change On Watchlist chronicle (medium)
O365 Entra ID App Permissions Percent Threshold Exceeded chronicle (medium)
O365 Entra ID App Permissions Threshold Exceeded chronicle (medium)
O365 FullAccessAsApp Permission Assigned splunk (medium)
O365 Mailbox Read Access Granted to Application splunk (medium)
O365 Privileged Graph API Permission Assigned splunk (medium)

Update authorization policy. 1 rule

O365 Block User Consent For Risky Apps Disabled splunk (medium)

Update policy. 1 rule

O365 External Identity Policy Changed splunk (medium)

Update user. 1 rule

O365 New MFA Method Registered splunk (medium)

UserLoggedIn 16 rules

Azure Login Bypassing Conditional Access Policies sigma (high)
Hunt for suspicious sign-in to Entra ID Using Extrnal Call Method chronicle (medium)
M365 Identity Login from Atypical Region elastic (medium)
M365 Identity Login from Impossible Travel Location elastic (medium)
M365 Identity OAuth Flow by First-Party Microsoft App from Multiple IPs elastic (high)
M365 Identity OAuth Flow by User Sign-in to Device Registration elastic (high)
M365 Identity OAuth Phishing via First-Party Microsoft Application elastic (medium)
M365 Potential AiTM UserLoggedIn via Office App (Tycoon2FA) elastic (high)
O365 AD PowerShell App Login Subsequent Activity chronicle (medium)
O365 Admin Login Activity To Uncommon Microsoft Cloud Apps chronicle (high)
O365 Concurrent Sessions From Different Ips splunk (medium)
O365 Login Activity To Azure AD PowerShell App chronicle (medium)
O365 Login Activity To Uncommon Microsoft Cloud Apps chronicle (medium)
O365 Multiple AppIDs and UserAgents Authentication Spike splunk (low)
O365 Multiple OS Vendors Authenticating From User splunk (medium)
O365 Persistent Login Activity To Azure AD PowerShell App chronicle (medium)

UserLoginFailed 10 rules

High Number of Login Failures from a single source splunk (low)
M365 Identity User Account Lockouts elastic (medium)
M365 Identity User Brute Force Attempted elastic (medium)
O365 Excessive SSO logon errors splunk (low)
O365 High Number Of Failed Authentications for User splunk (medium)
O365 Multi-Source Failed Authentications Spike splunk
O365 Multiple AppIDs and UserAgents Authentication Spike splunk (low)
O365 Multiple Failed MFA Requests For User splunk (medium)
O365 Multiple OS Vendors Authenticating From User splunk (medium)
O365 Multiple Users Failing To Authenticate From Ip splunk (medium)

(any) 2 rules

M365 Entra ID Risk Detection Signal elastic (low)
M365 Identity Unusual SSO Authentication Errors for User elastic (medium)

Exchange 105 rules, 52 operations

*AntiPhish* 1 rule

O365 Email Security Feature Changed splunk (medium)

*Malware* 1 rule

O365 Email Security Feature Changed splunk (medium)

*SafeAttachment* 1 rule

O365 Email Security Feature Changed splunk (medium)

*SafeLink* 1 rule

O365 Email Security Feature Changed splunk (medium)

*TransportRule 1 rule

O365 Email Transport Rule Changed splunk (low)

Add-FederatedDomain 1 rule

M365 Exchange Federated Domain Created or Modified elastic (low)

Add-MailboxFolderPermission 2 rules

O365 Mailbox Folder Read Permission Granted splunk (medium)
Rare and potentially high-risk Office operations kusto (low)

Add-MailboxPermission 3 rules

M365 Exchange Mailbox High-Risk Permission Delegated elastic (low)
O365 Elevated Mailbox Permission Assigned splunk (medium)
Rare and potentially high-risk Office operations kusto (low)

Add-RecipientPermission 1 rule

M365 Exchange Mailbox High-Risk Permission Delegated elastic (low)

AddFolderPermissions 1 rule

O365 Mailbox Folder Read Permission Assigned splunk (medium)

Disable-* 2 rules

O365 Email Security Feature Changed splunk (medium)
O365 Email Transport Rule Changed splunk (low)

Disable-AntiPhishRule 1 rule

M365 Exchange Anti-Phish Rule Modification elastic (medium)

Disable-MalwareFilterRule 1 rule

M365 Exchange Malware Filter Rule Modified elastic (medium)

Disable-SafeAttachmentRule 1 rule

M365 Exchange Email Safe Attachment Rule Disabled elastic (low)

Disable-SafeLinksRule 1 rule

M365 Exchange Email Safe Link Policy Disabled elastic (medium)

Disable-TransportRule 1 rule

M365 Exchange Mail Flow Transport Rule Modified elastic (medium)

HardDelete 6 rules

M365 Exchange MFA Notification Email Deleted or Moved elastic (low)
O365 Email Hard Delete Excessive Volume splunk (low)
O365 Email Password and Payroll Compromise Behavior splunk (medium)
O365 Email Receive and Hard Delete Takeover Behavior splunk (low)
O365 Email Send and Hard Delete Exfiltration Behavior splunk (low)
O365 Email Send and Hard Delete Suspicious Behavior splunk (low)

MailItemsAccessed 7 rules

Exchange workflow MailItemsAccessed operation anomaly kusto (medium)
M365 Exchange Mailbox Accessed by Unusual Client elastic (medium)
M365 Exchange Mailbox Items Accessed Excessively elastic (medium)
O365 Multiple Mailboxes Accessed via API splunk (medium)
O365 OAuth App Mailbox Access via EWS splunk (medium)
O365 OAuth App Mailbox Access via Graph API splunk (medium)
Office 365 mail accessed via unexpected application chronicle (medium)

ModifyFolderPermissions 2 rules

O365 Mailbox Folder Read Permission Assigned splunk (medium)
O365 Mailbox Inbox Folder Shared with All Users splunk (medium)

MoveToDeletedItems 1 rule

M365 Exchange MFA Notification Email Deleted or Moved elastic (low)

New-* 2 rules

O365 Email Security Feature Changed splunk (medium)
O365 Email Transport Rule Changed splunk (low)

New-AcceptedDomain 1 rule

M365 Exchange Federated Domain Created or Modified elastic (low)

New-InboxRule 8 rules

Inbox Rules Creation Or Update Activity in O365 sigma (medium)
M365 Exchange Inbox Forwarding Rule Created elastic (medium)
M365 Exchange Inbox Phishing Evasion Rule Created elastic (medium)
M365 Exchange Inbox Rule with Obfuscated Name elastic (medium)
Malicious BEC Inbox Rule kusto (medium)
Malicious Inbox Rule kusto (medium)
O365 Email New Inbox Rule Created splunk (low)
Rare and potentially high-risk Office operations kusto (low)

New-ManagementRoleAssignment 2 rules

M365 Exchange Management Group Role Assigned elastic (medium)
Rare and potentially high-risk Office operations kusto (low)

New-TransportRule 4 rules

M365 Exchange Inbox Forwarding Rule Created elastic (medium)
M365 Exchange Mail Flow Transport Rule Created elastic (medium)
Mail redirect via ExO transport rule kusto (medium)
Threat Essentials - Mail redirect via ExO transport rule kusto (medium)

PasswordLogonInitialAuthUsingPassword 2 rules

M365 Identity User Account Lockouts elastic (medium)
M365 Identity User Brute Force Attempted elastic (medium)

Remove-* 2 rules

O365 Email Security Feature Changed splunk (medium)
O365 Email Transport Rule Changed splunk (low)

Remove-AcceptedDomain 1 rule

M365 Exchange Federated Domain Created or Modified elastic (low)

Remove-AntiPhishPolicy 1 rule

M365 Exchange Anti-Phish Policy Deleted elastic (medium)

Remove-AntiPhishRule 1 rule

M365 Exchange Anti-Phish Rule Modification elastic (medium)

Remove-DlpPolicy 1 rule

Deprecated - M365 Exchange DLP Policy Deleted elastic (medium)

Remove-FederatedDomain 1 rule

M365 Exchange Federated Domain Created or Modified elastic (low)

Remove-MalwareFilterPolicy 1 rule

M365 Exchange Malware Filter Policy Deleted elastic (medium)

Remove-MalwareFilterRule 1 rule

M365 Exchange Malware Filter Rule Modified elastic (medium)

Remove-TransportRule 1 rule

M365 Exchange Mail Flow Transport Rule Modified elastic (medium)

Send 1 rule

O365 Email Send Attachments Excessive Volume splunk (low)

Send* 2 rules

O365 Email Send and Hard Delete Exfiltration Behavior splunk (low)
O365 Email Send and Hard Delete Suspicious Behavior splunk (low)

SendAs 1 rule

O365 Email Send Attachments Excessive Volume splunk (low)

SendOnBehalf 1 rule

O365 Email Send Attachments Excessive Volume splunk (low)

Set-* 2 rules

O365 Email Security Feature Changed splunk (medium)
O365 Email Transport Rule Changed splunk (low)

Set-AcceptedDomain 1 rule

M365 Exchange Federated Domain Created or Modified elastic (low)

Set-AdminAuditLogConfig 3 rules

Exchange AuditLog Disabled kusto (medium)
Office 365 logging has been enabled chronicle (critical)
Office 365 logging is disabled chronicle (critical)

Set-DkimSigningConfig 1 rule

M365 Exchange DKIM Signing Configuration Disabled elastic (medium)

Set-InboxRule 6 rules

Inbox Rules Creation Or Update Activity in O365 sigma (medium)
M365 Exchange Inbox Forwarding Rule Created elastic (medium)
M365 Exchange Inbox Phishing Evasion Rule Created elastic (medium)
M365 Exchange Inbox Rule with Obfuscated Name elastic (medium)
O365 Email New Inbox Rule Created splunk (low)
Rare and potentially high-risk Office operations kusto (low)

Set-Mailbox 3 rules

M365 Exchange Inbox Forwarding Rule Created elastic (medium)
M365 Exchange Mailbox High-Risk Permission Delegated elastic (low)
Rare and potentially high-risk Office operations kusto (low)

Set-MailboxAuditBypassAssociation 1 rule

M365 Exchange Mailbox Audit Logging Bypass Added elastic (medium)

Set-MailboxFolderPermission 1 rule

O365 Mailbox Folder Read Permission Granted splunk (medium)

Set-MsolDomainFederationSettings 1 rule

M365 Exchange Federated Domain Created or Modified elastic (low)

Set-TransportRule 4 rules

M365 Exchange Inbox Forwarding Rule Created elastic (medium)
Mail redirect via ExO transport rule kusto (medium)
Rare and potentially high-risk Office operations kusto (low)
Threat Essentials - Mail redirect via ExO transport rule kusto (medium)

SoftDelete 2 rules

M365 Exchange MFA Notification Email Deleted or Moved elastic (low)
O365 Email Password and Payroll Compromise Behavior splunk (medium)

UserLoginFailed 2 rules

M365 Identity User Account Lockouts elastic (medium)
M365 Identity User Brute Force Attempted elastic (medium)

(any) 8 rules

M365 Purview DLP Signal elastic (low)
M365 Purview Insider Risk Signal elastic (low)
M365 Quarantine and Hygiene Signal elastic (low)
M365 Threat Intelligence Signal elastic (low)
Multiple users email forwarded to same destination kusto (medium)
NRT Malicious Inbox Rule kusto (medium)
NRT Multiple users email forwarded to same destination kusto (medium)
Office Policy Tampering kusto (medium)

MicrosoftTeams 9 rules, 8 operations

FileAccessed 1 rule

Accessed files shared by temporary external user kusto (low)

FileUploaded 1 rule

Accessed files shared by temporary external user kusto (low)

MemberAdded 1 rule

Accessed files shared by temporary external user kusto (low)

MemberRemoved 2 rules

Accessed files shared by temporary external user kusto (low)
Office 365 Teams member removed chronicle (low)

Set-CsTeamsClientConfiguration 1 rule

Deprecated - M365 Teams Guest Access Enabled elastic (medium)

Set-CsTenantFederationConfiguration 1 rule

Deprecated - M365 Teams External Access Enabled elastic (medium)

TeamDeleted 1 rule

Multiple Teams deleted by a single user kusto (low)

TeamsTenantSettingChanged 1 rule

M365 Teams Custom Application Interaction Enabled elastic (medium)

OneDrive 14 rules, 8 operations

FileAccessed 1 rule

M365 SharePoint/OneDrive File Access via PowerShell elastic (medium)

FileDownloaded 4 rules

M365 OneDrive/SharePoint Excessive File Downloads elastic (medium)
M365 SharePoint/OneDrive File Access via PowerShell elastic (medium)
Office365 Sharepoint File transfer above threshold kusto (medium)
Office365 Sharepoint File transfer Folders above threshold kusto (medium)

FileMalwareDetected 1 rule

M365 OneDrive Malware File Upload elastic (high)

FileSyncDownloadedFull 2 rules

Office365 Sharepoint File transfer above threshold kusto (medium)
Office365 Sharepoint File transfer Folders above threshold kusto (medium)

FileSyncUploadedFull 2 rules

Office365 Sharepoint File transfer above threshold kusto (medium)
Office365 Sharepoint File transfer Folders above threshold kusto (medium)

FileUploaded 2 rules

Office365 Sharepoint File transfer above threshold kusto (medium)
Office365 Sharepoint File transfer Folders above threshold kusto (medium)

SharingPolicyChanged 1 rule

M365 SharePoint Site Sharing Policy Weakened elastic (medium)

SiteCollectionAdminAdded 1 rule

M365 SharePoint Site Administrator Added elastic (medium)

SecurityComplianceCenter 15 rules, 7 operations

AdminMailAccess 1 rule

O365 Email Access By Security Administrator splunk (medium)

AdminSubmission 1 rule

O365 Email Reported By Admin Found Malicious splunk (medium)

AlertEntityGenerated 3 rules

O365 Email Reported By User Found Malicious splunk (medium)
O365 Email Suspicious Behavior Alert splunk (medium)
O365 ZAP Activity Detection splunk (low)

AlertTriggered 1 rule

Deprecated - M365 Security Compliance Email Reported by User as Malware or Phish elastic (medium)

Unusual volume of file deletion 1 rule

Deprecated - M365 Security Compliance Unusual Volume of File Deletion elastic (medium)

User restricted from sending email 1 rule

Deprecated - M365 Security Compliance User Restricted from Sending Email elastic (medium)

(any) 7 rules

Deprecated - M365 Security Compliance Potential Ransomware Activity elastic (medium)
M365 AIR Investigation Signal elastic (low)
M365 Purview DLP Signal elastic (low)
M365 Purview Insider Risk Signal elastic (low)
M365 Purview Security Compliance Signal elastic (low)
M365 Security Compliance Admin Signal elastic (low)
M365 Threat Intelligence Signal elastic (low)

SharePoint 34 rules, 14 operations

AnonymousLinkCreated 1 rule

O365 OneDrive Anonymous Link Created or Updated chronicle (medium)

AnonymousLinkUpdated 1 rule

O365 OneDrive Anonymous Link Created or Updated chronicle (medium)

AnonymousLinkUsed 1 rule

O365 OneDrive Anonymous Link Accessed chronicle (medium)

FileAccessed 3 rules

M365 SharePoint/OneDrive File Access via PowerShell elastic (medium)
O365 Exfiltration via File Access splunk (low)
O365 OneDrive Anonymous File Accessed chronicle (medium)

FileDownloaded 9 rules

Dataverse - Mass download from SharePoint document management kusto (low)
Hunt for Non-Anonymous Office 365 file downloads chronicle (low)
M365 SharePoint/OneDrive File Access via PowerShell elastic (medium)
O365 Exfiltration via File Download splunk (low)
O365 OneDrive Anonymous File Downloaded chronicle (medium)
Office365 Sharepoint File transfer above threshold kusto (medium)
Office365 Sharepoint File transfer Folders above threshold kusto (medium)
SharePointFileOperation via devices with previously unseen user agents kusto (medium)
SharePointFileOperation via previously unseen IPs kusto (medium)

FileMalwareDetected 2 rules

M365 SharePoint Malware File Detected elastic (high)
O365 SharePoint Malware Detection splunk (medium)

FileSyncDownloadedFull 2 rules

Office365 Sharepoint File transfer above threshold kusto (medium)
Office365 Sharepoint File transfer Folders above threshold kusto (medium)

FileSyncUploadedFull 2 rules

Office365 Sharepoint File transfer above threshold kusto (medium)
Office365 Sharepoint File transfer Folders above threshold kusto (medium)

FileUploaded 6 rules

Dataverse - Executable uploaded to SharePoint document management site kusto (low)
New executable via Office FileUploaded Operation kusto (low)
Office365 Sharepoint File transfer above threshold kusto (medium)
Office365 Sharepoint File transfer Folders above threshold kusto (medium)
SharePointFileOperation via devices with previously unseen user agents kusto (medium)
SharePointFileOperation via previously unseen IPs kusto (medium)

SearchQueryInitiatedSharepoint 1 rule

O365 SharePoint Suspicious Search Behavior splunk (low)

SearchQueryPerformed 2 rules

M365 SharePoint Search for Sensitive Content elastic (low)
O365 SharePoint Suspicious Search Behavior splunk (low)

SharingPolicyChanged 2 rules

M365 SharePoint Site Sharing Policy Weakened elastic (medium)
O365 SharePoint Allowed Domains Policy Changed splunk (medium)

SiteCollectionAdminAdded 1 rule

M365 SharePoint Site Administrator Added elastic (medium)

(any) 1 rule

M365 Purview DLP Signal elastic (low)

SkypeForBusiness 2 rules, 2 operations

Set-CsTeamsClientConfiguration 1 rule

Deprecated - M365 Teams Guest Access Enabled elastic (medium)

Set-CsTenantFederationConfiguration 1 rule

Deprecated - M365 Teams External Access Enabled elastic (medium)

ThreatIntelligence 3 rules, 2 operations

AtpDetection 1 rule

O365 Threat Intelligence Suspicious File Detected splunk (medium)

TIMailData 2 rules

O365 Threat Intelligence Suspicious Email Delivered splunk (low)
Suspicious Email Delivered In Microsoft 365 sigma (medium)

(unattributed) 61 rules, 1 operation

(any) 61 rules

Activity from Anonymous IP Addresses sigma (medium)
Activity from Infrequent Country sigma (medium)
Activity from Suspicious IP Addresses sigma (medium)
Activity Performed by Terminated User sigma (medium)
Anomalous login followed by Teams action kusto (medium)
Data Exfiltration to Unsanctioned Apps sigma (medium)
Detect Direct Send phishing emails kusto
Detect external user sending suspicious link to multiple users kusto
Detect Malicious Teams Message kusto
Detect PIM elevation with user risk kusto
Detect Possible Teams BEC Attack by High Teams Recipients kusto
Disabling Multi Factor Authentication sigma (high)
External user added and removed in short timeframe kusto (low)
Filewall - Blocked emails kusto (high)
Filewall - Blocked files kusto (high)
GreyNoise TI map IP entity to OfficeActivity kusto (medium)
Hunt domains with Seamless SSO enabled in Entra ID Connect kusto
Hunt for accounts with leaked credentials kusto
Insider Risk_Microsoft Purview Insider Risk Management Alert Observed kusto (high)
Logon from a Risky IP Address sigma (medium)
Lumen TI IPAddress in OfficeActivity kusto (medium)
M365 Azure Monitor Alert Email with Financial or Billing Theme elastic (low)
M365D Alerts Correlation to non-Microsoft Network device network activity involved in successful sign-in Activity kusto (medium)
Mail Forwarding/Redirecting Activity In O365 sigma (medium)
Microsoft 365 - Impossible Travel Activity sigma (medium)
Microsoft 365 - Potential Ransomware Activity sigma (medium)
Microsoft 365 - Unusual Volume of File Deletion sigma (medium)
Microsoft 365 - User Restricted from Sending Email sigma (medium)
New Federated Domain Added sigma (medium)
New Federated Domain Added - Exchange sigma (medium)
O365 Advanced Audit Disabled splunk (medium)
O365 Bypass MFA via Trusted IP splunk (medium)
O365 Disable MFA splunk (medium)
O365 DLP Rule Triggered splunk (low)
O365 Email Suspicious Search Behavior splunk (low)
O365 Entra ID App Client Secret Added, Updated or Deleted chronicle (medium)
O365 Exfiltration via File Sync Download splunk (low)
O365 Safe Links Detection splunk (medium)
O365 Service Principal Privilege Escalation splunk (medium)
Phishing link click observed in Network Traffic kusto (medium)
PST Export Alert Using eDiscovery Alert sigma (medium)
PST Export Alert Using New-ComplianceSearchAction sigma (medium)
SharePoint CVE-2025-49706 Exploitation chronicle (high)
Suspicious AWS console logins by credential access alerts kusto (medium)
Suspicious Inbox Forwarding sigma (low)
Suspicious OAuth App File Download Activities sigma (medium)
Suspicious SPN logon from workstation (DumpGuard) kusto
ThreatConnect TI map Email entity to OfficeActivity kusto (medium)
ThreatConnect TI Map URL Entity to OfficeActivity Data kusto (medium)
TI map Domain entity to EmailEvents kusto (medium)
TI map Domain entity to EmailEvents kusto (medium)
TI map Domain entity to EmailUrlInfo kusto (medium)
TI map Domain entity to EmailUrlInfo kusto (medium)
TI map Email entity to EmailEvents kusto (medium)
TI map Email entity to EmailEvents kusto (medium)
TI map Email entity to OfficeActivity kusto (medium)
TI map Email entity to OfficeActivity kusto (medium)
TI map IP entity to OfficeActivity kusto (medium)
TI map IP entity to OfficeActivity kusto (medium)
TI Map URL Entity to OfficeActivity Data [Deprecated] kusto (medium)
VTI - High Severity Domain Collision Detection kusto (high)

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)