Drive GoogleWorkspace-drive

21 operations, identified by eventName in the audit log.

eventName	Description
any	Source-only rules that filter on applicationName 'drive' without specifying an eventName attribute here.
change_acl_editors	The editor access-control list for a Drive file was changed.
change_document_access_scope	The access scope of a Drive document was changed (e.g. from private to shared).
change_document_visibility	The visibility setting of a Drive document was changed.
change_user_access	A user's access to a Drive file was changed.
copy	A Drive file was copied.
delete	A Drive file was permanently deleted.
download	A Drive file was downloaded.
email_as_attachment	A Drive file was sent as an email attachment.
source_copy	A Drive file was copied from an external source.
trash	A Drive file was moved to trash.
view	A Drive file was viewed.
create	A new file or folder was created in Drive.
edit	A Drive file was edited.
rename	A Drive file or folder was renamed.
move	A Drive file or folder was moved to a different location.
upload	A file was uploaded to Drive.
print	A Drive file was printed.
request_access	A user requested access to a Drive file they do not have permission to view.
deny_access_request	An access request to a Drive file was denied.
add_to_folder	A Drive file was added to a folder.

any: Drive (any event)

Application: GoogleWorkspace-drive

Description

Source-only rules that filter on applicationName 'drive' without specifying an eventName attribute here.

Fields #

Name	Description
`applicationName`	Reports API applicationName value identifying the GWS service (e.g. admin, login, drive).
`eventName`	The specific action within this application.
`actor.email`	Email address of the user or administrator who performed the action.
`actor.profileId`	Unique Google Workspace profile ID of the actor.
`ipAddress`	IP address of the actor at the time of the event.
`parameters`	Array of event-specific key-value parameters documenting affected resources.

References #

Reports API: drive activity events https://developers.google.com/workspace/admin/reports/v1/appendix/activity/drive
Reports API activities.list reference https://developers.google.com/workspace/admin/reports/reference/rest/v1/activities/list

change_acl_editors: Change ACL Editors

Application: GoogleWorkspace-drive

Description

The editor access-control list for a Drive file was changed.

Fields #

Name	Description
`applicationName`	Reports API applicationName value identifying the GWS service (e.g. admin, login, drive).
`eventName`	The specific action within this application.
`actor.email`	Email address of the user or administrator who performed the action.
`actor.profileId`	Unique Google Workspace profile ID of the actor.
`ipAddress`	IP address of the actor at the time of the event.
`parameters`	Array of event-specific key-value parameters documenting affected resources.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`about.labels["is_suspicious"]`	eq	`true`	1 rule	chronicle
`target.user.email_addresses`	regex_match	`.@gmail\.com\|.@aol\.com\|.@ymail\.com\|.@ymail\.com\|.@hotmail\.com\|.@outlook\.com\|.*@icloud\.com`	1 rule	chronicle

Detection Rules #

View all rules referencing this event →

YARA-L #

Google Workspace File Shared From Google Drive To Free Email Domain source: Identifies when a user shares a file on Google Drive with a free email domain, which may indicate data exfiltration.↳ also matches change_document_access_scope: Change Document Access Scope, change_document_visibility: Change Document Visibility, change_user_access: Change User Access
Google Workspace Suspicious Login and Google Drive File Share source: Identifies when a Google Workspace user shares a file on Google Drive after a suspicious login event occurred.↳ also matches change_document_access_scope: Change Document Access Scope, change_document_visibility: Change Document Visibility, change_user_access: Change User Access

References #

Drive Activity Events: change_acl_editors https://developers.google.com/workspace/admin/reports/v1/appendix/activity/drive#change_acl_editors

change_document_access_scope: Change Document Access Scope

Application: GoogleWorkspace-drive

Description

The access scope of a Drive document was changed (e.g. from private to shared).

Fields #

Name	Description
`applicationName`	Reports API applicationName value identifying the GWS service (e.g. admin, login, drive).
`eventName`	The specific action within this application.
`actor.email`	Email address of the user or administrator who performed the action.
`actor.profileId`	Unique Google Workspace profile ID of the actor.
`ipAddress`	IP address of the actor at the time of the event.
`parameters`	Array of event-specific key-value parameters documenting affected resources.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`about.labels["is_suspicious"]`	eq	`true`	1 rule	chronicle
`target.user.email_addresses`	regex_match	`.@gmail\.com\|.@aol\.com\|.@ymail\.com\|.@ymail\.com\|.@hotmail\.com\|.@outlook\.com\|.*@icloud\.com`	1 rule	chronicle

Detection Rules #

View all rules referencing this event →

YARA-L #

Google Workspace File Shared From Google Drive To Free Email Domain source: Identifies when a user shares a file on Google Drive with a free email domain, which may indicate data exfiltration.↳ also matches change_acl_editors: Change ACL Editors, change_document_visibility: Change Document Visibility, change_user_access: Change User Access
Google Workspace Suspicious Login and Google Drive File Share source: Identifies when a Google Workspace user shares a file on Google Drive after a suspicious login event occurred.↳ also matches change_acl_editors: Change ACL Editors, change_document_visibility: Change Document Visibility, change_user_access: Change User Access

References #

Drive Activity Events: change_document_access_scope https://developers.google.com/workspace/admin/reports/v1/appendix/activity/drive#change_document_access_scope

change_document_visibility: Change Document Visibility

Application: GoogleWorkspace-drive

Description

The visibility setting of a Drive document was changed.

Fields #

Name	Description
`applicationName`	Reports API applicationName value identifying the GWS service (e.g. admin, login, drive).
`eventName`	The specific action within this application.
`actor.email`	Email address of the user or administrator who performed the action.
`actor.profileId`	Unique Google Workspace profile ID of the actor.
`ipAddress`	IP address of the actor at the time of the event.
`parameters`	Array of event-specific key-value parameters documenting affected resources.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`about.labels["is_suspicious"]`	eq	`true`	1 rule	chronicle
`target.user.email_addresses`	regex_match	`.@gmail\.com\|.@aol\.com\|.@ymail\.com\|.@ymail\.com\|.@hotmail\.com\|.@outlook\.com\|.*@icloud\.com`	1 rule	chronicle

Detection Rules #

View all rules referencing this event →

YARA-L #

Google Workspace File Shared From Google Drive To Free Email Domain source: Identifies when a user shares a file on Google Drive with a free email domain, which may indicate data exfiltration.↳ also matches change_acl_editors: Change ACL Editors, change_document_access_scope: Change Document Access Scope, change_user_access: Change User Access
Google Workspace Suspicious Login and Google Drive File Share source: Identifies when a Google Workspace user shares a file on Google Drive after a suspicious login event occurred.↳ also matches change_acl_editors: Change ACL Editors, change_document_access_scope: Change Document Access Scope, change_user_access: Change User Access

References #

Drive Activity Events: change_document_visibility https://developers.google.com/workspace/admin/reports/v1/appendix/activity/drive#change_document_visibility

change_user_access: Change User Access

Application: GoogleWorkspace-drive

Description

A user's access to a Drive file was changed.

Fields #

Name	Description
`applicationName`	Reports API applicationName value identifying the GWS service (e.g. admin, login, drive).
`eventName`	The specific action within this application.
`actor.email`	Email address of the user or administrator who performed the action.
`actor.profileId`	Unique Google Workspace profile ID of the actor.
`ipAddress`	IP address of the actor at the time of the event.
`parameters`	Array of event-specific key-value parameters documenting affected resources.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`about.labels["is_suspicious"]`	eq	`true`	1 rule	chronicle
`target.user.email_addresses`	regex_match	`.@gmail\.com\|.@aol\.com\|.@ymail\.com\|.@ymail\.com\|.@hotmail\.com\|.@outlook\.com\|.*@icloud\.com`	1 rule	chronicle

Detection Rules #

View all rules referencing this event →

YARA-L #

Google Workspace File Shared From Google Drive To Free Email Domain source: Identifies when a user shares a file on Google Drive with a free email domain, which may indicate data exfiltration.↳ also matches change_acl_editors: Change ACL Editors, change_document_access_scope: Change Document Access Scope, change_document_visibility: Change Document Visibility
Google Workspace Suspicious Login and Google Drive File Share source: Identifies when a Google Workspace user shares a file on Google Drive after a suspicious login event occurred.↳ also matches change_acl_editors: Change ACL Editors, change_document_access_scope: Change Document Access Scope, change_document_visibility: Change Document Visibility

References #

Drive Activity Events: change_user_access https://developers.google.com/workspace/admin/reports/v1/appendix/activity/drive#change_user_access

copy: Copy

Application: GoogleWorkspace-drive

Description

A Drive file was copied.

Fields #

Name	Description
`applicationName`	Reports API applicationName value identifying the GWS service (e.g. admin, login, drive).
`eventName`	The specific action within this application.
`actor.email`	Email address of the user or administrator who performed the action.
`actor.profileId`	Unique Google Workspace profile ID of the actor.
`ipAddress`	IP address of the actor at the time of the event.
`parameters`	Array of event-specific key-value parameters documenting affected resources.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`target.resource.attribute.labels["visibility"]`	eq	`people_with_link`	2 rules	chronicle
`target.resource.attribute.labels["visibility"]`	eq	`public_on_the_web`	2 rules	chronicle
`EventType`	eq	`authorize`	1 rule	elastic
`EventType`	eq	`copy`	1 rule	elastic
`gws::token_client_id`	ends_with	`apps.googleusercontent.com`	1 rule	elastic

Detection Rules #

View all rules referencing this event →

Elastic #

Google Workspace Object Copied to External Drive with App Consent source medium: Detects when a user copies a Google spreadsheet, form, document or script from an external drive. Sequence logic has been added to also detect when a user grants a custom Google application permission via OAuth shortly after. An adversary may send a phishing email to the victim with a Drive object link where "copy" is included in the URI, thus copying the object to the victim's drive. If a container-bound script exists within the object, execution will require permission access via OAuth in which the user has to accept.

YARA-L #

Google Workspace Multiple Files Copied From Google Drive source: Identifies when a user copies multiple files from Google Drive, which may indicate data exfiltration.↳ also matches source_copy: Source Copy
Google Workspace Encryption Key File Accessed By An Anonymous User source: Identifies when an encryption key file is accessed by an anonymous user in Google Drive. An adversary may attempt to access encryption keys before moving laterally and compromising sensitive data.↳ also matches download: Download, view: View
Google Workspace Malicious File Downloaded source: Identifies when a user downloads a potentially malicious file from Google Drive.↳ also matches download: Download, view: View

References #

Drive Activity Events: copy https://developers.google.com/workspace/admin/reports/v1/appendix/activity/drive#copy

delete: Delete

Application: GoogleWorkspace-drive

Description

A Drive file was permanently deleted.

Fields #

Name	Description
`applicationName`	Reports API applicationName value identifying the GWS service (e.g. admin, login, drive).
`eventName`	The specific action within this application.
`actor.email`	Email address of the user or administrator who performed the action.
`actor.profileId`	Unique Google Workspace profile ID of the actor.
`ipAddress`	IP address of the actor at the time of the event.
`parameters`	Array of event-specific key-value parameters documenting affected resources.

Detection Rules #

View all rules referencing this event →

YARA-L #

Google Workspace Multiple Files Deleted From Google Drive source: Identifies when a user deletes multiple files from Google Drive, which may indicate data destruction.↳ also matches trash: Trash

References #

Drive Activity Events: delete https://developers.google.com/workspace/admin/reports/v1/appendix/activity/drive#delete

download: Download

Application: GoogleWorkspace-drive

Description

A Drive file was downloaded.

Fields #

Name	Description
`applicationName`	Reports API applicationName value identifying the GWS service (e.g. admin, login, drive).
`eventName`	The specific action within this application.
`actor.email`	Email address of the user or administrator who performed the action.
`actor.profileId`	Unique Google Workspace profile ID of the actor.
`ipAddress`	IP address of the actor at the time of the event.
`parameters`	Array of event-specific key-value parameters documenting affected resources.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`target.resource.attribute.labels["visibility"]`	eq	`people_with_link`	2 rules	chronicle
`target.resource.attribute.labels["visibility"]`	eq	`public_on_the_web`	2 rules	chronicle
`about.labels["is_suspicious"]`	eq	`true`	1 rule	chronicle

Detection Rules #

View all rules referencing this event →

YARA-L #

Google Workspace Encryption Key File Accessed By An Anonymous User source: Identifies when an encryption key file is accessed by an anonymous user in Google Drive. An adversary may attempt to access encryption keys before moving laterally and compromising sensitive data.↳ also matches copy: Copy, view: View
Google Workspace Malicious File Downloaded source: Identifies when a user downloads a potentially malicious file from Google Drive.↳ also matches copy: Copy, view: View
Google Workspace Multiple Files Downloaded From Google Drive source: Identifies when a user downloads multiple files from Google Drive, which may indicate data exfiltration.

Show 1 more (4 total)

Google Workspace Suspicious Login and Google Drive File Download source: Identifies when a Google Workspace user downloads a file from Google Drive after a suspicious login event occurred.

References #

Drive Activity Events: download https://developers.google.com/workspace/admin/reports/v1/appendix/activity/drive#download

email_as_attachment: Email as Attachment

Application: GoogleWorkspace-drive

Description

A Drive file was sent as an email attachment.

Fields #

Name	Description
`applicationName`	Reports API applicationName value identifying the GWS service (e.g. admin, login, drive).
`eventName`	The specific action within this application.
`actor.email`	Email address of the user or administrator who performed the action.
`actor.profileId`	Unique Google Workspace profile ID of the actor.
`ipAddress`	IP address of the actor at the time of the event.
`parameters`	Array of event-specific key-value parameters documenting affected resources.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`target.user.email_addresses`	regex_match	`.@gmail\.com\|.@aol\.com\|.@ymail\.com\|.@ymail\.com\|.@hotmail\.com\|.@outlook\.com\|.*@icloud\.com`	1 rule	chronicle

Detection Rules #

View all rules referencing this event →

YARA-L #

Google Workspace Multiple Files Sent As Email Attachments From Google Drive source: Identifies when a user sends multiple files from Google Drive as an email attachment to a free email domain, which may indicate data exfiltration.

References #

Drive Activity Events: email_as_attachment https://developers.google.com/workspace/admin/reports/v1/appendix/activity/drive#email_as_attachment

source_copy: Source Copy

Application: GoogleWorkspace-drive

Description

A Drive file was copied from an external source.

Fields #

Name	Description
`applicationName`	Reports API applicationName value identifying the GWS service (e.g. admin, login, drive).
`eventName`	The specific action within this application.
`actor.email`	Email address of the user or administrator who performed the action.
`actor.profileId`	Unique Google Workspace profile ID of the actor.
`ipAddress`	IP address of the actor at the time of the event.
`parameters`	Array of event-specific key-value parameters documenting affected resources.

Detection Rules #

View all rules referencing this event →

YARA-L #

Google Workspace Multiple Files Copied From Google Drive source: Identifies when a user copies multiple files from Google Drive, which may indicate data exfiltration.↳ also matches copy: Copy

References #

Drive Activity Events: source_copy https://developers.google.com/workspace/admin/reports/v1/appendix/activity/drive#source_copy

trash: Trash

Application: GoogleWorkspace-drive

Description

A Drive file was moved to trash.

Fields #

Name	Description
`applicationName`	Reports API applicationName value identifying the GWS service (e.g. admin, login, drive).
`eventName`	The specific action within this application.
`actor.email`	Email address of the user or administrator who performed the action.
`actor.profileId`	Unique Google Workspace profile ID of the actor.
`ipAddress`	IP address of the actor at the time of the event.
`parameters`	Array of event-specific key-value parameters documenting affected resources.

Detection Rules #

View all rules referencing this event →

YARA-L #

Google Workspace Multiple Files Deleted From Google Drive source: Identifies when a user deletes multiple files from Google Drive, which may indicate data destruction.↳ also matches delete: Delete

References #

Drive Activity Events: trash https://developers.google.com/workspace/admin/reports/v1/appendix/activity/drive#trash

view: View

Application: GoogleWorkspace-drive

Description

A Drive file was viewed.

Fields #

Name	Description
`applicationName`	Reports API applicationName value identifying the GWS service (e.g. admin, login, drive).
`eventName`	The specific action within this application.
`actor.email`	Email address of the user or administrator who performed the action.
`actor.profileId`	Unique Google Workspace profile ID of the actor.
`ipAddress`	IP address of the actor at the time of the event.
`parameters`	Array of event-specific key-value parameters documenting affected resources.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`target.resource.attribute.labels["visibility"]`	eq	`people_with_link`	2 rules	chronicle
`target.resource.attribute.labels["visibility"]`	eq	`public_on_the_web`	2 rules	chronicle

Detection Rules #

View all rules referencing this event →

YARA-L #

Google Workspace Encryption Key File Accessed By An Anonymous User source: Identifies when an encryption key file is accessed by an anonymous user in Google Drive. An adversary may attempt to access encryption keys before moving laterally and compromising sensitive data.↳ also matches copy: Copy, download: Download
Google Workspace Malicious File Downloaded source: Identifies when a user downloads a potentially malicious file from Google Drive.↳ also matches copy: Copy, download: Download

References #

Drive Activity Events: view https://developers.google.com/workspace/admin/reports/v1/appendix/activity/drive#view

create: Create

Application: GoogleWorkspace-drive

Description

A new file or folder was created in Drive.

Fields #

Name	Description
`applicationName`	Reports API applicationName value identifying the GWS service (e.g. admin, login, drive).
`eventName`	The specific action within this application.
`actor.email`	Email address of the user or administrator who performed the action.
`actor.profileId`	Unique Google Workspace profile ID of the actor.
`ipAddress`	IP address of the actor at the time of the event.
`parameters`	Array of event-specific key-value parameters documenting affected resources.

References #

Drive Activity Events https://developers.google.com/workspace/admin/reports/v1/appendix/activity/drive

edit: Edit

Application: GoogleWorkspace-drive

Description

A Drive file was edited.

Fields #

Name	Description
`applicationName`	Reports API applicationName value identifying the GWS service (e.g. admin, login, drive).
`eventName`	The specific action within this application.
`actor.email`	Email address of the user or administrator who performed the action.
`actor.profileId`	Unique Google Workspace profile ID of the actor.
`ipAddress`	IP address of the actor at the time of the event.
`parameters`	Array of event-specific key-value parameters documenting affected resources.

References #

Drive Activity Events https://developers.google.com/workspace/admin/reports/v1/appendix/activity/drive

rename: Rename

Application: GoogleWorkspace-drive

Description

A Drive file or folder was renamed.

Fields #

Name	Description
`applicationName`	Reports API applicationName value identifying the GWS service (e.g. admin, login, drive).
`eventName`	The specific action within this application.
`actor.email`	Email address of the user or administrator who performed the action.
`actor.profileId`	Unique Google Workspace profile ID of the actor.
`ipAddress`	IP address of the actor at the time of the event.
`parameters`	Array of event-specific key-value parameters documenting affected resources.

References #

Drive Activity Events https://developers.google.com/workspace/admin/reports/v1/appendix/activity/drive

move: Move

Application: GoogleWorkspace-drive

Description

A Drive file or folder was moved to a different location.

Fields #

Name	Description
`applicationName`	Reports API applicationName value identifying the GWS service (e.g. admin, login, drive).
`eventName`	The specific action within this application.
`actor.email`	Email address of the user or administrator who performed the action.
`actor.profileId`	Unique Google Workspace profile ID of the actor.
`ipAddress`	IP address of the actor at the time of the event.
`parameters`	Array of event-specific key-value parameters documenting affected resources.

References #

Drive Activity Events https://developers.google.com/workspace/admin/reports/v1/appendix/activity/drive

upload: Upload

Application: GoogleWorkspace-drive

Description

A file was uploaded to Drive.

Fields #

Name	Description
`applicationName`	Reports API applicationName value identifying the GWS service (e.g. admin, login, drive).
`eventName`	The specific action within this application.
`actor.email`	Email address of the user or administrator who performed the action.
`actor.profileId`	Unique Google Workspace profile ID of the actor.
`ipAddress`	IP address of the actor at the time of the event.
`parameters`	Array of event-specific key-value parameters documenting affected resources.

References #

Drive Activity Events https://developers.google.com/workspace/admin/reports/v1/appendix/activity/drive

print: Print

Application: GoogleWorkspace-drive

Description

A Drive file was printed.

Fields #

Name	Description
`applicationName`	Reports API applicationName value identifying the GWS service (e.g. admin, login, drive).
`eventName`	The specific action within this application.
`actor.email`	Email address of the user or administrator who performed the action.
`actor.profileId`	Unique Google Workspace profile ID of the actor.
`ipAddress`	IP address of the actor at the time of the event.
`parameters`	Array of event-specific key-value parameters documenting affected resources.

References #

Drive Activity Events https://developers.google.com/workspace/admin/reports/v1/appendix/activity/drive

request_access: Request Access

Application: GoogleWorkspace-drive

Description

A user requested access to a Drive file they do not have permission to view.

Fields #

Name	Description
`applicationName`	Reports API applicationName value identifying the GWS service (e.g. admin, login, drive).
`eventName`	The specific action within this application.
`actor.email`	Email address of the user or administrator who performed the action.
`actor.profileId`	Unique Google Workspace profile ID of the actor.
`ipAddress`	IP address of the actor at the time of the event.
`parameters`	Array of event-specific key-value parameters documenting affected resources.

References #

Drive Activity Events https://developers.google.com/workspace/admin/reports/v1/appendix/activity/drive

deny_access_request: Deny Access Request

Application: GoogleWorkspace-drive

Description

An access request to a Drive file was denied.

Fields #

Name	Description
`applicationName`	Reports API applicationName value identifying the GWS service (e.g. admin, login, drive).
`eventName`	The specific action within this application.
`actor.email`	Email address of the user or administrator who performed the action.
`actor.profileId`	Unique Google Workspace profile ID of the actor.
`ipAddress`	IP address of the actor at the time of the event.
`parameters`	Array of event-specific key-value parameters documenting affected resources.

References #

Drive Activity Events https://developers.google.com/workspace/admin/reports/v1/appendix/activity/drive

add_to_folder: Add to Folder

Application: GoogleWorkspace-drive

Description

A Drive file was added to a folder.

Fields #

Name	Description
`applicationName`	Reports API applicationName value identifying the GWS service (e.g. admin, login, drive).
`eventName`	The specific action within this application.
`actor.email`	Email address of the user or administrator who performed the action.
`actor.profileId`	Unique Google Workspace profile ID of the actor.
`ipAddress`	IP address of the actor at the time of the event.
`parameters`	Array of event-specific key-value parameters documenting affected resources.

References #

Drive Activity Events https://developers.google.com/workspace/admin/reports/v1/appendix/activity/drive

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)