Login GoogleWorkspace-login

28 operations, identified by eventName in the audit log.

eventName	Description
any	Source-only rules that filter on applicationName 'login' without specifying an eventName attribute here.
2sv_disable	A user disabled 2-Step Verification on their account.
email_forwarding_out_of_domain	A user configured automatic email forwarding to an external address.
gov_attack_warning	Google detected that the account may have been targeted by a government-backed attacker.
login_failure	A user authentication attempt failed.
login_success	A user successfully authenticated to Google Workspace.
suspicious_login	Google detected a suspicious login attempt on the account.
suspicious_login_less_secure_app	A suspicious login from a less-secure application was detected.
suspicious_programmatic_login	A suspicious programmatic (API or app) login was detected.
2sv_enroll	A user enrolled in 2-Step Verification.
logout	A user signed out of their Google Workspace account.
login_challenge	A login challenge (e.g. an additional verification step) was presented to the user.
login_verification	A user completed a login verification step.
password_edit	A user changed their own account password.
recovery_email_edit	A user changed their account recovery email address.
recovery_phone_edit	A user changed their account recovery phone number.
account_disabled_generic	A user account was disabled for a policy reason.
account_disabled_spamming	A user account was disabled because it was found to be sending spam.
account_disabled_hijacked	A user account was disabled because it was detected as hijacked.
account_disabled_password_leak	A user account was disabled because a password leak was detected.
risky_sensitive_action_allowed	A risky or sensitive action by a user was allowed after risk evaluation.
risky_sensitive_action_blocked	A risky or sensitive action by a user was blocked after risk evaluation.
passkey_enrolled	A user enrolled a passkey as a login method.
passkey_removed	A user removed a passkey login method.
titanium_enroll	A user enrolled in Google's Advanced Protection Program (Titanium).
titanium_unenroll	A user left Google's Advanced Protection Program (Titanium).
blocked_sender	An email sender was blocked by a user or policy.
user_signed_out_due_to_suspicious_session_cookie	A user was signed out because a suspicious session cookie was detected.

any: Login (any event)

Application: GoogleWorkspace-login

Description

Source-only rules that filter on applicationName 'login' without specifying an eventName attribute here.

Fields #

Name	Description
`applicationName`	Reports API applicationName value identifying the GWS service (e.g. admin, login, drive).
`eventName`	The specific action within this application.
`actor.email`	Email address of the user or administrator who performed the action.
`actor.profileId`	Unique Google Workspace profile ID of the actor.
`ipAddress`	IP address of the actor at the time of the event.
`parameters`	Array of event-specific key-value parameters documenting affected resources.

References #

Reports API: login activity events https://developers.google.com/workspace/admin/reports/v1/appendix/activity/login
Reports API activities.list reference https://developers.google.com/workspace/admin/reports/reference/rest/v1/activities/list

2sv_disable: 2-Step Verification Disabled

Application: GoogleWorkspace-login

Description

A user disabled 2-Step Verification on their account.

Fields #

Name	Description
`applicationName`	Reports API applicationName value identifying the GWS service (e.g. admin, login, drive).
`eventName`	The specific action within this application.
`actor.email`	Email address of the user or administrator who performed the action.
`actor.profileId`	Unique Google Workspace profile ID of the actor.
`ipAddress`	IP address of the actor at the time of the event.
`parameters`	Array of event-specific key-value parameters documenting affected resources.

Detection Rules #

View all rules referencing this event →

Elastic #

Google Workspace 2SV Policy Disabled source medium: Google Workspace admins may setup 2-step verification (2SV) to add an extra layer of security to user accounts by asking users to verify their identity when they use login credentials. Admins have the ability to enforce 2SV from the admin console as well as the methods acceptable for verification and enrollment period. 2SV requires enablement on admin accounts prior to it being enabled for users within organization units. Adversaries may disable 2SV to lower the security requirements to access a valid account.

References #

Login Activity Events: 2sv_disable https://developers.google.com/workspace/admin/reports/v1/appendix/activity/login#2sv_disable

email_forwarding_out_of_domain: Email Forwarding Out of Domain

Application: GoogleWorkspace-login

Description

A user configured automatic email forwarding to an external address.

Fields #

Name	Description
`applicationName`	Reports API applicationName value identifying the GWS service (e.g. admin, login, drive).
`eventName`	The specific action within this application.
`actor.email`	Email address of the user or administrator who performed the action.
`actor.profileId`	Unique Google Workspace profile ID of the actor.
`ipAddress`	IP address of the actor at the time of the event.
`parameters`	Array of event-specific key-value parameters documenting affected resources.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`gcp::service_name`	eq	`login.googleapis.com`	1 rule	sigma

Detection Rules #

View all rules referencing this event →

Sigma #

Google Workspace Out Of Domain Email Forwarding source medium: Detects automatic email forwarding to external domains in Google Workspace, which may indicate data leakage or misuse.

References #

Login Activity Events: email_forwarding_out_of_domain https://developers.google.com/workspace/admin/reports/v1/appendix/activity/login#email_forwarding_out_of_domain

gov_attack_warning: Government-Backed Attack Warning

Application: GoogleWorkspace-login

Description

Google detected that the account may have been targeted by a government-backed attacker.

Fields #

Name	Description
`applicationName`	Reports API applicationName value identifying the GWS service (e.g. admin, login, drive).
`eventName`	The specific action within this application.
`actor.email`	Email address of the user or administrator who performed the action.
`actor.profileId`	Unique Google Workspace profile ID of the actor.
`ipAddress`	IP address of the actor at the time of the event.
`parameters`	Array of event-specific key-value parameters documenting affected resources.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`gcp::service_name`	eq	`login.googleapis.com`	1 rule	sigma

Detection Rules #

View all rules referencing this event →

Sigma #

Google Workspace Government Attack Warning source medium: Detects a login attempt in Google Workspace flagged as a potential attack by a government-backed threat actor

References #

Login Activity Events: gov_attack_warning https://developers.google.com/workspace/admin/reports/v1/appendix/activity/login#gov_attack_warning

login_failure: Login Failure

Application: GoogleWorkspace-login

Fields #

Name	Description
`applicationName`	Reports API applicationName value identifying the GWS service (e.g. admin, login, drive).
`eventName`	The specific action within this application.
`actor.email`	Email address of the user or administrator who performed the action.
`actor.profileId`	Unique Google Workspace profile ID of the actor.
`ipAddress`	IP address of the actor at the time of the event.
`parameters`	Array of event-specific key-value parameters documenting affected resources.

login_success: Login Success

Application: GoogleWorkspace-login

Fields #

Name	Description
`applicationName`	Reports API applicationName value identifying the GWS service (e.g. admin, login, drive).
`eventName`	The specific action within this application.
`actor.email`	Email address of the user or administrator who performed the action.
`actor.profileId`	Unique Google Workspace profile ID of the actor.
`ipAddress`	IP address of the actor at the time of the event.
`parameters`	Array of event-specific key-value parameters documenting affected resources.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`about.labels["is_suspicious"]`	eq	`true`	2 rules	chronicle
`source.as.number`	is_not_null		1 rule	elastic
`user.email`	is_not_null		1 rule	elastic

Detection Rules #

View all rules referencing this event →

Elastic #

Google Workspace User Login with Unusual ASN source low: Detects the first time a Google Workspace user successfully signs in from a given source ASN within a 14-day historical window. Most users have a stable set of egress ASNs (home ISP, corporate VPN, mobile carrier). A new ASN for a user is a meaningful anomaly as it surfaces ISP changes and travel, but also catches AiTM phishing-kit relays whose egress ASN was never previously associated with the user.

YARA-L #

Google Workspace Suspicious Login and Google Drive File Download source: Identifies when a Google Workspace user downloads a file from Google Drive after a suspicious login event occurred.
Google Workspace Suspicious Login and Google Drive File Share source: Identifies when a Google Workspace user shares a file on Google Drive after a suspicious login event occurred.

suspicious_login: Suspicious Login

Application: GoogleWorkspace-login

Fields #

Name	Description
`applicationName`	Reports API applicationName value identifying the GWS service (e.g. admin, login, drive).
`eventName`	The specific action within this application.
`actor.email`	Email address of the user or administrator who performed the action.
`actor.profileId`	Unique Google Workspace profile ID of the actor.
`ipAddress`	IP address of the actor at the time of the event.
`parameters`	Array of event-specific key-value parameters documenting affected resources.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`gcp::service_name`	eq	`login.googleapis.com`	1 rule	sigma

Detection Rules #

View all rules referencing this event →

suspicious_login_less_secure_app: Suspicious Login (Less Secure App)

Application: GoogleWorkspace-login

Fields #

Name	Description
`applicationName`	Reports API applicationName value identifying the GWS service (e.g. admin, login, drive).
`eventName`	The specific action within this application.
`actor.email`	Email address of the user or administrator who performed the action.
`actor.profileId`	Unique Google Workspace profile ID of the actor.
`ipAddress`	IP address of the actor at the time of the event.
`parameters`	Array of event-specific key-value parameters documenting affected resources.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`gcp::service_name`	eq	`login.googleapis.com`	1 rule	sigma

Detection Rules #

View all rules referencing this event →

suspicious_programmatic_login: Suspicious Programmatic Login

Application: GoogleWorkspace-login

Fields #

Name	Description
`applicationName`	Reports API applicationName value identifying the GWS service (e.g. admin, login, drive).
`eventName`	The specific action within this application.
`actor.email`	Email address of the user or administrator who performed the action.
`actor.profileId`	Unique Google Workspace profile ID of the actor.
`ipAddress`	IP address of the actor at the time of the event.
`parameters`	Array of event-specific key-value parameters documenting affected resources.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`gcp::service_name`	eq	`login.googleapis.com`	1 rule	sigma

Detection Rules #

View all rules referencing this event →

2sv_enroll: 2-Step Verification Enrolled

Application: GoogleWorkspace-login

Description

A user enrolled in 2-Step Verification.

Fields #

Name	Description
`applicationName`	Reports API applicationName value identifying the GWS service (e.g. admin, login, drive).
`eventName`	The specific action within this application.
`actor.email`	Email address of the user or administrator who performed the action.
`actor.profileId`	Unique Google Workspace profile ID of the actor.
`ipAddress`	IP address of the actor at the time of the event.
`parameters`	Array of event-specific key-value parameters documenting affected resources.

References #

Login Activity Events: 2sv_enroll https://developers.google.com/workspace/admin/reports/v1/appendix/activity/login#2sv_enroll

logout: Logout

Application: GoogleWorkspace-login

Description

A user signed out of their Google Workspace account.

Fields #

Name	Description
`applicationName`	Reports API applicationName value identifying the GWS service (e.g. admin, login, drive).
`eventName`	The specific action within this application.
`actor.email`	Email address of the user or administrator who performed the action.
`actor.profileId`	Unique Google Workspace profile ID of the actor.
`ipAddress`	IP address of the actor at the time of the event.
`parameters`	Array of event-specific key-value parameters documenting affected resources.

References #

login_challenge: Login Challenge

Application: GoogleWorkspace-login

Fields #

Name	Description
`applicationName`	Reports API applicationName value identifying the GWS service (e.g. admin, login, drive).
`eventName`	The specific action within this application.
`actor.email`	Email address of the user or administrator who performed the action.
`actor.profileId`	Unique Google Workspace profile ID of the actor.
`ipAddress`	IP address of the actor at the time of the event.
`parameters`	Array of event-specific key-value parameters documenting affected resources.

login_verification: Login Verification

Application: GoogleWorkspace-login

Fields #

Name	Description
`applicationName`	Reports API applicationName value identifying the GWS service (e.g. admin, login, drive).
`eventName`	The specific action within this application.
`actor.email`	Email address of the user or administrator who performed the action.
`actor.profileId`	Unique Google Workspace profile ID of the actor.
`ipAddress`	IP address of the actor at the time of the event.
`parameters`	Array of event-specific key-value parameters documenting affected resources.

password_edit: Password Edit

Application: GoogleWorkspace-login

Description

A user changed their own account password.

Fields #

Name	Description
`applicationName`	Reports API applicationName value identifying the GWS service (e.g. admin, login, drive).
`eventName`	The specific action within this application.
`actor.email`	Email address of the user or administrator who performed the action.
`actor.profileId`	Unique Google Workspace profile ID of the actor.
`ipAddress`	IP address of the actor at the time of the event.
`parameters`	Array of event-specific key-value parameters documenting affected resources.

References #

Login Activity Events: password_edit https://developers.google.com/workspace/admin/reports/v1/appendix/activity/login#password_edit

recovery_email_edit: Recovery Email Edit

Application: GoogleWorkspace-login

Description

A user changed their account recovery email address.

Fields #

Name	Description
`applicationName`	Reports API applicationName value identifying the GWS service (e.g. admin, login, drive).
`eventName`	The specific action within this application.
`actor.email`	Email address of the user or administrator who performed the action.
`actor.profileId`	Unique Google Workspace profile ID of the actor.
`ipAddress`	IP address of the actor at the time of the event.
`parameters`	Array of event-specific key-value parameters documenting affected resources.

References #

Login Activity Events: recovery_email_edit https://developers.google.com/workspace/admin/reports/v1/appendix/activity/login#recovery_email_edit

recovery_phone_edit: Recovery Phone Edit

Application: GoogleWorkspace-login

Description

A user changed their account recovery phone number.

Fields #

Name	Description
`applicationName`	Reports API applicationName value identifying the GWS service (e.g. admin, login, drive).
`eventName`	The specific action within this application.
`actor.email`	Email address of the user or administrator who performed the action.
`actor.profileId`	Unique Google Workspace profile ID of the actor.
`ipAddress`	IP address of the actor at the time of the event.
`parameters`	Array of event-specific key-value parameters documenting affected resources.

References #

Login Activity Events: recovery_phone_edit https://developers.google.com/workspace/admin/reports/v1/appendix/activity/login#recovery_phone_edit

account_disabled_generic: Account Disabled (Generic)

Application: GoogleWorkspace-login

Description

A user account was disabled for a policy reason.

Fields #

Name	Description
`applicationName`	Reports API applicationName value identifying the GWS service (e.g. admin, login, drive).
`eventName`	The specific action within this application.
`actor.email`	Email address of the user or administrator who performed the action.
`actor.profileId`	Unique Google Workspace profile ID of the actor.
`ipAddress`	IP address of the actor at the time of the event.
`parameters`	Array of event-specific key-value parameters documenting affected resources.

References #

Login Activity Events: account_disabled_generic https://developers.google.com/workspace/admin/reports/v1/appendix/activity/login#account_disabled_generic

account_disabled_spamming: Account Disabled (Spamming)

Application: GoogleWorkspace-login

Description

A user account was disabled because it was found to be sending spam.

Fields #

Name	Description
`applicationName`	Reports API applicationName value identifying the GWS service (e.g. admin, login, drive).
`eventName`	The specific action within this application.
`actor.email`	Email address of the user or administrator who performed the action.
`actor.profileId`	Unique Google Workspace profile ID of the actor.
`ipAddress`	IP address of the actor at the time of the event.
`parameters`	Array of event-specific key-value parameters documenting affected resources.

References #

Login Activity Events: account_disabled_spamming https://developers.google.com/workspace/admin/reports/v1/appendix/activity/login#account_disabled_spamming

account_disabled_hijacked: Account Disabled (Hijacked)

Application: GoogleWorkspace-login

Description

A user account was disabled because it was detected as hijacked.

Fields #

Name	Description
`applicationName`	Reports API applicationName value identifying the GWS service (e.g. admin, login, drive).
`eventName`	The specific action within this application.
`actor.email`	Email address of the user or administrator who performed the action.
`actor.profileId`	Unique Google Workspace profile ID of the actor.
`ipAddress`	IP address of the actor at the time of the event.
`parameters`	Array of event-specific key-value parameters documenting affected resources.

References #

Login Activity Events: account_disabled_hijacked https://developers.google.com/workspace/admin/reports/v1/appendix/activity/login#account_disabled_hijacked

account_disabled_password_leak: Account Disabled (Password Leak)

Application: GoogleWorkspace-login

Description

A user account was disabled because a password leak was detected.

Fields #

Name	Description
`applicationName`	Reports API applicationName value identifying the GWS service (e.g. admin, login, drive).
`eventName`	The specific action within this application.
`actor.email`	Email address of the user or administrator who performed the action.
`actor.profileId`	Unique Google Workspace profile ID of the actor.
`ipAddress`	IP address of the actor at the time of the event.
`parameters`	Array of event-specific key-value parameters documenting affected resources.

References #

Login Activity Events: account_disabled_password_leak https://developers.google.com/workspace/admin/reports/v1/appendix/activity/login#account_disabled_password_leak

risky_sensitive_action_allowed: Risky Sensitive Action Allowed

Application: GoogleWorkspace-login

Description

A risky or sensitive action by a user was allowed after risk evaluation.

Fields #

Name	Description
`applicationName`	Reports API applicationName value identifying the GWS service (e.g. admin, login, drive).
`eventName`	The specific action within this application.
`actor.email`	Email address of the user or administrator who performed the action.
`actor.profileId`	Unique Google Workspace profile ID of the actor.
`ipAddress`	IP address of the actor at the time of the event.
`parameters`	Array of event-specific key-value parameters documenting affected resources.

References #

Login Activity Events: risky_sensitive_action_allowed https://developers.google.com/workspace/admin/reports/v1/appendix/activity/login#risky_sensitive_action_allowed

risky_sensitive_action_blocked: Risky Sensitive Action Blocked

Application: GoogleWorkspace-login

Description

A risky or sensitive action by a user was blocked after risk evaluation.

Fields #

Name	Description
`applicationName`	Reports API applicationName value identifying the GWS service (e.g. admin, login, drive).
`eventName`	The specific action within this application.
`actor.email`	Email address of the user or administrator who performed the action.
`actor.profileId`	Unique Google Workspace profile ID of the actor.
`ipAddress`	IP address of the actor at the time of the event.
`parameters`	Array of event-specific key-value parameters documenting affected resources.

References #

Login Activity Events: risky_sensitive_action_blocked https://developers.google.com/workspace/admin/reports/v1/appendix/activity/login#risky_sensitive_action_blocked

passkey_enrolled: Passkey Enrolled

Application: GoogleWorkspace-login

Description

A user enrolled a passkey as a login method.

Fields #

Name	Description
`applicationName`	Reports API applicationName value identifying the GWS service (e.g. admin, login, drive).
`eventName`	The specific action within this application.
`actor.email`	Email address of the user or administrator who performed the action.
`actor.profileId`	Unique Google Workspace profile ID of the actor.
`ipAddress`	IP address of the actor at the time of the event.
`parameters`	Array of event-specific key-value parameters documenting affected resources.

References #

Login Activity Events: passkey_enrolled https://developers.google.com/workspace/admin/reports/v1/appendix/activity/login#passkey_enrolled

passkey_removed: Passkey Removed

Application: GoogleWorkspace-login

Description

A user removed a passkey login method.

Fields #

Name	Description
`applicationName`	Reports API applicationName value identifying the GWS service (e.g. admin, login, drive).
`eventName`	The specific action within this application.
`actor.email`	Email address of the user or administrator who performed the action.
`actor.profileId`	Unique Google Workspace profile ID of the actor.
`ipAddress`	IP address of the actor at the time of the event.
`parameters`	Array of event-specific key-value parameters documenting affected resources.

References #

Login Activity Events: passkey_removed https://developers.google.com/workspace/admin/reports/v1/appendix/activity/login#passkey_removed

titanium_enroll: Advanced Protection Enrolled

Application: GoogleWorkspace-login

Description

A user enrolled in Google's Advanced Protection Program (Titanium).

Fields #

Name	Description
`applicationName`	Reports API applicationName value identifying the GWS service (e.g. admin, login, drive).
`eventName`	The specific action within this application.
`actor.email`	Email address of the user or administrator who performed the action.
`actor.profileId`	Unique Google Workspace profile ID of the actor.
`ipAddress`	IP address of the actor at the time of the event.
`parameters`	Array of event-specific key-value parameters documenting affected resources.

References #

Login Activity Events: titanium_enroll https://developers.google.com/workspace/admin/reports/v1/appendix/activity/login#titanium_enroll

titanium_unenroll: Advanced Protection Unenrolled

Application: GoogleWorkspace-login

Description

A user left Google's Advanced Protection Program (Titanium).

Fields #

Name	Description
`applicationName`	Reports API applicationName value identifying the GWS service (e.g. admin, login, drive).
`eventName`	The specific action within this application.
`actor.email`	Email address of the user or administrator who performed the action.
`actor.profileId`	Unique Google Workspace profile ID of the actor.
`ipAddress`	IP address of the actor at the time of the event.
`parameters`	Array of event-specific key-value parameters documenting affected resources.

References #

Login Activity Events: titanium_unenroll https://developers.google.com/workspace/admin/reports/v1/appendix/activity/login#titanium_unenroll

blocked_sender: Blocked Sender

Application: GoogleWorkspace-login

Description

An email sender was blocked by a user or policy.

Fields #

Name	Description
`applicationName`	Reports API applicationName value identifying the GWS service (e.g. admin, login, drive).
`eventName`	The specific action within this application.
`actor.email`	Email address of the user or administrator who performed the action.
`actor.profileId`	Unique Google Workspace profile ID of the actor.
`ipAddress`	IP address of the actor at the time of the event.
`parameters`	Array of event-specific key-value parameters documenting affected resources.

References #

Login Activity Events: blocked_sender https://developers.google.com/workspace/admin/reports/v1/appendix/activity/login#blocked_sender

user_signed_out_due_to_suspicious_session_cookie: User Signed Out (Suspicious Session Cookie)

Application: GoogleWorkspace-login

Fields #

Name	Description
`applicationName`	Reports API applicationName value identifying the GWS service (e.g. admin, login, drive).
`eventName`	The specific action within this application.
`actor.email`	Email address of the user or administrator who performed the action.
`actor.profileId`	Unique Google Workspace profile ID of the actor.
`ipAddress`	IP address of the actor at the time of the event.
`parameters`	Array of event-specific key-value parameters documenting affected resources.

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)