Azure Active Directory / Entra ID events M365-AzureActiveDirectory

13 operations, identified by Operation in the audit log.

Operation	Description
_catch_all	Catch-all for M365-AzureActiveDirectory rules matching the RecordType but no specific Operation.
Add application.	An application registration was created in Azure Active Directory (the UAL operation string includes a trailing period).
Add group.	A group was created in Azure Active Directory (the UAL operation string includes a trailing period).
Add member to group.	A principal was added to a group in Azure Active Directory (the UAL operation string includes a trailing period).
Add member to role.	A principal was added to an Azure Active Directory directory role (the UAL operation string includes a trailing period).
Add registered users to device.	Registered users were added to a device object in Azure Active Directory (the UAL operation string includes a trailing period).
Consent to application.	Admin or user consent was granted to an application in Azure Active Directory (the UAL operation string includes a trailing period).
Delete group.	A group was deleted in Azure Active Directory (the UAL operation string includes a trailing period).
Remove member from group.	A principal was removed from a group in Azure Active Directory (the UAL operation string includes a trailing period).
Set-MsolDomainFederationSettings	Federation settings for a domain were changed via the MSOnline module (a directory operation, not an Exchange cmdlet); abused to add a backdoor federation trust.
Update application.	An application registration was modified in Azure Active Directory (the UAL operation string includes a trailing period).
UserLoggedIn	A user successfully signed in to an Azure Active Directory-integrated application or service.
UserLoginFailed	A user sign-in attempt to an Azure Active Directory-integrated application failed (incorrect credentials, MFA denial, or Conditional Access block).

_catch_all: Azure Active Directory / Entra ID events (catch-all)

RecordType: M365-AzureActiveDirectory

Description

Catch-all for M365-AzureActiveDirectory rules matching the RecordType but no specific Operation.

Fields #

Name	Description
`RecordType`	AuditLogRecordType enum value (named string in Sentinel OfficeActivity; integer in the raw Management Activity API JSON).
`Operation`	The name of the user or admin activity. For Exchange admin activity this is the cmdlet name; for DLP it is DlpRuleMatch/DlpRuleUndo/DlpInfo. The per-event discriminator (event.action in Elastic ECS).
`Workload`	The Microsoft 365 service where the activity occurred (Exchange, SharePoint, AzureActiveDirectory, MicrosoftTeams, ...). Surfaces as event.provider in Elastic ECS.
`ResultStatus`	Whether the action succeeded: Succeeded, PartiallySucceeded, or Failed (True/False for Exchange admin). For STS-logon events this reflects only the HTTP operation, not logon success: check LogonError.
`UserId`	UPN of the user who performed the action; system-account and app@sharepoint values also appear.
`UserType`	Type of actor: Regular, Admin, System, DcAdmin, Application, ServicePrincipal.
`UserKey`	Alternative ID for the user (the PUID for SharePoint / OneDrive / Exchange events).
`ClientIP`	IPv4/IPv6 address of the device used; may be a trusted-app IP, and is null for Microsoft Entra ID events.
`ObjectId`	For SharePoint/OneDrive, the full path of the file/folder; for Exchange admin, the object modified by the cmdlet; shape is operation-specific.
`OrganizationId`	GUID of the tenant's Office 365 organization (constant per tenant).
`Id`	Unique identifier (GUID) for the audit record.
`CreationTime`	UTC date/time when the audit record was generated.
`Scope`	Source of the event: online (a Microsoft 365 service) or onprem (an on-premises service; currently SharePoint only).
`AppAccessContext`	Application context for the user or service principal that performed the action.
`AzureActiveDirectoryEventType`	The type of Microsoft Entra event (AccountLogon, AzureApplicationAuditEvent, ...).
`ExtendedProperties`	Extended properties of the Microsoft Entra event (name/value pairs).
`ModifiedProperties`	For admin events: the property modified, its new value, and its previous value.
`TargetResources`	Objects affected by the operation (users, groups, apps, service principals, roles), with modifiedProperties; the Graph / Sentinel projection of the same record.

References #

Office 365 Management Activity API schema (AuditLogRecordType enum) https://learn.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema
Microsoft Purview audit log activities reference https://learn.microsoft.com/en-us/purview/audit-log-activities

Add application.

RecordType: M365-AzureActiveDirectory

Description

An application registration was created in Azure Active Directory (the UAL operation string includes a trailing period).

Fields #

Name	Description
`RecordType`	AuditLogRecordType enum value (named string in Sentinel OfficeActivity; integer in the raw Management Activity API JSON).
`Operation`	The name of the user or admin activity. For Exchange admin activity this is the cmdlet name; for DLP it is DlpRuleMatch/DlpRuleUndo/DlpInfo. The per-event discriminator (event.action in Elastic ECS).
`Workload`	The Microsoft 365 service where the activity occurred (Exchange, SharePoint, AzureActiveDirectory, MicrosoftTeams, ...). Surfaces as event.provider in Elastic ECS.
`ResultStatus`	Whether the action succeeded: Succeeded, PartiallySucceeded, or Failed (True/False for Exchange admin). For STS-logon events this reflects only the HTTP operation, not logon success: check LogonError.
`UserId`	UPN of the user who performed the action; system-account and app@sharepoint values also appear.
`UserType`	Type of actor: Regular, Admin, System, DcAdmin, Application, ServicePrincipal.
`UserKey`	Alternative ID for the user (the PUID for SharePoint / OneDrive / Exchange events).
`ClientIP`	IPv4/IPv6 address of the device used; may be a trusted-app IP, and is null for Microsoft Entra ID events.
`ObjectId`	For SharePoint/OneDrive, the full path of the file/folder; for Exchange admin, the object modified by the cmdlet; shape is operation-specific.
`OrganizationId`	GUID of the tenant's Office 365 organization (constant per tenant).
`Id`	Unique identifier (GUID) for the audit record.
`CreationTime`	UTC date/time when the audit record was generated.
`Scope`	Source of the event: online (a Microsoft 365 service) or onprem (an on-premises service; currently SharePoint only).
`AppAccessContext`	Application context for the user or service principal that performed the action.
`AzureActiveDirectoryEventType`	The type of Microsoft Entra event (AccountLogon, AzureApplicationAuditEvent, ...).
`ExtendedProperties`	Extended properties of the Microsoft Entra event (name/value pairs).
`ModifiedProperties`	For admin events: the property modified, its new value, and its previous value.
`TargetResources`	Objects affected by the operation (users, groups, apps, service principals, roles), with modifiedProperties; the Graph / Sentinel projection of the same record.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`target.resource.product_object_id`	eq	`1b730954-1685-4b74-9bfd-dac224a7b894`	1 rule	chronicle

Detection Rules #

View all rules referencing this event →

YARA-L #

O365 AD PowerShell App Login Subsequent Activity source: Once a user authenticates to the Azure AD PowerShell application, if they take multiple admin actions indicative of establishing their own persistence with an Entra ID application within a portion of the access token time, alert for additional investigation↳ also matches Update application., UserLoggedIn
O365 Entra ID Application Creation source: Application creation is a legitimate activity but doesn't occur frequently. Alerts when a new application is created in Entra ID (formerly Azure AD).

References #

Office 365 Management Activity API schema (AuditLogRecordType enum) https://learn.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema
Microsoft Purview audit log activities reference https://learn.microsoft.com/en-us/purview/audit-log-activities

Add group.

RecordType: M365-AzureActiveDirectory

Description

A group was created in Azure Active Directory (the UAL operation string includes a trailing period).

Fields #

Name	Description
`RecordType`	AuditLogRecordType enum value (named string in Sentinel OfficeActivity; integer in the raw Management Activity API JSON).
`Operation`	The name of the user or admin activity. For Exchange admin activity this is the cmdlet name; for DLP it is DlpRuleMatch/DlpRuleUndo/DlpInfo. The per-event discriminator (event.action in Elastic ECS).
`Workload`	The Microsoft 365 service where the activity occurred (Exchange, SharePoint, AzureActiveDirectory, MicrosoftTeams, ...). Surfaces as event.provider in Elastic ECS.
`ResultStatus`	Whether the action succeeded: Succeeded, PartiallySucceeded, or Failed (True/False for Exchange admin). For STS-logon events this reflects only the HTTP operation, not logon success: check LogonError.
`UserId`	UPN of the user who performed the action; system-account and app@sharepoint values also appear.
`UserType`	Type of actor: Regular, Admin, System, DcAdmin, Application, ServicePrincipal.
`UserKey`	Alternative ID for the user (the PUID for SharePoint / OneDrive / Exchange events).
`ClientIP`	IPv4/IPv6 address of the device used; may be a trusted-app IP, and is null for Microsoft Entra ID events.
`ObjectId`	For SharePoint/OneDrive, the full path of the file/folder; for Exchange admin, the object modified by the cmdlet; shape is operation-specific.
`OrganizationId`	GUID of the tenant's Office 365 organization (constant per tenant).
`Id`	Unique identifier (GUID) for the audit record.
`CreationTime`	UTC date/time when the audit record was generated.
`Scope`	Source of the event: online (a Microsoft 365 service) or onprem (an on-premises service; currently SharePoint only).
`AppAccessContext`	Application context for the user or service principal that performed the action.
`AzureActiveDirectoryEventType`	The type of Microsoft Entra event (AccountLogon, AzureApplicationAuditEvent, ...).
`ExtendedProperties`	Extended properties of the Microsoft Entra event (name/value pairs).
`ModifiedProperties`	For admin events: the property modified, its new value, and its previous value.
`TargetResources`	Objects affected by the operation (users, groups, apps, service principals, roles), with modifiedProperties; the Graph / Sentinel projection of the same record.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`security_result.action`	eq	`BLOCK`	1 rule	chronicle

Detection Rules #

View all rules referencing this event →

YARA-L #

Hunt for Office 365 group creation failures source: Detects when a group is attempted to be created but fails in Office 365. This could be due to insufficient permissions or other errors
Hunt for Office 365 group creation success source: Detects when a group is created in Office 365.

References #

Office 365 Management Activity API schema (AuditLogRecordType enum) https://learn.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema
Microsoft Purview audit log activities reference https://learn.microsoft.com/en-us/purview/audit-log-activities

Add member to group.

RecordType: M365-AzureActiveDirectory

Description

A principal was added to a group in Azure Active Directory (the UAL operation string includes a trailing period).

Fields #

Name	Description
`RecordType`	AuditLogRecordType enum value (named string in Sentinel OfficeActivity; integer in the raw Management Activity API JSON).
`Operation`	The name of the user or admin activity. For Exchange admin activity this is the cmdlet name; for DLP it is DlpRuleMatch/DlpRuleUndo/DlpInfo. The per-event discriminator (event.action in Elastic ECS).
`Workload`	The Microsoft 365 service where the activity occurred (Exchange, SharePoint, AzureActiveDirectory, MicrosoftTeams, ...). Surfaces as event.provider in Elastic ECS.
`ResultStatus`	Whether the action succeeded: Succeeded, PartiallySucceeded, or Failed (True/False for Exchange admin). For STS-logon events this reflects only the HTTP operation, not logon success: check LogonError.
`UserId`	UPN of the user who performed the action; system-account and app@sharepoint values also appear.
`UserType`	Type of actor: Regular, Admin, System, DcAdmin, Application, ServicePrincipal.
`UserKey`	Alternative ID for the user (the PUID for SharePoint / OneDrive / Exchange events).
`ClientIP`	IPv4/IPv6 address of the device used; may be a trusted-app IP, and is null for Microsoft Entra ID events.
`ObjectId`	For SharePoint/OneDrive, the full path of the file/folder; for Exchange admin, the object modified by the cmdlet; shape is operation-specific.
`OrganizationId`	GUID of the tenant's Office 365 organization (constant per tenant).
`Id`	Unique identifier (GUID) for the audit record.
`CreationTime`	UTC date/time when the audit record was generated.
`Scope`	Source of the event: online (a Microsoft 365 service) or onprem (an on-premises service; currently SharePoint only).
`AppAccessContext`	Application context for the user or service principal that performed the action.
`AzureActiveDirectoryEventType`	The type of Microsoft Entra event (AccountLogon, AzureApplicationAuditEvent, ...).
`ExtendedProperties`	Extended properties of the Microsoft Entra event (name/value pairs).
`ModifiedProperties`	For admin events: the property modified, its new value, and its previous value.
`TargetResources`	Objects affected by the operation (users, groups, apps, service principals, roles), with modifiedProperties; the Graph / Sentinel projection of the same record.

Detection Rules #

View all rules referencing this event →

YARA-L #

Hunt for Office 365 group modification add member success source: Detects when a user is added to a group in Office 365.
Office 365 group modification add member success has exceeded a defined threshold source: Detects when a group GUID in Office 365 has more users added to it by the same user than a defined thresold.

References #

Office 365 Management Activity API schema (AuditLogRecordType enum) https://learn.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema
Microsoft Purview audit log activities reference https://learn.microsoft.com/en-us/purview/audit-log-activities

Add member to role.

Equivalent operation in the other pipeline: Add member to role (Entra ID directory audit)

RecordType: M365-AzureActiveDirectory

Description

A principal was added to an Azure Active Directory directory role (the UAL operation string includes a trailing period).

Fields #

Name	Description
`RecordType`	AuditLogRecordType enum value (named string in Sentinel OfficeActivity; integer in the raw Management Activity API JSON).
`Operation`	The name of the user or admin activity. For Exchange admin activity this is the cmdlet name; for DLP it is DlpRuleMatch/DlpRuleUndo/DlpInfo. The per-event discriminator (event.action in Elastic ECS).
`Workload`	The Microsoft 365 service where the activity occurred (Exchange, SharePoint, AzureActiveDirectory, MicrosoftTeams, ...). Surfaces as event.provider in Elastic ECS.
`ResultStatus`	Whether the action succeeded: Succeeded, PartiallySucceeded, or Failed (True/False for Exchange admin). For STS-logon events this reflects only the HTTP operation, not logon success: check LogonError.
`UserId`	UPN of the user who performed the action; system-account and app@sharepoint values also appear.
`UserType`	Type of actor: Regular, Admin, System, DcAdmin, Application, ServicePrincipal.
`UserKey`	Alternative ID for the user (the PUID for SharePoint / OneDrive / Exchange events).
`ClientIP`	IPv4/IPv6 address of the device used; may be a trusted-app IP, and is null for Microsoft Entra ID events.
`ObjectId`	For SharePoint/OneDrive, the full path of the file/folder; for Exchange admin, the object modified by the cmdlet; shape is operation-specific.
`OrganizationId`	GUID of the tenant's Office 365 organization (constant per tenant).
`Id`	Unique identifier (GUID) for the audit record.
`CreationTime`	UTC date/time when the audit record was generated.
`Scope`	Source of the event: online (a Microsoft 365 service) or onprem (an on-premises service; currently SharePoint only).
`AppAccessContext`	Application context for the user or service principal that performed the action.
`AzureActiveDirectoryEventType`	The type of Microsoft Entra event (AccountLogon, AzureApplicationAuditEvent, ...).
`ExtendedProperties`	Extended properties of the Microsoft Entra event (name/value pairs).
`ModifiedProperties`	For admin events: the property modified, its new value, and its previous value.
`TargetResources`	Objects affected by the operation (users, groups, apps, service principals, roles), with modifiedProperties; the Graph / Sentinel projection of the same record.

Detection Rules #

View all rules referencing this event →

Elastic #

M365 Identity Global Administrator Role Assigned source medium: Identifies when the Microsoft 365 Global Administrator or Company Administrator role is assigned to a user or service principal. The Global Administrator role has extensive privileges across Entra ID and Microsoft 365 services, making it a high-value target for adversaries seeking persistent access. Successful assignments of this role may indicate potential privilege escalation or unauthorized access attempts, especially if performed by accounts that do not typically manage high-privilege roles.

YARA-L #

O365 Add User To Admin Role source: Adding users to administrative roles is not malicious, but due to the sensitivity of certain roles, validation should occur when this occurs
O365 Recently Created Entra ID User Assigned Roles source: Detects when a user is created in Entra ID and assigned roles within a defined time window.

References #

Office 365 Management Activity API schema (AuditLogRecordType enum) https://learn.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema
Microsoft Purview audit log activities reference https://learn.microsoft.com/en-us/purview/audit-log-activities

Add registered users to device.

Equivalent operation in the other pipeline: Add registered users to device (Entra ID directory audit)

RecordType: M365-AzureActiveDirectory

Description

Registered users were added to a device object in Azure Active Directory (the UAL operation string includes a trailing period).

Fields #

Name	Description
`RecordType`	AuditLogRecordType enum value (named string in Sentinel OfficeActivity; integer in the raw Management Activity API JSON).
`Operation`	The name of the user or admin activity. For Exchange admin activity this is the cmdlet name; for DLP it is DlpRuleMatch/DlpRuleUndo/DlpInfo. The per-event discriminator (event.action in Elastic ECS).
`Workload`	The Microsoft 365 service where the activity occurred (Exchange, SharePoint, AzureActiveDirectory, MicrosoftTeams, ...). Surfaces as event.provider in Elastic ECS.
`ResultStatus`	Whether the action succeeded: Succeeded, PartiallySucceeded, or Failed (True/False for Exchange admin). For STS-logon events this reflects only the HTTP operation, not logon success: check LogonError.
`UserId`	UPN of the user who performed the action; system-account and app@sharepoint values also appear.
`UserType`	Type of actor: Regular, Admin, System, DcAdmin, Application, ServicePrincipal.
`UserKey`	Alternative ID for the user (the PUID for SharePoint / OneDrive / Exchange events).
`ClientIP`	IPv4/IPv6 address of the device used; may be a trusted-app IP, and is null for Microsoft Entra ID events.
`ObjectId`	For SharePoint/OneDrive, the full path of the file/folder; for Exchange admin, the object modified by the cmdlet; shape is operation-specific.
`OrganizationId`	GUID of the tenant's Office 365 organization (constant per tenant).
`Id`	Unique identifier (GUID) for the audit record.
`CreationTime`	UTC date/time when the audit record was generated.
`Scope`	Source of the event: online (a Microsoft 365 service) or onprem (an on-premises service; currently SharePoint only).
`AppAccessContext`	Application context for the user or service principal that performed the action.
`AzureActiveDirectoryEventType`	The type of Microsoft Entra event (AccountLogon, AzureApplicationAuditEvent, ...).
`ExtendedProperties`	Extended properties of the Microsoft Entra event (name/value pairs).
`ModifiedProperties`	For admin events: the property modified, its new value, and its previous value.
`TargetResources`	Objects affected by the operation (users, groups, apps, service principals, roles), with modifiedProperties; the Graph / Sentinel projection of the same record.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`EventType`	eq	`UserLoggedIn`	1 rule	elastic
`m365::ExtendedProperties.RequestType`	eq	`OAuth2:Authorize`	1 rule	elastic
`m365::ExtendedProperties.ResultStatusDetail`	eq	`Redirect`	1 rule	elastic

Detection Rules #

View all rules referencing this event →

Elastic #

M365 Identity OAuth Flow by User Sign-in to Device Registration source high: Identifies attempts to register a new device in Microsoft Entra ID after OAuth authentication with authorization code grant. Adversaries may use OAuth phishing techniques to obtain an OAuth authorization code, which can then be exchanged for access and refresh tokens. This rule detects a sequence of events where a user principal authenticates via OAuth, followed by a device registration event, indicating potential misuse of the OAuth flow to establish persistence or access resources.↳ also matches UserLoggedIn

References #

Office 365 Management Activity API schema (AuditLogRecordType enum) https://learn.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema
Microsoft Purview audit log activities reference https://learn.microsoft.com/en-us/purview/audit-log-activities

Consent to application.

Equivalent operation in the other pipeline: Consent to application (Entra ID directory audit)

RecordType: M365-AzureActiveDirectory

Fields #

Name	Description
`RecordType`	AuditLogRecordType enum value (named string in Sentinel OfficeActivity; integer in the raw Management Activity API JSON).
`Operation`	The name of the user or admin activity. For Exchange admin activity this is the cmdlet name; for DLP it is DlpRuleMatch/DlpRuleUndo/DlpInfo. The per-event discriminator (event.action in Elastic ECS).
`Workload`	The Microsoft 365 service where the activity occurred (Exchange, SharePoint, AzureActiveDirectory, MicrosoftTeams, ...). Surfaces as event.provider in Elastic ECS.
`ResultStatus`	Whether the action succeeded: Succeeded, PartiallySucceeded, or Failed (True/False for Exchange admin). For STS-logon events this reflects only the HTTP operation, not logon success: check LogonError.
`UserId`	UPN of the user who performed the action; system-account and app@sharepoint values also appear.
`UserType`	Type of actor: Regular, Admin, System, DcAdmin, Application, ServicePrincipal.
`UserKey`	Alternative ID for the user (the PUID for SharePoint / OneDrive / Exchange events).
`ClientIP`	IPv4/IPv6 address of the device used; may be a trusted-app IP, and is null for Microsoft Entra ID events.
`ObjectId`	For SharePoint/OneDrive, the full path of the file/folder; for Exchange admin, the object modified by the cmdlet; shape is operation-specific.
`OrganizationId`	GUID of the tenant's Office 365 organization (constant per tenant).
`Id`	Unique identifier (GUID) for the audit record.
`CreationTime`	UTC date/time when the audit record was generated.
`Scope`	Source of the event: online (a Microsoft 365 service) or onprem (an on-premises service; currently SharePoint only).
`AppAccessContext`	Application context for the user or service principal that performed the action.
`AzureActiveDirectoryEventType`	The type of Microsoft Entra event (AccountLogon, AzureApplicationAuditEvent, ...).
`ExtendedProperties`	Extended properties of the Microsoft Entra event (name/value pairs).
`ModifiedProperties`	For admin events: the property modified, its new value, and its previous value.
`TargetResources`	Objects affected by the operation (users, groups, apps, service principals, roles), with modifiedProperties; the Graph / Sentinel projection of the same record.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`m365::ObjectId`	is_not_null		1 rule	elastic
`m365::Target.Type`	in	`0`	1 rule	elastic
`m365::Target.Type`	in	`10`	1 rule	elastic
`m365::Target.Type`	in	`2`	1 rule	elastic
`m365::Target.Type`	in	`3`	1 rule	elastic
`m365::UserId`	is_not_null		1 rule	elastic

Delete group.

RecordType: M365-AzureActiveDirectory

Description

A group was deleted in Azure Active Directory (the UAL operation string includes a trailing period).

Fields #

Name	Description
`RecordType`	AuditLogRecordType enum value (named string in Sentinel OfficeActivity; integer in the raw Management Activity API JSON).
`Operation`	The name of the user or admin activity. For Exchange admin activity this is the cmdlet name; for DLP it is DlpRuleMatch/DlpRuleUndo/DlpInfo. The per-event discriminator (event.action in Elastic ECS).
`Workload`	The Microsoft 365 service where the activity occurred (Exchange, SharePoint, AzureActiveDirectory, MicrosoftTeams, ...). Surfaces as event.provider in Elastic ECS.
`ResultStatus`	Whether the action succeeded: Succeeded, PartiallySucceeded, or Failed (True/False for Exchange admin). For STS-logon events this reflects only the HTTP operation, not logon success: check LogonError.
`UserId`	UPN of the user who performed the action; system-account and app@sharepoint values also appear.
`UserType`	Type of actor: Regular, Admin, System, DcAdmin, Application, ServicePrincipal.
`UserKey`	Alternative ID for the user (the PUID for SharePoint / OneDrive / Exchange events).
`ClientIP`	IPv4/IPv6 address of the device used; may be a trusted-app IP, and is null for Microsoft Entra ID events.
`ObjectId`	For SharePoint/OneDrive, the full path of the file/folder; for Exchange admin, the object modified by the cmdlet; shape is operation-specific.
`OrganizationId`	GUID of the tenant's Office 365 organization (constant per tenant).
`Id`	Unique identifier (GUID) for the audit record.
`CreationTime`	UTC date/time when the audit record was generated.
`Scope`	Source of the event: online (a Microsoft 365 service) or onprem (an on-premises service; currently SharePoint only).
`AppAccessContext`	Application context for the user or service principal that performed the action.
`AzureActiveDirectoryEventType`	The type of Microsoft Entra event (AccountLogon, AzureApplicationAuditEvent, ...).
`ExtendedProperties`	Extended properties of the Microsoft Entra event (name/value pairs).
`ModifiedProperties`	For admin events: the property modified, its new value, and its previous value.
`TargetResources`	Objects affected by the operation (users, groups, apps, service principals, roles), with modifiedProperties; the Graph / Sentinel projection of the same record.

Detection Rules #

View all rules referencing this event →

YARA-L #

Office 365 group deletion success source: Detects when a group is deleted.

References #

Office 365 Management Activity API schema (AuditLogRecordType enum) https://learn.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema
Microsoft Purview audit log activities reference https://learn.microsoft.com/en-us/purview/audit-log-activities

Remove member from group.

RecordType: M365-AzureActiveDirectory

Description

A principal was removed from a group in Azure Active Directory (the UAL operation string includes a trailing period).

Fields #

Name	Description
`RecordType`	AuditLogRecordType enum value (named string in Sentinel OfficeActivity; integer in the raw Management Activity API JSON).
`Operation`	The name of the user or admin activity. For Exchange admin activity this is the cmdlet name; for DLP it is DlpRuleMatch/DlpRuleUndo/DlpInfo. The per-event discriminator (event.action in Elastic ECS).
`Workload`	The Microsoft 365 service where the activity occurred (Exchange, SharePoint, AzureActiveDirectory, MicrosoftTeams, ...). Surfaces as event.provider in Elastic ECS.
`ResultStatus`	Whether the action succeeded: Succeeded, PartiallySucceeded, or Failed (True/False for Exchange admin). For STS-logon events this reflects only the HTTP operation, not logon success: check LogonError.
`UserId`	UPN of the user who performed the action; system-account and app@sharepoint values also appear.
`UserType`	Type of actor: Regular, Admin, System, DcAdmin, Application, ServicePrincipal.
`UserKey`	Alternative ID for the user (the PUID for SharePoint / OneDrive / Exchange events).
`ClientIP`	IPv4/IPv6 address of the device used; may be a trusted-app IP, and is null for Microsoft Entra ID events.
`ObjectId`	For SharePoint/OneDrive, the full path of the file/folder; for Exchange admin, the object modified by the cmdlet; shape is operation-specific.
`OrganizationId`	GUID of the tenant's Office 365 organization (constant per tenant).
`Id`	Unique identifier (GUID) for the audit record.
`CreationTime`	UTC date/time when the audit record was generated.
`Scope`	Source of the event: online (a Microsoft 365 service) or onprem (an on-premises service; currently SharePoint only).
`AppAccessContext`	Application context for the user or service principal that performed the action.
`AzureActiveDirectoryEventType`	The type of Microsoft Entra event (AccountLogon, AzureApplicationAuditEvent, ...).
`ExtendedProperties`	Extended properties of the Microsoft Entra event (name/value pairs).
`ModifiedProperties`	For admin events: the property modified, its new value, and its previous value.
`TargetResources`	Objects affected by the operation (users, groups, apps, service principals, roles), with modifiedProperties; the Graph / Sentinel projection of the same record.

Detection Rules #

View all rules referencing this event →

YARA-L #

Hunt for Office 365 group modification remove member success source: Detects when a user is removed from a group in Office 365.

References #

Office 365 Management Activity API schema (AuditLogRecordType enum) https://learn.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema
Microsoft Purview audit log activities reference https://learn.microsoft.com/en-us/purview/audit-log-activities

Set-MsolDomainFederationSettings

RecordType: M365-AzureActiveDirectory

Description

Federation settings for a domain were changed via the MSOnline module (a directory operation, not an Exchange cmdlet); abused to add a backdoor federation trust.

Fields #

Name	Description
`RecordType`	AuditLogRecordType enum value (named string in Sentinel OfficeActivity; integer in the raw Management Activity API JSON).
`Operation`	The name of the user or admin activity. For Exchange admin activity this is the cmdlet name; for DLP it is DlpRuleMatch/DlpRuleUndo/DlpInfo. The per-event discriminator (event.action in Elastic ECS).
`Workload`	The Microsoft 365 service where the activity occurred (Exchange, SharePoint, AzureActiveDirectory, MicrosoftTeams, ...). Surfaces as event.provider in Elastic ECS.
`ResultStatus`	Whether the action succeeded: Succeeded, PartiallySucceeded, or Failed (True/False for Exchange admin). For STS-logon events this reflects only the HTTP operation, not logon success: check LogonError.
`UserId`	UPN of the user who performed the action; system-account and app@sharepoint values also appear.
`UserType`	Type of actor: Regular, Admin, System, DcAdmin, Application, ServicePrincipal.
`UserKey`	Alternative ID for the user (the PUID for SharePoint / OneDrive / Exchange events).
`ClientIP`	IPv4/IPv6 address of the device used; may be a trusted-app IP, and is null for Microsoft Entra ID events.
`ObjectId`	For SharePoint/OneDrive, the full path of the file/folder; for Exchange admin, the object modified by the cmdlet; shape is operation-specific.
`OrganizationId`	GUID of the tenant's Office 365 organization (constant per tenant).
`Id`	Unique identifier (GUID) for the audit record.
`CreationTime`	UTC date/time when the audit record was generated.
`Scope`	Source of the event: online (a Microsoft 365 service) or onprem (an on-premises service; currently SharePoint only).
`AppAccessContext`	Application context for the user or service principal that performed the action.
`AzureActiveDirectoryEventType`	The type of Microsoft Entra event (AccountLogon, AzureApplicationAuditEvent, ...).
`ExtendedProperties`	Extended properties of the Microsoft Entra event (name/value pairs).
`ModifiedProperties`	For admin events: the property modified, its new value, and its previous value.
`TargetResources`	Objects affected by the operation (users, groups, apps, service principals, roles), with modifiedProperties; the Graph / Sentinel projection of the same record.

Detection Rules #

View all rules referencing this event →

Elastic #

M365 Exchange Federated Domain Created or Modified source low: Identifies a new or modified federation domain, which can be used to create a trust between O365 and an external identity provider.

References #

Office 365 Management Activity API schema (AuditLogRecordType enum) https://learn.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema
Microsoft Purview audit log activities reference https://learn.microsoft.com/en-us/purview/audit-log-activities

Update application.

RecordType: M365-AzureActiveDirectory

Description

An application registration was modified in Azure Active Directory (the UAL operation string includes a trailing period).

Fields #

Name	Description
`RecordType`	AuditLogRecordType enum value (named string in Sentinel OfficeActivity; integer in the raw Management Activity API JSON).
`Operation`	The name of the user or admin activity. For Exchange admin activity this is the cmdlet name; for DLP it is DlpRuleMatch/DlpRuleUndo/DlpInfo. The per-event discriminator (event.action in Elastic ECS).
`Workload`	The Microsoft 365 service where the activity occurred (Exchange, SharePoint, AzureActiveDirectory, MicrosoftTeams, ...). Surfaces as event.provider in Elastic ECS.
`ResultStatus`	Whether the action succeeded: Succeeded, PartiallySucceeded, or Failed (True/False for Exchange admin). For STS-logon events this reflects only the HTTP operation, not logon success: check LogonError.
`UserId`	UPN of the user who performed the action; system-account and app@sharepoint values also appear.
`UserType`	Type of actor: Regular, Admin, System, DcAdmin, Application, ServicePrincipal.
`UserKey`	Alternative ID for the user (the PUID for SharePoint / OneDrive / Exchange events).
`ClientIP`	IPv4/IPv6 address of the device used; may be a trusted-app IP, and is null for Microsoft Entra ID events.
`ObjectId`	For SharePoint/OneDrive, the full path of the file/folder; for Exchange admin, the object modified by the cmdlet; shape is operation-specific.
`OrganizationId`	GUID of the tenant's Office 365 organization (constant per tenant).
`Id`	Unique identifier (GUID) for the audit record.
`CreationTime`	UTC date/time when the audit record was generated.
`Scope`	Source of the event: online (a Microsoft 365 service) or onprem (an on-premises service; currently SharePoint only).
`AppAccessContext`	Application context for the user or service principal that performed the action.
`AzureActiveDirectoryEventType`	The type of Microsoft Entra event (AccountLogon, AzureApplicationAuditEvent, ...).
`ExtendedProperties`	Extended properties of the Microsoft Entra event (name/value pairs).
`ModifiedProperties`	For admin events: the property modified, its new value, and its previous value.
`TargetResources`	Objects affected by the operation (users, groups, apps, service principals, roles), with modifiedProperties; the Graph / Sentinel projection of the same record.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`security_result.action`	eq	`ALLOW`	4 rules	chronicle
`target.resource.attribute.labels.key`	regex_match	`NewValue_EntitlementId-`	3 rules	chronicle
`target.resource.attribute.labels.key`	regex_match	`OldValue_EntitlementId-`	3 rules	chronicle
`target.resource.product_object_id`	eq	`1b730954-1685-4b74-9bfd-dac224a7b894`	1 rule	chronicle

Detection Rules #

View all rules referencing this event →

YARA-L #

O365 Entra ID App Modify Permission Change On Watchlist source: Alerts when a permission on the watchlist is applied to an Entra ID application.
O365 Entra ID App Permissions Percent Threshold Exceeded source: Detects when an excessive number of permissions are assigned to an Entra ID application within a time window, potentially indicating a greedy permission grab, as a percentage from old permissions to new permissions
O365 Entra ID App Permissions Threshold Exceeded source: Detects when an excessive number of permissions are assigned to an Entra ID application within a time window, potentially indicating a greedy permission grab, as a numeric value comparing old permissions to new permissions

Show 1 more (4 total)

O365 AD PowerShell App Login Subsequent Activity source: Once a user authenticates to the Azure AD PowerShell application, if they take multiple admin actions indicative of establishing their own persistence with an Entra ID application within a portion of the access token time, alert for additional investigation↳ also matches Add application., UserLoggedIn

References #

Office 365 Management Activity API schema (AuditLogRecordType enum) https://learn.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema
Microsoft Purview audit log activities reference https://learn.microsoft.com/en-us/purview/audit-log-activities

UserLoggedIn

RecordType: M365-AzureActiveDirectory

Description

A user successfully signed in to an Azure Active Directory-integrated application or service.

Fields #

Name	Description
`RecordType`	AuditLogRecordType enum value (named string in Sentinel OfficeActivity; integer in the raw Management Activity API JSON).
`Operation`	The name of the user or admin activity. For Exchange admin activity this is the cmdlet name; for DLP it is DlpRuleMatch/DlpRuleUndo/DlpInfo. The per-event discriminator (event.action in Elastic ECS).
`Workload`	The Microsoft 365 service where the activity occurred (Exchange, SharePoint, AzureActiveDirectory, MicrosoftTeams, ...). Surfaces as event.provider in Elastic ECS.
`ResultStatus`	Whether the action succeeded: Succeeded, PartiallySucceeded, or Failed (True/False for Exchange admin). For STS-logon events this reflects only the HTTP operation, not logon success: check LogonError.
`UserId`	UPN of the user who performed the action; system-account and app@sharepoint values also appear.
`UserType`	Type of actor: Regular, Admin, System, DcAdmin, Application, ServicePrincipal.
`UserKey`	Alternative ID for the user (the PUID for SharePoint / OneDrive / Exchange events).
`ClientIP`	IPv4/IPv6 address of the device used; may be a trusted-app IP, and is null for Microsoft Entra ID events.
`ObjectId`	For SharePoint/OneDrive, the full path of the file/folder; for Exchange admin, the object modified by the cmdlet; shape is operation-specific.
`OrganizationId`	GUID of the tenant's Office 365 organization (constant per tenant).
`Id`	Unique identifier (GUID) for the audit record.
`CreationTime`	UTC date/time when the audit record was generated.
`Scope`	Source of the event: online (a Microsoft 365 service) or onprem (an on-premises service; currently SharePoint only).
`AppAccessContext`	Application context for the user or service principal that performed the action.
`AzureActiveDirectoryEventType`	The type of Microsoft Entra event (AccountLogon, AzureApplicationAuditEvent, ...).
`ExtendedProperties`	Extended properties of the Microsoft Entra event (name/value pairs).
`ModifiedProperties`	For admin events: the property modified, its new value, and its previous value.
`TargetResources`	Objects affected by the operation (users, groups, apps, service principals, roles), with modifiedProperties; the Graph / Sentinel projection of the same record.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`EventType`	eq	`UserLoggedIn`	6 rules	elastic
`security_result.action`	eq	`ALLOW`	6 rules	chronicle
`m365::UserId`	is_not_null		3 rules	elastic
`target.resource.product_object_id`	eq	`1b730954-1685-4b74-9bfd-dac224a7b894`	3 rules	chronicle
`Provider_Name`	eq	`AzureActiveDirectory`	2 rules	elastic
`m365::ApplicationId`	in	`00b41c95-dab0-4487-9791-b9d2c32c80f2`	2 rules	elastic
`m365::ApplicationId`	in	`04b07795-8ddb-461a-bbee-02f9e1bf7b46`	2 rules	elastic
`m365::ApplicationId`	in	`0ec893e0-5785-4de6-99da-4ed124e5296c`	2 rules	elastic
`m365::ApplicationId`	in	`1950a258-227b-4e31-a9cf-717495945fc2`	2 rules	elastic
`m365::ApplicationId`	in	`1fec8e78-bce4-4aaf-ab1b-5451cc387264`	2 rules	elastic
`m365::ApplicationId`	in	`22098786-6e16-43cc-a27d-191a01a1e3b5`	2 rules	elastic
`m365::ApplicationId`	in	`26a7ee05-5602-4d76-a7ba-eae8b7b67941`	2 rules	elastic
`m365::ApplicationId`	in	`27922004-5251-4030-b22d-91ecd9a37ea4`	2 rules	elastic
`m365::ApplicationId`	in	`2d7f3606-b07d-41d1-b9d2-0d0c9296a6e8`	2 rules	elastic
`m365::ApplicationId`	in	`4813382a-8fa7-425e-ab75-3b753aab3abb`	2 rules	elastic

Detection Rules #

View all rules referencing this event →

Sigma #

Azure Login Bypassing Conditional Access Policies source high: Detects a successful login to the Microsoft Intune Company Portal which could allow bypassing Conditional Access Policies and InTune device trust using a tool like TokenSmith.

Elastic #

M365 Identity OAuth Flow by First-Party Microsoft App from Multiple IPs source high: Identifies sign-ins on behalf of a principal user to the Microsoft Graph or legacy Azure AD API from multiple IPs using first-party Microsoft applications from the FOCI (Family of Client IDs) group. Developer tools like Azure CLI, VSCode, and Azure PowerShell accessing these resources from multiple IPs are flagged, along with any FOCI application accessing the deprecated Windows Azure Active Directory from multiple IPs. This behavior may indicate an adversary using a phished OAuth authorization code or refresh token, as seen in attacks like ConsentFix where attackers steal localhost OAuth codes and replay them from attacker infrastructure.
M365 Identity Login from Atypical Region source medium: Detects successful Microsoft 365 portal logins from a country and region the user has not previously authenticated from in a specific time window. Atypical regions are identified by combining the user's country and region geolocation history; an authentication from a new country/region pair for that user may indicate an adversary attempting to access the account from an unusual location or behind a VPN.
M365 Identity Login from Impossible Travel Location source medium: Detects successful Microsoft 365 portal logins from impossible travel locations. Impossible travel locations are defined as two different countries within a short time frame. This behavior may indicate an adversary attempting to access a Microsoft 365 account from a compromised account or a malicious actor attempting to access a Microsoft 365 account from a different location.

Show 3 more (6 total)

M365 Identity OAuth Phishing via First-Party Microsoft Application source medium: Detects potentially suspicious OAuth authorization activity in Microsoft 365 where first-party Microsoft applications from the FOCI (Family of Client IDs) group request access to Microsoft Graph or legacy Azure AD resources. Developer tools like Azure CLI, Visual Studio Code, and Azure PowerShell accessing these resources are flagged, as they are commonly abused in phishing campaigns like ConsentFix. Additionally, any FOCI family application accessing the deprecated Windows Azure Active Directory resource is flagged since this API is rarely used legitimately and attackers target it for stealth. First-party apps are trusted by default in all tenants and cannot be blocked, making them ideal for OAuth phishing attacks.
M365 Potential AiTM UserLoggedIn via Office App (Tycoon2FA) source high: Detects Microsoft 365 audit "UserLoggedIn" events consistent with Tycoon 2FA phishing-as-a-service (PhaaS) adversary-in-the-middle (AiTM) activity: the Microsoft Authentication Broker requesting access where the object identifier matches Microsoft Graph or Exchange Online, or the Office web client application authenticating to itself, combined with Node.js-style user agents (node, axios, undici). Tycoon 2FA bypasses MFA by relaying authentication and capturing session material, often targeting Microsoft 365 and Gmail. Baseline legitimate automation and developer tooling before tuning.
M365 Identity OAuth Flow by User Sign-in to Device Registration source high: Identifies attempts to register a new device in Microsoft Entra ID after OAuth authentication with authorization code grant. Adversaries may use OAuth phishing techniques to obtain an OAuth authorization code, which can then be exchanged for access and refresh tokens. This rule detects a sequence of events where a user principal authenticates via OAuth, followed by a device registration event, indicating potential misuse of the OAuth flow to establish persistence or access resources.↳ also matches Add registered users to device.

YARA-L #

O365 Admin Login Activity To Uncommon Microsoft Cloud Apps source: This rule detects O365 login activity to apps other than a defined list of first party MS Cloud Apps. Note that Azure Active Directory PowerShell and custom Azure apps are not in this list by default
O365 Login Activity To Azure AD PowerShell App source: Logins to Azure AD PowerShell app can have legitimate purposes, but are also abused to gain access to user information. Programmatic access to Entra ID (Azure AD) should generally be through apps, so reviewing these activities is needed.
O365 Login Activity To Uncommon Microsoft Cloud Apps source: This rule detects O365 login activity to apps other than a defined list of first party MS Cloud Apps. Note that Azure Active Directory PowerShell and custom Azure apps are not in this list by default

Show 3 more (6 total)

O365 Persistent Login Activity To Azure AD PowerShell App source: Continual logins to Azure AD PowerShell app are not a security best practice, if this is observed, additional investigation is needed
Hunt for suspicious sign-in to Entra ID Using Extrnal Call Method source: Detects authentication to O365 followed by a non-interactive sign-ins that aligns to suspicious activity.
O365 AD PowerShell App Login Subsequent Activity source: Once a user authenticates to the Azure AD PowerShell application, if they take multiple admin actions indicative of establishing their own persistence with an Entra ID application within a portion of the access token time, alert for additional investigation↳ also matches Add application., Update application.

References #

Office 365 Management Activity API schema (AuditLogRecordType enum) https://learn.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema
Microsoft Purview audit log activities reference https://learn.microsoft.com/en-us/purview/audit-log-activities

UserLoginFailed

RecordType: M365-AzureActiveDirectory

Description

A user sign-in attempt to an Azure Active Directory-integrated application failed (incorrect credentials, MFA denial, or Conditional Access block).

Fields #

Name	Description
`RecordType`	AuditLogRecordType enum value (named string in Sentinel OfficeActivity; integer in the raw Management Activity API JSON).
`Operation`	The name of the user or admin activity. For Exchange admin activity this is the cmdlet name; for DLP it is DlpRuleMatch/DlpRuleUndo/DlpInfo. The per-event discriminator (event.action in Elastic ECS).
`Workload`	The Microsoft 365 service where the activity occurred (Exchange, SharePoint, AzureActiveDirectory, MicrosoftTeams, ...). Surfaces as event.provider in Elastic ECS.
`ResultStatus`	Whether the action succeeded: Succeeded, PartiallySucceeded, or Failed (True/False for Exchange admin). For STS-logon events this reflects only the HTTP operation, not logon success: check LogonError.
`UserId`	UPN of the user who performed the action; system-account and app@sharepoint values also appear.
`UserType`	Type of actor: Regular, Admin, System, DcAdmin, Application, ServicePrincipal.
`UserKey`	Alternative ID for the user (the PUID for SharePoint / OneDrive / Exchange events).
`ClientIP`	IPv4/IPv6 address of the device used; may be a trusted-app IP, and is null for Microsoft Entra ID events.
`ObjectId`	For SharePoint/OneDrive, the full path of the file/folder; for Exchange admin, the object modified by the cmdlet; shape is operation-specific.
`OrganizationId`	GUID of the tenant's Office 365 organization (constant per tenant).
`Id`	Unique identifier (GUID) for the audit record.
`CreationTime`	UTC date/time when the audit record was generated.
`Scope`	Source of the event: online (a Microsoft 365 service) or onprem (an on-premises service; currently SharePoint only).
`AppAccessContext`	Application context for the user or service principal that performed the action.
`AzureActiveDirectoryEventType`	The type of Microsoft Entra event (AccountLogon, AzureApplicationAuditEvent, ...).
`ExtendedProperties`	Extended properties of the Microsoft Entra event (name/value pairs).
`ModifiedProperties`	For admin events: the property modified, its new value, and its previous value.
`TargetResources`	Objects affected by the operation (users, groups, apps, service principals, roles), with modifiedProperties; the Graph / Sentinel projection of the same record.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`EventType`	in	`PasswordLogonInitialAuthUsingPassword`	2 rules	elastic
`EventType`	in	`UserLoginFailed`	2 rules	elastic
`Provider_Name`	in	`AzureActiveDirectory`	2 rules	elastic
`Provider_Name`	in	`Exchange`	2 rules	elastic
`m365::Target.Type`	in	`0`	2 rules	elastic
`m365::Target.Type`	in	`10`	2 rules	elastic
`m365::Target.Type`	in	`2`	2 rules	elastic
`m365::Target.Type`	in	`6`	2 rules	elastic
`Esql.brute_force_type`	ne	`other`	1 rule	elastic
`Esql.event_count`	ge	`10`	1 rule	elastic
`source.as.organization.name`	ne	`MICROSOFT-CORP-MSN-as-BLOCK`	1 rule	elastic

Detection Rules #

View all rules referencing this event →

Elastic #

M365 Identity User Brute Force Attempted source medium: Identifies brute-force authentication activity targeting Microsoft 365 user accounts using failed sign-in patterns that match password spraying, credential stuffing, or password guessing behavior. Adversaries may attempt brute-force authentication with credentials obtained from previous breaches, leaks, marketplaces or guessable passwords.
M365 Identity User Account Lockouts source medium: Detects a burst of Microsoft 365 user account lockouts within a short 5-minute window. A high number of IdsLocked login errors across multiple user accounts may indicate brute-force attempts for the same users resulting in lockouts.

References #

Office 365 Management Activity API schema (AuditLogRecordType enum) https://learn.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema
Microsoft Purview audit log activities reference https://learn.microsoft.com/en-us/purview/audit-log-activities

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)