Microsoft-Windows-COMRuntime

35 events across 4 channels

Event	Title	Channel	Sample
1	CliModalLoopDelay	Tracing	N
2	ComCallDelay	Tracing	Y
3	DropKeyboardMessage	MessageProcessing	N
4	DropMouseMessage	MessageProcessing	N
5	DropQueueSyncMessage	MessageProcessing	N
6	DropPointerMessage	MessageProcessing	N
7	PrematureStubRundown	Tracing	N
18205	DCOM server attempted to listen on an invalid endpoint.	Operational	N
18207	The machine wide limit settings do not grant param1 param2 permission for the …	Operational	N
18208	The param1 permission settings do not grant param2 param3 permission for the COM …	Operational	N
18209	The param1 permission settings do not grant param2 access permission to the COM …	Operational	N
18210	The application-specific permission settings do not grant param1 access …	Operational	N
18211	The machine wide limit settings do not grant param1 access permission to the COM …	Operational	N
18212	The machine wide param1 param2 security descriptor is invalid.	Operational	N
18213	The launch and activation security descriptor for the COM Server application …	Operational	N
18214	The param1 access security descriptor for the COM Server application param2 with …	Operational	N
18215	The application-specific access security descriptor for the COM Server …	Operational	N
18216	The machine wide group policy param1 Limits security descriptor is invalid.	Operational	N
18219	The machine wide limit settings do not grant param1 param2 permission for COM …	Operational	N
18220	OLE (Object Linking and Embedding) in the application "param1" was trying to …	Operational	N
18221	The attempt to connect to the RPCSS service was denied access for the COM Server …	Operational	N
32769	task_032769	Activations	Y
3221243677	DCOM server attempted to listen on an invalid endpoint.	Operational	N
3221243679	The machine wide limit settings do not grant {param1} {param2} permission for …	Operational	N
3221243680	The {param1} permission settings do not grant {param2} {param3} permission for …	Operational	N
3221243681	The {param1} permission settings do not grant {param2} access permission to the …	Operational	N
3221243682	The application-specific permission settings do not grant {param1} access …	Operational	N
3221243683	The machine wide limit settings do not grant {param1} access permission to the …	Operational	N
3221243684	The machine wide {param1} {param2} security descriptor is invalid.	Operational	N
3221243685	The launch and activation security descriptor for the COM Server application …	Operational	N
3221243686	The {param1} access security descriptor for the COM Server application {param2} …	Operational	N
3221243687	The application-specific access security descriptor for the COM Server …	Operational	N
3221243688	The machine wide group policy {param1} Limits security descriptor is invalid.	Operational	N
3221243691	The machine wide limit settings do not grant {param1} {param2} permission for …	Operational	N
3221243692	OLE (Object Linking and Embedding) in the application "param1" was trying to …	Operational	N

Event ID 1: CliModalLoopDelay

Provider: Microsoft-Windows-COMRuntime
Channel: Tracing
Task: CliModalLoopDelay

Fields #

Name	Description
`Flags` UInt32
`BlockTimeMs` UInt32
`TotalTimeMs` UInt32

Event ID 2: ComCallDelay

Provider: Microsoft-Windows-COMRuntime
Channel: Tracing
Also via: realtime ETW trace
Level: Informational
Task: ComCallDelay
Opcode: win:Info

Fields #

Name	Description
`Flags` UInt32
`CallTimeMs` UInt32
`CallResult` UInt32
`TargetThreadId` UInt32	Thread ID in the target process.
`TargetProcessId` UInt32	Process ID of the target process.
`TargetMethod` UInt32
`TargetInterface` GUID

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-COMRuntime",
    "guid": "{BF406804-6AFA-46E7-8A48-6C357E1D6D61}",
    "event_source_name": "",
    "event_id": 2,
    "version": 0,
    "level": 4,
    "task": 2,
    "opcode": 0,
    "keywords": "0x4000000000000002",
    "time_created": "2026-06-02T05:14:54.111+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{431EA5F1-C4C9-4A44-A885-A4F9F25D7908}"
    },
    "execution": {
      "process_id": 4304,
      "thread_id": 17928
    },
    "channel": "ETW Trace",
    "computer": "JD-DC01-2022",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "CallResult": 0,
    "CallTimeMs": 2985,
    "Flags": 0,
    "TargetInterface": "{A5EBA07A-DAE8-4D15-B12F-728EFD8A9866}",
    "TargetMethod": 3,
    "TargetProcessId": 20648,
    "TargetThreadId": 0
  },
  "message": "ComCallDelay"
}

Event ID 3: DropKeyboardMessage

Provider: Microsoft-Windows-COMRuntime
Channel: MessageProcessing
Task: DropKeyboardMessage

Fields #

Name	Description
`ApartmentType` UInt32

Event ID 4: DropMouseMessage

Provider: Microsoft-Windows-COMRuntime
Channel: MessageProcessing
Task: DropMouseMessage

Fields #

Name	Description
`ApartmentType` UInt32

Event ID 5: DropQueueSyncMessage

Provider: Microsoft-Windows-COMRuntime
Channel: MessageProcessing
Task: DropQueueSyncMessage

Fields #

Name	Description
`ApartmentType` UInt32

Event ID 6: DropPointerMessage

Provider: Microsoft-Windows-COMRuntime
Channel: MessageProcessing
Task: DropPointerMessage

Fields #

Name	Description
`ApartmentType` UInt32
`Message` UInt32

Event ID 7: PrematureStubRundown

Provider: Microsoft-Windows-COMRuntime
Channel: Tracing
Task: PrematureStubRundown

Fields #

Name	Description
`IID` GUID
`Method` UInt32
`IPID` GUID
`CallType` UInt32

Event ID 18205: DCOM server attempted to listen on an invalid endpoint.

Provider: Microsoft-Windows-COMRuntime
Channel: Operational
Opcode: Info

Description

DCOM server attempted to listen on an invalid endpoint. Protocol Sequence: ProtocolSequence Endpoint: Endpoint Flags: Flags.

Message #

DCOM server attempted to listen on an invalid endpoint. Protocol Sequence: %1 Endpoint: %2 Flags: %3

Fields #

Name	Description
`param1` UnicodeString
`param2` UnicodeString
`param3` UnicodeString

Event ID 18207: The machine wide limit settings do not grant param1 param2 permission for the COM Server application with CLSID.

Provider: Microsoft-Windows-COMRuntime
Channel: Operational
Opcode: Info

Description

The machine wide limit settings do not grant param1 param2 permission for the COM Server application with CLSID.

Message #

The machine wide limit settings do not grant %1 %2 permission for the COM Server application with CLSID 
%3
 and APPID 
%4
 to the user %5\%6 SID (%7) from address %8 running in the application container %9 SID (%10). This security permission can be modified using the Component Services administrative tool.

Fields #

Name	Description
`param1` UnicodeString
`param2` UnicodeString
`param3` UnicodeString
`param4` UnicodeString
`param5` UnicodeString
`param6` UnicodeString
`param7` UnicodeString
`param8` UnicodeString
`param9` UnicodeString
`param10` UnicodeString

Event ID 18208: The param1 permission settings do not grant param2 param3 permission for the COM Server application with CLSID.

Provider: Microsoft-Windows-COMRuntime
Channel: Operational
Opcode: Info

Description

The param1 permission settings do not grant param2 param3 permission for the COM Server application with CLSID.

Message #

The %1 permission settings do not grant %2 %3 permission for the COM Server application with CLSID 
%4
 and APPID 
%5
 to the user %6\%7 SID (%8) from address %9 running in the application container %10 SID (%11). This security permission can be modified using the Component Services administrative tool.

Fields #

Name	Description
`param1` UnicodeString
`param2` UnicodeString
`param3` UnicodeString
`param4` UnicodeString
`param5` UnicodeString
`param6` UnicodeString
`param7` UnicodeString
`param8` UnicodeString
`param9` UnicodeString
`param10` UnicodeString
`param11` UnicodeString

Event ID 18209: The param1 permission settings do not grant param2 access permission to the COM Server application param3 with APPID.

Provider: Microsoft-Windows-COMRuntime
Channel: Operational
Opcode: Info

Description

The param1 permission settings do not grant param2 access permission to the COM Server application param3 with APPID.

Message #

The %1 permission settings do not grant %2 access permission to the COM Server application %3 with APPID 
%4
 to the user %5\%6 SID (%7) from address %8 running in the application container %9 SID (%10). This security permission can be modified using the Component Services administrative tool.

Fields #

Name	Description
`param1` UnicodeString
`param2` UnicodeString
`param3` UnicodeString
`param4` UnicodeString
`param5` UnicodeString
`param6` UnicodeString
`param7` UnicodeString
`param8` UnicodeString
`param9` UnicodeString
`param10` UnicodeString

Event ID 18210: The application-specific permission settings do not grant param1 access permission to the COM Server application param2 with APPID.

Provider: Microsoft-Windows-COMRuntime
Channel: Operational
Opcode: Info

Description

The application-specific permission settings do not grant param1 access permission to the COM Server application param2 with APPID.

Message #

The application-specific permission settings do not grant %1 access permission to the COM Server application %2 with APPID 
%3
 to the user %4\%5 SID (%6) from address %7 running in the application container %8 SID (%9). The application set this security permission programmatically; to modify this security permission contact the application vendor.

Fields #

Name	Description
`param1` UnicodeString
`param2` UnicodeString
`param3` UnicodeString
`param4` UnicodeString
`param5` UnicodeString
`param6` UnicodeString
`param7` UnicodeString
`param8` UnicodeString
`param9` UnicodeString

References #

Microsoft Learn https://learn.microsoft.com/en-us/previous-versions/troubleshoot/windows-server/events-18210-3041-and-1-hyper-v-replica

Event ID 18211: The machine wide limit settings do not grant param1 access permission to the COM Server application param2 with APPID.

Provider: Microsoft-Windows-COMRuntime
Channel: Operational
Opcode: Info

Description

The machine wide limit settings do not grant param1 access permission to the COM Server application param2 with APPID.

Message #

The machine wide limit settings do not grant %1 access permission to the COM Server application %2 with APPID 
%3
 to the user %4\%5 SID (%6) from address %7 running in the application container %8 SID (%9). This security permission can be modified using the Component Services administrative tool.

Fields #

Name	Description
`param1` UnicodeString
`param2` UnicodeString
`param3` UnicodeString
`param4` UnicodeString
`param5` UnicodeString
`param6` UnicodeString
`param7` UnicodeString
`param8` UnicodeString
`param9` UnicodeString

Event ID 18212: The machine wide param1 param2 security descriptor is invalid.

Provider: Microsoft-Windows-COMRuntime
Channel: Operational
Opcode: Info

Description

The machine wide param1 param2 security descriptor is invalid. It contains Access Control Entries with permissions that are invalid. The requested action was therefore not performed. This security permission can be corrected using the Component Services administrative tool.

Message #

The machine wide %1 %2 security descriptor is invalid. It contains Access Control Entries with permissions that are invalid. The requested action was therefore not performed. This security permission can be corrected using the Component Services administrative tool.

Fields #

Name	Description
`param1` UnicodeString
`param2` UnicodeString

Event ID 18213: The launch and activation security descriptor for the COM Server application with APPID.

Provider: Microsoft-Windows-COMRuntime
Channel: Operational
Opcode: Info

Description

The launch and activation security descriptor for the COM Server application with APPID.

Message #

The launch and activation security descriptor for the COM Server application with APPID 
%1
 is invalid. It contains Access Control Entries with permissions that are invalid. The requested action was therefore not performed. This security permission can be corrected using the Component Services administrative tool.

Fields #

Name	Description
`param1` UnicodeString

Event ID 18214: The param1 access security descriptor for the COM Server application param2 with APPID.

Provider: Microsoft-Windows-COMRuntime
Channel: Operational
Opcode: Info

Description

The param1 access security descriptor for the COM Server application param2 with APPID.

Message #

The %1 access security descriptor for the COM Server application %2 with APPID 
%3
 is invalid. It contains Access Control Entries with permissions that are invalid. The requested action was therefore not performed. This security permission can be corrected using the Component Services administrative tool.

Fields #

Name	Description
`param1` UnicodeString
`param2` UnicodeString
`param3` UnicodeString

Event ID 18215: The application-specific access security descriptor for the COM Server application param1 with APPID.

Provider: Microsoft-Windows-COMRuntime
Channel: Operational
Opcode: Info

Description

The application-specific access security descriptor for the COM Server application param1 with APPID.

Message #

The application-specific access security descriptor for the COM Server application %1 with APPID 
%2
 is invalid. It contains Access Control Entries with permissions that are invalid. The requested action was therefore not performed.  The application set this security permission programmatically; to modify this security permission contact the application vendor.

Fields #

Name	Description
`param1` UnicodeString
`param2` UnicodeString

Event ID 18216: The machine wide group policy param1 Limits security descriptor is invalid.

Provider: Microsoft-Windows-COMRuntime
Channel: Operational
Opcode: Info

Description

The machine wide group policy param1 Limits security descriptor is invalid. The security descriptor is defined as an invalid Security Descriptor Definitions Language (SDDL) string. The requested action was therefore not performed. Please contact your administrator to get the security descriptor corrected in the Group Policy settings.

Message #

The machine wide group policy %1 Limits security descriptor is invalid. The security descriptor is defined as an invalid Security Descriptor Definitions Language (SDDL) string. The requested action was therefore not performed. Please contact your administrator to get the security descriptor corrected in the Group Policy settings.

Fields #

Name	Description
`param1` UnicodeString

Event ID 18219: The machine wide limit settings do not grant param1 param2 permission for COM Server applications to the user param3\param4 SID (param5) from address param6 running in the...

Provider: Microsoft-Windows-COMRuntime
Channel: Operational
Opcode: Info

Description

The machine wide limit settings do not grant param1 param2 permission for COM Server applications to the user param3\param4 SID (param5) from address param6 running in the application container param7 SID (param8). This security permission can be modified using the Component Services administrative tool.

Message #

The machine wide limit settings do not grant %1 %2 permission for COM Server applications to the user %3\%4 SID (%5) from address %6 running in the application container %7 SID (%8). This security permission can be modified using the Component Services administrative tool.

Fields #

Name	Description
`param1` UnicodeString
`param2` UnicodeString
`param3` UnicodeString
`param4` UnicodeString
`param5` UnicodeString
`param6` UnicodeString
`param7` UnicodeString
`param8` UnicodeString

Event ID 18220: OLE (Object Linking and Embedding) in the application "param1" was trying to convert embedded content in a document; however, OLE no longer supports the presentation format for the embedded content

Provider: Microsoft-Windows-COMRuntime
Channel: Operational

Fields #

Name	Description
`param1` UnicodeString

Event ID 18221: The attempt to connect to the RPCSS service was denied access for the COM Server application param1 to the user param2\param3 SID (param4) running in the applicati...

Provider: Microsoft-Windows-COMRuntime
Channel: Operational

Description

The attempt to connect to the RPCSS service was denied access for the COM Server application param1 to the user param2\param3 SID (param4) running in the application container param5 SID (param6). The most likely cause is that the machine wide Access Limits do not grant the user or application local access permissions. The Access Limits can be modified using the Component Services administrative tool.

Message #

The attempt to connect to the RPCSS service was denied access for the COM Server application %1 to the user %2\%3 SID (%4) running in the application container %5 SID (%6). The most likely cause is that the machine wide Access Limits do not grant the user or application local access permissions. The Access Limits can be modified using the Component Services administrative tool.

Fields #

Name	Description
`param1` UnicodeString
`param2` UnicodeString
`param3` UnicodeString
`param4` UnicodeString
`param5` UnicodeString
`param6` UnicodeString

Event ID 32769: task_032769

Provider: Microsoft-Windows-COMRuntime
Channel: Activations
Also via: realtime ETW trace
Level: Informational
Opcode: win:Info

Fields #

Name	Description
`param1` UnicodeString
`param2` UnicodeString
`param3` UnicodeString

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-COMRuntime",
    "guid": "{BF406804-6AFA-46E7-8A48-6C357E1D6D61}",
    "event_source_name": "",
    "event_id": 32769,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": "0x2000000000000000",
    "time_created": "2026-06-02T05:15:00.216+00:00",
    "event_record_id": 0,
    "correlation": {},
    "execution": {
      "process_id": 21100,
      "thread_id": 18468
    },
    "channel": "ETW Trace",
    "computer": "JD-DC01-2022",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "param1": "Undefined",
    "param2": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    "param3": "Windows.Internal.StateRepository.FileTypeAssociation"
  },
  "message": ""
}

Event ID 3221243677: DCOM server attempted to listen on an invalid endpoint.

Provider: Microsoft-Windows-COMRuntime
Channel: Operational

Description

DCOM server attempted to listen on an invalid endpoint. Protocol Sequence: {param1} Endpoint: {param2} Flags: {param3}.

Message #

DCOM server attempted to listen on an invalid endpoint. Protocol Sequence:  {param1} Endpoint: {param2} Flags:    {param3}

Fields #

Name	Description
`param1`
`param2`
`param3`

Event ID 3221243679: The machine wide limit settings do not grant {param1} {param2} permission for the COM Server application with CLSID {param3} and APPID {param4} to ...

Provider: Microsoft-Windows-COMRuntime
Channel: Operational

Message #

The machine wide limit settings do not grant {param1} {param2} permission for the COM Server application with CLSID {param3} and APPID {param4} to the user {param5}\{param6} SID ({param7}) from address %8. This security permission can be modified using the Component Services administrative tool.

Fields #

Name	Description
`param1`
`param2`
`param3`
`param4`
`param5`
`param6`
`param7`

Event ID 3221243680: The {param1} permission settings do not grant {param2} {param3} permission for the COM Server application with CLSID {param4} and APPID {param5} to...

Provider: Microsoft-Windows-COMRuntime
Channel: Operational

Message #

The {param1} permission settings do not grant {param2} {param3} permission for the COM Server application with CLSID {param4} and APPID {param5} to the user {param6}\{param7} SID ({param8}) from address %9. This security permission can be modified using the Component Services administrative tool.

Fields #

Name	Description
`param1`
`param2`
`param3`
`param4`
`param5`
`param6`
`param7`
`param8`

Event ID 3221243681: The {param1} permission settings do not grant {param2} access permission to the COM Server application {param3} with APPID {param4} to the user {pa...

Provider: Microsoft-Windows-COMRuntime
Channel: Operational

Message #

The {param1} permission settings do not grant {param2} access permission to the COM Server application {param3} with APPID {param4} to the user {param5}\{param6} SID ({param7}) from address {param8}. This security permission can be modified using the Component Services administrative tool.

Fields #

Name	Description
`param1`
`param2`
`param3`
`param4`
`param5`
`param6`
`param7`
`param8`

Event ID 3221243682: The application-specific permission settings do not grant {param1} access permission to the COM Server application {param2} with APPID {param3} to ...

Provider: Microsoft-Windows-COMRuntime
Channel: Operational

Message #

The application-specific permission settings do not grant {param1} access permission to the COM Server application {param2} with APPID {param3} to the user {param4}\{param5} SID ({param6}) from address {param7}. The application set this security permission programmatically; to modify this security permission contact the application vendor.

Fields #

Name	Description
`param1`
`param2`
`param3`
`param4`
`param5`
`param6`
`param7`

Event ID 3221243683: The machine wide limit settings do not grant {param1} access permission to the COM Server application {param2} with APPID {param3} to the user {par...

Provider: Microsoft-Windows-COMRuntime
Channel: Operational

Message #

The machine wide limit settings do not grant {param1} access permission to the COM Server application {param2} with APPID {param3} to the user {param4}\{param5} SID ({param6}) from address {param7}. This security permission can be modified using the Component Services administrative tool.

Fields #

Name	Description
`param1`
`param2`
`param3`
`param4`
`param5`
`param6`
`param7`

Event ID 3221243684: The machine wide {param1} {param2} security descriptor is invalid.

Provider: Microsoft-Windows-COMRuntime
Channel: Operational

Message #

The machine wide {param1} {param2} security descriptor is invalid. It contains Access Control Entries with permissions that are invalid. The requested action was therefore not performed. This security permission can be corrected using the Component Services administrative tool.

Fields #

Name	Description
`param1`
`param2`

Event ID 3221243685: The launch and activation security descriptor for the COM Server application with APPID {param1} is invalid.

Provider: Microsoft-Windows-COMRuntime
Channel: Operational

Message #

The launch and activation security descriptor for the COM Server application with APPID {param1} is invalid. It contains Access Control Entries with permissions that are invalid. The requested action was therefore not performed. This security permission can be corrected using the Component Services administrative tool.

Fields #

Name	Description
`param1`

Event ID 3221243686: The {param1} access security descriptor for the COM Server application {param2} with APPID {param3} is invalid.

Provider: Microsoft-Windows-COMRuntime
Channel: Operational

Message #

The {param1} access security descriptor for the COM Server application {param2} with APPID {param3} is invalid. It contains Access Control Entries with permissions that are invalid. The requested action was therefore not performed. This security permission can be corrected using the Component Services administrative tool.

Fields #

Name	Description
`param1`
`param2`
`param3`

Event ID 3221243687: The application-specific access security descriptor for the COM Server application {param1} with APPID {param2} is invalid.

Provider: Microsoft-Windows-COMRuntime
Channel: Operational

Message #

The application-specific access security descriptor for the COM Server application {param1} with APPID {param2} is invalid. It contains Access Control Entries with permissions that are invalid. The requested action was therefore not performed.  The application set this security permission programmatically; to modify this security permission contact the application vendor.

Fields #

Name	Description
`param1`
`param2`

Event ID 3221243688: The machine wide group policy {param1} Limits security descriptor is invalid.

Provider: Microsoft-Windows-COMRuntime
Channel: Operational

Message #

The machine wide group policy {param1} Limits security descriptor is invalid. The security descriptor is defined as an invalid Security Descriptor Definitions Language (SDDL) string. The requested action was therefore not performed. Please contact your administrator to get the security descriptor corrected in the Group Policy settings.

Fields #

Name	Description
`param1`

Event ID 3221243691: The machine wide limit settings do not grant {param1} {param2} permission for COM Server applications to the user {param3}\{param4} SID ({param5}) ...

Provider: Microsoft-Windows-COMRuntime
Channel: Operational

Message #

The machine wide limit settings do not grant {param1} {param2} permission for COM Server applications to the user {param3}\{param4} SID ({param5}) from address {param6}. This security permission can be modified using the Component Services administrative tool.

Fields #

Name	Description
`param1`
`param2`
`param3`
`param4`
`param5`
`param6`

Event ID 3221243692: OLE (Object Linking and Embedding) in the application "param1" was trying to convert embedded content in a document; however, OLE no longer supports th...

Provider: Microsoft-Windows-COMRuntime
Channel: Operational

Description

OLE (Object Linking and Embedding) in the application "param1" was trying to convert embedded content in a document; however, OLE no longer supports the presentation format for the embedded content. Newer versions of this application may support this presentation format natively.

Message #

OLE (Object Linking and Embedding) in the application "%1" was trying to convert embedded content in a document; however, OLE no longer supports the presentation format for the embedded content.  Newer versions of this application may support this presentation format natively.

Fields #

Name	Description
`param1` UnicodeString

Provenance

Where this provider's schema came from, and which Windows build it was observed on. Windows can change a provider's event schema between builds, so use this to judge whether it matches the build you collect from.

ETW provider GUID {BF406804-6AFA-46E7-8A48-6C357E1D6D61}

Defined in combase.dll, which carries the event manifest.

Observed on:

WS2022-20348.4893, sample captured from a live trace, binary version 10.0.20348.2849, captured 2026-06-02
WS2022-20348.4893, schema read from the registered manifest, binary version 10.0.20348.2849, captured 2026-06-02
Win11-26200.6584, schema read from the registered manifest, binary version 10.0.26100.1, captured 2026-06-02

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)

Microsoft-Windows-COMRuntime

Event ID 1: CliModalLoopDelay

Fields #

Event ID 2: ComCallDelay

Fields #

Example Event #

Event ID 3: DropKeyboardMessage

Fields #

Event ID 4: DropMouseMessage

Fields #

Event ID 5: DropQueueSyncMessage

Fields #

Event ID 6: DropPointerMessage

Fields #

Event ID 7: PrematureStubRundown

Fields #

Event ID 18205: DCOM server attempted to listen on an invalid endpoint.

Description

Message #

Fields #

Event ID 18207: The machine wide limit settings do not grant param1 param2 permission for the COM Server application with CLSID.

Description

Message #

Fields #

Event ID 18208: The param1 permission settings do not grant param2 param3 permission for the COM Server application with CLSID.

Description

Message #

Fields #

Related Events #

Event ID 18209: The param1 permission settings do not grant param2 access permission to the COM Server application param3 with APPID.

Description

Message #

Fields #

Event ID 18210: The application-specific permission settings do not grant param1 access permission to the COM Server application param2 with APPID.

Description

Message #

Fields #

References #

Event ID 18211: The machine wide limit settings do not grant param1 access permission to the COM Server application param2 with APPID.

Description

Message #

Fields #

Event ID 18212: The machine wide param1 param2 security descriptor is invalid.

Description

Message #

Fields #

Event ID 18213: The launch and activation security descriptor for the COM Server application with APPID.

Description

Message #

Fields #

Event ID 18214: The param1 access security descriptor for the COM Server application param2 with APPID.

Description

Message #

Fields #

Event ID 18215: The application-specific access security descriptor for the COM Server application param1 with APPID.

Description

Message #

Fields #

Event ID 18216: The machine wide group policy param1 Limits security descriptor is invalid.

Description

Message #

Fields #

Event ID 18219: The machine wide limit settings do not grant param1 param2 permission for COM Server applications to the user param3\param4 SID (param5) from address param6 running in the...

Description

Message #

Fields #

Related Events #

Event ID 18220: OLE (Object Linking and Embedding) in the application "param1" was trying to convert embedded content in a document; however, OLE no longer supports the presentation format for the embedded content

Fields #

Event ID 18221: The attempt to connect to the RPCSS service was denied access for the COM Server application param1 to the user param2\param3 SID (param4) running in the applicati...

Description

Message #

Fields #

Event ID 32769: task_032769

Fields #

Example Event #

Event ID 3221243677: DCOM server attempted to listen on an invalid endpoint.

Description

Message #

Fields #