Microsoft-Windows-MSDTC Client 2

38 events across 2 channels

Event	Title	Channel	Sample
4097	Failed to clean up the default DTC cluster resource setting	Operational	N
4098	Contact = param1 was deleted successfully	Operational	N
4099	Failed to create DTC cluster resource	Operational	N
4100	Attempt to find the drive letter or Volume Guid corresponding to the cluster …	Operational	N
4101	Attempting to change the DTC cluster resource's log file path to param1 has …	Operational	N
4102	Application specified a cluster resource ID: param1, but no DTC cluster resource …	Operational	N
4103	Service: param1 is still running	Operational	N
4104	Failed trying to get the state of the cluster node:	Application	Y
4104	Failed trying to get the state of the cluster node:	Operational	N
4350	Cluster API call failed with error code:	Application	Y
4350	Cluster API call failed with error code:	Operational	Y
4872	A caller has attempted to register an XA resource while XA transactions are …	Operational	N
4873	An XA transaction manager has attempted to open the MSDTC XA resource while XA …	Operational	N
4874	A caller has attempted to propagate a transaction to a remote system, but MSDTC …	Operational	N
4875	A caller has attempted to import a transaction from a remote system, but MSDTC …	Operational	N
4876	A caller has attempted to export a transaction to a remote system, but MSDTC is …	Operational	N
4878	MSDTC encountered an error (HR=0xparam1) while attempting to authenticate an …	Operational	N
4879	MSDTC encountered an error (HR=0xparam1) while attempting to establish a secure …	Application	Y
4879	MSDTC encountered an error (HR=0xparam1) while attempting to establish a secure …	Operational	Y
4881	A caller has attempted to connect to a remote MSDTC on machine 'param1'	Operational	N
1073745921	Failed to clean up the default DTC cluster resource setting.	Operational	N
1073745922	Contact = param1 was deleted successfully.	Operational	N
1073745923	Failed to create DTC cluster resource.	Operational	N
1073745924	Attempt to find the drive letter or Volume Guid corresponding to the cluster …	Operational	N
1073745925	Attempting to change the DTC cluster resource's log file path to param1 has …	Operational	N
1073745926	Application specified a cluster resource ID: param1, but no DTC cluster resource …	Operational	N
1073745927	Service: Service is still running.	Operational	N
1073745928	Failed trying to get the state of the cluster node: param1.	Operational	N
1073746174	Cluster API call failed with error code: param1.	Operational	Y
1073746185	Cluster API call failed with error code: {param1}.	Operational	N
2147488520	A caller has attempted to register an XA resource while XA transactions are …	Operational	N
2147488521	An XA transaction manager has attempted to open the MSDTC XA resource while XA …	Operational	N
2147488522	A caller has attempted to propagate a transaction to a remote system, but MSDTC …	Operational	N
2147488523	A caller has attempted to import a transaction from a remote system, but MSDTC …	Operational	N
2147488524	A caller has attempted to export a transaction to a remote system, but MSDTC is …	Operational	N
2147488526	MSDTC encountered an error (HR=0xparam1) while attempting to authenticate an …	Operational	N
2147488527	MSDTC encountered an error (HR=0xparam1) while attempting to establish a secure …	Operational	Y
2147488529	A caller has attempted to connect to a remote MSDTC on machine 'param1'.	Operational	N

Event ID 4097: Failed to clean up the default DTC cluster resource setting

Provider: Microsoft-Windows-MSDTC Client 2
Channel: Operational

Fields #

Name	Description
`param1` UnicodeString

Event ID 4098: Contact = param1 was deleted successfully

Provider: Microsoft-Windows-MSDTC Client 2
Channel: Operational

Fields #

Name	Description
`param1` UnicodeString
`param2` UnicodeString
`param3` UnicodeString

Event ID 4099: Failed to create DTC cluster resource

Provider: Microsoft-Windows-MSDTC Client 2
Channel: Operational

Fields #

Name	Description
`param1` UnicodeString
`param2` UnicodeString

Event ID 4100: Attempt to find the drive letter or Volume Guid corresponding to the cluster DTC's dependent disk resource has failed

Provider: Microsoft-Windows-MSDTC Client 2
Channel: Operational

Fields #

Name	Description
`param1` UnicodeString

Event ID 4101: Attempting to change the DTC cluster resource's log file path to param1 has failed

Provider: Microsoft-Windows-MSDTC Client 2
Channel: Operational

Fields #

Name	Description
`param1` UnicodeString
`param2` UnicodeString
`param3` UnicodeString

Event ID 4102: Application specified a cluster resource ID: param1, but no DTC cluster resource could be returned

Provider: Microsoft-Windows-MSDTC Client 2
Channel: Operational

Fields #

Name	Description
`param1` UnicodeString

Event ID 4103: Service: param1 is still running

Provider: Microsoft-Windows-MSDTC Client 2
Channel: Operational

Fields #

Name	Description
`param1` UnicodeString

Event ID 4104: Failed trying to get the state of the cluster node:

Provider: Microsoft-Windows-MSDTC Client 2
Channel: Application
Level: Error

Fields #

Name	Description
`param1`
`param2`

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-MSDTC Client 2",
    "guid": "{155CB334-3D7F-4ff1-B107-DF8AFC3C0363}",
    "event_source_name": "MSDTC Client 2",
    "event_id": 4104,
    "version": 0,
    "level": 2,
    "task": 14,
    "opcode": 0,
    "keywords": 36028797018963968,
    "time_created": "2023-11-05T22:27:41.546510+00:00",
    "event_record_id": 1466,
    "correlation": {},
    "execution": {
      "process_id": 4608,
      "thread_id": 0
    },
    "channel": "Application",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "param1": "",
    "param2": "0x8007045B"
  },
  "message": ""
}

References #

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 4104: Failed trying to get the state of the cluster node:

Provider: Microsoft-Windows-MSDTC Client 2
Channel: Operational

Fields #

Name	Description
`param1` UnicodeString
`param2` UnicodeString

Event ID 4350: Cluster API call failed with error code:

Provider: Microsoft-Windows-MSDTC Client 2
Channel: Application
Level: Warning

Fields #

Name	Description
`param1`
`param2`
`param3`

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-MSDTC Client 2",
    "guid": "{155CB334-3D7F-4ff1-B107-DF8AFC3C0363}",
    "event_source_name": "MSDTC Client 2",
    "event_id": 4350,
    "version": 0,
    "level": 3,
    "task": 14,
    "opcode": 0,
    "keywords": 36028797018963968,
    "time_created": "2026-03-13T20:23:52.178949+00:00",
    "event_record_id": 3710,
    "correlation": {},
    "execution": {
      "process_id": 0,
      "thread_id": 0
    },
    "channel": "Application",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "param1": "0x800706D9",
    "param2": "OpenClusterEx",
    "param3": "lpszClusterName: (null)"
  },
  "message": ""
}

Event ID 4350: Cluster API call failed with error code:

Provider: Microsoft-Windows-MSDTC Client 2
Channel: Operational
Level: 3

Fields #

Name	Description
`param1` UnicodeString
`param2` UnicodeString
`param3` UnicodeString

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-MSDTC Client 2",
    "event_id": 4350,
    "level": 3,
    "task": 14,
    "opcode": 0,
    "time_created": "2026-03-13T20:23:52.1789492+00:00",
    "computer": "JD-DC01-2022.ludus.domain",
    "channel": "Application"
  },
  "event_data": {
    "param2": "OpenClusterEx",
    "param1": "0x800706D9",
    "param3": "lpszClusterName: (null)"
  }
}

Event ID 4872: A caller has attempted to register an XA resource while XA transactions are disabled

Provider: Microsoft-Windows-MSDTC Client 2
Channel: Operational

Event ID 4873: An XA transaction manager has attempted to open the MSDTC XA resource while XA transactions are disabled

Provider: Microsoft-Windows-MSDTC Client 2
Channel: Operational

Event ID 4874: A caller has attempted to propagate a transaction to a remote system, but MSDTC network DTC access is currently disabled on machine 'param1'

Provider: Microsoft-Windows-MSDTC Client 2
Channel: Operational

Fields #

Name	Description
`param1` UnicodeString

Event ID 4875: A caller has attempted to import a transaction from a remote system, but MSDTC is currently configured to disallow inbound transaction manager communication on machine 'param1'

Provider: Microsoft-Windows-MSDTC Client 2
Channel: Operational

Fields #

Name	Description
`param1` UnicodeString

Event ID 4876: A caller has attempted to export a transaction to a remote system, but MSDTC is currently configured to disallow outbound transaction manager communication on machine 'param1'

Provider: Microsoft-Windows-MSDTC Client 2
Channel: Operational

Fields #

Name	Description
`param1` UnicodeString

Event ID 4878: MSDTC encountered an error (HR=0xparam1) while attempting to authenticate an incoming connection from system 'param2'

Provider: Microsoft-Windows-MSDTC Client 2
Channel: Operational

Fields #

Name	Description
`param1` UnicodeString
`param2` UnicodeString
`param3` UnicodeString

Event ID 4879: MSDTC encountered an error (HR=0xparam1) while attempting to establish a secure connection with system

Provider: Microsoft-Windows-MSDTC Client 2
Channel: Application
Level: Warning

Fields #

Name	Description
`param1`
`param2`

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-MSDTC Client 2",
    "guid": "{155CB334-3D7F-4ff1-B107-DF8AFC3C0363}",
    "event_source_name": "MSDTC Client 2",
    "event_id": 4879,
    "version": 0,
    "level": 3,
    "task": 3,
    "opcode": 0,
    "keywords": 36028797018963968,
    "time_created": "2023-10-25T22:53:19.706720+00:00",
    "event_record_id": 1415,
    "correlation": {},
    "execution": {
      "process_id": 932,
      "thread_id": 0
    },
    "channel": "Application",
    "computer": "WinDevEval",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "param1": "80000171",
    "param2": "WINDEVEVAL"
  },
  "message": ""
}

Event ID 4879: MSDTC encountered an error (HR=0xparam1) while attempting to establish a secure connection with system

Provider: Microsoft-Windows-MSDTC Client 2
Channel: Operational
Level: 3

Fields #

Name	Description
`param1` UnicodeString
`param2` UnicodeString

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-MSDTC Client 2",
    "guid": "{155CB334-3D7F-4FF1-B107-DF8AFC3C0363}",
    "event_source_name": "",
    "event_id": 4879,
    "version": 0,
    "level": 3,
    "task": 3,
    "opcode": 0,
    "keywords": 36028797018963968,
    "time_created": "2026-05-29T06:18:33.7428069+00:00",
    "event_record_id": 648,
    "correlation": {},
    "execution": {
      "process_id": 0,
      "thread_id": 0
    },
    "channel": "Application",
    "computer": "telemetry-DC-a.cell-a.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "param1": "80000171",
    "param2": "TELEMETRY-DC-A"
  },
  "message": "MSDTC encountered an error (HR=0x80000171) while attempting to establish a secure connection with system TELEMETRY-DC-A."
}

Event ID 4881: A caller has attempted to connect to a remote MSDTC on machine 'param1'

Provider: Microsoft-Windows-MSDTC Client 2
Channel: Operational

Fields #

Name	Description
`param1` UnicodeString

Event ID 1073745921: Failed to clean up the default DTC cluster resource setting.

Provider: Microsoft-Windows-MSDTC Client 2
Channel: Operational

Description

Failed to clean up the default DTC cluster resource setting. The default DTC cluster resource setting might be invalid. The error code returned: param1.

Message #

Failed to clean up the default DTC cluster resource setting. The default DTC cluster resource setting might be invalid. The error code returned: %1

Fields #

Name	Description
`param1` UnicodeString

Event ID 1073745922: Contact = param1 was deleted successfully.

Provider: Microsoft-Windows-MSDTC Client 2
Channel: Operational

Description

Contact = was deleted successfully. Attempt to copy the new contact = over it failed. The DTC configuration may be corrupted. The operation that failed must be retried. The error code returned.

Message #

Contact = %1 was deleted successfully. Attempt to copy the new contact = %2 over it failed. The DTC configuration may be corrupted. The operation that failed must be retried. The error code returned: %3

Fields #

Name	Description
`param1` UnicodeString
`param2` UnicodeString
`param3` UnicodeString

Event ID 1073745923: Failed to create DTC cluster resource.

Provider: Microsoft-Windows-MSDTC Client 2
Channel: Operational

Description

Failed to create DTC cluster resource. DTC cluster resource GUID specified = param1. The error code returned: param2.

Message #

Failed to create DTC cluster resource. DTC cluster resource GUID specified = %1. The error code returned: %2

Fields #

Name	Description
`param1` UnicodeString
`param2` UnicodeString

Event ID 1073745924: Attempt to find the drive letter or Volume Guid corresponding to the cluster DTC's dependent disk resource has failed.

Provider: Microsoft-Windows-MSDTC Client 2
Channel: Operational

Description

Attempt to find the drive letter or Volume Guid corresponding to the cluster DTC's dependent disk resource has failed. If the dependent disk resource does not support Volume Guid information, please configure at least one dependent disk partition with a drive letter. The error code returned: param1

Message #

Attempt to find the drive letter or Volume Guid corresponding to the cluster DTC's dependent disk resource has failed. If the dependent disk resource does not support Volume Guid information, please configure at least one dependent disk partition with a drive letter. The error code returned: %1

Fields #

Name	Description
`param1` UnicodeString

Event ID 1073745925: Attempting to change the DTC cluster resource's log file path to param1 has failed.

Provider: Microsoft-Windows-MSDTC Client 2
Channel: Operational

Description

Attempting to change the DTC cluster resource's log file path to param1 has failed. Please verify if log path is configured to a valid dependent disk partition. The error code returned: param2.

Message #

Attempting to change the DTC cluster resource's log file path to %1 has failed. Please verify if log path is configured to a valid dependent disk partition. The error code returned: %2

Fields #

Name	Description
`param1` UnicodeString
`param2` UnicodeString
`param3` UnicodeString

Event ID 1073745926: Application specified a cluster resource ID: param1, but no DTC cluster resource could be returned.

Provider: Microsoft-Windows-MSDTC Client 2
Channel: Operational

Description

Application specified a cluster resource ID: param1, but no DTC cluster resource could be returned. Instead, the local DTC instance was returned.

Message #

Application specified a cluster resource ID: %1, but no DTC cluster resource could be returned. Instead, the local DTC instance was returned

Fields #

Name	Description
`param1` UnicodeString

Event ID 1073745927: Service: Service is still running.

Provider: Microsoft-Windows-MSDTC Client 2
Channel: Operational

Description

Service: Service is still running. Attempt to cleanup the service has failed.

Message #

Service: %1 is still running. Attempt to cleanup the service has failed

Fields #

Name	Description
`param1` UnicodeString

Event ID 1073745928: Failed trying to get the state of the cluster node: param1.

Provider: Microsoft-Windows-MSDTC Client 2
Channel: Operational

Description

Failed trying to get the state of the cluster node: param1.The error code returned: param2.

Message #

Failed trying to get the state of the cluster node: %1.The error code returned: %2

Fields #

Name	Description
`param1` UnicodeString
`param2` UnicodeString

Event ID 1073746174: Cluster API call failed with error code: param1.

Provider: Microsoft-Windows-MSDTC Client 2
Channel: Operational
Level: 3

Description

Cluster API call failed with error code: param1. Cluster API function: ClusterAPIFunction Arguments: Arguments.

Message #

Cluster API call failed with error code: %1. Cluster API function: %2 Arguments: %3

Fields #

Name	Description
`param1` UnicodeString
`param2` UnicodeString
`param3` UnicodeString

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-MSDTC Client 2",
    "event_id": 4350,
    "level": 3,
    "task": 14,
    "opcode": 0,
    "time_created": "2026-03-13T20:23:52.1789492+00:00",
    "computer": "JD-DC01-2022.ludus.domain",
    "channel": "Application"
  },
  "event_data": {
    "param2": "OpenClusterEx",
    "param1": "0x800706D9",
    "param3": "lpszClusterName: (null)"
  }
}

Event ID 1073746185: Cluster API call failed with error code: {param1}.

Provider: Microsoft-Windows-MSDTC Client 2
Channel: Operational

Description

Cluster API call failed with error code: {param1}. Cluster API function: {param2} Arguments: {param3}.

Message #

Cluster API call failed with error code: {param1}. Cluster API function: {param2} Arguments: {param3}

Fields #

Name	Description
`param1`
`param2`
`param3`

Event ID 2147488520: A caller has attempted to register an XA resource while XA transactions are disabled.

Provider: Microsoft-Windows-MSDTC Client 2
Channel: Operational

Description

A caller has attempted to register an XA resource while XA transactions are disabled. Please review the MSDTC configuration settings.

Message #

A caller has attempted to register an XA resource while XA transactions are disabled. Please review the MSDTC configuration settings.

Event ID 2147488521: An XA transaction manager has attempted to open the MSDTC XA resource while XA transactions are disabled.

Provider: Microsoft-Windows-MSDTC Client 2
Channel: Operational

Description

An XA transaction manager has attempted to open the MSDTC XA resource while XA transactions are disabled. Please review the MSDTC configuration settings.

Message #

An XA transaction manager has attempted to open the MSDTC XA resource while XA transactions are disabled. Please review the MSDTC configuration settings.

Event ID 2147488522: A caller has attempted to propagate a transaction to a remote system, but MSDTC network DTC access is currently disabled on machine 'param1'.

Provider: Microsoft-Windows-MSDTC Client 2
Channel: Operational

Description

A caller has attempted to propagate a transaction to a remote system, but MSDTC network DTC access is currently disabled on machine 'param1'. Please review the MS DTC configuration settings.

Message #

A caller has attempted to propagate a transaction to a remote system, but MSDTC network DTC access is currently disabled on machine '%1'. Please review the MS DTC configuration settings.

Fields #

Name	Description
`param1` UnicodeString

Event ID 2147488523: A caller has attempted to import a transaction from a remote system, but MSDTC is currently configured to disallow inbound transaction manager comm...

Provider: Microsoft-Windows-MSDTC Client 2
Channel: Operational

Description

A caller has attempted to import a transaction from a remote system, but MSDTC is currently configured to disallow inbound transaction manager communication on machine 'param1'. Please review the MS DTC configuration settings.

Message #

A caller has attempted to import a transaction from a remote system, but MSDTC is currently configured to disallow inbound transaction manager communication on machine '%1'. Please review the MS DTC configuration settings.

Fields #

Name	Description
`param1` UnicodeString

Event ID 2147488524: A caller has attempted to export a transaction to a remote system, but MSDTC is currently configured to disallow outbound transaction manager commu...

Provider: Microsoft-Windows-MSDTC Client 2
Channel: Operational

Description

A caller has attempted to export a transaction to a remote system, but MSDTC is currently configured to disallow outbound transaction manager communication on machine 'param1'. Please review the MS DTC configuration settings.

Message #

A caller has attempted to export a transaction to a remote system, but MSDTC is currently configured to disallow outbound transaction manager communication on machine '%1'. Please review the MS DTC configuration settings.

Fields #

Name	Description
`param1` UnicodeString

Event ID 2147488526: MSDTC encountered an error (HR=0xparam1) while attempting to authenticate an incoming connection from system 'param2'.

Provider: Microsoft-Windows-MSDTC Client 2
Channel: Operational

Description

MSDTC encountered an error (HR=0xparam1) while attempting to authenticate an incoming connection from system 'param2'. The principal name is param3.

Message #

MSDTC encountered an error (HR=0x%1) while attempting to authenticate an incoming connection from system '%2'. The principal name is %3.

Fields #

Name	Description
`param1` UnicodeString
`param2` UnicodeString
`param3` UnicodeString

Event ID 2147488527: MSDTC encountered an error (HR=0xparam1) while attempting to establish a secure connection with system param2.

Provider: Microsoft-Windows-MSDTC Client 2
Channel: Operational
Level: 3

Description

MSDTC encountered an error (HR=0xparam1) while attempting to establish a secure connection with system param2.

Message #

MSDTC encountered an error (HR=0x%1) while attempting to establish a secure connection with system %2.

Fields #

Name	Description
`param1` UnicodeString
`param2` UnicodeString

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-MSDTC Client 2",
    "event_id": 4879,
    "level": 3,
    "task": 3,
    "opcode": 0,
    "time_created": "2026-03-15T04:21:57.0604250+00:00",
    "computer": "JD-DC01-2022.ludus.domain",
    "channel": "Application"
  },
  "event_data": {
    "param1": "80000171",
    "param2": "JD-DC01-2022"
  }
}

Event ID 2147488529: A caller has attempted to connect to a remote MSDTC on machine 'param1'.

Provider: Microsoft-Windows-MSDTC Client 2
Channel: Operational

Description

A caller has attempted to connect to a remote MSDTC on machine 'param1'. The attempt failed because the remote machine is configured to disallow remote clients.

Message #

A caller has attempted to connect to a remote MSDTC on machine '%1'.  The attempt failed because the remote machine is configured to disallow remote clients.

Fields #

Name	Description
`param1` UnicodeString

Provenance

Where this provider's schema came from, and which Windows build it was observed on. Windows can change a provider's event schema between builds, so use this to judge whether it matches the build you collect from.

ETW provider GUID 155cb334-3d7f-4ff1-b107-df8afc3c0363

Defined in msdtcVSp1res.dll, which carries the event manifest.

Observed on:

WS2022-20348.4893, schema read from the registered manifest, binary version 2001.12.10941.16384, captured 2026-06-02
Win11-26200.6584, schema read from the registered manifest, binary version 2001.12.10941.16384, captured 2026-06-02

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)