Microsoft-Windows-OfflineFiles

31 events across 3 channels

Event	Title	Channel	Sample
1	The Offline Files service started successfully.	Operational	Y
2	The Offline Files service is terminating.	Operational	Y
3	The Offline Files service is waiting for all running tasks to complete.	Operational	Y
4	The Offline Files service has terminated.	Operational	Y
5	The Offline Files service received a STOP or SHUTDOWN control from the Service …	Operational	N
6	The Offline Files driver.	System	N
7	User logon detected.	Operational	N
8	User logoff detected.	Operational	Y
9	Path disconnected.	Operational	N
10	Path reconnected.	Operational	N
11	Offline Files configuration is being controlled by Group Policy.	Operational	Y
12	Offline Files configuration is being controlled by WMI configuration classes …	Operational	N
1000	Background agent failed startup, error = Text.	Operational	N
1001	Background Synchronization failed on Path.	Operational	N
1002	Background Synchronization executed successfully.	Operational	N
1003	Background Synchronization has started on Path as client has not synced for …	Operational	N
1004	Path Path transitioned to slow link with latency = Latency and bandwidth = …	Operational	N
1005	Path Path transitioned to online with latency = Latency.	Operational	N
1006	Background Synchronization failed for FailedFileCount files on Path.	Operational	N
1007	Path Path transitioned to slow link mode so the user will work offline with …	Operational	N
1008	Path Path failed to transition to slow link mode due to an open handle on …	Operational	N
1009	Path Path failed to transition to slow link mode due to an open handle.	Operational	N
2000	Sync info for Path Only the server copy exists.	SyncLog	N
2001	Sync info for Path Only the client copy exists.	SyncLog	N
2002	Sync info for Path Both client and server copies exist.	SyncLog	N
2003	Sync info for Path Server copy exists, client copy deleted.	SyncLog	N
2004	Sync info for Path Server copy exists, client copy replaced then deleted.	SyncLog	N
2005	Sync succeeded.	SyncLog	N
2006	Sync failed.	SyncLog	N
2010	Creation of new excluded file type.	Operational	N
2011	Rename of file SourcePath to file TargetPath was blocked.	Operational	N

Event ID 1: The Offline Files service started successfully.

Provider: Microsoft-Windows-OfflineFiles
Channel: Operational
Level: Informational
Opcode: Info

Description

The Offline Files service started successfully.

Message #

The Offline Files service started successfully.

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-OfflineFiles",
    "guid": "{95353826-4FBE-41D4-9C42-F521C6E86360}",
    "event_source_name": "",
    "event_id": 1,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 4611686018427387920,
    "time_created": "2026-05-30T04:03:24.6211326+00:00",
    "event_record_id": 7,
    "correlation": {},
    "execution": {
      "process_id": 9144,
      "thread_id": 6004
    },
    "channel": "Microsoft-Windows-OfflineFiles/Operational",
    "computer": "JD-WIN11-22H2-1.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {},
  "message": "The Offline Files service started successfully."
}

Event ID 2: The Offline Files service is terminating.

Provider: Microsoft-Windows-OfflineFiles
Channel: Operational
Level: Informational
Opcode: Info

Description

The Offline Files service is terminating.

Message #

The Offline Files service is terminating.

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-OfflineFiles",
    "guid": "{95353826-4FBE-41D4-9C42-F521C6E86360}",
    "event_source_name": "",
    "event_id": 2,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 4611686018427387920,
    "time_created": "2026-05-30T04:03:24.2126163+00:00",
    "event_record_id": 3,
    "correlation": {},
    "execution": {
      "process_id": 11852,
      "thread_id": 932
    },
    "channel": "Microsoft-Windows-OfflineFiles/Operational",
    "computer": "JD-WIN11-22H2-1.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {},
  "message": "The Offline Files service is terminating."
}

Event ID 3: The Offline Files service is waiting for all running tasks to complete.

Provider: Microsoft-Windows-OfflineFiles
Channel: Operational
Level: Informational
Opcode: Info

Description

The Offline Files service is waiting for all running tasks to complete.

Message #

The Offline Files service is waiting for all running tasks to complete.

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-OfflineFiles",
    "guid": "{95353826-4FBE-41D4-9C42-F521C6E86360}",
    "event_source_name": "",
    "event_id": 3,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 4611686018427387920,
    "time_created": "2026-05-30T04:03:24.2177139+00:00",
    "event_record_id": 4,
    "correlation": {},
    "execution": {
      "process_id": 11852,
      "thread_id": 12980
    },
    "channel": "Microsoft-Windows-OfflineFiles/Operational",
    "computer": "JD-WIN11-22H2-1.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {},
  "message": "The Offline Files service is waiting for all running tasks to complete."
}

Event ID 4: The Offline Files service has terminated.

Provider: Microsoft-Windows-OfflineFiles
Channel: Operational
Level: Informational
Opcode: Info

Description

The Offline Files service has terminated.

Message #

The Offline Files service has terminated.

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-OfflineFiles",
    "guid": "{95353826-4FBE-41D4-9C42-F521C6E86360}",
    "event_source_name": "",
    "event_id": 4,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 4611686018427387920,
    "time_created": "2026-05-30T04:03:24.2181741+00:00",
    "event_record_id": 5,
    "correlation": {},
    "execution": {
      "process_id": 11852,
      "thread_id": 12980
    },
    "channel": "Microsoft-Windows-OfflineFiles/Operational",
    "computer": "JD-WIN11-22H2-1.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {},
  "message": "The Offline Files service has terminated."
}

Event ID 5: The Offline Files service received a STOP or SHUTDOWN control from the Service Control Manager.

Provider: Microsoft-Windows-OfflineFiles
Channel: Operational
Opcode: Info

Description

The Offline Files service received a STOP or SHUTDOWN control from the Service Control Manager. The service will now stop.

Message #

The Offline Files service received a STOP or SHUTDOWN control from the Service Control Manager.  The service will now stop.

Event ID 6: The Offline Files driver.

Provider: Microsoft-Windows-OfflineFiles
Channel: System
Opcode: Info

Description

The Offline Files driver (csc.sys) is not running.

Message #

The Offline Files driver (csc.sys) is not running.

Event ID 7: User logon detected.

Provider: Microsoft-Windows-OfflineFiles
Channel: Operational
Opcode: Info

Description

User logon detected.

Message #

User logon detected
Account: %1
Session: %2

Fields #

Name	Description
`Account` UnicodeString
`Session` UInt32

Event ID 8: User logoff detected.

Provider: Microsoft-Windows-OfflineFiles
Channel: Operational
Level: Informational
Opcode: Info

Description

User logoff detected.

Message #

User logoff detected
Account: %1
Session: %2

Fields #

Name	Description
`Info.Account` UnicodeString
`Info.Session` UInt32
`Account` UnicodeString
`Session` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-OfflineFiles",
    "guid": "{95353826-4FBE-41D4-9C42-F521C6E86360}",
    "event_source_name": "",
    "event_id": 8,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 4611686018427387912,
    "time_created": "2026-05-30T04:14:38.6921031+00:00",
    "event_record_id": 8,
    "correlation": {},
    "execution": {
      "process_id": 9144,
      "thread_id": 3416
    },
    "channel": "Microsoft-Windows-OfflineFiles/Operational",
    "computer": "JD-WIN11-22H2-1.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "user_data": {
    "Info": {
      "Account": "ludus\\domainuser",
      "Session": "2"
    }
  },
  "message": "User logoff detected\r\nAccount: ludus\\domainuser\r\nSession: 2"
}

Event ID 9: Path disconnected.

Provider: Microsoft-Windows-OfflineFiles
Channel: Operational
Opcode: Info

Description

Path disconnected.

Message #

Path disconnected.
%1

Fields #

Name	Description
`Path` UnicodeString

Event ID 10: Path reconnected.

Provider: Microsoft-Windows-OfflineFiles
Channel: Operational
Opcode: Info

Description

Path reconnected.

Message #

Path reconnected.
%1

Fields #

Name	Description
`Path` UnicodeString

Event ID 11: Offline Files configuration is being controlled by Group Policy.

Provider: Microsoft-Windows-OfflineFiles
Channel: Operational
Level: Informational
Opcode: Info

Description

Offline Files configuration is being controlled by Group Policy.

Message #

Offline Files configuration is being controlled by Group Policy.

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-OfflineFiles",
    "guid": "{95353826-4FBE-41D4-9C42-F521C6E86360}",
    "event_source_name": "",
    "event_id": 11,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 4611686018427387936,
    "time_created": "2026-05-30T04:03:24.5587637+00:00",
    "event_record_id": 6,
    "correlation": {},
    "execution": {
      "process_id": 9144,
      "thread_id": 6004
    },
    "channel": "Microsoft-Windows-OfflineFiles/Operational",
    "computer": "JD-WIN11-22H2-1.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {},
  "message": "Offline Files configuration is being controlled by Group Policy."
}

Event ID 12: Offline Files configuration is being controlled by WMI configuration classes Win32_OfflineFilesUserConfiguration and Win32_OfflineFilesMachineConfi...

Provider: Microsoft-Windows-OfflineFiles
Channel: Operational
Opcode: Info

Description

Offline Files configuration is being controlled by WMI configuration classes Win32_OfflineFilesUserConfiguration and Win32_OfflineFilesMachineConfiguration.

Message #

Offline Files configuration is being controlled by WMI configuration classes Win32_OfflineFilesUserConfiguration and Win32_OfflineFilesMachineConfiguration.

Event ID 1000: Background agent failed startup, error = Text.

Provider: Microsoft-Windows-OfflineFiles
Channel: Operational
Opcode: Info

Description

Background agent failed startup, error = Text.

Message #

Background agent failed startup, error = %1

Fields #

Name	Description
`Text` UnicodeString

Event ID 1001: Background Synchronization failed on Path.

Provider: Microsoft-Windows-OfflineFiles
Channel: Operational
Opcode: Info

Description

Background Synchronization failed on.

Message #

Background Synchronization failed on 

%1

Fields #

Name	Description
`Path` UnicodeString
`ResultCode` UnicodeString
`Result` UnicodeString

Event ID 1002: Background Synchronization executed successfully.

Provider: Microsoft-Windows-OfflineFiles
Channel: Operational
Opcode: Info

Description

Background Synchronization executed successfully.

Message #

Background Synchronization executed successfully.

Event ID 1003: Background Synchronization has started on Path as client has not synced for MinutesSinceLastSync minutes.

Provider: Microsoft-Windows-OfflineFiles
Channel: Operational
Opcode: Info

Description

Background Synchronization has started on.

Message #

Background Synchronization has started on 

%1

 as client has not synced for %2 minutes.

Fields #

Name	Description
`Path` UnicodeString
`MinutesSinceLastSync` UInt32

Event ID 1004: Path Path transitioned to slow link with latency = Latency and bandwidth = Bandwidth.

Provider: Microsoft-Windows-OfflineFiles
Channel: Operational
Opcode: Info

Description

Path Path transitioned to slow link with latency = Latency and bandwidth = Bandwidth.

Message #

Path %1 transitioned to slow link with latency = %2 and bandwidth = %3

Fields #

Name	Description
`Path` UnicodeString
`Latency` UInt64
`Bandwidth` UInt64

Event ID 1005: Path Path transitioned to online with latency = Latency.

Provider: Microsoft-Windows-OfflineFiles
Channel: Operational
Opcode: Info

Description

Path Path transitioned to online with latency = Latency.

Message #

Path %1 transitioned to online with latency = %2

Fields #

Name	Description
`Path` UnicodeString
`Latency` UInt64

Event ID 1006: Background Synchronization failed for FailedFileCount files on Path.

Provider: Microsoft-Windows-OfflineFiles
Channel: Operational
Opcode: Info

Description

Background Synchronization failed for FailedFileCount files on.

Message #

Background Synchronization failed for %2 files on 

%1

Fields #

Name	Description
`Path` UnicodeString
`FailedFileCount` UInt32

Event ID 1007: Path Path transitioned to slow link mode so the user will work offline with background synchronization of the data to the file server.

Provider: Microsoft-Windows-OfflineFiles
Channel: Operational
Opcode: Info

Description

Path Path transitioned to slow link mode so the user will work offline with background synchronization of the data to the file server. The administrator has configured this path to work offline regardless of the network performance.

Message #

Path %1 transitioned to slow link mode so the user will work offline with background synchronization of the data to the file server. The administrator has configured this path to work offline regardless of the network performance.

Fields #

Name	Description
`Path` UnicodeString

Event ID 1008: Path Path failed to transition to slow link mode due to an open handle on FileName.

Provider: Microsoft-Windows-OfflineFiles
Channel: Operational
Opcode: Info

Description

Path Path failed to transition to slow link mode due to an open handle on FileName.

Message #

Path %1 failed to transition to slow link mode due to an open handle on %2.

Fields #

Name	Description
`Path` UnicodeString
`FileName` UnicodeString

Event ID 1009: Path Path failed to transition to slow link mode due to an open handle.

Provider: Microsoft-Windows-OfflineFiles
Channel: Operational
Opcode: Info

Description

Path Path failed to transition to slow link mode due to an open handle.

Message #

Path %1 failed to transition to slow link mode due to an open handle.

Fields #

Name	Description
`Path` UnicodeString

Event ID 2000: Sync info for Path Only the server copy exists.

Provider: Microsoft-Windows-OfflineFiles
Channel: SyncLog
Opcode: Info

Description

Sync info for Path.

Message #

Sync info for %1
Only the server copy exists.
%10
See details for more information.

Fields #

Name	Description
`Path` UnicodeString
`ServerIsDir` Boolean
`ClientDeleted` Boolean
`ServerChanged` Boolean
`ServerLastWriteTime` FILETIME
`ServerChangeTime` FILETIME
`ServerAttributes` UInt32
`ServerSize` UInt64
`SyncState` UInt32
`SyncStateText` UnicodeString

Event ID 2001: Sync info for Path Only the client copy exists.

Provider: Microsoft-Windows-OfflineFiles
Channel: SyncLog
Opcode: Info

Description

Sync info for Path.

Message #

Sync info for %1
Only the client copy exists.
%12
See details for more information.

Fields #

Name	Description
`Path` UnicodeString
`ClientIsDir` Boolean
`ClientChanged` Boolean
`ClientIsSparse` Boolean
`ClientCreatedOffline` Boolean
`ClientDeletedOffline` Boolean
`ClientLastWriteTime` FILETIME
`ClientChangeTime` FILETIME
`ClientAttributes` UInt32
`ClientSize` UInt64
`ServerDeleted` Boolean
`SyncState` UInt32
`SyncStateText` UnicodeString

Event ID 2002: Sync info for Path Both client and server copies exist.

Provider: Microsoft-Windows-OfflineFiles
Channel: SyncLog
Opcode: Info

Description

Sync info for Path.

Message #

Sync info for %1
Both client and server copies exist.
%17
See details for more information.

Fields #

Name	Description
`Path` UnicodeString
`ClientIsDir` Boolean
`ClientChanged` Boolean
`ClientIsSparse` Boolean
`ClientCreatedOffline` Boolean
`ClientLastWriteTime` FILETIME
`ClientChangeTime` FILETIME
`ClientAttributes` UInt32
`ClientSize` UInt64
`ServerIsDir` Boolean
`ServerChanged` Boolean
`ServerLastWriteTime` FILETIME
`ServerChangeTime` FILETIME
`ServerAttributes` UInt32
`ServerSize` UInt64
`SyncState` UInt32
`SyncStateText` UnicodeString

Event ID 2003: Sync info for Path Server copy exists, client copy deleted.

Provider: Microsoft-Windows-OfflineFiles
Channel: SyncLog
Opcode: Info

Description

Sync info for Path.

Message #

Sync info for %1
Server copy exists, client copy deleted.
%13
See details for more information.

Fields #

Name	Description
`Path` UnicodeString
`ClientIsDir` Boolean
`ClientChanged` Boolean
`ClientIsSparse` Boolean
`ClientCreatedOffline` Boolean
`ServerIsDir` Boolean
`ServerChanged` Boolean
`ServerLastWriteTime` FILETIME
`ServerChangeTime` FILETIME
`ServerAttributes` UInt32
`ServerSize` UInt64
`SyncState` UInt32
`SyncStateText` UnicodeString

Event ID 2004: Sync info for Path Server copy exists, client copy replaced then deleted.

Provider: Microsoft-Windows-OfflineFiles
Channel: SyncLog
Opcode: Info

Description

Sync info for Path.

Message #

Sync info for %1
Server copy exists, client copy replaced then deleted.
%10\
See details for more information.

Fields #

Name	Description
`Path` UnicodeString
`ClientIsDir` Boolean
`ServerIsDir` Boolean
`ServerChanged` Boolean
`ServerLastWriteTime` FILETIME
`ServerChangeTime` FILETIME
`ServerAttributes` UInt32
`ServerSize` UInt64
`SyncState` UInt32
`SyncStateText` UnicodeString

Event ID 2005: Sync succeeded.

Provider: Microsoft-Windows-OfflineFiles
Channel: SyncLog
Opcode: Info

Description

Sync succeeded.

Message #

Sync succeeded.

%1

Operation: %2

Fields #

Name Description

Path UnicodeString

Operation UnicodeString

Known values

%%2456: Open key file.
%%2457: Delete key file.
%%2458: Read persisted key from file.
%%2459: Write persisted key to file.
%%2464: Export of persistent cryptographic key.
%%2465: Import of persistent cryptographic key.
%%2480: Open Key.
%%2481: Create Key.
%%2482: Delete Key.
%%2483: Encrypt.
%%2484: Decrypt.
%%2485: Sign hash.
%%2486: Secret agreement.
%%2487: Domain settings.
%%2488: Local settings.
%%2489: Add provider.
%%2490: Remove provider.
%%2491: Add context.
%%2492: Remove context.
%%2493: Add function.
%%2494: Remove function.
%%2495: Add function provider.
%%2496: Remove function provider.
%%2497: Add function property.
%%2498: Remove function property.
%%2499: Machine key.
%%2500: User key.
%%2501: Key Derivation.
%%2502: Claim Creation.
%%2503: Claim Verification.

Event ID 2006: Sync failed.

Provider: Microsoft-Windows-OfflineFiles
Channel: SyncLog
Opcode: Info

Description

Sync failed.

Message #

Sync failed.

%1

Operation: %2
Result: %4

Fields #

Name	Description
`Path` UnicodeString
`Operation` UnicodeString	Known values `%%2456` Open key file. `%%2457` Delete key file. `%%2458` Read persisted key from file. `%%2459` Write persisted key to file. `%%2464` Export of persistent cryptographic key. `%%2465` Import of persistent cryptographic key. `%%2480` Open Key. `%%2481` Create Key. `%%2482` Delete Key. `%%2483` Encrypt. `%%2484` Decrypt. `%%2485` Sign hash. `%%2486` Secret agreement. `%%2487` Domain settings. `%%2488` Local settings. `%%2489` Add provider. `%%2490` Remove provider. `%%2491` Add context. `%%2492` Remove context. `%%2493` Add function. `%%2494` Remove function. `%%2495` Add function provider. `%%2496` Remove function provider. `%%2497` Add function property. `%%2498` Remove function property. `%%2499` Machine key. `%%2500` User key. `%%2501` Key Derivation. `%%2502` Claim Creation. `%%2503` Claim Verification.
`ResultCode` UnicodeString
`Result` UnicodeString

Event ID 2010: Creation of new excluded file type.

Provider: Microsoft-Windows-OfflineFiles
Channel: Operational
Opcode: Info

Description

Creation of new excluded file type.

Message #

Creation of new excluded file type 
%1 was blocked.

Fields #

Name	Description
`Path` UnicodeString

Event ID 2011: Rename of file SourcePath to file TargetPath was blocked.

Provider: Microsoft-Windows-OfflineFiles
Channel: Operational
Opcode: Info

Description

Rename of file SourcePath to file TargetPath was blocked. The source and/or target file name is an excluded file type.

Message #

Rename of file %1 to file %2 was blocked. The source and/or target file name is an excluded file type.

Fields #

Name	Description
`SourcePath` UnicodeString
`TargetPath` UnicodeString

Provenance

Where this provider's schema came from, and which Windows build it was observed on. Windows can change a provider's event schema between builds, so use this to judge whether it matches the build you collect from.

ETW provider GUID 95353826-4fbe-41d4-9c42-f521c6e86360

Defined in cscsvc.dll, which carries the event manifest.

Observed on:

WS2022-20348.4893, schema read from the registered manifest, binary version 10.0.20348.1, captured 2026-06-02
Win11-26200.6584, schema read from the registered manifest, binary version 10.0.26100.1, captured 2026-06-02

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)