Microsoft-Windows-Program-Compatibility-Assistant

44 events across 5 channels

Event	Title	Channel	Sample
1	task_0	Analytic	N
1	Event ID 1	CompatAfterUpgrade	N
3	task_03	Analytic	N
3	Event ID 3	CompatAfterUpgrade	N
5	task_05	Analytic	N
5	Event ID 5	CompatAfterUpgrade	N
8	task_08	Analytic	N
8	Event ID 8	CompatAfterUpgrade	N
9	task_09	Analytic	N
9	Event ID 9	CompatAfterUpgrade	N
10	task_010	Analytic	N
10	Event ID 10	CompatAfterUpgrade	N
11	task_011	Analytic	N
11	Event ID 11	CompatAfterUpgrade	N
12	task_012	Analytic	N
12	Event ID 12	CompatAfterUpgrade	N
14	task_014	Analytic	N
14	Event ID 14	CompatAfterUpgrade	N
15	Binary data sent from PCA Diagnostic Module to PCA service for processing.	Analytic	N
15	Binary data sent from PCA Diagnostic Module to PCA service for processing.	CompatAfterUpgrade	N
16	PCA has finished monitoring an application: ExePath.	Program-Compatibility-Assistant	N
17	Exe: ResolverFiredEvent.ExePath ResolverName: ResolverFiredEvent.ResolverName.	Program-Compatibility-Assistant	Y
30	The Program Compatibility Assistant was invoked to correct a compatibility …	Program-Compatibility-Assistant	N
31	The Program Compatibility Assistant was invoked to correct a compatibility …	Program-Compatibility-Assistant	N
32	The Program Compatibility Assistant was invoked due to an unsigned driver …	Program-Compatibility-Assistant	N
101	PCA Service startup begin.	Operational	N
102	PCA Service startup finished.	Operational	N
103	PCA Process Monitor begin.	Operational	N
104	PCA Process Monitor finished.	Operational	N
105	PCA Service initialization begin.	Operational	N
106	PCA Service initialization finished.	Operational	N
107	PCA Service initialization begin.	Operational	N
108	PCA Service initialization finished.	Operational	N
200	The Program Compatibility Assistant service was stopped successfully.	Program-Compatibility-Assistant	N
201	The Program Compatibility Assistant service started successfully.	Program-Compatibility-Assistant	N
202	The Program Compatibility Assistant service failed to initialize.	Program-Compatibility-Assistant	N
203	The Program Compatibility Assistant service failed to start.	Program-Compatibility-Assistant	N
204	The Program Compatibility Assistant service failed to stop.	Program-Compatibility-Assistant	N
205	The Program Compatibility Assistant service failed to perform the phase two …	Program-Compatibility-Assistant	N
206	The Program Compatibility Assistant service successfully performed phase two …	Program-Compatibility-Assistant	N
1100	Notified PCA service of status icon registration.	Analytic	N
1200	PCA Trigger event:PCA_Trigger_event.	Analytic	N
1200	PCA Trigger event:TriggerID.	CompatAfterUpgrade	N
1234	Exe: AppIdApplicationID.	CompatAfterUpgrade	N

Event ID 1: task_0

Provider: Microsoft-Windows-Program-Compatibility-Assistant
Channel: Analytic

Fields #

Name	Description
`ApplicationNameSize`
`ApplicationName`
`CommandLineSize`
`CommandLine`
`CurrentDirectorySize`
`CurrentDirectory`
`DllNameSize`
`DllName`
`InterfaceCLSID`
`SessionId`
`Flags`

Event ID 1

Provider: Microsoft-Windows-Program-Compatibility-Assistant
Channel: CompatAfterUpgrade

Fields #

Name	Description
`ApplicationNameSize` UInt32
`ApplicationName` UnicodeString
`CommandLineSize` UInt32
`CommandLine` UnicodeString
`CurrentDirectorySize` UInt32
`CurrentDirectory` UnicodeString
`DllNameSize` UInt32
`DllName` UnicodeString
`InterfaceCLSID` GUID
`SessionId` UInt32
`Flags` UInt32

Event ID 3: task_03

Provider: Microsoft-Windows-Program-Compatibility-Assistant
Channel: Analytic

Fields #

Name	Description
`ApplicationNameSize`
`ApplicationName`
`CommandLineSize`
`CommandLine`
`CurrentDirectorySize`
`CurrentDirectory`
`DllNameSize`
`DllName`
`InterfaceCLSID`
`SessionId`
`Flags`

Event ID 3

Provider: Microsoft-Windows-Program-Compatibility-Assistant
Channel: CompatAfterUpgrade

Fields #

Name	Description
`ApplicationNameSize` UInt32
`ApplicationName` UnicodeString
`CommandLineSize` UInt32
`CommandLine` UnicodeString
`CurrentDirectorySize` UInt32
`CurrentDirectory` UnicodeString
`DllNameSize` UInt32
`DllName` UnicodeString
`InterfaceCLSID` GUID
`SessionId` UInt32
`Flags` UInt32

Event ID 5: task_05

Provider: Microsoft-Windows-Program-Compatibility-Assistant
Channel: Analytic

Fields #

Name	Description
`ApplicationNameSize`
`ApplicationName`
`CommandLineSize`
`CommandLine`
`CurrentDirectorySize`
`CurrentDirectory`
`DllNameSize`
`DllName`
`InterfaceCLSID`
`SessionId`
`Flags`

Event ID 5

Provider: Microsoft-Windows-Program-Compatibility-Assistant
Channel: CompatAfterUpgrade

Fields #

Name	Description
`ApplicationNameSize` UInt32
`ApplicationName` UnicodeString
`CommandLineSize` UInt32
`CommandLine` UnicodeString
`CurrentDirectorySize` UInt32
`CurrentDirectory` UnicodeString
`DllNameSize` UInt32
`DllName` UnicodeString
`InterfaceCLSID` GUID
`SessionId` UInt32
`Flags` UInt32

Event ID 8: task_08

Provider: Microsoft-Windows-Program-Compatibility-Assistant
Channel: Analytic

Fields #

Name	Description
`ApplicationNameSize`
`ApplicationName`
`CommandLineSize`
`CommandLine`
`CurrentDirectorySize`
`CurrentDirectory`
`DllNameSize`
`DllName`
`InterfaceCLSID`
`SessionId`
`Flags`

Event ID 8

Provider: Microsoft-Windows-Program-Compatibility-Assistant
Channel: CompatAfterUpgrade

Fields #

Name	Description
`ApplicationNameSize` UInt32
`ApplicationName` UnicodeString
`CommandLineSize` UInt32
`CommandLine` UnicodeString
`CurrentDirectorySize` UInt32
`CurrentDirectory` UnicodeString
`DllNameSize` UInt32
`DllName` UnicodeString
`InterfaceCLSID` GUID
`SessionId` UInt32
`Flags` UInt32

Event ID 9: task_09

Provider: Microsoft-Windows-Program-Compatibility-Assistant
Channel: Analytic

Fields #

Name	Description
`ApplicationNameSize`
`ApplicationName`
`CommandLineSize`
`CommandLine`
`CurrentDirectorySize`
`CurrentDirectory`
`DllNameSize`
`DllName`
`InterfaceCLSID`
`SessionId`
`Flags`

Event ID 9

Provider: Microsoft-Windows-Program-Compatibility-Assistant
Channel: CompatAfterUpgrade

Fields #

Name	Description
`ApplicationNameSize` UInt32
`ApplicationName` UnicodeString
`CommandLineSize` UInt32
`CommandLine` UnicodeString
`CurrentDirectorySize` UInt32
`CurrentDirectory` UnicodeString
`DllNameSize` UInt32
`DllName` UnicodeString
`InterfaceCLSID` GUID
`SessionId` UInt32
`Flags` UInt32

Event ID 10: task_010

Provider: Microsoft-Windows-Program-Compatibility-Assistant
Channel: Analytic

Fields #

Name	Description
`ApplicationNameSize`
`ApplicationName`
`CommandLineSize`
`CommandLine`
`CurrentDirectorySize`
`CurrentDirectory`
`DllNameSize`
`DllName`
`InterfaceCLSID`
`SessionId`
`Flags`

Event ID 10

Provider: Microsoft-Windows-Program-Compatibility-Assistant
Channel: CompatAfterUpgrade

Fields #

Name	Description
`ApplicationNameSize` UInt32
`ApplicationName` UnicodeString
`CommandLineSize` UInt32
`CommandLine` UnicodeString
`CurrentDirectorySize` UInt32
`CurrentDirectory` UnicodeString
`DllNameSize` UInt32
`DllName` UnicodeString
`InterfaceCLSID` GUID
`SessionId` UInt32
`Flags` UInt32

Event ID 11: task_011

Provider: Microsoft-Windows-Program-Compatibility-Assistant
Channel: Analytic

Fields #

Name	Description
`DisplayNameSize`
`DisplayName`
`FullImagePathSize`
`FullImagePath`
`SessionId`

Event ID 11

Provider: Microsoft-Windows-Program-Compatibility-Assistant
Channel: CompatAfterUpgrade

Fields #

Name	Description
`DisplayNameSize` UInt32
`DisplayName` UnicodeString
`FullImagePathSize` UInt32
`FullImagePath` UnicodeString
`SessionId` UInt32

Event ID 12: task_012

Provider: Microsoft-Windows-Program-Compatibility-Assistant
Channel: Analytic

Fields #

Name	Description
`ApplicationNameSize`
`ApplicationName`
`CommandLineSize`
`CommandLine`
`CurrentDirectorySize`
`CurrentDirectory`
`DllNameSize`
`DllName`
`InterfaceCLSID`
`SessionId`
`Flags`

Event ID 12

Provider: Microsoft-Windows-Program-Compatibility-Assistant
Channel: CompatAfterUpgrade

Fields #

Name	Description
`ApplicationNameSize` UInt32
`ApplicationName` UnicodeString
`CommandLineSize` UInt32
`CommandLine` UnicodeString
`CurrentDirectorySize` UInt32
`CurrentDirectory` UnicodeString
`DllNameSize` UInt32
`DllName` UnicodeString
`InterfaceCLSID` GUID
`SessionId` UInt32
`Flags` UInt32

Event ID 14: task_014

Provider: Microsoft-Windows-Program-Compatibility-Assistant
Channel: Analytic

Fields #

Name	Description
`ApplicationNameSize`
`ApplicationName`
`CommandLineSize`
`CommandLine`
`CurrentDirectorySize`
`CurrentDirectory`
`DllNameSize`
`DllName`
`InterfaceCLSID`
`SessionId`
`Flags`

Event ID 14

Provider: Microsoft-Windows-Program-Compatibility-Assistant
Channel: CompatAfterUpgrade

Fields #

Name	Description
`ApplicationNameSize` UInt32
`ApplicationName` UnicodeString
`CommandLineSize` UInt32
`CommandLine` UnicodeString
`CurrentDirectorySize` UInt32
`CurrentDirectory` UnicodeString
`DllNameSize` UInt32
`DllName` UnicodeString
`InterfaceCLSID` GUID
`SessionId` UInt32
`Flags` UInt32

Event ID 15: Binary data sent from PCA Diagnostic Module to PCA service for processing.

Provider: Microsoft-Windows-Program-Compatibility-Assistant
Channel: Analytic

Description

Binary data sent from PCA Diagnostic Module to PCA service for processing. It is not meant to be human readable.

Message #

Binary data sent from PCA Diagnostic Module to PCA service for processing. It is not meant to be human readable.

Fields #

Name	Description
`TokenDataSize` UInt32
`TokenData` Binary

Event ID 15: Binary data sent from PCA Diagnostic Module to PCA service for processing.

Provider: Microsoft-Windows-Program-Compatibility-Assistant
Channel: CompatAfterUpgrade

Description

Binary data sent from PCA Diagnostic Module to PCA service for processing. It is not meant to be human readable.

Message #

Binary data sent from PCA Diagnostic Module to PCA service for processing. It is not meant to be human readable.

Fields #

Name	Description
`TokenDataSize` UInt32
`TokenData` Binary

Event ID 16: PCA has finished monitoring an application: ExePath.

Provider: Microsoft-Windows-Program-Compatibility-Assistant
Channel: Program-Compatibility-Assistant

Description

PCA has finished monitoring an application: ExePath.

Message #

PCA has finished monitoring an application: %1

The problems detected code is: %2

If this number is not 0, PCA observed some indications of compatibility problems.

For this application, the following dialog type was shown:%3

If this number is not 0, an actual dialog was shown offering possible fixes to suspected problems.

Fields #

Name	Description
`ExePath` UnicodeString
`ResolverMap` UInt64
`DialogType` UInt32

Event ID 17: Exe: ResolverFiredEvent.ExePath ResolverName: ResolverFiredEvent.ResolverName.

Provider: Microsoft-Windows-Program-Compatibility-Assistant
Channel: Program-Compatibility-Assistant
Level: Informational

Description

Exe: ExePath ResolverName: ResolverName

Message #

Exe: %1

ResolverName: %2

Fields #

Name	Description
`ExePath`
`ResolverName`

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Program-Compatibility-Assistant",
    "guid": "4CB314DF-C11F-47D7-9C04-65FB0051561B",
    "event_source_name": "",
    "event_id": 17,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 4611686018427387904,
    "time_created": "2023-11-06T02:02:45.055790+00:00",
    "event_record_id": 42,
    "correlation": {},
    "execution": {
      "process_id": 5756,
      "thread_id": 8424
    },
    "channel": "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "user_data": {
    "ResolverFiredEvent": {
      "ExePath": "C:\\Program Files (x86)\\OpenOffice 4\\program\\soffice.exe",
      "ResolverName": "DetectorShim_KernelDriver"
    }
  },
  "message": ""
}

References #

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 30: The Program Compatibility Assistant was invoked to correct a compatibility problem.

Provider: Microsoft-Windows-Program-Compatibility-Assistant
Channel: Program-Compatibility-Assistant

Description

The Program Compatibility Assistant was invoked to correct a compatibility problem. Information about the application is below.

Message #

The Program Compatibility Assistant was invoked to correct a compatibility problem. Information about the application is below.

Application name: %1
Application version: %2
Executable path: %3
Scenario ID: %4
User action: %5
Compatibility layer: %6

Fields #

Name	Description
`ApplicationName` UnicodeString
`ApplicationVersion` UnicodeString
`ExecutablePath` UnicodeString
`ScenarioId` UnicodeString
`UserAction` UnicodeString
`CompatibilityLayer` UnicodeString

Event ID 31: The Program Compatibility Assistant was invoked to correct a compatibility problem.

Provider: Microsoft-Windows-Program-Compatibility-Assistant
Channel: Program-Compatibility-Assistant

Description

The Program Compatibility Assistant was invoked to correct a compatibility problem. Information about the application is below.

Message #

The Program Compatibility Assistant was invoked to correct a compatibility problem. Information about the application is below.

Application name: %1
Application version: %2
Executable path: %3
Scenario ID: %4
User action: %5
Compatibility layer: %6
Deprecated component: %7

Fields #

Name	Description
`ApplicationName` UnicodeString
`ApplicationVersion` UnicodeString
`ExecutablePath` UnicodeString
`ScenarioId` UnicodeString
`UserAction` UnicodeString
`CompatibilityLayer` UnicodeString
`DeprecatedComponent` UnicodeString

Event ID 32: The Program Compatibility Assistant was invoked due to an unsigned driver install.

Provider: Microsoft-Windows-Program-Compatibility-Assistant
Channel: Program-Compatibility-Assistant

Description

The Program Compatibility Assistant was invoked due to an unsigned driver install. This version of Windows requires all drivers to have a valid digital signature. Information about the driver is below. Driver: DriverName Service: ServiceName Publisher: PublisherName Location: DriverPath Version: DriverVersion This driver is unavailable and the program that uses this driver might not work correctly.

Message #

The Program Compatibility Assistant was invoked due to an unsigned driver install. This version of Windows requires all drivers to have a valid digital signature. Information about the driver is below.

Driver: %1
Service: %2
Publisher: %3
Location: %4
Version: %5

This driver is unavailable and the program that uses this driver might not work correctly.

Fields #

Name	Description
`DriverName` UnicodeString
`ServiceName` UnicodeString
`PublisherName` UnicodeString
`DriverPath` UnicodeString
`DriverVersion` UnicodeString

Event ID 101: PCA Service startup begin.

Provider: Microsoft-Windows-Program-Compatibility-Assistant
Channel: Operational
Task: PCA_ServiceStartup
Opcode: Start

Description

PCA Service startup begin.

Message #

PCA Service startup begin.

Event ID 102: PCA Service startup finished.

Provider: Microsoft-Windows-Program-Compatibility-Assistant
Channel: Operational
Task: PCA_ServiceStartup
Opcode: Stop

Description

PCA Service startup finished.

Message #

PCA Service startup finished.

Event ID 103: PCA Process Monitor begin.

Provider: Microsoft-Windows-Program-Compatibility-Assistant
Channel: Operational
Task: PCA_MonitorProcess
Opcode: Start

Description

PCA Process Monitor begin.

Message #

PCA Process Monitor begin.

Event ID 104: PCA Process Monitor finished.

Provider: Microsoft-Windows-Program-Compatibility-Assistant
Channel: Operational
Task: PCA_MonitorProcess
Opcode: Stop

Description

PCA Process Monitor finished.

Message #

PCA Process Monitor finished.

Event ID 105: PCA Service initialization begin.

Provider: Microsoft-Windows-Program-Compatibility-Assistant
Channel: Operational
Task: PCA_ServiceInitialize
Opcode: Start

Description

PCA Service initialization begin.

Message #

PCA Service initialization begin.

Event ID 106: PCA Service initialization finished.

Provider: Microsoft-Windows-Program-Compatibility-Assistant
Channel: Operational
Task: PCA_ServiceInitialize
Opcode: Stop

Description

PCA Service initialization finished.

Message #

PCA Service initialization finished.

Event ID 107: PCA Service initialization begin.

Provider: Microsoft-Windows-Program-Compatibility-Assistant
Channel: Operational
Task: PCA_ServiceShutdown
Opcode: Start

Description

PCA Service initialization begin.

Message #

PCA Service initialization begin.

Event ID 108: PCA Service initialization finished.

Provider: Microsoft-Windows-Program-Compatibility-Assistant
Channel: Operational
Task: PCA_ServiceShutdown
Opcode: Stop

Description

PCA Service initialization finished.

Message #

PCA Service initialization finished.

Event ID 200: The Program Compatibility Assistant service was stopped successfully.

Provider: Microsoft-Windows-Program-Compatibility-Assistant
Channel: Program-Compatibility-Assistant

Description

The Program Compatibility Assistant service was stopped successfully.

Message #

The Program Compatibility Assistant service was stopped successfully.

Event ID 201: The Program Compatibility Assistant service started successfully.

Provider: Microsoft-Windows-Program-Compatibility-Assistant
Channel: Program-Compatibility-Assistant

Description

The Program Compatibility Assistant service started successfully.

Message #

The Program Compatibility Assistant service started successfully.

Event ID 202: The Program Compatibility Assistant service failed to initialize.

Provider: Microsoft-Windows-Program-Compatibility-Assistant
Channel: Program-Compatibility-Assistant

Description

The Program Compatibility Assistant service failed to initialize.

Message #

The Program Compatibility Assistant service failed to initialize.

Event ID 203: The Program Compatibility Assistant service failed to start.

Provider: Microsoft-Windows-Program-Compatibility-Assistant
Channel: Program-Compatibility-Assistant

Description

The Program Compatibility Assistant service failed to start.

Message #

The Program Compatibility Assistant service failed to start.

Event ID 204: The Program Compatibility Assistant service failed to stop.

Provider: Microsoft-Windows-Program-Compatibility-Assistant
Channel: Program-Compatibility-Assistant

Description

The Program Compatibility Assistant service failed to stop.

Message #

The Program Compatibility Assistant service failed to stop.

Event ID 205: The Program Compatibility Assistant service failed to perform the phase two initialization.

Provider: Microsoft-Windows-Program-Compatibility-Assistant
Channel: Program-Compatibility-Assistant

Description

The Program Compatibility Assistant service failed to perform the phase two initialization.

Message #

The Program Compatibility Assistant service failed to perform the phase two initialization.

Event ID 206: The Program Compatibility Assistant service successfully performed phase two initialization.

Provider: Microsoft-Windows-Program-Compatibility-Assistant
Channel: Program-Compatibility-Assistant

Description

The Program Compatibility Assistant service successfully performed phase two initialization.

Message #

The Program Compatibility Assistant service successfully performed phase two initialization.

Event ID 1100: Notified PCA service of status icon registration.

Provider: Microsoft-Windows-Program-Compatibility-Assistant
Channel: Analytic

Description

Notified PCA service of status icon registration.

Message #

Notified PCA service of status icon registration.

Event ID 1200: PCA Trigger event:PCA_Trigger_event.

Provider: Microsoft-Windows-Program-Compatibility-Assistant
Channel: Analytic

Description

PCA Trigger event:PCA_Trigger_event.

Message #

PCA Trigger event:%1

Fields #

Name	Description
`TriggerID`
`ExtraDataSize`
`ExtraData`

Event ID 1200: PCA Trigger event:TriggerID.

Provider: Microsoft-Windows-Program-Compatibility-Assistant
Channel: CompatAfterUpgrade

Description

PCA Trigger event:TriggerID.

Message #

PCA Trigger event:%1

Fields #

Name	Description
`TriggerID` UInt32
`ExtraDataSize` UInt32
`ExtraData` Binary

Event ID 1234: Exe: AppIdApplicationID.

Provider: Microsoft-Windows-Program-Compatibility-Assistant
Channel: CompatAfterUpgrade

Description

Exe: AppIdApplicationID.

Message #

Exe: AppId%1

Uptime %2

Fields #

Name	Description
`ApplicationID` UnicodeString
`Uptime` UInt32

Provenance

Where this provider's schema came from, and which Windows build it was observed on. Windows can change a provider's event schema between builds, so use this to judge whether it matches the build you collect from.

ETW provider GUID 4cb314df-c11f-47d7-9c04-65fb0051561b

Defined in pcaevts.dll, which carries the event manifest.

Observed on:

WS2022-20348.4893, schema read from the registered manifest, binary version 10.0.20348.1, captured 2026-06-02
Win11-26200.6584, schema read from the registered manifest, binary version 10.0.26100.4768, captured 2026-06-02

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)