Microsoft-Windows-WinNat

47 events across 2 channels

Event	Title	Channel	Sample
1001	TransportProtocol session created.	Trace	N
1002	TransportProtocol session lifetime updated.	Trace	N
1003	TransportProtocol session state updated.	Trace	N
1004	TransportProtocol session timedout.	Trace	N
1005	TransportProtocol session deleted.	Trace	N
1006	TransportProtocol binding created.	Trace	N
1007	TransportProtocol binding deleted.	Trace	N
1008	TransportProtocol binding session count updated.	Trace	N
1009	Translating TransportProtocol packet from IncomingSrcAddr:IncomingDstAddr to …	Trace	N
1010	Nat Instance InstanceName Action Status: Status.	Trace	N
1011	Packet filter Action Status: Status.	Trace	N
1012	WFP filter Action Status: Status.	Trace	N
1013	Address pool Action Status: Status.	Trace	N
1014	Address Action notification.	Trace	N
1015	Static binding Action Status: Status.	Trace	N
1016	Memory allocation failure: Description.	Trace	N
1017	TransportProtocol session created.	Oper	N
1018	TransportProtocol session deleted.	Oper	N
1019	Created NAT instance InstanceName for RoutingDomainId InternalRoutingDomainId …	Trace	N
1020	Modified NAT instance InstanceName properties.	Trace	N
1021	NAT instance InstanceName external interface index is ExternalInterfaceIndex for …	Trace	N
1022	Deleted NAT instance InstanceName.	Trace	N
1023	NAT instance InstanceName: RoutingDomainId InternalRoutingDomainId …	Trace	Y
1024	Added external address IPAddress:PortStart-PortEnd to NAT instance InstanceName.	Trace	N
1025	Removed external address IPAddress:PortStart-PortEnd from NAT instance …	Trace	N
1026	NAT instance InstanceName: external address IPAddress:PortStart-PortEnd.	Trace	Y
1027	Added static mapping TransportProtocol ExternalTransportAddress > …	Trace	N
1028	Removed static mapping TransportProtocol ExternalTransportAddress > …	Trace	N
1029	NAT instance InstanceName: static mapping TransportProtocol …	Trace	N
1030	NAT dropped IPv4 TransportProtocol packet which arrived over ArrivalNetwork …	Trace	N
1031	NAT detected a default route in compartment CompartmentId interface …	Trace	N
1032	NAT detected a default route in compartment CompartmentId interface …	Oper	N
1033	NAT instance InstanceName failed to allocate a TransportProtocol port …	Oper	N
1034	NAT left processing of IPv4 TransportProtocol packet to the host network stack …	Trace	Y
1035	NAT translated and forwarded IPv4 TransportProtocol packet which arrived over …	Trace	N
1036	NAT ERROR ErrorID: ErrorContext (ErrorMisc) Status Status.	Trace	N
1037	NAT Instance InstanceName created with no matching prefix …	Trace	N
1038	Info.	Trace	N
1039	Info.	Trace	N
1040	Info.	Trace	N
1041	Added IPxlat instance for interface InterfaceLuid.	Trace	N
1042	Modified IPxlat instance for interface InterfaceLuid.	Trace	N
1043	Deleted IPxlat instance for interface InterfaceLuid.	Trace	N
1044	XLAT.	Trace	N
1045	Added internal address IPAddress, IfIndex IfIndex to NAT instance InstanceName.	Trace	N
1046	Removed internal address IPAddress: IfIndex IfIndex from NAT instance …	Trace	N
1047	Driver state: PortChunkSize=PortChunkSize, RSCAware=RSCAware, UROAware=UROAware, …	Trace	Y

Event ID 1001: TransportProtocol session created.

Provider: Microsoft-Windows-WinNat
Channel: Trace
Task: WinNatSessionCreate

Description

TransportProtocol session created. Internal source transport addr: InternalSrcAddr, Internal dest transport addr: InternalDstAddr, External source transport addr ExternalSrcAddr, External dest transport addr ExternalDstAddr, Lifetime: Lifetime seconds, TcpState:TcpSessionState.

Message #

%7 session created. Internal source transport addr: %2, Internal dest transport addr: %3, External source transport addr %5, External dest transport addr %6, Lifetime: %8 seconds, TcpState:%9

Fields #

Name	Description
`InternalAddrLen` UInt32
`InternalSrcAddr` Binary
`InternalDstAddr` Binary
`ExternalAddrLen` UInt32
`ExternalSrcAddr` Binary
`ExternalDstAddr` Binary
`TransportProtocol` UInt32
`Lifetime` UInt32
`TcpSessionState` UInt32
`InternalCompartmentId` UInt32

Event ID 1002: TransportProtocol session lifetime updated.

Provider: Microsoft-Windows-WinNat
Channel: Trace
Task: WinNatSessionTimerUpdate

Description

session lifetime updated. Internal source transport addr: , Internal dest transport addr: , External source transport addr , External dest transport addr , Lifetime: seconds, TcpState.

Message #

%7 session lifetime updated. Internal source transport addr: %2, Internal dest transport addr: %3, External source transport addr %5, External dest transport addr %6, Lifetime: %8 seconds, TcpState: %9

Fields #

Name	Description
`InternalAddrLen` UInt32
`InternalSrcAddr` Binary
`InternalDstAddr` Binary
`ExternalAddrLen` UInt32
`ExternalSrcAddr` Binary
`ExternalDstAddr` Binary
`TransportProtocol` UInt32
`Lifetime` UInt32
`TcpSessionState` UInt32
`InternalCompartmentId` UInt32

Event ID 1003: TransportProtocol session state updated.

Provider: Microsoft-Windows-WinNat
Channel: Trace
Task: WinNatSessionTcpStateUpdate

Description

TransportProtocol session state updated. Internal source transport addr: InternalSrcAddr, Internal dest transport addr: InternalDstAddr, External source transport addr ExternalSrcAddr, External dest transport addr ExternalDstAddr, Lifetime: Lifetime seconds, TcpState: TcpSessionState.

Message #

%7 session state updated. Internal source transport addr: %2, Internal dest transport addr: %3, External source transport addr %5, External dest transport addr %6, Lifetime: %8 seconds, TcpState: %9

Fields #

Name	Description
`InternalAddrLen` UInt32
`InternalSrcAddr` Binary
`InternalDstAddr` Binary
`ExternalAddrLen` UInt32
`ExternalSrcAddr` Binary
`ExternalDstAddr` Binary
`TransportProtocol` UInt32
`Lifetime` UInt32
`TcpSessionState` UInt32
`InternalCompartmentId` UInt32

Event ID 1004: TransportProtocol session timedout.

Provider: Microsoft-Windows-WinNat
Channel: Trace
Task: WinNatSessionTimeout

Description

TransportProtocol session timedout. Internal source transport addr: InternalSrcAddr, Internal dest transport addr: InternalDstAddr, External source transport addr ExternalSrcAddr, External dest transport addr ExternalDstAddr, Lifetime: Lifetime seconds, TcpState: TcpSessionState.

Message #

%7 session timedout. Internal source transport addr: %2, Internal dest transport addr: %3, External source transport addr %5, External dest transport addr %6, Lifetime: %8 seconds, TcpState: %9

Fields #

Name	Description
`InternalAddrLen` UInt32
`InternalSrcAddr` Binary
`InternalDstAddr` Binary
`ExternalAddrLen` UInt32
`ExternalSrcAddr` Binary
`ExternalDstAddr` Binary
`TransportProtocol` UInt32
`Lifetime` UInt32
`TcpSessionState` UInt32
`InternalCompartmentId` UInt32

Event ID 1005: TransportProtocol session deleted.

Provider: Microsoft-Windows-WinNat
Channel: Trace
Task: WinNatSessionDelete

Description

TransportProtocol session deleted. Internal source transport addr: InternalSrcAddr, Internal dest transport addr: InternalDstAddr, External source transport addr ExternalSrcAddr, External dest transport addr ExternalDstAddr, Lifetime: Lifetime seconds, TcpState: TcpSessionState.

Message #

%7 session deleted. Internal source transport addr: %2, Internal dest transport addr: %3, External source transport addr %5, External dest transport addr %6, Lifetime: %8 seconds, TcpState: %9

Fields #

Name	Description
`InternalAddrLen` UInt32
`InternalSrcAddr` Binary
`InternalDstAddr` Binary
`ExternalAddrLen` UInt32
`ExternalSrcAddr` Binary
`ExternalDstAddr` Binary
`TransportProtocol` UInt32
`Lifetime` UInt32
`TcpSessionState` UInt32
`InternalCompartmentId` UInt32

Event ID 1006: TransportProtocol binding created.

Provider: Microsoft-Windows-WinNat
Channel: Trace
Task: WinNatBindingCreate

Description

TransportProtocol binding created. Internal transport addr: InternalAddr, External transport addr ExternalAddr, SessionCount: SessionCount, Configured: Configured.

Message #

%5 binding created. Internal transport addr: %2, External transport addr %4, SessionCount: %6, Configured: %7

Fields #

Name	Description
`InternalAddrLen` UInt32
`InternalAddr` Binary
`ExternalAddrLen` UInt32
`ExternalAddr` Binary
`TransportProtocol` UInt32
`SessionCount` UInt32
`Configured` Boolean
`InternalCompartmentId` UInt32

Event ID 1007: TransportProtocol binding deleted.

Provider: Microsoft-Windows-WinNat
Channel: Trace
Task: WinNatBindingDelete

Description

TransportProtocol binding deleted. Internal transport addr: InternalAddr, External transport addr ExternalAddr, SessionCount: SessionCount, Configured: Configured.

Message #

%5 binding deleted. Internal transport addr: %2, External transport addr %4, SessionCount: %6, Configured: %7

Fields #

Name	Description
`InternalAddrLen` UInt32
`InternalAddr` Binary
`ExternalAddrLen` UInt32
`ExternalAddr` Binary
`TransportProtocol` UInt32
`SessionCount` UInt32
`Configured` Boolean
`InternalCompartmentId` UInt32

Event ID 1008: TransportProtocol binding session count updated.

Provider: Microsoft-Windows-WinNat
Channel: Trace
Task: WinNatBindingSessionCount

Description

TransportProtocol binding session count updated. Internal transport addr: InternalAddr, External transport addr ExternalAddr, SessionCount: SessionCount, Configured: Configured.

Message #

%5 binding session count updated. Internal transport addr: %2, External transport addr %4, SessionCount: %6, Configured: %7

Fields #

Name	Description
`InternalAddrLen` UInt32
`InternalAddr` Binary
`ExternalAddrLen` UInt32
`ExternalAddr` Binary
`TransportProtocol` UInt32
`SessionCount` UInt32
`Configured` Boolean
`InternalCompartmentId` UInt32

Event ID 1009: Translating TransportProtocol packet from IncomingSrcAddr:IncomingDstAddr to TranslatedSrcAddr:TranslatedDstAddr, IPID:Identification.

Provider: Microsoft-Windows-WinNat
Channel: Trace
Task: WinNatTranslation

Description

Translating TransportProtocol packet from IncomingSrcAddr:IncomingDstAddr to TranslatedSrcAddr:TranslatedDstAddr, IPID:Identification. Status: Status, IcmpType: IcmpType, IcmpCode: IcmpCode, IcmpErrorPayload: IcmpPayload.

Message #

Translating %8 packet from %2:%3 to %5:%6, IPID:%7. Status: %9, IcmpType: %10, IcmpCode: %11, IcmpErrorPayload: %12

Fields #

Name	Description
`IncomingAddrLen` UInt32
`IncomingSrcAddr` Binary
`IncomingDstAddr` Binary
`TranslatedAddrLen` UInt32
`TranslatedSrcAddr` Binary
`TranslatedDstAddr` Binary
`Identification` UInt32
`TransportProtocol` UInt32
`Status` UInt32	NTSTATUS reference
`IcmpType` UInt32
`IcmpCode` UInt32
`IcmpPayload` Boolean

Event ID 1010: Nat Instance InstanceName Action Status: Status.

Provider: Microsoft-Windows-WinNat
Channel: Trace
Task: WinNatInstanceEvent

Description

Nat Instance InstanceName Action Status: Status.UdpIdleSessionTimeout: UdpIdleSessionTimeout sec, TcpTransientConnectionTimeout: TcpTransientConnectionTimeout, TcpEstablishedConnectionTimeout: TcpEstablishedConnectionTimeout, IcmpQueryTimeout: IcmpQueryTimeout, TcpFilteringBehavior: TcpFilteringBehavior, UdpFilteringBehavior: UdpFilteringBehavior, UdpInboundRefresh: UdpInboundRefresh, Enabled: Enabled

Message #

Nat Instance %1 %11 Status: %10.UdpIdleSessionTimeout: %2 sec, TcpTransientConnectionTimeout: %3, TcpEstablishedConnectionTimeout: %4, IcmpQueryTimeout: %5, TcpFilteringBehavior: %6, UdpFilteringBehavior: %7, UdpInboundRefresh: %8, Enabled: %9

Fields #

Name	Description
`InstanceName` UnicodeString
`UdpIdleSessionTimeout` UInt32
`TcpTransientConnectionTimeout` UInt32
`TcpEstablishedConnectionTimeout` UInt32
`IcmpQueryTimeout` UInt32
`TcpFilteringBehavior` UInt32
`UdpFilteringBehavior` UInt32
`UdpInboundRefresh` Boolean
`Enabled` Boolean
`Status` UInt32	NTSTATUS reference
`Action` UInt32

Event ID 1011: Packet filter Action Status: Status.

Provider: Microsoft-Windows-WinNat
Channel: Trace
Task: WinNatPacketFilterEvent

Description

Packet filter Status: . Instance: , SrcPrefix: , SrcPrefixLength: , DstPrefix: , DstPrefixLength: , Ipv4Prefix: , Ipv4PrefixLength: , Nat64: , InterfaceLuid.

Message #

Packet filter %12 Status: %13. Instance: %1, SrcPrefix: %3, SrcPrefixLength: %4, DstPrefix: %5, DstPrefixLength: %6, Ipv4Prefix: %7, Ipv4PrefixLength: %8, Nat64: %9, InterfaceLuid: %10

Fields #

Name	Description
`InstanceName` UnicodeString
`InternalPrefixAddrLength` UInt32
`InternalSrcPrefix` Binary
`InternalSrcPrefixLength` UInt32
`InternaDstlPrefix` Binary
`InternalDstPrefixLength` UInt32
`IPv4Prefix` UInt32
`IPv4PrefixLength` UInt32
`Nat64` Boolean
`InterfaceLuid` UInt64
`FilterId` UInt64
`Action` UInt32
`Status` UInt32	NTSTATUS reference

Event ID 1012: WFP filter Action Status: Status.

Provider: Microsoft-Windows-WinNat
Channel: Trace
Task: WinNatWFPFilterEvent

Description

WFP filter Status: . Instance: , FilterId: , SrcPrefix: , SrcPrefixLength: , DstPrefix: , DstPrefixLength: , Ipv4Prefix: , Ipv4PrefixLength: , Nat64: , InterfaceLuid.

Message #

WFP filter %12 Status: %13. Instance: %1, FilterId: %11, SrcPrefix: %3, SrcPrefixLength: %4, DstPrefix: %5, DstPrefixLength: %6, Ipv4Prefix: %7, Ipv4PrefixLength: %8, Nat64: %9, InterfaceLuid: %10

Fields #

Name	Description
`InstanceName` UnicodeString
`InternalPrefixAddrLength` UInt32
`InternalSrcPrefix` Binary
`InternalSrcPrefixLength` UInt32
`InternaDstlPrefix` Binary
`InternalDstPrefixLength` UInt32
`IPv4Prefix` UInt32
`IPv4PrefixLength` UInt32
`Nat64` Boolean
`InterfaceLuid` UInt64
`FilterId` UInt64
`Action` UInt32
`Status` UInt32	NTSTATUS reference

Event ID 1013: Address pool Action Status: Status.

Provider: Microsoft-Windows-WinNat
Channel: Trace
Task: WinNatAddressPoolConfig

Description

Address pool Action Status: Status. Instance: InstanceName, Address: Address, StartingPort: StartingPort, EndingPort: EndingPort, InterfaceLuid: InterfaceLuid.

Message #

Address pool %6 Status: %7. Instance: %1, Address: %2, StartingPort: %3, EndingPort: %4, InterfaceLuid: %5

Fields #

Name	Description
`InstanceName` UnicodeString
`Address` UInt32
`StartingPort` UInt16
`EndingPort` UInt16
`InterfaceLuid` UInt64
`Action` UInt32
`Status` UInt32	NTSTATUS reference

Event ID 1014: Address Action notification.

Provider: Microsoft-Windows-WinNat
Channel: Trace
Task: WinNatAddressChangeNotify

Description

Address Action notification. Address: Address, InterfaceLuid: InterfaceLuid.

Message #

Address %6 notification. Address: %2, InterfaceLuid: %5

Fields #

Name	Description
`InstanceName` UnicodeString
`Address` UInt32
`StartingPort` UInt16
`EndingPort` UInt16
`InterfaceLuid` UInt64
`Action` UInt32
`Status` UInt32	NTSTATUS reference

Event ID 1015: Static binding Action Status: Status.

Provider: Microsoft-Windows-WinNat
Channel: Trace
Task: WinNatStaticBindingEvent

Description

Static binding Action Status: Status. Internal Source: InternalAddr, External Source: ExternalAddr, Protocol: TransportProtocol.

Message #

Static binding %6 Status: %7. Internal Source: %2, External Source: %4, Protocol: %5

Fields #

Name	Description
`InternalAddrLen` UInt32
`InternalAddr` Binary
`ExternalAddrLen` UInt32
`ExternalAddr` Binary
`TransportProtocol` UInt32
`Action` UInt32
`Status` UInt32	NTSTATUS reference

Event ID 1016: Memory allocation failure: Description.

Provider: Microsoft-Windows-WinNat
Channel: Trace
Task: WinNatMemoryAllocationFailure

Description

Memory allocation failure: Description.

Message #

Memory allocation failure: %1

Fields #

Name	Description
`Description` UnicodeString

Event ID 1017: TransportProtocol session created.

Provider: Microsoft-Windows-WinNat
Channel: Oper
Task: WinNatSessionCreateOperational

Description

Message #

%7 session created. Internal source transport addr: %2, Internal dest transport addr: %3, External source transport addr %5, External dest transport addr %6

Fields #

Name	Description
`InternalAddrLen` UInt32
`InternalSrcAddr` Binary
`InternalDstAddr` Binary
`ExternalAddrLen` UInt32
`ExternalSrcAddr` Binary
`ExternalDstAddr` Binary
`TransportProtocol` UInt32

Event ID 1018: TransportProtocol session deleted.

Provider: Microsoft-Windows-WinNat
Channel: Oper
Task: WinNatSessionDeleteOperational

Description

Message #

%7 session deleted. Internal source transport addr: %2, Internal dest transport addr: %3, External source transport addr %5, External dest transport addr %6

Fields #

Name	Description
`InternalAddrLen` UInt32
`InternalSrcAddr` Binary
`InternalDstAddr` Binary
`ExternalAddrLen` UInt32
`ExternalSrcAddr` Binary
`ExternalDstAddr` Binary
`TransportProtocol` UInt32

Event ID 1019: Created NAT instance InstanceName for RoutingDomainId InternalRoutingDomainId (CompartmentId CompartmentId) with external interface prefix AddressPrefix/PrefixLength.

Provider: Microsoft-Windows-WinNat
Channel: Trace
Task: WinNatMInstanceCreation

Description

Created NAT instance InstanceName for RoutingDomainId InternalRoutingDomainId (CompartmentId CompartmentId) with external interface prefix AddressPrefix/PrefixLength.

Message #

Created NAT instance %1 for RoutingDomainId %2 (CompartmentId %5) with external interface prefix %4/%3

Fields #

Name	Description
`InstanceName` UnicodeString
`InternalRoutingDomainId` GUID
`PrefixLength` UInt32
`AddressPrefix` UInt32
`CompartmentId` UInt32
`ExternalInterfaceIndex` UInt32
`UdpIdleSessionTimeout` UInt32
`TcpTransientConnectionTimeout` UInt32
`TcpEstablishedConnectionTimeout` UInt32
`IcmpQueryTimeout` UInt32
`TcpFilteringBehavior` UInt32
`UdpFilteringBehavior` UInt32
`UdpInboundRefresh` Boolean
`InstanceType` UInt32

Event ID 1020: Modified NAT instance InstanceName properties.

Provider: Microsoft-Windows-WinNat
Channel: Trace
Task: WinNatMInstanceModification

Description

Modified NAT instance InstanceName properties.

Message #

Modified NAT instance %1 properties

Fields #

Name	Description
`InstanceName` UnicodeString
`InternalRoutingDomainId` GUID
`ExternalIPInterfaceAddressPrefixLength` UInt32
`ExternalIPInterfaceAddressPrefix` UInt32
`CompartmentId` UInt32
`ExternalInterfaceIndex` UInt32
`UdpIdleSessionTimeout` UInt32
`TcpTransientConnectionTimeout` UInt32
`TcpEstablishedConnectionTimeout` UInt32
`IcmpQueryTimeout` UInt32
`TcpFilteringBehavior` UInt32
`UdpFilteringBehavior` UInt32
`UdpInboundRefresh` Boolean

Event ID 1021: NAT instance InstanceName external interface index is ExternalInterfaceIndex for prefix ExternalIPInterfaceAddressPrefix/ExternalIPInterfaceAddressPrefixLength.

Provider: Microsoft-Windows-WinNat
Channel: Trace
Task: WinNatMInstanceExternalInterfaceAssociation

Description

NAT instance InstanceName external interface index is ExternalInterfaceIndex for prefix ExternalIPInterfaceAddressPrefix/ExternalIPInterfaceAddressPrefixLength.

Message #

NAT instance %1 external interface index is %6 for prefix %4/%3

Fields #

Name	Description
`InstanceName` UnicodeString
`InternalRoutingDomainId` GUID
`ExternalIPInterfaceAddressPrefixLength` UInt32
`ExternalIPInterfaceAddressPrefix` UInt32
`CompartmentId` UInt32
`ExternalInterfaceIndex` UInt32
`UdpIdleSessionTimeout` UInt32
`TcpTransientConnectionTimeout` UInt32
`TcpEstablishedConnectionTimeout` UInt32
`IcmpQueryTimeout` UInt32
`TcpFilteringBehavior` UInt32
`UdpFilteringBehavior` UInt32
`UdpInboundRefresh` Boolean

Event ID 1022: Deleted NAT instance InstanceName.

Provider: Microsoft-Windows-WinNat
Channel: Trace
Task: WinNatMInstanceDeletion

Description

Deleted NAT instance InstanceName.

Message #

Deleted NAT instance %1

Fields #

Name	Description
`InstanceName` UnicodeString
`InternalRoutingDomainId` GUID
`ExternalIPInterfaceAddressPrefixLength` UInt32
`ExternalIPInterfaceAddressPrefix` UInt32
`CompartmentId` UInt32
`ExternalInterfaceIndex` UInt32
`UdpIdleSessionTimeout` UInt32
`TcpTransientConnectionTimeout` UInt32
`TcpEstablishedConnectionTimeout` UInt32
`IcmpQueryTimeout` UInt32
`TcpFilteringBehavior` UInt32
`UdpFilteringBehavior` UInt32
`UdpInboundRefresh` Boolean

Event ID 1023: NAT instance InstanceName: RoutingDomainId InternalRoutingDomainId (CompartmentId CompartmentId), external interface index ExternalInterfaceIndex (AddressPrefix/PrefixLength).

Provider: Microsoft-Windows-WinNat
Channel: Trace
Also via: realtime ETW trace
Level: Informational
Task: WinNatMInstanceRundown
Opcode: win:Info

Description

NAT instance InstanceName: RoutingDomainId InternalRoutingDomainId (CompartmentId CompartmentId), external interface index ExternalInterfaceIndex (AddressPrefix/PrefixLength).

Message #

NAT instance %1: RoutingDomainId %2 (CompartmentId %5), external interface index %6 (%4/%3)

Fields #

Name	Description
`InstanceName` UnicodeString
`InternalRoutingDomainId` GUID
`PrefixLength` UInt32
`AddressPrefix` UInt32
`CompartmentId` UInt32
`ExternalInterfaceIndex` UInt32
`UdpIdleSessionTimeout` UInt32
`TcpTransientConnectionTimeout` UInt32
`TcpEstablishedConnectionTimeout` UInt32
`IcmpQueryTimeout` UInt32
`TcpFilteringBehavior` UInt32
`UdpFilteringBehavior` UInt32
`UdpInboundRefresh` Boolean
`InstanceType` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-WinNat",
    "guid": "{66C07ECD-6667-43FC-93F8-05CF07F446EC}",
    "event_source_name": "",
    "event_id": 1023,
    "version": 1,
    "level": 4,
    "task": 1023,
    "opcode": 0,
    "keywords": "0x0000000000000008",
    "time_created": "2026-06-02T06:08:06.772+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{66C07ECD-6667-43FC-93F8-05CF07F446EC}"
    },
    "execution": {
      "process_id": 9736,
      "thread_id": 10668
    },
    "channel": "ETW Trace",
    "computer": "DESKTOP-FF3N5XK",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "AddressPrefix": 12589740,
    "CompartmentId": 1,
    "ExternalInterfaceIndex": 0,
    "IcmpQueryTimeout": 30,
    "InstanceName": "ICSf3b2d77a-335a-48b3-8cf1-04bd3ff3b253",
    "InstanceType": 1,
    "InternalRoutingDomainId": "{00000000-0000-0000-0000-000000000000}",
    "PrefixLength": 20,
    "TcpEstablishedConnectionTimeout": 1800,
    "TcpFilteringBehavior": 1,
    "TcpTransientConnectionTimeout": 120,
    "UdpFilteringBehavior": 1,
    "UdpIdleSessionTimeout": 300,
    "UdpInboundRefresh": false
  },
  "message": "WinNatMInstanceRundown"
}

Event ID 1024: Added external address IPAddress:PortStart-PortEnd to NAT instance InstanceName.

Provider: Microsoft-Windows-WinNat
Channel: Trace
Task: WinNatMExternalAddressAddition

Description

Added external address IPAddress:PortStart-PortEnd to NAT instance InstanceName.

Message #

Added external address %3:%4-%5 to NAT instance %1

Fields #

Name	Description
`InstanceName` UnicodeString
`AddressLength` UInt32
`IPAddress` Binary
`PortStart` UInt16
`PortEnd` UInt16

Event ID 1025: Removed external address IPAddress:PortStart-PortEnd from NAT instance InstanceName.

Provider: Microsoft-Windows-WinNat
Channel: Trace
Task: WinNatMExternalAddressRemoval

Description

Removed external address IPAddress:PortStart-PortEnd from NAT instance InstanceName.

Message #

Removed external address %3:%4-%5 from NAT instance %1

Fields #

Name	Description
`InstanceName` UnicodeString
`AddressLength` UInt32
`IPAddress` Binary
`PortStart` UInt16
`PortEnd` UInt16

Event ID 1026: NAT instance InstanceName: external address IPAddress:PortStart-PortEnd.

Provider: Microsoft-Windows-WinNat
Channel: Trace
Also via: realtime ETW trace
Level: Informational
Task: WinNatMExternalAddressRundown
Opcode: win:Info

Description

NAT instance InstanceName: external address IPAddress:PortStart-PortEnd.

Message #

NAT instance %1: external address %3:%4-%5

Fields #

Name	Description
`InstanceName` UnicodeString
`AddressLength` UInt32
`IPAddress` Binary
`PortStart` UInt16
`PortEnd` UInt16

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-WinNat",
    "guid": "{66C07ECD-6667-43FC-93F8-05CF07F446EC}",
    "event_source_name": "",
    "event_id": 1026,
    "version": 0,
    "level": 4,
    "task": 1026,
    "opcode": 0,
    "keywords": "0x0000000000000008",
    "time_created": "2026-06-02T06:08:06.772+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{66C07ECD-6667-43FC-93F8-05CF07F446EC}"
    },
    "execution": {
      "process_id": 9736,
      "thread_id": 10668
    },
    "channel": "ETW Trace",
    "computer": "DESKTOP-FF3N5XK",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "AddressLength": 16,
    "IPAddress": "020000007F0000010000000000000000",
    "InstanceName": "ICSf3b2d77a-335a-48b3-8cf1-04bd3ff3b253",
    "PortEnd": 49833,
    "PortStart": 49734
  },
  "message": "WinNatMExternalAddressRundown"
}

Event ID 1027: Added static mapping TransportProtocol ExternalTransportAddress > InternalTransportAddress (CompartmentId CompartmentId) to NAT instance InstanceName (MappingType RemoteAddressPrefix/RemoteAddressP...

Provider: Microsoft-Windows-WinNat
Channel: Trace
Task: WinNatMStaticMappingAddition

Description

Added static mapping TransportProtocol ExternalTransportAddress > InternalTransportAddress (CompartmentId CompartmentId) to NAT instance InstanceName (MappingType RemoteAddressPrefix/RemoteAddressPrefixLength).

Message #

Added static mapping %2 %5 > %6 (CompartmentId %8) to NAT instance %1 (%3 %9/%10)

Fields #

Name	Description
`InstanceName` UnicodeString
`TransportProtocol` UInt32
`MappingType` UInt32
`AddressLength` UInt32
`ExternalTransportAddress` Binary
`InternalTransportAddress` Binary
`InternalRoutingDomainId` GUID
`CompartmentId` UInt32
`RemoteAddressPrefix` Binary
`RemoteAddressPrefixLength` UInt32

Event ID 1028: Removed static mapping TransportProtocol ExternalTransportAddress > InternalTransportAddress (CompartmentId CompartmentId) from NAT instance InstanceName (MappingType RemoteAddressPrefix/RemoteAddr...

Provider: Microsoft-Windows-WinNat
Channel: Trace
Task: WinNatMStaticMappingRemoval

Description

Removed static mapping TransportProtocol ExternalTransportAddress > InternalTransportAddress (CompartmentId CompartmentId) from NAT instance InstanceName (MappingType RemoteAddressPrefix/RemoteAddressPrefixLength).

Message #

Removed static mapping %2 %5 > %6 (CompartmentId %8) from NAT instance %1 (%3 %9/%10)

Fields #

Name	Description
`InstanceName` UnicodeString
`TransportProtocol` UInt32
`MappingType` UInt32
`AddressLength` UInt32
`ExternalTransportAddress` Binary
`InternalTransportAddress` Binary
`InternalRoutingDomainId` GUID
`CompartmentId` UInt32
`RemoteAddressPrefix` Binary
`RemoteAddressPrefixLength` UInt32

Event ID 1029: NAT instance InstanceName: static mapping TransportProtocol ExternalTransportAddress > InternalTransportAddress (CompartmentId CompartmentId) (MappingType RemoteAddressPrefix/RemoteAddressPrefixLen...

Provider: Microsoft-Windows-WinNat
Channel: Trace
Task: WinNatMStaticMappingRundown

Description

NAT instance InstanceName: static mapping TransportProtocol ExternalTransportAddress > InternalTransportAddress (CompartmentId CompartmentId) (MappingType RemoteAddressPrefix/RemoteAddressPrefixLength).

Message #

NAT instance %1: static mapping %2 %5 > %6 (CompartmentId %8) (%3 %9/%10)

Fields #

Name	Description
`InstanceName` UnicodeString
`TransportProtocol` UInt32
`MappingType` UInt32
`AddressLength` UInt32
`ExternalTransportAddress` Binary
`InternalTransportAddress` Binary
`InternalRoutingDomainId` GUID
`CompartmentId` UInt32
`RemoteAddressPrefix` Binary
`RemoteAddressPrefixLength` UInt32

Event ID 1030: NAT dropped IPv4 TransportProtocol packet which arrived over ArrivalNetwork interface ArrivalInterfaceIndex in compartment ArrivalCompartmentId with reason: ActionReason.

Provider: Microsoft-Windows-WinNat
Channel: Trace
Task: WinNatMDroppedIPv4Packet

Description

NAT dropped IPv4 TransportProtocol packet which arrived over ArrivalNetwork interface ArrivalInterfaceIndex in compartment ArrivalCompartmentId with reason: ActionReason.

Message #

NAT dropped IPv4 %5 packet which arrived over %4 interface %3 in compartment %2 with reason: %1.

Fields #

Name	Description
`ActionReason` UInt32
`ArrivalCompartmentId` UInt32
`ArrivalInterfaceIndex` UInt32
`ArrivalNetwork` UInt32
`TransportProtocol` UInt32
`ForwardCompartmentId` UInt32
`ForwardInterfaceIndex` UInt32
`PacketLength` UInt32
`ContinuousLength` UInt32
`CapturedIPHeaderLength` UInt32
`CapturedTransportHeaderLength` UInt32
`ICMPErrorTransportProtocol` UInt32
`ICMPErrorCapturedIPHeaderLength` UInt32
`ICMPErrorCapturedTransportHeaderLength` UInt32
`IPHeader` Binary
`TransportHeader` Binary
`ICMPErrorIPHeader` Binary
`ICMPErrorTransportHeader` Binary

Event ID 1031: NAT detected a default route in compartment CompartmentId interface InterfaceIndex.

Provider: Microsoft-Windows-WinNat
Channel: Trace
Task: WinNatMImproperDefaultRoute

Description

NAT detected a default route in compartment CompartmentId interface InterfaceIndex. Default routes in internal compartments will prevent NAT operation for those compartments.

Message #

NAT detected a default route in compartment %1 interface %2. Default routes in internal compartments will prevent NAT operation for those compartments.

Fields #

Name	Description
`CompartmentId` UInt32
`InterfaceIndex` UInt32

Event ID 1032: NAT detected a default route in compartment CompartmentId interface InterfaceIndex.

Provider: Microsoft-Windows-WinNat
Channel: Oper
Task: WinNatMImproperDefaultRouteOper

Description

NAT detected a default route in compartment CompartmentId interface InterfaceIndex. Default routes in internal compartments will prevent NAT operation for those compartments.

Message #

NAT detected a default route in compartment %1 interface %2. Default routes in internal compartments will prevent NAT operation for those compartments.

Fields #

Name	Description
`CompartmentId` UInt32
`InterfaceIndex` UInt32

Event ID 1033: NAT instance InstanceName failed to allocate a TransportProtocol port dynamically because all ports in the instance's external address pool are in use.

Provider: Microsoft-Windows-WinNat
Channel: Oper
Task: WinNatMOutOfPortsOper

Description

NAT instance InstanceName failed to allocate a TransportProtocol port dynamically because all ports in the instance's external address pool are in use.

Message #

NAT instance %1 failed to allocate a %2 port dynamically because all ports in the instance's external address pool are in use.

Fields #

Name	Description
`InstanceName` UnicodeString
`TransportProtocol` UInt32

Event ID 1034: NAT left processing of IPv4 TransportProtocol packet to the host network stack over ArrivalNetwork interface ArrivalInterfaceIndex in compartment ArrivalCompartmentId with reason: ActionReason.

Provider: Microsoft-Windows-WinNat
Channel: Trace
Also via: realtime ETW trace
Level: Verbose
Task: WinNatMSkippedIPv4Packet
Opcode: win:Info

Description

NAT left processing of IPv4 TransportProtocol packet to the host network stack over ArrivalNetwork interface ArrivalInterfaceIndex in compartment ArrivalCompartmentId with reason: ActionReason.

Message #

NAT left processing of IPv4 %5 packet to the host network stack over %4 interface %3 in compartment %2 with reason: %1.

Fields #

Name	Description
`ActionReason` UInt32
`ArrivalCompartmentId` UInt32
`ArrivalInterfaceIndex` UInt32
`ArrivalNetwork` UInt32
`TransportProtocol` UInt32
`ForwardCompartmentId` UInt32
`ForwardInterfaceIndex` UInt32
`PacketLength` UInt32
`ContinuousLength` UInt32
`CapturedIPHeaderLength` UInt32
`CapturedTransportHeaderLength` UInt32
`ICMPErrorTransportProtocol` UInt32
`ICMPErrorCapturedIPHeaderLength` UInt32
`ICMPErrorCapturedTransportHeaderLength` UInt32
`IPHeader` Binary
`TransportHeader` Binary
`ICMPErrorIPHeader` Binary
`ICMPErrorTransportHeader` Binary

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-WinNat",
    "guid": "{66C07ECD-6667-43FC-93F8-05CF07F446EC}",
    "event_source_name": "",
    "event_id": 1034,
    "version": 0,
    "level": 5,
    "task": 1034,
    "opcode": 0,
    "keywords": "0x0000000000000020",
    "time_created": "2026-06-02T06:08:08.447+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{66C07ECD-6667-43FC-93F8-05CF07F446EC}"
    },
    "execution": {
      "process_id": 0,
      "thread_id": 0
    },
    "channel": "ETW Trace",
    "computer": "DESKTOP-FF3N5XK",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "ActionReason": 21,
    "ArrivalCompartmentId": 1,
    "ArrivalInterfaceIndex": 11,
    "ArrivalNetwork": 2,
    "CapturedIPHeaderLength": 20,
    "CapturedTransportHeaderLength": 20,
    "ContinuousLength": 40,
    "ForwardCompartmentId": 0,
    "ForwardInterfaceIndex": 0,
    "ICMPErrorCapturedIPHeaderLength": 0,
    "ICMPErrorCapturedTransportHeaderLength": 0,
    "ICMPErrorIPHeader": "",
    "ICMPErrorTransportHeader": "",
    "ICMPErrorTransportProtocol": 0,
    "IPHeader": "450000281A4140003F064A20C00002FE0A020A6F",
    "PacketLength": 40,
    "TransportHeader": "ECF41762C38106F39091305D5010083640750000",
    "TransportProtocol": 6
  },
  "message": "WinNatMSkippedIPv4Packet"
}

Event ID 1035: NAT translated and forwarded IPv4 TransportProtocol packet which arrived over ArrivalNetwork interface ArrivalInterfaceIndex in compartment ArrivalCompartmentId to interface ForwardInterfaceIndex i...

Provider: Microsoft-Windows-WinNat
Channel: Trace
Task: WinNatMForwardedIPv4Packet

Description

NAT translated and forwarded IPv4 TransportProtocol packet which arrived over ArrivalNetwork interface ArrivalInterfaceIndex in compartment ArrivalCompartmentId to interface ForwardInterfaceIndex in compartment ForwardCompartmentId.

Message #

NAT translated and forwarded IPv4 %5 packet which arrived over %4 interface %3 in compartment %2 to interface %7 in compartment %6.

Fields #

Name	Description
`ActionReason` UInt32
`ArrivalCompartmentId` UInt32
`ArrivalInterfaceIndex` UInt32
`ArrivalNetwork` UInt32
`TransportProtocol` UInt32
`ForwardCompartmentId` UInt32
`ForwardInterfaceIndex` UInt32
`PacketLength` UInt32
`ContinuousLength` UInt32
`CapturedIPHeaderLength` UInt32
`CapturedTransportHeaderLength` UInt32
`ICMPErrorTransportProtocol` UInt32
`ICMPErrorCapturedIPHeaderLength` UInt32
`ICMPErrorCapturedTransportHeaderLength` UInt32
`IPHeader` Binary
`TransportHeader` Binary
`ICMPErrorIPHeader` Binary
`ICMPErrorTransportHeader` Binary

Event ID 1036: NAT ERROR ErrorID: ErrorContext (ErrorMisc) Status Status.

Provider: Microsoft-Windows-WinNat
Channel: Trace
Task: WinNatMGeneralError

Description

NAT ERROR ErrorID: ErrorContext (ErrorMisc) Status Status.

Message #

NAT ERROR %1: %2 (%3) Status %4

Fields #

Name	Description
`ErrorID` UInt32
`ErrorContext` UnicodeString
`ErrorMisc` UInt32
`Status` UInt32	NTSTATUS reference

Event ID 1037: NAT Instance InstanceName created with no matching prefix AddressPrefix/PrefixLength.

Provider: Microsoft-Windows-WinNat
Channel: Trace
Task: WinNatMInstanceCreationWithNoMatchingPrefix

Description

NAT Instance InstanceName created with no matching prefix AddressPrefix/PrefixLength.

Message #

NAT Instance %1 created with no matching prefix %4/%3.

Fields #

Name	Description
`InstanceName` UnicodeString
`InternalRoutingDomainId` GUID
`PrefixLength` UInt32
`AddressPrefix` UInt32
`CompartmentId` UInt32
`ExternalInterfaceIndex` UInt32
`UdpIdleSessionTimeout` UInt32
`TcpTransientConnectionTimeout` UInt32
`TcpEstablishedConnectionTimeout` UInt32
`IcmpQueryTimeout` UInt32
`TcpFilteringBehavior` UInt32
`UdpFilteringBehavior` UInt32
`UdpInboundRefresh` Boolean
`InstanceType` UInt32

Event ID 1038: Info.

Provider: Microsoft-Windows-WinNat
Channel: Trace
Task: WinNatMTaskGenericEventInformational

Description

Info

Message #

%1

Fields #

Name	Description
`Info` UnicodeString

Event ID 1039: Info.

Provider: Microsoft-Windows-WinNat
Channel: Trace
Task: WinNatMTaskGenericEventError

Description

Info

Message #

%1

Fields #

Name	Description
`Info` UnicodeString

Event ID 1040: Info.

Provider: Microsoft-Windows-WinNat
Channel: Trace
Task: WinNatMTaskGenericEventError

Description

Info

Message #

%1

Fields #

Name	Description
`Info` UnicodeString

Event ID 1041: Added IPxlat instance for interface InterfaceLuid.

Provider: Microsoft-Windows-WinNat
Channel: Trace
Task: WinNatIPxlatInstanceCreate

Description

Added IPxlat instance for interface InterfaceLuid.

Message #

Added IPxlat instance for interface %1

Fields #

Name	Description
`InterfaceLuid` UInt64
`FallbackIPv4Address` UInt32
`SyntheticIPv4Address` UInt32
`SyntheticIPv6Address` Binary
`RemotePrefix` Binary
`RemotePrefixLength` UInt32
`LocalPrefix` Binary
`LocalPrefixLength` UInt32

Event ID 1042: Modified IPxlat instance for interface InterfaceLuid.

Provider: Microsoft-Windows-WinNat
Channel: Trace
Task: WinNatIPxlatInstanceModify

Description

Modified IPxlat instance for interface InterfaceLuid.

Message #

Modified IPxlat instance for interface %1

Fields #

Name	Description
`InterfaceLuid` UInt64
`FallbackIPv4Address` UInt32
`SyntheticIPv4Address` UInt32
`SyntheticIPv6Address` Binary
`RemotePrefix` Binary
`RemotePrefixLength` UInt32
`LocalPrefix` Binary
`LocalPrefixLength` UInt32

Event ID 1043: Deleted IPxlat instance for interface InterfaceLuid.

Provider: Microsoft-Windows-WinNat
Channel: Trace
Task: WinNatIPxlatInstanceDelete

Description

Deleted IPxlat instance for interface InterfaceLuid.

Message #

Deleted IPxlat instance for interface %1

Fields #

Name	Description
`InterfaceLuid` UInt64
`FallbackIPv4Address` UInt32
`SyntheticIPv4Address` UInt32
`SyntheticIPv6Address` Binary
`RemotePrefix` Binary
`RemotePrefixLength` UInt32
`LocalPrefix` Binary
`LocalPrefixLength` UInt32

Event ID 1044: XLAT.

Provider: Microsoft-Windows-WinNat
Channel: Trace
Task: WinNatIPxlatGenericTrace

Description

XLAT: Info

Message #

XLAT: %1

Fields #

Name	Description
`Info` UnicodeString

Event ID 1045: Added internal address IPAddress, IfIndex IfIndex to NAT instance InstanceName.

Provider: Microsoft-Windows-WinNat
Channel: Trace
Task: WinNatMInternalAddressAddition

Description

Added internal address IPAddress, IfIndex IfIndex to NAT instance InstanceName.

Message #

Added internal address %3, IfIndex %4 to NAT instance %1

Fields #

Name	Description
`InstanceName` UnicodeString
`AddressLength` UInt32
`IPAddress` Binary
`IfIndex` UInt32

Event ID 1046: Removed internal address IPAddress: IfIndex IfIndex from NAT instance InstanceName.

Provider: Microsoft-Windows-WinNat
Channel: Trace
Task: WinNatMInternalAddressRemoval

Description

Removed internal address IPAddress: IfIndex IfIndex from NAT instance InstanceName.

Message #

Removed internal address %3: IfIndex %4 from NAT instance %1

Fields #

Name	Description
`InstanceName` UnicodeString
`AddressLength` UInt32
`IPAddress` Binary
`IfIndex` UInt32

Event ID 1047: Driver state: PortChunkSize=PortChunkSize, RSCAware=RSCAware, UROAware=UROAware, FragmentAware=FragmentAware, ForceInternalRoute=ForceInternalRoute, UdpSessionTimeout=UdpSessionTimeout, ClampMssEna...

Provider: Microsoft-Windows-WinNat
Channel: Trace
Also via: realtime ETW trace
Level: Informational
Task: WinNatDriverStateRundown
Opcode: win:Info

Description

Driver state: PortChunkSize=PortChunkSize, RSCAware=RSCAware, UROAware=UROAware, FragmentAware=FragmentAware, ForceInternalRoute=ForceInternalRoute, UdpSessionTimeout=UdpSessionTimeout, ClampMssEnabled=ClampMssEnabled.

Message #

Driver state: PortChunkSize=%1, RSCAware=%2, UROAware=%3, FragmentAware=%4, ForceInternalRoute=%5, UdpSessionTimeout=%6, ClampMssEnabled=%7

Fields #

Name	Description
`PortChunkSize` UInt32
`RSCAware` Boolean
`UROAware` Boolean
`FragmentAware` Boolean
`ForceInternalRoute` Boolean
`UdpSessionTimeout` UInt32
`ClampMssEnabled` Boolean

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-WinNat",
    "guid": "{66C07ECD-6667-43FC-93F8-05CF07F446EC}",
    "event_source_name": "",
    "event_id": 1047,
    "version": 0,
    "level": 4,
    "task": 1047,
    "opcode": 0,
    "keywords": "0x0000000000000008",
    "time_created": "2026-06-02T06:08:06.772+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{66C07ECD-6667-43FC-93F8-05CF07F446EC}"
    },
    "execution": {
      "process_id": 9736,
      "thread_id": 10668
    },
    "channel": "ETW Trace",
    "computer": "DESKTOP-FF3N5XK",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "ClampMssEnabled": false,
    "ForceInternalRoute": false,
    "FragmentAware": false,
    "PortChunkSize": 100,
    "RSCAware": true,
    "UROAware": true,
    "UdpSessionTimeout": 300
  },
  "message": "WinNatDriverStateRundown"
}

Provenance

Where this provider's schema came from, and which Windows build it was observed on. Windows can change a provider's event schema between builds, so use this to judge whether it matches the build you collect from.

ETW provider GUID {66C07ECD-6667-43FC-93F8-05CF07F446EC}

Defined in winnat.sys, the binary that emits these events.

Observed on:

Win11-26200.6584, sample captured from a live trace, binary version 10.0.26100.1, captured 2026-06-02
WS2022-20348.4893, schema read from the registered manifest, binary version 10.0.20348.1, captured 2026-06-02
Win11-26200.6584, schema read from the registered manifest, binary version 10.0.26100.1, captured 2026-06-02

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)