Okta-account

15 operations, identified by eventType in the audit log.

eventType	Description
account.aerial_template_condition.apply	Apply an Aerial template condition. Audit application of template conditions for Aerial accounts. This event is fired in the Aerial org when a template condition is applied to the org. Includes template condition details such as ID and name.
account.aerial_template_condition.create	Create an Aerial template condition. Audit creation of template conditions for Aerial accounts. This event is fired when a new template condition is created. Includes template condition details such as ID and name.
account.aerial_template_condition.delete	Delete an Aerial template condition. Audit deletion of template conditions for Aerial accounts. This event is fired when a template condition is deleted. Includes template condition details such as ID and name.
account.aerial_template_condition.remove	Remove an Aerial template condition. Audit removal of template conditions for Aerial accounts. This event is fired in the Aerial org when a template condition is removed from the org. Includes template condition details such as ID and name.
account.aerial_template_condition.update	Update an Aerial template condition. Audit updates to template conditions for Aerial accounts. This event is fired when a template condition is updated. Includes template condition details such as ID and name.
account.org.add	Org is added to an Aerial account. Triggered when an org is added to an Aerial account. This event is fired in both the Aerial org and the added target org.
account.org.delete.cancel	Org deletion request is cancelled. Triggered when the deletion request is cancelled. This event is fired in the Aerial org. The recovered org will be in the target.
account.org.delete.request	Org is requested to be deleted. Triggered when a org is requested to be deleted. This event is fired in the Aerial org. The user or API client who requested the delete will be the actor and the org to be deleted will be in the target.
account.org.product.update	Products are updated on an org. Triggered when Products are updated on an org. This event is fired only in the Aerial org.
account.org.status.update	Org status is updated. Triggered when the status of an org is updated. This event is fired only in the Aerial org.
account.org_group.create	Create an org group. Triggered when an org group is created in an Aerial account. This event is fired in the Aerial org when a new org group is created.
account.org_group.delete	Delete an org group. Triggered when an org group is deleted from an Aerial account. This event is fired in the Aerial org when an org group is deleted.
account.org_group.org.assign	Assign an org to an org group. Triggered when an org is assigned to an org group in an Aerial account. This event is fired in the Aerial org when an org is assigned to an org group. The target array contains the container (OrgGroup) followed by the member (Org).
account.org_group.org.revoke	Revoke an org from an org group. Triggered when an org is revoked from an org group in an Aerial account. This event is fired in the Aerial org when an org is revoked from an org group. The target array contains the container (OrgGroup) followed by the member (Org).
account.org_group.update	Update an org group. Triggered when an org group is updated in an Aerial account. This event is fired in the Aerial org when an org group is updated.

account.aerial_template_condition.apply

Namespace: Okta-account

Description

Apply an Aerial template condition. Audit application of template conditions for Aerial accounts. This event is fired in the Aerial org when a template condition is applied to the org. Includes template condition details such as ID and name.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

References #

Okta Event Types Catalog: account.aerial_template_condition.apply https://developer.okta.com/docs/reference/api/event-types/#account-aerial_template_condition-apply
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

account.aerial_template_condition.create

Namespace: Okta-account

Description

Create an Aerial template condition. Audit creation of template conditions for Aerial accounts. This event is fired when a new template condition is created. Includes template condition details such as ID and name.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

References #

Okta Event Types Catalog: account.aerial_template_condition.create https://developer.okta.com/docs/reference/api/event-types/#account-aerial_template_condition-create
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

account.aerial_template_condition.delete

Namespace: Okta-account

Description

Delete an Aerial template condition. Audit deletion of template conditions for Aerial accounts. This event is fired when a template condition is deleted. Includes template condition details such as ID and name.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

References #

Okta Event Types Catalog: account.aerial_template_condition.delete https://developer.okta.com/docs/reference/api/event-types/#account-aerial_template_condition-delete
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

account.aerial_template_condition.remove

Namespace: Okta-account

Description

Remove an Aerial template condition. Audit removal of template conditions for Aerial accounts. This event is fired in the Aerial org when a template condition is removed from the org. Includes template condition details such as ID and name.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

References #

Okta Event Types Catalog: account.aerial_template_condition.remove https://developer.okta.com/docs/reference/api/event-types/#account-aerial_template_condition-remove
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

account.aerial_template_condition.update

Namespace: Okta-account

Description

Update an Aerial template condition. Audit updates to template conditions for Aerial accounts. This event is fired when a template condition is updated. Includes template condition details such as ID and name.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

References #

Okta Event Types Catalog: account.aerial_template_condition.update https://developer.okta.com/docs/reference/api/event-types/#account-aerial_template_condition-update
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

account.org.add

Namespace: Okta-account

Description

Org is added to an Aerial account. Triggered when an org is added to an Aerial account. This event is fired in both the Aerial org and the added target org.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

References #

Okta Event Types Catalog: account.org.add https://developer.okta.com/docs/reference/api/event-types/#account-org-add
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

account.org.delete.cancel

Namespace: Okta-account

Description

Org deletion request is cancelled. Triggered when the deletion request is cancelled. This event is fired in the Aerial org. The recovered org will be in the target.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

References #

Okta Event Types Catalog: account.org.delete.cancel https://developer.okta.com/docs/reference/api/event-types/#account-org-delete-cancel
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

account.org.delete.request

Namespace: Okta-account

Description

Org is requested to be deleted. Triggered when a org is requested to be deleted. This event is fired in the Aerial org. The user or API client who requested the delete will be the actor and the org to be deleted will be in the target.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

References #

Okta Event Types Catalog: account.org.delete.request https://developer.okta.com/docs/reference/api/event-types/#account-org-delete-request
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

account.org.product.update

Namespace: Okta-account

Description

Products are updated on an org. Triggered when Products are updated on an org. This event is fired only in the Aerial org.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

References #

Okta Event Types Catalog: account.org.product.update https://developer.okta.com/docs/reference/api/event-types/#account-org-product-update
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

account.org.status.update

Namespace: Okta-account

Description

Org status is updated. Triggered when the status of an org is updated. This event is fired only in the Aerial org.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

References #

Okta Event Types Catalog: account.org.status.update https://developer.okta.com/docs/reference/api/event-types/#account-org-status-update
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

account.org_group.create

Namespace: Okta-account

Description

Create an org group. Triggered when an org group is created in an Aerial account. This event is fired in the Aerial org when a new org group is created.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

References #

Okta Event Types Catalog: account.org_group.create https://developer.okta.com/docs/reference/api/event-types/#account-org_group-create
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

account.org_group.delete

Namespace: Okta-account

Description

Delete an org group. Triggered when an org group is deleted from an Aerial account. This event is fired in the Aerial org when an org group is deleted.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

References #

Okta Event Types Catalog: account.org_group.delete https://developer.okta.com/docs/reference/api/event-types/#account-org_group-delete
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

account.org_group.org.assign

Namespace: Okta-account

Description

Assign an org to an org group. Triggered when an org is assigned to an org group in an Aerial account. This event is fired in the Aerial org when an org is assigned to an org group. The target array contains the container (OrgGroup) followed by the member (Org).

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

References #

Okta Event Types Catalog: account.org_group.org.assign https://developer.okta.com/docs/reference/api/event-types/#account-org_group-org-assign
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

account.org_group.org.revoke

Namespace: Okta-account

Description

Revoke an org from an org group. Triggered when an org is revoked from an org group in an Aerial account. This event is fired in the Aerial org when an org is revoked from an org group. The target array contains the container (OrgGroup) followed by the member (Org).

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

References #

Okta Event Types Catalog: account.org_group.org.revoke https://developer.okta.com/docs/reference/api/event-types/#account-org_group-org-revoke
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

account.org_group.update

Namespace: Okta-account

Description

Update an org group. Triggered when an org group is updated in an Aerial account. This event is fired in the Aerial org when an org group is updated.

Fields #

Name	Description
`actor.id`	Unique ID of the actor performing the event.
`actor.type`	Type of actor: User, Client, System, PublicClientApp, etc.
`actor.alternateId`	Username or email of the actor.
`actor.displayName`	Display name of the actor.
`target[].id`	ID of each target object (user, group, application, ...).
`target[].type`	Type of each target object.
`target[].alternateId`	Username or email of each target object.
`outcome.result`	Result: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN.
`outcome.reason`	Human-readable reason for the outcome.
`client.ipAddress`	IP address of the client.
`client.userAgent.rawUserAgent`	Raw user agent string.
`client.geographicalContext.country`	Country of origin for the request.
`securityContext.isProxy`	Whether the request came through a proxy or anonymizer.
`authenticationContext.externalSessionId`	Session ID correlating events in one user session.
`transaction.id`	Transaction ID correlating multiple log entries for one action.

References #

Okta Event Types Catalog: account.org_group.update https://developer.okta.com/docs/reference/api/event-types/#account-org_group-update
Okta System Log API Reference https://developer.okta.com/docs/reference/api/system-log/

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)