Elastic Inferred Detection Coverage

954 inferred rule mappings across 46 events and 2 providers, covering 398 unique Elastic detection rules.

Most Elastic detection rules don't explicitly filter by Windows event ID. Instead, they query using EQL event categories (like process where or file where) or match on fields that only appear in specific event types. This embeds the connection between a rule and the Windows events it operates on in the query logic rather than stating it directly.

To surface these relationships, this analysis parses each rule's query into an abstract syntax tree and extracts the EQL categories and field names it references. Where a category or field maps to a known set of Windows events, the mappings below link the rule to those events: answering the question: if I collect this Windows event, which Elastic rules could use it as a data source?

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)

Elastic Inferred Detection Coverage

Microsoft-Windows-Security-Auditing (32 events, 264 rules) #

Channel: Security Event ID 4610: An authentication package has been loaded by the Local Security Authority. (4 low)

Channel: Security Event ID 4611: A trusted logon process has been registered with the Local Security Authority. (4 low)

Channel: Security Event ID 4624: An account was successfully logged on. (6 medium, 2 low)

Channel: Security Event ID 4625: An account failed to log on. (7 medium)

Channel: Security Event ID 4634: An account was logged off. (10 medium)

Channel: Security Event ID 4647: User initiated logoff. (10 medium)

Channel: Security Event ID 4648: A logon was attempted using explicit credentials. (10 medium)

Channel: Security Event ID 4649: A replay attack was detected. (4 low)

Channel: Security Event ID 4657: A registry value was modified. (3 low)

Channel: Security Event ID 4659: A handle to an object was requested with intent to delete. (2 low)

Channel: Security Event ID 4661: A handle to an object was requested. (4 low)

Channel: Security Event ID 4663: An attempt was made to access an object. (2 low)

Channel: Security Event ID 4688: A new process has been created. (133 medium)

Channel: Security Event ID 4691: Indirect access to an object was requested. (2 low)

Channel: Security Event ID 4700: A scheduled task was enabled. (4 low)

Channel: Security Event ID 4701: A scheduled task was disabled. (4 low)

Channel: Security Event ID 4720: A user account was created. (1 low)

Channel: Security Event ID 4741: A computer account was created. (1 low)

Channel: Security Event ID 4742: A computer account was changed. (1 low)

Channel: Security Event ID 4798: A user's local group membership was enumerated. (1 low)

Channel: Security Event ID 4799: A security-enabled local group membership was enumerated. (1 low)

Channel: Security Event ID 5050: An attempt to programmatically disable the Windows Firewall using a call to INetFwProfile.FirewallEnabled(FALSE) interface was rejected. (1 low)

Channel: Security Event ID 5136: A directory service object was modified. (3 low)

Channel: Security Event ID 5137: A directory service object was created. (2 low)

Channel: Security Event ID 5140: A network share object was accessed. (2 low)

Channel: Security Event ID 5141: A directory service object was deleted. (5 low)

Channel: Security Event ID 5142: A network share object was added. (2 low)

Channel: Security Event ID 5143: A network share object was modified. (2 low)

Channel: Security Event ID 5144: A network share object was deleted. (2 low)

Channel: Security Event ID 5169: A directory service object was modified. (14 low)

Channel: Security Event ID 5170: A directory service object was modified during a background cleanup task. (14 low)

Channel: Security Event ID 5380: Vault Find Credential. (1 low)

Microsoft-Windows-Sysmon (14 events, 690 rules) #

Channel: Operational Event ID 1: Process creation (229 medium, 1 low)

Channel: Operational Event ID 2: A process changed a file creation time (40 medium)

Channel: Operational Event ID 3: Network connection (52 medium)

Channel: Operational Event ID 5: Process terminated (21 medium)

Channel: Operational Event ID 6: Driver loaded (2 medium)

Channel: Operational Event ID 7: Image loaded (7 medium)

Channel: Operational Event ID 8: CreateRemoteThread (5 low)

Channel: Operational Event ID 11: FileCreate (51 medium)

Channel: Operational Event ID 12: RegistryEvent (Object create and delete) (53 medium)

Channel: Operational Event ID 13: RegistryEvent (Value Set) (53 medium)

Channel: Operational Event ID 14: RegistryEvent (Key and Value Rename) (53 medium)

Channel: Operational Event ID 15: FileCreateStreamHash (39 medium)

Channel: Operational Event ID 23: FileDelete (File Delete archived) (42 medium)

Channel: Operational Event ID 26: FileDeleteDetected (File Delete logged) (42 medium)