Navigation Reference

The homepage search spans events, detection rules, and providers. Use the filter dropdowns below the search bar (Type / Vendor / Tactic / More) for the most common filters, or type operators directly in the search box. Dropdown selections and typed operators stay in sync: picking a dropdown value injects the matching operator, and typing one highlights the dropdown.

The URL hash mirrors all search state, so you can share a query like #q=tactic:credential_access vendor:sigma as a link and the back button restores it. Every query also records your current result-list density as a view=compact or view=expanded hash parameter (for example #q=value:schtasks&view=compact), so the recipient sees your view without it overwriting their own saved preference. Compact view pages 50 results at a time; expanded view pages 25.

Search operators#

Every operator is written name:value. Combine operators with spaces (logical AND), and prefix any of them with - to exclude (see Modifiers). The facet operators (vendor:, tactic:/ta:, technique:/tech:, severity:/sev:, stages:, correlation:, kind:) also take a comma list of alternatives that OR together, and repeating one of these facets merges its values the same way (vendor:sigma vendor:elastic equals vendor:sigma,elastic, rather than the last occurrence winning).

Singular and plural spellings are interchangeable wherever only one form is canonical: vendors: works like vendor:, severities: like severity:, stage: like stages:, and type:event folds to type:events. The same tolerance covers closed values (correlation:sequences folds to sequence) and the rule flags (has:thresholds is has:threshold). Autocomplete always inserts the canonical form.

The tables below group operators by what they filter; the columns are uniform throughout:

Operator: the token you type.
Aliases: interchangeable spellings of the same operator (not values).
Argument: what follows the colon (a fixed value set, or a free argument).
Effect: what the operator returns.

Scope#

Operator	Aliases	Argument	Effect
`type:`		`events`, `rules`, `providers`, `all` (default); the singular spellings `event`, `rule`, `provider` fold to the plurals	Restrict results to one type. `type:rules` with no other term browses the whole rule corpus
`vendor:`	`vendors:`	a vendor value (see Vendor values)	Filter rules to one or more detection vendors. Each value also works as a standalone prefix: `sigma:` = `vendor:sigma`. A comma list ORs the alternatives (`vendor:sigma,elastic`), and the bare shorthands merge the same way (`sigma: elastic:` selects both). An unrecognized item leaves the whole token in free text

MITRE ATT&CK#

Operator	Aliases	Argument	Effect
`tactic:`	`tactics:`, `ta:`	tactic slug, display name, or TA-id (e.g. `credential_access`, `TA0006`)	Rules tagged with the tactic. ATT&CK v19: `TA0005` is `stealth` (legacy `defense_evasion` folds onto it); `TA0112` is `defense_impairment`
`technique:`	`techniques:`, `tech:`	technique ID (e.g. `T1003`, `T1003.001`)	Rules tagged with the technique

Severity#

Operator	Aliases	Argument	Effect
`severity:`	`severities:`, `sev:`	`critical`, `high`, `medium`, `low`, `informational` (also accepts `info`)	Rules at the given severity

Rule structure#

Operator	Aliases	Argument	Effect
`stages:`	`stage:`	an integer N	Rules with exactly N pipeline stages (Splunk SPL, Elastic EQL, Kusto operators, Sigma selectors)
`correlation:`	`correlations:`	`single_event`, `sequence`, `alternatives`, `alternatives_cross_log`, `all_required`, `correlated`; the number-variants `sequences` and `alternative` fold to their canonical forms	Rules of that correlation shape
`with:`		an event ID (stackable)	Rules that watch the event ID alongside ≥1 other event. `with:4624 with:4769` requires both; a comma list in one occurrence is an either-or group (`with:4624,4769` binds either id); a single `with:N` drops single-event rules
`has:` / `no:`		`timewindow`, `threshold`, `newterms` (also `timewindows`, `thresholds`, `newterm`)	Rule-structure flags: has / lacks a time window, a threshold-cardinality rule, or an Elastic new-terms baseline
`like:`		a rule slug	Rules in the same canonical-form equivalence class or a subsumption pair with the seed; cards label each as `equivalent`, `stricter`, or `broader`

Predicate fields#

These list operators stack with AND across occurrences, but a comma list inside one occurrence is an OR-group: uses:Image,CommandLine matches a rule touching either field, while uses:Image uses:CommandLine requires both.

Operator	Aliases	Argument	Effect
`uses:`		a field name (substring, stackable)	Rules whose predicate tree touches the field (any value, any kind). Returns rule cards (`field:` also returns rule cards, narrowed to a matching predicate leaf, plus indicator cards)
`excludes:`		a field name (substring, stackable)	Rules with a top-level `not()` clause on the field: the community's FP-whitelist tradecraft, per field
`groupby:`	`group_by:`, `by:`	a field name (substring, stackable)	Rules whose `group_by_keys` contain the term (case-insensitive)

Indicators#

The field: / value: / indicator: operators search detection-rule predicates: "has anyone written a rule for this IOC?" They drive two result kinds at once. The indicator tier shows the field+value pair, the predicate kind, the total rule count with vendor breakdown, and the first 5 contributing rules; the card's +N more button expands the rest in place, so every contributing rule is one click away. The rule tier narrows rule cards to those carrying a predicate leaf that matches the filter (the card's matching-indicators line shows which leaf matched).

Operator	Aliases	Argument	Effect
`field:`		a field name; quote for exact (`field:"Image"`)	Predicate field. Substring + `*`-glob by default, so `field:Image` also matches `ParentImage`. Takes the whole argument verbatim, with no comma-splitting, since real predicate values carry literal commas
`value:`		a value; quote for exact / spaces (`value:"net user"`)	Predicate value. Substring + ``-glob by default (`value:mimikatz*`). Like `field:`, never comma-split (literal commas)
`indicator:`		`F=V` (`indicator:Image=*\powershell.exe`)	Shorthand for `field:F value:V`; quote either half for an exact match. Neither half is comma-split
`kind:`	`kinds:`, `op:`, `operator:`, `match:`	a predicate kind (see Predicate kinds)	Filter by that predicate kind. A comma list ORs the kinds (`kind:cidr_match,regex_match`); an unknown alternative beside a known one is ignored, and the diagnostic fires only when every alternative is unknown

kind: / field: / value: now narrow rule cards to those carrying a matching predicate leaf, ANDing with every other structural filter (vendor:elastic kind:cidr_match returns Elastic rules with a cidr_match leaf; type:rules kind:is_null returns rules with an is_null leaf). They still drive the indicator tier in parallel, and the card's matching-indicators line shows which leaf matched. Note: match: is an alias of the kind: operator, while match as a value folds into contains, so match:contains, kind:match, and kind:contains are equivalent.

Event attributes#

The "More" dropdown surfaces these as checkboxes; you can also type them inline.

Operator	Aliases	Argument	Effect
`has:` / `no:`		an event flag (see Event flags)	Events that have (`has:`) or lack (`no:`) the attribute

Modifiers#

Operator	Argument	Effect
`-`	any negatable operator	Exclude matches (`-vendor:splunk`). Stacks and refines a query; pair it with a positive term. A `-` on a bare word (`-foo`) stays free text. A comma list under a negation excludes each alternative (`-vendor:sigma,elastic` drops both). Standalone `-kind:`/`-field:`/`-value:` (with no positive `field:`/`value:`/`kind:` in the query) exclude at rule level: they drop every rule carrying a matching predicate leaf, so `type:rules -kind:is_null` lists the rules that never null-check. Alongside a positive indicator filter they instead refine which leaves count as a match. Negatable: `vendor:` (and the vendor shorthands like `sigma:`), `tactic:`, `technique:`, `severity:`, `correlation:`, `stages:`, `with:`, `uses:`, `excludes:`, `groupby:`, `field:`, `value:`, `kind:`, `indicator:`. Each singular/plural alias negates in the same bucket as its canonical form (`-vendors:sigma` is `-vendor:sigma`). Not negatable: `type:`, `like:`, `has:`, `no:` (use `no:<flag>` to exclude a rule flag)
`"…"`	a value or phrase	Exact match. On `field:`/`value:` it anchors the indicator match (and allows spaces); standalone in free text it matches an exact multi-word phrase
`*`	inside a value	Wildcard glob, e.g. `value:mimikatz`

Value reference#

The enumerated vocabularies referenced above. Columns are uniform: Value (canonical), Aliases (other spellings of the value), Meaning.

Vendor values#

Used with vendor:. Each value also works as a standalone prefix shorthand: sigma: is exactly vendor:sigma.

Value	Aliases	Meaning
`sigma`		Sigma
`elastic`		Elastic
`splunk`	`spl`	Splunk
`kusto`	`kql`, `sentinel`, `defender`	Kusto (Microsoft Sentinel + Defender XDR)
`chronicle`	`secops`	Chronicle (Google SecOps)

Predicate kinds#

Used with kind:. The kind is the canonical predicate operator (how a rule matches a value), normalized across vendor lingo (kind:contains covers both Sigma's |contains modifier and Splunk's contains function).

Value	Aliases	Meaning
`contains`	`has`, `match`, `substring`	Substring match (folds the `contains` and `match` kinds together)
`eq`	`equals`, `=`	Exact equality
`starts_with`	`startswith`, `prefix`	Prefix match
`ends_with`	`endswith`, `suffix`	Suffix match
`regex_match`	`regex`, `regexp`	Regular-expression match
`cidr_match`	`cidr`	IP / CIDR range match
`wildcard`	`glob`	Wildcard / glob match
`in`		Membership in a value set
`ne`	`not_equals`	Not-equal
`gt` / `lt` / `ge` / `le`		Numeric comparators
`length_compare`	`length`, `len`	String / array length comparison (flags suspiciously long or empty fields)

Examples: value:10.0.0.0/8 kind:cidr_match, field:Image value:c:\windows\ kind:starts_with, field:CommandLine kind:regex, kind:in field:process_name.

is_null / is_not_null narrow rule cards AND produce presence indicator cards: kind:is_null lists the fields the corpus null-checks (with rule counts and vendor breakdown). Having no value, the card shows just the field and the kind. like folds into contains / wildcard in the indicator tier (so kind:like narrows rule cards and its values surface under contains); cross_field_compare is value-bearing but rare (below the 2-rule indicator floor). macro (opaque vendor constructs) stays unsearchable.

Event flags#

Used with has: / no:. has: requires the flag; no: excludes it.

Value	Aliases	Meaning
`sample`	`samples`	Events with real `.evtx` sample data
`field`	`fields`, `fielddesc`	Events with human-written field descriptions
`notes`	`note`	Events with community analyst notes
`refs`	`ref`, `reference`, `references`	Events with external reference links
`trace`	`etw`, `etwtrace`, `traces`	Trace events from MOF-based providers
`thirdparty`	`3rdparty`, `3rd`	Events from non-Microsoft vendors
`rule`	`rules`	Events with any detection rule
`pattern`	`patterns`	Events that link to detection patterns
`sigma` / `elastic` / `splunk` / `kusto` / `chronicle`	`spl`, `kql`, `sentinel`, `defender`, `secops`	Events with rules from that specific vendor

Free text & exact match#

Bare words (no operator) match event titles, fields, and descriptions, and, for rules, the title, description, and indexed predicate field/value tokens, so a keyword that lives only in a rule's logic still surfaces it.

"process creation": match that exact phrase.
"logon type" 4624: exact phrase plus a free-text term; both must match.
field:"Image" / value:"net user": quote a field:/value: argument for an anchored exact indicator match (the default is substring + *-glob).

Examples#

Query	What it does
`4624`	Event 4624 (Security Auditing logon) first, then rules referencing it
`kerberos`	Provider matches, then Kerberos rules, then Kerberos events
`tactic:credential_access vendor:sigma`	All Sigma rules tagged with the Credential Access tactic
`vendor:sigma,elastic technique:T1003.001`	LSASS-dumping rules authored in Sigma or Elastic (comma = OR), then ANDed with the technique
`severities:high,critical tactics:execution`	The plural spellings parse identically to `severity:high,critical tactic:execution`
`technique:T1003.001 severity:high`	High-severity rules tagged with LSASS Memory dumping
`tactic:execution -vendor:splunk`	Execution-tagged rules from every vendor except Splunk
`chronicle:lsass`	Chronicle (SecOps) rules matching "lsass" (prefix shorthand for `vendor:chronicle`)
`field:CommandLine value:mimikatz`	Rules that filter `CommandLine` for `mimikatz` substrings
`indicator:Image=*\powershell.exe`	Rules checking the Image field for paths ending in `\powershell.exe`
`field:CommandLine kind:contains`	Substring-match `CommandLine` indicators, ranked by rule count
`field:CommandLine -value:powershell`	`CommandLine` indicators whose value isn't `powershell`
`type:rules -kind:is_null`	Every rule except those carrying an `is_null` presence check (standalone indicator negation excludes at rule level)
`vendor:elastic kind:cidr_match`	Elastic rules carrying a CIDR-range predicate leaf (kind narrows the rule cards)
`with:4624 with:4769`	Rules that watch both Logon (4624) and TGS-REQ (4769): Kerberoasting-flavored correlations
`like:win_system_krbrelayup_service_installation`	The KrbRelayUp detection's equivalence class: sibling rules from sigma + splunk on the same service-install signature
`groupby:host technique:T1059.001`	Per-host PowerShell-execution detections
`uses:CommandLine technique:T1003.001`	LSASS-dumping rules that filter on `CommandLine` (any value, any kind)
`uses:Image -uses:CommandLine`	Rules touching `Image` but not `CommandLine`
`excludes:ParentImage`	Rules that whitelist a parent-process path to suppress FPs; handy when tuning a new rule on the same field
`"privilege escalation" has:sample no:thirdparty`	Exact phrase, with sample event data, Microsoft providers only
`has:rule no:pattern`	Events with detection rules but no linked detection patterns

Result types#

Each result card carries a small label in the leading edge showing its type:

EVENT: Windows event log entry (provider / event ID / title)
RULE: detection rule (vendor badge + title + MITRE technique tags), vendor-colored left border
PROVIDER: Windows event provider with its event and sample counts
INDICATOR: field+value combination from rule predicates, with the first 5 contributing rules below and a +N more button that expands the rest

A single query collects at most 200 rule cards and 100 indicator cards. The rule count shown on an indicator card is not capped (it reflects every contributing rule), so for an exact rule total on a query that hits the 200-card ceiling, either read the indicator card counts or split the query by vendor: and sum the five results.

Click behaviour#

Each rule card has a Show stages & exclusions button that inlines the rule's stages, predicates, exclusions, and indicators in a scrollable panel beneath the card: fetches the rule page once, caches per-rule for subsequent toggles. Useful for peeking at structural detail across several search hits without losing query context.

A Compact view / Expanded view toggle sits at the left of the toolbar above the cards: compact collapses every card to a single line for scanning large result sets. The choice persists across visits, and toggling writes a view= parameter into the URL hash so a copied link reproduces the same density.

When every result on the current search is a rule, a Copy as markdown / Copy as JSON toolbar appears above the cards. Markdown export is a 12-column table (Type, Title, Vendor / Provider, Severity, Events, Technique IDs, Technique Names, Tactics, Author, Description (~2 sentences), Source (GitHub URL minus the host prefix), URL). JSON export is a flat array with the same 12 columns as snake_case keys (type, title, vendor_or_provider, severity, event_ids, technique_ids, technique_names, tactics, author, description, source_url, url): every cell is a plain string, lists join with semicolons, and descriptions stay untruncated, so the output pastes straight into a JSON-to-CSV converter for spreadsheet use. Both cover every result in the current set, not just the visible page.

Click: open in the current tab
Ctrl+click / Cmd+click / Shift+click / middle-click: open in a new tab

Keyboard shortcuts#

The site provides Vimium-style navigation:

Scrolling#

j and k to scroll down/up

d and u to scroll one-half page down/up

gg to scroll to the top

G to scroll to the bottom

Link hints#

f to show a single character per link that you can enter to open in the same tab

Searching#

/ to start a search (note that it will take you to the home page)

Search results#

Arrow Down and Arrow Up to navigate results

Enter to open the highlighted result

Escape to close results

h to go back in page history

l to go forward in page history

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)