Detection rules › By event

Microsoft-Windows-Security-Auditing Event ID 4648

21 detection rules reference this event. View event page.

Sigma (3)

Privilege escalation via runas (command) severity medium T1134, T1134.002
Suspicious Remote Logon with Explicit Credentials severity medium T1078
SystemNightmare by GentilKiwi - External printer mapped (CVE-2021-1675 / CVE-2021-34527) severity high T1547, T1547.010, T1574, T1574.002

Splunk (5)

ADExplorer Execution (Windows Event Log) T1003, T1003.003, T1552, T1552.001
Windows Identify PowerShell Web Access IIS Pool T1190
Windows Multiple Users Fail To Authenticate Wth ExplicitCredentials severity medium T1110, T1110.003
Windows Unusual Count Of Users Fail To Auth Wth ExplicitCredentials severity low T1110, T1110.003
WMIC Explicit Credentials (Windows Event Log) T1047, T1078

Kusto (1)

EatonForeseer - Unauthorized Logins severity high T1078

YARA-L (12)

ADFS DKM Key Access severity high T1552, T1552.004
GCP_Uunauthorized_GKE_Pod_Token_Endpoint_Usage T1550, T1550.001
GeoIP User Login From Multiple States Or Countries severity low
Logins From Terminated Employees severity medium T1078
MITRE ATT&CK T1110.001 Windows Repeated Authentication Failures Before Successful One severity medium T1110, T1110.001
MITRE ATT&CK T1110.001 Windows Repeated Authentication Failures Before Successful One With User Entity severity medium T1110, T1110.001
MITRE ATT&CK T1110.003 RW Windows Password Spray severity medium T1110, T1110.003
Okta Multiple Failed Requests To Access Applications severity medium T1550, T1550.004
sap break glass account login severity low T1078
sap impossible travel severity medium T1078
sap multi terminal logon severity medium T1078
Windows Short Term Account Use severity medium

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)

Microsoft-Windows-Security-Auditing Event ID 4648

Sigma (3)

Splunk (5)

Kusto (1)

YARA-L (12)

Keyboard shortcuts

Search operators