Rules referencing Microsoft-Windows-Security-Auditing Event ID 4656

Sigma (18)

Azure AD Health Monitoring Agent Registry Keys Access severity medium T1012
Azure AD Health Service Agents Registry Keys Access severity medium T1012
BlueSky Ransomware Artefacts severity high T1486
CVE-2023-23397 Exploitation Attempt severity critical
LSASS Access From Non System Account severity medium T1003, T1003.001
LSASS credential dump with LSASSY (kernel access) severity high T1003, T1003.001
LSASS process dump by a non system account severity high T1003, T1003.001
Password Dumper Activity on LSASS severity high T1003, T1003.001
Potential Secure Deletion with SDelete severity medium T1027, T1027.005, T1070, T1070.004, T1485, T1553
Potentially Suspicious AccessMask Requested From LSASS severity medium T1003, T1003.001
Processes Accessing the Microphone and Webcam severity medium T1123
SAM Registry Hive Handle Request severity high T1012, T1552, T1552.002
SCM Database Handle Failure severity medium T1010
Sticky key sethc file failed replacement severity high T1546, T1546.008
SysKey Registry Keys Access severity high T1012
WCE wceaux.dll Access severity critical T1003
Windows Defender Exclusion Registry Key - Write Access Requested severity medium T1685
WinRM listening service reconnaissance (WS-Management) severity medium T1021, T1021.006

Elastic (1)

LSASS Memory Dump Handle Access severity medium T1003, T1003.001

Splunk (15)

Kusto (4)

Microsoft Entra ID Health Monitoring Agent Registry Keys Access severity medium T1005
Microsoft Entra ID Health Service Agents Registry Keys Access severity medium T1005
Microsoft Entra ID Local Device Join Information and Transport Key Registry Keys Access severity medium T1012
Starting or Stopping HealthService to Avoid Detection severity medium T1562, T1562.001

YARA-L (1)

MITRE ATT&CK T1090 Port Proxy Forwarding CISA Report severity low T1090

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)

Microsoft-Windows-Security-Auditing Event ID 4656

Sigma (18)

Elastic (1)

Splunk (15)

Kusto (4)

YARA-L (1)

Keyboard shortcuts

Search operators