References

• Collection Priority: According to authoritative sources (Microsoft, Australian Signals Directorate, Yamato Security, ...)
• Sigma Rules: Mapped to 222 events across 47 providers (3,700 rule mappings)
• Elastic Detection Rules: Mapped to 30 events across 5 providers (89 rule mappings)
• Elastic Inferred Detection Coverage: 954 inferred rule-to-event mappings across 46 events (medium/low confidence)
• Splunk Detection Rules: Mapped to 104 events across 17 providers (796 rule mappings)

• Access Mask: Bitmask values for file, registry, AD, and SAM objects in Security events 4656, 4657, 4661, 4662, 4657
• Logon Type: Values in Security events 4624, 4625, 4648
• NTSTATUS Codes: Complete table from Windows 11 25H2
• Privilege Constants: Seen in Security events 4672, 4673, 4674
• Process Access Rights: Bitmasks in Sysmon Event 10 and Security event 4663
• UAC Flags: Bitmask flags in Security events 4738, 4720

• Navigation: Search operators, filter syntax, and keyboard shortcuts