Navigation Reference
Search filters#
Click the filter chips below the search bar to cycle through require / exclude / any. You can also type filters directly in the search query:
| Inclusion | Exclusion | Aliases | Purpose |
|---|---|---|---|
| has:sigma | no:sigma | | Events with linked Sigma detection rules |
| has:elastic | no:elastic | | Events with linked Elastic detection rules |
| has:splunk | no:splunk | spl | Events with linked Splunk detection rules |
| has:sample | no:sample | samples | Events with real .evtx sample data |
| has:field | no:field | fields, fielddesc | Events with human-written field descriptions |
| has:ref | no:ref | refs, references, reference | Events with external reference links |
| has:note | no:note | notes | Events with community analyst notes |
| has:vendor | no:vendor | 3rdparty, vendors | Events from non-Microsoft vendors |
| has:trace | no:trace | etw, etwtrace, traces | Trace events from MOF-based providers |
| has:rule | no:rule | rules | Events with any detection rule (Sigma, Elastic, or Splunk) |
| has:pattern | no:pattern | patterns | Events linked to detection patterns |
Filter chips and inline has:/no: operators can be combined. Inline filters override chip state when both target the same filter.
Exact-match syntax#
Wrap a phrase in double quotes to require an exact match:
"process creation" — matches that exact phrase
"logon type" 4624 — exact phrase plus free text term, both must match
Examples#
kerberos has:sigma — Kerberos events with Sigma rules
"privilege escalation" has:sample no:vendor — exact phrase, with sample event, Microsoft only
4688 has:field — Event 4688 entries that have field descriptions
sysmon has:sample no:sigma — Sysmon events with sample data but no Sigma rules
has:rule no:pattern — events with detection rules but no linked detection patterns
4698 has:pattern — Event 4698 entries linked to detection patterns
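The filter, alias and exact-match rules above, worked through as a small query parser and matcher. This is an added example, not the site's own search code: the function names, the constructed event records and the use of substring matching for terms are assumptions made here; the alias table, the has:/no: semantics, the meaning of has:rule (any of Sigma, Elastic or Splunk) and the rule that an inline filter overrides a chip for the same filter are taken from this page.

```javascript
// Added example, not the site's code. Parses the documented search syntax
// (has:/no: filters with aliases, "quoted phrases", free-text terms) and
// applies it to a constructed event catalogue.

// Alias -> canonical filter name, from the Aliases column of the table.
const FILTER_ALIASES = {
  sigma: "sigma",
  elastic: "elastic",
  splunk: "splunk", spl: "splunk",
  sample: "sample", samples: "sample",
  field: "field", fields: "field", fielddesc: "field",
  ref: "ref", refs: "ref", references: "ref", reference: "ref",
  note: "note", notes: "note",
  vendor: "vendor", "3rdparty": "vendor", vendors: "vendor",
  trace: "trace", etw: "trace", etwtrace: "trace", traces: "trace",
  rule: "rule", rules: "rule",
  pattern: "pattern", patterns: "pattern",
};

// A double-quoted run becomes one phrase token; everything else splits on
// whitespace. An unterminated quote is left as ordinary words (assumption).
function tokenize(query) {
  const tokens = [];
  const re = /"([^"]*)"|(\S+)/g;
  let m;
  while ((m = re.exec(query)) !== null) {
    tokens.push(m[1] !== undefined ? { phrase: m[1] } : { word: m[2] });
  }
  return tokens;
}

// -> { phrases, terms, inline: {filter: "require"|"exclude"}, unknown }
// If one filter appears as both has: and no:, the later one wins (assumption).
function parseQuery(query) {
  const out = { phrases: [], terms: [], inline: {}, unknown: [] };
  for (const tok of tokenize(query)) {
    if (tok.phrase !== undefined) {
      const p = tok.phrase.trim().toLowerCase();
      if (p) out.phrases.push(p);
      continue;
    }
    const m = /^(has|no):(\S+)$/i.exec(tok.word);
    if (!m) { out.terms.push(tok.word.toLowerCase()); continue; }
    const canonical = FILTER_ALIASES[m[2].toLowerCase()];
    if (!canonical) { out.unknown.push(tok.word); continue; }
    out.inline[canonical] = m[1].toLowerCase() === "has" ? "require" : "exclude";
  }
  return out;
}

// Chip state is {filter: "require"|"exclude"|"any"}. An inline filter replaces
// the chip for the same filter; chips for other filters stay in force.
function effectiveFilters(chipState, inline) {
  return { ...chipState, ...inline };
}

// has:rule is derived: the event has a Sigma, Elastic or Splunk rule.
function eventHas(event, filter) {
  if (filter === "rule") return ["sigma", "elastic", "splunk"].some((f) => event.has.includes(f));
  return event.has.includes(filter);
}

function matches(event, parsed, filters) {
  const text = `${event.id} ${event.title} ${event.description}`.toLowerCase();
  // Every quoted phrase and every free-text term must be present.
  if (!parsed.phrases.every((p) => text.includes(p))) return false;
  if (!parsed.terms.every((t) => text.includes(t))) return false;
  for (const [filter, mode] of Object.entries(filters)) {
    const present = eventHas(event, filter);
    if (mode === "require" && !present) return false;
    if (mode === "exclude" && present) return false;
  }
  return true;
}

// Returns the IDs of matching events in catalogue order.
function search(query, chipState, events) {
  const parsed = parseQuery(query);
  const filters = effectiveFilters(chipState, parsed.inline);
  return events.filter((e) => matches(e, parsed, filters)).map((e) => e.id);
}

// Constructed sample catalogue for the example; not real site data.
const EVENTS = [
  { id: "4624", title: "An account was successfully logged on",
    description: "Logon type 3 network logon", has: ["sigma", "elastic", "sample", "field"] },
  { id: "4688", title: "A new process has been created",
    description: "Process creation; used in privilege escalation detections",
    has: ["sigma", "sample", "field", "pattern"] },
  { id: "4698", title: "A scheduled task was created",
    description: "Scheduled task creation as persistence or privilege escalation",
    has: ["sigma", "pattern"] },
  { id: "1000", title: "Agent blocked privilege escalation attempt",
    description: "Third-party endpoint agent event", has: ["vendor", "sample", "splunk"] },
];

if (typeof require !== "undefined" && require.main === module) {
  console.log(search('"privilege escalation" has:sample no:vendor', {}, EVENTS)); // [ '4688' ]
  console.log(search("has:rule no:pattern", {}, EVENTS));                         // [ '4624', '1000' ]
  console.log(search("1000 has:splunk", { sigma: "require" }, EVENTS));          // [] (chip still applies)
}
```

The last call shows the chip interaction: a `sigma` chip set to require is not touched by an inline `has:splunk`, so event 1000 (which has no Sigma rule) is still filtered out; only an inline `has:sigma`/`no:sigma` would replace that chip.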
Keyboard shortcuts#
The site provides Vimium-style navigation:
Scrolling#
j and k to scroll down/up
d and u to scroll one-half page down/up
gg to scroll to the top
G to scroll to the bottom
Link hints#
f to show a one-character hint next to each link; type that character to open the link in the same tab
Searching#
/ to start a search (note that it will take you to the home page)
Search results#
Arrow Down and Arrow Up to navigate results
Enter to open the highlighted result
Escape to close results
Navigation#
h to go back in page history
l to go forward in page history