Windows.Sigma.Base Model #

This model is designed for triage of dead disk, or file based live analysis. The rules that use this model will be evaluated once on all events.

After all relevant rules are evaluated, the collection is complete.

Log Sources #

Following is a list of recognized log sources.

Log Source	Desc
*/windows/application	This Log Source generates events from the Application Channel.
*/windows/applocker	This Log Source generates combined events from the Windows `AppLocker service`.
*/windows/appmodel-runtime	This Log Source generates combined events from the Windows `AppModel Runtime`.
*/windows/appxdeployment-server
*/windows/appxpackaging-om
*/windows/bits-client	This Log Source generates combined events from the Windows Bits Client service.
*/windows/capi2
*/windows/certificateservicesclient-lifecycle-system
*/windows/codeintegrity-operational
*/windows/diagnosis-scripted
*/windows/dns-client
*/windows/dns-server
*/windows/dns-server-analytic
*/windows/driver-framework
*/windows/firewall-as
*/windows/ldap_debug
*/windows/lsa-server
*/windows/microsoft-servicebus-client
*/windows/msexchange-management
*/windows/ntlm
*/windows/openssh
*/windows/powershell
*/windows/powershell-classic
*/windows/security
*/windows/security-mitigations
*/windows/shell-core
*/windows/smbclient-security
*/windows/sysmon
*/windows/system
*/windows/taskscheduler
*/windows/terminalservices-localsessionmanager
*/windows/vhdmp
*/windows/windefend
*/windows/wmi
process_creation/windows/*
ps_classic_provider_start/windows/*
ps_classic_start/windows/*
ps_module/windows/*
ps_script/windows/*
registry_add/windows/*
registry_event/windows/*
registry_set/windows/*
antivirus/windows/windefend

Field Mappings #

The following field mappings can be used to access fields within the event. Note that it is also possible to access the fields directly (e.g. EventData.AccessMask)

View all Field Mappings

Name	Mapping
	x=>serialize(item=x.EventData)
AccessList	x=>x.EventData.AccessList
AccessMask	x=>x.EventData.AccessMask
Accesses	x=>x.EventData.Accesses
AccountDomain	x=>x.EventData.AccountDomain
AccountName	x=>x.EventData.AccountName
Account_Name	x=>x.EventData.Account_Name
Action	x=>x.EventData.Action
Address	x=>x.EventData.Address
AllowedToDelegateTo	x=>x.EventData.AllowedToDelegateTo
AppName	x=>x.EventData.Data[0]
ApplicationPath	x=>x.EventData.ApplicationPath
AttributeLDAPDisplayName	x=>x.EventData.AttributeLDAPDisplayName
AttributeValue	x=>x.EventData.AttributeValue
AuditPolicyChanges	x=>x.EventData.AuditPolicyChanges
AuditSourceName	x=>x.EventData.AuditSourceName
AuthenticationPackageName	x=>x.EventData.AuthenticationPackageName
CallTrace	x=>x.EventData.CallTrace
CallerProcessName	x=>x.EventData.CallerProcessName
Caller_Process_Name	x=>x.EventData.Caller_Process_Name
CallingProcessName	x=>x.EventData.CallingProcessName
Caption	x=>x.EventData.Caption
CategoryName	x=>x.EventData.`Category Name`
CertThumbprint	x=>x.EventData.CertThumbprint
Channel	x=>x.System.Channel
ClassName	x=>x.EventData.ClassName
ClientAddress	x=>x.EventData.ClientAddress
ClientName	x=>x.EventData.ClientName
Client_Address	x=>x.EventData.Client_Address
CommandLine	x=>x.EventData.CommandLine \|\| x.CommandLine
Company	x=>x.EventData.Company
Computer	x=>x.System.Computer
ComputerName	x=>x.System.Computer
Contents	x=>x.EventData.Contents
ContextInfo	x=>x.EventData.ContextInfo
CreationUtcTime	x=>x.EventData.CreationUtcTime
CurrentDirectory	x=>x.EventData.CurrentDirectory
Data	x=>serialize(item=x.EventData)
Description	x=>x.EventData.Description
DestAddress	x=>x.EventData.DestAddress
DestPort	x=>x.EventData.DestPort
Destination	x=>x.EventData.Destination
DestinationAddress	x=>x.EventData.DestinationAddress
DestinationHostname	x=>x.EventData.DestinationHostname
DestinationIp	x=>x.EventData.DestinationIp
DestinationIsIpv6	x=>x.EventData.DestinationIsIpv6
DestinationPort	x=>x.EventData.DestinationPort
Details	x=>x.EventData.Details
DetectionSource	x=>x.EventData.DetectionSource
DetectionUser	x=>x.EventData.`Detection User`
Device	x=>x.EventData.Device
DeviceClassName	x=>x.EventData.DeviceClassName
DeviceDescription	x=>x.EventData.DeviceDescription
DeviceInstanceID	x=>x.UserData.InstallDeviceID.DeviceInstanceID
DeviceName	x=>x.EventData.DeviceName
DomainName	x=>x.EventData.SubjectDomainName
DriverDescription	x=>x.UserData.InstallDeviceID.DriverDescription
DriverProvider	x=>x.UserData.InstallDeviceID.DriverProvider
DvrFmwk2003InstanceId	x=>x.UserData.UMDFHostDeviceArrivalBegin.InstanceId
DvrFmwkInstanceId	x=>x.UserData.UMDFHostDeviceRequest.InstanceId
EngineVersion	x=>x.EventData.EngineVersion
ErrorCode	x=>x.EventData.ErrorCode
EventData	x=>x.EventData
EventID	x=>x.System.EventID.Value
EventType	x=>x.EventData.EventType
ExecutionProcessID	x=>x.System.Execution.ProcessID
FailureCode	x=>x.EventData.FailureCode
Feature_Name	x=>x.EventData.`Feature Name`
FilePath	x=>x.EventData.FilePath
FileVersion	x=>x.EventData.FileVersion
Filename	x=>x.EventData.Filename
GrandParentCommandLine	x=>x.EventData.GrandParentCommandLine
GrandParentImage	x=>x.EventData.GrandParentImage
GrantedAccess	x=>x.EventData.GrantedAccess
GroupName	x=>x.EventData.GroupName
GroupSid	x=>x.EventData.GroupSid
Hash	x=>x.EventData.Hash
Hashes	x=>x.EventData.Hashes
HiveName	x=>x.EventData.HiveName
HostApplication	x=>x.EventData.HostApplication
HostName	x=>x.EventData.HostName
HostVersion	x=>x.EventData.HostVersion
Image	x=>x.EventData.Image
ImageLoaded	x=>x.EventData.ImageLoaded
ImagePath	x=>x.EventData.ImagePath
Imphash	x=>x.EventData.Hashes
Initiated	x=>x.EventData.Initiated
InstallStatus	x=>x.UserData.InstallDeviceID.InstallStatus
InstanceID	x=>x.UserData.UMDFHostDeviceArrivalBegin.InstanceId
IntegrityLevel	x=>x.EventData.IntegrityLevel
IpAddress	x=>x.EventData.IpAddress
IpPort	x=>x.EventData.IpPort
JobTitle	x=>x.EventData.name
KeyLength	x=>x.EventData.KeyLength
Keywords	x=>x.System.Keywords
LDAPDisplayName	x=>x.EventData.LDAPDisplayName
LayerRTID	x=>x.EventData.LayerRTID
Level	x=>x.System.Level
LocalIP	x=>x.EventData.LocalIP
LocalPort	x=>x.EventData.LocalPort
LogFileClearedChannel	x=>x.UserData.LogFileCleared.Channel
LogFileClearedSubjectUserName	x=>x.UserData.LogFileCleared.SubjectUserName
LogonID	x=>x.EventData.LogonID
LogonId	x=>x.EventData.LogonId
LogonProcessName	x=>x.EventData.LogonProcessName
LogonType	x=>x.EventData.LogonType
Logon_Account	x=>x.EventData.Logon_Account
Logon_Type	x=>x.EventData.LogonType
MD5	x=>x.EventData.MD5
MachineName	x=>x.EventData.MachineName
MandatoryLabel	x=>get(item=MandatoryLabelLookup, member=x.EventData.MandatoryLabel \|\| "-")
MemberName	x=>x.EventData.MemberName
MemberSid	x=>x.EventData.MemberSid
Message	x=>x.EventData
ModifyingApplication	x=>x.EventData.ModifyingApplication
ModuleMD5	x=>x.EventData.ModuleMD5
ModuleName	x=>x.EventData.ModuleName
ModulePath	x=>x.EventData.ModulePath
ModuleSHA1	x=>x.EventData.ModuleSHA1
ModuleSHA256	x=>x.EventData.ModuleSHA256
NewName	x=>x.EventData.NewName
NewProcessId	x=>x.EventData.NewProcessId
NewProcessName	x=>x.EventData.NewProcessName
NewTemplateContent	x=> x.EventData.NewTemplateContent
NewUacValue	x=>x.EventData.NewUacValue
NewValue	x=>x.EventData.NewValue
New_Value	x=>x.EventData.`New Value`
ObjectClass	x=>x.EventData.ObjectClass
ObjectName	x=>x.EventData.ObjectName
ObjectServer	x=>x.EventData.ObjectServer
ObjectType	x=>x.EventData.ObjectType
ObjectValueName	x=>x.EventData.ObjectValueName
OldUacValue	x=>x.EventData.OldUacValue
OperationEssStartedNamespaceName	x=>x.UserData.Operation_EssStarted.NamespaceName
OperationEssStartedPossibleCause	x=>x.UserData.Operation_EssStarted.PossibleCause
OperationEssStartedProcessid	x=>x.UserData.Operation_EssStarted.Processid
OperationEssStartedProvider	x=>x.UserData.Operation_EssStarted.Provider
OperationEssStartedQuery	x=>x.UserData.Operation_EssStarted.Query
OperationEssStartedUser	x=>x.UserData.Operation_EssStarted.User
Origin	x=>x.EventData.Origin
OriginalFileName	x=>x.EventData.OriginalFileName
OriginalFilename	x=>x.EventData.OriginalFileName
PID	x=>x.EventData.ProcessId
PackageFullName	x=>x.UserData.PackageFullName
ParentCommandLine	x=>x.EventData.ParentCommandLine
ParentImage	x=>x.EventData.ParentImage
ParentMD5	x=>x.EventData.ParentMD5
ParentProcessId	x=>x.EventData.ParentProcessId
ParentProcessName	x=>x.EventData.ParentProcessName
ParentSHA1	x=>x.EventData.ParentSHA1
ParentSHA256	x=>x.EventData.ParentSHA256
ParentUser	x=>x.EventData.ParentUser
PasswordLastSet	x=>x.EventData.PasswordLastSet
Path	x=>x.EventData.Path
Payload	x=>x.EventData.Payload
PipeName	x=>x.EventData.PipeName
PossibleCause	x=>x.UserData.PossibleCause
PreAuthType	x=>x.EventData.PreAuthType
PreviousCreationUtcTime	x=>x.EventData.PreviousCreationUtcTime
PrivilegeList	x=>x.EventData.PrivilegeList
ProcessCommandLine	x=>x.EventData.ProcessCommandLine
ProcessGuid	x=>x.EventData.ProcessGuid
ProcessId	x=>x.EventData.ProcessId
ProcessName	x=>x.EventData.ProcessName
Product	x=>x.EventData.Product
Properties	x=>x.EventData.Properties
Protocol	x=>x.EventData.Protocol
Provider	x=>x.UserData.Provider
ProviderName	x=>x.System.Provider.Name
Provider_Name	x=>x.System.Provider.Name
QNAME	x=>x.EventData.QNAME
Query	x=>x.UserData.Query
QueryName	x=>x.EventData.QueryName
QueryResults	x=>x.EventData.QueryResults
QueryStatus	x=>x.EventData.QueryStatus
RelativeTargetName	x=>x.EventData.RelativeTargetName
RemoteIP	x=>x.EventData.RemoteIP
RemoteName	x=>x.EventData.RemoteName
RemotePort	x=>x.EventData.RemotePort
RuleName	x=>x.EventData.RuleName
SAMAccountName	x=>x.EventData.SamAccountName
SHA1	x=>x.EventData.SHA1
SHA256	x=>x.EventData.SHA256
SamAccountName	x=>x.EventData.SamAccountName
ScriptBlockText	x=>x.EventData.ScriptBlockText
SearchFilter	x=>x.System.SearchFilter
SecurityUserID	x=>x.System.Security.UserID
ServerName	x=>x.System.ServerName
Service	x=>x.EventData.Service
ServiceFileName	x=>x.EventData.ServiceFileName
ServiceName	x=>x.EventData.ServiceName
ServicePrincipalNames	x=>x.EventData.ServicePrincipalNames
ServiceStartType	x=>x.EventData.ServiceStartType
ServiceType	x=>x.EventData.ServiceType
SeverityID	x=>x.EventData.`Severity ID`
SeverityName	x=>x.EventData.`Severity Name`
ShareLocalPath	x=>x.EventData.ShareLocalPath
ShareName	x=>x.EventData.ShareName
SidHistory	x=>x.EventData.SidHistory
Signature	x=>x.EventData.Signature
SignatureStatus	x=>x.EventData.SignatureStatus
Signed	x=>x.EventData.Signed
Source	x=>x.System.Provider_Name
SourceAddress	x=>x.EventData.SourceAddress
SourceHostname	x=>x.EventData.SourceHostname
SourceImage	x=>x.EventData.SourceImage
SourceIp	x=>x.EventData.SourceIp
SourceIsIpv6	x=>x.EventData.SourceIsIpv6
SourceNetworkAddress	x=>x.EventData.SourceNetworkAddress
SourcePort	x=>x.EventData.SourcePort
Source_Name	x=>x.EventData.`Source Name`
Source_Network_Address	x=>x.EventData.Source_Network_Address
Source_WorkStation	x=>x.EventData.Source_WorkStation
StartAddress	x=>x.EventData.StartAddress
StartFunction	x=>x.EventData.StartFunction
StartModule	x=>x.EventData.StartModule
StartType	x=>x.EventData.StartType
State	x=>x.EventData.State
Status	x=>x.EventData.Status
SubStatus	x=>x.EventData.SubStatus
SubjectDomainName	x=>x.EventData.SubjectDomainName
SubjectLogonId	x=>x.EventData.SubjectLogonId
SubjectUserName	x=>x.EventData.SubjectUserName
SubjectUserSid	x=>x.EventData.SubjectUserSid
SysmonVersion	x=>x.EventData.SysmonVersion
TargetDomainName	x=>x.EventData.TargetDomainName
TargetFilename	x=>x.EventData.TargetFilename
TargetImage	x=>x.EventData.TargetImage
TargetInfo	x=>x.EventData.TargetInfo
TargetLogonId	x=>x.EventData.TargetLogonId
TargetObject	x=>x.EventData.TargetObject
TargetOutboundUserName	x=>x.EventData.TargetOutboundUserName
TargetProcessAddress	x=>x.EventData.TargetProcessAddress
TargetServerName	x=>x.EventData.TargetServerName
TargetSid	x=>x.EventData.TargetSid
TargetUserName	x=>x.EventData.TargetUserName
TaskDate	x=>x.EventData.TaskContent
TaskName	x=>x.EventData.TaskName
TemplateContent	x=>x.EventData.TemplateContent
ThreatName	x=>x.EventData.`Threat Name`
TicketEncryptionType	x=>x.EventData.TicketEncryptionType
TicketOptions	x=>x.EventData.TicketOptions
Timestamp	x=>x.Timestamp
TokenElevationType	x=>get(item=TokenElevationTypeLookup, member=x.EventData.TokenElevationType \|\| "-")
Type	x=>x.EventData.Type
Url	x=>x.EventData.url
User	x=>x.EventData.User
UserDataAddress	x=>x.UserData.EventXML.Address
UserDataCode	x=>x.UserData.Operation_StartedOperational.Code
UserDataConsumer	x=>x.UserData.Operation_ESStoConsumerBinding.CONSUMER
UserDataESS	x=>x.UserData.Operation_ESStoConsumerBinding.ESS
UserDataHostProcess	x=>x.UserData.Operation_StartedOperational.HostProcess
UserDataNamespace	x=>x.UserData.Operation_ESStoConsumerBinding.Namespace
UserDataNamespaceName	x=>x.UserData.Operation_TemporaryEssStarted.NamespaceName
UserDataParam1	x=>x.UserData.EventXML.Param1
UserDataParam2	x=>x.UserData.EventXML.Param2
UserDataParam3	x=>x.UserData.EventXML.Param3
UserDataPossibleCause	x=>x.UserData.Operation_ESStoConsumerBinding.PossibleCause
UserDataProcessID	x=>x.UserData.Operation_StartedOperational.ProcessID
UserDataProcessid	x=>x.UserData.Operation_TemporaryEssStarted.Processid
UserDataProviderName	x=>x.UserData.Operation_StartedOperational.ProviderName
UserDataProviderPath	x=>x.UserData.Operation_StartedOperational.ProviderPath
UserDataQuery	x=>x.UserData.Operation_TemporaryEssStarted.Query
UserDataSessionID	x=>x.UserData.EventXML.SessionID
UserDataUser	x=>x.UserData.EventXML.User
UserName	x=>x.EventData.UserName
Value	x=>x.EventData.Value
Version	x=>x.System.Version
VhdType	x=>x.EventData.VhdType
WindowsDefenderProcessName	x=>x.EventData.`Process Name`
Workstation	x=>x.EventData.Workstation
WorkstationName	x=>x.EventData.WorkstationName
image	x=>x.EventData.Image
md5	x=>parse_string_with_regex(string=x.EventData.Hash \|\| '', regex='MD5=([^,]+)').g1
param1	x=>x.EventData.param1
param2	x=>x.EventData.param2
param3	x=>x.EventData.param3
param4	x=>x.EventData.param4
param5	x=>x.EventData.param5
processPath	x=>x.EventData.processPath
query	x=>x.EventData.Query
service	x=>x.EventData.Service
sha1	x=>x.EventData.Hashes
sha256	x=>parse_string_with_regex(string=x.EventData.Hash \|\| '', regex='SHA256=([^,]+)').g1

`*/windows/application` #

This Log Source generates events from the Application Channel.

These are usually stored in the file C:\Windows\System32\WinEvt\Logs\Application.evtx

The channel stores a wide variety of system events from multiple services.

Details

`*/windows/applocker` #

This Log Source generates combined events from the Windows AppLocker service.

Events are usually stored in the files:

C:\Windows\System32\WinEvt\Logs\Microsoft-Windows-AppLocker%4MSI and Script.evtx
C:\Windows\System32\WinEvt\Logs\Microsoft-Windows-AppLocker%4EXE and DLL.evtx
C:\Windows\System32\WinEvt\Logs\Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx
C:\Windows\System32\WinEvt\Logs\Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx

Details

`*/windows/appmodel-runtime` #

This Log Source generates combined events from the Windows AppModel Runtime.

Events are usually stored in the files:

C:\Windows\System32\WinEvt\Logs\Microsoft-Windows-AppModel-Runtime%4Admin.evtx

Details

`*/windows/appxdeployment-server` #

Details

`*/windows/appxpackaging-om` #

Details

`*/windows/bits-client` #

This Log Source generates combined events from the Windows Bits Client service.

Events are usually stored in the files:

C:\Windows\System32\WinEvt\Logs\Microsoft-Windows-Bits-Client%4Operational.evtx

The BITS service is used to download files and it is often misused by threat actors to download malicious payloads.

Details

VQL Query #

SELECT timestamp(epoch=System.TimeCreated.SystemTime) AS Timestamp, *
FROM parse_evtx(filename=ROOT + "/Microsoft-Windows-Bits-Client%4Operational.evtx")
WHERE Timestamp >= DateAfterTime AND Timestamp <= DateBeforeTime

Sample Events #

EventID 3 - New Job Creation #

{"Timestamp":"2025-01-13T13:48:20.745705604Z","System":{"Provider":{"Name":"Microsoft-Windows-Bits-Client","Guid":"EF1CC15B-46C1-414E-BB95-E76B077BD51E"},"EventID":{"Value":3},"Version":3,"Level":4,"Task":0,"Opcode":0,"Keywords":4611686018427387904,"TimeCreated":{"SystemTime":1736776100.7457056},"EventRecordID":1320,"Correlation":{},"Execution":{"ProcessID":8936,"ThreadID":9100},"Channel":"Microsoft-Windows-Bits-Client/Operational","Computer":"WIN-SJE0CKQO83P","Security":{"UserID":"S-1-5-18"}},"EventData":{"jobTitle":"Chrome Component Updater","jobId":"B73C90F1-5FA7-4445-8E49-6C40870E4502","jobOwner":"WIN-SJE0CKQO83P\\Administrator","processPath":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe","processId":3616,"ClientProcessStartKey":1407374883553491},"Message":"The BITS service created a new job.\nTransfer job: Chrome Component Updater\nJob ID: B73C90F1-5FA7-4445-8E49-6C40870E4502\nOwner: WIN-SJE0CKQO83P\\Administrator\nProcess Path: C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe\nProcess ID: 3616\r\n"}

Sample use in a sigma rule: #

logsource:
  product: windows
  service: bits-client

`*/windows/capi2` #

Details

`*/windows/certificateservicesclient-lifecycle-system` #

Details

`*/windows/codeintegrity-operational` #

Details

`*/windows/diagnosis-scripted` #

Details

`*/windows/dns-client` #

Details

`*/windows/dns-server` #

Details

`*/windows/dns-server-analytic` #

Details

`*/windows/driver-framework` #

Details

`*/windows/firewall-as` #

Details

`*/windows/ldap_debug` #

Details

`*/windows/lsa-server` #

Details

`*/windows/microsoft-servicebus-client` #

Details

`*/windows/msexchange-management` #

Details

`*/windows/ntlm` #

Details

`*/windows/openssh` #

Details

`*/windows/powershell` #

Details

`*/windows/powershell-classic` #

Details

`*/windows/security` #

Details

`*/windows/security-mitigations` #

Details

`*/windows/shell-core` #

Details

`*/windows/smbclient-security` #

Details

`*/windows/sysmon` #

Details

`*/windows/system` #

Details

`*/windows/taskscheduler` #

Details

`*/windows/terminalservices-localsessionmanager` #

Details

`*/windows/vhdmp` #

Details

`*/windows/windefend` #

Details

`*/windows/wmi` #

Details

`process_creation/windows/*` #

Details

`ps_classic_provider_start/windows/*` #

Details

`ps_classic_start/windows/*` #

Details

`ps_module/windows/*` #

Details

`ps_script/windows/*` #

Details

`registry_add/windows/*` #

Details

`registry_event/windows/*` #

Details

`registry_set/windows/*` #

Details

`antivirus/windows/windefend` #

Details

Windows.Sigma.Base Model #

Log Sources #

Field Mappings #

*/windows/application #

VQL Query #

Sample use in a sigma rule: #

*/windows/applocker #

VQL Query #

Sample use in a sigma rule: #

*/windows/appmodel-runtime #

VQL Query #

Sample use in a sigma rule: #

*/windows/appxdeployment-server #

VQL Query #

Sample use in a sigma rule: #

*/windows/appxpackaging-om #

VQL Query #

Sample use in a sigma rule: #

*/windows/bits-client #

VQL Query #

Sample Events #

EventID 3 - New Job Creation #

Sample use in a sigma rule: #

*/windows/capi2 #

VQL Query #

Sample use in a sigma rule: #

*/windows/certificateservicesclient-lifecycle-system #

VQL Query #

Sample use in a sigma rule: #

*/windows/codeintegrity-operational #

VQL Query #

Sample use in a sigma rule: #

*/windows/diagnosis-scripted #

VQL Query #

Sample use in a sigma rule: #

*/windows/dns-client #

VQL Query #

Sample use in a sigma rule: #

*/windows/dns-server #

VQL Query #

Sample use in a sigma rule: #

*/windows/dns-server-analytic #

VQL Query #

Sample use in a sigma rule: #

*/windows/driver-framework #

VQL Query #

Sample use in a sigma rule: #

*/windows/firewall-as #

VQL Query #

Sample use in a sigma rule: #

*/windows/ldap_debug #

VQL Query #

Sample use in a sigma rule: #

*/windows/lsa-server #

VQL Query #

Sample use in a sigma rule: #

*/windows/microsoft-servicebus-client #

VQL Query #

Sample use in a sigma rule: #

*/windows/msexchange-management #

VQL Query #

Sample use in a sigma rule: #

*/windows/ntlm #

VQL Query #

Sample use in a sigma rule: #

*/windows/openssh #

VQL Query #

Sample use in a sigma rule: #

*/windows/powershell #

VQL Query #

Sample use in a sigma rule: #

*/windows/powershell-classic #

VQL Query #

Sample use in a sigma rule: #

*/windows/security #

VQL Query #

Sample use in a sigma rule: #

*/windows/security-mitigations #

VQL Query #

Sample use in a sigma rule: #

`*/windows/application` #

`*/windows/applocker` #

`*/windows/appmodel-runtime` #

`*/windows/appxdeployment-server` #

`*/windows/appxpackaging-om` #

`*/windows/bits-client` #

`*/windows/capi2` #

`*/windows/certificateservicesclient-lifecycle-system` #

`*/windows/codeintegrity-operational` #

`*/windows/diagnosis-scripted` #

`*/windows/dns-client` #

`*/windows/dns-server` #

`*/windows/dns-server-analytic` #

`*/windows/driver-framework` #

`*/windows/firewall-as` #

`*/windows/ldap_debug` #

`*/windows/lsa-server` #

`*/windows/microsoft-servicebus-client` #

`*/windows/msexchange-management` #

`*/windows/ntlm` #

`*/windows/openssh` #

`*/windows/powershell` #

`*/windows/powershell-classic` #

`*/windows/security` #

`*/windows/security-mitigations` #

`*/windows/shell-core` #

`*/windows/smbclient-security` #

`*/windows/sysmon` #

`*/windows/system` #

`*/windows/taskscheduler` #

`*/windows/terminalservices-localsessionmanager` #

`*/windows/vhdmp` #

`*/windows/windefend` #

`*/windows/wmi` #

`process_creation/windows/*` #

`ps_classic_provider_start/windows/*` #

`ps_classic_start/windows/*` #

`ps_module/windows/*` #

`ps_script/windows/*` #

`registry_add/windows/*` #

`registry_event/windows/*` #

`registry_set/windows/*` #

`antivirus/windows/windefend` #