Analytics
Field Explorer
Explore which fields are targeted in Sigma detections, how they're matched, and what values are most commonly used - per logsource. Useful for logging coverage planning, SIEM field mapping, and detection engineering.
Global Modifier Usage
Modifier      Rules  Share of rules
exact         2,919  79%
endswith      2,609  70%
contains      2,281  62%
contains|all    819  22%
startswith      362  10%
regex           118   3%
contains         81   2%
CIDR             25   1%
Logsource Explorer
1,398 rules in scope · 17 fields

Rules  Modifier      Value
   27  contains|all  …add…
   24  contains      …\AppData\Local\Temp\…
   22  contains      …rundll32…
   21  contains      …http…
   18  contains      …:\Users\Public\…
   17  contains      …\Users\Public\…
   17  contains      ….dll…
   17  contains      …powershell…

  156  endswith      …\powershell.exe
  144  endswith      …\pwsh.exe
  115  endswith      …\cmd.exe
   85  endswith      …\rundll32.exe
   64  endswith      …\cscript.exe
   64  endswith      …\wscript.exe
   58  endswith      …\regsvr32.exe
   53  endswith      …\mshta.exe

   76  exact         pwsh.dll
   71  exact         PowerShell.EXE
   39  exact         Cmd.Exe
   35  exact         wmic.exe
   31  exact         RUNDLL32.EXE
   30  exact         reg.exe
   19  exact         net.exe
   19  exact         net1.exe

   24  endswith      …\cmd.exe
   24  endswith      …\powershell.exe
   21  endswith      …\pwsh.exe
   18  endswith      …\wscript.exe
   16  endswith      …\cscript.exe
   15  endswith      …\rundll32.exe
   14  endswith      …\explorer.exe
   13  endswith      …\mshta.exe

    3  contains|all  …:\Users\…
    2  contains      …/r…
    2  contains      …\ProgramData\Microsoft\Windows Defender Advanced Threat Protection…
    2  contains      …JwB7ACIAZgBhAGkAbABlAGQAIgA6AHQAcgB1AGUALAAiAG0AcwBnACIAOgAiAEEAbgBzAGkAYgBsAGUAIAByAGUAcQB1AGkAcgBlAHMAIABQAG8AdwBlAHIAUwBoAGUAbABsACAAdgAzAC4AMAAgAG8AcgAgAG4AZQB3AGUAcgAiAH0AJw…
    2  contains      …cAewAiAGYAYQBpAGwAZQBkACIAOgB0AHIAdQBlACwAIgBtAHMAZwAiADoAIgBBAG4AcwBpAGIAbABlACAAcgBlAHEAdQBpAHIAZQBzACAAUABvAHcAZQByAFMAaABlAGwAbAAgAHYAMwAuADAAIABvAHIAIABuAGUAdwBlAHIAIgB9ACcA…
    2  contains      …nAHsAIgBmAGEAaQBsAGUAZAAiADoAdAByAHUAZQAsACIAbQBzAGcAIgA6ACIAQQBuAHMAaQBiAGwAZQAgAHIAZQBxAHUAaQByAGUAcwAgAFAAbwB3AGUAcgBTAGgAZQBsAGwAIAB2ADMALgAwACAAbwByACAAbgBlAHcAZQByACIAfQAnA…
    2  contains      …:\Users\Public\…
    2  contains      …:\Windows\Temp\…

    4  exact         GnuPG’s OpenPGP tool
    3  contains      …7-Zip…
    3  exact         Command line RAR
    3  exact         AnyDesk
    2  exact         Windows PowerShell
    2  exact         Active Directory Editor
    2  exact         System activity monitor
    2  exact         WMI Commandline Utility

    5  exact         The curl executable
    3  exact         PowerShell Core 6
    3  exact         AnyDesk
    2  exact         Ping Castle
    2  contains      …NetSupport Remote Control…
    2  exact         Remote Utilities
    2  exact         Node.js
    2  exact         SQLite

   24  exact         System
   24  exact         S-1-16-16384
   16  exact         High
   16  exact         S-1-16-12288
    3  exact         Medium
    3  exact         S-1-16-8192

    3  exact         AnyDesk Software GmbH
    2  exact         LogMeIn, Inc.
    1  exact         Microsoft Corporation
    1  contains      …SpecterOps…
    1  contains      …evil corp…
    1  exact         Cube0x0
    1  exact         SecurityXploded
    1  exact         REvol Corp

   16  contains      …AUTHORI…
   16  contains      …AUTORI…
    1  endswith      …\SYSTEM
    1  endswith      …\Système
    1  endswith      …\СИСТЕМА
    1  contains      …TrustedInstaller…
    1  contains      …NETWORK SERVICE…
    1  contains      …NETZWERKDIENST…

    1  contains      …\AppData\Local\Temp\…
    1  contains      …\Desktop\…
    1  contains      …\Downloads\…
    1  contains      …\Users\Public\…
    1  contains      …\Windows\Temp\…
    1  exact         c:\windows\system32\
    1  exact         c:\windows\sysWOW64\
    1  exact         C:\Program Files\Windows Defender\Offline\

    1  startswith    7.0.…
    1  startswith    7.1.…
    1  startswith    8.0.1…
    1  startswith    8.0.2…
    1  startswith    8.0.3…
    1  startswith    8.0.4…
    1  startswith    8.0.5…
    1  startswith    8.0.6…

    3  exact         0x3e7
    1  exact         null

    2  contains      …AUTHORI…
    2  contains      …AUTORI…
    1  endswith      …\NETWORK SERVICE
    1  endswith      …\LOCAL SERVICE

    1  exact         SystemTraceProvider-Process

    1  endswith      …\rundll32.exe