The AlphaSOC Analytics Engine (AE) performs fast multi-dimensional processing of network telemetry to identify anomalies and highlight compromised hosts. AE is commonly consumed as a multi-tenant cloud service, but can also be run locally on-premise. AlphaSOC users send raw network telemetry to AE, which processes the data to generate high fidelity alerts.
AE is origin agnostic and can process data from many sources, including:
- EDR tools (via agents such as CrowdStrike Falcon and Cisco Umbrella)
- Cloud infrastructure (e.g. AWS and Azure VPC flow logs)
- Network infrastructure (e.g. firewalls, web proxies, and DNS servers)
- Network sensors (e.g. Corelight / Zeek, Suricata, and Splunk Stream)
The way in which AE runs as a cloud service is described in the diagram below. Users submit telemetry to the engine via https://api.alphasoc.net and retrieve alerts for escalation via SIEM, SOAR, and other mechanisms (e.g. ticketing and chatops).
When AE is run on-premise, it leverages the Wisdom API in order to gather live reputation data, as shown below. In this case, the raw telemetry is stored and processed locally within the customer environment, but particular destinations (i.e. Internet-based domain names and IP addresses) are leaked to the Wisdom API during operation.