AlphaSOC Architecture
AlphaSOC is a scalable security analytics platform that ingests telemetry from diverse sources, normalizes and enriches it, and applies multi-layered analysis to detect threats. This page provides a system-level overview of the AlphaSOC architecture and how its components operate across deployment models.
Telemetry Ingestion
AlphaSOC supports structured telemetry ingestion from a wide range of environments:
- Sources: EDR tools (e.g., CrowdStrike, SentinelOne), network sensors (Zeek, Suricata), cloud platforms (AWS, Azure, GCP), DNS infrastructure, proxies, and SaaS applications (e.g., Okta, GitHub).
- Formats: OCSF, JSON, Syslog, CSV, and other structured formats.
- Ingestion methods: HTTPS API, Syslog forwarders, SIEM connectors, or lightweight agents.
Normalization & Enrichment
Ingested data is normalized into a unified schema and enriched with metadata such as:
- IP geolocation and ASN.
- DNS resolver fingerprinting.
- Normalized identity, protocol, and timestamp fields.
This allows consistent downstream processing, correlation, and storage regardless of log source.
Detection Flow
AlphaSOC applies a multi-layered detection pipeline that includes fingerprinting, reputation scoring, prevalence analysis, time-based modeling, and threat intelligence correlation.
For details on detection capabilities, categories, and anomaly modeling, refer to the Capabilities page.
Correlation & Escalation Logic
After initial detections are scored, AlphaSOC applies correlation logic across identities, endpoints, and timeframes to produce higher-confidence results. This includes:
- Aggregation of related detections into composite alerts.
- Incident modeling of multi-stage activity.
- Enrichment with user and asset context.
This reduces noise and prioritizes relevant security outcomes.
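As an added example (not AlphaSOC's correlation engine), the block below implements the three steps above over constructed input: scored detections are clustered per identity within a time window, each cluster is aggregated into one composite alert with a combined confidence score and a multi-stage flag, and the composite is enriched with user and asset context. The window size, the stage ordering, the scoring weights and all context tables are assumptions made for the example.

```python
"""Correlate scored detections into composite alerts.

Added illustration, not AlphaSOC's correlation engine: the detection records,
the user/asset context tables, the window size and the scoring weights are
constructed for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(minutes=30)   # detections for one identity within this span are related

# Constructed scored detections as a detection layer might emit them.
DETECTIONS = [
    {"ts": "2024-03-01T09:00:00Z", "identity": "ACME\\alice", "host": "ws-17", "category": "c2_beacon", "score": 60},
    {"ts": "2024-03-01T09:05:00Z", "identity": "ACME\\alice", "host": "ws-17", "category": "dga_query", "score": 40},
    {"ts": "2024-03-01T09:20:00Z", "identity": "ACME\\alice", "host": "ws-17", "category": "data_exfil", "score": 70},
    {"ts": "2024-03-01T14:00:00Z", "identity": "ACME\\alice", "host": "ws-17", "category": "dga_query", "score": 40},
    {"ts": "2024-03-01T09:10:00Z", "identity": "ACME\\bob", "host": "ws-22", "category": "tor_usage", "score": 30},
]

# Constructed user and asset context used to enrich composites.
USER_CONTEXT = {
    "ACME\\alice": {"dept": "finance", "privileged": True},
    "ACME\\bob": {"dept": "marketing", "privileged": False},
}
ASSET_CONTEXT = {
    "ws-17": {"tier": "workstation", "crown_jewel": False},
    "ws-22": {"tier": "workstation", "crown_jewel": False},
}

# Hypothetical stage ordering used to recognise multi-stage activity.
STAGE_OF = {"dga_query": 1, "c2_beacon": 2, "tor_usage": 2, "data_exfil": 3}


def parse_ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00")).astimezone(timezone.utc)


def group_by_identity_window(detections, window=WINDOW):
    """Split each identity's detections into clusters whose inter-event gaps never exceed `window`."""
    by_identity = defaultdict(list)
    for d in sorted(detections, key=lambda d: parse_ts(d["ts"])):
        by_identity[d["identity"]].append(d)
    clusters = []
    for items in by_identity.values():
        current = [items[0]]
        for d in items[1:]:
            if parse_ts(d["ts"]) - parse_ts(current[-1]["ts"]) <= window:
                current.append(d)
            else:
                clusters.append(current)
                current = [d]
        clusters.append(current)
    return clusters


def build_composite(cluster):
    """Aggregate a cluster into one alert with a confidence score and a multi-stage flag."""
    identity = cluster[0]["identity"]
    hosts = sorted({d["host"] for d in cluster})
    categories = sorted({d["category"] for d in cluster})
    stages = {STAGE_OF.get(c, 0) for c in categories}
    multi_stage = len(stages) >= 2
    # Diminishing-returns aggregation: top score plus half of each remaining score, capped at 100.
    scores = sorted((d["score"] for d in cluster), reverse=True)
    confidence = min(100, scores[0] + sum(s // 2 for s in scores[1:]))
    if multi_stage:
        confidence = min(100, confidence + 15)   # progression across stages raises confidence
    user = USER_CONTEXT.get(identity, {})
    if user.get("privileged"):
        confidence = min(100, confidence + 10)   # privileged identity raises priority
    if confidence >= 90:
        severity = "critical"
    elif confidence >= 70:
        severity = "high"
    elif confidence >= 40:
        severity = "medium"
    else:
        severity = "low"
    return {
        "identity": identity,
        "hosts": hosts,
        "first_seen": cluster[0]["ts"],
        "last_seen": cluster[-1]["ts"],
        "categories": categories,
        "detections": len(cluster),
        "multi_stage_incident": multi_stage,
        "confidence": confidence,
        "severity": severity,
        "user": user,
        "assets": {h: ASSET_CONTEXT.get(h, {}) for h in hosts},
    }


def correlate(detections=DETECTIONS):
    """Return composite alerts ordered by descending confidence."""
    composites = [build_composite(c) for c in group_by_identity_window(detections)]
    return sorted(composites, key=lambda a: a["confidence"], reverse=True)


if __name__ == "__main__":
    for alert in correlate():
        print(alert["severity"], alert["identity"], alert["categories"], alert["confidence"])
```

On the constructed input, five raw detections collapse into three composites: one critical multi-stage incident for the first identity, a separate medium-severity cluster for the same identity hours later, and a low-severity single detection for the second identity. That is the noise reduction the section describes, with the time window deciding what counts as one incident.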
Custom Rules
AlphaSOC supports custom detections using the Sigma rule format, allowing organizations to:
- Extend built-in logic.
- Author private rules for environment-specific use cases.
- Adjust severity and scoring per rule.
Alert Delivery & Integration
Alerts are formatted in standard structures and delivered via:
- Formats: JSON, OCSF, and custom formats available on request.
- Destinations:
  - REST API (pull or push).
  - SIEM and log-pipeline tools (Cribl, Elastic, Splunk).
  - SOAR, ticketing, and chat systems (Jira, Opsgenie, Slack).
  - Network Behavior Analytics for Splunk.
  - AlphaSOC Web Console.
Data Lake & Retrospective Detection
AlphaSOC stores all normalized telemetry in a customer-specific data lake:
- Supports retroactive detection using updated rules or threat intelligence.
- Enables deep forensic investigations and compliance reporting.
- Available across SaaS and on-prem deployments.
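The block below is an added example (not AlphaSOC's rule engine) that serves both the Custom Rules section and this one: it evaluates a Sigma-style rule (field modifiers, OR-ed value lists, a `selection and not filter` condition, a `level` mapped to a score) over normalized events, then replays that rule across a stored history and flags hits that predate the rule's creation, which is the retroactive-detection use case. The rule, the events, the level-to-score mapping and the rule creation date are constructed; the rule is written as the Python dict that `yaml.safe_load()` would produce from the Sigma YAML in the comment, so it runs without a YAML library.

```python
"""Evaluate a Sigma-style rule over normalized events and replay it over stored history.

Added illustration, not AlphaSOC's rule engine: the rule, the events and the
level-to-score mapping are constructed. The rule is written out as the Python
dict that yaml.safe_load() would produce for the Sigma YAML in the comment.
"""
from datetime import datetime

# Equivalent Sigma YAML (constructed example rule):
#   title: DNS query for newly listed C2 domain
#   logsource: {category: dns}
#   detection:
#     selection:
#       protocol: dns
#       query|endswith:
#         - '.bad-example.net'
#         - '.evil-example.org'
#     filter:
#       src_ip|startswith: '10.99.'   # hypothetical sandbox range
#     condition: selection and not filter
#   level: high
RULE = {
    "title": "DNS query for newly listed C2 domain",
    "logsource": {"category": "dns"},
    "detection": {
        "selection": {"protocol": "dns", "query|endswith": [".bad-example.net", ".evil-example.org"]},
        "filter": {"src_ip|startswith": "10.99."},
        "condition": "selection and not filter",
    },
    "level": "high",
}

LEVEL_SCORE = {"informational": 10, "low": 30, "medium": 50, "high": 75, "critical": 95}  # constructed

# Constructed data-lake contents: normalized events, including some from before the rule existed.
DATA_LAKE = [
    {"ts": "2024-01-03T08:00:00Z", "protocol": "dns", "src_ip": "10.1.2.3", "query": "cdn.bad-example.net"},
    {"ts": "2024-01-03T08:01:00Z", "protocol": "dns", "src_ip": "10.99.0.7", "query": "cdn.bad-example.net"},
    {"ts": "2024-02-10T12:00:00Z", "protocol": "http", "src_ip": "10.1.2.3", "query": "cdn.bad-example.net"},
    {"ts": "2024-03-01T09:00:00Z", "protocol": "dns", "src_ip": "10.1.5.9", "query": "login.evil-example.org"},
    {"ts": "2024-03-01T09:02:00Z", "protocol": "dns", "src_ip": "10.1.5.9", "query": "updates.example.net"},
]


def field_matches(event, key, expected):
    """Apply one Sigma field test: list values are OR-ed, '|modifier' picks the comparison."""
    field, _, modifier = key.partition("|")
    actual = event.get(field)
    if actual is None:
        return False
    actual = str(actual).lower()
    values = expected if isinstance(expected, list) else [expected]
    for v in values:
        v = str(v).lower()
        if modifier == "" and actual == v:
            return True
        if modifier == "contains" and v in actual:
            return True
        if modifier == "startswith" and actual.startswith(v):
            return True
        if modifier == "endswith" and actual.endswith(v):
            return True
    return False


def selection_matches(event, selection):
    """Field tests inside one selection are AND-ed."""
    return all(field_matches(event, k, v) for k, v in selection.items())


def evaluate_condition(rule, event):
    """Evaluate conditions of the form 'A', 'A and B', 'A or B', 'A and not B' over named selections."""
    detection = rule["detection"]
    result, negate, op = None, False, "and"
    for tok in detection["condition"].split():
        if tok == "not":
            negate = True
        elif tok in ("and", "or"):
            op = tok
        else:
            val = selection_matches(event, detection[tok]) != negate
            negate = False
            if result is None:
                result = val
            else:
                result = (result and val) if op == "and" else (result or val)
    return bool(result)


def run_rule(rule, events):
    """Return one alert per matching event, scored from the rule's level."""
    return [
        {"rule": rule["title"], "ts": e["ts"], "src_ip": e["src_ip"], "query": e["query"],
         "level": rule["level"], "score": LEVEL_SCORE[rule["level"]]}
        for e in events if evaluate_condition(rule, e)
    ]


def retrospective_scan(rule, data_lake=DATA_LAKE, rule_created="2024-02-15T00:00:00Z"):
    """Replay a rule over stored history; flag hits that predate the rule's creation."""
    created = datetime.fromisoformat(rule_created.replace("Z", "+00:00"))
    alerts = run_rule(rule, data_lake)
    for a in alerts:
        a["retroactive"] = datetime.fromisoformat(a["ts"].replace("Z", "+00:00")) < created
    return alerts


if __name__ == "__main__":
    for a in retrospective_scan(RULE):
        print(a["ts"], a["src_ip"], a["query"], a["level"], "retroactive" if a["retroactive"] else "live")
```

The sandbox event is suppressed by the `filter` selection, the HTTP event fails the `protocol` test, and of the two hits one carries `retroactive: True` because it was stored weeks before the rule was written. The same replay applies when threat intelligence is updated rather than a rule: swap the domain list in `selection` for the new indicators and rerun.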
Deployment Models
Cloud Architecture
In the SaaS model, customers forward telemetry via HTTPS (https://api.alphasoc.net). AlphaSOC performs real-time analysis and returns alerts:
- Multi-tenant analytics engine optimized for speed and scale.
- Output available via API or integrations.
- Customers retain full control over log forwarding and routing.
On-Premise Architecture
AlphaSOC also supports local processing in customer-controlled environments. All raw telemetry is handled internally; only derived metadata is sent to the Wisdom API for threat enrichment:
- Suited for air-gapped, regulated, or privacy-sensitive deployments. Note that the Wisdom API enrichment call still requires outbound HTTPS from the AlphaSOC host, so an isolated network needs an explicit egress allow-rule for that destination.
- No raw data leaves the environment.
- Local web interface on port 3001 for configuration and alert review; restrict network access to this port to analyst networks.
Summary
AlphaSOC architecture supports:
- Scalable ingestion from diverse telemetry sources.
- Real-time normalization, enrichment, and multi-stage analysis.
- Custom rule support and flexible alert delivery.
- Cloud-native and on-premise deployments.
- Retrospective detection via a structured data lake.
Questions? Contact support@alphasoc.com.