Wisdom Support for Sigma
Overview
Wisdom is AlphaSOC's threat intelligence. It adds context to your detections by identifying C2 servers, malicious domains, cryptominers, and other threats.
Adding the wisdom-v1 resolver to the alphasoc section of a Sigma rule lets you use this intelligence directly in the rule's detection logic, either by referencing Wisdom flags or by matching against specific domains.
Using Wisdom Flags in Sigma Rules
```yaml
detection:
  selection:
    wisdom.flags.c2: true
  condition: selection
alphasoc:
  logschema:
    wisdom: wisdom-v1
```
Use the flags field to reference a Wisdom flag in your detection (wisdom.flags.c2 in the example above). The value must be either true, meaning the flag is present on the event, or false, meaning it is not.
Using Domains in Sigma Rules
```yaml
detection:
  selection:
    wisdom.domain: example.com
  condition: selection
alphasoc:
  logschema:
    wisdom: wisdom-v1
```
Use the domain field (wisdom.domain) to match events whose Wisdom-resolved domain equals the specified value.
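The two selections above, flag-based and domain-based, evaluated against constructed events, as an added example that is not AlphaSOC's code or the wisdom-v1 resolver itself. It assumes the resolver attaches a nested wisdom object to each event with flags under wisdom.flags and the looked-up domain under wisdom.domain, that a false flag value matches events where the flag is absent, and that string values compare case-insensitively as the Sigma specification requires; the EVENTS list and the src_ip field are made up for illustration.

```python
"""Toy evaluator for Wisdom-enriched Sigma selections.

Added example, not AlphaSOC or Sigma project code. It assumes the wisdom-v1
resolver enriches each event with a nested `wisdom` object holding `flags`
and `domain`. The events below are constructed for illustration only.
"""
from typing import Any

# Constructed events, shaped as the wisdom-v1 resolver is assumed to emit them.
EVENTS = [
    {"src_ip": "10.0.0.5", "wisdom": {"domain": "example.com", "flags": {"c2": True}}},
    {"src_ip": "10.0.0.6", "wisdom": {"domain": "cdn.example.net", "flags": {"cryptomining": True}}},
    {"src_ip": "10.0.0.7", "wisdom": {"domain": "Example.COM", "flags": {}}},
    {"src_ip": "10.0.0.8"},  # no Wisdom context attached at all
]


def lookup(event: dict, dotted: str) -> Any:
    """Resolve a dotted Sigma field name against nested dicts; None if any part is missing."""
    cur: Any = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def field_matches(event: dict, field: str, expected: Any) -> bool:
    value = lookup(event, field)
    if field.startswith("wisdom.flags."):
        # A flag is either present (true) or not. A `false` selection therefore
        # matches events where the flag is absent or explicitly false (assumed).
        return bool(value) is expected
    if isinstance(expected, str) and isinstance(value, str):
        # Sigma string values are matched case-insensitively by default.
        return value.lower() == expected.lower()
    return value == expected


def selection_matches(event: dict, selection: dict) -> bool:
    # Every key/value pair inside one Sigma selection map is AND-ed together.
    return all(field_matches(event, f, v) for f, v in selection.items())


def run_rule(selection: dict, events: list = EVENTS) -> list:
    """Return src_ip of every event the selection matches (condition: selection)."""
    return [e["src_ip"] for e in events if selection_matches(e, selection)]


if __name__ == "__main__":
    print("c2 flag present:", run_rule({"wisdom.flags.c2": True}))
    print("c2 flag absent: ", run_rule({"wisdom.flags.c2": False}))
    print("domain match:   ", run_rule({"wisdom.domain": "example.com"}))
    print("both combined:  ", run_rule({"wisdom.domain": "example.com", "wisdom.flags.c2": True}))
```

The last call shows why combining a flag with a domain in one selection narrows the match: both conditions must hold on the same event, so the host that resolved example.com without a c2 flag drops out.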