Overview
AlphaSOC extends the standard Sigma rule format with the alphasoc section,
enabling you to leverage additional field formats beyond the default Sigma
schema. These extensions allow you to:
- Use Wisdom threat intelligence directly in detection logic
- Write rules using OCSF standardized field names
- Access raw vendor telemetry without normalization
The AlphaSOC Section
To use AlphaSOC extensions, add an alphasoc section at the end of your Sigma
rule. This section defines the logschema mapping, which tells AlphaSOC how to
resolve field names with custom prefixes.
```yaml
alphasoc:
  logschema:
    wisdom: wisdom-v1
```
In your detection logic, reference fields using the prefix you defined:
```yaml
detection:
  selection:
    wisdom.flags.c2: true
  condition: selection
```
Defining Multiple Prefixes
You can define multiple prefixes in a single rule to combine different field formats:
```yaml
alphasoc:
  logschema:
    .: sigma
    ocsf: ocsf-v1.5
    wisdom: wisdom-v1
```
The . key sets the default format for fields without a prefix. If omitted,
AlphaSOC uses sigma as the default.
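To make the prefix resolution concrete, here is an added example (not AlphaSOC's code) that resolves prefixed field names through an alphasoc.logschema mapping, applies the `.` default, and evaluates a single-selection rule against a constructed event. The event layout (one sub-document per format) and the field names `dst_endpoint.port` and `Image|endswith` are assumptions made for illustration.

```python
# Sigma rule with the alphasoc extension, as a dict rather than YAML so the
# example needs no third-party parser. Field names are constructed.
RULE = {
    "title": "Constructed: PowerShell connecting to a Wisdom C2 flag on 443",
    "detection": {
        "selection": {
            "wisdom.flags.c2": True,               # wisdom-v1 field
            "ocsf.dst_endpoint.port": 443,         # ocsf-v1.5 field (assumed name)
            "Image|endswith": "\\powershell.exe",  # no prefix -> '.' default
        },
        "condition": "selection",
    },
    "alphasoc": {"logschema": {".": "sigma", "ocsf": "ocsf-v1.5", "wisdom": "wisdom-v1"}},
}

def resolve_field(field, logschema):
    """Split 'prefix.name|modifier' into (format, name, modifier).
    A leading token that is a defined prefix selects that format; otherwise
    the whole name is looked up in the '.' format, or 'sigma' if '.' is omitted."""
    name, _, modifier = field.partition("|")
    prefix, dot, rest = name.partition(".")
    if dot and prefix in logschema:
        return logschema[prefix], rest, modifier
    return logschema.get(".", "sigma"), name, modifier

def lookup(event, fmt, name):
    """Walk a dotted field name inside the event's sub-document for one format."""
    node = event.get(fmt, {})
    for part in name.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node

def matches(rule, event):
    """Evaluate a rule whose condition is exactly 'selection' (AND of all fields)."""
    logschema = rule.get("alphasoc", {}).get("logschema", {})
    for field, expected in rule["detection"]["selection"].items():
        fmt, name, modifier = resolve_field(field, logschema)
        actual = lookup(event, fmt, name)
        if modifier == "endswith":
            if not (isinstance(actual, str) and actual.endswith(expected)):
                return False
        elif actual != expected:
            return False
    return True

# Constructed event: fields grouped under the format each one belongs to.
EVENT = {
    "sigma": {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"},
    "ocsf-v1.5": {"dst_endpoint": {"port": 443}},
    "wisdom-v1": {"flags": {"c2": True}},
}
```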
Supported Formats
| Format | Description |
|---|---|
| sigma | Standard Sigma field names (default) |
| raw | Original vendor field names without normalization |
| ocsf-v1.5 | OCSF v1.5 standardized field names |
| wisdom-v1 | AlphaSOC Wisdom threat intelligence fields |
Raw Format
By default, AlphaSOC normalizes CrowdStrike and SentinelOne telemetry to Sysmon
field names for compatibility with community Sigma rules. Use the raw format
to bypass this normalization and access the original vendor field names.
OCSF Format
The Open Cybersecurity Schema Framework (OCSF) provides standardized field names
that work consistently across different log sources and vendors. Use ocsf-v1.5
to write portable rules without maintaining vendor-specific versions.
See OCSF Support for Sigma for usage details and field availability.
Wisdom Format
Wisdom is AlphaSOC's threat intelligence that identifies C2 servers, malicious
domains, cryptominers, and other threats. Use wisdom-v1 to incorporate threat
intelligence flags directly into your detection logic.
See Wisdom Support for Sigma for available flags and examples.
Further Reading
- OCSF Support for Sigma - Write rules using standardized OCSF field names
- Wisdom Support for Sigma - Incorporate threat intelligence into detections
- Wisdom Flags Reference