OCSF Support
Overview
AlphaSOC supports the Open Cybersecurity Schema Framework (OCSF) v1.5, enabling you to write Sigma detection rules using standardized field names that work consistently across different log sources and vendors.
What is OCSF?
The Open Cybersecurity Schema Framework (OCSF) is an open standard that defines
a common language for telemetry. Instead of using different field names for each
vendor (e.g., sourceIPAddress for AWS, LocalAddressIP4 for CrowdStrike), you
can use consistent OCSF field names like src_endpoint.ip across all sources.
Writing Sigma rules with OCSF field names provides several benefits:
- Standardization - Use the same field names regardless of the underlying log source.
- Portability - Rules work across your organization's entire infrastructure.
- Simplicity - No need to maintain multiple versions of the same rule for different vendors.
How to Use OCSF in Sigma Rules
When writing Sigma rules in AlphaSOC, you can use OCSF field names directly in
the detection section. AlphaSOC automatically maps the OCSF fields to the
appropriate vendor-specific fields during rule execution.
To write Sigma rules using OCSF fields in AlphaSOC:
- Log in to AlphaSOC.
- Navigate to the Rule Management > Sigma Rules page.
- Click the New sigma rule button.
- In the rule editor:
  - Use OCSF field names in the detection section.
  - Specify OCSF as the resolver format in the alphasoc section.
- Save the rule by clicking the Save button.
After that, your Sigma rule will appear in the Sigma Rules list. It's that simple! AlphaSOC handles the rest.
AlphaSOC Section in Sigma Rules
The rule in the example below detects DNS queries for .onion domains,
indicating potential Tor usage. It uses standard Sigma fields and the flags
field, which references
Wisdom flags.
Example Sigma rule using the AlphaSOC section
title: Match Tor nodes
id: af453e24-1903-45c1-8cfe-c8c4ec86a49a
status: test
description: Match connections to known Tor nodes
logsource:
  category: dns
detection:
  selection:
    query|endswith: .onion
    wisdom.flags.tor_dns: true
  condition: selection
alphasoc:
  logschema:
    wisdom: wisdom-v1
The alphasoc section specifies the resolver formats. This AlphaSOC extension
allows you to define which field format to use for the detection. You can use
multiple formats in one rule by specifying different prefixes.
Prefixes
Specify custom format prefixes under logschema. For example:
alphasoc:
  logschema:
    .: sigma # default; no prefix needed
    customPrefix1: ocsf-v1.5
    customPrefix2: wisdom-v1
    # ...
. indicates the default format used when no prefix is specified in the rule.
If you don't use the alphasoc field, AlphaSOC assumes the sigma format by
default.
Supported Formats
Available formats include:
- sigma
- raw
- ocsf-v1.5
- wisdom-v1
Below are the descriptions of each format and their usage.
Raw format
To support community detection standards, AlphaSOC maps CrowdStrike and SentinelOne telemetry to Sysmon fields by default.
Use the raw format to bypass this normalization and access the original vendor
field names.
OCSF format
Use the ocsf-v1.5 format to write Sigma rules using
OCSF field names. With OCSF, you can write a
single detection rule that works across all your log sources.
detection:
  selection:
    ocsf.field_name: value
alphasoc:
  logschema:
    ocsf: ocsf-v1.5
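To make the prefix mechanism from the Prefixes section and this OCSF format concrete, here is an added example (not AlphaSOC's own resolver) that models how logschema prefixes could resolve each detection key to a format and, for ocsf-v1.5, to a vendor field. The vendor table is constructed from the two field names quoted at the top of this page; AlphaSOC's real mapping tables and resolver behaviour are assumptions here, not documented on this page.

```python
# Added example, not AlphaSOC code: models how alphasoc.logschema prefixes could
# resolve Sigma detection keys to a format and then to a vendor field name.

# Constructed from the two vendor field names the page quotes for src_endpoint.ip.
OCSF_TO_VENDOR = {
    "src_endpoint.ip": {"aws": "sourceIPAddress", "crowdstrike": "LocalAddressIP4"},
}

# Constructed: parsed form of a rule mixing all three formats from the page.
RULE = {
    "detection": {
        "selection": {
            "query|endswith": ".onion",                 # default format: sigma
            "wisdom.flags.tor_dns": True,               # wisdom-v1 via "wisdom" prefix
            "ocsf.src_endpoint.ip|startswith": "10.",   # ocsf-v1.5 via "ocsf" prefix
        },
        "condition": "selection",
    },
    "alphasoc": {"logschema": {".": "sigma", "ocsf": "ocsf-v1.5", "wisdom": "wisdom-v1"}},
}

def logschema(rule):
    """Prefix table for a rule; without an alphasoc section everything is sigma."""
    return rule.get("alphasoc", {}).get("logschema", {".": "sigma"})

def resolve_key(key, schema):
    """Split 'prefix.field|mod' into (format, field, modifiers) using the prefix table."""
    field, *mods = key.split("|")
    head, _, rest = field.partition(".")
    if rest and head in schema:                  # registered prefix, e.g. "ocsf"
        return schema[head], rest, mods
    return schema.get(".", "sigma"), field, mods  # "." is the default format

def to_vendor_field(fmt, field, vendor):
    """Map an ocsf-v1.5 field to the vendor's name; other formats pass through."""
    if fmt != "ocsf-v1.5":
        return field
    try:
        return OCSF_TO_VENDOR[field][vendor]
    except KeyError:
        raise ValueError(f"{field!r} is not populated for vendor {vendor!r}")

def resolve_selection(rule, name, vendor):
    """Return {original key: vendor-resolved key} for one selection."""
    schema, out = logschema(rule), {}
    for key in rule["detection"][name]:
        fmt, field, mods = resolve_key(key, schema)
        out[key] = "|".join([to_vendor_field(fmt, field, vendor), *mods])
    return out
```

Running resolve_selection(RULE, "selection", v) for v in ("aws", "crowdstrike") shows the same rule resolving to sourceIPAddress and LocalAddressIP4 respectively, while the sigma and wisdom keys pass through unchanged apart from their prefix.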
Wisdom format
Wisdom is AlphaSOC's threat intelligence that provides additional context to
your detections. By using the wisdom-v1 format, you can reference
Wisdom flags or specify a
domain in your Sigma rule.
Using Wisdom flags in Sigma rules
detection:
  selection:
    wisdom.flags.c2: true
  condition: selection
alphasoc:
  logschema:
    wisdom: wisdom-v1
Use the flags field to reference
Wisdom flags in your
detection. The value should be either true (flag present) or false.
Using domains in Sigma rules
detection:
  selection:
    wisdom.domain: example.com
  condition: selection
alphasoc:
  logschema:
    wisdom: wisdom-v1
Use the domain field to specify a domain.
OCSF Field Availability
AlphaSOC populates a subset of OCSF fields depending on the log source and event type. Use the OCSF schema documentation to understand field semantics.
See OCSF Mappings Overview for the list of OCSF fields AlphaSOC populates for each supported event family.