Supported Attributes
AlphaSOC supports the following detection attributes in Sigma rules. These attributes can be used in both community and custom rules to define detection logic.
Sigma Basics
Modifiers
Modifiers transform field values during rule matching and enable flexible pattern matching in Sigma rules. The following table details AlphaSOC's current support status for each modifier:
| Modifier | Support Status |
|---|---|
| all | SUPPORTED |
| base64/base64offset | SUPPORTED |
| cased | SUPPORTED |
| cidr | SUPPORTED |
| contains | SUPPORTED |
| endswith | SUPPORTED |
| exists | IN PROGRESS |
| expand | NOT SUPPORTED |
| fieldref | SUPPORTED |
| gt | SUPPORTED |
| gte | SUPPORTED |
| lt | SUPPORTED |
| lte | SUPPORTED |
| re | SUPPORTED |
| startswith | SUPPORTED |
| utf16/utf16le/utf16be/wide | NOT SUPPORTED |
| windash | PARTIAL (limited to 2 flags) |
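To make concrete what the supported modifiers do to a rule value before it is compared with the event, here is a small evaluator added for this page. It is not AlphaSOC's or pySigma's code; the semantics follow the public Sigma specification, the event and field names are constructed, wildcards (`*`, `?`) are not implemented, and capping `windash` at two flags is this example's reading of the table's "PARTIAL" note rather than a documented AlphaSOC behaviour.

```python
# Added example: a minimal evaluator for the Sigma field modifiers listed above.
# Constructed for this page, not AlphaSOC's or pySigma's code. Wildcards are not
# implemented; the two-flag windash cap is an assumption taken from the table.
import base64
import ipaddress
import itertools
import re

def base64offset_variants(s: str) -> list[str]:
    """Three encodings that match `s` at any byte offset inside base64 text:
    prefix i bytes, encode, then drop the characters whose bits are shared
    with the prefix (start) or with the padding (end)."""
    raw = s.encode()
    starts, ends = (0, 2, 3), (None, -3, -2)
    return [
        base64.b64encode(b" " * i + raw).decode()[starts[i]:ends[(len(raw) + i) % 3]]
        for i in range(3)
    ]

def windash_variants(s: str, max_flags: int = 2) -> list[str]:
    """Expand the leading '-' of each flag into both '-' and '/' (first `max_flags` flags only)."""
    flag_pos = [m.start() for m in re.finditer(r"(?:^|(?<=\s))-(?=\w)", s)][:max_flags]
    out = []
    for combo in itertools.product("-/", repeat=len(flag_pos)):
        chars = list(s)
        for pos, dash in zip(flag_pos, combo):
            chars[pos] = dash
        out.append("".join(chars))
    return out

def match_field(event_value, pattern, mods: list[str], event=None) -> bool:
    """Apply `mods` (the |a|b part of a Sigma field key) to `pattern`, then compare with `event_value`."""
    if event_value is None:
        return False
    if "fieldref" in mods:  # compare against another field of the same event
        other = (event or {}).get(pattern)
        return other is not None and str(event_value) == str(other)
    if "cidr" in mods:
        return ipaddress.ip_address(event_value) in ipaddress.ip_network(pattern, strict=False)
    numeric = {"gt": lambda a, b: a > b, "gte": lambda a, b: a >= b,
               "lt": lambda a, b: a < b, "lte": lambda a, b: a <= b}
    for mod in mods:
        if mod in numeric:
            return numeric[mod](float(event_value), float(pattern))
    value = str(event_value)
    if "re" in mods:  # regular expressions stay case-sensitive
        return re.search(str(pattern), value) is not None
    variants = [str(pattern)]
    if "base64offset" in mods:
        variants = base64offset_variants(str(pattern))
    elif "base64" in mods:
        variants = [base64.b64encode(str(pattern).encode()).decode()]
    if "windash" in mods:
        variants = [w for v in variants for w in windash_variants(v)]
    if "cased" not in mods:  # Sigma string matching is case-insensitive unless |cased is given
        value = value.lower()
        variants = [v.lower() for v in variants]
    for v in variants:
        if "contains" in mods and v in value:
            return True
        if "startswith" in mods and value.startswith(v):
            return True
        if "endswith" in mods and value.endswith(v):
            return True
        if not {"contains", "startswith", "endswith"} & set(mods) and value == v:
            return True
    return False

def match_selection_field(event: dict, key: str, values) -> bool:
    """`key` is 'Field|mod|mod'; a list of values matches on ANY value, or on ALL of them with |all."""
    field, *mods = key.split("|")
    vals = values if isinstance(values, list) else [values]
    hits = [match_field(event.get(field), v, mods, event) for v in vals]
    return all(hits) if "all" in mods else any(hits)

def demo() -> dict:
    """Exercise one modifier of each kind against a constructed event (not a real log record)."""
    event = {
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": "cmd.exe /c whoami -nop /w hidden",
        "DestinationIp": "10.20.30.40",
        "User": "svc_backup",
        "ParentUser": "svc_backup",
        "EventID": 4688,
        "Encoded": base64.b64encode(b"x cmd.exe /c whoami").decode(),
    }
    return {
        "endswith": match_selection_field(event, "Image|endswith", r"\cmd.exe"),
        "contains_all": match_selection_field(event, "CommandLine|contains|all", ["whoami", "hidden"]),
        "windash": match_selection_field(event, "CommandLine|contains|windash", "-nop -w hidden"),
        "cidr": match_selection_field(event, "DestinationIp|cidr", "10.20.0.0/16"),
        "gte": match_selection_field(event, "EventID|gte", 4688),
        "fieldref": match_selection_field(event, "User|fieldref", "ParentUser"),
        "base64offset": match_selection_field(event, "Encoded|contains|base64offset", "cmd.exe"),
        "cased_miss": match_selection_field(event, "Image|endswith|cased", r"\CMD.EXE"),
    }
```

The `base64offset` helper is the part worth studying: a value encoded at byte offset 1 or 2 looks nothing like its offset-0 encoding, so the modifier emits three trimmed variants, one per alignment, and the `contains` match succeeds whichever alignment the encoded command line happens to use. `demo()` returns `True` for every entry except `cased_miss`, which shows that `|cased` disables the default case-insensitive comparison.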
Conditions
Conditions define the logical structure for combining field matches in Sigma rules using boolean operators and pattern matching. The following tables detail AlphaSOC's current support status for each condition:
Basic Conditions
| Condition | Support Status |
|---|---|
| not | SUPPORTED |
| and | SUPPORTED |
| or | SUPPORTED |
| brackets | SUPPORTED |
Advanced Conditions
| Condition | Support Status |
|---|---|
| 1 of (search pattern) | SUPPORTED |
| all of (search pattern) | SUPPORTED |
| 1 of them | SUPPORTED |
| all of them | SUPPORTED |
Logsources
AlphaSOC maps external Sigma logsources to internal data origins.
Standard Logsources
The following Sigma Standard Logsources are supported:
| Product | Category | Service | AlphaSOC Data Origin |
|---|---|---|---|
| aws | | cloudtrail | AWS CloudTrail |
| azure | | azureactivity | Azure Activity |
| gcp | | gcp.audit | GCP Audit |
| okta | | okta | Okta |
| microsoft365portal | | auditlogs | Microsoft 365 (PLANNING) |
| windows | all | all | CrowdStrike FDR |
| macos | process_creation | | CrowdStrike FDR |
| linux | process_creation | | CrowdStrike FDR |
| linux | | sshd | Journald |
| zeek | | http, dns | Zeek |
For details on how data from these sources is processed and standardized, see Data Normalization. For specific field mappings between source data and AlphaSOC's internal format, refer to Product Field Mappings.
AlphaSOC Custom
AlphaSOC implements a custom logsource following Sigma's approach. This provides a filter mechanism to select events based on specific data origins, allowing rules to target particular data sources.
The AlphaSOC custom logsource uses the following format:
```yaml
logsource:
  product: alphasoc
  service: [data_origin]
```

Where [data_origin] corresponds to any of the data origins supported by AlphaSOC. See the Data Origins Overview for a complete list of available data origins by product.
Detection
The detection section defines the logic and patterns that Sigma rules use to identify security events in log data.
Keyword searches
AlphaSOC Support: NOT SUPPORTED
Keyword searches perform unstructured text matching across all fields in a log entry, searching for specific strings without targeting particular field names. This search type is not supported by AlphaSOC.
Field searches
AlphaSOC Support: SUPPORTED
Field searches match specific values within named fields using key-value pairs. This structured approach allows precise targeting of log attributes, such as matching a specific user name, IP address, or command.
Field list searches
AlphaSOC Support: SUPPORTED
Field list searches extend field searches by allowing multiple values for a single field name. This enables matching when any value in the list appears in the specified field, effectively creating an OR condition across the values while maintaining the field-specific targeting.
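The condition grammar from the Basic and Advanced Conditions tables (`not`, `and`, `or`, brackets, `1 of`/`all of` with a search pattern or `them`) and the field list search described above are easiest to understand by running them. The evaluator below is an added example for this page, not AlphaSOC's code: selections use plain case-insensitive equality (modifiers are left out), a bare string list under `detection`, which is Sigma's keyword search form, is rejected to mirror the NOT SUPPORTED status above, and the rule and event values are constructed.

```python
# Added example: a small evaluator for Sigma detection sections, covering the
# condition grammar (not/and/or/brackets, "1 of"/"all of" with a pattern or
# "them") and field list searches. Constructed for this page, not AlphaSOC's code.
import fnmatch
import re

def match_selection(event: dict, selection) -> bool:
    """Field search: every key must match (AND). A field list matches when any
    listed value equals the field (OR). A bare list is a keyword search, which
    this page marks as not supported, so it is rejected."""
    if isinstance(selection, list):
        raise ValueError("keyword searches (bare string lists) are not supported")
    for field, want in selection.items():
        got = str(event.get(field, "")).lower()
        wants = want if isinstance(want, list) else [want]
        if not any(got == str(w).lower() for w in wants):
            return False
    return True

class ConditionParser:
    """Recursive-descent parser over an already-evaluated set of selections:
    expr := term ('or' term)*; term := factor ('and' factor)*;
    factor := 'not' factor | '(' expr ')' | ('1'|'all') 'of' (pattern|'them') | NAME."""

    def __init__(self, condition: str, results: dict):
        self.tokens = re.findall(r"\(|\)|[^\s()]+", condition)
        self.pos = 0
        self.results = results  # selection name -> bool

    def peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def take(self) -> str:
        tok = self.tokens[self.pos]
        self.pos += 1
        return tok

    def parse(self) -> bool:
        value = self.expr()
        if self.peek() is not None:
            raise ValueError(f"unexpected token {self.peek()!r} in condition")
        return value

    def expr(self) -> bool:
        value = self.term()
        while self.peek() == "or":
            self.take()
            rhs = self.term()  # evaluated eagerly so every name is validated
            value = value or rhs
        return value

    def term(self) -> bool:
        value = self.factor()
        while self.peek() == "and":
            self.take()
            rhs = self.factor()
            value = value and rhs
        return value

    def factor(self) -> bool:
        tok = self.take()
        if tok == "not":
            return not self.factor()
        if tok == "(":
            value = self.expr()
            if self.take() != ")":
                raise ValueError("unbalanced brackets in condition")
            return value
        if tok in ("1", "all") and self.peek() == "of":
            self.take()
            pattern = self.take()  # 'them' or a wildcard such as selection_*
            names = list(self.results) if pattern == "them" else fnmatch.filter(self.results, pattern)
            if not names:
                raise ValueError(f"{pattern!r} matches no selection")
            hits = [self.results[n] for n in names]
            return any(hits) if tok == "1" else all(hits)
        if tok not in self.results:
            raise ValueError(f"unknown selection {tok!r}")
        return self.results[tok]

def evaluate(detection: dict, event: dict) -> bool:
    """Match every named selection against the event, then combine them with the condition."""
    results = {name: match_selection(event, body)
               for name, body in detection.items() if name != "condition"}
    return ConditionParser(detection["condition"], results).parse()

def demo() -> dict:
    """Run several conditions over one constructed event (not a real log record)."""
    event = {"User": "svc_deploy", "LogonType": 10, "Computer": "web03"}
    selections = {
        "selection_user": {"User": ["svc_backup", "svc_deploy"]},  # field list: OR across values
        "selection_type": {"LogonType": [2, 10]},
        "filter_host": {"Computer": "jump01"},
    }

    def run(condition: str, ev: dict = event) -> bool:
        return evaluate({**selections, "condition": condition}, ev)

    return {
        "all_of_pattern": run("all of selection_* and not filter_host"),
        "one_of_them": run("1 of them"),
        "all_of_them": run("all of them"),
        "brackets": run("(selection_user or filter_host) and not selection_type"),
        "filtered_out": run("all of selection_* and not filter_host", {**event, "Computer": "jump01"}),
    }
```

Two details are worth noticing in `demo()`: `all of them` evaluates to `False` because `them` includes `filter_host`, which the sample event does not match, so filters normally need to be excluded with `not` rather than folded into `all of them`; and the field list in `selection_user` matches the event even though only one of its two values is present, which is exactly the OR semantics the section above describes.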