Sigma Arrays
Overview
Standard Sigma does not natively support matching values within arrays in log events. This limitation affects many common log sources including CloudTrail, GCP Audit Logs, Okta, and Kubernetes audit logs, all of which use arrays extensively in their event structures. AlphaSOC extends Sigma with array matching capabilities as a custom feature, enabling detection rules that evaluate conditions against individual array elements.
Array support is currently available for raw event processing only. OCSF-normalized events do not support array matching at this time.
Array Matching Syntax
Array matching in Sigma uses nested detection blocks. When a field holds an array, you give it a nested detection block (its own condition and selections) that is evaluated against each element of the array. Because the nested block is a full detection block, it can contain multiple selections and NOT conditions, all applied per element.
Match any (default)
By default, array matching returns true if any element in the array matches the condition:
```yaml
detection:
  condition: selection
  selection:
    arrayField:
      condition: selection
      selection:
        fieldInArrayObject: "value"
```
Match all
Use the |arrayAll modifier to require that all elements in the array match the condition:
```yaml
detection:
  condition: selection
  selection:
    arrayField|arrayAll:
      condition: selection
      selection:
        fieldInArrayObject: "value"
```
Nested arrays
For log sources with deeply nested array structures, you can chain array matching across multiple levels:
```yaml
detection:
  condition: selection
  selection:
    authorizationInfo|arrayAll:
      condition: selection
      selection:
        resourceAttributes:
          condition: selection
          selection:
            values|arrayAll:
              condition: selection
              selection:
                key: "request.auth.claims.groups"
                value|contains: "system:authenticated"
```
Dot pseudo-field
Use the . pseudo-field to match simple values (strings or numbers) directly within an array:
```yaml
detection:
  condition: selection
  selection:
    eventType: "AwsApiCall"
    resourceTypeFilters:
      condition: selection
      selection:
        .|startswith: "prefix:"
```
Examples
GCP: authorizationInfo HAS ANY (granted IS true AND resource CONTAINS "/kube-system/configmaps/")
```yaml
detection:
  condition: selection
  selection:
    authorizationInfo:
      condition: selection
      selection:
        granted: "true"
        resource|contains: "/kube-system/configmaps/"
```
GCP: authorizationInfo HAS ALL (granted IS false)
With |arrayAll every element must satisfy the nested selection, so a single granted entry in authorizationInfo is enough for this rule not to match:
```yaml
detection:
  condition: selection
  selection:
    authorizationInfo|arrayAll:
      condition: selection
      selection:
        granted: "false"
```
GCP: authorizationInfo HAS ANY (permission ENDS WITH .update AND resource IS NOT "/kube-system/configmaps/")
Array detection blocks support the full range of Sigma condition logic, including multiple selections and NOT conditions. The condition is evaluated per element: here an element matches when its permission ends with .update and its resource is not the excluded value, and the rule fires if any element matches. It is not a statement about the array as a whole.
```yaml
detection:
  condition: selection
  selection:
    authorizationInfo:
      condition: sel_permission and not sel_resource
      sel_permission:
        permission|endswith: ".update"
      sel_resource:
        resource: "/kube-system/configmaps/"
```
CloudTrail: eventType IS AwsApiCall AND ANY resourceTypeFilters STARTS WITH elasticache
When an array contains simple values (strings, numbers) rather than objects, use the pseudo-field . to reference the array element value directly:
```yaml
detection:
  condition: selection
  selection:
    eventType: "AwsApiCall"
    resourceTypeFilters:
      condition: selection
      selection:
        .|startswith: "elasticache:"
```
CloudTrail: eventType IS AwsApiCall AND ALL resourceTypeFilters STARTS WITH elasticache
```yaml
detection:
  condition: selection
  selection:
    eventType: "AwsApiCall"
    resourceTypeFilters|arrayAll:
      condition: selection
      selection:
        .|startswith: "elasticache:"
```
Limitations
- OCSF not supported: Array matching is currently available only for raw event processing. OCSF-normalized events do not support this feature.
Further Reading
- Sigma Supported Attributes - Full list of supported Sigma modifiers and conditions
- Sigma Correlations - Aggregate multiple events for complex detection patterns