Detection-as-Code CI/CD Pipeline
Overview
You can automate Sigma rule deployment by adding a GitHub Actions workflow to your repository. The workflow zips your rule files and uploads them to AlphaSOC via the POST /v1/detections endpoint on every push.
Prerequisites
- An AlphaSOC API key — see Credentials: Adding a New API Key.
Configuration
Before configuring the workflow, add your AlphaSOC API key to your repository's secrets under Settings > Secrets and variables > Actions > Repository secrets as ALPHASOC_API_KEY.
Create a new workflow file in your repository, for example .github/workflows/upload-sigma-rules.yml:
name: Upload Sigma Rules to AlphaSOC
on:
  push:
    branches:
      - main
    paths:
      - "**/*.yaml"
      - "**/*.yml"
permissions:
  contents: read
concurrency:
  group: alphasoc-sigma-upload
  cancel-in-progress: true
jobs:
  upload-rules:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
      - name: Zip Sigma rule files
        env:
          SIGMA_RULES_DIRECTORY: "."
        run: |
          find "$SIGMA_RULES_DIRECTORY" -not -path '*/.*' \( -name '*.yaml' -o -name '*.yml' \) | zip /tmp/rules.zip -@
The workflow uploads with the replace import mode, so the rule set in AlphaSOC mirrors the repository after each push: any change made in the repository is reflected in AlphaSOC.
Once the workflow is configured, every push to the main branch syncs Sigma rules from your repository to your AlphaSOC console. You can find them under Detections > Sigma.
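Because replace mode mirrors whatever the push contains, a malformed rule reaches the console as readily as a good one. The following pre-upload gate is an added example, not part of AlphaSOC's documentation or the workflow above: it reproduces the find(1) selection (dot-directories skipped, *.yaml and *.yml only) in Python, checks each file for the top-level keys the Sigma specification requires, and writes the archive only when every rule passes. The sample repository it builds in a temporary directory is constructed for the demo; the key check is a deliberately dependency-free approximation, not a full Sigma validator.

```python
import os
import re
import tempfile
import zipfile
# Top-level keys the Sigma specification requires in every rule.
REQUIRED_KEYS = ("title", "logsource", "detection")

def collect_rule_files(root):
    """Mirror the workflow's find(1): *.yaml/*.yml files, skipping dot-dirs and dot-files."""
    selected = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if not d.startswith(".")]  # prune .git, .github
        for name in filenames:
            if not name.startswith(".") and name.endswith((".yaml", ".yml")):
                selected.append(os.path.relpath(os.path.join(dirpath, name), root))
    return sorted(selected)

def missing_keys(path):
    """Cheap gate with no YAML dependency: each required key must start a line."""
    with open(path, encoding="utf-8") as fh:
        present = set(re.findall(r"^([A-Za-z_]+):", fh.read(), re.M))
    return [k for k in REQUIRED_KEYS if k not in present]

def build_bundle(root, zip_path):
    """Validate, then zip; no archive is written while any rule fails the gate."""
    files = collect_rule_files(root)
    problems = {f: m for f in files if (m := missing_keys(os.path.join(root, f)))}
    if not problems:
        with zipfile.ZipFile(zip_path, "w", zipfile.ZIP_DEFLATED) as zf:
            for f in files:
                zf.write(os.path.join(root, f), arcname=f)
    return files, problems

def demo():
    """Constructed sample repo: one complete rule, one without a detection block, one workflow file."""
    root = tempfile.mkdtemp()
    sample = {
        "rules/windows/proc_creation.yml": "title: Suspicious Process\nlogsource:\n"
        "  product: windows\ndetection:\n  selection:\n    Image|endswith: certutil.exe\n"
        "  condition: selection\n",
        "rules/linux/incomplete.yaml": "title: Half Written\nlogsource:\n  product: linux\n",
        ".github/workflows/upload-sigma-rules.yml": "name: ci\n",
    }
    for rel, body in sample.items():
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            fh.write(body)
    zip_path = os.path.join(root, "rules.zip")
    files, problems = build_bundle(root, zip_path)  # first run: gate fails, no archive
    os.remove(os.path.join(root, "rules/linux/incomplete.yaml"))
    build_bundle(root, zip_path)  # second run: clean set, archive written
    with zipfile.ZipFile(zip_path) as zf:
        return files, problems, zf.namelist()
```

Run as a step before the zip step to fail the job instead of replacing the console's rules with a broken set.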
Learn More
For complete information about request parameters, response codes, and service limits, see the Detection Management API.