Supported Attributes
AlphaSOC supports the following detection attributes in Sigma rules. These attributes can be used in both community and custom rules to define detection logic.
Sigma Basics
Modifiers
Modifiers transform field values during rule matching and enable flexible pattern matching in Sigma rules. The following table details AlphaSOC's current support status for each modifier:
| Modifier | Support Status |
|---|---|
| all | SUPPORTED |
| base64/base64offset | SUPPORTED |
| cased | SUPPORTED |
| cidr | SUPPORTED |
| contains | SUPPORTED |
| endswith | SUPPORTED |
| exists | IN PROGRESS |
| expand | NOT SUPPORTED |
| fieldref | SUPPORTED |
| gt | SUPPORTED |
| gte | SUPPORTED |
| lt | SUPPORTED |
| lte | SUPPORTED |
| re | SUPPORTED |
| startswith | SUPPORTED |
| utf16/utf16le/utf16be/wide | NOT SUPPORTED |
| windash | PARTIAL (limited to 2 flags) |
Conditions
Conditions define the logical structure for combining field matches in Sigma rules using boolean operators and pattern matching. The following tables detail AlphaSOC's current support status for each condition:
Basic Conditions
| Condition | Support Status |
|---|---|
| not | SUPPORTED |
| and | SUPPORTED |
| or | SUPPORTED |
| brackets | SUPPORTED |
Advanced Conditions
| Condition | Support Status |
|---|---|
| 1 of (search pattern) | SUPPORTED |
| all of (search pattern) | SUPPORTED |
| 1 of them | SUPPORTED |
| all of them | SUPPORTED |
Logsources
AlphaSOC maps external Sigma logsources to internal data origins.
Standard Logsources
The following Sigma Standard Logsources are supported:
| Sigma logsource | Product | Category | Service | AlphaSOC Data Origin |
|---|---|---|---|---|
| AWS | aws | | cloudtrail | AWS CloudTrail |
| Azure | azure | | azureactivity | Azure Activity |
| GCP | gcp | | gcp.audit | GCP Audit |
| Okta | okta | | okta | Okta |
| Microsoft365 | microsoft365portal | | auditlogs | Microsoft 365 (PLANNING) |
| Windows | windows | all | all | CrowdStrike FDR |
| macOS | macos | process_creation | | CrowdStrike FDR |
| Linux | linux | process_creation | | CrowdStrike FDR |
| Linux | linux | | sshd | Journald |
| Zeek | zeek | | http, dns | Zeek |
For details on how data from these sources is processed and standardized, see Data Normalization. For specific field mappings between source data and AlphaSOC's internal format, refer to Product Field Mappings.
AlphaSOC Custom
AlphaSOC implements a custom logsource following Sigma's approach. This provides a filter mechanism to select events based on specific data origins, allowing rules to target particular data sources.
The AlphaSOC custom logsource uses the following format:
```yaml
logsource:
  product: alphasoc
  service: [data_origin]
```

Where [data_origin] corresponds to any of the data origins supported by AlphaSOC. The following table lists all available data origins by product:
| Product | Data Origins |
|---|---|
| 1Password | 1password-event-audit, 1password-item-audit, 1password-login-audit |
| Amazon Web Services | aws-vpc-flow, aws-cloudtrail, aws-route53 |
| Atlassian | atlassian-audit |
| Azure | azure-device-network, azure-nsg-flow, azure-vnet-flow, azure-activity-audit |
| Carbon Black Netconn | carbonblack-netconn |
| Confluence | confluence-audit |
| CrowdStrike | crowdstrike-aid-master, crowdstrike-data |
| DNSTap | dnstap |
| GitHub | github-audit |
| Google Cloud Platform | gcp-vpc-flow, gcp-dns, gcp-kube-audit, gcp-audit |
| Google Security Operations | google-secops-udm |
| Jira | jira-audit |
| Kubernetes | kube-audit |
| Microsoft 365 | microsoft-365-audit |
| Microsoft Entra | microsoft-entra-audit |
| Okta | okta-audit |
| Slack | slack-audit |
| Systemd Journal | journald |
| Zeek | zeek-conn, zeek-dns, zeek-http, zeek-ssl, zeek-dhcp |
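As an added example (not AlphaSOC's own tooling), the following Python lints a Sigma rule, given as an already parsed dict, against the modifier table above and the data-origin list for the `product: alphasoc` logsource, flagging modifiers that are not fully supported and service values that are not a known data origin. The sample rule and the Zeek field names `query` and `id.orig_h` are constructed for illustration.

```python
# Status per modifier, copied from the modifier table above.
MODIFIER_STATUS = {m: "SUPPORTED" for m in (
    "all base64 base64offset cased cidr contains endswith fieldref "
    "gt gte lt lte re startswith").split()}
MODIFIER_STATUS.update({"exists": "IN PROGRESS", "windash": "PARTIAL (2 flags)"})
MODIFIER_STATUS.update({m: "NOT SUPPORTED" for m in "expand utf16 utf16le utf16be wide".split()})

# Data origins accepted as `service:` under `product: alphasoc` (from the table above).
DATA_ORIGINS = set("""1password-event-audit 1password-item-audit 1password-login-audit
aws-vpc-flow aws-cloudtrail aws-route53 atlassian-audit azure-device-network
azure-nsg-flow azure-vnet-flow azure-activity-audit carbonblack-netconn
confluence-audit crowdstrike-aid-master crowdstrike-data dnstap github-audit
gcp-vpc-flow gcp-dns gcp-kube-audit gcp-audit google-secops-udm jira-audit
kube-audit microsoft-365-audit microsoft-entra-audit okta-audit slack-audit
journald zeek-conn zeek-dns zeek-http zeek-ssl zeek-dhcp""".split())

def iter_keys(node):
    """Yield every mapping key in a detection block, recursing through lists."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield key
            yield from iter_keys(value)
    elif isinstance(node, list):
        for item in node:
            yield from iter_keys(item)

def lint_rule(rule):
    """Return problems found; an empty list means only supported features are used."""
    problems = []
    logsource = rule.get("logsource", {})
    if logsource.get("product") == "alphasoc" and logsource.get("service") not in DATA_ORIGINS:
        problems.append(f"unknown AlphaSOC data origin: {logsource.get('service')!r}")
    detection = {k: v for k, v in rule.get("detection", {}).items() if k != "condition"}
    for key in iter_keys(detection):
        for mod in key.split("|")[1:]:  # "query|wide|contains" -> wide, contains
            status = MODIFIER_STATUS.get(mod, "UNKNOWN")
            if status != "SUPPORTED":
                problems.append(f"{key}: modifier '{mod}' is {status}")
    return problems

# Constructed rule: valid alphasoc logsource, one modifier AlphaSOC does not support.
SAMPLE_RULE = {
    "logsource": {"product": "alphasoc", "service": "zeek-dns"},
    "detection": {
        "selection": {"query|endswith": [".zip", ".mov"]},
        "filter": {"id.orig_h|cidr": "10.0.0.0/8", "query|wide|contains": "corp"},
        "condition": "selection and not filter",
    },
}
```

Running `lint_rule(SAMPLE_RULE)` reports the `wide` modifier on the filter field; the `endswith` and `cidr` selections pass unchanged.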