Data Normalization
Network
Network events describe traffic leaving the organization. Each log entry records one egress connection (or, for DNS, one query) and is normalized into the fields listed in the tables below.
DNS
This type of telemetry captures egress DNS query events for valid internet domains, providing visibility into domain resolution activity.
AlphaSOC can process DNS data from these sources: AWS Route 53, Zeek, GCP Cloud DNS, CrowdStrike FDR, DNSTap, Azure Device Network.
AlphaSOC field | Description |
---|---|
query | A fully qualified domain name (FQDN) |
qtype | A DNS record type |
rcode | A DNS response code |
ts | The event time, in the format YYYY-MM-DDTHH:MM:SSZ (UTC) |
srcIP | The IP address of the device that initiated the connection |
srcPort | The source port used by the originating device |
srcHost | Name or ID of the computer where the detection occurred |
srcMac | The physical (MAC) address of the device that initiated the connection |
srcUser | Username of the account that ran the process responsible for the event |
connID | Connection ID |
dataOrigin | The service from which the logs originate (e.g., Zeek). For the full list, see Processing Data: Product Field Mappings |
srcID | Source ID |
labels | Metadata |
dataScope | A value that uniquely identifies the environment from which the data originates |
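The following is an added example, not code from the original page or from AlphaSOC: it maps Zeek dns.log entries (JSON output) onto the DNS field names above. The column-to-field mapping, the sample log lines and the list of non-internet suffixes are this example's own assumptions; it shows the two conversions a normalizer has to get right, the epoch-to-UTC timestamp and the canonical FQDN, and the egress filter that drops reverse lookups and private-suffix names, which the page describes as out of scope for this telemetry.

```python
from __future__ import annotations

import json
from datetime import datetime, timezone

# Constructed sample input (not real traffic): two Zeek dns.log entries in JSON form,
# using Zeek's own dns.log column names. The first is an egress A query, the second
# a reverse (PTR) lookup that should not be treated as an internet domain.
ZEEK_DNS_LINES = [
    json.dumps({
        "ts": 1700000000.123456, "uid": "CHhAvVGS1DHFjwGM9",
        "id.orig_h": "10.20.30.40", "id.orig_p": 51234,
        "id.resp_h": "10.20.30.1", "id.resp_p": 53, "proto": "udp",
        "query": "Www.Example.com.", "qtype": 1, "qtype_name": "A",
        "rcode": 0, "rcode_name": "NOERROR",
    }),
    json.dumps({
        "ts": 1700000001.0, "uid": "CZq9Y41KxKLe3dQ7Xk",
        "id.orig_h": "10.20.30.40", "id.orig_p": 51235,
        "id.resp_h": "10.20.30.1", "id.resp_p": 53, "proto": "udp",
        "query": "40.30.20.10.in-addr.arpa", "qtype": 12, "qtype_name": "PTR",
        "rcode": 3, "rcode_name": "NXDOMAIN",
    }),
]

# Suffixes that never resolve on the public internet; an illustrative list, not exhaustive.
NON_INTERNET_SUFFIXES = ("in-addr.arpa", "ip6.arpa", "home.arpa", "local", "localhost", "internal")


def zeek_ts(epoch: float) -> str:
    """Zeek logs epoch seconds; the normalized ts is YYYY-MM-DDTHH:MM:SSZ (UTC)."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def canonical_fqdn(name: str) -> str:
    """Strip the trailing root dot and case-fold, so one domain has one spelling."""
    return name.rstrip(".").lower()


def is_internet_domain(fqdn: str) -> bool:
    """True if the name has at least two non-empty labels and no reserved/private suffix."""
    labels = fqdn.split(".")
    if len(labels) < 2 or any(not label for label in labels):
        return False
    return not any(fqdn == s or fqdn.endswith("." + s) for s in NON_INTERNET_SUFFIXES)


def normalize_zeek_dns(line: str, data_scope: str = "lab") -> dict | None:
    """Map one Zeek dns.log JSON entry to the AlphaSOC DNS field names.

    Returns None for entries that are not egress queries for internet domains.
    The column-to-field mapping is this example's assumption, not AlphaSOC's
    published mapping.
    """
    ev = json.loads(line)
    if not ev.get("query"):
        return None                      # Zeek logs some malformed packets without a query
    fqdn = canonical_fqdn(ev["query"])
    if not is_internet_domain(fqdn):
        return None
    return {
        "query": fqdn,
        # Prefer Zeek's symbolic names; fall back to the numeric code as text.
        "qtype": ev.get("qtype_name") or str(ev.get("qtype")),
        "rcode": ev.get("rcode_name") or str(ev.get("rcode")),
        "ts": zeek_ts(ev["ts"]),
        "srcIP": ev["id.orig_h"],
        "srcPort": ev["id.orig_p"],
        "connID": ev["uid"],
        "dataOrigin": "Zeek",
        "dataScope": data_scope,
    }


if __name__ == "__main__":
    for line in ZEEK_DNS_LINES:
        print(json.dumps(normalize_zeek_dns(line), indent=2))
```

Case-folding and trailing-dot removal matter because detection logic keys on the `query` value: `Www.Example.com.` and `www.example.com` must land in the same bucket. The suffix list is deliberately short; a production filter would also consult the organization's own internal zones.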
HTTP
This type of telemetry captures HTTP request and response metadata, including headers, status codes, URL paths, and user-agent information, providing visibility into web traffic.
AlphaSOC can process HTTP data from Zeek.
AlphaSOC field | Description |
---|---|
url | The HTTP request URL |
method | The HTTP request method |
status | The HTTP response status code |
app | The application layer protocol used |
action | Specifies whether the event was allowed or denied |
bytesIn | The number of incoming bytes |
bytesOut | The number of outgoing bytes |
contentType | The MIME type of the HTTP event payload |
userAgent | The user agent used in HTTP event |
referrer | The value of the HTTP Referer header |
ts | The event time, in the format YYYY-MM-DDTHH:MM:SSZ (UTC) |
srcIP | The IP address of the device that initiated the connection |
srcPort | The source port used by the originating device |
srcHost | Name or ID of the computer where the detection occurred |
srcMac | The physical (MAC) address of the device that initiated the connection |
srcUser | The username associated with the process that generated the event |
dataOrigin | The service from which the logs originate (e.g., Zeek). For the full list, see Processing Data: Product Field Mappings |
srcID | Source ID |
connID | Connection ID |
labels | Metadata |
dataScope | A value that uniquely identifies the environment from which the data originates |
IP
This type of telemetry captures egress IPv4 and IPv6 connections to internet destinations, providing visibility into network communication.
AlphaSOC can process IP data from these sources: AWS VPC Flow, Zeek, GCP VPC Flow, Carbon Black Netconn, CrowdStrike FDR, Azure VNet Flow, Azure NSG Flow, Azure Device Network.
AlphaSOC field | Description |
---|---|
proto | The transport layer protocol used |
bytesIn | The number of incoming bytes |
bytesOut | The number of outgoing bytes |
packetsIn | The number of incoming packets |
packetsOut | The number of outgoing packets |
app | The application layer protocol used |
action | Specifies whether the event was allowed or denied |
duration | The duration of the connection |
destIP | The IP address of the responding device |
destPort | The destination port used by the responding device |
ts | The event time, in the format YYYY-MM-DDTHH:MM:SSZ (UTC) |
srcIP | The IP address of the device that initiated the connection |
srcPort | The source port used by the originating device |
srcHost | Name or ID of the computer where the detection occurred |
srcMac | The physical (MAC) address of the device that initiated the connection |
srcUser | The username associated with the process that generated the event |
dataOrigin | The service from which the logs originate (e.g., AWS VPC Flow). For the full list, see Processing Data: Product Field Mappings |
srcID | Source ID |
connID | Connection ID |
labels | Metadata |
dataScope | A value that uniquely identifies the environment from which the data originates |
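The following is an added example, not code from the original page or from AlphaSOC: it turns AWS VPC Flow Log records (default version-2 format) into the IP fields above. The mapping, the sample records and the initiator heuristic are this example's own assumptions. It exists because flow logs are unidirectional and have no notion of who opened the connection: the `srcaddr` of a record is whichever side sent those packets, so `bytesIn`/`bytesOut` can only be filled by pairing the two directions, and `NODATA`/`SKIPDATA` records must be discarded before they are counted as zero-byte connections.

```python
from __future__ import annotations

import ipaddress
from datetime import datetime, timezone

# Constructed sample input (not real flow data): AWS VPC Flow Log records in the default
# version-2 format, whose columns are:
#   version account-id interface-id srcaddr dstaddr srcport dstport protocol
#   packets bytes start end action log-status
# Flow logs are unidirectional, so the HTTPS session appears as two records (request
# and reply directions). The NODATA record carries no traffic and must be dropped.
VPC_FLOW_LINES = """\
2 123456789012 eni-0123456789abcdef0 10.0.1.25 93.184.216.34 49152 443 6 12 3456 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0123456789abcdef0 93.184.216.34 10.0.1.25 443 49152 6 10 21000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0123456789abcdef0 10.0.1.25 198.51.100.7 49153 23 6 1 60 1700000010 1700000010 REJECT OK
2 123456789012 eni-0123456789abcdef0 - - - - - - - 1700000000 1700000060 - NODATA
"""

V2_COLUMNS = ["version", "account", "eni", "srcaddr", "dstaddr", "srcport", "dstport",
              "protocol", "packets", "bytes", "start", "end", "action", "status"]
PROTO_NAMES = {"1": "icmp", "6": "tcp", "17": "udp", "58": "icmpv6"}  # partial; others pass through as numbers


def epoch_to_ts(epoch: int) -> str:
    """Flow logs carry epoch seconds; the normalized ts is YYYY-MM-DDTHH:MM:SSZ (UTC)."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def parse_flow_record(line: str) -> dict | None:
    """Split one v2 record; return None for malformed lines and NODATA/SKIPDATA records."""
    fields = line.split()
    if len(fields) != len(V2_COLUMNS) or fields[0] != "2":
        return None
    rec = dict(zip(V2_COLUMNS, fields))
    return rec if rec["status"] == "OK" else None


def normalize_vpc_flows(text: str, data_scope: str = "prod-vpc") -> list[dict]:
    """Pair the two directions of each flow and emit AlphaSOC IP records.

    A record's srcaddr is whoever sent those packets, not the connection initiator.
    This example (an assumption) treats the non-globally-routable side as the initiator,
    which fits egress telemetry; when both or neither side is global, record order is kept.
    """
    flows: dict[tuple, dict] = {}
    for line in text.splitlines():
        rec = parse_flow_record(line)
        if rec is None:
            continue
        a, b = ipaddress.ip_address(rec["srcaddr"]), ipaddress.ip_address(rec["dstaddr"])
        if a.is_global and not b.is_global:
            # Reply direction: swap so srcIP is the internal host, and count the bytes as inbound.
            src, sport, dst, dport, outbound = rec["dstaddr"], rec["dstport"], rec["srcaddr"], rec["srcport"], False
        else:
            src, sport, dst, dport, outbound = rec["srcaddr"], rec["srcport"], rec["dstaddr"], rec["dstport"], True
        key = (rec["eni"], src, sport, dst, dport, rec["protocol"], rec["action"])
        ev = flows.setdefault(key, {
            "proto": PROTO_NAMES.get(rec["protocol"], rec["protocol"]),
            "bytesIn": 0, "bytesOut": 0, "packetsIn": 0, "packetsOut": 0,
            "action": "allowed" if rec["action"] == "ACCEPT" else "denied",
            "destIP": dst, "destPort": int(dport),
            "srcIP": src, "srcPort": int(sport),
            "srcID": rec["eni"], "dataOrigin": "AWS VPC Flow", "dataScope": data_scope,
            "_start": int(rec["start"]), "_end": int(rec["end"]),
        })
        side = "Out" if outbound else "In"
        ev["bytes" + side] += int(rec["bytes"])
        ev["packets" + side] += int(rec["packets"])
        ev["_start"] = min(ev["_start"], int(rec["start"]))
        ev["_end"] = max(ev["_end"], int(rec["end"]))
    out = []
    for ev in flows.values():
        start, end = ev.pop("_start"), ev.pop("_end")
        ev["ts"] = epoch_to_ts(start)
        ev["duration"] = end - start      # seconds, at the granularity of the capture window
        out.append(ev)
    return out


if __name__ == "__main__":
    for ev in normalize_vpc_flows(VPC_FLOW_LINES):
        print(ev)
```

`duration` here is the span of the aggregation window(s) in which the flow was seen, not a precise connection lifetime; flow logs do not carry TCP state. Source products that do (Zeek conn.log, EDR netconn events) give a better `duration` and an unambiguous initiator.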
TLS
This type of telemetry captures TLS session details, including JA3 fingerprints and X.509 certificate information, providing insight into encrypted traffic.
AlphaSOC can process TLS data from Zeek.
AlphaSOC field | Description |
---|---|
certHash | Fingerprint (hash) of the server's certificate |
issuer | The issuer field of the certificate, identifying the CA that signed it |
subject | The subject field of the certificate, identifying the entity to which it was issued |
validFrom | Start of the certificate's validity period (notBefore) |
validTo | End of the certificate's validity period (notAfter); the certificate is expired after this time |
destIP | The IP address of the responding device |
destPort | The destination port used by the responding device |
ja3 | JA3 fingerprint of the client's ClientHello |
ja3s | JA3S fingerprint of the server's ServerHello |
ts | The event time, in the format YYYY-MM-DDTHH:MM:SSZ (UTC) |
srcIP | The IP address of the device that initiated the connection |
srcPort | The source port used by the originating device |
srcHost | Name or ID of the computer where the detection occurred |
srcMac | The physical (MAC) address of the device that initiated the connection |
srcUser | The username associated with the process that generated the event |
dataOrigin | The service from which the logs originate (e.g., Zeek). For the full list, see Processing Data: Product Field Mappings |
srcID | Source ID |
connID | Connection ID |
labels | Metadata |
dataScope | A value that uniquely identifies the environment from which the data originates |
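The following is an added example, not code from the original page or from AlphaSOC: it builds the TLS record above from Zeek's ssl.log joined with x509.log. It assumes Zeek 5 or later, where x509.log is keyed by certificate fingerprint and ssl.log lists the chain in `cert_chain_fps` (leaf first), and assumes the `ja3`/`ja3s` columns added by the salesforce/ja3 Zeek package; the field mapping and all sample values are this example's own. It also covers the case a practitioner hits immediately in real data: under TLS 1.3 the server certificate is encrypted, so `certHash`, `validFrom` and `validTo` are simply unavailable and a validity check must report "unknown" rather than pass or fail.

```python
import json
from datetime import datetime, timezone

# Constructed sample input (not real traffic): one Zeek ssl.log entry, with the ja3/ja3s
# columns the salesforce/ja3 Zeek package adds, plus the x509.log entry for the server's
# leaf certificate. Zeek 5+ keys x509.log on the certificate fingerprint and lists the
# chain in ssl.log's cert_chain_fps, leaf first. All hashes and times are invented.
LEAF_FP = "1111222233334444555566667777888899990000"
SSL_LINE = json.dumps({
    "ts": 1700000000.5, "uid": "CAbC12dEf34gH5iJk6",
    "id.orig_h": "10.20.30.40", "id.orig_p": 52000,
    "id.resp_h": "203.0.113.10", "id.resp_p": 443,
    "version": "TLSv12", "cipher": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "server_name": "cdn.example.net", "established": True,
    "cert_chain_fps": [LEAF_FP, "aaaabbbbccccddddeeeeffff0000111122223333"],
    "subject": "CN=cdn.example.net,O=Example Ltd,C=GB",
    "issuer": "CN=Example Issuing CA,O=Example Ltd,C=GB",
    "ja3": "a0b1c2d3e4f5a6b7c8d9e0f1a2b3c4d5",
    "ja3s": "0f1e2d3c4b5a69788796a5b4c3d2e1f0",
})
# Same client to a TLS 1.3 server: the certificate is encrypted, so Zeek logs no chain.
SSL13_LINE = json.dumps({
    "ts": 1700000005.0, "uid": "CxyZ98wVu76tS5rQp4",
    "id.orig_h": "10.20.30.40", "id.orig_p": 52001,
    "id.resp_h": "203.0.113.11", "id.resp_p": 443, "version": "TLSv13",
    "server_name": "api.example.net", "established": True,
    "ja3": "a0b1c2d3e4f5a6b7c8d9e0f1a2b3c4d5",
})
X509_LINES = [json.dumps({
    "ts": 1700000000.5, "fingerprint": LEAF_FP,
    "certificate.version": 3, "certificate.serial": "0A1B2C3D",
    "certificate.subject": "CN=cdn.example.net,O=Example Ltd,C=GB",
    "certificate.issuer": "CN=Example Issuing CA,O=Example Ltd,C=GB",
    "certificate.not_valid_before": 1690000000.0,
    "certificate.not_valid_after": 1720000000.0,
})]


def zeek_ts(epoch: float) -> str:
    """Zeek logs epoch seconds; the normalized ts is YYYY-MM-DDTHH:MM:SSZ (UTC)."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def normalize_zeek_tls(ssl_line: str, x509_lines: list, data_scope: str = "lab") -> dict:
    """Join one ssl.log entry with x509.log by leaf fingerprint and emit the TLS fields.

    Fields that depend on the certificate are None when no chain was visible (TLS 1.3,
    resumed session, or a missing x509.log entry). The mapping is this example's
    assumption, not AlphaSOC's published one.
    """
    ssl = json.loads(ssl_line)
    certs = {c["fingerprint"]: c for c in map(json.loads, x509_lines)}
    chain = ssl.get("cert_chain_fps") or []
    leaf = certs.get(chain[0]) if chain else None
    return {
        "certHash": chain[0] if chain else None,
        "issuer": ssl.get("issuer"),
        "subject": ssl.get("subject"),
        "validFrom": zeek_ts(leaf["certificate.not_valid_before"]) if leaf else None,
        "validTo": zeek_ts(leaf["certificate.not_valid_after"]) if leaf else None,
        "destIP": ssl["id.resp_h"], "destPort": ssl["id.resp_p"],
        "ja3": ssl.get("ja3"), "ja3s": ssl.get("ja3s"),
        "ts": zeek_ts(ssl["ts"]),
        "srcIP": ssl["id.orig_h"], "srcPort": ssl["id.orig_p"],
        "connID": ssl["uid"], "dataOrigin": "Zeek", "dataScope": data_scope,
    }


def cert_valid_at_handshake(rec: dict):
    """True/False if the leaf certificate's validity window covered the handshake time;
    None when the certificate was not visible, so the caller cannot mistake 'unknown' for 'ok'."""
    if rec["validFrom"] is None or rec["validTo"] is None:
        return None
    # Fixed-width YYYY-MM-DDTHH:MM:SSZ strings order correctly as plain strings.
    return rec["validFrom"] <= rec["ts"] <= rec["validTo"]


if __name__ == "__main__":
    for line in (SSL_LINE, SSL13_LINE):
        rec = normalize_zeek_tls(line, X509_LINES)
        print(json.dumps(rec, indent=2), "valid:", cert_valid_at_handshake(rec))
```

The three-valued check is the point: for a TLS 1.3 session the `ja3`/`ja3s` pair and the SNI in the source log are the only signal, and a detection that treats a missing certificate as a valid one silently loses coverage on most of today's traffic.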
Audit
Audit logs are records of actions and events within an organization's software infrastructure. Log entries include details about what occurred, when it happened, who initiated it, which resources were affected, and any additional context relevant to the event.
In addition to the normalized fields specified in the tables below, AlphaSOC uses product-specific fields to analyze telemetry.
AWS CloudTrail
AlphaSOC can analyze AWS CloudTrail events to detect anomalies. For example event records, see the AWS CloudTrail documentation.
AlphaSOC field | Description |
---|---|
ts | The event time, in the format YYYY-MM-DDTHH:MM:SSZ (UTC) |
srcID | Source ID |
dataOrigin | The service from which the logs originate (e.g., AWS CloudTrail). For the full list, please refer to Processing Data: Product Field Mappings |
dataScope | A value that uniquely identifies the environment from which the data originates |
GitHub
AlphaSOC can analyze GitHub audit logs to detect anomalies. To see a full list of GitHub audit log events, visit the GitHub documentation.
AlphaSOC field | Description |
---|---|
ts | The event time, in the format YYYY-MM-DDTHH:MM:SSZ (UTC) |
srcID | Source ID |
srcUser | The username of the actor that performed the action |
dataScope | A value that uniquely identifies the environment from which the data originates |
callerIP | The source IP address of the caller |
userAgent | The user agent associated with the caller |
action | The GitHub audit log action name, which identifies the event type |
Kubernetes
AlphaSOC can analyze Kubernetes cluster events to detect anomalies.
AlphaSOC field | Description |
---|---|
ts | The event time, in the format YYYY-MM-DDTHH:MM:SSZ (UTC) |
srcID | Source ID |
callerIP | The source IP address of the incoming Kubernetes API request |
userAgent | The user agent associated with the incoming Kubernetes API request |
auditBody | The name of the Kubernetes resource involved in the API request |
code | The HTTP status code returned by the Kubernetes API response |
dataScope | A value that uniquely identifies the environment from which the data originates |
Okta
AlphaSOC can analyze Okta System Logs to detect anomalies. To see a full list of Okta event types, visit the Okta documentation.
AlphaSOC field | Description |
---|---|
srcID | Source ID |
srcUser | The username of the actor that performed the action |
userAgent | The user agent associated with the caller |
ts | The event time, in the format YYYY-MM-DDTHH:MM:SSZ (UTC) |
callerIP | The source IP address of the caller |
action | Okta event type |
result | Specifies whether the event was allowed or denied |
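The following is an added example, not code from the original page or from AlphaSOC: it maps Okta System Log events onto the Okta fields above and then runs one simple check over the normalized records. The property-to-field mapping (in particular `srcID` taken from `actor.id`), the sample events and the failed-login threshold are this example's own assumptions; the Okta property names (`published`, `eventType`, `actor.alternateId`, `client.ipAddress`, `client.userAgent.rawUserAgent`, `outcome.result`) are those of the System Log API.

```python
from collections import Counter
from datetime import datetime, timezone

# Constructed sample input (not real Okta data): three System Log events trimmed to the
# properties used below. Real events carry many more (target, transaction, debugContext).
OKTA_EVENTS = [
    {"uuid": "8f1d0a2e-0000-4000-8000-000000000001", "published": "2023-11-14T22:13:20.123Z",
     "eventType": "user.session.start",
     "actor": {"id": "00u1abcdef", "type": "User", "alternateId": "alice@example.com"},
     "client": {"ipAddress": "198.51.100.23",
                "userAgent": {"rawUserAgent": "Mozilla/5.0 (X11; Linux x86_64) Firefox/119.0"}},
     "outcome": {"result": "FAILURE", "reason": "INVALID_CREDENTIALS"}},
    {"uuid": "8f1d0a2e-0000-4000-8000-000000000002", "published": "2023-11-14T22:13:25Z",
     "eventType": "user.session.start",
     "actor": {"id": "00u1abcdef", "type": "User", "alternateId": "alice@example.com"},
     "client": {"ipAddress": "198.51.100.23",
                "userAgent": {"rawUserAgent": "Mozilla/5.0 (X11; Linux x86_64) Firefox/119.0"}},
     "outcome": {"result": "FAILURE", "reason": "INVALID_CREDENTIALS"}},
    {"uuid": "8f1d0a2e-0000-4000-8000-000000000003", "published": "2023-11-14T22:14:02.000Z",
     "eventType": "user.session.start",
     "actor": {"id": "00u2ghijkl", "type": "User", "alternateId": "bob@example.com"},
     "client": {"ipAddress": "203.0.113.77",
                "userAgent": {"rawUserAgent": "Okta Verify/7.8 (iOS)"}},
     "outcome": {"result": "SUCCESS"}},
]


def okta_ts(published: str) -> str:
    """Okta's published value is RFC 3339 with a Z suffix and optional fractional seconds;
    normalize to YYYY-MM-DDTHH:MM:SSZ (UTC)."""
    dt = datetime.fromisoformat(published.replace("Z", "+00:00"))
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def normalize_okta_event(ev: dict) -> dict:
    """Map one System Log event to the AlphaSOC Okta field names (this example's mapping)."""
    actor = ev.get("actor") or {}
    client = ev.get("client") or {}
    return {
        "srcID": actor.get("id"),                  # assumed: the actor's Okta user ID
        "srcUser": actor.get("alternateId"),
        "userAgent": (client.get("userAgent") or {}).get("rawUserAgent"),
        "ts": okta_ts(ev["published"]),
        "callerIP": client.get("ipAddress"),
        "action": ev["eventType"],
        "result": (ev.get("outcome") or {}).get("result"),
    }


def failed_logins_by_ip(records: list, threshold: int = 2) -> dict:
    """Count FAILURE outcomes of user.session.start per callerIP and return the IPs
    that reach the threshold; a minimal password-spray / brute-force indicator."""
    counts = Counter(r["callerIP"] for r in records
                     if r["action"] == "user.session.start" and r["result"] == "FAILURE")
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    records = [normalize_okta_event(e) for e in OKTA_EVENTS]
    for r in records:
        print(r)
    print("suspicious callerIPs:", failed_logins_by_ip(records))
```

Normalizing `action` to the raw `eventType` (rather than collapsing it to allowed/denied) is what makes the check above expressible: the outcome lives in `result`, the event kind in `action`, and the two are queried independently.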
Slack
AlphaSOC can analyze Slack audit events to detect anomalies. For example audit log entries, see the Slack API documentation.
AlphaSOC field | Description |
---|---|
srcID | Source ID |
srcUser | The username of the actor that performed the action |
userAgent | The user agent associated with the caller |
ts | The event time, in the format YYYY-MM-DDTHH:MM:SSZ (UTC) |
dataScope | A value that uniquely identifies the environment from which the data originates |
callerIP | The source IP address of the caller |
action | The Slack audit log action name, which identifies the event type |