The AlphaSOC Analytics Engine (AE) performs
multi-dimensional processing of telemetry to highlight
anomalies and uncover compromised systems. AE can
be consumed as a cloud service or set up locally
on-premise within a customer environment.

AE is vendor agnostic and can process data from any source, including:
Big data indexing platforms(e.g. Elastic and Splunk)
Cloud infrastructure(e.g. VPC flow logs)
Network infrastructure(e.g. firewalls, web proxies, and appliances)
Network sensors(e.g. Corelight / Zeek and Elastic Packetbeat)
Servers(e.g. DNS and Active Directory servers)
Endpoints(via agents such as Cisco Umbrella)

The subsequent sections describe the AlphaSOC
service elements, which are summarized by the
diagram below. The web console is used to
configure and monitor the AE instance, which
receives telemetry via the ingestion layer,
processes it to identify threats, and relays alerts to
external services (e.g. SIEM and SOAR platforms)
via the escalation layer.

The modular nature of the AlphaSOC architecture
means that AE can receive data from, and escalate
data to different locations. For example, an
end-user organization can submit data to AE for
scoring, and escalate alerts to both their own
in-house SIEM and a third-party MSSP.

Data Ingestion

The data ingestion layer includes elements that can push or pull raw network
telemetry from different sources to AE for scoring. The ingestion section of the
AE documentation describes both the native plug-and-play integration options,
and how to directly interact with our API

Telemetry Processing

Once received for scoring, network telemetry is processed by AE, which is run by AlphaSOC as a cloud service, and can
also be run on-premise. When running in either mode, AE uses an API known as Wisdom to retrieve reputation data
and real-time context for telemetry elements (e.g. domain names, IP addresses, X.509 certificate hashes, and JA3
hashes), as demonstrated by the figures below.

The AlphaSOC cloud infrastructure running AE in a secure enclave

When run in a single tenant configuration, raw telemetry is stored and processed locally by the on-premise AE
instance. During processing, AE interacts with Wisdom to retrieve reputation data for particular telemetry fields (e.g.
Internet domain names).

AE running on-premise within a customer environment
Alert Escalation

AlphaSOC alerts are presented within the web console, and can also be
relayed to third-party services and SIEM / SOAR platforms via the escalation
layer. The escalation section of the AE documentation describes both the
native plug-and-play integration options, and how to ship alert data using open
standards such as CEF, GELF, and JSON.

AlphaSOC Console
Web Console

The AlphaSOC web console is used to manage the
service elements across cloud and on-premise AE
deployments, including licensing, setup of ingestion
and alert escalation paths, engine configuration and
maintenance, and presentation of alerts.