Sigma Array Support: OCSF Mappings & Audit Logs
Improvement
Standard Sigma engines can't evaluate individual elements within arrays, which breaks detection logic for most cloud telemetry. To address this, we’ve introduced custom Sigma extensions for handling arrays in detection rules.
We’ve now extended this capability to support OCSF fields. Our array extensions can be used directly with OCSF schema paths, enabling portable detections that work across OCSF-normalized data sources, including audit logs (currently AWS CloudTrail and Okta Login).
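To make the problem concrete, here is an added illustration (not code from this product, and not its actual Sigma extension syntax, which the note above does not spell out) of why a flat field lookup breaks on OCSF arrays and what an array-aware match has to do instead. The event, its field names (`actor.user.groups[].name`, `api.operation`) and the `any`/`all` quantifiers are constructed for the example; the point is only that a dotted path has to fan out over list elements before a comparison can succeed.

```python
from typing import Any, Iterator

# Constructed OCSF-style event (illustrative field names and values, not real telemetry).
# "groups" is an array of objects, which is exactly where a flat lookup fails.
EVENT: dict[str, Any] = {
    "class_uid": 3002,
    "actor": {
        "user": {
            "name": "alice",
            "groups": [{"name": "Developers"}, {"name": "Admins"}],
        }
    },
    "api": {"operation": "ConsoleLogin"},
}


def flat_lookup(obj: Any, path: str) -> Any:
    """Array-unaware dotted-path lookup, as a standard flat engine would do it.

    Descends through dicts only; as soon as a list is reached before the last
    segment, there is no single value to compare against, so it returns None.
    """
    cur = obj
    for seg in path.split("."):
        if not isinstance(cur, dict) or seg not in cur:
            return None
        cur = cur[seg]
    return cur


def iter_values(obj: Any, path: str) -> Iterator[Any]:
    """Array-aware lookup: yields every leaf reachable by fanning out over lists.

    Each list encountered along the path is expanded element by element, so
    "actor.user.groups.name" yields one value per group object.
    """

    def walk(cur: Any, segs: list[str]) -> Iterator[Any]:
        if not segs:
            if isinstance(cur, list):
                yield from cur
            else:
                yield cur
            return
        if isinstance(cur, list):
            for item in cur:
                yield from walk(item, segs)
        elif isinstance(cur, dict) and segs[0] in cur:
            yield from walk(cur[segs[0]], segs[1:])

    yield from walk(obj, path.split("."))


def matches_flat(event: dict, path: str, expected: Any) -> bool:
    """Comparison a standard engine performs: single value equals expected."""
    return flat_lookup(event, path) == expected


def matches_any(event: dict, path: str, expected: Any) -> bool:
    """Array-aware 'any element' quantifier (constructed semantics for this example)."""
    return any(v == expected for v in iter_values(event, path))


def matches_all(event: dict, path: str, expected: Any) -> bool:
    """Array-aware 'every element' quantifier; an empty array does not match."""
    vals = list(iter_values(event, path))
    return bool(vals) and all(v == expected for v in vals)


def evaluate_selection(event: dict, selection: dict[str, tuple[str, Any]]) -> bool:
    """Evaluate a selection of {path: (quantifier, expected)}; all entries must hold.

    Quantifier is one of "flat", "any" or "all" (names chosen for this example).
    """
    ops = {"flat": matches_flat, "any": matches_any, "all": matches_all}
    return all(ops[q](event, path, exp) for path, (q, exp) in selection.items())


if __name__ == "__main__":
    path = "actor.user.groups.name"
    print("flat:", matches_flat(EVENT, path, "Admins"))   # False: lookup dies at the list
    print("any: ", matches_any(EVENT, path, "Admins"))    # True: one group element matches
    print("all: ", matches_all(EVENT, path, "Admins"))    # False: Developers is also present
```

The flat lookup returns `None` the moment it meets the `groups` list, so a detection keyed on group membership can never fire; the array-aware walker yields one value per element and lets the rule choose whether a single matching element (`any`) or every element (`all`) is required. Keeping the path syntax identical to the OCSF schema path is what makes the same rule portable across OCSF-normalized sources.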
