Detect Anything™ with Cribl and AlphaSOC

Supercharge your Cribl deployment and cut SIEM costs.

AlphaSOC reveals unknown threats hidden within your cloud, network, application, and endpoint logs. Send raw telemetry from Cribl Stream to reduce SIEM overheads and increase your threat detection coverage.

AlphaSOC Cribl Stream integration overview
THE CHALLENGE
Security teams are stuck between two broken approaches: send everything to the SIEM and face spiralling costs, or keep telemetry in a Data Lake and lose the detection capabilities they depend on.

Native Plug-and-Play Integration

AlphaSOC fits into your existing Cribl deployment without disruption. Logs continue to flow the way they always have. Our detection engine handles the hard part.

AlphaSOC Cribl Stream how it works diagram

Cut the Noise, Keep the Signal

Instantly refine raw logs without restriction to produce actionable alerts.

Collect

Load your cloud, application, network, and endpoint logs.

Normalize

We map all data fields to OCSF for consistent analysis.

Enrich

We add threat intelligence and prevalence data.

Detect

Harness custom Sigma and managed AlphaSOC rules.

Alert

Escalate OCSF detection findings to your team.

Measurable Benefits

The benefits are not abstract. Each traces directly to a specific capability.

Cost control

Cut your SIEM and Data Lake costs by up to 80%

You no longer need to index high-volume telemetry in your SIEM or Data Lake just to feed detection logic. AlphaSOC performs deep inspection upstream. Your tools receive refined, enriched alerts rather than raw logs, which cuts high data ingestion costs at the source.

Detection depth

Reveal unknown threats, including patient zero events

Along with deep enrichment, AlphaSOC measures the prevalence of every indicator, both within your environment and across its global customer base. Indicators unique to your environment can uncover targeted campaigns that are unknown to security vendors.

Extensibility

Combine our detections with your own Sigma rules

AlphaSOC maintains a comprehensive library of production-ready detections covering cloud, network, identity, and endpoint threats. You can also deploy custom Sigma rules to hunt threats without having to translate them first to KQL, SPL, or other query languages.
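To make the Collect, Normalize, Enrich, Detect, Alert flow described above and the Sigma-rule point in this section concrete, here is an added, self-contained illustration. It is not AlphaSOC's or Cribl's code: the field names are a simplified, OCSF-inspired shape rather than the exact OCSF schema, the rule layout is a reduced subset of Sigma's selection/condition syntax, and the sample CloudTrail-like and Okta-like events (including their documentation-range IP addresses) are constructed for the example.

```python
"""Miniature Normalize -> Enrich -> Detect -> Alert pipeline (illustrative only).

Not AlphaSOC's or Cribl's implementation. Field names are an OCSF-inspired
simplification, the rule shape is a subset of Sigma, and all events are constructed.
"""
import json
from collections import Counter

# --- Collect: constructed sample telemetry from two sources (not real logs) --
RAW_EVENTS = [
    # CloudTrail-like records
    ("aws", {"eventName": "StopLogging", "eventSource": "cloudtrail.amazonaws.com",
             "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
             "sourceIPAddress": "198.51.100.7"}),
    ("aws", {"eventName": "ListBuckets", "eventSource": "s3.amazonaws.com",
             "userIdentity": {"arn": "arn:aws:iam::111122223333:user/bob"},
             "sourceIPAddress": "203.0.113.10"}),
    ("aws", {"eventName": "GetObject", "eventSource": "s3.amazonaws.com",
             "userIdentity": {"arn": "arn:aws:iam::111122223333:user/carol"},
             "sourceIPAddress": "203.0.113.10"}),
    # Okta System Log-like records
    ("okta", {"eventType": "user.session.impersonation.initiate",
              "actor": {"alternateId": "admin@example.com"},
              "client": {"ipAddress": "198.51.100.7"}}),
    ("okta", {"eventType": "user.session.start",
              "actor": {"alternateId": "dave@example.com"},
              "client": {"ipAddress": "203.0.113.10"}}),
]

# --- Normalize: map source-specific fields onto one common shape -------------
# Field names are a simplification of OCSF's API Activity class, not the exact schema.
def normalize(source, record):
    if source == "aws":
        return {"source": source, "api_operation": record["eventName"],
                "api_service": record["eventSource"],
                "actor_user": record["userIdentity"]["arn"],
                "src_ip": record["sourceIPAddress"]}
    if source == "okta":
        return {"source": source, "api_operation": record["eventType"],
                "api_service": "okta",
                "actor_user": record["actor"]["alternateId"],
                "src_ip": record["client"]["ipAddress"]}
    raise ValueError(f"unknown source {source!r}")

# --- Enrich: prevalence of each source IP across the whole batch -------------
# Because events from every source share one shape, prevalence is computed across
# AWS and Okta together; an IP seen once in the batch is flagged as unique.
def enrich(events):
    ip_prevalence = Counter(e["src_ip"] for e in events)
    for e in events:
        e["src_ip_prevalence"] = ip_prevalence[e["src_ip"]]
        e["src_ip_unique"] = ip_prevalence[e["src_ip"]] == 1
    return events

# --- Detect: Sigma-like rules evaluated directly on normalized events --------
# Constructed rules; the layout mirrors Sigma's detection/selection/condition keys.
RULES = [
    {"title": "CloudTrail logging stopped", "severity": "high", "tactic": "Defense Evasion",
     "detection": {"selection": {"source": "aws",
                                 "api_operation": ["StopLogging", "DeleteTrail"]},
                   "condition": "selection"}},
    {"title": "Okta admin impersonation session", "severity": "medium", "tactic": "Defense Evasion",
     "detection": {"selection": {"api_operation": "user.session.impersonation.initiate"},
                   "condition": "selection"}},
    {"title": "S3 read from a source IP unique to the batch", "severity": "low", "tactic": "Exfiltration",
     "detection": {"selection": {"api_service": "s3.amazonaws.com", "src_ip_unique": True},
                   "filter": {"api_operation": "ListBuckets"},
                   "condition": "selection and not filter"}},
]

def _matches(selection, event):
    """Every field in a selection must match; a list value means any-of (Sigma semantics)."""
    for field, want in selection.items():
        wants = want if isinstance(want, list) else [want]
        if event.get(field) not in wants:
            return False
    return True

def evaluate(rule, event):
    det = rule["detection"]
    named = {k: _matches(v, event) for k, v in det.items() if k != "condition"}
    cond = det["condition"]
    # Only the two condition forms used by RULES are supported in this example.
    if cond == "selection":
        return named["selection"]
    if cond == "selection and not filter":
        return named["selection"] and not named["filter"]
    raise ValueError(f"unsupported condition {cond!r}")

# --- Alert: emit compact, finding-style records instead of raw logs ----------
def run_pipeline(raw_events=RAW_EVENTS, rules=RULES):
    events = enrich([normalize(src, rec) for src, rec in raw_events])
    findings = []
    for e in events:
        for rule in rules:
            if evaluate(rule, e):
                findings.append({"class": "detection_finding", "title": rule["title"],
                                 "severity": rule["severity"], "attack_tactic": rule["tactic"],
                                 "actor_user": e["actor_user"], "src_ip": e["src_ip"],
                                 "src_ip_prevalence": e["src_ip_prevalence"]})
    return findings

if __name__ == "__main__":
    for finding in run_pipeline():
        print(json.dumps(finding))
```

Run as a script it prints two findings out of five raw events: the CloudTrail StopLogging call and the Okta impersonation, both carrying a prevalence of 2 for 198.51.100.7 because the same address appears against both sources. The third rule stays silent, since the S3 reads come from an address shared by three events and so is not unique; that is the point of enriching before detecting rather than alerting on every read.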

Consistency

Unified coverage across every source

We apply the same detection logic, prevalence scoring, and enrichment regardless of where the data comes from. AWS CloudTrail, Azure Activity Logs, CrowdStrike Falcon telemetry, and Kubernetes audit logs all run through the same unified pipeline.

Harness Field Tested Detections

AlphaSOC maintains a comprehensive library of managed detections that align with MITRE ATT&CK to highlight known threat actor tactics, techniques, and procedures.

Detection | MITRE ATT&CK tactic
GitHub API calls by a malicious caller | Initial Access
Okta actions indicating impersonation | Defense Evasion
AWS GuardDuty disabled | Defense Evasion
Potential ransomware note uploaded to an AWS S3 bucket | Impact
Outbound TCP port scan indicating hacking tool use or infection | Discovery
Slack team member logged out due to a compromised device | Initial Access
AWS MFA device disabled | Persistence
Azure Storage account modified to allow public blob access | Exfiltration
Azure VM command run | Execution
Use of Azure APIs by a likely malicious caller | Initial Access
GCP KMS key destroyed | Defense Evasion
Telegram Bot API traffic indicating possible infection | Command & Control
Out-of-band application security testing traffic requiring investigation | Discovery
Quarantine applied to possibly compromised AWS credentials | Initial Access
Multiple requests to long hostnames indicating DNS tunneling | Command & Control
DNS misconfiguration leading to potential compromise | Initial Access
Azure VNet flow logs deleted | Defense Evasion
1Password values exported | Exfiltration
Anonymizing circuit setup indicating infection or evasion attempt | Defense Evasion
Okta FastPass blocked a phishing attempt | Credential Access
AWS API calls indicating EKS privilege escalation in multiple clusters | Persistence
Traffic to a destination serving malicious JavaScript | Execution
AWS S3 bucket modified to allow public access | Exfiltration
Successful Okta login after multiple MFA pushes | Credential Access
AWS console login from an EC2 instance | Defense Evasion
AWS EBS snapshot modified to allow public access | Exfiltration
MFA disabled for GitHub organization or Enterprise account | Persistence
Unexpected Slack API calls indicating malware share | Execution
Atlassian actions by a likely malicious caller | Initial Access
GitHub branch protections were disabled for the repository | Defense Evasion
AWS Security Hub disabled | Defense Evasion
Slack organization deleted | Impact
Suspicious hosting provider traffic | Command & Control
Azure Front Door WAF policy deleted | Defense Evasion
AWS IAM user created with admin policy attached | Persistence
Confluence site exported | Exfiltration
GCP GKE control plane exposed to internet | Defense Evasion
Okta suspicious session cookie | Credential Access
AWS decoy resource accessed | Discovery
Okta MFA bypass attempt detected | Defense Evasion
AWS policy modified to allow any principal to assume an IAM role | Initial Access
Traffic to a malicious spear phishing site | Initial Access
AWS RDS snapshot modified to allow public access | Exfiltration
AWS IAM role assumed by an unknown external principal | Initial Access
GCP BigQuery dataset made public | Exfiltration
GitHub SSH key added by suspicious IP address | Persistence
Azure PostgreSQL firewall allows public access | Defense Evasion
Jira user added to administrative group | Privilege Escalation
Outbound SSH traffic indicating brute force activity | Credential Access
GitHub secret scanning disabled or bypassed | Defense Evasion
Azure disk snapshot export URI generated | Exfiltration
Secret found in a GitHub repository | Credential Access
AWS EC2 credential used from an unknown external location | Credential Access
AWS API calls indicating Lambda privilege escalation | Privilege Escalation
Google Drive file shared publicly | Exfiltration
AWS KMS customer managed key disabled or scheduled for deletion | Defense Evasion
Atlassian admin API token created | Persistence
Google Workspace suspicious login | Initial Access
Cryptomining indicating infection or resource abuse | Execution
AWS access key created by the root account | Persistence
GitHub repository deploy key modified or created | Persistence
GCP IAM workforce pool modified | Persistence
AWS policy modified to allow unknown principal to assume an IAM role | Initial Access
Azure network security group modified to allow public access | Defense Evasion
GCP GCS bucket made public | Exfiltration
AWS network infrastructure modification opening a wide range of ports | Defense Evasion
Possible 1Password login brute force | Credential Access
GCP BigQuery data exfiltration | Exfiltration
Unusual excessive AWS S3 bucket deletion requests | Impact
1Password service account token activity | Persistence
GitHub audit log stream modified | Defense Evasion
AWS access key created | Persistence
GCP VPC flow logging disabled | Defense Evasion
Google Workspace account hijacked | Initial Access
Multiple Okta login failures from a single source | Credential Access
Jira actions by a likely malicious caller | Initial Access
High number of non-public GitHub repositories downloaded | Exfiltration
New Okta API token generated | Persistence
Atlassian administrator impersonated another user | Defense Evasion
Slack EKM unenrolled | Defense Evasion
Traffic to malicious infrastructure capturing credentials | Credential Access
Slack application access expanded | Persistence
Slack actions by likely malicious caller | Initial Access
Multiple rejected Okta MFA push notifications for a single user | Credential Access
P2P activity | Defense Evasion
Okta suspicious activity reported | Defense Evasion
GCP Logging sink deleted | Defense Evasion
Azure Network Watcher deleted | Defense Evasion
Traffic to a known malware distribution site | Execution
Confluence public link for a page turned on | Exfiltration
GitHub repository made public | Exfiltration
Traffic to a known sinkhole indicating infection | Command & Control
AWS identity added to an admin group | Privilege Escalation
Excessive disruption of Slack user sessions via invalidation | Defense Evasion
Okta admin role assigned | Privilege Escalation
Azure diagnostic setting deleted | Defense Evasion
AWS API calls indicating setup of mass mailer script | Privilege Escalation
Several unsuccessful Slack login attempts indicating brute force activity | Credential Access
1Password actions by a likely malicious caller | Initial Access
KEY INSIGHT
Security teams combine Cribl and AlphaSOC to cut their SIEM and Data Lake costs by up to 80%. AlphaSOC is not a SIEM replacement: it offloads deep processing to a dedicated engine, reducing downstream event volume while improving the quality of every alert that reaches your team.

Leverage Cribl Lake and Search

Once detection logic has moved closer to your data with Cribl Stream and AlphaSOC, you can migrate data from your SIEM to Cribl Lake to optimize the pipeline further.

AlphaSOC Findings dashboard in Cribl Search

Stop Paying for a Broken SIEM

Your SIEM was not designed to perform deep inspection of terabytes of raw telemetry at an affordable cost. AlphaSOC was. Connect to Cribl Stream, normalize and enrich your data, and give your team accurate alerts that are worth investigating.