
Enhanced Threat Detection with Sigma and AlphaSOC Wisdom

AlphaSOC Wisdom brings threat intelligence directly into Sigma rules, enriching detections with domain reputation, infrastructure type, and behavioral risk flags — no external feeds required.


A DNS query on its own is just noise. A DNS query to a young domain, on an unusual port, tied to C2-like infrastructure? That’s something you want to look at.

To help you make more confident decisions, we’re adding Wisdom—AlphaSOC Threat Intelligence—to Sigma detections, enriching matches with real context and making alerts far more credible.

What’s New

With Wisdom integration, you can enrich your Sigma detections with threat intelligence directly inside the rule—without external feeds or custom enrichment pipelines. In addition to using intelligence flags, you can also directly query and match specific domains using Wisdom.

Wisdom provides a broad set of flags that describe domain reputation, infrastructure type, and behavioral risk. This makes it easier to create precise, meaningful, and trustworthy detections. For the full list, see the Wisdom flags section of the AlphaSOC documentation.

When you combine Sigma logic with Wisdom intelligence, you cut down on false positives and give analysts stronger signals they can act on with confidence.

Wisdom in Action

Wisdom is enabled through the alphasoc section of a Sigma rule. This section tells AlphaSOC which resolver format to use when evaluating fields.

The following Sigma rule detects DNS lookups to known Tor nodes by checking the Wisdom tor_dns flag:

title: DNS queries to Tor destinations
id: af453e24-1903-45c1-8cfe-c8c4ec86a49a
status: test
description: Match connections to known Tor nodes
logsource:
  category: dns
detection:
  selection:
    wisdom.flags.tor_dns: true
  condition: selection
alphasoc:
  logschema:
    wisdom: wisdom-v1
level: high

This rule provides low-maintenance detection of DNS traffic to Tor infrastructure — excellent for surfacing potential privacy circumvention or covert adversary communications.

Let’s look at another example of a Sigma rule using a Wisdom flag, this time to detect blocklisted infrastructure.

title: DNS queries to blocklisted destinations
id: bf674e12-3a9f-4d2b-9e1c-5f8d7a2b3c4e
status: test
description:
  Match DNS resolutions to items found on third-party blocklists (e.g. malware,
  phishing, C2)
logsource:
  category: dns
detection:
  selection:
    wisdom.flags.blocklist: true
  condition: selection
alphasoc:
  logschema:
    wisdom: wisdom-v1
level: high

With the blocklist flag enabled, the rule automatically catches DNS queries resolving to third-party blocklisted destinations — providing an easy, low-effort technique for detecting domains that may be tied to malware, phishing campaigns, or command and control (C2) servers.

Using Wisdom Flags in Sigma Rules

Now that you've seen what Wisdom flags can do, let's look at how to use them in practice.

detection:
  selection:
    wisdom.flags.c2: true
  condition: selection
alphasoc:
  logschema:
    wisdom: wisdom-v1

Reference a Wisdom flag in a detection with a field of the form wisdom.flags.<flag>. For each flag, set the value to true to require that the signal is present, or to false to require that it is absent.

Using Domains in Sigma Rules

You can also match against a specific domain using Wisdom:

detection:
  selection:
    wisdom.domain: example.com
  condition: selection
alphasoc:
  logschema:
    wisdom: wisdom-v1

This simplifies targeted monitoring: a detection can be narrowed to a single domain without any additional lookup or enrichment logic.
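To show how selections on wisdom.flags.<flag> and wisdom.domain behave over enriched events, here is a small evaluator written as an added example for this article; it is not AlphaSOC or Sigma project code. It assumes each DNS event carries the enrichment as a nested wisdom object (so the Sigma field wisdom.flags.c2 resolves to event["wisdom"]["flags"]["c2"]), that the sample events and domains are constructed, and that conditions follow standard Sigma and / or / not semantics, which goes one step beyond the condition: selection form shown on the page. The alphasoc block is kept on the rules as metadata but not interpreted here.

```python
"""Evaluate Sigma-style selections over Wisdom-enriched DNS events.

Added example, not AlphaSOC or Sigma code. Assumed event layout: a nested
'wisdom' object holding 'domain' and 'flags'. Conditions support
identifiers joined by 'and' / 'or' with an optional leading 'not'
(standard Sigma semantics, no parentheses).
"""

# Constructed sample events (hypothetical field layout, not real telemetry).
EVENTS = [
    {"id": 1, "query": "example.com",
     "wisdom": {"domain": "example.com",
                "flags": {"tor_dns": False, "blocklist": False, "c2": False}}},
    {"id": 2, "query": "exit.example.net",
     "wisdom": {"domain": "exit.example.net",
                "flags": {"tor_dns": True, "blocklist": False, "c2": False}}},
    {"id": 3, "query": "beacon.example.org",
     "wisdom": {"domain": "beacon.example.org",
                "flags": {"tor_dns": False, "blocklist": True, "c2": True}}},
    {"id": 4, "query": "spam.example.org",
     "wisdom": {"domain": "spam.example.org",
                "flags": {"tor_dns": False, "blocklist": True, "c2": False}}},
    # An event that was never enriched: no 'wisdom' object at all.
    {"id": 5, "query": "unknown.example"},
]

# Rules mirror the page's YAML; 'alphasoc' is carried as metadata only.
TOR_RULE = {
    "title": "DNS queries to Tor destinations",
    "detection": {"selection": {"wisdom.flags.tor_dns": True},
                  "condition": "selection"},
    "alphasoc": {"logschema": {"wisdom": "wisdom-v1"}},
}

# Blocklisted but not C2-flagged: 'filter' carves out what a C2 rule covers.
BLOCKLIST_NOT_C2_RULE = {
    "title": "DNS queries to blocklisted, non-C2 destinations",
    "detection": {"selection": {"wisdom.flags.blocklist": True},
                  "filter": {"wisdom.flags.c2": True},
                  "condition": "selection and not filter"},
    "alphasoc": {"logschema": {"wisdom": "wisdom-v1"}},
}

# Explicit false on a flag: the flag must be present and false.
NOT_C2_RULE = {
    "title": "DNS queries where the C2 flag is false",
    "detection": {"selection": {"wisdom.flags.c2": False},
                  "condition": "selection"},
    "alphasoc": {"logschema": {"wisdom": "wisdom-v1"}},
}

DOMAIN_RULE = {
    "title": "DNS queries to example.com",
    "detection": {"selection": {"wisdom.domain": "example.com"},
                  "condition": "selection"},
    "alphasoc": {"logschema": {"wisdom": "wisdom-v1"}},
}


def lookup(event, dotted):
    """Resolve a dotted Sigma field name into the nested event; None if absent."""
    cur = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def selection_matches(event, selection):
    """Every field/value pair in a selection map must hold (Sigma AND)."""
    return all(lookup(event, field) == expected
               for field, expected in selection.items())


def condition_holds(condition, results):
    """Evaluate 'a and not b or c' style conditions against selection results."""
    def term(tok):
        tok = tok.strip()
        if tok.startswith("not "):
            return not results[tok[4:].strip()]
        return results[tok]
    return any(all(term(t) for t in clause.split(" and "))
               for clause in condition.split(" or "))


def evaluate(rule, events):
    """Return the ids of events the rule's detection section matches."""
    detection = rule["detection"]
    names = [k for k in detection if k != "condition"]
    hits = []
    for ev in events:
        results = {n: selection_matches(ev, detection[n]) for n in names}
        if condition_holds(detection["condition"], results):
            hits.append(ev["id"])
    return hits


if __name__ == "__main__":
    for rule in (TOR_RULE, BLOCKLIST_NOT_C2_RULE, NOT_C2_RULE, DOMAIN_RULE):
        print(rule["title"], "->", evaluate(rule, EVENTS))
```

Note the un-enriched event 5: in this evaluator an absent flag is not the same as false, so wisdom.flags.c2: false does not match it. Whether AlphaSOC's own evaluation treats a missing flag as absent or as false is not stated on this page; check the Wisdom documentation before relying on false-valued selections for events that may lack enrichment.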

Why This Matters

Domain-based detections often come with constant IOC maintenance and manual checks, which quickly become time-consuming. With Wisdom integrated directly into Sigma, you can offload risk evaluation to AlphaSOC. This means:

  • No need to maintain or update domain reputation lists
  • No manual lookups to determine if a domain is suspicious
  • Higher-confidence detections based on recent data

All of this happens directly inside your Sigma rules, with no additional setup or extra work required.
