Security operations agents


Agentic SOC is powered by the Agentic AI engine and uses a layered, multi-agent collaborative architecture. A Team Leader coordinates multiple specialized Agent teams to cover the entire security operations lifecycle, including threat detection, incident investigation, response coordination, and security reporting. Each Agent leverages the ReAct reasoning framework to perform autonomous reasoning and decision-making. This allows them to perceive environmental changes in real time, dynamically analyze the attack chain, and automatically execute end-to-end responses. This reduces traditional security incident investigation and response times from hours or days to minutes.

Overview

  • Deeply integrated with Alibaba Cloud's cloud-native security data domain infrastructure and built on a large security model, the Agentic SOC architecture provides a team of AI Agent security experts capable of end-to-end automated perception, deep reasoning, collaborative investigation, and rapid closed-loop response. The architecture has three layers.

    | Layer | Components | Responsibilities |
    | --- | --- | --- |
    | Cloud-native engine layer | Simple Log Service (SLS), Flink/Scheduled SQL detection engine, iGraph graph computing, Qwen large security model, SOAR orchestration engine | Provides the foundation for data storage, computation, and AI capabilities. |
    | Agent management platform | Built on AgentRun | Agent lifecycle management, task scheduling, memory management, and tool-call orchestration. |
    | Agent intelligence layer | Team Leader + multiple specialized Agent teams | Performs autonomous reasoning and decision-making to execute security operations tasks. |

  • Each Agent operates on the ReAct reasoning framework: Perceive environment → Reason and analyze → Plan action → Execute operation → Observe result. This cycle repeats until the task is complete.

Important

Agent capabilities vary by your Agentic SOC edition. For differences between Agentic SOC (Basic Platform) and Security Operations Agent (add-on module), see Differences between the Agentic SOC Basic Platform and the Security Operations Agent.

Team organization and agent overview

Agentic SOC uses a layered, multi-agent collaborative architecture composed of a Team Leader and multiple specialized Agent teams. The Team Leader handles global scheduling, complex decision-making, and task decomposition, while each specialized Agent team executes tasks independently and collaborates within its domain.

Team leader

The Team Leader is built on the Qwen series of models and serves as the central coordination node for the entire Agent architecture. It has the following responsibilities:

  • Global scheduling: Receives and understands user input or system-triggered events to plan tasks, breaking down complex security operations tasks into subtasks.

  • Task decomposition: Decomposes high-level security operations goals into specific, executable subtasks and assigns them to the appropriate specialized Agent teams.

  • Complex decision-making: Coordinates decisions among multiple Agent teams, determining the execution order and priority of tasks.

Specialized agent teams

| Agent | Description |
| --- | --- |
| Security AI Assistant | Answers product questions, explains alerts, and summarizes incidents. |
| Threat Detection Agent | Performs malicious web traffic traceback and other detection tasks. |
| Incident Investigation Agent | Generates incidents, performs in-depth investigations, conducts traceability analysis, and assesses impact. |
| Response Coordination Agent | Handles incident response and entity analysis. |
| Security Reporting Agent | Generates alert analysis reports, security operations reports, and incident investigation reports. |

Core agents

Log standardization agent

The Log Standardization Agent uses semantic recognition technology to automatically understand multi-source, heterogeneous logs and generate high-quality Search Processing Language (SPL) queries. It unifies semantics and eliminates the need for manual query writing. It requires only minor fine-tuning and significantly lowers the learning curve for log standardization.

  • Core capabilities:

    • Automatically understands the structure and field meanings of raw logs in various formats.

    • Generates SPL syntax with a single click to map raw log fields to a standardized security data model.

    • Allows you to fine-tune standardization rules with simple point-and-click actions, removing the need to manually write complex parsing statements.

  • Usage example:

    1. Go to the Security Center console > Agentic SOC > Management > Access Settings. In the upper-left corner, select the region where your assets are located: Chinese Mainland or Outside Chinese Mainland.

    2. On the Integration Settings page, on the Standardized Rule tab, modify or create a custom access rule. After you enter the Sample Log, you can invoke the Security AI Assistant to get optimization suggestions.


Incident investigation agent

The Incident Investigation Agent is built on the ReAct/Chain of Thought (CoT) reasoning framework. It continuously perceives environmental changes. When a new host or network alert is associated with an incident and the incident status is "Unprocessed", the Agent autonomously begins investigation and analysis. This compresses tedious investigation work, which previously took hours or days, into minutes.

  • Core capabilities:

    • The Incident Investigation Agent provides a clear conclusion: Confirmed Attack, Suspected False Positive, or Insufficient Information.

    • Its core investigation capabilities are built on the Qwen series of models, supporting incident classification, entity recognition, and attack path inference. Based on the investigation results, it analyzes the scope of impact and reconstructs the attack chain and timeline.

  • Usage example:

    • The Agentic SOC > Security Incidents page displays the AI analysis results.


    • On the incident details page, view the incident summary, impact scope, involved attack chain stages, detection rules, and alert sources. Use the traceability graph to view the complete attack chain and timeline.


    • On the incident details page, the Agent Chain-of-Thought displays information such as the background context, reasoning steps, and conclusion summary to help you understand the Agent's investigation process and reasoning.


Incident investigation report agent

  • The Incident Investigation Report Agent generates a complete technical investigation report. This report reviews the security incident, consolidates evidence and response actions, and provides systematic improvement recommendations. The report includes an incident classification and summary, an attack chain and timeline, an impact assessment, root cause analysis, indicators of compromise (IOCs), and systematic hardening recommendations.

  • Usage example: Go to the details page of the target incident and click Full Report at the top to view the report details page.


Entity analysis agent

The Entity Analysis Agent uses AI to assess the risk level of malicious entities and autonomously reasons to decide which playbook or tool to use for response.

  • Core capabilities:

    • Displays the analysis process for an entity, including its basic information, the analysis process, the conclusion, and recommended actions.

    • Supports invoking entity analysis through the Security AI Assistant to analyze entities such as IPs, files, processes, domain names, hosts, and containers.

    • If the Agent determines an entity is malicious, it automatically recommends a response policy for one-click execution.

  • Usage example: On the incident details page, go to the Entity tab, locate the entity you want to handle, and click AI Analysis.


Incident response agent

This Agent analyzes the scope of impact based on investigation results and provides phased, cautious response recommendations that are executed automatically after manual review.

  • Core capabilities:

    • Intelligent response recommendation: Retrieves logs, vulnerability data, threat intelligence, and business context to accurately validate response plans.

    • Response in seconds: Automatically invokes tools (playbooks, threat intelligence, sandboxes, OpenAPI, etc.) to perform operations like blocking, isolation, and verification.

    • Manual review mechanism: Supports manual confirmation at critical decision points to balance efficiency and security.

  • Usage example:

    1. On the Security Incidents page, find the target incident. In the Actions column, click Recommended Response.

    2. In the Agent Recommended Policy panel, select the malicious entities you want to handle.

      Note

      The Agent automatically selects the appropriate playbook and configures the relevant parameters. No manual modification is required.


    3. After manual confirmation, click Resolve.
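
The manual review step above only protects you if the approval covers exactly the plan that is later executed. The following is an added example, not Agentic SOC's own code, that binds a reviewer's approval to a digest of the plan; the action names, the `NEEDS_APPROVAL` set, the stand-in tools and the sample plan are all assumptions constructed for illustration.

```python
import hashlib
import json

# Assumption for this example: which action names change state and need sign-off.
NEEDS_APPROVAL = {"block_ip", "isolate_host"}

def plan_digest(plan):
    """SHA-256 over a canonical encoding, so approval covers these exact actions and parameters."""
    canonical = json.dumps(plan, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()

def approve(plan, reviewer):
    """Record who reviewed the plan and the digest of what they saw."""
    return {"reviewer": reviewer, "digest": plan_digest(plan)}

def execute(plan, approval, tools):
    """Run the plan; state-changing steps run only under an approval of this exact plan."""
    approved = approval is not None and approval["digest"] == plan_digest(plan)
    audit = []
    for step in plan["actions"]:
        name = step["action"]
        if name not in tools:
            audit.append((name, "refused: unknown tool"))        # fail closed
        elif name in NEEDS_APPROVAL and not approved:
            audit.append((name, "refused: no approval for this plan"))
        else:
            audit.append((name, tools[name](**step["params"])))
    return audit

# Stand-in tools that only return strings; real ones would call playbooks or APIs.
TOOLS = {
    "lookup_intel": lambda ip: f"intel fetched for {ip}",
    "block_ip": lambda ip: f"blocked {ip}",
    "isolate_host": lambda host: f"isolated {host}",
}
# Constructed plan for a constructed incident.
PLAN = {"incident": "INC-EXAMPLE", "actions": [
    {"action": "lookup_intel", "params": {"ip": "203.0.113.7"}},
    {"action": "block_ip", "params": {"ip": "203.0.113.7"}},
]}

if __name__ == "__main__":
    ok = approve(PLAN, "analyst@example.com")
    print(execute(PLAN, ok, TOOLS))
    PLAN["actions"].append({"action": "isolate_host", "params": {"host": "10.0.1.5"}})
    print(execute(PLAN, ok, TOOLS))   # approval is stale: state-changing steps refused
```

Read-only steps still run without sign-off, while any change to the plan after review invalidates the approval for every state-changing step.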

Threat detection agent

  • Core capability: Multiple domain-specific intelligent agents perform deep semantic understanding, correlation, and attack attribution on massive, heterogeneous datasets. This creates a comprehensive digital security hub that automatically and precisely identifies both known and unknown security threats around the clock.

  • Usage example: The Malicious Web Traffic Traceback Agent traces malicious web traffic based on host-side anomaly alerts. It correlates host alerts with WAF flow logs to build a complete analysis chain from alert to attribution clue and from new alert to cross-domain correlated incident, and then generates corresponding security alerts.
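
The host-alert-to-WAF-log correlation described above can be pictured with the following added example, which is not Agentic SOC's own code. The record fields, scoring weights, five-minute lookback and clock-skew tolerance are assumptions, and all sample records are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from posixpath import basename

# Constructed sample records; field names are assumptions, not the product's log schema.
HOST_ALERTS = [
    {"host": "10.0.1.5", "time": "2024-05-01T10:00:30", "rule": "webshell_file_write",
     "path": "/var/www/html/upload/avatar_7f3.php"},
]
WAF_LOGS = [
    {"time": "2024-05-01T09:40:00", "src_ip": "198.51.100.20", "host": "10.0.1.5",
     "method": "POST", "uri": "/login", "status": 200},          # outside the window
    {"time": "2024-05-01T09:58:10", "src_ip": "198.51.100.20", "host": "10.0.1.5",
     "method": "GET", "uri": "/index.html", "status": 200},      # ordinary browsing
    {"time": "2024-05-01T10:00:28", "src_ip": "203.0.113.7", "host": "10.0.1.5",
     "method": "POST", "uri": "/upload.php?name=avatar_7f3.php", "status": 200},
    {"time": "2024-05-01T10:00:29", "src_ip": "203.0.113.7", "host": "10.0.1.9",
     "method": "POST", "uri": "/upload.php", "status": 200},     # different host
]

def score_request(req, alert):
    """Heuristic weight for how well one WAF request explains one host alert."""
    score = 1                                   # same host, inside the time window
    if req["method"] in ("POST", "PUT"):
        score += 2                              # request could carry a file body
    if basename(alert["path"]) in req["uri"]:
        score += 3                              # URI names the file the host alert flagged
    if 200 <= req["status"] < 300:
        score += 1                              # request was not blocked and succeeded
    return score

def trace_back(alert, waf_logs, lookback=timedelta(minutes=5), skew=timedelta(seconds=5)):
    """Return [(src_ip, score, [uris])] ranked by score for one host alert."""
    t_alert = datetime.fromisoformat(alert["time"])
    scores, evidence = defaultdict(int), defaultdict(list)
    for req in waf_logs:
        t_req = datetime.fromisoformat(req["time"])
        if req["host"] != alert["host"]:
            continue
        if not (t_alert - lookback <= t_req <= t_alert + skew):
            continue
        scores[req["src_ip"]] += score_request(req, alert)
        evidence[req["src_ip"]].append(req["uri"])
    return sorted(((ip, s, evidence[ip]) for ip, s in scores.items()),
                  key=lambda c: (-c[1], c[0]))

if __name__ == "__main__":
    for ip, score, uris in trace_back(HOST_ALERTS[0], WAF_LOGS):
        print(ip, score, uris)
```

The ranked list is an attribution clue for an analyst, not a verdict: a source that only scores on "same host, same window" is most likely unrelated traffic.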


Agent-driven incident response workflow

In a typical security incident response, multiple Agents work together to complete the end-to-end process from detection to response. The workflow is divided into the following five stages:

| Stage | Goal | Output |
| --- | --- | --- |
| Incident Summary | Determine what happened | Incident summary, attack timeline, list of attacker vectors, involved ATT&CK attack stages, and attack technique types. |
| Traceability Investigation | Assess the scope of impact | Alert context reasoning, list of affected assets, list of malicious entities (IPs, files, processes, hosts, etc.), and malicious entity analysis. |
| Root Cause Analysis | Identify the initial intrusion point | Log evidence investigation, suspicious intrusion point analysis, suspicious behavior analysis, exploited weakness analysis (vulnerabilities, baselines, access keys), and analysis conclusion. |
| Response Recommendations | Develop containment and hardening plans | Emergency response recommendations, vulnerability remediation suggestions, system hardening recommendations, false positive whitelisting suggestions, and log source supplementation suggestions. |
| Incident Response | Take action and invoke tools | The Agent outputs a formatted response plan for human review. Then, tools (such as playbooks, threat intelligence, sandboxes, and OpenAPI) are automatically invoked for execution. |

Performance metrics

| Key metric | Description |
| --- | --- |
| Autonomous investigation rate: 81% | AI Agents independently complete L1/L2 incident analysis, validated against full alert data with no human intervention. |
| Alert-to-incident convergence rate: 99.94% | Hundreds of thousands to millions of alerts are processed weekly and converged into a few hundred security incidents. |
| Investigation report efficiency: 100x improvement | Improves the efficiency of generating investigation reports 100-fold. Full attack chain reports are automatically generated, slashing the generation time from hours to minutes. |
| Log standardization efficiency: 90% | Semantic recognition technology automatically parses and maps logs from heterogeneous sources to a unified security model, generating SPL with one click. |