Agentic SOC uses predefined detection rules to analyze ingested alerts and logs, reconstruct attack chains and timelines, and generate aggregated alerts and detailed security events. You can also create custom detection rules to build a threat detection system tailored to your business.
Overview
The rule management feature in Agentic SOC analyzes standardized logs or runs built-in playbooks to generate aggregated analysis alerts and custom analysis alerts. It then creates security incidents from these alerts using methods such as graph computing, alert pass-through, and same-type aggregation to help you respond to threats. Rule management supports the following rule bodies to generate alerts and security incidents:
SQL syntax: Uses SQL queries to perform correlation analysis on logs within a specified scope. This includes filtering logs, pattern matching, and performing window-based statistics to detect alerts and generate security incidents.
Playbook: Calls cloud service APIs and follows a predefined workflow to detect alerts and generate security incidents. This method is typically used for business status warnings.
Rule types
Rule type | Description |
Predefined | Predefined rules provide out-of-the-box threat detection. They analyze logs that have been ingested into Agentic SOC and fall within the rule's effective scope. When a rule is matched, the resulting security alert is displayed on the Aggregate and Analyze Alerts tab of the page. Predefined rules use graph computing to aggregate alerts that share the same asset or IOC into a security incident. This aggregation process applies to all alerts except for custom analysis alerts. |
Custom | Custom rules allow you to define your own detection logic. To help you get started, Agentic SOC provides rule templates for complex threat detection scenarios. You can create custom rules based on SQL syntax or a playbook. Security alerts generated from custom rules are displayed on the Custom Alert Analysis tab of the page. Custom rules generate security incidents by using either alert pass-through or same-type aggregation. |
Incident generation methods
Graph computing: Aggregates alerts that share the same asset or IOC into a single security incident. This method is applied to all alerts except for custom analysis alerts.
Alert pass-through: Generates one security incident for each alert from an analysis rule.
Same-type aggregation: Aggregates all alerts from the same analysis rule into a single security incident.
Availability
When you activate the Agentic SOC service, the billing model and billing items you select determine your available rule management features. For details, see Purchase and activate Agentic SOC.
Subscription:
Purchase only Log Ingestion Traffic: Predefined rules and Custom rules, which only support logs standardized using "Scan Query".
NoteIf you also purchase the pay-as-you-go Log Management feature, all custom rules are supported.
Purchase Log Ingestion Traffic and Log Storage Capacity: Predefined and Custom rules.
Purchase only Log Storage Capacity: Not supported.
Pay-as-you-go: Predefined rules and Custom rules, which only support logs standardized using "Scan Query".
NoteIf you also purchase the pay-as-you-go Log Management feature, all custom rules are supported.
Workflow
Enable or disable predefined rules
Predefined rules are enabled by default. You can enable, disable, or view the details of predefined rules. You cannot edit or delete predefined rules.
Navigate to the Agentic SOC > Management > Detection Rules page in the Security Center console. In the upper-left corner, select the region where your assets are located: Chinese Mainland or Outside Chinese Mainland.
On the Predefined tab, find the desired predefined rule. In the Actions column, click Details to view its basic information, alert generation settings, and incident generation settings.
To enable or disable a rule, click its Rule Status: switch.
NoteAlternatively, in the list of predefined rules, you can click Enable or Disabled in the Enabling Status column to toggle the rule's status.

Alerts generated by matched predefined rules are displayed on the Aggregate and Analyze Alerts tab of the page.
Create and enable custom rules
Go to the Security Center console > Agentic SOC > Manage > Detection Rules page. In the upper-left corner, select the region where your assets are located: Chinese Mainland or Outside Chinese Mainland.
On the Rule Template tab, click Create Rule in the Actions column of the target template. Alternatively, go to the Custom tab and click Create Custom Rule.
ImportantCreating rules from rule templates is simpler and more efficient.
In the Create Custom Rule panel, on the Basic Information tab, enter a rule name and description, and then click Next.
On the Alert Settings tab, configure how alerts are generated.
You can view the generated alerts under Custom Alert Analysis on the page. The available configuration items and their values vary depending on the configured rule body. The following sections provide details:
SQL syntax
This method uses SQL to perform correlation analysis, such as filtering, feature matching, and window-based statistics, on logs within the specified scope to detect alerts and generate events.
Rule body
Parameter
Description
Rule Body
The default value is SQL.
Log Scope
Select the scope of logs for the rule to analyze. You must specify the standardized category and structure for the logs. You can select multiple standardized log structures.
Click the Standard Fields link to view descriptions of the log fields for the current standardized log structure.
SQL Statement
The SQL statement queries for records of specified events to identify potential malicious behavior. For more information on configuring an SQL query statement, see the following topics:
For more information about SQL syntax, see SQL analysis syntax and functions.
You can also use the Log Service (SLS) Copilot tool to help generate and optimize SQL query statements. For details, see Use AI to intelligently generate query and analysis statements (Copilot).
Scheduling settings
When you enable an SQL-based custom rule, Agentic SOC creates a corresponding scheduled SQL job in Log Service (SLS) based on the Scheduling Settings. SLS then generates multiple execution instances based on the scheduling interval. For details, see Manage scheduled SQL jobs and Query data of scheduled SQL jobs.
Scheduling parameters
Parameter
Description
Scheduling Interval
Set the frequency at which SQL queries are executed. The following methods are supported:
Fixed Interval: The value must be in the range of 5 minutes to 24 hours.
Cron: The minimum precision is minutes, and the format is 24-hour. Examples:
0/5 * * * *: Executes every 5 minutes, starting at minute 0.0 0/1 * * *: Executes every hour, starting from 00:00.0 18 * * *: Executes daily at 18:00.0 0 1 * *: Executes at 00:00 on the first day of every month.
SQL Time Window
Specify the time range of logs to query for each scheduled SQL instance. The value must be in the range of 5 minutes to 24 hours.
ImportantThe SQL time window must be greater than or equal to the scheduling interval.
Start Time
The time when scheduled SQL instances start to run after the rule is enabled. The following methods are supported:
Rule Enabled At: The moment the rule is enabled.
Specified Time: A specific time that you set, accurate to the minute.
Execution parameters
Job scheduling time: Determined by the Start Time and Scheduling Interval. This time is not affected by execution timeouts, delays, or backfills of the previous instance.
For example, if the start time of the rule is 10:58:45 on May 16, 2025, and the scheduling interval is 5 minutes, the scheduled times are 10:58:45 on May 16, 2025, 11:03:45 on May 16, 2025, 11:08:45 on May 16, 2025, and so on.
Job execution time: The actual time a scheduled SQL job starts to run. If a job is retried, this is the time when the last retry started.
NoteA scheduled SQL job may time out, be delayed, or be backfilled. This can cause the job execution time to differ from the job scheduling time.
SQL query time range: The time range for SQL analysis, determined by the Job scheduling time and SQL Time Window. It is independent of the actual job execution time. The range is calculated as follows: [Scheduled time rounded down to the minute - SQL time window, Scheduled time rounded down to the minute).
For example, the rule start time is 10:58:45 on May 16, 2025, the scheduling interval is 5 minutes, and the SQL time window is 5 minutes.
The SQL query range for the first scheduled job is as follows:
Scheduling time: 2025-05-16 10:58:45
Query time range: [2025-05-16 10:53:00, 2025-05-16 10:58:00)
The SQL query range for the second scheduled job is as follows:
Scheduling time: 2025-05-16 11:03:45
Query time range: [2025-05-16 10:58:00, 2025-05-16 11:03:00)
Alert log generation
Agentic SOC generates alert logs based on the Alert Log Generation settings. You can view these logs on the page.
Alert attribute definition
Generation Structure: Select the log category for the alert, such as Endpoint Detection & Response or firewall.
NoteClick View Standard Fields in the drop-down list to view the field details for the log type.
Alert Type: Set the specific type of alert that the current rule detects.
Alert Level:
Purpose: Defines the risk level of the alert.
Valid values: Information, Low, Medium, High, and Critical.
ATT&CK Phase
Purpose: Associates the attack behavior detected by the rule with the corresponding attack phases and techniques.
Configuration:
Click
+ Add Attack Phaseto map multiple attack phases.Within each attack phase, you can select multiple attack techniques.
Limit: You can select a maximum of 5 attack techniques across all phases.
Entity Mapping
Converts unstructured fields in query results, such as IP addresses or filenames, into structured entity objects. This process allows the system to aggregate all related activities for an entity, build a threat profile, and improve analysis efficiency.
Procedure
Select an entity type
From the drop-down list, select the type of entity to map, such as host, file, IP address, or process.
Click Add Entity Mapping to configure multiple types of entities.
Map entity properties
Configure the properties for each entity. Properties fall into two categories:
Required properties: The unique identifier for the entity. For example, the required property for an IP address entity is the address itself.
Optional properties: Supplementary information for the entity. For example, you can associate a hostname with an IP address entity as an optional property.
Click Add Entity Attribute Mapping to set multiple properties for an entity.
Set property values
Assign a value to each selected property.
Format: Two formats are supported:
Variable reference:
$field_name$(References a field from the query results).Constant: A fixed string value that you enter directly.
Example:

Alert Enrichment
You can dynamically generate alert names and descriptions by referencing query fields as variables.
Alert Name:
Length and format: The maximum length is 50 characters.
Reference format:
$SQL_query_returned_field$.Default (if left blank): The Rule Name is used.
Example: High-frequency, multi-type network attack from $src_ip$ detected.
Alert description:
Length: The maximum length is 1,000 characters.
Variable reference format:
$SQL_query_returned_field$.Default (if left blank): The Rule Description is used.
Example: Alert from: $product_code$, network attack from $src_ips$ detected, affected assets include: $dst_ips$.
ImportantIf the final content generated after variable substitution exceeds the length limit, the excess part is automatically truncated.
Alert suppression
The Alert Suppression settings cap the number of security alerts generated but do not affect alert log generation or delivery.
Agentic SOC groups alerts based on all possible combinations of the suppression condition field values. A maximum of 100 security alerts can be generated for each group within a suppression window. Matching records that exceed this cap are suppressed.
Parameter
Description
Suppression Window
The Suppression Window sets the time window for counting alerts.
The suppression window starts when the rule generates the first alert log.
The value must be in the range of 5 minutes to 24 hours.
NoteAssume that a rule generates its first alert log at 10:58:45 on May 16, 2025, and the suppression window is set to 10 minutes. The first suppression window is from 10:58:45 to 11:08:45, the second is from 11:08:45 to 11:18:45, and so on.
Suppression Condition
Enter the column name or alias defined in the
SELECTclause of the SQL statement. If this is not configured, the system uses therule_idfield of the custom analysis rule as the suppression condition by default.Agentic SOC groups alerts based on all possible combinations of the suppression condition field values.
For example, if you have two fields,
aandb, as suppression conditions, where the value set ofais {1,2} and the value set ofbis {3,4}, a total of four combinations are created: {1,3}, {1,4}, {2,3}, and {2,4}. Each combination is a group.A maximum of 100 security alerts can be generated for each group within the suppression window.
ImportantThe suppression condition is optional. If you do not configure a suppression condition, a maximum of 100 security alerts can be generated by the rule within the entire suppression window.
Playbook
This method calls cloud product APIs and uses a playbook to evaluate conditions for alert detection and event generation. This is typically used for business status warnings.
NoteIf a rule is created from a rule template (playbook-based), a corresponding custom playbook is automatically created. You can view it on the Custom Playbooks tab of the page.
Rule body
Parameter
Description
Rule Body
Select Script.
Playbook Name
If you create a rule from a rule template (playbook-based), you can change the playbook name, but it must be unique.
If you create a rule by clicking Create Custom Rule on the Custom tab, select a playbook from the drop-down list.
ImportantOnly playbooks that meet all the following conditions appear in the drop-down list:
The playbook type is custom.
The playbook status is published.
The input parameter type of the playbook's start node must be Custom.
The playbook is not associated with any other analysis and detection rules.
Playbook Description
If you create the rule from a rule template (playbook-based), you can modify the description.
If you create the rule by clicking Create Custom Rule on the Custom tab, the description of the target playbook from response orchestration is automatically retrieved and cannot be modified.
Parameter settings
You need to configure parameters only when you create a rule from a rule template (playbook-based). Different playbooks require different parameters. You can click the
icon next to a parameter to view its definition and configuration instructions.Authorization
You need to configure authorization only when you create a rule from a rule template (playbook-based).
Execution Role: If you have not created a role, click Go to RAM Console to Create Role. On the RAM quick authorization page, click Confirm Authorization. A role named AliyunSiemSoarExecutionDefaultRole is automatically created.
NoteIf you do not have the permissions to create a role, contact a RAM administrator (a RAM user with resource management permissions or your Alibaba Cloud account) to create the role and attach a trust policy in the RAM console. For details, see Create a RAM role for a trusted Alibaba Cloud service. The configuration is as follows:
Trusted Entity: Alibaba Cloud Service.
Trusted Service: cloudsiem.sas.aliyuncs.com.
Role Name: AliyunSiemSoarExecutionDefaultRole
Access Policy: The system lists the permission policies required to run the playbook based on the selected template. If a required policy is not attached, click Modify Policy, select the ungranted policies, and then click Authorize in RAM Console. Complete the authorization on the RAM quick authorization page.
ImportantIf you do not have the required permissions, contact a RAM administrator (a RAM user with resource management permissions or your Alibaba Cloud account) to attach the required permission policy to the AliyunSiemSoarExecutionDefaultRole role. For details, see Manage the permissions of a RAM role.
Scheduling settings
For a custom rule whose rule body is a playbook, after the rule is enabled, Agentic SOC creates a scheduled playbook task based on the Scheduling Settings.
NoteIf a scheduled task fails, the system retries it once after 30 seconds. If the retry also fails, the task is terminated and waits for the next scheduled cycle.
You can view playbook execution records on the details page of the custom playbook in the Response Rules module.
Parameter
Description
Scheduling Interval
Set the time interval at which the playbook is run. The following methods are supported:
Fixed Interval: The value must be in the range of 5 minutes to 24 hours.
Cron: The minimum precision is minutes, and the format is 24-hour. Examples:
0/5 * * * *: Executes every 5 minutes, starting at minute 0.0 0/1 * * *: Executes every hour, starting from 00:00.0 18 * * *: Executes daily at 18:00.0 0 1 * *: Executes at 00:00 on the first day of every month.
Start Time
The time when the playbook starts to run after the rule is enabled. The following methods are supported:
Rule Enabled At: The moment the rule is enabled.
Specified Time: A specific time that you set, accurate to the minute.
Alert log generation
Agentic SOC generates alert logs based on the Alert Log Generation settings. You can view these logs on the page.
Generation Structure: Only the Other Alert Logs structure is supported.
NoteClick View Standard Fields in the drop-down list to view the field details for this log type.
Alert Type: Set the specific type of alert that the current rule detects.
Alert Level:
Purpose: Defines the risk level of the alert.
Valid values: Information, Low, Medium, High, and Critical.
ATT&CK Phase
Purpose: Associates the attack behavior detected by the rule with the corresponding attack phases and techniques.
Configuration:
Click
+ Add Attack Phaseto map multiple attack phases.Within each attack phase, you can select multiple attack techniques.
Limit: You can select a maximum of 5 attack techniques across all phases.
Alert suppression
The Alert Suppression settings cap the number of security alerts generated but do not affect alert log generation or delivery.
Agentic SOC groups alerts based on all possible combinations of the suppression condition field values. A maximum of 100 security alerts can be generated for each group within a suppression window. Matching records that exceed this cap are suppressed.
Parameter
Description
Suppression Window
The Suppression Window sets the time window for counting alerts.
The suppression window starts when the rule generates the first alert log.
The value must be in the range of 5 minutes to 24 hours.
NoteAssume that a rule generates its first alert log at 10:58:45 on May 16, 2025, and the suppression window is set to 10 minutes. The first suppression window is from 10:58:45 to 11:08:45, the second is from 11:08:45 to 11:18:45, and so on.
Suppression Condition
The drop-down list options come from the standardized log fields corresponding to the alert log selected for Generation Structure in the Alert Log Generation settings.
NoteOn the Standardized Rule tab of the page, click View Standard Fields to view field details of the target log.
Agentic SOC groups alerts based on all possible combinations of the suppression condition field values.
For example, if you have two fields,
aandb, as suppression conditions, where the value set ofais {1,2} and the value set ofbis {3,4}, a total of four combinations are created: {1,3}, {1,4}, {2,3}, and {2,4}. Each combination is a group.A maximum of 100 security alerts can be generated for each group within the suppression window.
ImportantThe suppression condition is optional. If you do not configure a suppression condition, a maximum of 100 security alerts can be generated by the rule within the entire suppression window.
On the Incident Generation Settings tab, configure how security incidents are generated.
You can view and handle the generated incidents on the page.
Parameter
Description
Generate Event
Specify whether to generate a security incident when an alert matches the rule.
Incident Generation Method
Alert pass-through: Generates one security incident for each alert created by the current rule.
Same-type aggregation: Aggregates all alerts generated by the current rule into a single security incident.
Aggregation Window
You need to configure the window size only for the Incident Aggregation by Type scenario. The value must be in the range of 5 minutes to 24 hours.
For example, if the aggregation window is set to 5 minutes, all security alerts generated within this 5-minute period are aggregated into a single security incident.
Enable the custom rule: A newly created rule is Disabled by default. You can change its status in the Status column of the custom rules list.
NoteWe recommend testing the custom rule before enabling it.
Test a custom rule (optional)
Before enabling a custom rule, you can change its Enabling Status to Testing and view the alert test results to verify the rule's output. The system uses built-in logic to calibrate alert fields, their values, and standardized fields. You can review the calibration results in the console and adjust the rule's SQL or playbook to ensure that alerts generated by the rule meet calibration requirements.
Testing is optional. The calibration results do not prevent you from enabling the rule.
Alerts generated during testing are not displayed on the Security Alerts page.
Procedure:
On the Custom tab, change the Enabling Status of the target rule to Testing.
In the target rule's actions column, click View Alert Test Result.
On the test result details page, view the alert trend chart and the alert list. You can also click Details in an alert's actions column to view its calibration results.
View and handle security alerts and incidents
After a threat detection rule takes effect, the system generates security alerts and security incidents when ingested logs match the rule. You can handle them as described below:
On the page, view the generated alerts on the Custom Alert Analysis and Aggregate and Analyze Alerts tabs. For details, see security alerts.
On the page, view and handle the generated incidents. For details, see security incidents.