Standardized rules and datasets

更新时间:
复制 MD 格式

Agentic SOC log ingestion policies must be bound to standardized rules. Standardized rules use the SPL syntax of Simple Log Service (SLS) to parse and normalize logs.

Standardized rules

Rule Sources

Standardized rules use the SPL syntax to map incoming raw logs to standardized log structures and define key field mappings. This provides the data foundation for generating alerts from normalized logs.

Rule Source

Description

Supported Operations

Predefined

Agentic SOC pre-initializes a set of parsing rules with SPL syntax and binds them to ingestion policies. The 50+ built-in rule templates incorporate Alibaba Cloud security expertise.

  • View

  • Copy and Create

Custom

  • Created by users, with the option to reference predefined rules and existing custom rules as templates.

  • You must first ingest log data into the data source that requires custom standardized parsing; otherwise, you cannot complete rule creation.

  • Add

  • View

  • Modify

  • Delete

  • Copy and Create

Create custom standardized rules

  1. Access the Security Center console - Agentic SOC - Management - Access Settings. In the upper-left corner of the page, select the region where the assets to be protected are located: Chinese Mainland or Outside Chinese Mainland.

  2. Configure the following parameters for the basic settings.

    Parameter

    Description

    Rule Name

    A custom name for the rule.

    Service Provider

    Predefined vendors: Alibaba Cloud, Fortinet, Chaitin, Microsoft, Sangfor, Tencent Cloud, Huawei Cloud, Hillstone Networks, DbappSecurity, Microsoft Cloud, and others.

    Custom vendors: For information about how to create vendors, see Product integration.

    Service

    Automatically lists all products under the selected vendor, such as Security Center for Alibaba Cloud and Fortinet Firewall. For the list of supported products, see Integration settings.

    Remarks

    Add a description for the standardized rule to facilitate search and improve readability.

  3. On the Log Standardization Test tab, configure the field mappings for the standardization rule.

    1. Select a log sample source:

      • Based on data source

        • Data source: Automatically synchronizes existing data source instances.

        • Log sample: Automatically queries log samples from the last 7 days. You can also select a custom time range.

      • Based on manual input: Paste raw log data into the JSON editor. The editor supports formatting and validation.

    2. Create a parsing plan by using either the AI-recommended configuration or manual configuration.

      AI-recommended configuration

      Invoke the Security AI Assistant from the console. Agentic SOC automatically assigns a log standardization agent to analyze log samples, recommend a standardization classification, structure, and field mapping, and generate SPL syntax.

      1. In the Parse test section, click Security AI Assistant. The AI assistant dialog panel appears on the right.

      2. Obtain the recommended configuration: After analyzing the log sample, the Security AI Assistant returns the recommended configuration.

        • Standardization classification and structure: The AI identifies the log type based on the log content and recommends a classification.

          • Standardization classifications: Network Log, Host Log, Security Log, Audit Log, Snapshot Log, Logon Log, and Other Log.

          • Standardization structure:

            • Each standardization classification contains multiple standardization structures.

            • Each standardization structure corresponds to a set of standardized fields and a dataset (StoreView). A dataset can be mapped to multiple standardization structures.

            • For information about how to view the dataset and standardized fields for a classification or structure, see View standardized fields and datasets.

        • Mapping results table: Displays the mapping between each log field and its standardized field, and indicates whether the field is required or optional. For fields that the AI does not automatically match, select a standardized field from the drop-down list.

      3. Generate SPL syntax: Below the recommended configuration, click Generate SPL. The AI generates the SPL syntax based on the mapping results, and provides a mapping decision table and a compliance self-check.

      4. Populate the configuration form: Below the generated SPL syntax, click Apply. The AI-recommended standardization classification, structure, and SPL syntax are automatically filled into the rule editing form.

      Manual configuration

      • Standardization classification and structure: For the default standardization classifications and structures supported by Agentic SOC, and their field descriptions, see View standardized fields and datasets.

      • SPL syntax:

        • Use predefined rules and existing custom rules as templates. View the SPL syntax for each rule on its details page.

        • Or write custom syntax by referencing SPL syntax documentation.

    3. Configure extended fields and syntax type

      • Extended field ingestion:

        • Pass-through: Raw log fields that are not mapped to standardized fields are stored directly in the dataset as key-value pairs. This preserves all original data but increases log volume and traffic costs.

        • Not Ingested (Default): Raw log fields that are not mapped by the standardized rules are discarded.

      • Syntax type:

        • General syntax: When you configure a log ingestion policy, you can select either Real-time Consumption or Scan Query. For more information, see the standardization method comparison in Product logs.

        • Real-time consumption: When you configure a log ingestion policy, the standardization method supports only Real-time Consumption.

    4. Parse test

      1. After configuring the standardization classification and parsing syntax, click Parse.

      2. View the parse results in the Parse Results section.

      3. Manage extended fields (optional)

        If the SPL parsing results contain fields that are not mapped to standardized fields and extended field ingestion is set to Pass-through, we recommend creating indexes for these fields to facilitate quick searches after ingestion. For more information, see Manage standardized rules.

  4. After the test passes, click Complete in the lower-left corner.

Manage standardized rules

Modify standardized rules

Click Edit in the Actions column of the target rule. You can modify the rule name, remarks, and SPL syntax. For configuration instructions, see Create custom standardized rules.

Note

Only custom rules support modification.

Delete standardized rules

Click Delete in the Actions column of the target rule.

Important
  • Predefined rules cannot be deleted.

  • Standardized rules that are bound to ingestion policies cannot be deleted.

Standardized fields and datasets

View standardized fields and datasets

  1. Access the Security Center console - Agentic SOC - Management - Access Settings. In the upper-left corner of the page, select the region where the assets to be protected are located: Chinese Mainland or Outside Chinese Mainland.

  2. In the Standard Fields list on the left, the items under Log Activity Category are the Standardization Category supported by Agentic SOC. The root nodes represent the Standardization Structure.

  3. Click the expand icon next to a Standardization Category (for example, Network Log) to view the Standardization Structure under it (for example, 5-tuple Log, DNS Log, and HTTP Log).

  4. Click a Standardization Structure (for example, API Risk Log). The following information appears on the right:

    • Standardized Field: Displays the standardized fields for the selected structure, including field name, type, description, required status, and sample values.

    • Extended Fields: Displays user-defined extended fields, including field name, type, description, tokenization status, and update time.

    • Dataset: Displays the Dataset for the selected structure.

Manage extended fields

Create new standardization structure (optional)

  1. On the Standardized Field tab, click the image icon next to the target Standard Fields in the standard fields list.

  2. In the Standardization Structure dialog box, configure the following parameters.

    • Standardization Structure: Enter a name for the structure to facilitate identification when configuring standardized rules.

    • Structure Identifier: Must start with custom-. Letters and digits are supported.

    • Log Storage Location: Select the LogStore to store logs

      • Create Logstore:

        • Name: Must start with custom-.

        • Storage Location: The LogStore is created under the log project (aliyun-cloudsiem-data-{aliUid}-{regionId}). You can view it in the Simple Log Service console.

      • Existing LogStore: You can select only custom LogStores (names start with custom-).

Add extended fields

If the ingested logs contain fields that are not mapped to Standardized Field and Add Extended Fields is set to Keep Original, we recommend creating indexes for these fields to facilitate quick searches after ingestion.

Batch add
  1. On the Standardized Rule tab, when you create or modify a custom rule, click Manage Custom Fields in the Parse Test section.

  2. On the Extension Field Management page, click Auto-generate Index Property.

  3. The system automatically synchronizes the log fields that are extracted from the sample using SPL syntax but not mapped to Standardized Field as extended fields.

  4. Select an addition method:

    • Append: Retains existing index attributes and appends new extended field indexes.

    • Overwrite: Replaces existing index attributes and deletes the old index data.

  5. Modify field information (optional):

    • Field Name: The name of the raw log field that is not mapped to a standardized field.

    • Type: Supported types are text, long, double, and JSON.

    • Enable Tokenization:

      • Supported for text fields and controlled by a toggle switch.

      • Supported delimiters: comma (,), space, single quote ('), double quote ("), semicolon (;), equals sign (=), parentheses (()), square brackets ([]), braces ({}), question mark (?), at sign (@), ampersand (&), angle brackets (<>), forward slash (/), colon (:), line break (\n), tab (\t), and carriage return (\r).

Single add
  1. On the Standardized Field tab, expand the target Standardization Category and click the target Standardization Structure.

  2. On the Extended Fields tab on the right, click Add Field.

  3. On the extended field management tab, click Add Field and configure the following parameters.

    • Field Name: The name of the raw log field that is not mapped to a standardized field.

    • Type: Supported types are text, long, double, and JSON.

    • Enable Tokenization:

      • Supported for text fields and controlled by a toggle switch.

      • Supported delimiters: comma (,), space, single quote ('), double quote ("), semicolon (;), equals sign (=), parentheses (()), square brackets ([]), braces ({}), question mark (?), at sign (@), ampersand (&), angle brackets (<>), forward slash (/), colon (:), line break (\n), tab (\t), and carriage return (\r).

Dataset

What is Dataset

A dataset (StoreView) is a virtual resource based on a LogStore that manages associations among multiple LogStores. You can use datasets to query logs from multiple LogStores in a unified manner. However, datasets do not support log modification.

Mapping between datasets and standardized fields

Standardized rules require a Standardization Classification/Structure configuration. Each standardization classification contains multiple standardization structures. Each structure corresponds to a dataset (StoreView) and a set of standardized fields. A dataset (StoreView) can also be mapped to multiple standardization structures. The following figure illustrates the mapping:

image

Dataset usage notes

  • During product integration, Agentic SOC parses product logs by using the SPL syntax and the standard data fields in the dataset, then matches threat detection rules to identify security risks.

  • If a dataset (StoreView) is already bound to five ingestion policies in scan query mode, new policies can only use Real-time Consumption as the standardization method and do not support Scan Query. For more information about standardization methods, see Product logs.

Common datasets

The following table lists common datasets:

Standardization classification

Standardization structure

Dataset

Logstore

Network log

5-tuple log

network_activity

network-activity

DNS log

HTTP log

Host log

Process outbound network connection log

process_activity

process-activity

Process file write log

Process start log

Process DNS request log

Security log

API security risk log

risk_activity

risk-activity

Cloud service baseline log

Host baseline log

Cloud platform operation alert log

alert_activity

alert-activity

API security alert log

Endpoint detection and response (EDR) alert log

Firewall alert log

Host network alert log

WAF alert log

Other alert log

Crawler alert log

Vulnerability log

vulnerability_activity

vulnerability-activity

Audit log

bastion host audit log

audit_activity

audit-activity

NoSQL database audit log

Cloud platform operation audit log

Kubernetes audit log

Windows security event log

API gateway audit log

Relational database audit log

Object storage audit log

Azure Active Directory audit log

Azure Active Directory logon log

Snapshot log

Account snapshot

account_activity

account-activity

Process start snapshot

process_activity

process-activity

Network connection snapshot

Logon log

Cloud platform logon log

login_activity

login-activity

Host logon failure log

Host logon log