Agentic SOC log ingestion policies must be bound to standardized rules. Standardized rules use the SPL syntax of Simple Log Service (SLS) to parse and normalize logs.
Standardized rules
Rule Sources
Standardized rules use the SPL syntax to map incoming raw logs to standardized log structures and define key field mappings. This provides the data foundation for generating alerts from normalized logs.
Rule Source | Description | Supported Operations |
Predefined | Agentic SOC pre-initializes a set of parsing rules with SPL syntax and binds them to ingestion policies. The 50+ built-in rule templates incorporate Alibaba Cloud security expertise. |
|
Custom |
|
|
Create custom standardized rules
Access the Security Center console - Agentic SOC - Management - Access Settings. In the upper-left corner of the page, select the region where the assets to be protected are located: Chinese Mainland or Outside Chinese Mainland.
Configure the following parameters for the basic settings.
Parameter
Description
Rule Name
A custom name for the rule.
Service Provider
Predefined vendors: Alibaba Cloud, Fortinet, Chaitin, Microsoft, Sangfor, Tencent Cloud, Huawei Cloud, Hillstone Networks, DbappSecurity, Microsoft Cloud, and others.
Custom vendors: For information about how to create vendors, see Product integration.
Service
Automatically lists all products under the selected vendor, such as Security Center for Alibaba Cloud and Fortinet Firewall. For the list of supported products, see Integration settings.
Remarks
Add a description for the standardized rule to facilitate search and improve readability.
On the Log Standardization Test tab, configure the field mappings for the standardization rule.
Select a log sample source:
Based on data source
Data source: Automatically synchronizes existing data source instances.
Log sample: Automatically queries log samples from the last 7 days. You can also select a custom time range.
Based on manual input: Paste raw log data into the JSON editor. The editor supports formatting and validation.
Create a parsing plan by using either the AI-recommended configuration or manual configuration.
AI-recommended configuration
Invoke the Security AI Assistant from the console. Agentic SOC automatically assigns a log standardization agent to analyze log samples, recommend a standardization classification, structure, and field mapping, and generate SPL syntax.
In the Parse test section, click Security AI Assistant. The AI assistant dialog panel appears on the right.
Obtain the recommended configuration: After analyzing the log sample, the Security AI Assistant returns the recommended configuration.
Standardization classification and structure: The AI identifies the log type based on the log content and recommends a classification.
Standardization classifications: Network Log, Host Log, Security Log, Audit Log, Snapshot Log, Logon Log, and Other Log.
Standardization structure:
Each standardization classification contains multiple standardization structures.
Each standardization structure corresponds to a set of standardized fields and a dataset (StoreView). A dataset can be mapped to multiple standardization structures.
For information about how to view the dataset and standardized fields for a classification or structure, see View standardized fields and datasets.
Mapping results table: Displays the mapping between each log field and its standardized field, and indicates whether the field is required or optional. For fields that the AI does not automatically match, select a standardized field from the drop-down list.
Generate SPL syntax: Below the recommended configuration, click Generate SPL. The AI generates the SPL syntax based on the mapping results, and provides a mapping decision table and a compliance self-check.
Populate the configuration form: Below the generated SPL syntax, click Apply. The AI-recommended standardization classification, structure, and SPL syntax are automatically filled into the rule editing form.
Manual configuration
Standardization classification and structure: For the default standardization classifications and structures supported by Agentic SOC, and their field descriptions, see View standardized fields and datasets.
SPL syntax:
Use predefined rules and existing custom rules as templates. View the SPL syntax for each rule on its details page.
Or write custom syntax by referencing SPL syntax documentation.
Configure extended fields and syntax type
Extended field ingestion:
Pass-through: Raw log fields that are not mapped to standardized fields are stored directly in the dataset as key-value pairs. This preserves all original data but increases log volume and traffic costs.
Not Ingested (Default): Raw log fields that are not mapped by the standardized rules are discarded.
Syntax type:
General syntax: When you configure a log ingestion policy, you can select either Real-time Consumption or Scan Query. For more information, see the standardization method comparison in Product logs.
Real-time consumption: When you configure a log ingestion policy, the standardization method supports only Real-time Consumption.
Parse test
After configuring the standardization classification and parsing syntax, click Parse.
View the parse results in the Parse Results section.
Manage extended fields (optional)
If the SPL parsing results contain fields that are not mapped to standardized fields and extended field ingestion is set to Pass-through, we recommend creating indexes for these fields to facilitate quick searches after ingestion. For more information, see Manage standardized rules.
After the test passes, click Complete in the lower-left corner.
Manage standardized rules
Modify standardized rules
Click Edit in the Actions column of the target rule. You can modify the rule name, remarks, and SPL syntax. For configuration instructions, see Create custom standardized rules.
Only custom rules support modification.
Delete standardized rules
Click Delete in the Actions column of the target rule.
Predefined rules cannot be deleted.
Standardized rules that are bound to ingestion policies cannot be deleted.
Standardized fields and datasets
View standardized fields and datasets
Access the Security Center console - Agentic SOC - Management - Access Settings. In the upper-left corner of the page, select the region where the assets to be protected are located: Chinese Mainland or Outside Chinese Mainland.
In the Standard Fields list on the left, the items under Log Activity Category are the Standardization Category supported by Agentic SOC. The root nodes represent the Standardization Structure.
Click the expand icon next to a Standardization Category (for example, Network Log) to view the Standardization Structure under it (for example, 5-tuple Log, DNS Log, and HTTP Log).
Click a Standardization Structure (for example, API Risk Log). The following information appears on the right:
Standardized Field: Displays the standardized fields for the selected structure, including field name, type, description, required status, and sample values.
Extended Fields: Displays user-defined extended fields, including field name, type, description, tokenization status, and update time.
Dataset: Displays the Dataset for the selected structure.
Manage extended fields
Create new standardization structure (optional)
On the Standardized Field tab, click the
icon next to the target Standard Fields in the standard fields list.In the Standardization Structure dialog box, configure the following parameters.
Standardization Structure: Enter a name for the structure to facilitate identification when configuring standardized rules.
Structure Identifier: Must start with
custom-. Letters and digits are supported.Log Storage Location: Select the LogStore to store logs
Create Logstore:
Name: Must start with
custom-.Storage Location: The LogStore is created under the log project (
aliyun-cloudsiem-data-{aliUid}-{regionId}). You can view it in the Simple Log Service console.
Existing LogStore: You can select only custom LogStores (names start with
custom-).
Add extended fields
If the ingested logs contain fields that are not mapped to Standardized Field and Add Extended Fields is set to Keep Original, we recommend creating indexes for these fields to facilitate quick searches after ingestion.
Batch add
On the Standardized Rule tab, when you create or modify a custom rule, click Manage Custom Fields in the Parse Test section.
On the Extension Field Management page, click Auto-generate Index Property.
The system automatically synchronizes the log fields that are extracted from the sample using SPL syntax but not mapped to Standardized Field as extended fields.
Select an addition method:
Append: Retains existing index attributes and appends new extended field indexes.
Overwrite: Replaces existing index attributes and deletes the old index data.
Modify field information (optional):
Field Name: The name of the raw log field that is not mapped to a standardized field.
Type: Supported types are text, long, double, and JSON.
Enable Tokenization:
Supported for text fields and controlled by a toggle switch.
Supported delimiters: comma (,), space, single quote ('), double quote ("), semicolon (;), equals sign (=), parentheses (()), square brackets ([]), braces ({}), question mark (?), at sign (@), ampersand (&), angle brackets (<>), forward slash (/), colon (:), line break (\n), tab (\t), and carriage return (\r).
Single add
On the Standardized Field tab, expand the target Standardization Category and click the target Standardization Structure.
On the Extended Fields tab on the right, click Add Field.
On the extended field management tab, click Add Field and configure the following parameters.
Field Name: The name of the raw log field that is not mapped to a standardized field.
Type: Supported types are text, long, double, and JSON.
Enable Tokenization:
Supported for text fields and controlled by a toggle switch.
Supported delimiters: comma (,), space, single quote ('), double quote ("), semicolon (;), equals sign (=), parentheses (()), square brackets ([]), braces ({}), question mark (?), at sign (@), ampersand (&), angle brackets (<>), forward slash (/), colon (:), line break (\n), tab (\t), and carriage return (\r).
Dataset
What is Dataset
A dataset (StoreView) is a virtual resource based on a LogStore that manages associations among multiple LogStores. You can use datasets to query logs from multiple LogStores in a unified manner. However, datasets do not support log modification.
Mapping between datasets and standardized fields
Standardized rules require a Standardization Classification/Structure configuration. Each standardization classification contains multiple standardization structures. Each structure corresponds to a dataset (StoreView) and a set of standardized fields. A dataset (StoreView) can also be mapped to multiple standardization structures. The following figure illustrates the mapping:
Dataset usage notes
During product integration, Agentic SOC parses product logs by using the SPL syntax and the standard data fields in the dataset, then matches threat detection rules to identify security risks.
If a dataset (StoreView) is already bound to five ingestion policies in scan query mode, new policies can only use Real-time Consumption as the standardization method and do not support Scan Query. For more information about standardization methods, see Product logs.
Common datasets
The following table lists common datasets:
Standardization classification | Standardization structure | Dataset | Logstore |
Network log | 5-tuple log | network_activity | network-activity |
DNS log | |||
HTTP log | |||
Host log | Process outbound network connection log | process_activity | process-activity |
Process file write log | |||
Process start log | |||
Process DNS request log | |||
Security log | API security risk log | risk_activity | risk-activity |
Cloud service baseline log | |||
Host baseline log | |||
Cloud platform operation alert log | alert_activity | alert-activity | |
API security alert log | |||
Endpoint detection and response (EDR) alert log | |||
Firewall alert log | |||
Host network alert log | |||
WAF alert log | |||
Other alert log | |||
Crawler alert log | |||
Vulnerability log | vulnerability_activity | vulnerability-activity | |
Audit log | bastion host audit log | audit_activity | audit-activity |
NoSQL database audit log | |||
Cloud platform operation audit log | |||
Kubernetes audit log | |||
Windows security event log | |||
API gateway audit log | |||
Relational database audit log | |||
Object storage audit log | |||
Azure Active Directory audit log | |||
Azure Active Directory logon log | |||
Snapshot log | Account snapshot | account_activity | account-activity |
Process start snapshot | process_activity | process-activity | |
Network connection snapshot | |||
Logon log | Cloud platform logon log | login_activity | login-activity |
Host logon failure log | |||
Host logon log |