Differences between Agentic SOC 1.0 and 2.0

Last Updated: Jan 19, 2026

Agentic SOC 2.0 standardizes logs using the cloud-native capabilities of Simple Log Service (SLS). This enables quick integration of logs from Alibaba Cloud services, third-party cloud providers, and on-premises security vendors, reducing the complexity of data ingestion.

Version guide

If you activate the Agentic SOC service after April 3, 2025, you can use the features of the Agentic SOC 2.0 architecture. Existing users will be upgraded at a later date. For more information about the upgrade, see [Notice] Threat Analysis and Response upgrade.

Feature comparison

Note

In Agentic SOC 2.0, the procedures for features such as security alerts, security event handling, and response orchestration are the same as in Agentic SOC 1.0.

Each feature below is listed with its behavior in Agentic SOC 1.0 followed by its behavior in Agentic SOC 2.0.

Service integration

  Agentic SOC 1.0:

  • Designed for integration with Alibaba Cloud cloud-native products using a service-to-service approach.

  • Supports log ingestion from third-party cloud providers and on-premises security products, but requires the logs to follow a strict structure.

  Agentic SOC 2.0:

  • Upgraded to the Integration Center, which uses standardized rules to ingest logs from Alibaba Cloud cloud-native products, third-party cloud providers, and security vendor products in a uniform way.

  • Provides two standardized log ingestion methods: real-time consumption and scan-based query.

  Important

  Product data that was integrated in Agentic SOC 1.0 is not deleted.

Rule management

  Agentic SOC 1.0:

  • Custom rules are configured in a graphical interface.

  Agentic SOC 2.0:

  • Custom rules can be written in SQL syntax. This enables threat detection through batch processing and threat analysis of historical data.

  • Custom rules can also be based on playbooks.

Log management

  Agentic SOC 1.0:

  • Uses a single Logstore with a wide-table storage model. All logs are stored in the Logstore cloud_siem of the project cloud_siem-data-<Alibaba Cloud account ID>-<region ID>.

  • Native logs from Security Center are not delivered directly; they are delivered only after the service has been integrated.

  • The delivery switch is controlled per integrated vendor and product.

  Agentic SOC 2.0:

  • Uses multiple Logstores that share a standardized structure.

    Important

    After the upgrade, incremental logs are no longer written to the original 1.0 project Logstore (cloud_siem), but you can still query the historical logs stored there. Incremental logs are written to new Logstores according to the service integration policy.

  • Native logs from Security Center are delivered directly from the service side to Log Management, independent of the service integration policy. You can enable or disable the delivery switch.

  • Logs ingested through real-time consumption are delivered automatically once you purchase Log Storage Capacity. The delivery switch cannot be enabled or disabled for these logs.

  • The standardized log fields are updated. For details of the field changes, see Standardized log field changes.

Multi-account management

  Agentic SOC 1.0:

  • A delegated administrator (DA) is designated as the global account administrator.

  • The DA account can switch between the global account view and the current account view.

  Agentic SOC 2.0:

  • Multi-account management settings for threat analysis are merged into the multi-account management settings of Security Center. The DA is set uniformly through the multi-account management feature of Security Center.

  • In multi-account scenarios, alert logs from member accounts are ingested through the multi-account integration settings in the Integration Center. View switching is no longer supported.
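Two of the changes above interact for anyone migrating detection content: custom rules move from a graphical builder to SQL evaluated as a batch over stored logs, and alert and event severities move from the 1.0 vocabulary (Reminder, Suspicious, Urgent) to the 2.0 vocabulary (Info, Low, Medium, High, Critical) that response orchestration triggers filter on (see the console comparison below). The following Python example is added here and is not Agentic SOC or SLS code. It evaluates a brute-force rule over a constructed batch of standardized login events the way a scan-based SQL rule would (group by source, count failures per tumbling window), assigns a 2.0 alert_level, and shows a playbook trigger that rejects 1.0 level names instead of silently never firing. The field names src_ip, event_type, result and __time__, the thresholds, and the sample records are assumptions, not the product's standardized schema or real data.

```python
"""Scan-based (batch) detection rule over standardized logs, plus an
alert trigger on Agentic SOC 2.0 severity levels.

Added illustration, not Agentic SOC or SLS code. Field names (src_ip,
event_type, result, __time__), thresholds and sample data are assumptions.
"""
from collections import defaultdict

# Severity vocabularies as listed on this page.
LEVELS_V1 = ("Reminder", "Suspicious", "Urgent")
LEVELS_V2 = ("Info", "Low", "Medium", "High", "Critical")

WINDOW_SECONDS = 300   # 5-minute tumbling window (assumed)
THRESHOLD = 5          # failed logins per source per window (assumed)

# Constructed sample of standardized login events (not real data).
# 1_700_000_100 is a multiple of 300, so it sits on a window boundary.
_BASE = 1_700_000_100
SAMPLE_LOGS = (
    [{"__time__": _BASE + 10 * i, "src_ip": "198.51.100.7",
      "event_type": "login", "result": "failure"} for i in range(6)]
    + [{"__time__": _BASE + 60, "src_ip": "198.51.100.7",
        "event_type": "login", "result": "success"}]
    + [{"__time__": _BASE + 300 + 5 * i, "src_ip": "203.0.113.4",
        "event_type": "login", "result": "failure"} for i in range(12)]
    + [{"__time__": _BASE + 600 + 7 * i, "src_ip": "203.0.113.4",
        "event_type": "login", "result": "failure"} for i in range(3)]
    + [{"__time__": _BASE + 20, "src_ip": "192.0.2.1",
        "event_type": "file_read", "result": "failure"}]
)


def severity(failures):
    """Map a failure count to a 2.0 alert_level (assumed cut-offs)."""
    if failures >= 4 * THRESHOLD:
        return "Critical"
    if failures >= 2 * THRESHOLD:
        return "High"
    return "Medium"


def brute_force_rule(logs, window=WINDOW_SECONDS, threshold=THRESHOLD):
    """Batch evaluation equivalent to an SLS-style analysis statement such
    as (illustrative shape only, not a verified SLS query):

      * | SELECT src_ip, __time__ - __time__ % 300 AS window_start,
                 COUNT(*) AS failures
          FROM log
          WHERE event_type = 'login' AND result = 'failure'
          GROUP BY src_ip, __time__ - __time__ % 300
          HAVING COUNT(*) >= 5

    Because it scans a stored batch, the same rule can be replayed over
    historical logs, which a per-event stream filter cannot do.
    """
    counts = defaultdict(int)
    for rec in logs:
        if rec["event_type"] != "login" or rec["result"] != "failure":
            continue
        window_start = rec["__time__"] - rec["__time__"] % window
        counts[(rec["src_ip"], window_start)] += 1
    alerts = []
    for (src_ip, window_start), n in sorted(counts.items()):
        if n >= threshold:
            alerts.append({"src_ip": src_ip, "window_start": window_start,
                           "failures": n, "alert_level": severity(n)})
    return alerts


def trigger_matches(alert, wanted_levels):
    """Response-orchestration alert trigger on alert_level.

    A 2.0 trigger must use the 2.0 vocabulary. A playbook carried over
    from 1.0 that still filters on Reminder/Suspicious/Urgent would never
    fire, so such values are rejected instead of matching nothing.
    """
    unknown = set(wanted_levels) - set(LEVELS_V2)
    if unknown:
        hint = " (Agentic SOC 1.0 levels)" if unknown <= set(LEVELS_V1) else ""
        raise ValueError(f"unsupported alert_level values {sorted(unknown)}{hint}")
    return alert["alert_level"] in wanted_levels


if __name__ == "__main__":
    for alert in brute_force_rule(SAMPLE_LOGS):
        print(alert, "-> high-severity playbook fires:",
              trigger_matches(alert, {"High", "Critical"}))
```

Running the file prints two alerts: six failures from 198.51.100.7 (Medium) and twelve from 203.0.113.4 (High); the three stray failures in the next window stay below the threshold, and the file_read event is filtered out before counting. Passing a 1.0 level such as Urgent to trigger_matches raises immediately, which is the behaviour you want when validating migrated playbooks.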

Console feature comparison

Each console feature below is listed with its behavior in Agentic SOC 1.0 followed by its behavior in Agentic SOC 2.0.

Dashboard

  Agentic SOC 1.0: Logstore log statistics.

  Agentic SOC 2.0: Not supported yet.

Security alert

  Agentic SOC 1.0: Alert levels are Reminder, Suspicious, and Urgent.

  Agentic SOC 2.0: Alert levels (excluding CWPP) are Info, Low, Medium, High, and Critical.

Security event handling

  Agentic SOC 1.0: Event levels are Reminder, Suspicious, and Urgent.

  Agentic SOC 2.0: Event levels are Info, Low, Medium, High, and Critical.

Response orchestration

  Agentic SOC 1.0:

  • Alert trigger: alert_level is one of Reminder, Suspicious, Urgent.

  • Event trigger: threat_level is one of Reminder, Suspicious, Urgent.

  Agentic SOC 2.0:

  • Alert trigger: alert_level is one of Info, Low, Medium, High, Critical.

  • Event trigger: threat_level is one of Info, Low, Medium, High, Critical.

Log management

  Agentic SOC 1.0:

  Logs are classified by source: Alibaba Cloud, Tencent Cloud, Huawei Cloud, and security vendors.

  Note

  Service integration is required before logs from Security Center are delivered.

  Agentic SOC 2.0:

  Log types:

  • Security Center logs: Logs generated by Security Center are delivered directly by default and do not require service integration.

  • Standardized logs: Logs from services integrated through the Integration Center.

    Note

    Tencent Cloud, Huawei Cloud, and other security vendors are integrated as standardized logs.

  Log management settings: Delivery switch and date merge.

Rule management

  Agentic SOC 1.0:

  • Predefined rules use the SQL syntax of the Flink engine and cannot be modified.

  • Custom rules use the SQL syntax of the Flink engine.

  • Datasets (renamed Watchlists in 2.0).

  Agentic SOC 2.0:

  • Predefined rules use the SQL syntax of the Flink engine and cannot be modified.

  • Custom rules use the SQL syntax of SLS.

  • Rule templates for common scenarios reduce the cost of creating and understanding custom rules.

Integration Center/Service integration

  Agentic SOC 1.0 (Service integration):

  • Vendor type (fixed, cannot be added):

    • Alibaba Cloud

    • Tencent Cloud

    • Huawei Cloud

    • Other security vendors: Chaitin WAF, Fortinet Firewall, Microsoft Active Directory, F5 BIG-IP Local Traffic Manager (LTM), Sangfor Endpoint Secure (aES), and a cloudsiem-dedicated Simple Log Service (SLS) Logstore for alert logs and traffic logs from firewalls and WAFs.

  • Log management settings

  Agentic SOC 2.0 (Integration Center):

  • Vendor type (customizable, can be added):

    • Alibaba Cloud

    • Tencent Cloud

    • Huawei Cloud

    • Fortinet

    • Chaitin

    • Sangfor

    • ...

    Note

    To add a custom vendor, you must manually configure the standardization rule, standardization method, and data source.

  • Data source

  • Standardization rules

  • Watchlists (formerly Datasets)

Multi-account management

  Agentic SOC 1.0:

  • A delegated administrator (DA) is designated as the global account administrator.

  • The DA account can switch between the global account view and the current account view.

  Agentic SOC 2.0:

  • Multi-account management settings for threat analysis are merged into the multi-account management settings of Security Center. The DA is set uniformly through the multi-account management feature of Security Center, so you no longer need to configure multi-account management separately for the Agentic SOC module.

  • In multi-account scenarios, alert logs from member accounts are ingested through the multi-account integration settings in the Integration Center. View switching is no longer supported.