Get started with Agentic SOC

Updated at:
Copy as MD

Agentic SOC in Security Center centralizes alerts and logs across multi-cloud environments, multiple accounts, and multiple products. It applies response policies to promptly address security threats, helping you improve security operations efficiency and reduce potential risks.

Agentic SOC workflow

The Agentic SOC workflow is as follows:

  1. Activate the Agentic SOC service.

  2. Ingest logs from cloud products or security vendors.

  3. Set up and enable predefined or custom threat detection rules to analyze the collected logs in depth and reconstruct complete attack chains.

  4. Identify security threats and generate security alerts.

  5. Aggregate multiple security alerts to generate security events.

  6. Based on response policies (recommended or custom) or automated response orchestration, coordinate with relevant cloud products to execute security measures such as blocking or isolating malicious entities.

Important

Currently, only logs from Alibaba Cloud, Huawei Cloud, and Tencent Cloud can generate security events and complete automated event handling. Logs from other security vendors can generate alerts only and do not support automated handling. For more information, see Add logs from security vendors.

image

Example

This example demonstrates how Agentic SOC automatically blocks attack IPs through WAF using automated response orchestration, resolving common issues when directly using Web Application Firewall (WAF) to block attack IPs, such as accidentally blocking legitimate users and complex configurations.

Prerequisites

  • Purchase a WAF 3.0 instance.

  • You have added the domain names or cloud products that require protection in the WAF console. This example uses an ECS instance. For detailed steps, see Enable WAF protection for an ECS instance.

    Access workflow: In the left-side navigation pane, click Access Management. Select the Cloud Product Access > Access tab. In the cloud product list, select ECS. In the Access Assets - ECS dialog box that appears, click Add Port for the target instance, select the instance check box, configure Whether a Layer 7 proxy is deployed before WAF and Resource Group as needed, and then click OK to complete the access configuration.

    image

  • You have clicked Enable Log Service for WAF in the WAF console and enabled log delivery for the WAF-protected object. For detailed steps, see Enable Simple Log Service for WAF.

    image

Procedure

Step 1: Activate pay-as-you-go for Agentic SOC

  1. Log on to the Security Center console. On the Agentic SOC page, click Activate Pay-as-you-go.

  2. On the activation page, clear the Enable Log Access Policy check box, and then click Activate and Authorize.

    Warning

    The Access Policy automatically ingests logs from Security Center, Web Application Firewall, Cloud Firewall, and ActionTrail, and bills you based on the actual volume of ingested logs. Exercise caution when selecting this check box. This example uses only Web Application Firewall access with the recommended access policy disabled.

  3. After activation, the service-linked role for Security Center is automatically authorized. For more information, see Service-linked role for Security Center.

Step 2: Ingest Web Application Firewall logs

Important

If you selected Enable Log Access Policy in Step 1, Agentic SOC automatically ingests Web Application Firewall logs. You can skip this step.

  1. Go to the Integration Center page in the Agentic SOC console. In the top-left corner of the page, select the region where your assets are located: Chinese Mainland or Outside Chinese Mainland.

  2. In the Operations column of the Web Application Firewall row, click Ingestion Settings, and then enable the Access Policy.

    Note

    The system automatically discovers the Web Application Firewall Logstore and writes it to the corresponding Data Source.

Step 3: Enable predefined detection rules

  1. In the Security Center console, navigate to the Agentic SOC > Detection Rules page.

  2. On the Predefined tab, search for WAF-related rules, and then turn on the Enabling Status switch for the corresponding rules.

    For example, search for waf in the Rule Name field to filter the two predefined rules: WAF Alert Malicious Payload IP Associated with Host Outbound IP and WAF Alert Malicious Payload DNS Associated with Host Request DNS. Turn on the Enable Status switch for both rules.

    image

Step 4: Configure automated response rules

  1. In the Security Center console, navigate to the Agentic SOC > Response Rules page.

  2. On the Automated Rules tab, click Create Rule. Select Event Trigger, and then complete the creation of the Automated Rules by referring to the following configuration.

    Configuration example: Set the Rule Name to waf_event_handle. In the Rule Policy section, set Feature to incident_type, Condition to in, and Condition Value to net-attack. In the Rule Action section, set Action to Run Playbook and Specific Action to Use System Recommended Built-in Playbook, and then click OK.

    image

Step 5: Verify the IP blocking result

  1. After an attack occurs on an ECS instance that has been added to WAF, view the corresponding event on the Security Incidents page.

  2. On the Incident Response tab, view the response policies and response tasks that the playbook issued for the attack IP after the automated response rule is triggered.

    • View the response policies created by the automated response rule

      On the Security Center > Response Center page, click the Response Policies tab to view the response policies created by the automated response rule. The statistics bar at the top of the page displays the number of response policies, valid policies, invalid policies, response tasks, IPs being blocked, files being isolated, and terminated processes. The policy list includes columns such as Policy ID, Entity Object, Entity Type, Playbook Name (for example, Built-in Alibaba Cloud WAF Block Inbound High-risk IP), Playbook Parameters, Target Account, and Policy Status. When the policy status shows Valid, the automated blocking rule has taken effect.

      image

    • View the response tasks created by the automated response rule

      On the Security Center > Response Center page, click the Response Tasks tab to view the list of response tasks created by the automated response rule. The list includes columns such as Task ID, Entity Object, Entity Type, Response Component, and Task Status. When the task status shows In Effect, the high-risk IP has been successfully blocked through the AliYunWafBlockIP component. To unblock the IP, click Unblock in the Actions column.

      image

  3. In the Web Application Firewall console, view the attack IP blocking rule that Agentic SOC automatically added.

    The following steps use the WAF 3.0 console as an example.

    1. Log on to the Web Application Firewall 3.0 console. In the top menu bar, select the resource group and region (Chinese Mainland or Outside Chinese Mainland) of the WAF instance.

    2. In the left-side navigation pane, choose Protection Config > Core Web Protection.

    3. On the Core Web Protection page, in the Custom Rule section, view the attack IP blocking rule that Agentic SOC automatically issued.

      The rule template name is similar to siem_block_ip_template-1. The rule condition is IP is in the attack IP addresses, the rule action is Block, the type is Access Control, and the status is Enabled.

      image

Related topics