purchase and activate Agentic SOC, activate Agentic SOC - Security Center

Agentic SOC is a threat detection and response module built into Security Center. It provides security capabilities such as unified log analysis, automated event response, and out-of-the-box threat detection rules. This topic describes how to select a billing method and activate the service.

Purchase options

Select a billing method that suits your needs. Agentic SOC is billed based on ingested log traffic and storage capacity used. The following table provides a comparison.

Note

You have the flexibility to select different billing methods for log traffic and log storage capacity. For example, you can use a subscription for log traffic and the pay-as-you-go billing method for the Log Management service.

Purchasing	Scenarios	Billing description
Subscription	Predictable resource usage cycle. Stable business scenarios. Long-term resource usage.	Log ingestion traffic: Tiered pricing. The minimum purchase is 100 GB/day. The purchase increment is 100 GB/day. Log storage capacity: The minimum purchase is 1,000 GB. The purchase increment is 1,000 GB.
Pay-as-you-go	Unpredictable resource usage cycle. Large fluctuations in service traffic.	Agentic SOC: Billed based on the tiered daily log traffic. The minimum billing increment is 1 GB. Log Management: Billed based on the daily cumulative storage usage. The minimum billing increment is 1 TB.

Purchase procedure

Subscription

Log on to the Security Center console.
In the navigation pane on the left, choose Detection and Response > Agentic SOC.
On the Agentic SOC page, click Activate Subscription.
On the Quick Purchase tab, leave Billing Method set to its default value, Subscription. In the Agentic SOC section, set Purchase or Not to Yes.
Click Create Service-linked Role to authorize Agentic SOC to access other Alibaba Cloud services. If you have already created the role, you can skip this step.
Note
After the authorization is complete, Security Center automatically creates the AliyunServiceRoleForSasCloudSiem service-linked role. This role allows Agentic SOC to access resources in your other cloud products. For more information, see Security Center service-linked role.

After you grant the authorization, specify the Log Ingestion Traffic and Log Storage Capacity that you want to purchase.

Important

If you have not purchased an edition of Security Center, you must first select an edition that meets your protection requirements. For more information about how to select a Security Center edition and purchase other services, see Purchase Security Center.
If a paid Agentic SOC service is already activated, the Log Ingestion Traffic option is not displayed in the subscription purchase options.
If the pay-as-you-go Log Management service is already activated, the Log Storage Capacity option is not displayed in the subscription purchase options.

You can configure the purchase parameters for Agentic SOC based on the following information:

Purchase item	Billing description

Log ingestion traffic	Select the daily log traffic to ingest into Agentic SOC for analysis. Unit: GB/day. Tiered pricing is used. The minimum purchase is 100 GB/day. The purchase increment is 100 GB/day. The following table describes the pricing details. X is the traffic ingested per day. X=100 GB: USD 0.45/GB/day. 200 GB=<X<9,999,999,999 GB: USD 0.42/GB/day. You can estimate the log ingestion traffic to purchase in one of the following ways: Based on the capacity of the activated Simple Log Service project: Log ingestion traffic (GB/day) = Log storage capacity/TTL Log storage capacity is the used log storage of the log source that you want to ingest into Agentic SOC. TTL is the log retention period. Based on the number of events per second (EPS): Log ingestion traffic (GB/day) = EPS × 86,400s × SIZE/(1024 × 1024) EPS indicates the number of raw logs ingested for threat analysis per day. SIZE is the size of each log, which is typically 3 KB to 7 KB.
Log storage capacity	Select the log storage capacity to use. The minimum purchase is 1,000 GB. The purchase increment is 1,000 GB. The price is USD 100/1,000 GB/month. We recommend that you configure 120 GB of log storage capacity for each server, or three times the storage capacity for log analysis in Security Center. For more information, see Log Management.

Select the Access Policy checkbox as needed.
- If you select this checkbox, logs from specific sources in Security Center, Web Application Firewall (WAF), Cloud Firewall, and ActionTrail for the current Alibaba Cloud account are automatically ingested after you activate Agentic SOC. For more information, see Recommended log access policy.
- If you do not select this checkbox, no predefined ingestion settings are configured. After the purchase, you can customize which product logs to ingest. For more information, see Product integration.

Read the Security Center Product Terms of Service and click Place Order. The following table describes the features that are available after activation.

Agentic SOC module	Agentic SOC 1.0		Agentic SOC 2.0
Agentic SOC module	Purchase only Log Ingestion Traffic	Purchase Log Ingestion Traffic and Log Storage Capacity	Purchase only Log Ingestion Traffic	Purchase only Log Storage Capacity	Purchase Log Ingestion Traffic and Log Storage Capacity
Dashboard	Not supported	Supported	❌	❌	Unsupported
Security Incident	Supported	Supported	Supported	Not supported	Supported
Alert	Supported	Supported	Supported Note The Custom Alert Analysis feature is fully supported only after you purchase the pay-as-you-go Log Management feature.	❌	Supported
Disposal Center	Supported	Supported	Supported	❌	Supported
SOAR	Supported	Supported	Supported	❌	Supported
Log Management	❌	Supported	Security Center logs: ❌ Standardized logs: ✅ You can query only logs that are standardized using the "Scan Query" method. Note If you also enable the pay-as-you-go Log Management feature, all services are supported.	Security Center Logs: ✅ Standardized Log: ❌	Supported
Rule Management	Predefined: ✅ Custom: ❌	Supported	Predefined: ✅ Custom: ✅ You can detect only logs that are standardized using the "Scan Query" method. Note If you also enable the pay-as-you-go Log Management feature, all services are supported.	❌	Supported
Integration Center/Service Integration	Supported	Supported	Supported	Not supported	Supported

Pay-as-you-go

Important

If you use a subscription for log ingestion traffic, you cannot enable the pay-as-you-go billing method for Agentic SOC.

Log on to the Security Center console.
In the navigation pane on the left, choose Detection and Response > Agentic SOC.
On the Agentic SOC page, click Activate Pay-as-you-go.

In the dialog box that appears, carefully read the billing rules. After you activate the pay-as-you-go billing method, fees are calculated based on the tiered daily log traffic ingested from products. Your final daily bill is the sum of the fees from all usage tiers. The following table provides a billing example.

Note

The minimum billing unit for pay-as-you-go Agentic SOC is 1 GB. Any usage less than 1 GB is billed as 1 GB.

Log ingestion traffic tier	Price	Fee calculation formula (Y is the traffic ingested per day in GB)
1 to 10 (GB/day)	USD 2.20/GB	2.2×Y (USD)
11 to 50 (GB/day)	1.6 USD/GB	2.2 × 10 + 1.6 × (Y - 10) (USD)
51 to 100 (GB/day)	USD 1.4/GB	2.2 × 10 + 1.6 × 40 + 1.4 × (Y - 50) (USD)
>100 (GB/day)	USD 1.2/GB	2.2 × 10 + 1.6 × 40 + 1.4 × 50 + 1.2 × (Y - 100) (USD)

Select or clear the Enable Log Access Policy checkbox as needed.
- If you select the Enable Log Access Policy checkbox, data from specific sources in Security Center, WAF, Cloud Firewall, and ActionTrail for the current Alibaba Cloud account are automatically ingested after you activate Agentic SOC. For more information, see Recommended log access policy.
  Important
  After you enable the recommended log access policy, Agentic SOC automatically ingests the specified log types. A bill is generated on the following day based on the actual amount of ingested log data.
- If you do not select the Enable Log Access Policy checkbox, you can customize which product logs to ingest. For more information, see Product integration.

Click Activate and Authorize.

Note

After you complete this operation, Security Center automatically creates the AliyunServiceRoleForSasCloudSiem service-linked role. This role allows Agentic SOC to access resources in your other cloud products. For more information, see Security Center service-linked role.

After activation, you can use the following features:

Agentic SOC module	Agentic SOC 1.0	Agentic SOC 2.0
Dashboard	❌	❌
Security Incident	Supported	Supported
Alert	Supported	Supported
Disposal Center	Supported	Supported
SOAR	Supported	Supported
Log Management	❌	Security Center logs: ❌ Standardized logs: ✅ You can query only logs that are standardized using the "Scan Query" method. Note If you also enable the pay-as-you-go Log Management feature, all services are supported.
Rule Management	Predefined: ✅ Custom: ❌	Predefined: ✅ Custom: ✅ You can detect only logs that are standardized using the "Scan Query" method. Note If you also enable the pay-as-you-go Log Management feature, all services are supported.
Integration Center/Service Integration	Supported	Supported

Product integration

After you enable Agentic SOC, you must add product logs to enable unified monitoring and analysis of alerts and log data across different resources. This improves the efficiency of alert analysis and response. For more information, see Product Integration.

Unsubscription

If you no longer need the Agentic SOC service, you can disable it.

If you use the subscription billing method: On the Overview page, in the Subscription section, click Change > Downgrade. On the upgrade/downgrade page, on the Order Downgrade tab, in the Agentic SOC section, set Purchase or Not to No. For more information, see Downgrade.
Note
The refund amount is the amount displayed on the Downgrade page. For more information about fund flow, see Refund destinations.
If you use the pay-as-you-go billing method: On the Overview page of the Security Center console, in the Pay-as-you-go section, turn off the Agentic SOC or Log Management switch.
Important
- After you turn off the switch, no new fees are generated. Data and configurations, excluding user-delivered logs, are cleared after 15 days. This includes security alerts, security events, and ingestion configurations.
- After you turn off the Log Management switch, log delivery is automatically disabled and the corresponding Logstore is deleted. The deleted log data cannot be recovered. We recommend that you proceed with caution.

Appendix

Other purchase entries

You can also purchase and activate Agentic SOC from the Security Center purchase page or the Overview page in the console. For more information about how to select a Security Center edition and purchase other value-added services, see Purchase Security Center.

Recommended log access policy

If you use the recommended log access policy, no manual configuration is required. Agentic SOC automatically ingests logs from Security Center, WAF, Cloud Firewall, and ActionTrail from the current Alibaba Cloud account. The following table describes the ingested data sources and supported security capabilities.

Important

If you use the Free Edition of Security Center or purchase only value-added services, Agentic SOC does not ingest ActionTrail event logs.

No.	Alibaba Cloud product	Data source name	Standardization rule name	Standardization method	Standardization category/structure	Supported security capabilities
1	Security Center	DNS request log	Host DNS request log standardization rule	Scan query	Host log - Process DNS request log	Predefined analysis rule Predefined playbook
2		Baseline log	Baseline log standardization rule	Scan query	Security log - Host baseline log	Event investigation and tracing Predefined playbook
3		Logon stream log	Logon stream log standardization rule	Scan query	Logon log - Host logon log	Custom analysis rule Event investigation and tracing Predefined playbook
4		Network connection log	Network connection log standardization rule	Scan query	Host log - Process outbound network connection log	Predefined analysis rule Predefined playbook
5		Process startup log	Process startup log standardization rule	Scan query	Host log - Process startup log	Predefined analysis rule Custom analysis rule Event investigation and tracing Predefined playbook
6		Security alert log	Security alert log standardization rule	Real-time consumption	Security log - Other alert logs	Predefined playbook
7		Vulnerability log	Vulnerability log standardization rule	Scan query	Security log - Vulnerability log	Event investigation and tracing Predefined playbook
8	Web Application Firewall	WAF alert log	WAF alert log standardization rule	Real-time consumption	Security log - Web Application Firewall alert log	Predefined analysis rule Custom analysis rule Predefined playbook
9	Web Application Firewall	WAF all/blocked/blocked and observed logs	WAF all/blocked/blocked and observed log standardization rule	Real-time consumption	Network log - HTTP log	Predefined analysis rule Custom analysis rule Event investigation and tracing Predefined playbook
10	Cloud Firewall	Cloud Firewall alert log	Cloud Firewall alert log standardization rule	Real-time consumption	Security log - Firewall alert log	Predefined analysis rule Custom analysis rule Predefined playbook
11	ActionTrail	ActionTrail event log	ActionTrail event log standardization rule	Real-time consumption	Audit log - Cloud platform operation audit log	Custom analysis rule Event investigation and tracing

References

For more information about how to select a Security Center edition and purchase value-added services, see Purchase Security Center.
For more information about the Agentic SOC architecture, see Agentic SOC Version Comparison.
After you activate the Agentic SOC service, you must ingest product logs. For more information, see Agentic SOC 2.0 Product Integration.