
Security Center: Detection rules

Last Updated: Mar 31, 2026

Agentic SOC includes predefined detection rules to analyze ingested alerts and logs, reconstruct threat attack chains and timelines, and generate aggregated alerts and detailed security events. Create custom detection rules to build a threat detection system tailored to your business needs.

How it works

The rule management feature analyzes standardized logs (and, for playbook rules, calls cloud service APIs through built-in playbooks) to generate aggregate and analyze alerts and custom analysis alerts. It then combines those alerts into security events using graph computing, alert pass-through, or same-type aggregation, so that you handle threats as events rather than as individual alerts.

Rules use one of two formats to generate alerts and events:

  • SQL syntax: Detects alerts and generates events by filtering logs, matching features, running window statistics, and performing association analysis on logs within the specified scope.

  • Playbook: Detects alerts and generates events by calling Alibaba Cloud service APIs and making decisions based on the playbook flow. Typically used for business status alerts.

Rule types

  • Predefined: Out-of-the-box threat detection. Analyzes logs within the effective scope that have been ingested into Agentic SOC. Generated alerts appear on the Aggregate and Analyze Alerts tab of the Agentic SOC > Alert page. Graph association technology aggregates alerts that share the same asset or Indicators of Compromise (IOCs) into events; this applies to all alerts except custom analysis alerts.

  • Custom: Flexible rule extension, with templates, for complex threat detection scenarios. Supports SQL syntax or playbooks. Generated alerts appear on the Custom Alert Analysis tab of the Agentic SOC > Alert page. Security incidents are generated through alert pass-through or same-type aggregation.

Event generation methods

  • Graph computing: Uses graph association technology to aggregate alerts that share the same assets or IOCs into events. Applies to all alerts except custom analysis alerts.

  • Alert pass-through: Generates one security event for each alert produced by an analysis rule.

  • Same-type aggregation: Aggregates all alerts produced by the same analysis rule into a single security event.
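The three methods above, as an added worked example in Python (not code from Agentic SOC or from this page): alert pass-through, same-type aggregation, and graph computing applied to a handful of constructed alerts. The alert fields, the entity labels, and the assumption that the aggregation window (the Aggregation Window set in a custom rule's incident settings) opens at a rule's first alert and closes a fixed interval later are illustrative choices rather than documented behavior; graph aggregation here is plain connected-component grouping over shared assets and IOCs, which is what the page describes at a high level.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample alerts (not real Agentic SOC output). Each alert names the
# rule that produced it, when it fired, and the entities (assets/IOCs) it touched.
SAMPLE_ALERTS = [
    {"alert_id": "a1", "rule_id": "r-ssh-bruteforce", "ts": datetime(2025, 5, 16, 10, 58, 45),
     "entities": {"host:web-01", "ip:203.0.113.7"}},
    {"alert_id": "a2", "rule_id": "r-ssh-bruteforce", "ts": datetime(2025, 5, 16, 11, 1, 0),
     "entities": {"host:web-01"}},
    {"alert_id": "a3", "rule_id": "r-webshell", "ts": datetime(2025, 5, 16, 11, 2, 0),
     "entities": {"host:web-02", "ip:203.0.113.7"}},
    {"alert_id": "a4", "rule_id": "r-ssh-bruteforce", "ts": datetime(2025, 5, 16, 11, 6, 0),
     "entities": {"host:db-01"}},
    {"alert_id": "a5", "rule_id": "r-ssh-bruteforce", "ts": datetime(2025, 5, 16, 11, 20, 0),
     "entities": {"host:db-01", "file:md5:0123abcd"}},
]


def pass_through(alerts):
    """Alert pass-through: one security event per alert, nothing merged."""
    return [{"rule_id": a["rule_id"], "alert_ids": [a["alert_id"]]} for a in alerts]


def same_type_aggregation(alerts, window=timedelta(minutes=5)):
    """Same-type aggregation: alerts from the same rule inside one aggregation
    window collapse into a single event. Assumption: the window opens at the
    first alert of the group and closes `window` later; the next alert after
    the close opens a new event for that rule."""
    events, open_events = [], {}  # rule_id -> (event, window_end)
    for a in sorted(alerts, key=lambda x: x["ts"]):
        current = open_events.get(a["rule_id"])
        if current is None or a["ts"] >= current[1]:
            event = {"rule_id": a["rule_id"], "alert_ids": []}
            events.append(event)
            current = (event, a["ts"] + window)
            open_events[a["rule_id"]] = current
        current[0]["alert_ids"].append(a["alert_id"])
    return events


def graph_aggregation(alerts):
    """Graph computing: alerts are nodes, a shared asset or IOC is an edge, and
    every connected component becomes one event. Implemented with union-find."""
    parent = {a["alert_id"]: a["alert_id"] for a in alerts}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    first_alert_for_entity = {}
    for a in alerts:
        for ent in a["entities"]:
            other = first_alert_for_entity.setdefault(ent, a["alert_id"])
            parent[find(other)] = find(a["alert_id"])  # union the two components

    components = defaultdict(list)
    for a in alerts:
        components[find(a["alert_id"])].append(a["alert_id"])
    return [{"alert_ids": sorted(ids)} for ids in components.values()]


if __name__ == "__main__":
    print("pass-through events:", len(pass_through(SAMPLE_ALERTS)))
    print("same-type events:   ", same_type_aggregation(SAMPLE_ALERTS))
    print("graph events:       ", graph_aggregation(SAMPLE_ALERTS))
```

Note how the same five alerts become five, four, or two events depending on the method: same-type aggregation only merges alerts of one rule, while graph computing joins the SSH and webshell alerts through the attacker IP they share, which is the cross-rule view an analyst usually wants.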

Choose a rule format

  • Do I need to filter logs, match patterns, or run time-window statistics? Use SQL syntax. It suits log-based correlation analysis across a defined scope.

  • Do I need to call cloud service APIs and make decisions based on a workflow? Use a playbook. It suits business status alerts.

Scope

The billing model and billing items you select when activating Agentic SOC determine which rule management features are available. For more information, see Purchase and activate Agentic SOC.

Subscription:

  • Log Ingestion Traffic only: Predefined rules; Custom rules (Scan Query normalization method only)

  • Log Ingestion Traffic + Log Storage Capacity: Predefined rules; Custom rules (all)

  • Log Storage Capacity only: Not supported

If you also purchase the pay-as-you-go Log Management feature, all custom rules are available regardless of your subscription combination.

Pay-as-you-go:

Predefined rules and Custom rules (Scan Query normalization method only) are available.

If you also purchase the pay-as-you-go Log Management feature, all custom rules are available.


Enable or disable predefined rules

Predefined rules are enabled by default. You can view rule details and toggle rules on or off, but cannot edit or delete them.

  1. Go to the Agentic SOC > Rule Management page in the Security Center console. In the upper-left corner, select the region where your assets are located: Chinese Mainland or Outside Chinese Mainland.

  2. On the Predefined tab, view the list of predefined rules. In the Actions column, click Details to view a rule's basic information, alert generation settings, and incident generation settings.

  3. Click the Rule Status switch to enable or disable the rule.

    Alternatively, click Enable or Disable in the Enabling Status column for the target rule.


  4. View alerts generated when predefined rules are hit on the Aggregate and Analyze Alerts tab of the Agentic SOC > Alert page.

Create and enable custom rules

  1. Go to the Agentic SOC > Rule Management page in the Security Center console. In the upper-left corner, select the region where the assets you want to protect are located: Chinese Mainland or Outside Chinese Mainland.

  2. Create a rule using one of the following methods:

    • On the Rule Template tab, click Create Rule in the Actions column for the target template. (Recommended — simpler and more efficient configuration.)

    • On the Custom tab, click Create Custom Rule.

  3. In the Create Custom Rule panel, on the Basic Information tab, enter the rule name and description, then click Next.

  4. On the Alert Settings tab, configure the alert generation rule. Alerts are visible on the Custom Alert Analysis tab of the Agentic SOC > Alert page. The available configuration items vary by rule type.

    SQL syntax

    SQL rules detect alerts and generate events by filtering logs, matching features, running window statistics, and performing association analysis on logs within the specified scope.

    Rule body

    • Rule Body: The default is SQL.

    • Log Scope: Select the standardized category and standardized structure of the logs to detect. You can select multiple standardized log structures. Click Standard Fields to view the field descriptions for the current log structure.

    • SQL Statement: Write an SQL statement that queries the log records and identifies potential malicious behavior. For syntax reference, see SQL analysis syntax and features.
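    A worked rule body, added here as an example and not taken from the product or this page: a port-scan detector over constructed standardized firewall records, executed with Python's sqlite3 so it runs offline. The table and field names (firewall_log, ts, src_ip, dst_ip, dst_port, action) stand in for the fields of a standardized log structure and are assumptions, as is passing the time window as query parameters; in Agentic SOC the scheduled SQL instance supplies the time range, and SLS SQL is Presto-style, so the statement is kept to a portable subset.

```python
import sqlite3

# Constructed standardized firewall records (not real SLS data): (ts, src_ip, dst_ip, dst_port, action)
SAMPLE_LOGS = [
    # one source probing six ports on one host within a minute, all denied
    ("2025-05-16T11:01:00", "10.0.0.9", "10.0.1.5", 22, "deny"),
    ("2025-05-16T11:01:10", "10.0.0.9", "10.0.1.5", 23, "deny"),
    ("2025-05-16T11:01:20", "10.0.0.9", "10.0.1.5", 80, "deny"),
    ("2025-05-16T11:01:30", "10.0.0.9", "10.0.1.5", 443, "deny"),
    ("2025-05-16T11:01:40", "10.0.0.9", "10.0.1.5", 3389, "deny"),
    ("2025-05-16T11:01:50", "10.0.0.9", "10.0.1.5", 8080, "deny"),
    ("2025-05-16T10:55:00", "10.0.0.9", "10.0.1.5", 21, "deny"),     # same scanner, before the window
    ("2025-05-16T11:02:00", "10.0.0.20", "10.0.1.5", 443, "allow"),  # ordinary client traffic
    ("2025-05-16T11:02:30", "10.0.0.20", "10.0.1.5", 80, "allow"),
]

# Rule body: filtering (action = 'deny'), window statistics (distinct destination
# ports per source/destination pair) and a threshold in HAVING. The :window_start
# and :window_end parameters emulate the time range the scheduled instance applies.
RULE_SQL = """
SELECT src_ip, dst_ip,
       COUNT(DISTINCT dst_port) AS port_count,
       MIN(ts) AS first_seen, MAX(ts) AS last_seen
FROM firewall_log
WHERE action = 'deny'
  AND ts >= :window_start AND ts < :window_end
GROUP BY src_ip, dst_ip
HAVING COUNT(DISTINCT dst_port) >= :threshold
"""


def run_rule(logs, window_start, window_end, threshold=5):
    """Execute RULE_SQL over one scheduled instance's time window (ISO-8601 strings,
    end exclusive). Returns one dict per hit; each hit would become an alert log."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE firewall_log (ts TEXT, src_ip TEXT, dst_ip TEXT, dst_port INTEGER, action TEXT)")
    conn.executemany("INSERT INTO firewall_log VALUES (?, ?, ?, ?, ?)", logs)
    cur = conn.execute(RULE_SQL, {"window_start": window_start, "window_end": window_end,
                                  "threshold": threshold})
    cols = [c[0] for c in cur.description]
    rows = [dict(zip(cols, r)) for r in cur.fetchall()]
    conn.close()
    return rows


if __name__ == "__main__":
    for hit in run_rule(SAMPLE_LOGS, "2025-05-16T11:00:00", "2025-05-16T11:05:00"):
        print(hit)
```

    The columns the query returns (src_ip, dst_ip, port_count, first_seen, last_seen) are what the later entity mapping, alert enrichment and suppression settings can reference, so name them deliberately with aliases rather than relying on generated column names.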

    Scheduling settings

    When a SQL rule is enabled, Agentic SOC creates a scheduled SQL job in Simple Log Service (SLS) based on the scheduling settings. SLS then generates execution instances based on the scheduling interval. For more information, see Manage a scheduled SQL job and Query the result data of a scheduled SQL job. How task scheduling works:

    • Scheduling Interval: How often the SQL query runs. Options: Fixed Interval (5 minutes to 24 hours) or Cron (minimum precision: minutes, 24-hour format). Cron examples: 0/5 * * * * (every 5 minutes, starting at minute 0), 0 0/1 * * * (on the hour, every hour), 0 18 * * * (daily at 18:00), 0 0 1 * * (00:00 on the first day of each month).

    • SQL Time Window: The time range of logs that each scheduled SQL instance queries. Valid range: 5 minutes to 24 hours.

    Important

    The time window must be greater than or equal to the scheduling interval. Otherwise, logs that arrive between the end of one instance's window and the start of the next are never queried by the rule.

    • Start Time: When scheduled instances start running after the rule is enabled. Options: Rule Enabled At (the moment the rule is enabled) or Specified Time (a specific time, accurate to the minute).
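    To see why the window must cover the interval, here is an added example (not part of the page or the product) in Python that expands the page's cron examples into run times and checks whether a given SQL Time Window reaches back to the previous run. The cron parser handles only the five-field form with *, n, a-b, n/step, */step and comma lists, which is an assumption about what the console accepts. Because the window tops out at 24 hours, a schedule such as 0 0 1 * * can never be fully covered, and a 5-minute window paired with a 5-minute cron is the tightest fit.

```python
from datetime import datetime, timedelta

# (lo, hi) per cron field: minute, hour, day-of-month, month, day-of-week (0 and 7 are Sunday)
_FIELD_RANGES = ((0, 59), (0, 23), (1, 31), (1, 12), (0, 7))


def _expand(field, lo, hi):
    """Expand one cron field into the set of integers it allows."""
    allowed = set()
    for part in field.split(","):
        step, has_step = 1, "/" in part
        if has_step:
            part, step = part.split("/")
            step = int(step)
        if part == "*":
            start, end = lo, hi
        elif "-" in part:
            start, end = (int(x) for x in part.split("-"))
        else:
            start = int(part)
            end = hi if has_step else start  # '0/5' means 0,5,10,...; a plain '5' means only 5
        allowed.update(range(start, end + 1, step))
    return allowed


def parse_cron(expr):
    """Five-field cron expression -> tuple of allowed-value sets, one per field."""
    fields = expr.split()
    if len(fields) != 5:
        raise ValueError("expected 5 cron fields: minute hour day-of-month month day-of-week")
    return tuple(_expand(f, lo, hi) for f, (lo, hi) in zip(fields, _FIELD_RANGES))


def matches(parsed, t):
    minute, hour, dom, month, dow = parsed
    cron_dow = (t.weekday() + 1) % 7  # cron: Sunday = 0; Python: Monday = 0
    return (t.minute in minute and t.hour in hour and t.day in dom and t.month in month
            and (cron_dow in dow or (cron_dow == 0 and 7 in dow)))


def next_runs(expr, start, count):
    """The next `count` run times strictly after `start` (ISO string or datetime),
    found by scanning minute by minute. Returned as ISO-8601 strings."""
    if isinstance(start, str):
        start = datetime.fromisoformat(start)
    parsed = parse_cron(expr)
    t = start.replace(second=0, microsecond=0) + timedelta(minutes=1)
    deadline = t + timedelta(days=400)  # bail out on expressions that never fire
    runs = []
    while len(runs) < count and t < deadline:
        if matches(parsed, t):
            runs.append(t)
        t += timedelta(minutes=1)
    return [r.isoformat() for r in runs]


def window_covers_schedule(expr, start, window_minutes, probe=3):
    """True when the SQL time window reaches back at least to the previous run, so no
    log lands between two instances. Returns (covered, largest_gap_in_minutes)."""
    runs = [datetime.fromisoformat(r) for r in next_runs(expr, start, probe + 1)]
    largest_gap = max(b - a for a, b in zip(runs, runs[1:]))
    return largest_gap <= timedelta(minutes=window_minutes), int(largest_gap.total_seconds() // 60)


if __name__ == "__main__":
    enabled_at = "2025-05-16T10:58:45"  # the moment the rule was enabled (constructed)
    for expr, window in (("0/5 * * * *", 5), ("0 18 * * *", 24 * 60), ("0 0 1 * *", 24 * 60)):
        print(expr, next_runs(expr, enabled_at, 2), window_covers_schedule(expr, enabled_at, window))
```

    The converse also matters: a window longer than the interval makes consecutive instances overlap, so the same log lines are evaluated more than once and can produce duplicate alert logs. Alert suppression and same-type aggregation, described later on this page, are what keep that duplication from turning into duplicate security alerts and events.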

    Alert log generation

    Agentic SOC generates alert logs based on the Alert Log Generation configuration. View these logs under Agentic SOC > Log Management.

    Alert attribute definition

    • Generation Structure: The log category of the alert, such as Endpoint Detection & Response or Firewall. Click View Standard Fields in the drop-down list to view the field details for the log type.

    • Alert Type: The type of alert detected by the current rule.

    • Alert Level: The risk level of the alert. Valid values: Information, Low, Medium, High, and Critical.

    • ATT&CK Phase: Maps the attack behavior detected by the rule to MITRE ATT&CK tactics (attack stages) and techniques. Click + Add Attack Stage to map multiple stages. Multiple techniques can be selected per stage. The total number of techniques across all stages must not exceed 5.

    Entity mapping

    Entity mapping maps unstructured fields from query results — such as IP addresses or filenames — to structured entity objects. This lets the system aggregate all related activities for an entity, build a threat profile, and improve analysis efficiency. To configure entity mapping:

    1. Select an entity type from the drop-down list, such as host, file, IP address, or process. Click Add Entity Mapping to configure additional entity types.

    2. Configure properties for each entity. Click Add Entity Attribute Mapping to configure multiple properties for one entity. Properties fall into two categories:

      • Required properties: The unique identifier of the entity — for example, the IP address for an IP address entity.

      • Optional properties: Supplementary information — for example, associating a hostname with an IP address entity.

    3. Assign a value to each property. Two formats are supported:

      • Variable reference: $field_name$ — references a field from the query results.

      • Constant: A fixed string value.

    Important

    If the final content after variable substitution exceeds the length limit, the excess part is automatically truncated.

    Alert enrichment

    Dynamically generate alert names and descriptions by referencing query fields as variables.

    • Alert Name: Maximum 50 characters. Variable reference format: $field_name$, where field_name is a field returned by the SQL query. If left blank, the Rule Name is used. Example: High-frequency multi-type network attack from $src_ip$ detected.

    • Alert Description: Maximum 1,000 characters. Same variable reference format. If left blank, the Rule Description is used. Example: Alert from: $product_code$. Network attack from $src_ips$ detected. Affected assets include the following: $dst_ips$.
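    Entity mapping and alert enrichment are both $field$ substitution over the SQL result row. The following Python is an added illustration of a plausible implementation, not the product's code. The RULE configuration and SAMPLE_ROW are constructed; dropping an entity whose required property is missing and leaving an unresolvable $field$ in place are assumptions about behavior the page does not spell out; the 50- and 1,000-character limits and the truncation rule are the page's. Note that the page's own alert-name example exceeds 50 characters once a real IP address is substituted, so it is cut short.

```python
import re

VAR_REF = re.compile(r"\$([A-Za-z_][A-Za-z0-9_]*)\$")
NAME_MAX, DESC_MAX = 50, 1000  # limits stated on the page

# Constructed rule configuration (an assumption, not a real Agentic SOC rule) showing
# the two value formats: a $field$ reference and a constant string.
RULE = {
    "name": "Multi-type network attack",
    "description": "Correlated network attack detected by a custom SQL rule.",
    "alert_name": "High-frequency multi-type network attack from $src_ip$ detected",
    "alert_description": "Alert from: $product_code$. Network attack from $src_ip$ detected. "
                         "Affected assets include the following: $dst_ips$.",
    "entities": [
        {"type": "ip", "required": {"ip": "$src_ip$"}, "optional": {"hostname": "$src_host$"}},
        {"type": "file", "required": {"path": "$file_path$"}, "optional": {"source": "custom-rule"}},
    ],
}

# Constructed query result row (one row = one alert log); no file_path is returned.
SAMPLE_ROW = {"src_ip": "203.0.113.7", "src_host": "bastion-01",
              "product_code": "cloudfirewall", "dst_ips": "10.0.1.5,10.0.1.6"}


def resolve(value, row):
    """Entity property value: a whole-string $field$ reference reads the query row,
    anything else is taken as a constant."""
    m = VAR_REF.fullmatch(value)
    return row.get(m.group(1)) if m else value


def render(template, row, max_len, fallback):
    """Alert name/description: substitute every $field$ from the query row, fall back
    to the rule's own name/description when the template is blank, and truncate the
    rendered text to the limit. A reference to a field the query did not return is
    left as-is so it stays visible during rule testing (assumed behavior)."""
    if not template:
        return fallback[:max_len]
    rendered = VAR_REF.sub(lambda m: str(row[m.group(1)]) if m.group(1) in row else m.group(0), template)
    return rendered[:max_len]


def map_entities(mapping, row):
    """Build entity objects. An entity whose required identifier is missing is dropped;
    optional properties that resolve to nothing are omitted."""
    entities = []
    for spec in mapping:
        required = {k: resolve(v, row) for k, v in spec["required"].items()}
        if any(v in (None, "") for v in required.values()):
            continue
        optional = {k: val for k, v in spec["optional"].items()
                    if (val := resolve(v, row)) not in (None, "")}
        entities.append({"type": spec["type"], **required, **optional})
    return entities


def build_alert(rule, row):
    """What one query row turns into after enrichment and entity mapping."""
    return {
        "name": render(rule["alert_name"], row, NAME_MAX, rule["name"]),
        "description": render(rule["alert_description"], row, DESC_MAX, rule["description"]),
        "entities": map_entities(rule["entities"], row),
    }


if __name__ == "__main__":
    print(build_alert(RULE, SAMPLE_ROW))
```

    Keep the fixed part of an alert name short enough that the longest value the referenced field can take (an IPv6 address, a long hostname) still fits in 50 characters; otherwise the identifying value is exactly the part that gets truncated.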

    Alert suppression

    Alert suppression controls the number of security alerts generated without affecting alert log generation and delivery. Agentic SOC groups alerts based on the Cartesian product of the values of the fields specified in the suppression conditions. Each group can generate a maximum of 100 security alerts within a suppression window. When the number of alert records exceeds this limit, subsequent records that meet the same conditions do not generate security alerts.

    • Suppression Window: The statistical period for counting alert records. It starts when the rule generates its first alert log, and subsequent windows follow back to back. Valid range: 5 minutes to 24 hours. Example: If the first alert log is generated at 10:58:45 on May 16, 2025 and the window is 10 minutes, the first window runs from 10:58:45 to 11:08:45, the second from 11:08:45 to 11:18:45, and so on.

    • Suppression Condition: Enter a column name, field name, or alias defined after the SELECT keyword in the SQL statement. If not configured, the system uses the rule_id field as the default condition. Example: If fields a and b are specified as suppression conditions, where the value set of a is {1,2} and b is {3,4}, four groups are generated: {1,3}, {1,4}, {2,3}, and {2,4}. Each group allows up to 100 alerts within the window.

    Important

    The suppression condition is optional. If no condition is specified, the rule as a whole can generate a maximum of 100 security alerts within each window.
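    An added Python simulation (not Agentic SOC code) of the suppression behavior described above, run over constructed alert logs: groups are keyed on the suppression-condition fields (rule_id when none is set), windows are back to back from the first alert log, and each group raises at most 100 security alerts per window. The record layout and timestamps are constructed; the counting rules follow the page.

```python
from datetime import datetime, timedelta


def suppress(alert_logs, condition_fields, window_minutes, limit=100):
    """Apply alert suppression to one rule's alert logs, in time order.

    - The first window opens at the rule's first alert log; later windows follow
      back to back (10:58:45-11:08:45, 11:08:45-11:18:45, ... for a 10-minute window).
    - Alert logs are grouped by the tuple of condition-field values; every distinct
      combination that occurs is its own group (the Cartesian product in the page's
      example). With no condition the group key is rule_id, i.e. one group per rule.
    - Each group yields at most `limit` security alerts per window. Everything else
      is still an alert log (kept and delivered) but raises no security alert.
    Returns (security_alerts, suppressed_count)."""
    fields = condition_fields or ["rule_id"]
    ordered = sorted(alert_logs, key=lambda r: r["ts"])
    if not ordered:
        return [], 0
    origin, window = ordered[0]["ts"], timedelta(minutes=window_minutes)
    counts = {}  # (window index, group key) -> security alerts already raised
    raised, suppressed = [], 0
    for rec in ordered:
        key = (int((rec["ts"] - origin) / window), tuple(rec.get(f) for f in fields))
        if counts.get(key, 0) < limit:
            counts[key] = counts.get(key, 0) + 1
            raised.append(rec)
        else:
            suppressed += 1
    return raised, suppressed


def make_sample_alert_logs():
    """Constructed alert logs for one rule (not real data): 150 records for each of the
    four (a, b) combinations {1,2} x {3,4} within the first ten minutes, then 20 more per
    combination one minute into the second window."""
    first = datetime(2025, 5, 16, 10, 58, 45)
    logs = []
    for a in (1, 2):
        for b in (3, 4):
            for i in range(150):
                logs.append({"rule_id": "rule-1", "a": a, "b": b, "ts": first + timedelta(seconds=i)})
            for i in range(20):
                logs.append({"rule_id": "rule-1", "a": a, "b": b,
                             "ts": first + timedelta(minutes=11, seconds=i)})
    return logs


if __name__ == "__main__":
    logs = make_sample_alert_logs()
    print("grouped by (a, b):    ", len(suppress(logs, ["a", "b"], 10)[0]), "security alerts raised")
    print("default rule_id group:", len(suppress(logs, None, 10)[0]), "security alerts raised")
```

    The choice of condition fields is a detection decision, not just a volume knob: keying on the attacker source (src_ip) keeps one noisy source from crowding out alerts about other sources in the same window, whereas the default rule_id grouping lets the first 100 records, whatever they are, consume the whole budget.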

    Playbook

    Playbook rules detect alerts and generate events by calling Alibaba Cloud service APIs and making decisions based on the playbook flow. This method is typically used for business status alerts.

    If you create a rule from a rule template (playbook), a corresponding custom playbook is automatically created. View it on the Custom Playbook tab under Agentic SOC > SOAR.

    Rule body

    • Rule Body: Select Script.

    • Playbook Name: If creating from a rule template (playbook), enter a unique playbook name. If creating by clicking Create Custom Rule on the Custom tab, select a playbook from the drop-down list. Only playbooks that meet all of the following conditions appear in the list: the playbook is a custom playbook, is published, has a start node whose input parameter type is set to Custom, and is not associated with another analysis and detection rule.

    • Playbook Description: If creating from a rule template (playbook), editable. If creating by clicking Create Custom Rule, automatically pulled from the playbook in response orchestration and cannot be modified.

    Parameter settings

    Parameter settings are required only when creating a rule from a rule template (playbook). Different playbooks require different parameters. Click the help icon next to a parameter to view its description and configuration instructions.

    Authorization configuration

    Authorization configuration is required only when creating a rule from a rule template (playbook).

    • Execution Role: If you have not created a role, click Go to RAM Console to Create Role. On the RAM quick authorization page, click Confirm Authorization. A role named AliyunSiemSoarExecutionDefaultRole is automatically created.

      Note: If you do not have permission to create a role, contact your RAM administrator (a RAM user with Resource Management permissions or an Alibaba Cloud account) to create the role and attach a trust policy in the RAM console. For more information, see Create a RAM role for a trusted Alibaba Cloud service. Configure the role with the following settings:

      - Trusted entity: Alibaba Cloud Service
      - Trusted entity name: cloudsiem.sas.aliyuncs.com
      - Role name: AliyunSiemSoarExecutionDefaultRole

    • Access Policy: Lists the permission policies required to run the selected playbook template. If the required policies are not attached, click Modify Policy, select the policies to authorize, and click Authorize in RAM Console to complete the authorization. Attach only the listed policies: the role is assumed by the cloudsiem.sas.aliyuncs.com service on behalf of every playbook rule, so a broader administrative policy would be exercisable by any playbook the role runs.

      Important: If you do not have authorization permissions, contact a RAM administrator to attach the required access policies to the AliyunSiemSoarExecutionDefaultRole role. For more information, see Manage permissions for a RAM role.

    Scheduling settings

    After a playbook rule is enabled, Agentic SOC uses the scheduling settings to create a scheduled task that calls the playbook.

    • If a scheduled task fails to run the playbook within a cycle, the system automatically retries after 30 seconds. If the retry also fails, the current task flow stops and enters a waiting state; the task restarts in the next scheduled cycle.

    • View playbook execution records on the details page of the custom playbook in the SOAR module.

    • Scheduling Interval: How often the playbook runs. Options: Fixed Interval (5 minutes to 24 hours) or Cron (minimum precision: minutes, 24-hour format). Cron examples: 0/5 * * * * (every 5 minutes, starting at minute 0), 0 0/1 * * * (on the hour, every hour), 0 18 * * * (daily at 18:00), 0 0 1 * * (00:00 on the first day of each month).

    • Start Time: When the playbook starts running after the rule is enabled. Options: Rule Enabled At (the moment the rule is enabled) or Specified Time (a specific time, accurate to the minute).

    Alert log generation

    Agentic SOC generates alert logs based on the Alert Log Generation configuration. View the generated alert logs under Agentic SOC > Log Management. For playbook rules, Generation Structure supports only Other Alert Logs. Click View Standard Fields in the drop-down list to view the field details for this log type.

    • Alert Type: The type of alert detected by the current rule.

    • Alert Level: The risk level of the alert. Valid values: Information, Low, Medium, High, and Critical.

    • ATT&CK Phase: Maps the attack behavior to MITRE ATT&CK tactics (attack stages) and techniques. Click + Add Attack Stage to map multiple stages. Multiple techniques can be selected per stage. The total number of techniques across all stages must not exceed 5.

    Alert suppression

    Alert suppression controls the number of security alerts generated without affecting alert log generation and delivery. Agentic SOC groups alerts based on the Cartesian product of the values of the fields specified in the suppression conditions. Each group can generate a maximum of 100 security alerts within a suppression window.

    • Suppression Window: The statistical period for counting alert records. It starts when the rule generates its first alert log, and subsequent windows follow back to back. Valid range: 5 minutes to 24 hours. Example: If the first alert log is generated at 10:58:45 on May 16, 2025 and the window is 10 minutes, the first window runs from 10:58:45 to 11:08:45, the second from 11:08:45 to 11:18:45, and so on.

    • Suppression Condition: Select from the standardized log fields of the alert log type chosen in Generation Structure. To view field details, go to Agentic SOC > Integration Center, click the Standardized Rule tab, and then click View Standard Fields. Agentic SOC groups alerts by the Cartesian product of the field values; each group can generate a maximum of 100 alerts within the window.

    Important

    The suppression condition is optional. If no condition is specified, the rule as a whole can generate a maximum of 100 security alerts within each window.


  5. On the Incident Generation Settings tab, configure the security event generation rules. View and handle generated incidents on the Agentic SOC > Security Incident page.

    • Generate Event: Whether to generate a security event when an alert hits the rule.

    • Incident Generation Method: Alert pass-through generates one security event per alert. Same-type aggregation aggregates all alerts from the current rule into a single security event.

    • Aggregation Window: Required for Same-type aggregation only. Valid range: 5 minutes to 24 hours. Example: A 5-minute window aggregates all security alerts generated within that period into a single security event.

  6. Enable the custom rule. Newly created rules have a status of Disabled by default. Change the status in the Enabling Status column or the Actions column.

    Test the custom rule before enabling it. See Test custom rules.

Test custom rules (optional)

Before enabling a custom rule, set its Enabling Status to Testing to verify that the alert output meets your expectations.

The system calibrates alert fields, alert field values, and standardized fields based on built-in calibration logic. Review the calibration results in the console and adjust the SQL syntax or playbook as needed to ensure that the generated alert logs meet the calibration requirements.

Testing is optional. Calibration results do not affect whether the rule can be enabled.
Alerts generated during testing are not displayed on the Security Alerts page.

To test a custom rule:

  1. On the Custom tab, set the Enabling Status of the target rule to Testing.

  2. In the Actions column, click View Alert Test Result.

  3. On the test results details page, view the alert trend graph and alert list. Click Details in the Actions column for an alert to view its calibration results.

View and handle security alerts and events

After a detection rule is enabled, security alerts and events are generated when ingested logs trigger the rule.

  • Alerts: On the Agentic SOC > Alert page, view generated alert information on the Custom Alert Analysis and Aggregate and Analyze Alerts tabs. For more information, see Security alerts.

  • Incidents: View and handle generated incidents on the Agentic SOC > Security Incident page. For more information, see Security Incident Response.