Agentic SOC collects logs from connected products through Alibaba Cloud Simple Log Service (SLS) and normalizes them with standardization rules written in SLS SPL syntax. Normalization maps logs from different sources into a unified schema, so that events from different products can be correlated with each other and detection rules are evaluated against the same field names regardless of where a log came from. For fields that have no counterpart in the unified schema, use the extended field ingestion feature and select preserve as-is, so that all original log fields are retained alongside the normalized ones. After normalization, Agentic SOC applies detection rules to the ingested logs to identify threats, reconstruct complete attack chains, and generate detailed security events that streamline alert analysis and response.
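The following is an added illustration of what a standardization rule does, written in Python rather than SLS SPL; it is not Agentic SOC's own code and the unified field names, the per-product rule tables and the two sample events are all assumptions constructed for the example. It maps a firewall-style alert and a WAF-style alert onto one schema, keeps unmapped fields under an extended-field container when preserve as-is is on, and then correlates the two sources on the normalized source IP, which is exactly the cross-source step that normalization makes possible.

```python
"""Illustrative normalization of heterogeneous security logs into one schema.

Added example, not Agentic SOC code. Agentic SOC performs this step with SLS
SPL standardization rules; this Python mirrors the idea so it can be run
offline. Unified field names, rule tables and sample logs are assumptions.
"""
import json
from collections import defaultdict

# Constructed sample events: one firewall alert and one WAF alert, each in
# its own vendor-style field naming. Illustrative, not real product output.
RAW_EVENTS = [
    ("firewall_alert",
     '{"devname":"fw-edge-01","srcip":"203.0.113.7","dstip":"10.0.0.5",'
     '"dstport":22,"action":"deny","eventtime":"2024-05-01T10:00:00Z",'
     '"policyid":17,"attack":"ssh.brute.force"}'),
    ("waf_alert",
     '{"client_ip":"203.0.113.7","host":"shop.example.com",'
     '"request_uri":"/login","status":403,"time":"2024-05-01T10:02:13Z",'
     '"rule_id":"sqli-1001","x_trace":"abc123"}'),
]

# One standardization rule per log type: unified field -> source field.
# The unified names (src_ip, dst_ip, ...) are assumed for this example.
RULES = {
    "firewall_alert": {
        "src_ip": "srcip", "dst_ip": "dstip", "dst_port": "dstport",
        "action": "action", "event_time": "eventtime", "device": "devname",
    },
    "waf_alert": {
        "src_ip": "client_ip", "dst_host": "host", "url": "request_uri",
        "event_time": "time", "rule_id": "rule_id",
    },
}


def normalize(log_type, raw_json, preserve_as_is=True):
    """Apply the rule for log_type and return one unified-schema event."""
    src = json.loads(raw_json)
    rule = RULES[log_type]
    event = {"log_type": log_type}
    consumed = set()
    for unified, source in rule.items():
        if source in src:
            event[unified] = src[source]
            consumed.add(source)
    if preserve_as_is:
        # Extended fields: retain every original field the rule did not map,
        # so vendor-specific detail survives normalization for later analysis.
        event["ext"] = {k: v for k, v in src.items() if k not in consumed}
    return event


def normalize_all(events, preserve_as_is=True):
    return [normalize(t, raw, preserve_as_is) for t, raw in events]


def correlate_by_src_ip(normalized):
    """Return source IPs that appear in more than one log source.

    This works only because both sources now expose the same src_ip field;
    on the raw logs the key would be 'srcip' in one and 'client_ip' in the other.
    """
    groups = defaultdict(list)
    for ev in normalized:
        if "src_ip" in ev:
            groups[ev["src_ip"]].append(ev["log_type"])
    return {ip: types for ip, types in groups.items() if len(set(types)) > 1}


if __name__ == "__main__":
    unified = normalize_all(RAW_EVENTS)
    for ev in unified:
        print(json.dumps(ev, sort_keys=True))
    print("cross-source hits:", correlate_by_src_ip(unified))
```

With preserve as-is disabled, the `ext` container is absent and the vendor-specific fields (`policyid`, `attack`, `x_trace`) are no longer available to later analysis; that is the trade-off the extended field ingestion setting controls.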
Log ingestion architecture
- Ingestion solution overview
- Connect to Alibaba Cloud
- Integrate with third-party clouds
- Integrate custom applications
Supported products and logs
Agentic SOC natively supports logs from Alibaba Cloud products and from the third-party vendors listed in the table below (including Huawei Cloud, Tencent Cloud, Azure, AWS, Volcengine, Fortinet, Chaitin, Sangfor, Cisco, and Palo Alto), as well as logs from custom products.
Note: For details about the default ingestion policies, data sources, and standardization rules provided by Agentic SOC, go to the console.
| Vendor | Product | Log types |
|---|---|---|
| Alibaba Cloud | Security Center | Network defense alert logs, cloud platform configuration check logs, baseline logs, security alert logs, vulnerability logs, Runtime Application Self-Protection (RASP) alert logs, and cloud security posture management logs; account snapshot logs, network snapshot logs, and process snapshot logs; host logon failure logs, DNS request logs, logon trail logs, process startup logs, network connection logs, and brute-force attack logs |
| Alibaba Cloud | Web Application Firewall (WAF) | WAF full logs, blocked logs, blocked and observed logs, anti-crawler full logs, API security event alert logs, API risk logs, and WAF alert logs |
| Alibaba Cloud | Cloud Firewall | Cloud Firewall alert logs, Cloud Firewall traffic logs, NDR HTTP logs, NDR DNS logs, and NDR event alert logs |
| Alibaba Cloud | Anti-DDoS | Anti-DDoS Pro and Anti-DDoS Premium full logs |
| Alibaba Cloud | Bastionhost | Bastionhost logs |
| Alibaba Cloud | CDN | CDN flow logs |
| Alibaba Cloud | Edge Security Acceleration (ESA) | DCDN user access logs and DCDN WAF blocked logs |
| Alibaba Cloud | API Gateway | API Gateway logs |
| Alibaba Cloud | Container Service for Kubernetes (ACK) | Kubernetes audit logs |
| Alibaba Cloud | PolarDB | PolarDB-X 1.0 SQL audit logs and PolarDB-X 2.0 SQL audit logs |
| Alibaba Cloud | ApsaraDB for MongoDB | MongoDB audit logs |
| Alibaba Cloud | ApsaraDB RDS | RDS SQL audit logs |
| Alibaba Cloud | Virtual Private Cloud (VPC) | VPC flow logs |
| Alibaba Cloud | Elastic IP Address (EIP) | Elastic IP Address logs |
| Alibaba Cloud | Server Load Balancer (SLB) | ALB access logs and CLB access logs |
| Alibaba Cloud | Object Storage Service (OSS) | OSS access logs |
| Alibaba Cloud | ActionTrail | ActionTrail event logs |
| Alibaba Cloud | CloudConfig | Configuration audit logs |
| Alibaba Cloud | File Storage NAS | NAS NFS operational logs |
| Alibaba Cloud | AI Guardrails | Alibaba Cloud AI Security Guardrail logs |
| Tencent Cloud | Web Application Firewall | Tencent Cloud Web Application Firewall alert logs |
| Tencent Cloud | Cloud Firewall | Tencent Cloud Firewall alert logs |
| Huawei Cloud | Web Application Firewall | Huawei Cloud Web Application Firewall alert logs |
| Huawei Cloud | Cloud Firewall | Huawei Cloud Firewall alert logs |
| Azure | Windows Defender for Endpoint | Endpoint alert logs |
| Azure | Azure Active Directory | Azure Active Directory audit logs and logon logs |
| Azure | Activity | Audit logs |
| Azure | SQL Database | SQL Server audit logs |
| AWS | CloudTrail | CloudTrail logs |
| AWS | Redshift | Redshift audit logs |
| AWS | GuardDuty | GuardDuty finding alert logs |
| AWS | PostgreSQL on Amazon RDS | PostgreSQL event logs |
| Volcengine | Security Center | HIDS alert logs |
| Fortinet | Fortinet Firewall | Fortinet Firewall alert logs, Fortinet Firewall flow logs, and Fortinet audit logs |
| Chaitin | Chaitin WAF | Chaitin WAF alert logs and Chaitin WAF flow logs |
| Microsoft | Endpoint event logs | Windows security event logs |
| Sangfor | Sangfor Endpoint Secure aES (EDR) | Endpoint detection and response alert logs |
| Hillstone Networks | Hillstone Networks Firewall | Hillstone Networks Firewall alert logs |
| Tophant | Tophant Full-Traffic Security Computing and Analysis Platform | Tophant Full-Traffic Security Computing and Analysis Platform product alert logs |
| SkyGuard | DLP | DLP alert logs |
| Threatbook | OneSEC | OneSEC alert logs |
| Cisco | Cisco Firepower Firewall | Firewall alert logs |
| Palo Alto | Next-Generation Firewall | Firewall alert logs |
| Palo Alto | Cortex XDR | Palo Alto Cortex alert logs and endpoint alert logs |
| Palo Alto | Panorama | Panorama product logs |
| Ege Cloud | Polaris | Layer 4 internal network access logs and data audit logs |
| Custom vendor | Custom product | Firewall alert logs, firewall traffic logs, Web Application Firewall (WAF) alert logs, and WAF traffic logs |