Agentic SOC pulls logs exclusively from Alibaba Cloud Simple Log Service (SLS). Before you attach a product log ingestion policy, configure a data source that points to the SLS Logstore containing the logs you want to analyze.
Prerequisites
Before you begin, ensure that you have:
Purchased and activated the Agentic SOC service
Data source types
Agentic SOC supports three data source types. Choose the one that matches your current log setup:
| Type | Use when | Cost | Operations |
|---|---|---|---|
| Custom Log Capability | Logs are already in SLS (user-created or product-created Logstores) | Billed through SLS — not covered by Agentic SOC | Add, view, modify, delete |
| Agentic SOC Dedicated Data Collection Channel | Logs are not yet in SLS; Agentic SOC creates and manages the Logstore | Covered by the Agentic SOC service | Add, view, modify, delete |
| Predefined Log Capability | Alibaba Cloud security products (such as Web Application Firewall (WAF) and Cloud Firewall) deliver alert logs directly to Agentic SOC without configuration | N/A | View only |
How Agentic SOC initializes Custom Log Capability sources
Agentic SOC auto-initializes some Custom Log Capability data sources for Alibaba Cloud products:
Standard Logstore naming conventions — Agentic SOC completes initialization automatically. Examples include vulnerability logs and baseline logs from Security Center, and flow logs from WAF.
WarningIf the corresponding product has not activated its log service, the initialized data source remains unavailable. Activate the log service in that product's console before using the data source.
Non-standard Logstore naming conventions — Enter the Logstore name manually on the edit page. Examples include VPC and ActionTrail.
Cross-account member account logs — After you ingest member account logs across accounts, Agentic SOC automatically creates a data source with the naming convention
access template name_region ID_member account UID. For details, see Multi-account management.
Add a data source
Log in to the Security Center consoleSecurity Center consoleSecurity Center consoleSecurity Center console and select your region (China or Outside China) in the upper-left corner.
In the left navigation pane, choose Agentic SOC > Integration Center.
On the Data Source tab, click Add Data Source.
The data source type cannot be modified after creation. Choose carefully.
Logs already in SLS (Custom Log Capability)
If your logs are already in an SLS Logstore, select Custom Log Capability to avoid duplicate ingestion and reduce costs.
If your product logs are not yet in SLS but you still want to use Custom Log Capability, first create a Logstore in the SLS console and ingest the logs into it before creating the data source.
| Parameter | Description |
|---|---|
| Data Source Name | Any name you choose |
| Data Source Type | Custom Log Capability |
| Region | The region where the Logstore is stored |
| Project | Synchronizes all SLS projects under your account. Select the target project. |
| Logstore | Synchronizes all Logstores under the selected project. Select the target Logstore. |
Click OK in the lower-left corner to create the data source.
Logs not yet in SLS (Agentic SOC Dedicated Data Collection Channel)
If your logs are not yet in SLS, select Agentic SOC Dedicated Data Collection Channel. Agentic SOC creates and manages the SLS project on your behalf, and the cost is covered by the service.
If multiple products in the same region use this channel, their logs are stored in a single project: aliyun-cloudsiem-channel-{account UID}-cn-{region ID}.
| Parameter | Description |
|---|---|
| Data Source Name | Any name you choose |
| Data Source Type | Agentic SOC Dedicated Data Collection Channel |
| Region | The region where the Logstore will be stored |
| Project | Fixed project name: aliyun-cloudsiem-channel-{account UID}-cn-{region ID}. Cannot be changed. |
| Logstore | Enter a Logstore name manually. See Create a Logstore below. |
Create a Logstore
Click Create Logstore and enter a Logstore name. Use only lowercase letters, numbers, hyphens (
-), and underscores (_).Confirm the details in the prompt and click OK.
After creation, find the project (
aliyun-cloudsiem-channel-{account UID}-cn-{region ID}) and Logstore in the SLS console.
If a dedicated project already exists in the same region, the system does not create a duplicate. New Logstores are appended to the existing project without affecting existing data.
If the specified Logstore already exists, the system does not create a duplicate. New log data is appended to the existing Logstore. If you need to separate log data by source, plan your Logstore names carefully before creating.
Click OK in the lower-left corner to create the data source.
Edit a data source
The following data sources cannot be modified:
Data sources of the Predefined Log Capability type
Data sources attached to an enabled access policy. To modify the data source, disable the access policy first.
Data sources auto-created from cross-account member account log ingestion. To modify these, cancel the access configuration. See Remove Alibaba Cloud from the service provider list.
Log in to the Security Center consoleSecurity Center consoleSecurity Center consoleSecurity Center console and select your region.
In the left navigation pane, choose Agentic SOC > Integration Center.
On the Data Source tab, find the data source and click Edit in the Operation column.
Update the parameters as needed:
Parameter Description Data Source Name Any name you choose Region The region where the Logstore is stored Project Custom Log Capability: synchronizes all SLS projects under your account. Agentic SOC Dedicated Data Collection Channel: fixed project name, cannot be changed. Logstore Custom Log Capability: synchronizes all Logstores under the project. Agentic SOC Dedicated Data Collection Channel: enter the Logstore name manually. Click OK in the lower-left corner.
Delete a data source
The following data sources cannot be deleted:
Data sources of the Predefined Log Capability type
Data sources attached to an access policy (including cross-account access policies). Detach the data source from all policies before deleting it.
Log in to the Security Center consoleSecurity Center consoleSecurity Center consoleSecurity Center console and select your region.
In the left navigation pane, choose Agentic SOC > Integration Center.
On the Data Source tab, find the data source and click Delete in the Operation column.
Next steps
To attach a data source to an access policy, see Product access.
To see which Alibaba Cloud products have predefined data sources, see Integration Center.
To learn more about Agentic SOC 2.0, see Agentic SOC 2.0.
If you run into issues, see the FAQ.