Product log ingestion policies must be attached to data sources. Agentic SOC currently only accepts logs from Alibaba Cloud Simple Log Service (SLS). Agentic SOC supports both custom Logstores and Agentic SOC-dedicated Logstores.
Prerequisites
You have purchased and activated the service.
Data source type description
Data source type | Recommended scenarios | Description | Supported operations |
Custom Log Capability | Logs are already integrated with SLS. | Project Logstores created in Simple Log Service (SLS) by users or other Alibaba Cloud products. The costs generated by this data source are not related to Agentic SOC. Agentic SOC initializes some custom log service data sources for Alibaba Cloud products. The initialization rules are as follows: | |
Agentic SOC Dedicated Data Collection Channel | Logs are not yet integrated with SLS. | Project Logstores created by the Agentic SOC service in Simple Log Service (SLS) and dedicated to Agentic SOC. The costs generated by this data source are covered by the Agentic SOC service. The project naming convention is aliyun-cloudsiem-channel-Alibaba Cloud account ID-cn-region ID. The Logstore name can be customized by users. Note: If an Agentic SOC-dedicated project already exists in the same region, the system will not create a duplicate. New Logstores will be automatically appended to the Agentic SOC project without affecting existing Logstores. | |
Predefined Log Capability | Logs directly delivered by Alibaba Cloud products. | Alibaba Cloud products provide some logs directly to Agentic SOC without configuration. For example, alert logs from Alibaba Cloud security products: WAF alert logs, Cloud Firewall alert logs, etc. | View |
Create a data source: Logs already integrated with Simple Log Service (SLS)
Log on to the Security Center console. In the upper-left corner of the console, select the region where the assets to be protected are located: China or Outside China.
In the navigation pane on the left, choose .
On the Data Source tab, click Add Data Source in the upper-left corner. You can refer to the following information for configuration.
Parameter | Description |
Data Source Name | Customizable. |
Data Source Type | If your product logs are already integrated with Alibaba Cloud SLS, it is recommended to select Custom Log Capability to avoid duplicate integration and reduce costs. Important: If your product is not yet integrated with Alibaba Cloud SLS but you still want to choose this method, first go to the Simple Log Service console to create the corresponding Logstore, and then integrate the logs into that Logstore. |
Region | The storage region of the Logstore. |
Project | Custom Log Capability: Synchronizes all projects in SLS under this account. Select the target project. |
Logstore | Custom Log Capability: Synchronizes all Logstores under the Project. Select the target Logstore. |
Click the OK button in the lower-left corner of the creation page. After creation, you can view the newly created data source in the data source list.
Create a data source: Logs not integrated with Simple Log Service (SLS)
Log on to the Security Center console. In the upper-left corner of the console, select the region where the assets to be protected are located: China or Outside China.
In the navigation pane on the left, choose .
On the Data Source tab, click Add Data Source in the upper-left corner. Different data source types have different configurations. You can refer to the following information for configuration.
Important: The data source type cannot be modified. Please choose carefully.
Custom Log Service
Warning: If your product is not yet integrated with Alibaba Cloud SLS but you still want to use the Custom Log Capability type, first go to the Simple Log Service console to create the corresponding Logstore, and then integrate the logs into that Logstore.
Parameter | Description |
Data Source Name | Customizable. |
Data Source Type | Custom Log Capability |
Region | The storage region of the Logstore. |
Project | Custom Log Capability: Synchronizes all projects in SLS under this account. Select the target project. |
Logstore | Custom Log Capability: Synchronizes all Logstores under the Project. Select the target Logstore. |
Agentic SOC dedicated collection channel
Parameter | Description |
Data Source Name | Customizable. |
Data Source Type | Select Agentic SOC Dedicated Data Collection Channel. Important: If you have multiple products in the same region and all choose this method, the logs of these products will be stored in one Project (aliyun-cloudsiem-channel-account UID-cn-region ID). |
Region | The storage region of the Logstore. |
Project | Agentic SOC Dedicated Data Collection Channel: Fixed project name aliyun-cloudsiem-channel-account UID-cn-region ID, cannot be changed. |
Logstore | Agentic SOC Dedicated Data Collection Channel: You need to manually enter the Logstore name. For specific operations, see Create a Logstore. |
Create a Logstore
If you select the Logstore type as Agentic SOC Dedicated Data Collection Channel, you need to first complete the project and Logstore creation in SLS. The steps are as follows:
Click Create Logstore and enter the Logstore name. The Logstore name only supports lowercase letters, numbers, hyphens (-), and underscores (_).
In the Logstore creation prompt box, confirm the information and click OK.
After creation, you can view the created Project (aliyun-cloudsiem-channel-account UID-cn-region ID) and Logstore in the Simple Log Service console.
Important: If an Agentic SOC-dedicated Project has already been created, the system will not create a duplicate. New Logstores will be automatically appended to the Agentic SOC project without affecting existing Logstores.
If the Logstore has already been created, the system will not create a duplicate. New log data will be automatically appended to that Logstore. If you need to store different categories of log data separately, choose the Logstore name carefully.
Click the OK button in the lower-left corner of the creation page. After creation, you can view the newly created data source in the data source list.
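Because every dedicated-channel source in one account and region lands in the same Project, and an existing Logstore is reused rather than duplicated, it is worth checking a rollout plan before creating the sources. The following is an added example, not Alibaba Cloud code: it applies the Logstore naming rule stated above and flags Logstores that more than one product would append to. The plan format, the product names, the UID, and the treatment of `region_part` as the text after `cn-` in the project template are assumptions.

```python
import re
from collections import defaultdict

# Naming rule stated on this page: lowercase letters, digits, "-" and "_" only.
LOGSTORE_NAME = re.compile(r"[a-z0-9_-]+")


def dedicated_project(account_uid, region_part):
    """Render the page's template aliyun-cloudsiem-channel-<account UID>-cn-<region ID>.

    Assumption: region_part is the text that follows "cn-" in that template.
    """
    return f"aliyun-cloudsiem-channel-{account_uid}-cn-{region_part}"


def review_plan(plan):
    """Return (invalid_names, shared_logstores) for planned dedicated-channel sources."""
    invalid = []
    writers = defaultdict(list)  # (project, logstore) -> products writing there
    for src in plan:
        if not LOGSTORE_NAME.fullmatch(src["logstore"]):
            invalid.append((src["product"], src["logstore"]))
            continue
        project = dedicated_project(src["account_uid"], src["region_part"])
        writers[(project, src["logstore"])].append(src["product"])
    # An existing Logstore is reused, so two products naming the same Logstore
    # in one account and region end up appending to the same store.
    shared = {key: prods for key, prods in writers.items() if len(prods) > 1}
    return invalid, shared


# Constructed sample plan; the UID, products and Logstore names are placeholders.
UID = "1234567890123456"
SAMPLE_PLAN = [
    {"product": "edge-proxy", "account_uid": UID, "region_part": "hangzhou", "logstore": "proxy_access"},
    {"product": "vpn-gateway", "account_uid": UID, "region_part": "hangzhou", "logstore": "network-logs"},
    {"product": "ids-sensor", "account_uid": UID, "region_part": "hangzhou", "logstore": "network-logs"},
    {"product": "ids-sensor", "account_uid": UID, "region_part": "shanghai", "logstore": "network-logs"},
    {"product": "hr-app", "account_uid": UID, "region_part": "hangzhou", "logstore": "HR.Audit"},
]

if __name__ == "__main__":
    invalid, shared = review_plan(SAMPLE_PLAN)
    for product, name in invalid:
        print(f"invalid Logstore name for {product}: {name!r}")
    for (project, logstore), products in shared.items():
        print(f"{project}/{logstore} would mix logs from: {', '.join(products)}")
```

The check covers only the character rule given on this page; any further naming limits enforced by Simple Log Service are not modelled.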
Edit a data source
Data sources with the type Predefined Log Service cannot be modified.
If the data source is already attached to an access policy and the access policy is enabled, modification is not allowed. If you want to modify it, please first disable the access policy. For more information, see Why can't the data source be modified?
A data source that is created automatically after cross-account access to member account logs is configured cannot be modified. To modify it, you must first cancel the access configuration. For more information, see Remove Alibaba Cloud from the service provider list.
Log on to the Security Center console. In the upper-left corner of the console, select the region where the assets to be protected are located: China or Outside China.
In the navigation pane on the left, choose .
On the Data Source tab, find the data source you want to edit and click Edit in the Operation column. You can refer to the following information for configuration.
Parameter | Description |
Data Source Name | Customizable. |
Region | The storage region of the Logstore. |
Project | Custom Log Capability: Synchronizes all projects in SLS under this account. Agentic SOC Dedicated Data Collection Channel: Fixed project name aliyun-cloudsiem-channel-account UID-cn-region ID, cannot be changed. |
Logstore | Custom Log Capability: Synchronizes all Logstores under the Project. Agentic SOC Dedicated Data Collection Channel: You need to manually enter the Logstore name. For specific operations, see Create a Logstore. |
Click the OK button in the lower-left corner of the edit page.
Delete a data source
Data sources with the type Predefined Log Service cannot be deleted.
Data sources that are attached to access policies (including cross-account access policies) cannot be deleted.
Log on to the Security Center console. In the upper-left corner of the console, select the region where the assets to be protected are located: China or Outside China.
In the navigation pane on the left, choose .
On the Data Source tab, find the data source you want to delete and click the Delete button in the Operation column.
References
To attach a data source to an access policy, see Product access.
To learn about the products supported by default data sources, see Integration Center.
To learn more about Agentic SOC 2.0, see Agentic SOC 2.0.
If you encounter problems during operation, see FAQ for solutions.