Agentic SOC in Security Center manages alert and log data from multiple products, accounts, and cloud environments. It uses response policies to promptly process security threats, helping you improve O&M efficiency and mitigate potential risks.
Agentic SOC workflow
The Agentic SOC workflow is as follows:
Activate the Agentic SOC service.
Ingest logs from cloud products or security vendors.
Set up and enable predefined or custom threat detection rules to analyze collected logs and reconstruct complete attack chains.
Identify security threats and generate security alerts.
Aggregate multiple security alerts to generate security events.
Use response policies (recommended or custom) or automated response orchestration to coordinate with related cloud products to block, isolate, or apply other security measures against malicious entities.
Currently, only logs ingested from Alibaba Cloud, Huawei Cloud, and Tencent Cloud can be used to generate security events and trigger automated responses. Logs from other security vendors can be used to generate security alerts but do not support automated responses. For more information, see Add logs from security vendors.
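The following is an added illustrative model of the workflow above (logs, detection rule, alerts, aggregated events, response tasks), not the product's own code; the log fields, the detection rule, the alert threshold, and the task name are assumptions, and the sample records are constructed. It encodes the restriction just stated: only logs from Alibaba Cloud, Huawei Cloud, and Tencent Cloud advance from alerts to events and automated responses.

```python
from collections import defaultdict

# Sources whose logs may become security events and trigger automated responses (per the page).
# Logs from other security vendors stop at the alert stage.
EVENT_CAPABLE_SOURCES = {"alibaba", "huawei", "tencent"}

# Constructed sample records; field names are assumed, not the real WAF log schema.
SAMPLE_LOGS = [
    {"source": "alibaba", "src_ip": "203.0.113.10", "action": "block", "rule": "sqli"},
    {"source": "alibaba", "src_ip": "203.0.113.10", "action": "block", "rule": "xss"},
    {"source": "alibaba", "src_ip": "203.0.113.10", "action": "block", "rule": "sqli"},
    {"source": "alibaba", "src_ip": "198.51.100.7", "action": "pass", "rule": ""},
    {"source": "alibaba", "src_ip": "198.51.100.7", "action": "block", "rule": "scanner"},
    {"source": "othervendor", "src_ip": "192.0.2.44", "action": "block", "rule": "rce"},
    {"source": "othervendor", "src_ip": "192.0.2.44", "action": "block", "rule": "rce"},
    {"source": "othervendor", "src_ip": "192.0.2.44", "action": "block", "rule": "rce"},
]

def detect_alerts(logs):
    """Constructed detection rule: each blocked request becomes one alert."""
    return [dict(rec) for rec in logs if rec["action"] == "block"]

def aggregate_events(alerts, min_alerts=3):
    """Group alerts from event-capable sources by source IP.
    An event needs at least min_alerts hits so that a single block does not
    escalate into an automated response against a possibly legitimate client."""
    by_ip = defaultdict(list)
    for alert in alerts:
        if alert["source"] in EVENT_CAPABLE_SOURCES:
            by_ip[alert["src_ip"]].append(alert)
    return [{"src_ip": ip, "hits": len(hits), "rules": sorted({h["rule"] for h in hits})}
            for ip, hits in by_ip.items() if len(hits) >= min_alerts]

def plan_responses(events):
    """Incident-triggered response rule: one WAF block task per event (IP -> task name)."""
    return {ev["src_ip"]: "waf_block_ip" for ev in events}

def run_pipeline(logs=SAMPLE_LOGS):
    """Return (alert count, events, response plan) for one batch of log records."""
    alerts = detect_alerts(logs)
    events = aggregate_events(alerts)
    return len(alerts), events, plan_responses(events)

if __name__ == "__main__":
    n_alerts, events, plan = run_pipeline()
    print(f"{n_alerts} alerts, {len(events)} events, responses: {plan}")
```

With the sample batch, the third-party vendor's three blocks stay alerts only, the single Alibaba Cloud block never becomes an event, and only the repeat offender receives a block task.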
Usage example
This topic provides an example of how Agentic SOC uses automated response orchestration to automatically block attack IP addresses with Web Application Firewall (WAF). This approach addresses common problems with blocking attack IP addresses in WAF manually, such as inadvertently blocking legitimate users and maintaining complex configurations.
Prerequisites
In the WAF console, add the domain names or cloud products that you want to protect. This topic uses an ECS instance as an example. For more information, see Enable WAF protection for an ECS instance.

In the WAF console, enable Log Service for WAF. Then, enable log delivery for the WAF-protected object. For more information, see Enable Simple Log Service for WAF.

Procedure
Step 1: Enable pay-as-you-go for Agentic SOC
Log in to the Security Center console. On the Agentic SOC page, click Activate Pay-as-you-go.
On the activation page, deselect the Enable Log Access Policy checkbox, and then click Activate and Authorize.
Warning: The Access Policy automatically ingests logs from Security Center, Web Application Firewall, Cloud Firewall, and ActionTrail. You are billed based on the actual volume of ingested logs. Therefore, exercise caution when you clear this checkbox. In the example in this topic, only Web Application Firewall is integrated and the recommended Log Access Policy is not enabled.
After you activate the service, the service-linked role for Security Center is automatically granted. For more information, see Service-linked role for Security Center.
Step 2: Ingest Web Application Firewall logs
If you selected Enable Log Access Policy in Step 1, you can skip this step. Agentic SOC automatically ingests Web Application Firewall logs.
Go to the Integration Center page in the Agentic SOC console. In the top-left corner of the page, select the region where your assets are located: Chinese Mainland or Outside Chinese Mainland.
In the Operations column of the Web Application Firewall row, click Access Settings, and then enable the Access Policy.
Note: The system automatically discovers the Web Application Firewall Logstore and adds it as a Data Source.
Step 3: Enable predefined detection rules
In the Security Center console, navigate to the page.
On the Predefined tab, search for WAF rules and turn on the Enabling Status switch.

Step 4: Configure automated response rules
In the Security Center console, navigate to .
On the Automatic Response Rule tab, click Create Rule. Then, select Incident Trigger and configure the Automatic Response Rule as shown in the following figure.

Step 5: Confirm the automatic blocking effect
When an attack event occurs on an ECS instance that is connected to WAF, view the corresponding event on the Security Incident page.
After the event matches the automated response rule, you can view on the Disposal Center tab the response policies and tasks that the playbook issued for the attack IP address.
Response policies created by the automated response rule

Response tasks created by the automated response rule

In the Web Application Firewall console, view the attack IP address blocking rule that Agentic SOC automatically adds.
The following steps use the WAF 3.0 console as an example.
Log in to the Web Application Firewall 3.0 console. In the top menu bar, select the region (Chinese Mainland or Outside Chinese Mainland) and the resource group of the WAF instance.
In the left navigation pane, choose .
On the Core Web Protection page, you can find the attack IP blocking rule automatically issued by Agentic SOC in the Custom Rule section.

References
For more information about how to purchase and configure Agentic SOC, see Purchase Security Center.
For more information about how to ingest logs from cloud products into Agentic SOC, see Ingest logs from cloud products and User guide.
For more information about threat detection rules, see Configure threat detection rules.
For more information about response orchestration, see Response orchestration.