Cloud Firewall:Detection and response

Last Updated:Mar 31, 2026

View and process events

When a large number of assets are connected, alerts generated by Agentic NDR can be numerous, noisy, and lack semantic correlation. The Agentic NDR Event Center addresses these issues by automatically aggregating existing alerts by attacker to form structured attack events. This provides a unified Traceability View to simplify the analysis of attack paths and impact scope, reducing alert management overhead.

  1. Go to the Event Center
    Log on to the Agentic NDR console. In the left-side navigation pane, click Detection > Event.

  2. View the event overview
    The top of the Events page displays the Total Events and Risk Level Distribution for the selected time range. To adjust the time range, click the calendar icon in the upper-right corner.

    Note

    Risk level descriptions:

    • Critical: Indicates a confirmed asset compromise or successful attack. This event includes a compromised asset or an exploited vulnerability.

    • High: A high-intensity attack attempt was detected. This event has a wide impact and affects a large number of assets.

    • Medium: Clear attack reconnaissance or probing was detected. The attack intent is clear, but the scope of affected assets is contained.

    • Low: An attack attempt was blocked by defense mechanisms or failed due to an environment mismatch. It involves a small number of assets.

  3. View and process a specific event
    The lower section of the page lists all events within the selected time range. You can use the filter bar to filter or search by criteria such as Status, Risk Level, or Event Name.
    Click an event's Event Name to open the details panel, where you can respond to the event.
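As an added illustration of the aggregation-by-attacker and risk-level logic described above (not Agentic NDR's own code), the following Python groups constructed sample alerts into events, splits one attacker's alerts into separate events when they fall more than 48 hours apart (an assumed window, mirroring the correlation window used by the AI alert analysis), rates each event with the four risk levels, and builds a newest-first timeline. The alert field names and the wide-impact threshold are assumptions.

```python
"""Aggregate alerts by attacker into events and rate them as described above.
Added illustration, not Agentic NDR code; field names, the 48-hour grouping
window and the wide-impact threshold are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

WIDE_IMPACT = 3  # assumed: this many distinct victims counts as wide impact

# Constructed sample alerts; 'result' is 'success', 'attempt' or 'blocked'.
ALERTS = [
    {"time": "2026-03-25T08:00:00", "attacker": "203.0.113.10", "victim": "10.0.0.5", "name": "Port scan", "result": "attempt"},
    {"time": "2026-03-30T08:00:00", "attacker": "203.0.113.10", "victim": "10.0.0.5", "name": "Port scan", "result": "attempt"},
    {"time": "2026-03-30T08:05:00", "attacker": "203.0.113.10", "victim": "10.0.0.6", "name": "Port scan", "result": "attempt"},
    {"time": "2026-03-30T08:30:00", "attacker": "203.0.113.10", "victim": "10.0.0.7", "name": "Brute-force login", "result": "attempt"},
    {"time": "2026-03-30T08:40:00", "attacker": "198.51.100.7", "victim": "10.0.0.5", "name": "Port scan", "result": "attempt"},
    {"time": "2026-03-30T09:00:00", "attacker": "198.51.100.7", "victim": "10.0.0.5", "name": "Web shell upload", "result": "success"},
    {"time": "2026-03-30T10:00:00", "attacker": "192.0.2.9", "victim": "10.0.0.8", "name": "SQL injection", "result": "blocked"},
]

def risk_level(alerts):
    """Map one event's alerts to the page's Critical/High/Medium/Low levels."""
    victims = {a["victim"] for a in alerts}
    results = {a["result"] for a in alerts}
    if "success" in results:          # confirmed compromise / exploited vuln
        return "Critical"
    if "attempt" in results:          # attack intent is clear
        return "High" if len(victims) >= WIDE_IMPACT else "Medium"
    return "Low"                      # everything was blocked or failed

def build_events(alerts, window=timedelta(hours=48)):
    """Group alerts by attacker; a gap longer than `window` between two
    consecutive alerts from one attacker starts a new event."""
    by_attacker = defaultdict(list)   # attacker -> list of alert groups
    for a in sorted(alerts, key=lambda x: x["time"]):
        groups = by_attacker[a["attacker"]]
        t = datetime.fromisoformat(a["time"])
        if groups and t - datetime.fromisoformat(groups[-1][-1]["time"]) <= window:
            groups[-1].append(a)
        else:
            groups.append([a])
    events = []
    for attacker, groups in by_attacker.items():
        for g in groups:
            newest_first = sorted(g, key=lambda x: x["time"], reverse=True)
            events.append({"attacker": attacker, "risk": risk_level(g),
                           "victims": sorted({a["victim"] for a in g}),
                           "timeline": [a["name"] for a in newest_first]})
    return events
```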

Event report from the agent

The top of the event details panel shows a summary of the event report generated by the agent. Click Full Report to view detailed content, including attack-related information and response recommendations.

Analysis views

In the event details panel, Agentic NDR provides the following three analysis views:

  • Traceability View: Displays a topology graph of the attack path between the attacker and the victim. 

  • Entity View: Summarizes all IP Address and Domain Name entities associated with the event, including External Threat and Internal Asset.

  • Alert View: Summarizes all alerts associated with the event.

Traceability View

The Traceability View visualizes the attack path and supports the following interactions:

  • Click Timeline to sort alerts by time, from newest to oldest (top to bottom).

  • Click any alert to highlight its corresponding attack path, which helps you reconstruct the entire attack process.

The icons represent the following entities. Click an icon to open the Entity Details page, which displays related Alibaba Cloud threat intelligence.

  • Primary attacker: The primary attacker in this event, representing the initial point of compromise.

  • Internal asset: An internal asset or victim. A separate icon variant indicates a compromised asset.

  • External attacker: An external attacker, such as a scanner or brute-force source, that is not a C2 server.

  • C2 server: An external, malicious C2 (Command and Control) server associated with a domain name, which remotely controls a victim host.

Entity View

The Entity View lists all entities associated with the current event and supports the following actions:

  • Filter and search: In the filter bar, you can filter or search for entities by criteria such as Source, IP Address, Domain Name, or Entity Value.

  • View threat intelligence: Click the Entity Value of a target entity to view its related information in Alibaba Cloud threat intelligence. 

  • Add to allowlist: In the Actions column for a target entity, click Whitelist to add the entity to the allowlist. After an entity is added to the allowlist, the system stops generating alerts for it.

Alert View

The Alert View lists all alerts associated with the current event and supports the following actions:

  • Aggregate and filter: In the aggregation bar, you can group alerts By Alert Name or Attack Type. In the filter bar, you can filter or search for alerts by criteria such as Attack result or Attacker IP.

  • View alert details: Click the Alert Name of a target alert to go to its Alert details page.

  • View AI results: In the AI Analysis column, click the image icon to view the AI-generated alert analysis and corresponding defense recommendations.

  • Add to allowlist: In the Actions column for a target alert, click Whitelist to go to the Configure Alert allowlist page and add the alert to the allowlist.

Respond to and update event status

In the event details panel, you can update an event's status or take response actions based on the analysis to support subsequent tracking and management:

  • Respond to an event by adding to the allowlist: Click Recommended Actions in the upper-right corner or One-Click Response in the lower-left corner to go to the Recommended Actions page. On this page, in the Actions column for a target entity, click Whitelist to add the entity to the allowlist. The system will no longer generate alerts for this entity.

  • Update event status: In the Status area in the upper-right corner, click the image icon to change the Update Status to Processing or Processed.

Note

These actions can also be performed from the event list in the Event Center. In the event list, click Recommended Actions or Update Event Status in the Actions column for a target event to perform the same functions.

Threat analysis overview

Threat analysis is a core capability of Agentic NDR. Based on Alibaba Cloud's proprietary intrusion detection, threat intelligence, behavior analysis, and security sandbox engines, it provides enterprise users with full-traffic attack detection and threat analysis capabilities. It also offers statistical, aggregation, and correlation analysis of alert data.

Agentic NDR can also restore files transmitted over the network for risk analysis, generate alerts for suspicious files, and provide sample data for user analysis.

Alert analysis

  1. Sign in to the Agentic NDR Console.

  2. In the left-side navigation pane, select Detection.

  3. On the Alerts tab, view the current number of compromises and the total number of alerts, and view the detection time and the connection between the attacker and victim for each alert.

    You can query alert analysis data for a specific scope by using multiple filter conditions and group the data by Alert Name, Attacker IP, and Victim IP Address for aggregated statistics. The Attacker IP and Victim IP Address have a cascading relationship: a specific Attacker IP can be linked to a corresponding Victim IP Address, and vice versa. When you select an Attacker IP or a Victim IP Address, the alert data in the section below updates in real time. Click a Victim IP Address to view its asset details in a dialog box.

Alert details

The alert details page provides a detailed analysis of the alert, organized into five modules: basic alert information, detailed alert logs, a list of related packets, correlated alert information, and ATT&CK technique information. This helps you quickly assess and respond to the alert.

AI alert analysis

When you open the details page, the Security AI Assistant automatically generates and displays the following explanations for the alert:

  • Alert summary: Summarizes the alert information, including basic details like the attacker, victim, alert name, and detection engine, and outlines the attack intent.

  • Payload analysis: Explains the detected payload, including its content, the attack technique used, and potential threats.

  • Attack result analysis: Explains the attack result from the detection engine. If the engine marks the result as an attempt, the large language model (LLM) determines the final result by analyzing request and response packets.

  • Threat intelligence: Queries threat intelligence for the attacker IP address and any domain names or IP addresses found in the payload, and explains the findings.

  • Correlated alert analysis: Summarizes related alerts for the attacker and victim within a 48-hour window to analyze the attack intent and determine the attack stage.

  • Attacker IP threat analysis: Summarizes the alert activity for the attacker IP over the last 24 hours. It analyzes the threat posture of the attacker IP based on the distribution of attack counts, times, results, and affected assets.

  • Defense recommendations: Provides defense recommendations for log investigation, application analysis, and access control based on the alert content and analysis.

Basic information

In the Basic Information area, you can view information about CVEs that may be related to the alert. Click View CVE Information to access the Alibaba Cloud vulnerability database for disclosure and analysis information, as well as the vulnerability's impact scope and recommended upgrade solutions. This area also provides details such as Attack Time, Alert Count, Alert Time, and Alert Name.

Related alerts

  1. In the Related Alerts area, view the alert information. In the Raw Data column, click payload to analyze the alert payload's key information. The portion that triggered the alert rule is highlighted. Click the Decoding Tools at the bottom right of the payload to decode the payload section of the raw traffic. The Agentic NDR decoding tool supports various decoding methods, such as ASCII, UTF-8, and hexadecimal.

  2. In the AI Analysis column, click the image icon. The Security AI Assistant automatically generates and displays an explanation for the alert, improving readability and response efficiency.

  3. In the Actions column, click Packet Analysis to open the Online PCAP Parsing page and view the packet analysis. For more information, see Packet analysis management.

  4. In the Actions column, click Packet Query to go to the Attack Forensics page. On this page, you can retrieve the raw packets related to the alert by using the traffic 5-tuple and download the PCAP file of the related packets for further analysis.

Related protocol logs

In the Related Protocol Log area, view the log overview. Click Log Details to open the protocol log analysis page for further investigation.

Related packets

In the Related Packet area, you can perform the following actions:

  • Packet Analysis: View the packet analysis on the Online PCAP Parsing page. For more information, see Packet analysis management.

  • Packet Query Details: Navigate to the Risks page based on the source and destination IP address 2-tuple to retrieve the raw packets related to the alert.

  • Generate PCAP: Download the PCAP file of the raw packets.
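As an added illustration of what Packet Query (5-tuple lookup, as in the Related Alerts steps) and Generate PCAP do behind the UI, the following Python selects packets from a constructed packet store by flow tuple in either direction, treats unset fields as wildcards so the same function covers the 2-tuple query of the Related Packet area, and serialises the selection as a classic pcap file. This is not Agentic NDR code; the packet record layout and the packet bytes are constructed placeholders.

```python
"""Select raw packets for an alert by flow tuple and emit a PCAP file.
Added illustration of Packet Query / Generate PCAP, not Agentic NDR code;
packet records and bytes are constructed placeholders (assumed field order)."""
import struct

LINKTYPE_RAW = 101  # pcap link type: raw IP packets, no link-layer header

# Constructed packet store: (ts_sec, ts_usec, src, sport, dst, dport, proto, raw)
PACKETS = [
    (1774857600, 0, "203.0.113.10", 51000, "10.0.0.5", 80, "tcp", b"GET /login HTTP/1.1\r\n"),
    (1774857600, 500, "10.0.0.5", 80, "203.0.113.10", 51000, "tcp", b"HTTP/1.1 200 OK\r\n"),
    (1774857601, 0, "203.0.113.10", 51001, "10.0.0.5", 443, "tcp", b"\x16\x03\x01"),
    (1774857602, 0, "198.51.100.7", 40000, "10.0.0.5", 80, "tcp", b"GET / HTTP/1.1\r\n"),
]

def matches(pkt, src, sport, dst, dport, proto):
    """True when the packet belongs to the flow in either direction.
    None is a wildcard, so (src, None, dst, None, None) is the 2-tuple query."""
    _, _, psrc, psport, pdst, pdport, pproto, _ = pkt
    def one_way(a, ap, b, bp):
        return ((src is None or a == src) and (sport is None or ap == sport)
                and (dst is None or b == dst) and (dport is None or bp == dport))
    flow_ok = one_way(psrc, psport, pdst, pdport) or one_way(pdst, pdport, psrc, psport)
    return flow_ok and (proto is None or pproto == proto)

def query_packets(store, src, sport=None, dst=None, dport=None, proto=None):
    """Return packets matching the tuple, in capture order (Packet Query)."""
    return [p for p in store if matches(p, src, sport, dst, dport, proto)]

def to_pcap(packets):
    """Serialise packets as a classic little-endian pcap file (Generate PCAP)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_RAW)
    for ts_sec, ts_usec, *_, raw in packets:
        out += struct.pack("<IIII", ts_sec, ts_usec, len(raw), len(raw)) + raw
    return out

if __name__ == "__main__":
    flow = query_packets(PACKETS, "203.0.113.10", 51000, "10.0.0.5", 80, "tcp")
    open("alert_packets.pcap", "wb").write(to_pcap(flow))
```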

Correlated alerts timeline

In the Associated Alert Timeline area, you can use a timeline to analyze multiple alerts triggered by the same attacker and victim IP addresses around the time of the current alert. This helps you understand temporal relationships between events and identify the attacker's behavior patterns. Click an alert name on a related alert card to open its details in a new page.

ATT&CK technique

In the ATT&CK technique information area, you can view a detailed analysis of the underlying attack technique.

ATT&CK Matrix

On the ATT&CK Matrix tab, Agentic NDR allows you to analyze alerts based on ATT&CK labels.

This tab displays statistics for alerts related to different attack techniques. Techniques with active alerts are highlighted and moved to the top for visibility. Click the number on an alert item to view details in the ATT&CK technique information pop-up. To view specific alert information, click Click to view specific alert. You will be redirected to the Alerts tab.

Configure alert allowlist

Agentic NDR provides an alert allowlist feature for managing alert priorities. Use it to mark specific types of alerts as safe or acknowledged so that you do not have to process them repeatedly.

Note

The IP addresses of Security Center scanners are blocked by default and do not generate alerts.

  1. Sign in to the Agentic NDR Console.

  2. In the left-side navigation pane, select Detection.

  3. On the Alert Whitelist tab, click Create Rule.

  4. In the Alert Rule Filter panel, configure the relevant fields.

  5. Click Confirm.

Important

During the trial period, alert logs are retained for a maximum of 90 days. The system overwrites logs that exceed this retention period, starting with the oldest ones.