
Security Center: Overview of security incidents in Agentic SOC

Last Updated: Mar 31, 2026

A security incident in Agentic SOC is a complete record of a security threat — correlated alerts, extracted entities (hosts, IPs, files, and processes), AI-generated conclusions, and a full attack chain reconstruction. Instead of triaging hundreds of raw alerts individually, you work at the incident level, where context is already assembled and priority is established.

After you enable Agentic SOC, security incidents generated from Cloud Workload Protection Platform (CWPP) alerts are migrated to Agentic SOC for processing. The handling workflow is the same as for natively generated Agentic SOC incidents. For details, see Overview of CWPP security incidents.

How incidents are generated

Agentic SOC generates security alerts based on predefined or custom rules, then analyzes context across multiple related alerts and aggregates them into a single incident.

Incidents are generated differently depending on the alert source:

  • Network-side: Agentic SOC detects malicious reconnaissance activities — such as scans or probing — using predefined rules, and groups them into incidents. This surfaces early-stage attacker behavior before the attacker can gather more information about your environment.

  • Host-side: Agentic SOC uses graph computing technology to correlate related host alerts — for example, alerts that share the same MD5 hash or parent process ID — and aggregates them into one incident. This lets you trace an attack entry point quickly, rather than piecing together dozens of individual alerts.

Not every alert triggers incident creation. The following conditions apply:

  • All host-side alerts generate incidents. A single host-side alert with no related alerts is still promoted to an incident.

  • Network-side alerts generate incidents only when they match an incident aggregation policy defined in a predefined or custom rule.

  • If an incident whitelisting rule is configured, alerts that match the rule do not generate incidents.

  • When only predefined rules are enabled, incidents are generated only from alerts that match the Graph Compute or Expert Rules generation methods.

Incident retention: The Security Events page shows incidents from the last 180 days.

Risk levels

Each incident is assigned one of five risk levels. Use the level to decide how urgently to respond.

| Risk level | What it means | What to do |
|---|---|---|
| Serious | A service interruption occurred. Key features are inaccessible or the network is down. Clear malicious behavior or entities were detected, and the impact spans multiple servers. | Review and handle immediately. |
| High Risk | Clear malicious behavior or entities were detected — for example, a reverse shell or other abnormal process behavior. A successful intrusion has likely already affected your assets. Impact is typically limited to a single machine. | Review and handle immediately. |
| Medium Risk | Suspected malicious behavior or entities were detected. The incident may be a successful intrusion, or it may be caused by unusual O&M operations such as an abnormal logon. | Review the incident details to determine whether a real threat exists, then act accordingly. |
| Low Risk | A possible intrusion, or continuous attack probes from an external source (for example, access from 106.11.XX.XX). | Monitor the incident if your assets have high security requirements. |
| Reminder | Alerts from job automation software. These indicate that a scheduled job ran or reached a milestone. | No action required. |

What an incident contains

Each incident aggregates two types of objects for investigation and handling.

Security alerts

Agentic SOC aggregates the source alerts that triggered the incident. Alert aggregation limits apply:

  • Graph computing incidents: up to 2,000 alerts

  • Other generation methods (such as same-type aggregation): up to 10,000 alerts

Aggregation behavior varies based on incident status:

| Incident status | Aggregation behavior |
|---|---|
| Unhandled | New alerts that match the incident continue to be aggregated into it. |
| Handling, Handled, or Failed | New alerts are not merged into the existing incident. A new incident is created in the Unhandled state. |
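As an added example (not the product's own code), the following Python toy model shows the host-side correlation described under How incidents are generated (alerts that share an MD5 hash or parent process ID land in the same incident, transitively) together with the aggregation rules in the table above: only an Unhandled incident below the 2,000-alert graph-computing cap keeps absorbing matching alerts; otherwise a new Unhandled incident is opened. The alert field names (id, host, md5, parent_pid) and the INC-n identifiers are assumptions.

```python
GRAPH_ALERT_CAP = 2000   # per-incident alert limit for graph-computing incidents (from the page)
OPEN = "Unhandled"       # the only status that still accepts new alerts

class IncidentStore:
    def __init__(self, cap=GRAPH_ALERT_CAP):
        self.cap = cap
        self.incidents = []   # each: {"id", "status", "alerts", "keys"}
        self._next = 1

    @staticmethod
    def keys_of(alert):
        # Correlation keys: a file hash is global, a parent PID is meaningful only per host.
        keys = set()
        if alert.get("md5"):
            keys.add(("md5", alert["md5"]))
        if alert.get("parent_pid") is not None:
            keys.add(("ppid", alert["host"], alert["parent_pid"]))
        return keys

    def ingest(self, alert):
        keys = self.keys_of(alert)
        # Only an Unhandled incident with room absorbs a matching alert; Handling/Handled/Failed
        # incidents never do, so a fresh Unhandled incident is opened instead.
        for inc in self.incidents:
            if inc["status"] == OPEN and inc["keys"] & keys and len(inc["alerts"]) < self.cap:
                target = inc        # first open match wins (simplification: no merging)
                break
        else:
            target = {"id": f"INC-{self._next}", "status": OPEN, "alerts": [], "keys": set()}
            self._next += 1
            self.incidents.append(target)
        target["alerts"].append(alert["id"])
        target["keys"] |= keys      # grow the key set so later alerts correlate transitively
        return target["id"]

    def set_status(self, incident_id, status):
        next(i for i in self.incidents if i["id"] == incident_id)["status"] = status

def demo():
    """Constructed sample alerts (assumed schema): a3 links to a1 only via a2 (pid, then hash)."""
    store = IncidentStore()
    alerts = [
        {"id": "a1", "host": "h1", "md5": "AAA", "parent_pid": 100},
        {"id": "a2", "host": "h1", "md5": "BBB", "parent_pid": 100},   # same parent as a1
        {"id": "a3", "host": "h2", "md5": "BBB", "parent_pid": 7},     # same hash as a2
        {"id": "a4", "host": "h3", "md5": "CCC", "parent_pid": 9},     # unrelated
    ]
    ids = [store.ingest(a) for a in alerts]
    store.set_status("INC-1", "Handled")        # close the first incident
    ids.append(store.ingest({"id": "a5", "host": "h1", "md5": "AAA", "parent_pid": 100}))
    return ids  # ['INC-1', 'INC-1', 'INC-1', 'INC-2', 'INC-3']
```

Lowering cap shows the other half of the rule: once an Unhandled incident reaches the limit, a related alert also opens a new incident.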

To view alert details, go to the Aggregate and Analyze Alerts and Custom Alert Analysis tabs on the Agentic SOC > Alert page. For information about configuring predefined and custom rules, see Rule management.

Entities

Entities are the specific objects and actors associated with an incident — hosts, IP addresses, files, processes, and more. Security Center extracts and aggregates entities from correlated alerts, classifies them as malicious or non-malicious based on threat intelligence tags, and lets you run playbooks or query Alibaba Cloud threat intelligence directly from the entity view.

The following entity types are supported:

| Entity | Asset entity | Can be identified as malicious |
|---|---|---|
| Host | Yes | No |
| IP address | Yes | Yes |
| Alibaba Cloud account | Yes | No |
| AccessKey pair | Yes | No |
| Domain name | Yes | Yes |
| File | No | Yes |
| Host process | No | Yes |
| Host account | No | No |
| URL | No | No |
| Registry | No | Yes |
| Container | Yes | No |
| Cluster | Yes | No |
| Object Storage Service (OSS) | Yes | No |

Investigation reports and AI analysis

Important

Investigation reports and AI analysis require the Security Operations Agent service in addition to Agentic SOC. For a comparison of the basic edition and Security Operations Agent, see Differences between the basic edition of Agentic SOC and Security Operations Agent.

After upgrading to Security Operations Agent, Agentic AI automatically analyzes each incident and generates an investigation report. The system triggers an investigation when an incident is created and again whenever new alerts are correlated with it.

Each report delivers a clear verdict:

| Verdict | Confidence threshold |
|---|---|
| True positive | Above 85% |
| False positive | At or below 10% |
| Insufficient information | Between 30% and 60% |

The report also includes the affected assets, attack chain, payload analysis, and an attack timeline.

For details on reviewing and acting on a report, see Assess and handle Agentic SOC security incidents.

Incident handling

Agentic SOC supports two incident types:

  • Complete incidents formed by aggregating multiple Agentic SOC alerts based on predefined or custom rules

  • Security incidents migrated from CWPP alerts

The following handling methods are available:

| Method | Description |
|---|---|
| Recommended handling policies | Choose from Agent Recommended Policy or System Recommended Policy. |
| Update incident status | Manually move an incident through its lifecycle. |
| Whitelisting | Agentic SOC incidents: automatic response rules only. CWPP incidents: automatic response rules and alert whitelisting. |
| Run playbooks | Execute automated response actions against the incident. |
| Automatic handling | Use response orchestration to handle incidents without manual intervention. |

Security incident handling flowchart

[Figure: Security incident handling flowchart]