Cloud Firewall: Security events

Last Updated: May 28, 2026

After you configure behavior control rules for an agent's assets, triggered events are recorded as security events. This topic describes how to view detailed records and correlation information for access control, anomaly detection, and data leakage events in the Security Events console.

View security events generated by agent behavior control rules

  • Access the console: Log on to the Cloud Firewall console. In the left-side navigation pane, choose Agent Firewall > Incidents.

  • Prerequisites: You have enabled protection for the target asset on the Runtime Environment page, and configured Behavioral control rules. The Data Leakage and Skill File Threat Detection rules are built into the system and do not require manual configuration.

Access control events

Go to the Access Control tab to view the list of security events that matched the Model Restrictions, Network Protection, or Agent Outbound Control rules. You can use the search box above the list to filter events by time and agent network environment.

This page supports the following operations:

  • View events that matched rules: The list below displays detailed event records, including the time, network environment, associated agent, matched rule module, five-tuple, and action taken.

  • View associated agent information: Find the target security event and click the icon in the Associated Agents column to view the name and type of the associated agent.

Anomaly detection events

Go to the Anomaly Detection tab to view the list of security events that matched the Skill Usage Anomaly Detection, Tool Call Anomaly Detection, or Skill File Threat Detection rules.

Skills & Tools Invocation Anomaly Detection

Go to the Skills & Tools Invocation Anomaly Detection tab to perform the following operations:

  • Filter security events: Use the search box above the list to filter events by time, rule type, blacklist/whitelist type, IP address, and other criteria.

  • View events that matched rules: The list displays detailed event records, including the time, associated agent, source and destination IP addresses, rule type, and action taken.

  • View associated agent information: Find the target security event and click the icon in the Associated Agents column to view the name and type of the associated agent.

Skill File Threat Detection

Go to the Skill File Threat Detection tab to perform the following operations:

  • Filter security events: Use the search box above the list to filter events by time, risk level, agent network environment, IP address, and other criteria.

  • View events that matched rules: The list displays detailed event records, including the skill file name and type, time, agent network environment, associated agent, five-tuple, and risk level.

  • View associated agent information: Find the target security event and click the icon in the Associated Agents column to view the name and type of the associated agent.

  • View detailed event report: Click View Details in the Actions column of the target event to view the AI-generated Skill Security Detection Report, which includes a risk overview, vulnerability details, remediation plans, and more.

  • Download event report: Click Download Report in the Actions column of the target event to download the report to your local machine.

Data leakage events

Go to the Data Leak tab to view the list of security events that matched the AccessKey/API Key Leak Detection, Personal Data Leak Detection, or Sensitive File Exfiltration Detection rules.

Sensitive Data

Go to the Sensitive Data tab to perform the following operations:

  • Filter security events: Use the search box above the list to filter events by time, protocol type, sensitive data type, risk level, instance ID, and other criteria.

  • View events that matched rules: The list displays detailed event records, including the instance ID, time, associated agent, risk level, sensitivity level, and sensitive data type.

  • View associated agent information: Find the target security event and click the icon in the Associated Agents column to view the name and type of the associated agent.

  • View sensitive information details: Click View Details in the Actions column of the target event to view specific sensitive information, including the peer IP address and port, the specific sensitive content, and the resource identifier.

Sensitive Files

Go to the Sensitive Files tab to perform the following operations:

  • Filter security events: Use the search box above the list to filter events by time, direction, sensitive data level, instance ID, and other criteria.

  • View events that matched rules: The list displays detailed event records, including the instance ID, IP address, port, time, associated agent, direction, sensitivity level, and number of sensitive files.

  • View associated agent information: Find the target security event and click the icon in the Associated Agents column to view the name and type of the associated agent.

  • View data types of sensitive files: Find the target security event and click the icon in the Sensitive Files column to view the Top 5 Sensitive Data Types by Hits.

  • View sensitive file details: Click View Details in the Actions column of the target event to view specific sensitive information, including the peer IP address and port, file name, file type, and resource identifier. Click File Details in the Actions column to view the specific sensitive information within the file.