By default, Alibaba Cloud Agentic NDR allows users to view and download the details of sensitive data and related packet payloads. To prevent leaks, use Resource Access Management (RAM) to create deny policies that block specific RAM users from accessing or exporting this data.
Supported sensitive data types
Agentic NDR detects 47 sensitive data types. The following table lists all supported types.
A hyphen (—) in the table indicates an empty cell.
| No. | Type | No. | Type | No. | Type | No. | Type | No. | Type | No. | Type |
|---|---|---|---|---|---|---|---|---|---|---|---|
| 1 | Debit card | 9 | ID card (the Chinese mainland) | 17 | AccessKeyId | 25 | Mainland Travel Permit for Hong Kong and Macao Residents | 33 | Passport number (the Chinese mainland) | 41 | Officer ID card |
| 2 | Private key | 10 | ID card (Hong Kong, China) | 18 | Name (Simplified Chinese) | 26 | Address (the Chinese mainland) | 34 | Mobile phone number (the Chinese mainland) | 42 | Email address |
| 3 | License plate number (the Chinese mainland) | 11 | Landline number (the Chinese mainland) | 19 | Gender | 27 | Ethnicity | 35 | Province (the Chinese mainland) | 43 | City (the Chinese mainland) |
| 4 | Name (Traditional Chinese) | 12 | Name (English) | 20 | ID card number (Malaysia) | 28 | ID card number (Singapore) | 36 | International Bank Account Number (SWIFT code) | 44 | U.S. Social Security Number (SSN) |
| 5 | Landline number (United States) | 13 | Religious belief | 21 | MAC address | 29 | JDBC connection string | 37 | PEM certificate | 45 | AccessKeySecret |
| 6 | IMEI | 14 | MEID | 22 | Linux passwd file | 30 | Linux shadow file | 38 | Business license number | 46 | Tax registration certificate number |
| 7 | Organization code | 15 | Unified Social Credit Code | 23 | Vehicle Identification Number (VIN) | 31 | Alibaba Cloud AccessKey pair | 39 | Password | 47 | LegacyOpenaiApiKey |
| 8 | ProjectOpenaiApiKey | 16 | BailianApiKey | 24 | HuggingFaceApiKey | 32 | GroqApiKey | 40 | PaiEasToken | 48 | — |
Permissions for data access and export
The following table lists the RAM actions that control sensitive data access and export in Agentic NDR. Include these actions in your deny policies to block the corresponding operations.
| Action | Description |
|---|---|
| yundun-cloudfirewall:DescribeDecryptData | Decrypts sensitive data. |
| yundun-cloudfirewall:DescribeAssetRiskDataPublicLogPayload | Views the packet payload that transmits sensitive data. |
| yundun-cloudfirewall:CreateExportTask | Exports data. |
Prerequisites
Before you begin, make sure you have:
A RAM user to apply the policies to. For instructions, see Create a RAM user.
Management account permissions to use RAM, create RAM users, and manage RAM policies
Create and apply deny policies
Deny policies take precedence over allow policies. Attach the deny policies alongside a system policy (read-only or full access) so the user retains baseline access to Agentic NDR while the restricted actions are blocked.
Create custom policies
In the RAM console, go to Permissions > Policies, click Create Policy, and select the JSON tab.

On the JSON tab, enter the following policy document, then click Next to edit basic information.

```json
{
  "Version": "1",
  "Statement": [
    {
      "Action": "yundun-cloudfirewall:DescribeDecryptData",
      "Resource": "*",
      "Effect": "Deny"
    },
    {
      "Action": "yundun-cloudfirewall:DescribeAssetRiskDataPublicLogPayload",
      "Resource": "*",
      "Effect": "Deny"
    }
  ]
}
```

In the Create Policy dialog box, set the policy name to `Deny Query Sensitive Data` and click OK.

On the Policies page, click Create Policy. On the JSON tab, enter the following policy document, then click Next to edit basic information.

```json
{
  "Version": "1",
  "Statement": [
    {
      "Action": "yundun-cloudfirewall:CreateExportTask",
      "Resource": "*",
      "Effect": "Deny"
    }
  ]
}
```

In the Create Policy dialog box, set Name to `Deny Export Data`, set Description to `Prevents authorized users from exporting data`, and click OK.
Attach the policies to a RAM user
In the RAM console, go to Identities > Users. Find the target user and click Add Permissions in the Actions column.
Select the two custom policies you created and at least one system policy for Agentic NDR.
| Policy name | Description |
|---|---|
| AliyunYundunCloudFirewallReadOnlyAccess | Grants read-only access to Cloud Firewall. |
| AliyunYundunCloudFirewallFullAccess | Grants full management access to Cloud Firewall. |
| Deny Query Sensitive Data | Prevents a RAM user from viewing sensitive data. |
| Deny Export Data | Prevents a RAM user from exporting data. |
Click OK.
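An offline pre-check for the set of policy documents attached to the user, added here as an example and not part of Alibaba Cloud's documentation or tooling: it reports which of the three actions listed earlier are not blocked by an unconditional deny. The function names, the allow-all stand-in for a system policy, and the conditional deny are constructed for illustration, and the matcher is simplified (it reads `Effect`, `Action`, `Resource` and `Condition` only).

```python
import json
from fnmatch import fnmatchcase

# Actions the page lists as controlling sensitive data access and export.
SENSITIVE_ACTIONS = (
    "yundun-cloudfirewall:DescribeDecryptData",
    "yundun-cloudfirewall:DescribeAssetRiskDataPublicLogPayload",
    "yundun-cloudfirewall:CreateExportTask",
)

# The two policy documents from this page.
DENY_QUERY = json.dumps({"Version": "1", "Statement": [
    {"Action": "yundun-cloudfirewall:DescribeDecryptData", "Resource": "*", "Effect": "Deny"},
    {"Action": "yundun-cloudfirewall:DescribeAssetRiskDataPublicLogPayload", "Resource": "*", "Effect": "Deny"},
]})
DENY_EXPORT = json.dumps({"Version": "1", "Statement": [
    {"Action": "yundun-cloudfirewall:CreateExportTask", "Resource": "*", "Effect": "Deny"},
]})
# Constructed samples: a broad allow standing in for a system policy, and an
# export deny that only applies to requests from one source range.
ALLOW_ALL = json.dumps({"Version": "1", "Statement": [
    {"Action": "yundun-cloudfirewall:*", "Resource": "*", "Effect": "Allow"},
]})
DENY_EXPORT_CONDITIONAL = json.dumps({"Version": "1", "Statement": [
    {"Action": "yundun-cloudfirewall:CreateExportTask", "Resource": "*", "Effect": "Deny",
     "Condition": {"IpAddress": {"acs:SourceIp": ["203.0.113.0/24"]}}},
]})

def as_list(value):
    return value if isinstance(value, list) else [value]

def unconditional_denies(policy):
    """Yield action patterns from Deny statements that cover every resource and
    carry no Condition; a scoped or conditional deny does not block every request."""
    for stmt in as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Deny" or "Condition" in stmt:
            continue
        if "*" not in as_list(stmt.get("Resource", [])):
            continue
        yield from as_list(stmt.get("Action", []))

def uncovered_actions(policy_documents):
    """Return the sensitive actions that no attached policy denies outright."""
    patterns = [p for doc in policy_documents
                for p in unconditional_denies(json.loads(doc))]
    return [a for a in SENSITIVE_ACTIONS
            if not any(fnmatchcase(a, p) for p in patterns)]

if __name__ == "__main__":
    print(uncovered_actions([DENY_QUERY, DENY_EXPORT, ALLOW_ALL]))
    print(uncovered_actions([DENY_QUERY, DENY_EXPORT_CONDITIONAL, ALLOW_ALL]))
```

An empty result means all three actions are denied regardless of what the allow policies grant; any action returned still needs a deny statement before the console verification that follows.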
Verify the policies
Sign in to the Agentic NDR console as the RAM user.
In the left-side navigation pane, click Risks.
Click the Logon Activity tab. On the Privileged Account, Weak Password, Plaintext Password, and Leaked AKSK tabs, confirm the following:
Click Sensitive Information. The operation is denied and a notification appears.
Click the export icon. The operation is denied and a notification appears.
Click Details in the Actions column. In the Details panel, click View Payload or the export icon. Both attempts fail and a notification appears.

Click the Sensitive Data tab and confirm the following:
Click the export icon. The operation is denied and a notification appears.
Click Details in the Actions column. In the Details panel:
Click a number in the Sensitive Information Items column or click View Payload. The attempt fails and a notification appears.
Click the export icon. The attempt fails and a notification appears.