Cloud Firewall: Threat analysis

Last Updated: Mar 31, 2026

When your network traffic triggers an alert, Agentic NDR gives you the tools to triage it, understand the attack context, and suppress false positives—without switching between multiple consoles. This topic describes how to use alert analysis, the ATT&CK matrix, and alert whitelists in Agentic NDR.

How it works

Agentic NDR uses four detection engines—intrusion detection, threat intelligence, behavior analysis, and sandboxed containers—to perform full-traffic attack detection. The system aggregates and correlates alert data to surface meaningful threat signals, and analyzes suspicious files found in network traffic to generate file-based alerts with sample data for investigation.

Alert analysis

The Alert Analysis tab is the primary triage workspace. It shows the number of compromised assets, the total number of alerts, and for each alert, its discovery time and the access relationship between the attacker and the victim.

To open alert analysis:

  1. Log on to the Agentic NDR console.

  2. In the left navigation pane, choose Detection and Response > Threat Analysis.

  3. Click the Alert Analysis tab.

Filter and group alerts

Use filter conditions to scope the alert list. Group and aggregate statistics by Alert Name, Attacker IP, or Victim IP Address.

Attacker IP and Victim IP Address have a cascading relationship: selecting a specific attacker IP filters the victim IP list, and vice versa. When you select either field, the alert list below updates in real time. Click a Victim IP Address to view its asset details in a dialog box.


Alert details

Each alert opens a details page with five modules: basic information, detailed alert logs, related messages, associated alerts, and ATT&CK technique details. Together, these modules give you a full picture of the alert event so you can assess and respond quickly.

AI-powered alert explanation

When you open an alert details page, the Security AI Assistant automatically generates an explanation covering the following:

The explanation has the following sections:

  • Alert summary: Attacker, victim, alert name, and detection engine; summarizes the attack intent.

  • Payload content analysis: Detected payload content, the attack method, and potential threats.

  • Attack result analysis: Attack outcome reported by the engine. If the engine marks the result as an attempt, the large language model (LLM) determines the result from the request and response messages.

  • Threat intelligence: Queries the attacker IP, plus domain names and IP addresses found in the payload, against threat intelligence data, then explains the threat intelligence information.

  • Associated alert analysis: Related alerts for the attacker and victim within the past 48 hours, analyzed for attack intent and attack stage.

  • Attacker IP threat analysis: Alerts from the attacker IP in the past 24 hours; assesses the threat posture based on attack distribution, timing, outcomes, and victim assets.

  • Defense recommendations: Actionable recommendations covering log investigation, application inspection, and access control.

Basic information

The Basic Information section shows Attack Time, Alert Count, Alert Time, and Alert Name. If the alert is linked to a known vulnerability, click View CVE Information to open the Alibaba Cloud vulnerability database, where you can find disclosure details, impact scope, analysis, and upgrade solutions.

Related alerts

The Related Alerts section lists the raw alert data.

  • Payload inspection: In the Raw Data column, click payload to open the payload viewer. The portion that triggered the alert rule is highlighted. Click Decoding Tools (upper right) to decode the payload in formats such as ASCII, UTF-8, or hexadecimal.

  • AI analysis: In the AI Analysis column, click the icon to have the Security AI Assistant generate an explanation for that specific alert log. This improves readability and speeds up response.

  • Packet retrieval: In the Actions column, click Packet Query to open the Packet Retention page. Retrieve raw messages using the 5-Tuple Information, or download the PCAP file for offline analysis.
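The Decoding Tools step matters because a payload that looks harmless in its raw form can carry several layers of encoding. The following Python is an added example, not the product's decoder: it peels URL, base64 and hex encodings off a value in turn and reports in which layer a detection pattern fires, which is what the payload viewer highlights. The sample payload and the rule pattern are constructed for this example.

```python
import base64
import binascii
import re
import urllib.parse


def _try_url(s):
    out = urllib.parse.unquote(s)
    return out if out != s else None


def _try_hex(s):
    t = s[2:] if s[:2].lower() == "0x" else s
    if len(t) < 4 or len(t) % 2 or not re.fullmatch(r"[0-9a-fA-F]+", t):
        return None
    try:
        return bytes.fromhex(t).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None


def _try_base64(s):
    if len(s) < 8 or len(s) % 4 or not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", s):
        return None
    try:
        return base64.b64decode(s, validate=True).decode("utf-8")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None


# Order matters: hex is tried before base64 because every even-length hex string
# is also syntactically valid base64, while the reverse is rarely true.
DECODERS = [("url", _try_url), ("hex", _try_hex), ("base64", _try_base64)]


def decode_layers(value, max_depth=8):
    """Peel encodings off `value` until no decoder applies.

    Returns [(encoding, text), ...] starting with ("raw", value); each later
    entry is the result of applying the named decoder to the previous text.
    max_depth bounds the loop so a pathological input cannot spin forever.
    """
    layers = [("raw", value)]
    for _ in range(max_depth):
        current = layers[-1][1]
        for name, fn in DECODERS:
            decoded = fn(current)
            if decoded is not None and decoded != current:
                layers.append((name, decoded))
                break
        else:
            break
    return layers


def find_rule_match(layers, pattern):
    """Return (layer_index, encoding, matched_text) for the first layer in which
    the detection pattern matches, or None. The matched text is the portion a
    payload viewer would highlight as having triggered the rule."""
    rx = re.compile(pattern)
    for idx, (encoding, text) in enumerate(layers):
        m = rx.search(text)
        if m:
            return idx, encoding, m.group(0)
    return None


# Constructed sample: a request parameter value carrying hex inside base64 inside
# URL encoding. Invented for this example, not taken from any real alert.
_inner = "cat /etc/passwd;"
SAMPLE_PAYLOAD = urllib.parse.quote(
    base64.b64encode(_inner.encode().hex().encode()).decode(), safe="")

if __name__ == "__main__":
    layers = decode_layers(SAMPLE_PAYLOAD)
    for encoding, text in layers:
        print(f"{encoding:>7}: {text}")
    print(find_rule_match(layers, r"/etc/(passwd|shadow)"))
```

A pattern that matches only in the third decoded layer is a reminder that a signature written against raw request text misses this payload entirely; when triaging, check which layer the engine matched on, not only the raw column.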


Related protocol logs

The Related Protocol Log section shows a log overview. Click Log Details to open the protocol log analysis page for deeper investigation.

Related messages

The Related Packet section lets you retrieve raw network messages linked to the alert. Click Packet Query Details or Generate PCAP to go to the Tracing Analysis page, filtered by the source and destination IP address tuple. From there, download the PCAP file for further analysis.
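Both the Packet Query action above and the Generate PCAP step here end with a PCAP file for offline analysis. The following Python is an added example, not code from the product: a minimal pure-standard-library libpcap reader that filters a downloaded capture down to the packets matching one 5-tuple in both directions, which is the first thing to do with a capture pulled for a single alert. The capture is constructed in memory with invented addresses and payloads; the reader handles only Ethernet-framed IPv4 TCP/UDP in the classic libpcap format, not pcapng or VLAN-tagged frames.

```python
import socket
import struct

PCAP_MAGIC = 0xA1B2C3D4
TCP, UDP = 6, 17


def _ipv4_packet(src_ip, sport, dst_ip, dport, proto, payload):
    """Build an Ethernet + IPv4 + TCP/UDP frame. Checksums are left zero: the
    parser below never verifies them, which keeps the constructed capture short."""
    if proto == TCP:
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    else:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    total = 20 + len(l4) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 1, 0, 64, proto, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    eth = b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00"
    return eth + ip + l4 + payload


def build_pcap(records):
    """records: iterable of (ts_sec, ts_usec, frame_bytes) -> libpcap file bytes."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)]
    for ts_sec, ts_usec, pkt in records:
        out.append(struct.pack("<IIII", ts_sec, ts_usec, len(pkt), len(pkt)) + pkt)
    return b"".join(out)


def _decode_frame(frame):
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None  # not IPv4 over plain Ethernet; IPv6 and VLAN are out of scope
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    proto = ip[9]
    if proto not in (TCP, UDP):
        return None
    total_len = struct.unpack("!H", ip[2:4])[0]
    l4 = ip[ihl:total_len]
    if len(l4) < (20 if proto == TCP else 8):
        return None
    sport, dport = struct.unpack("!HH", l4[:4])
    hdr = (l4[12] >> 4) * 4 if proto == TCP else 8
    return {"src": socket.inet_ntoa(ip[12:16]), "sport": sport,
            "dst": socket.inet_ntoa(ip[16:20]), "dport": dport,
            "proto": proto, "payload": l4[hdr:]}


def parse_pcap(data):
    """Return a list of flow dicts (ts, 5-tuple, payload) for every TCP/UDP packet."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC:
        end = "<"
    elif magic == 0xD4C3B2A1:
        end = ">"
    else:
        raise ValueError("not a libpcap file (pcapng is not handled here)")
    if struct.unpack(end + "IHHiIII", data[:24])[6] != 1:
        raise ValueError("only Ethernet (LINKTYPE_ETHERNET) captures are handled")
    packets, off = [], 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl, _orig = struct.unpack(end + "IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl]
        off += 16 + incl
        flow = _decode_frame(frame)
        if flow:
            flow["ts"] = ts_sec + ts_usec / 1e6
            packets.append(flow)
    return packets


def filter_five_tuple(packets, src, sport, dst, dport, proto, both_directions=True):
    """Keep packets matching the 5-tuple; by default the reply direction too,
    so the request and the response that shows the attack outcome stay together."""
    fwd, rev = (src, sport, dst, dport), (dst, dport, src, sport)
    return [p for p in packets
            if p["proto"] == proto
            and ((p["src"], p["sport"], p["dst"], p["dport"]) == fwd
                 or (both_directions and (p["src"], p["sport"], p["dst"], p["dport"]) == rev))]


# Constructed capture (invented hosts): one HTTP request/response pair plus an
# unrelated DNS query that a 5-tuple filter must drop.
SAMPLE_PCAP = build_pcap([
    (1700000000, 0, _ipv4_packet("10.0.0.5", 51234, "192.168.1.10", 80, TCP,
                                 b"GET /admin?cmd=id HTTP/1.1\r\nHost: 192.168.1.10\r\n\r\n")),
    (1700000000, 2500, _ipv4_packet("192.168.1.10", 80, "10.0.0.5", 51234, TCP,
                                    b"HTTP/1.1 200 OK\r\nContent-Length: 4\r\n\r\nuid=")),
    (1700000001, 0, _ipv4_packet("10.0.0.5", 40000, "10.0.0.53", 53, UDP, b"\x12\x34\x01\x00")),
])


def example():
    return filter_five_tuple(parse_pcap(SAMPLE_PCAP), "10.0.0.5", 51234, "192.168.1.10", 80, TCP)


if __name__ == "__main__":
    for p in example():
        print(p["src"], p["sport"], "->", p["dst"], p["dport"], p["payload"][:20])
```

Keeping both directions is the point: the request alone tells you what was attempted, while the response body is what decides whether the attempt succeeded, which is the same distinction the Attack result analysis section draws.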

Associated alert timeline

The Associated Alert Timeline section shows all alerts triggered by the same attacker IP and victim IP before and after the current alert. Use the timeline to understand the temporal sequence of events and reconstruct the attacker's behavior pattern. Click an alert name on any related alert card to open that alert's details in a new page.
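The timeline above, and the Associated alert analysis and Attacker IP threat analysis sections of the AI explanation, are all windowed correlations over the same alert records. The following Python is an added example, not the product's logic: it builds the 48-hour timeline for one attacker/victim pair around a current alert, judges how far along a coarse tactic order the pair has progressed, and summarizes one attacker's 24-hour posture across victims. The alert records, the IP addresses and the simplified tactic order are all constructed for this example.

```python
from datetime import datetime, timedelta

# Coarse tactic order used to judge progression. A deliberate simplification of
# the ATT&CK tactic sequence for this example; real alerts carry technique IDs.
TACTIC_ORDER = ["reconnaissance", "initial-access", "execution", "persistence",
                "command-and-control", "exfiltration"]

# Constructed alert records (invented data, not output from the console).
ALERTS = [
    {"id": "a1", "time": "2026-03-30T09:58:00", "attacker": "203.0.113.7", "victim": "10.0.0.21",
     "name": "Web directory scan", "tactic": "reconnaissance"},
    {"id": "a2", "time": "2026-03-30T10:01:30", "attacker": "203.0.113.7", "victim": "10.0.0.21",
     "name": "Command injection attempt", "tactic": "initial-access"},
    {"id": "a3", "time": "2026-03-30T10:02:10", "attacker": "203.0.113.7", "victim": "10.0.0.21",
     "name": "Reverse shell download", "tactic": "execution"},
    {"id": "a4", "time": "2026-03-30T10:40:00", "attacker": "203.0.113.7", "victim": "10.0.0.21",
     "name": "Outbound beacon", "tactic": "command-and-control"},
    {"id": "a5", "time": "2026-03-30T10:05:00", "attacker": "203.0.113.7", "victim": "10.0.0.22",
     "name": "Web directory scan", "tactic": "reconnaissance"},
    {"id": "a6", "time": "2026-03-27T08:00:00", "attacker": "203.0.113.7", "victim": "10.0.0.21",
     "name": "SSH brute force", "tactic": "initial-access"},
    {"id": "a7", "time": "2026-03-30T10:03:00", "attacker": "198.51.100.9", "victim": "10.0.0.21",
     "name": "SQL injection attempt", "tactic": "initial-access"},
]


def _t(s):
    return datetime.fromisoformat(s)


def associated_timeline(alerts, current_id, window_hours=48):
    """Alerts for the same attacker/victim pair within +/- window_hours of the
    current alert, in time order, each tagged before/current/after."""
    cur = next(a for a in alerts if a["id"] == current_id)
    ct, span = _t(cur["time"]), timedelta(hours=window_hours)
    related = sorted(
        (a for a in alerts
         if a["attacker"] == cur["attacker"] and a["victim"] == cur["victim"]
         and abs(_t(a["time"]) - ct) <= span),
        key=lambda a: _t(a["time"]))
    out = []
    for a in related:
        pos = "current" if a["id"] == current_id else ("before" if _t(a["time"]) < ct else "after")
        out.append((a["id"], pos, a["tactic"], a["name"]))
    return out


def attack_stage(timeline):
    """Furthest tactic reached, and whether tactics only ever moved forward in
    time: the pattern of a progressing intrusion rather than repeated scanning."""
    ranks = [TACTIC_ORDER.index(tactic) for _, _, tactic, _ in timeline]
    furthest = TACTIC_ORDER[max(ranks)]
    progressing = all(later >= earlier for earlier, later in zip(ranks, ranks[1:]))
    return furthest, progressing


def attacker_posture(alerts, attacker, ref_time, hours=24):
    """Per-victim alert counts and furthest stage for one attacker over a trailing window."""
    end = _t(ref_time)
    start = end - timedelta(hours=hours)
    hits = [a for a in alerts if a["attacker"] == attacker and start <= _t(a["time"]) <= end]
    victims = {}
    for a in hits:
        victims[a["victim"]] = victims.get(a["victim"], 0) + 1
    furthest = TACTIC_ORDER[max(TACTIC_ORDER.index(a["tactic"]) for a in hits)] if hits else None
    return {"alerts": len(hits), "victims": victims, "furthest_stage": furthest}


if __name__ == "__main__":
    tl = associated_timeline(ALERTS, "a2")
    for row in tl:
        print(row)
    print(attack_stage(tl))
    print(attacker_posture(ALERTS, "203.0.113.7", "2026-03-30T11:00:00"))
```

Two things the timeline makes visible that a single alert does not: the brute-force alert from three days earlier falls outside the window and is not part of this sequence, and the alerts after the current one (download, then beacon) are what turn an "attempt" into a likely compromise.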

ATT&CK technique information

The ATT&CK Technique Information section provides a detailed breakdown of the attack technique associated with this alert.

ATT&CK matrix

The ATT&CK Matrix tab gives you a technique-level view of all active alerts, organized by the MITRE ATT&CK framework.

Techniques with active alerts are highlighted and sorted to the top by default. Click the count next to any technique to view a summary in the ATT&CK Technique Information tooltip. To drill into the specific alerts, click the Click to view specific alert link. This takes you to the Alert Analysis tab with the relevant alerts pre-filtered.


Configure an alert whitelist

Use the alert whitelist to mark specific alert types as safe or as already handled. This prevents the same alert from requiring repeated review and helps you focus on genuinely new threats. Scope each rule as narrowly as the filter conditions allow: a whitelisted alert type is no longer surfaced for review, so an over-broad rule can hide a real attack that reuses the same signature.

The IP addresses of related Security Center scanners are exempted by default and do not generate alerts.

Important

During the trial period, alert logs are retained for a maximum of 90 days. Logs older than 90 days are overwritten, starting with the oldest.

To create a whitelist rule:

  1. Log on to the Agentic NDR console.

  2. In the left navigation pane, choose Detection and Response > Threat Analysis.

  3. Click the Alert Whitelist tab, then click Create Rule.

  4. In the Alert Rule Filter panel, configure the rule conditions.

  5. Click OK.