Web Application Firewall: SecOps Agent

Last Updated: May 27, 2026

SecOps Agent uses large language models to analyze business traffic and attack data in depth, and automatically recommends precise protection rule tuning solutions. With flexible strategies such as one-click application and manual adjustment, it helps you run efficient, visualized, closed-loop security operations while keeping your business running smoothly.

Benefits

  • Intelligent tuning for precise protection:
    Based on the analytical capabilities of large language models, SecOps Agent deeply analyzes your actual business traffic and attack data, and automatically recommends protection rule tuning solutions and configuration optimization suggestions for more precise and efficient web application security protection.

  • Flexible application for all scenarios:
    Supports adding and updating protection templates, and provides two modes: one-click automatic application and manual application, flexibly adapting to different business scenarios such as routine environment O&M and fine-grained control in production environments.

  • Transparent visibility for easy management:
    Provides clear optimization suggestions, reason analysis, and comparisons of rules before and after updates. Supports manual adjustment of rule status and actions, and allows you to trace historical application records, ensuring controllability and auditability of protection policy adjustments.

Limitations

  • Feature limitations: Security Operations Agent is currently in public preview and only supports intelligent tuning for System Protection Rules and Adaptive Protection Rules under the Core Protection Rule module. It does not support the Bot Management and Custom Rule modules.

  • Version requirements:

    • The subscription-based Basic edition does not support this feature.

    • Security Operations Agent is only applicable to WAF instances that use the new Web core protection rules module. You can determine this by checking the style of Core Protection Rule on the Protection Config > Core Web Protection page in the WAF console.

      (Screenshots: the new version and the old version of the Core Protection Rule section.)

Enable Security Operations Agent

  1. Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and region of the WAF instance (Chinese Mainland or Outside Chinese Mainland).

  2. In the left-side navigation pane, click Security Operations Agent.

  3. Click Request Public Preview and follow the on-screen instructions to complete the activation.

View and apply the protection rules recommended by Security Operations Agent

After the feature is enabled, the Security Operations Agent page displays the recommended rules. If no data is displayed, click the Refresh button in the upper-right corner.

Note

Recommended rules are updated every hour. If you do not apply the recommended rules in time, the data will be overwritten during the next update and cannot be retained.

View recommended rule details

Security Operations Agent supports intelligent tuning for System Protection Rules under the Core Protection Rule module, and automatically generates Adaptive Protection Rules that System Protection Rules cannot cover.

The generated Adaptive Protection Rule suggestions are uniformly labeled as "Adaptive Protection Rule Optimization" on the page. All other recommended rules are tuning suggestions for System Protection Rules.

Locate the target recommended rule and click View Details to view the rule details on the page that appears.

  • Rule overview: The top of the page displays the rule summary, AI recommendation reasons, the target protection template name, and the rule generation time, and indicates the type of change to the protection template after the rule is applied (add or update).

  • Update Summary: Displays the number of rules that AI plans to add or update. Click View Update Comparison to view the details of specific protection rules, including the rule ID, name, and content comparison before and after the update.

  • Risk Analysis: Displays the risk analysis information generated by AI based on the current rule configuration.

  • Top 3 IP Details: Displays the details of the top 3 IP addresses associated with this rule.

Apply recommended rules

For the recommended rules generated by Security Operations Agent, the following two application methods are supported:

  1. Automatically apply rules recommended every hour

    • Applicable scenario: Routine environments and most common scenarios.

    • Procedure: Turn on the Auto-Deploy switch in the upper-right corner of the Security Operations Agent page. The system will automatically apply the recommended rules generated every hour.

  2. Manually apply a single rule

    • Applicable scenario: Scenarios in production environments that require fine-grained control over highly sensitive businesses.

    • Procedure: Locate the target recommended rule, click Apply Policy, view the comparison details of the rule before and after the update on the page that appears, and manually adjust the rule status and actions based on your actual needs. After confirming the information, click OK to complete the application.

After a rule is applied, you can view and verify the effect in the following two ways:

  1. View delivery records
    Click Deployment Records in the upper-right corner of the Security Operations Agent page to view the historical details of manually and automatically applied rules.

  2. View updated rules
    Go to Protection Config > Core Web Protection. In the Core Protection Rule section, click the icon on the left side of the target protection template, and select Configure Engine to view the specific content of the updated rules.

FAQ

After the Auto-Deploy switch is turned on, will a large number of rules that mistakenly block normal business traffic be generated?

Generally not. The core mechanism of Security Operations Agent is rule tuning, rather than simply adding rules. The system deeply analyzes the historical traffic characteristics of your business based on large language models, and proactively checks and evaluates the effectiveness of existing protection rules. The agent optimizes and updates existing rules or adds new rules only after confirming that the rules can precisely defend against potential attacks without interfering with normal business traffic.

What is the difference between System Protection Rules and Adaptive Protection Rules in the Core Protection Rule module?

  • System Protection Rules: Preset default rules provided by the system with initial action and status configurations.

  • Adaptive Protection Rules: No rules are included by default. After Security Operations Agent is enabled, the system automatically generates rules based on historical business traffic characteristics to cover the gaps that System Protection Rules cannot address.

Both System Protection Rules and Adaptive Protection Rules support manual modification. You can go to the Protection Config > Core Web Protection > Core Protection Rule section to customize the actions and status of the rules.

Note
  • The specific rule content of System Protection Rules and Adaptive Protection Rules cannot be viewed or customized, and rules cannot be deleted.

  • If no traffic from any protected object hits an Adaptive Protection Rule within 7 days, Security Operations Agent will generate a suggestion to delete that rule.

Why does an error occur when an Advanced edition WAF instance with Auto-Deploy configured receives a recommendation to enable Intelligent Whitelist Engine?

After a subscription-based Advanced edition WAF instance enables the Auto-Deploy feature of Security Operations Agent, the system may push a recommended configuration to enable "Core Protection Rule - Intelligent Whitelist Engine". Because the Advanced edition WAF instance does not support this feature, automatically applying this recommended configuration causes a delivery failure and triggers an error.

Solution

  1. Upgrade the WAF edition: Upgrade your WAF instance to a higher edition that supports the "Intelligent Whitelist Engine" feature to be compatible with this recommended configuration.

  2. Manually adjust the delivery policy (no upgrade required): If you do not want to upgrade the WAF edition, perform the following operations:

    1. Turn off the Auto-Deploy feature of Security Operations Agent.

    2. Wait about one hour for the system to push recommended rules again.

    3. In the recommended configuration list, manually select and deliver the rules other than "Enable Intelligent Whitelist Engine".