AI-powered alert analysis and handling


When dealing with a high volume of security alerts, distinguishing real threats from noise is challenging. Security Center uses AI models to perform in-depth alert analysis—providing explanations, attack tracing, and remediation suggestions—to help identify real threats quickly and prioritize response.

Prerequisites

  • A subscription to any edition of Security Center (Anti-virus Edition, Advanced Edition, Enterprise Edition, or Ultimate Edition), or activated pay-as-you-go billing for Host and Container Security. For purchase steps, see Purchase Security Center.

  • AI-powered alert analysis is included with all eligible subscription editions at no extra cost beyond the subscription fee.

  • The alert type is supported by AI-powered alert analysis. For the full list, see Appendix: Supported alert types.

Feature overview

Security Center provides two AI-powered alert management features:

| Feature | Availability | Edition requirement | Operation mode |
| --- | --- | --- | --- |
| AI-powered alert analysis | All regions | All eligible editions | Manual review with AI assistance |
| AI-automated alert handling (Noise reduction) | China regions only | Enterprise or Ultimate edition | Automated handling without manual review |

AI-powered alert analysis overview

View AI analysis results

  1. Log on to the Security Center console.

  2. In the left-side navigation pane, choose Detection and Response > Alert. In the upper-left corner of the console, select the region where your assets are located: Chinese Mainland or Outside Chinese Mainland.

    Note

    If the Agentic SOC service (an advanced AI-powered security operations feature) is purchased, the left-side navigation pane entry changes to Agentic SOC > Manage > Alert.

  3. On the Alert page, click the CWPP tab. For a specific alert, click the AI icon in the AI Analysis column, or click Details in the Actions column to view its details and AI analysis results.

    Note

    If no AI icon appears in the AI Analysis column, or if the AI Security Assistant section shows no results, AI-powered analysis is not available for this alert type. In this case, review the alert details manually and handle the alert using the standard workflow.

  4. In the AI Security Assistant section, view the alert explanation and remediation suggestions. The following example shows the analysis results for a web exploitation alert.

    Confirm that the AI Security Assistant section displays the alert explanation, analysis suggestions, and attack tracing information. If the section is empty or missing, AI-powered analysis is not available for this alert type—handle the alert manually using the standard workflow.

    Important

    Available details vary by alert type. Some information, such as remediation suggestions or host-level alert correlations, may not appear for certain alerts. This is expected.

    Alert explanation

    The left side of the AI Security Assistant panel displays alert details (including the vulnerability type, CVE ID, source IP, and process information). The center shows an attack tracing graph that visualizes the attack path using nodes and connections. The right side, in the AI alert analysis area, shows the alert explanation, including a description of the attack technique, vulnerability information (such as CVE IDs), and details about the attack source and time.

    Analysis conclusion and remediation suggestions

    This area displays the AI analysis conclusion (such as confirming the event as a real attack and explaining the attack method), along with a numbered list of remediation suggestions. Suggestions may include immediately isolating the affected server, reviewing logs, patching vulnerabilities, checking security tools, and conducting in-depth investigation.

    View the alert tracing report

    The alert tracing report includes a root cause analysis (summarizing the attack entry point, exploitation technique, and scope of impact) and a timeline-based alert chain analysis (showing security alert events in chronological order, such as the detection of malicious scripts, abnormal command execution, web exploitation, suspicious command execution, and backdoor processes). The report also includes a summary and remediation suggestions.

    View suspicious behaviors on the alert host in the last 60 days

    This area displays a summary of suspicious behaviors detected on the alert host in the last 60 days, including the count of abnormal behaviors, threat intelligence information for external IP addresses and domains, and a time-sorted table of suspicious activities (with columns for external target, type, threat tags, and access time). Quick-access links at the bottom allow you to query relationships and view other related security alerts.

  5. Handle the alert based on the alert details and AI analysis report (explanation, tracing, and remediation suggestions):

    • Determine whether the alert is a real attack or a false positive.

    • For a real attack, click Alert Handling and follow the on-screen instructions to resolve the alert.

      Note

      For more information, see Assess and handle security alerts.

AI-automated alert handling (AI-Powered Alert Triage)

The same prerequisites as described in the Prerequisites section apply. Additionally, an Enterprise or Ultimate edition is required for this feature.

AI-automated alert handling extends AI analysis with automated noise reduction and alert processing. Unlike the manual AI-powered analysis described above, it can automatically handle alerts without requiring manual review.

Note

AI-automated alert handling is available only in China regions. For international regions, use the AI-powered alert analysis feature described above.

AI-powered alert noise reduction helps you handle alerts more efficiently. Key capabilities:

  • Intelligent filtering and noise reduction: Filters out false positives and low-risk noise, helping you focus on high-risk events.

  • AI Alert Noise Reduction: Filters low-risk noise and false positives based on AI analysis, enabling batch response actions.

Procedure

  1. Enable AI-Powered Alert Triage

    Go to the Alert page and select the CWPP tab. In the upper-right corner of the alert list, turn on the AI-Powered Alert Triage switch.

  2. View AI analysis results

    After you enable this feature, the system automatically analyzes new alerts in depth daily. In the AI Analysis column of the alert list, you can view the verdict for each alert:

    • Confirmed Attack: A high-confidence confirmation of a real threat. We recommend handling these alerts with high priority.

    • Likely False Positive: Indicates that the alert is likely a false positive. You can handle these alerts with a lower priority.

    • Insufficient Information (Unknown): AI cannot determine a verdict for the alert, typically due to a lack of information.


  3. Perform an AI-powered automated response

    1. Go to the AI-Powered Remediation page

      In the security alert list, set the AI Analysis Result filter to All or another value as needed. Select the alerts that you want AI to automatically handle, and then click AI Auto-remediate at the bottom of the list.

      Note

      You can also hover over the AI-Powered Alert Triage switch and click Handle Now in the pop-up.

    2. Evaluate and confirm the response plan

      1. On the AI-Powered Remediation page, you can review the entities (such as malicious files, abnormal processes, and risky IP addresses) to be handled and the recommended response plan.

      2. Carefully review the response plan. Once you confirm the plan is appropriate, click Confirm.


  4. View the response results

    1. After the response is complete, return to the security alert list and set the Handled or Not filter to Handled.

    2. Alerts automatically handled by AI have the status AI Response.

Quotas and limitations

  • Scope: This feature analyzes and handles only new alerts generated after you enable it. Historical alerts are not processed.

  • Daily analysis limit:

    • AI can analyze a maximum of 20 alerts per host, per day.

    • If multiple alerts are triggered for analysis at the same time, the system processes them in chronological order.

  • Automated response scope:

    The automated AI response feature applies only to alerts that meet both of the following conditions:

    • The AI verdict for the alert is Confirmed Attack.

    • The alert contains a clearly actionable entity (such as a file, process, or IP address).
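As an added illustration (not Security Center's own code), the following Python sketch models the scope and quota rules listed above: alerts created before the feature was enabled are skipped, at most 20 alerts per host per day are analyzed in chronological order, and only alerts with a Confirmed Attack verdict and a clearly actionable file, process, or IP entity are queued for automated response. The Alert dataclass, the entity-kind names, and the sample alerts are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime

# Constants taken from the page's "Quotas and limitations" section.
DAILY_LIMIT_PER_HOST = 20
ACTIONABLE_ENTITY_KINDS = {"file", "process", "ip"}  # assumed keys for "clearly actionable entity"

@dataclass
class Alert:  # hypothetical alert record, not a Security Center API object
    alert_id: str
    host: str
    created: datetime
    verdict: str  # "Confirmed Attack", "Likely False Positive" or "Insufficient Information"
    entities: dict = field(default_factory=dict)  # e.g. {"file": "/tmp/x.sh"}

def select_for_daily_analysis(alerts, enabled_at):
    """Alerts the AI would analyze: created after enablement, taken in chronological order, capped per host per day."""
    counts = {}
    chosen = []
    for a in sorted(alerts, key=lambda x: x.created):
        if a.created < enabled_at:  # historical alerts are not processed
            continue
        key = (a.host, a.created.date())
        if counts.get(key, 0) >= DAILY_LIMIT_PER_HOST:
            continue  # this host has reached its daily cap; the alert stays unanalyzed
        counts[key] = counts.get(key, 0) + 1
        chosen.append(a)
    return chosen

def eligible_for_auto_remediation(alert):
    """Both conditions of 'Automated response scope' must hold."""
    has_entity = any(alert.entities.get(k) for k in ACTIONABLE_ENTITY_KINDS)
    return alert.verdict == "Confirmed Attack" and has_entity

def triage(alerts, enabled_at):
    analyzed = select_for_daily_analysis(alerts, enabled_at)
    auto = [a.alert_id for a in analyzed if eligible_for_auto_remediation(a)]
    manual = [a.alert_id for a in analyzed if not eligible_for_auto_remediation(a)]
    return {"analyzed": [a.alert_id for a in analyzed], "auto_remediate": auto, "manual_review": manual}

# Constructed sample data: one pre-enablement alert, three mixed alerts on web-01, and 25 confirmed attacks on db-02.
ENABLED_AT = datetime(2024, 6, 1)
SAMPLE_ALERTS = [
    Alert("a-old", "web-01", datetime(2024, 5, 31, 23), "Confirmed Attack", {"file": "/tmp/x.sh"}),
    Alert("a-1", "web-01", datetime(2024, 6, 1, 8), "Confirmed Attack", {"process": "pid 4242"}),
    Alert("a-2", "web-01", datetime(2024, 6, 1, 9), "Likely False Positive", {"ip": "203.0.113.9"}),
    Alert("a-3", "web-01", datetime(2024, 6, 1, 9, 5), "Confirmed Attack", {}),  # no actionable entity
] + [Alert(f"a-bulk-{i}", "db-02", datetime(2024, 6, 1, 10, i), "Confirmed Attack", {"ip": "198.51.100.7"}) for i in range(25)]

if __name__ == "__main__":
    print(triage(SAMPLE_ALERTS, ENABLED_AT))
```

Running the sketch shows that the burst on db-02 is cut off at 20 alerts for the day, while a-3 is analyzed but left for manual review because it carries no actionable entity.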

Troubleshooting

AI analysis results do not appear

  • Cause: The alert type is not supported for AI-powered analysis. See the Appendix: Supported alert types for the full list of supported alert types.

  • Solution: Review the alert details manually and handle the alert using the standard workflow.

AI analysis results are incomplete or missing details

  • Cause: Available details vary by alert type. Some alerts do not collect enough information to generate certain analysis fields, such as remediation suggestions or host-level alert correlations.

  • Solution: This is expected behavior. Use the available analysis fields as reference and supplement with manual investigation as needed.

How to verify the feature is enabled

  • Ensure the Security Center instance meets the edition requirements listed in Prerequisites.

  • Navigate to Detection and Response > Alert and check if the AI icon appears in the AI Analysis column for supported alert types.

Appendix: Supported alert types for AI-powered alert analysis

| Alert type | Supported |
| --- | --- |
| Unusual process | Yes |
| Webshell | Yes |
| Unusual network traffic | Yes |
| Anomalous event | Yes |
| Sensitive file tampering | Yes |
| Malware | Yes |
| Unusual network connection | Yes |
| Proactive defense for containers | Yes |
| Unusual account | Yes |
| Application intrusion event | Yes |
| Risky image blocking | Yes |
| Precision defense | Yes |
| Application whitelist | Yes |
| Persistent backdoor | Yes |
| Web application threat detection | Yes |
| Malicious script | Yes |
| Malicious network behavior | Yes |
| Container cluster anomaly | Yes |
| Exploitation | Yes |
| Trusted anomaly | Yes |
| Image scan | Yes |
| Container escape prevention | Yes |
| Unusual logon | No |
| Cloud product threat detection | No |
| Malicious process (local scan) | No |
| Webshell (local scan) | No |
| Other | No |