SecOps Agent

更新时间:
复制 MD 格式

SecOps Agent uses large language models to analyze business traffic and attack data, and automatically recommends precise protection rule tuning solutions. It supports one-click or manual rule application for efficient, visualized security operations.

Benefits

  • Intelligent tuning for precise protection:
    Analyzes your business traffic and attack data using large language models to automatically recommend protection rule tuning solutions and configuration optimization suggestions for more precise web application security.

  • Flexible application for all scenarios:
    Supports adding and updating protection templates, and provides one-click automatic and manual rule application, adapting to routine O&M and fine-grained production control.

  • Transparent visibility for easy management:
    Shows optimization suggestions, reason analysis, and before-and-after rule comparisons. Supports manual rule adjustment with full history tracking for auditability.

Limitations

  • Feature limitations: Security Operations Agent is currently in public preview and only supports intelligent tuning for System Protection Rules and Adaptive Protection Rules under the Core Protection Rule module. It does not support the Bot Management and Custom Rule modules.

  • Version requirements:

    • The subscription-based Basic edition does not support this feature.

    • Security Operations Agent is only applicable to WAF instances that use the new Web core protection rules module. You can determine this by checking the style of Core Protection Rule on the Protection Config > Core Web Protection page in the WAF console.

      New version

      image

      Old version

      image

Enable Security Operations Agent

  1. Log on to the WAF 3.0 console . In the top navigation bar, select the resource group and region of the WAF instance (Chinese Mainland or Outside Chinese Mainland ).

  2. In the left-side navigation pane, click Security Operations Agent .

  3. Click Request Public Preview and follow the on-screen instructions to complete the activation.

View and apply the protection rules recommended by Security Operations Agent

After you enable the feature, the Security Operations Agent page displays recommended rules. If no data appears, click Refresh.

Note

Recommended rules refresh every hour. Unapplied rules are overwritten in the next update and cannot be retained.

View recommended rule details

Security Operations Agent supports intelligent tuning for System Protection Rules under the Core Protection Rule module, and automatically generates Adaptive Protection Rules that System Protection Rules cannot cover.

The generated Adaptive Protection Rules suggestions are uniformly labeled as " Adaptive Protection Rule Optimization " on the page. All other recommended rules are tuning suggestions for System Protection Rules .

Locate a recommended rule and click View Details to view rule details.

  • Rule overview : The top of the page displays the rule summary, AI recommendation reasons, target protection template, generation time, and change type (add or update).

  • Update Summary: Displays the number of rules that AI plans to add or update. Click View Update Comparison to view rule details, including ID, name, and before-and-after content comparison.

  • Risk Analysis: Displays the risk analysis generated by AI based on the current rule configuration.

  • Top 3 IP Details: Displays the details of the top 3 IP addresses associated with this rule.

Apply recommended rules

Rules recommended by Security Operations Agent can be applied in two ways:

  1. Automatically apply rules recommended every hour

    • Applicable scenario: Routine environments and most common scenarios.

    • Procedure: Turn on the Auto-Deploy switch in the upper-right corner of the Security Operations Agent page. The system automatically applies recommended rules every hour.

  2. Manually apply a single rule

    • Applicable scenario: Production environments requiring fine-grained control over highly sensitive businesses.

    • Procedure: Locate the target recommended rule, click Apply Policy, review the before-and-after rule comparison, adjust rule status and actions as needed, and click OK.

After a rule is applied, verify the effect in two ways:

  1. View delivery records
    Click Deployment Records in the upper-right corner of the Security Operations Agent page to view the history of manually and automatically applied rules.

  2. View updated rules
    Go to Protection Config > Core Web Protection. In the Core Protection Rule section, click the image icon on the left side of the target protection template, and select Configure Engine to view updated rule content.

FAQ

After the Auto-Deploy switch is turned on, will a large number of rules that mistakenly block normal business traffic be generated?

Generally not. The core mechanism of Security Operations Agent is rule tuning, not just adding rules. The system analyzes your historical traffic with large language models, evaluates existing protection rules, and only updates or adds rules after confirming they defend against attacks without blocking normal traffic.

What is the difference between System Protection Rules and Adaptive Protection Rules in the Core Protection Rule module?

  • System Protection Rules: Preset default rules provided by the system with initial action and status configurations.

  • Adaptive Protection Rules : No rules are included by default. After Security Operations Agent is enabled, the system automatically generates rules based on historical business traffic characteristics to cover the gaps that System Protection Rules cannot address.

Both System Protection Rules and Adaptive Protection Rules support manual modification. Customize rule actions and status in the Protection Config > Core Web Protection > Core Protection Rule section.

Note
  • The specific rule content of System Protection Rules and Adaptive Protection Rules cannot be viewed, customized, or deleted.

  • If no traffic from any protected object hits Adaptive Protection Rules within 7 days, Security Operations Agent suggests deleting that rule.

Why does an error occur when the Advanced edition WAF instance is recommended to enable Intelligent Whitelist Engine after configuring Auto-Deploy?

After the subscription-based Advanced edition WAF instance enables the Auto-Deploy feature of Security Operations Agent, the system may recommend enabling "Core Protection Rule - Intelligent Whitelist Engine". The Advanced edition does not support this feature, so auto-applying this recommendation causes a delivery failure and triggers an error.

Solution

  1. Upgrade the WAF edition: Upgrade your WAF instance to an edition that supportsIntelligent Whitelist Engine.

  2. Manually adjust the delivery policy (no upgrade required): If you prefer not to upgrade:

    1. Turn off the Auto-Deploy feature of Security Operations Agent.

    2. Wait about one hour for the system to refresh recommended rules.

    3. In the recommended configuration list, manually select and deliver all rules except "Enable Intelligent Whitelist Engine".