.. _nAnalystPolicies:

AI-Generated Network Policies
==============================

nAnalyst can translate a plain-English security or operational requirement into an executable network policy: a scheduled query that generates ntopng alerts when the requirement is violated.

.. figure:: ../img/nAnalyst_policy.png
   :align: center
   :alt: nAnalyst AI Policy

   nAnalyst AI Policy

How policy generation works
----------------------------

1. **Describe the requirement** — state what behaviour should be detected or forbidden:

   .. code-block:: text

      "No SSH for host 192.168.2.38 during business hours"
      "Alert if any host's traffic is more than 2x its hourly baseline"
      "Detect outbound connections to non-approved countries"

2. **Agent generates the SQL** — nAnalyst writes a ClickHouse query that captures the policy condition. The query is shown to you for review before it is saved. Review it carefully: the query, not the English sentence, is what runs, and a condition that is too narrow produces no alerts rather than an error.

3. **Execution schedule** — you choose how often the policy query runs: every 1 minute, 5 minutes, 1 hour, or daily. The time window the query examines should match this interval, otherwise violations are reported twice or missed.

4. **Alert registration** — when the query detects a violation, ntopng generates a standard alert that appears in the alert dashboard as a new AI Policy alert and can trigger any configured notification channel (email, Slack, syslog, etc.).

5. **Interpretability** — nAnalyst executes the query once immediately and explains the results in plain language, so you can validate that the policy catches what you expect (and nothing else) before it goes live.

Reviewing and managing policies
--------------------------------

Saved policies are listed in the nAnalyst policy panel. For each policy you can see:

- The plain-English description
- The underlying SQL query
- The execution schedule
- The last run time and result
- The alert history generated by this policy

Policies can be edited, paused, or deleted from the same panel.

.. figure:: ../img/nAnalyst_policy_edit.png
   :align: center
   :alt: nAnalyst Policy Edit

   nAnalyst Policy Edit

Complex policy examples
-----------------------

nAnalyst can express sophisticated conditions that would be time-consuming to write manually:

- Traffic volume anomalies (e.g., 2× hourly baseline)
- Protocol violations (e.g., unencrypted HTTP from a specific subnet)
- Geolocation rules (e.g., outbound to sanctioned countries)
- Time-based access controls (e.g., no RDP outside business hours)
- Peer relationship changes (e.g., a host contacting a new external IP for the first time)

The agent validates that the SQL it generates is syntactically correct and semantically consistent with the described intent before presenting it for confirmation. Your confirmation is still the final check: the agent's notion of "business hours", "host traffic" or "baseline" may differ from yours, and those definitions are visible only in the generated SQL.
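The two added examples below are not nAnalyst output or ntopng code; they show what a *reviewed* ClickHouse query for the first two requirements from the "Describe the requirement" step could look like, with the points a reviewer should check written as comments. They assume ntopng's ClickHouse ``flows`` table with the columns ``FIRST_SEEN`` (DateTime, stored in UTC), ``IPV4_SRC_ADDR`` and ``IPV4_DST_ADDR`` (IPv4 as UInt32), ``IP_DST_PORT``, ``L7_PROTO`` (nDPI protocol id; 92 is SSH), ``SRC2DST_BYTES`` and ``DST2SRC_BYTES``; the time zone ``Europe/Rome`` and the 1 MB/hour baseline floor are assumed values to tune per site. Check every column name against your own schema before saving a policy.

```sql
-- Added worked examples, not nAnalyst output. Assumed schema: ntopng ClickHouse
-- `flows` table (FIRST_SEEN as UTC DateTime, IPv4 addresses as UInt32, L7_PROTO as
-- nDPI id, SRC2DST_BYTES/DST2SRC_BYTES). Verify column names against your install.

-- Policy 1: "No SSH for host 192.168.2.38 during business hours"
-- Scheduled every 5 minutes, so only the last 5 minutes are examined: a wider
-- window re-reports the same flows on every run, a narrower one misses some.
SELECT
    FIRST_SEEN,
    IPv4NumToString(IPV4_SRC_ADDR) AS src_ip,
    IPv4NumToString(IPV4_DST_ADDR) AS dst_ip,
    IP_DST_PORT,
    L7_PROTO
FROM flows
WHERE FIRST_SEEN >= now() - INTERVAL 5 MINUTE
  -- review point: the host may be the SSH client or the SSH server; cover both
  AND (IPV4_SRC_ADDR = IPv4StringToNum('192.168.2.38')
       OR IPV4_DST_ADDR = IPv4StringToNum('192.168.2.38'))
  -- review point: port 22 alone misses SSH on non-standard ports, so also
  -- accept nDPI's SSH classification (id 92)
  AND (IP_DST_PORT = 22 OR L7_PROTO = 92)
  -- review point: "business hours" must be evaluated in local time, not UTC;
  -- toHour(FIRST_SEEN) alone would shift the window by the UTC offset.
  -- Monday..Friday (toDayOfWeek: 1 = Monday), 09:00-17:59 (assumed time zone)
  AND toDayOfWeek(toTimeZone(FIRST_SEEN, 'Europe/Rome')) BETWEEN 1 AND 5
  AND toHour(toTimeZone(FIRST_SEEN, 'Europe/Rome')) BETWEEN 9 AND 17
ORDER BY FIRST_SEEN;

-- Policy 2: "Alert if any host's traffic is more than 2x its hourly baseline"
-- Scheduled hourly. "Baseline" is defined here as the host's mean hourly byte
-- count over the previous 7 days, excluding the hour being tested.
-- review point: bytes are attributed to both endpoints of each flow (arrayJoin),
-- otherwise servers, which rarely initiate flows, would never get a baseline.
-- review point: a minimum-baseline floor stops near-idle hosts from alerting on
-- trivially small absolute changes (1 KB -> 3 KB is a 3x ratio).
SELECT
    IPv4NumToString(host) AS host_ip,
    current_bytes,
    round(baseline_hourly_bytes) AS baseline_bytes,
    round(current_bytes / baseline_hourly_bytes, 2) AS ratio
FROM
(
    SELECT arrayJoin([IPV4_SRC_ADDR, IPV4_DST_ADDR]) AS host,
           sum(SRC2DST_BYTES + DST2SRC_BYTES) AS current_bytes
    FROM flows
    WHERE FIRST_SEEN >= now() - INTERVAL 1 HOUR
    GROUP BY host
    HAVING host != 0          -- 0 is the IPv4 column of IPv6-only flows
) AS cur
INNER JOIN
(
    SELECT arrayJoin([IPV4_SRC_ADDR, IPV4_DST_ADDR]) AS host,
           sum(SRC2DST_BYTES + DST2SRC_BYTES) / (7 * 24) AS baseline_hourly_bytes
    FROM flows
    WHERE FIRST_SEEN >= now() - INTERVAL 7 DAY
      AND FIRST_SEEN <  now() - INTERVAL 1 HOUR
    GROUP BY host
    HAVING host != 0
) AS base USING (host)
WHERE current_bytes > 2 * baseline_hourly_bytes
  AND baseline_hourly_bytes >= 1000000   -- floor: 1 MB/hour (assumed value, tune per site)
ORDER BY ratio DESC;
```

When validating a policy in the "Interpretability" step, make the query fail on purpose once: for Policy 1, confirm that an SSH flow from the host at 20:00 local time is *not* reported, and that one at 10:00 is; for Policy 2, confirm that a host seen for the first time (no baseline row, so the inner join drops it) produces no alert rather than a division-by-zero or an infinite ratio.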