Alert Management

nAnalyst can investigate, contextualise, and suppress alerts without requiring the analyst to manually correlate data across multiple views.

Alert investigation

When an alert fires, you can ask nAnalyst to explain it:

"Why did host 10.0.1.20 trigger a port scan alert?"

"Is the DNS tunnelling alert on 192.168.5.3 a false positive?"

nAnalyst will:

  1. Retrieve the alert details and associated flows

  2. Pull historical traffic context for the involved hosts

  3. Cross-reference with the asset inventory and known good behaviour

  4. Return an explanation with supporting evidence

Alert suppression (silencing)

For alerts that are confirmed false positives or known-good behaviour, nAnalyst can create exclusions directly from the chat:

"Silence the certificate expiry alert for internal.corp.example.com"

"Add an exclusion for the domain alert on cdn.vendor.com"

Supported exclusion types:

  • Host alert exclusions — suppress a specific alert type for a given host

  • Domain alert exclusions — suppress alerts triggered by a known-good domain

  • Certificate alert exclusions — suppress TLS certificate warnings for internal or known hosts

All exclusions are recorded in the audit log with the responsible user and the reason provided.
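The three exclusion types and the audit requirement above, as an added example that is not nAnalyst's or ntopng's own code: a small matcher that decides whether a fired alert is suppressed by a recorded exclusion, and refuses to record an exclusion that lacks a responsible user or a reason. The alert fields and alert type names are assumptions, not ntopng's schema.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed alert model; field names are assumptions, not ntopng's schema.
@dataclass
class Alert:
    alert_type: str      # e.g. "port_scan", "dns_tunnelling", "certificate_expiry"
    host: str = ""       # IP of the host the alert was raised for
    domain: str = ""     # domain involved in the alert, if any
    cert_host: str = ""  # hostname on the TLS certificate, if any

@dataclass
class Exclusion:
    kind: str            # "host", "domain" or "certificate"
    value: str           # host IP, known-good domain, or certificate hostname
    alert_type: str = "" # required for host exclusions: the one alert type to suppress

    def matches(self, alert: Alert) -> bool:
        if self.kind == "host":
            # Host exclusion: one specific alert type for one given host.
            return alert.host == self.value and alert.alert_type == self.alert_type
        if self.kind == "domain":
            # Domain exclusion: whatever the known-good domain triggered.
            return alert.domain == self.value
        if self.kind == "certificate":
            # Certificate exclusion: TLS certificate warnings for a known host.
            return alert.alert_type.startswith("certificate") and alert.cert_host == self.value
        return False

class ExclusionStore:
    def __init__(self):
        self.exclusions: list[Exclusion] = []
        self.audit_log: list[dict] = []

    def add(self, exclusion: Exclusion, user: str, reason: str) -> dict:
        # Refuse to record an exclusion with no accountable user or no stated reason.
        if not user.strip() or not reason.strip():
            raise ValueError("exclusion requires a responsible user and a reason")
        self.exclusions.append(exclusion)
        entry = {
            "time": datetime.now(timezone.utc).isoformat(),
            "action": "create_exclusion",
            "kind": exclusion.kind, "value": exclusion.value,
            "alert_type": exclusion.alert_type, "user": user, "reason": reason,
        }
        self.audit_log.append(entry)
        return entry

    def is_suppressed(self, alert: Alert) -> bool:
        return any(e.matches(alert) for e in self.exclusions)
```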

Incident response workflow

A typical AI-assisted incident workflow with nAnalyst:

  1. Alert fires in ntopng

  2. Analyst asks nAnalyst: "Investigate this alert"

  3. nAnalyst pulls flows, host history, and geolocation data

  4. Evidence log is assembled and shown

  5. nAnalyst suggests: confirm malicious → create policy; or confirm benign → silence alert

  6. Analyst approves the action; nAnalyst executes it

  7. Action is recorded in the audit log