This topic describes how to configure event monitoring rules for Web Application Firewall (WAF) in the CloudMonitor console. You can configure CloudMonitor to monitor events on the domains protected by WAF and send you alerts, which helps you respond to attacks and restore your workloads at the earliest opportunity. CloudMonitor can monitor WAF events generated by access control, HTTP flood attack protection, web attack protection, and anti-scanning.

Background information

CloudMonitor is a service that monitors Internet applications and Alibaba Cloud resources. It supports event monitoring, which allows you to query and analyze system events that occur on cloud services. With event monitoring, you can easily track how your cloud services are used.

You can query the access control, HTTP flood attacks, web attacks, and anti-scanning events that have been detected on the domains protected by WAF and add alert rules for the events. You can configure CloudMonitor to alert you about critical events by sending messages or returning callbacks. Supported messages include SMS messages, emails, and DingTalk messages. With the event monitoring feature, you can build an automated operations and maintenance system to detect and handle events at the earliest opportunity. For more information, see An overview of event monitoring.

CloudMonitor supports monitoring the following WAF events.

Table 1. WAF events

Event                  Description              Type      Status value   Event level
waf_event_aclattack    Access control events    acl       start/end      CRITICAL
waf_event_ccattack     HTTP flood attack events cc        start/end      CRITICAL
waf_event_webattack    Web attack events        web       start/end      CRITICAL
waf_event_webscan      Anti-scanning events     webscan   start/end      CRITICAL

Procedure

  1. Log on to the CloudMonitor console.
  2. Optional: Add an alert recipient. If you have already specified a recipient, you can skip this step.
    1. In the left-side navigation pane, choose Alarms > Alarm Contacts.
    2. On the Alarm Contacts tab, click Create Alarm Contact in the upper-right corner.
    3. In the Set Alarm Contact dialog box that appears, enter the required contact information. Verify the Phone or Email ID, and then click Save.
      The alert recipient is saved.
  3. Optional: Create an alert contact group. If you have already created an alert contact group, you can skip this step.
    Note: The recipients of alert notifications must be contact groups. You can add one or more recipients to a contact group.
    1. In the left-side navigation pane, choose Alarms > Alarm Contacts.
    2. On the Alarm Contact Group tab, click Create Alarm Contact Group in the upper-right corner.
    3. In the Create Alarm Contact Group dialog box that appears, enter a group name in the Group Name field. Select recipients from the left-side Existing Contacts list and add them to the right-side Selected Contacts list. Click OK.
      The contact group is created.
  4. Create an event alert rule for WAF.
    1. In the left-side navigation pane, click Event Monitoring.
    2. On the Alarm Rules tab, select System Event, and click Create Event Alert.
    3. Configure the alert rule in the Create/Modify Event Alert pane and click OK. The parameters are described as follows.
      Category            Configuration item   Description
      Basic information   Alarm Rule Name      Enter the name of the alert rule.
      Event alert         Event Type           Select System Event.
                          Product Type         Select WAF.
                          Event Type           Select WAF attack events.
                          Event Level          Select the level of the event. Valid values: CRITICAL, WARN, and INFO. You can select multiple levels, but you must select CRITICAL.
                          Event Name           Select the types of events that CloudMonitor alerts you about. Valid values: waf_event_aclattack, waf_event_ccattack, waf_event_webattack, and waf_event_webscan. You can select multiple event types. The event level must be CRITICAL.
                          Resource Range       Select All Resources.
      Alarm Type          Alarm Notification   Select Alarm Notification, and configure the Contact Group and Notification Method. Contact Group: select an existing contact group. Notification Method: select Warning (Message+Email ID+DingTalk Robot) or Info (Email ID+DingTalk Robot). You can click Add to add more contact groups and notification methods.
                          MNS queue            This option is not required.
                          Function service     This option is not required.
                          URL callback         This option is not required.
                          Log Service          This option is not required.

      You have created a WAF event alert rule. When a specific event occurs on a domain name that is added to WAF, the contact group specified in the alert rule receives an alert.
  5. Optional: Query events. You can also query the recent WAF events in the CloudMonitor console.
    1. Click the Query Event tab of the Event Monitoring page.
    2. Select System Event and WAF, and specify the event type and time period to query the events.
    3. You can click View the Detail in the Operation column to view details of an event.
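The following Python script is an added example, not Alibaba Cloud or CloudMonitor code. It models the WAF event alert rule configured in step 4 (Product Type WAF, the four waf_event_* names from Table 1, and a level set that must include CRITICAL) and applies that filter to a constructed batch of system events, folding start/end status values into a per-domain attack state. The event field names (product, name, level, status, resourceId, eventTime), the domain names, and the timestamps are assumptions made for illustration and do not describe a documented CloudMonitor payload.

```python
# Added example (not Alibaba Cloud or CloudMonitor code). Models the WAF event
# alert rule from the procedure and applies it to constructed system events.
# Event field names (product, name, level, status, resourceId, eventTime) are
# assumed for illustration, not a documented CloudMonitor payload format.
from dataclasses import dataclass

# WAF system events CloudMonitor can monitor, mapped to the Type column of Table 1.
WAF_EVENTS = {
    "waf_event_aclattack": "acl",
    "waf_event_ccattack": "cc",
    "waf_event_webattack": "web",
    "waf_event_webscan": "webscan",
}
VALID_LEVELS = {"CRITICAL", "WARN", "INFO"}


@dataclass(frozen=True)
class WafEventRule:
    """Mirrors the Create/Modify Event Alert parameters used for WAF."""
    rule_name: str
    contact_group: str
    levels: frozenset = frozenset({"CRITICAL"})
    event_names: frozenset = frozenset(WAF_EVENTS)
    product: str = "WAF"

    def validate(self) -> None:
        """Enforce the constraints the console states: the level set must
        include CRITICAL and event names must be the four WAF events."""
        if not self.levels <= VALID_LEVELS:
            raise ValueError(f"unknown event level(s): {sorted(self.levels - VALID_LEVELS)}")
        if "CRITICAL" not in self.levels:
            raise ValueError("WAF attack events are CRITICAL; the rule must include that level")
        unknown = self.event_names - set(WAF_EVENTS)
        if unknown:
            raise ValueError(f"unknown WAF event name(s): {sorted(unknown)}")
        if not self.event_names:
            raise ValueError("select at least one event name")

    def matches(self, event: dict) -> bool:
        """True when a system event falls within this rule's filter."""
        return (
            event.get("product") == self.product
            and event.get("level") in self.levels
            and event.get("name") in self.event_names
        )


def notifications(rule: WafEventRule, events: list) -> list:
    """Return (domain, event type, status) for every event that would notify
    the rule's contact group, in arrival order."""
    rule.validate()
    return [
        (e["resourceId"], WAF_EVENTS[e["name"]], e["status"])
        for e in events
        if rule.matches(e)
    ]


def attack_state(rule: WafEventRule, events: list) -> dict:
    """Fold start/end status values into the latest state per (domain, type):
    'ongoing' after a start with no later end, 'ended' after an end."""
    state = {}
    for domain, kind, status in notifications(rule, events):
        state[(domain, kind)] = "ongoing" if status == "start" else "ended"
    return state


# Constructed sample events; domains, timestamps and the non-WAF event are made up.
SAMPLE_EVENTS = [
    {"product": "WAF", "name": "waf_event_ccattack", "level": "CRITICAL",
     "status": "start", "resourceId": "www.example.com", "eventTime": "2021-03-01T10:00:00Z"},
    {"product": "WAF", "name": "waf_event_webscan", "level": "CRITICAL",
     "status": "start", "resourceId": "www.example.com", "eventTime": "2021-03-01T10:02:00Z"},
    # Different product: never matched by a rule whose Product Type is WAF.
    {"product": "ECS", "name": "constructed_other_event", "level": "CRITICAL",
     "status": "start", "resourceId": "i-constructed", "eventTime": "2021-03-01T10:03:00Z"},
    {"product": "WAF", "name": "waf_event_webscan", "level": "CRITICAL",
     "status": "end", "resourceId": "www.example.com", "eventTime": "2021-03-01T10:15:00Z"},
    # WARN-level event: dropped by a rule that selects only CRITICAL.
    {"product": "WAF", "name": "waf_event_aclattack", "level": "WARN",
     "status": "start", "resourceId": "api.example.com", "eventTime": "2021-03-01T10:20:00Z"},
    {"product": "WAF", "name": "waf_event_webattack", "level": "CRITICAL",
     "status": "start", "resourceId": "api.example.com", "eventTime": "2021-03-01T10:21:00Z"},
]

# Rule equivalent to the console settings in step 4 (names are placeholders).
DEFAULT_RULE = WafEventRule(rule_name="waf-attack-alerts", contact_group="waf-oncall")

if __name__ == "__main__":
    for item in notifications(DEFAULT_RULE, SAMPLE_EVENTS):
        print(item)
    print(attack_state(DEFAULT_RULE, SAMPLE_EVENTS))
```

Running the script lists the four events that would reach the waf-oncall contact group and shows that the HTTP flood attack on www.example.com and the web attack on api.example.com are still ongoing while the scan has ended; the same start/end pairing is what you see when you query events in step 5.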