After you create an application security alert rule, the system sends an alert message to the specified alert contact or DingTalk group by using the specified notification method whenever the rule is triggered, so that you can take timely measures to protect your application.

Create an alert rule

  1. Log on to the ARMS console.
  2. In the left-side navigation pane, choose Application Security > Security Alert Rules. In the top navigation bar, select a region.
  3. In the upper-right corner of the Alerts page, click Create Alert.
  4. On the Create Alert page, enter all required information and click Save.
    Parameter Description
    Alert name The name of the custom application security alert.
    Alert group The default alert group for application security is Alert Metric Group and cannot be modified.
    Alert metrics The metrics that generate alerts. Currently, application security alerts only support the Attacks metric.
    Alert conditions The condition on the number of attacks that triggers an alert and sends a notification. For example, an alert is sent when the number of attacks is greater than or equal to 1.
    Filter criteria

    Set the application scope to which the currently configured alert rule applies. If all applications that meet the filtering conditions meet this alert rule, alerts are generated.

    Optional filtering conditions include:
    • Traversal: The alert rule applies to all applications that are connected to application security. By default, the filter condition is traversal.
    • Equal to: If you select this condition, you must enter the application name. The created alert rule applies only to this application. You cannot specify multiple applications at the same time.
    • Not Equal: If you select this condition, you must enter the application name. The created alert rule applies to all applications other than the specified application. You cannot specify multiple applications at the same time.
    • Regular Expression: If you select this condition, enter a regular expression to match the application name. The created alert rule will apply to all applications that match the regular expression.
    • Regular Expression Mismatch: If you select this condition, enter a regular expression to match the application name. The created alert rule excludes all applications that match the regular expression.
    Note After you set the filter conditions, the Data Preview section appears, which displays the corresponding alert settings and the actual metrics of the selected application in the form of time series curves. If you set the filter condition to Traversal, the metrics of related applications are displayed in the Data Preview section by default. You can select the target application and the time range in the filter box of this section to display data.
    Duration The alert is triggered only when the alert condition is continuously met for the specified duration. For example, if the duration is set to 1 minute, an alert is triggered only when the alert condition is met for 1 minute in a row.
    Alert level The custom alert level. The default alert level is Default Alert. The severity of the alert increases in the order P4, P3, P2, P1.
    Alert content The alert information received by the user. You can customize the alert information. The default alert content is Application name: {{$labels.appName}}. The current value is {{$value}}.
    Notification policy
    • Do not specify a notification rule: If you select this option, you can create a notification policy on the Notification Policy page and specify the dispatch rule and dispatch conditions (such as the name of the alert rule) to match the alert rule. After the alert rule is triggered and an alert event is generated, the alert information is sent to the contact or contact group specified in the notification policy. For more information, see Configure a notification policy.
    • Specify a notification rule: When an alert is triggered, ARMS sends alert notifications by using the notification method that is configured in a specified notification policy. You can select an existing notification policy from the drop-down list. You can also create a notification policy. For more information, see Configure a notification policy.
      Note To view the details of the notification policy, click See.

Handle alerts

On the Application Security > Security Alert Rules page, you can start, stop, edit, and delete alert rules, and view the alert history.

  1. Log on to the ARMS console.
  2. In the left-side navigation pane, choose Application Security > Security Alert Rules. In the top navigation bar, select a region.
  3. Optional: On the Alerts page, enter an alert name in the search box and click the search icon.
    Note You can enter the keyword of the name in the search box to perform a fuzzy search.
  4. In the search results, find the alert rule that you want to manage. You can perform the following operations in the Operation column:
    • To edit an alert rule, click Edit. On the Edit Alert page, edit the alert rule and click Save.
    • To delete an alert rule, click Delete. In the Note message, click OK.
    • To start a stopped alert rule, click Start. In the Note message, click OK.
    • To stop an alert rule, click Stop. In the Note message, click OK.
    • To view the alert history, click Alarm history. On the page that appears, click Alert Event History or Alert sending History in the left-side navigation pane to view historical alert events or historical alerts.
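
The filter conditions and the Duration setting described under Create an alert rule can be modelled offline to check which applications a set of rules leaves without an Attacks alert. This is an added example, not ARMS code: the condition labels, the `enabled` field and the sample applications are hypothetical. It assumes that a regular expression must match the whole application name, that a stopped rule generates no alerts, and that the metric has one data point per minute.

```python
import re

# Filter conditions from the "Filter criteria" parameter. The lowercase labels
# are hypothetical names for this sketch, not ARMS API values.
def in_scope(app, condition, value=None):
    """Return True if the alert rule applies to application `app`."""
    if condition == "traversal":          # default: every connected application
        return True
    if condition == "equal":
        return app == value
    if condition == "not_equal":
        return app != value
    # Assumption: the expression must match the whole application name.
    matched = re.fullmatch(value, app) is not None
    if condition == "regex":
        return matched
    if condition == "regex_mismatch":
        return not matched
    raise ValueError(f"unknown filter condition: {condition}")

def uncovered_apps(apps, rules):
    """Applications that no started rule applies to (assumed: stopped rules do not alert)."""
    return [a for a in apps
            if not any(r["enabled"] and in_scope(a, r["condition"], r.get("value"))
                       for r in rules)]

def fires(attacks_per_minute, threshold, duration_minutes):
    """True if attacks >= threshold held for `duration_minutes` samples in a row."""
    run = 0
    for count in attacks_per_minute:
        run = run + 1 if count >= threshold else 0
        if run >= duration_minutes:
            return True
    return False

# Constructed sample data.
APPS = ["pay-api", "pay-worker", "shop-web", "test-shop-web"]
RULES = [
    {"name": "pay", "condition": "regex", "value": r"pay-.*", "enabled": True},
    {"name": "shop", "condition": "equal", "value": "shop-web", "enabled": False},
]

if __name__ == "__main__":
    print("not covered:", uncovered_apps(APPS, RULES))
    print("fires:", fires([0, 2, 0, 1, 3], threshold=1, duration_minutes=2))
```

With a Duration longer than 1 minute, isolated single-minute bursts such as the `2` in the sample series do not trigger the rule, which is worth weighing against the threshold of 1 used in the example above.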