You can create an alert rule to monitor your applications. If the alert rule is triggered, Application Real-Time Monitoring Service (ARMS) sends alert notifications to the specified alert contacts or DingTalk groups by using the specified notification methods. Then, you can take necessary measures at the earliest opportunity.

Create an alert rule

  1. Log on to the ARMS console.
  2. In the left-side navigation pane, choose Application Security > Application Security Alert Rules. In the top navigation bar, select a region.
  3. In the upper-right corner of the Application Security Alert Rules page, click Create Application Security Alert Rule.
  4. On the Create Application Security Alert Rule page, set the required parameters and click Save.
    Note
    • If you click Save, the Create Alert Rule page remains open.
    • If you click Completed, you are redirected to the Alert Rules page.
    Parameter: Description
    Alert Name: The name of the Application Security alert rule.
    Alert Contact Group: The default alert contact group for Application Security is Alert Metric Group and cannot be modified.
    Alert Metric: The metric that is monitored. Application Security supports only the Number of Attacks metric.
    Alert Condition: The condition that triggers an alert. If the number of attacks meets the specified condition, an alert is triggered and a notification is sent. For example, an alert notification is sent if the number of attacks is greater than or equal to 1.
    Filter Condition: The applications to which the alert rule applies. If an application meets both the filter condition and the alert condition, an alert event is generated.

    Valid values:
    • Traversal: The alert rule applies to all applications that are connected to Application Security. By default, the filter condition is set to Traversal.
    • Equal To: If you select this filter condition, you must enter an application name. The alert rule applies only to the specified application. You cannot specify only one application.
    • Not Equal To: If you select this filter condition, you must enter an application name. The alert rule applies to applications other than the specified application. You cannot specify only one application.
    • Match Regular Expression: If you select this filter condition, you must enter a regular expression to match application names. The alert rule applies to all applications that match the regular expression.
    • Do Not Match Regular Expression: If you select this filter condition, you must enter a regular expression to match application names. The alert rule applies to all applications except the applications that match the regular expression.
    Note: After you set the filter condition, the Data Preview section appears. The alert settings and the metrics of the specified applications are displayed in time series curves. If you set the filter condition to Traversal, the metrics of related applications are displayed in the Data Preview section by default. You can select a specific application and time range to narrow down the displayed data.

    Data Preview: Displays the values of the metrics configured for the current alert rule in time series curves.
    Duration: The period of time during which the alert condition is continuously met. An alert is triggered only if the alert condition is continuously met for the specified duration. For example, if you set this parameter to 1, an alert is triggered only if the alert condition is continuously met for 1 minute.
    Alert Level: The severity level of the alert. By default, the alert level is set to Default, which has the lowest severity. Valid values: Default, P4, P3, P2, and P1.
    Alert Message: The alert message. You can configure the alert message based on your business scenario. The default alert message is Application name: {{$labels.appName}}. The application is under security attacks. Number of attacks: {{$value}}.

    Advanced Settings
    Specify Notification Policies:
    • Do Not Specify Notification Rules: If you select this option, you can create a notification policy on the Notification Policies page after you create the alert rule. On the Notification Policies page, you can specify dispatch rules and notification conditions (such as the names of alert rules). If the alert rule is triggered, an alert event is generated and an alert notification is sent to the contacts or contact groups that are specified in the notification policy. For more information, see Create and manage a notification policy.
    • You can select an existing notification policy from the drop-down list or create a notification policy. If the alert rule is triggered, ARMS sends alert notifications by using the notification methods that are configured in the notification policy. For more information, see Create and manage a notification policy.
    Tags: Specify tags for the alert rule. The specified tags can be used to match notification policies.
    Annotations: Specify annotations for the alert rule.
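
The following Python sketch is an added example, not ARMS code: it models how the Filter Condition, Alert Condition, Duration and Alert Message parameters described above combine, run over constructed per-minute attack counts. The application names, the one-sample-per-minute evaluation, the "greater than or equal to" comparison and whole-name regular expression matching are assumptions of the sketch.

```python
import re

# Default message from the page; the two {{...}} placeholders are filled per event.
DEFAULT_MESSAGE = ("Application name: {{$labels.appName}}. The application is under "
                   "security attacks. Number of attacks: {{$value}}.")

def app_selected(app, mode, operand=None):
    """Apply one Filter Condition to an application name."""
    if mode == "Traversal":
        return True
    if mode == "Equal To":
        return app == operand
    if mode == "Not Equal To":
        return app != operand
    matched = re.fullmatch(operand, app) is not None  # assumption: whole-name match
    if mode == "Match Regular Expression":
        return matched
    if mode == "Do Not Match Regular Expression":
        return not matched
    raise ValueError(f"unknown filter condition: {mode}")

def evaluate(series, threshold, duration, mode="Traversal", operand=None,
             message=DEFAULT_MESSAGE):
    """Return (minute_index, rendered_message) for each alert event.

    series maps application name -> list of per-minute attack counts.
    Assumption: the condition 'attacks >= threshold' must hold for
    `duration` consecutive one-minute samples before an event fires.
    """
    events = []
    for app, counts in sorted(series.items()):
        if not app_selected(app, mode, operand):
            continue
        streak = 0
        for minute, value in enumerate(counts):
            streak = streak + 1 if value >= threshold else 0
            if streak == duration:  # fire once per continuous run
                text = (message.replace("{{$labels.appName}}", app)
                               .replace("{{$value}}", str(value)))
                events.append((minute, text))
    return events

# Constructed sample data: attack counts per minute for three hypothetical applications.
SAMPLE = {
    "shop-frontend":  [0, 3, 0, 2, 4, 1, 0],
    "shop-payment":   [0, 0, 1, 0, 0, 0, 0],
    "internal-batch": [5, 5, 5, 0, 0, 0, 0],
}

if __name__ == "__main__":
    for minute, text in evaluate(SAMPLE, 1, 3, "Match Regular Expression", "shop-.*"):
        print(minute, text)
```

In this model, a Duration of 3 with a threshold of 1 never reports the single attack on shop-payment, while a Duration of 1 reports it; check that trade-off in Data Preview before raising Duration to reduce noise.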

Manage an alert rule

After an alert rule is created, the alert rule is displayed on the Application Security > Application Security Alert Rules page. You can enable, disable, modify, or delete the alert rule. You can also view historical alert events.

  1. Log on to the ARMS console.
  2. In the left-side navigation pane, choose Application Security > Application Security Alert Rules. In the top navigation bar, select a region.
  3. Optional: On the Application Security Alert Rules page, enter the alert rule name in the search box and click the Search icon.
    Note: You can enter the keyword of an alert rule name in the search box to perform a fuzzy search.
  4. Find the alert rule that you want to manage and perform the following operations in the Actions column based on your business requirements:
    • To modify the alert rule, click Edit. On the Edit Application Security Alert Rule page, modify the alert rule and click Save.
    • To delete the alert rule, click Delete. In the Confirm message, click OK.
    • To enable the alert rule, click Start. In the Confirm message, click OK.
    • To disable the alert rule, click Stop. In the Confirm message, click OK.
    • To view historical alert events, click Alert History. On the Alert Event History tab, view the corresponding records.