Web Application Firewall:Configure CloudMonitor notifications

Create an alert contact and an alert contact group

1. Log on to the CloudMonitor console.

2. In the left-side navigation pane, choose Alerts > Alert Contacts.

3. Create an alert contact.

   1. On the Alert Contacts tab, click Create Alert Contact.

   2. In the Set Alert Contact panel, enter the name, email address, and webhook URL of the alert contact. Make sure that the Language of Alert Notifications parameter is set to the default value Automatic.

      Note

      Automatic specifies that CloudMonitor automatically selects the language of alert notifications based on the language that is used to create your Alibaba Cloud account.

   3. Confirm the parameter values and click OK.

4. Create an alert contact group.

   1. On the Alert Contact Group tab, click Create Alert Contact Group.

   2. In the Create Alert Contact Group panel, configure the Group Name parameter, select alert contacts, and then click OK.

5. Add multiple alert contacts to an alert contact group

   1. On the Alert Contacts tab, select the alert contacts that you want to add to an alert contact group and click Add to Contact Group.

   2. In the Add to Contact Group dialog box, click the alert contact group to which you want to add the alert contacts and click OK.

   After you create alert contacts and an alert contact group and add the alert contacts to the alert contact group, the alert contacts can receive monitoring and alerting notifications. Alert contacts must check the alert notifications and handle the alerts at the earliest opportunity.

Configure monitoring and alerting for attack events

1. Log on to the CloudMonitor console.

2. In the left-side navigation pane, choose Event Center > System Event.

3. On the Event Monitoring tab, click Old Event Alarm Rules in the upper-right corner and then click Create Alert Rule.

4. In the Create/Modify Event-triggered Alert Rule panel, configure the parameters and click OK. The following table describes the parameters.

   Parameter	Description
   Alert Rule Name	The name of the event-triggered alert rule.
   Product Type	The cloud service for which you want to configure the event-triggered alert rule. Select Web Application Firewall (WAF).
   Event Type	The event type of the event-triggered alert rule. Valid values: Attack, Exceed, and Event.
   Event Level	The severity level of the event that triggers alerts. The security level of all events that are detected by WAF is CRITICAL.
   Event Name	The name of the event that triggers alerts. Note In the Event Name drop-down list, the events whose names contain v3 are WAF 3.0 events that can be monitored by CloudMonitor. The other events are WAF 2.0 events. For information about the attack events that are detected by WAF 2.0 and can be monitored by CloudMonitor, see Attack events that can be monitored by CloudMonitor.
   Keyword Filtering	The keywords that are used in the alert rule. Valid values: Contains any of the keywords: If the alert rule contains one of the specified keywords, no alert notifications are sent. Does not contain any of the keywords: If the alert rule does not contain one of the specified keywords, no alert notifications are sent.
   SQL Filter	The SQL statements that are used for filtering.
   Resource Range	The range of resources for which you want the event-triggered rule to take effect. Valid values: All Resources and Application Groups.
   Alert Contact Group	The contact groups to which alert notifications are sent. For more information, see Create an alert contact and alert contact group.
   Notification Method	The severity level and notification method of the event-triggered alert. Valid values: Critical (Phone Call + SMS Message + Email + Webhook) Warning (SMS Message + Email + Webhook) Info (Email +Webhook)
   Message Service - Queue	The Message Service (MNS) queue to which the event-triggered alert is delivered.
   Function Compute	The Function Compute function to which the event-triggered alert is delivered.
   URL Callback	The URL that can be accessed over the Internet. CloudMonitor sends HTTP POST requests to push alert notifications to the specified URL. Only HTTP is supported. For information about how to configure alert callbacks, see Configure callbacks for system event-triggered alerts (old).
   Simple Log Service	The Simple Log Service Logstore to which event-triggered alerts are delivered.
   Mute For	The interval at which CloudMonitor resends alert notifications before the alert is cleared. Valid values: 5 Minutes, 15 Minutes, 30 Minutes, 60 Minutes, 3 Hours, 6 Hours, 12 Hours, and 24 Hours.

   After you configure an alert rule for attack events, the contacts that you specified in the alert rule can receive alert notifications when specific attacks are detected on the protected objects of WAF.

   To query the recent attack events that are detected by WAF, select Web Application Firewall (WAF) from the All Products drop-down list on the Event Monitoring tab and select an event name that does not contain v3 from the Select Event Name drop-down list. Then, click Search.

Configure monitoring and alerting for service metrics

1. Log on to the CloudMonitor console.

2. In the left-side navigation pane, choose Alerts > Alert Rules.

3. On the Alert Rules page, click Create Alert Rule.

4. In the Create Alert Rule panel, configure the parameters and click OK. The following table describes the parameters.

   Parameter	Description
   Product	Select Web Application Firewall (WAF) from the Product drop-down list.
   Resource Range	The range of resources for which you want the alert rule to take effect. Valid values: All Resources: The alert rule takes effect for all WAF resources. Application Groups: The alert rule takes effect for all resources in the specified application group of WAF. Instances: The alert rule takes effect for the specified resources of WAF.
   Rule Description	The content of the alert rule. If a metric meets the specified condition, an alert is triggered. To specify a condition, perform the following steps: Click Add Rule. In the Config Rule Description panel, configure the Alert Rule, Metric Type, Metric, and Threshold and Alert Level parameters. Then, click OK. Note For information about the service metrics that can be monitored by CloudMonitor, see Service Metrics that can be monitored by CloudMonitor.
   Mute For	The interval at which CloudMonitor resends alert notifications before the alert is cleared. Valid values: 5 Minutes, 15 Minutes, 30 Minutes, 60 Minutes, 3 Hours, 6 Hours, 12 Hours, and 24 Hours. When the condition of an alert rule is met, an alert is triggered. If the alert is retriggered within the mute period, CloudMonitor does not resend an alert notification. If the alert is not cleared after the mute period ends, CloudMonitor resends alert notifications.
   Effective Period	The period of time during which the alert rule is effective. CloudMonitor monitors the specified resources and generates alerts only within the specified period.
   Alert Contact Group	The contact groups to which alert notifications are sent. For more information, see Create an alert contact and alert contact group.
   Alert Callback	The URL that can be accessed over the Internet. CloudMonitor sends HTTP POST requests to push alert notifications to the specified URL. Only HTTP is supported. For information about how to configure an alert callback, see Use the alert callback feature to send notifications about threshold-triggered alerts. Note You can click Advanced Settings to configure this parameter.
   Auto Scaling	If you turn on Auto Scaling, the specified scaling rule is enabled when an alert is triggered based on the alert rule. You must configure the Region, ESS Group, and ESS Rule parameters. For information about how to create a scaling group, see Manage scaling groups. For information about how to create a scaling rule, see Manage scaling rules. Note You can click Advanced Settings to configure this parameter.
   Simple Log Service	If you turn on Simple Log Service and an alert is triggered, the alert information is written to the specified Logstore in Simple Log Service. You must configure the Region, ProjectName, and Logstore parameters. For information about how to create a project and a Logstore, see Getting started. Note You can click Advanced Settings to configure this parameter.
   Message Service - Topic	If you turn on Message Service - Topic and an alert is triggered, the alert information is written to the specified topic in MNS. You must configure the Region and topicName parameters. For information about how to create a topic, see Create a topic. Note You can click Advanced Settings to configure this parameter.
   Method to handle alerts when no monitoring data is found	The method that is used to handle alerts when no monitoring data is found. Valid values: Do not do anything (default) Send alert notifications Treated as normal Note You can click Advanced Settings to configure this parameter.
   Tag	The tag of the alert rule. A tag consists of a name and a value.

   After you create an alert rule, you can view the rule on the Alert Rules page. Select WAF 3.0 from the Product drop-down list and domain from the Metric drop-down list. Then, select one of the metrics that are displayed on the right side to search for the alert rule that you created for the metric.

   Note

   Descriptions of metrics that can be monitored by CloudMonitor:

   • If you select domain from the Metric drop-down list, the metrics that are displayed on the right side are WAF 2.0 metrics that can be monitored by CloudMonitor.

   • If you select resource from the Metric drop-down list, the metrics that are displayed on the right side are WAF 3.0 metrics that can be monitored by CloudMonitor.

   • If you select Instance from the Metric drop-down list, the metrics that are displayed on the right side are Hybrid Cloud WAF metrics that can be monitored by CloudMonitor. Metrics whose names contain v3 are WAF 3.0 metrics that can be monitored by CloudMonitor. The other metrics are WAF 2.0 metrics.

Configure monitoring and alerting for custom metrics

You can use Simple Log Service to configure monitoring and alerting for custom metrics. For more information, see Overview.

Attack events that can be monitored by CloudMonitor

CloudMonitor allows you to configure monitoring and alerting for web attacks, HTTP flood attacks, scan attacks, and access control events on domain names that are added to WAF. You can select a notification method for receiving alerts based on the severity levels of events. The supported notification methods include text messages, emails, DingTalk, and the alert callback feature. For more information, see Configure monitoring and alerting rules for attack events.

Service metrics that can be monitored by CloudMonitor

CloudMonitor allows you to configure monitoring and alerting for WAF service metrics of domain names that are added to WAF. You can specify the method that you want to use to identify exceptions on the metrics and select a notification method, such as text messages, emails, DingTalk, or the alert callback feature. For more information about how to configure monitoring and alerting for WAF service metrics, see Configure monitoring and alerting for service metrics.