Web Application Firewall: Configure CloudMonitor notifications

Last Updated: Mar 31, 2026

CloudMonitor integrates with Web Application Firewall (WAF) to send alerts when WAF detects attacks or when service metrics cross a threshold you define. This topic explains how to set up alert contacts, configure event-triggered alerts for attack events, and configure threshold-based alerts for service metrics.

Alert types at a glance:

| Alert type | What it monitors | Where to configure |
| --- | --- | --- |
| Attack events | A notification each time WAF detects a specific attack type (for example, an HTTP flood or a web attack). | Event Center > System Event |
| Service metrics | A notification when a measured metric, such as QPS or the block rate, crosses a threshold you define. | Alerts > Alert Rules |
| Custom metrics | Custom metrics defined in Simple Log Service (SLS). | See Overview |

Prerequisites

Before you begin, ensure that you have:

  • A website added to WAF. For more information, see Tutorial.

Create an alert contact and an alert contact group

Alert contacts are the people who receive notifications. Organize them into contact groups, then assign a group when creating any alert rule.

  1. Log on to the CloudMonitor console.

  2. In the left-side navigation pane, choose Alerts > Alert Contacts.

  3. Create an alert contact.

    1. On the Alert Contacts tab, click Create Alert Contact.

    2. In the Set Alert Contact panel, enter the name, email address, and webhook URL of the contact. Leave Language of Alert Notifications set to the default value Automatic.

      Note

      Automatic means CloudMonitor selects the notification language based on the language used to create your Alibaba Cloud account.

    3. Click OK.

  4. Create an alert contact group.

    1. On the Alert Contact Group tab, click Create Alert Contact Group.

    2. In the Create Alert Contact Group panel, enter a group name, select the contacts to include, and then click Confirm.

  5. (Optional) Add contacts to a group in bulk.

    1. On the Alert Contacts tab, select the contacts you want to add, and then click Add to Contact Group.

    2. In the Add to Contact Group dialog box, select the target group and click Confirm.

Configure monitoring and alerting for attack events

Set up event-triggered alert rules to receive notifications when WAF detects specific attack events. When you receive an alert, go to the Event Monitoring tab in the CloudMonitor console to view recent events and identify the attack.

  1. Log on to the CloudMonitor console.

  2. In the left-side navigation pane, choose Event Center > System Event.

  3. On the Event Monitoring tab, click Old Event Alarm Rules in the upper-right corner, and then click Create Alert Rule.

  4. In the Create/Modify Event-triggered Alert Rule panel, configure the parameters and click OK.

    | Parameter | Description |
    | --- | --- |
    | Alert Rule Name | The name of the event-triggered alert rule. |
    | Product Type | The cloud service. Select Web Application Firewall (WAF). |
    | Event Type | The category of event to monitor. Valid values: Attack, Exceed, and Event. |
    | Event Level | The severity level that triggers alerts. All WAF events are classified as CRITICAL. |
    | Event Name | The specific event to monitor. Event names that contain v3 are WAF 3.0 events. All other events are WAF 2.0 events. For the full list of WAF 2.0 events, see Attack events that can be monitored by CloudMonitor. |
    | Keyword Filtering | Filters events by keyword before sending alerts. Contains any of the keywords: suppress alerts when the event matches a keyword. Does not contain any of the keywords: suppress alerts when the event does not match a keyword. |
    | SQL Filter | SQL statements used for additional filtering. |
    | Resource Range | The resources this rule covers. Valid values: All Resources and Application Groups. |
    | Alert Contact Group | The contact groups that receive alert notifications. |
    | Notification Method | The severity level and delivery channels for notifications. Valid values: Critical (Phone Call + SMS Message + Email + Webhook), Warning (SMS Message + Email + Webhook), Info (Email + Webhook). |
    | SMQ | The Simple Message Queue (SMQ, formerly MNS) queue to receive alert deliveries. |
    | Function Compute | The Function Compute function to receive alert deliveries. |
    | URL Callback | A publicly accessible HTTP URL. CloudMonitor sends HTTP POST requests to push alert notifications to this URL. Only HTTP is supported. For configuration steps, see Configure callbacks for system event-triggered alerts (old). |
    | Simple Log Service | The SLS Logstore to receive alert deliveries. |
    | Mute Period | How long CloudMonitor waits before resending an alert that has not been cleared. Valid values: 5 Minutes, 15 Minutes, 30 Minutes, 60 Minutes, 3 Hours, 6 Hours, 12 Hours, and 24 Hours. |

After the rule is saved, the contacts in the specified groups receive notifications whenever WAF detects the configured attack events.

To view recent attack events, on the Event Monitoring tab, select Web Application Firewall (WAF) from the All Products drop-down list, select an event name that does not contain v3 from the Select Event Name drop-down list, and then click Search.

[Figure: WAF event monitoring]

Configure monitoring and alerting for service metrics

Set up threshold-based alert rules to receive notifications when a WAF service metric crosses a value you define. When you receive an alert, check the Alert Rules page to identify which metric triggered the rule.

  1. Log on to the CloudMonitor console.

  2. In the left-side navigation pane, choose Alerts > Alert Rules.

  3. On the Alert Rules page, click Create Alert Rule.

  4. In the Create Alert Rule panel, configure the parameters and click Confirm.

    | Parameter | Description |
    | --- | --- |
    | Product | Select Web Application Firewall (WAF) from the drop-down list. |
    | Resource Range | The resources this rule covers. Valid values: All Resources (all WAF resources), Application Groups (all resources in a specified application group), Instances (specific WAF resources). |
    | Rule Description | The alert condition. Click Add Rule, and in the Config Rule Description panel configure the alert rule, metric type, metric, threshold, and alert level. For the list of available service metrics, see Service metrics that can be monitored by CloudMonitor. |
    | Mute Period | How long CloudMonitor waits before resending an active alert. Valid values: 5 Minutes, 15 Minutes, 30 Minutes, 60 Minutes, 3 Hours, 6 Hours, 12 Hours, and 24 Hours. If the alert condition is met again within the mute period, CloudMonitor suppresses the duplicate notification. |
    | Effective Period | The time window during which CloudMonitor monitors the resources and generates alerts. |
    | Alert Contact Group | The contact groups that receive alert notifications. |
    | Alert Callback | A publicly accessible HTTP URL. CloudMonitor sends HTTP POST requests to push alert notifications to this URL. Only HTTP is supported. For configuration steps, see Use the alert callback feature to send notifications about threshold-triggered alerts. Click Advanced Settings to configure this parameter. |
    | Auto Scaling | When enabled, triggers the specified scaling rule when an alert fires. Configure Region, ESS Group, and ESS Rule. For details, see Manage scaling groups and Configure scaling rules. Click Advanced Settings to configure this parameter. |
    | Simple Log Service | When enabled, writes alert data to a specified SLS Logstore. Configure Region, ProjectName, and Logstore. For details, see Getting started. Click Advanced Settings to configure this parameter. |
    | Simple Message Queue (formerly MNS) - Topic | When enabled, writes alert data to a specified MNS topic. Configure Region and topicName. For details, see Create a topic. Click Advanced Settings to configure this parameter. |
    | Method to handle alerts when no monitoring data is found | How to handle the alert state when data is unavailable. Valid values: Do not do anything (default), Send alert notifications, Treated as normal. Click Advanced Settings to configure this parameter. |
    | Tag | A name-value tag attached to the alert rule. |

After the rule is saved, find it on the Alert Rules page by selecting Web Application Firewall (WAF) from the Product drop-down list and selecting a metric dimension from the Metric drop-down list.

[Figure: Service metrics]

Note

The Metric drop-down list controls which WAF version's metrics are displayed:

  • domain: WAF 2.0 metrics

  • resource: WAF 3.0 metrics

  • Instance: Hybrid Cloud WAF metrics. Metric names that contain v3 are WAF 3.0 metrics; all others are WAF 2.0 metrics.

Configure monitoring and alerting for custom metrics

Use Simple Log Service to configure monitoring and alerting for custom metrics. For more information, see Overview.

Attack events that can be monitored by CloudMonitor

CloudMonitor can monitor web attacks, HTTP flood attacks, scan attacks, and access control events on domain names added to WAF. All WAF events have a severity level of CRITICAL.

| Event type | Event name | Description | Event status | Severity level |
| --- | --- | --- | --- | --- |
| Attack | waf_event_aclattack | An access control event occurs. | acl | Critical |
| Exceed | waf_event_bandwidth_exceed | The bandwidth exceeds the upper limit. | overrun | Critical |
| Attack | waf_event_ccattack | An HTTP flood attack occurs. | cc | Critical |
| Exceed | waf_event_qps_exceed | The number of queries per second (QPS) exceeds the upper limit. | overrun | Critical |
| Attack | waf_event_webattack | A web attack occurs. | web | Critical |
| Attack | waf_event_webscan | A scan attack occurs. | webscan | Critical |

Service metrics that can be monitored by CloudMonitor

CloudMonitor can monitor WAF service metrics for domain names added to WAF. All metrics have a domain name dimension.

| Metric | Description | Remarks |
| --- | --- | --- |
| 4XX_ratio | Proportion of HTTP 4xx status codes returned per minute. Excludes HTTP 405. | Displayed as a decimal. |
| 5XX_ratio | Proportion of HTTP 5xx status codes returned per minute. | Displayed as a decimal. |
| acl_blocks_5m | Number of requests blocked by access control policies in the previous 5 minutes. | |
| acl_rate_5m | Proportion of requests blocked by access control policies in the previous 5 minutes. | Displayed as a decimal. |
| cc_blocks_5m | Number of requests blocked by HTTP flood protection in the previous 5 minutes. | |
| cc_rate_5m | Proportion of requests blocked by HTTP flood protection in the previous 5 minutes. | Displayed as a decimal. |
| waf_blocks_5m | Number of requests blocked by web application attack prevention in the previous 5 minutes. | |
| waf_rate_5m | Proportion of requests blocked by web application attack prevention in the previous 5 minutes. | Displayed as a decimal. |
| QPS | Number of queries per second. | |
| qps_ratio | Minute-granularity growth rate of QPS. | Displayed as a percentage. |
| qps_ratio_down | Minute-granularity decrease rate of QPS. | Displayed as a percentage. |
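
A threshold entered in the wrong unit gives a rule that never fires, and the Mute Period determines how many notifications a sustained breach produces. The following added example (not Alibaba Cloud code) checks a threshold against the units in the Remarks column above and replays constructed samples through a simplified model of the Mute Period. The `>=` comparison, the function names, and the rule that a recovered metric clears the alert are assumptions.

```python
# Units are taken from the Remarks column of the service metrics table on this page.
DECIMAL = {"4XX_ratio", "5XX_ratio", "acl_rate_5m", "cc_rate_5m", "waf_rate_5m"}
PERCENT = {"qps_ratio", "qps_ratio_down"}


def lint_threshold(metric, threshold):
    """Return warnings for a '>= threshold' rule whose value does not fit the metric's unit."""
    warnings = []
    if metric in DECIMAL and threshold > 1:
        warnings.append(f"{metric}: displayed as a decimal (0-1); {threshold} can never be reached")
    if metric in PERCENT and 0 < threshold < 1:
        warnings.append(f"{metric}: displayed as a percentage; {threshold} means {threshold}%")
    return warnings


def replay(samples, threshold, mute_minutes):
    """Return the minutes at which a notification would be sent.

    samples: (minute, value) pairs; value None means no monitoring data,
    handled as "Do not do anything" (the default listed on this page).
    Assumption: a sample below the threshold clears the alert, so the next
    breach notifies immediately instead of waiting out the mute period.
    """
    sent, last_sent = [], None
    for minute, value in samples:
        if value is None:
            continue                      # no data: keep the current state
        if value < threshold:
            last_sent = None              # alert cleared
        elif last_sent is None or minute - last_sent >= mute_minutes:
            sent.append(minute)           # first breach, or mute period elapsed
            last_sent = minute
        # otherwise: still breaching inside the mute period, duplicate suppressed
    return sent


# Constructed waf_rate_5m samples (decimal values), one every 5 minutes.
SAMPLES = [(0, 0.02), (5, 0.40), (10, 0.45), (15, None),
           (20, 0.50), (25, 0.01), (30, 0.60)]

if __name__ == "__main__":
    print(lint_threshold("waf_rate_5m", 30))   # flags the unit mismatch
    print(replay(SAMPLES, 30, 15))             # rule written as "30" never fires
    print(replay(SAMPLES, 0.30, 15))           # same intent written as a decimal
    print(replay(SAMPLES, 0.30, 60))           # longer mute period, fewer notifications
```
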