You can configure alert rules in CloudMonitor for security events and metrics from Web Application Firewall (WAF) to monitor protected objects added to WAF. This topic describes how to configure monitoring and alerting for WAF in CloudMonitor.
Prerequisites
You have added your web services to WAF on the Onboarding page. For more information, see Add a domain name.
Create alert contacts and alert contact groups
-
Log on to the Cloud Monitor console.
-
In the left-side navigation pane, choose .
-
Create an alert contact.
-
On the Alert Contacts tab, click Create Alert Contact.
-
In the Set Alert Contact panel, configure the parameters for the alert contact.
Parameter
Description
Name
The name of the alert contact. The name must be 2 to 40 characters in length, start with a letter or a Chinese character, and can contain Chinese characters, letters, digits, periods (.), and underscores (_).
Region for notification service
The selected region stores and processes your notification service data, such as name and email address.
Mobile
SMS alerts are supported only for mobile numbers with the country and region code +86.
Email
The email address of the alert contact.
Description
A custom description.
DingTalk | Lark | WeCom | Slack Webhook (http|https)
A custom webhook URL. The URL must start with
http://orhttps://.Note-
To test the webhook URL, click Test.
-
The Webhook Test panel shows the status code and test results to verify connectivity.
-
You can also set the Callback Template Type and Language for the webhook, and then click Test again to view the results.
Language of alert notification
The default value is Automatic, meaning CloudMonitor automatically sets the notification language based on your Alibaba Cloud account's registration language.
-
-
After you verify the information, click Confirm.
-
-
Create an alert contact group.
-
On the Alert Contact Group tab, click Add Contact Group.
-
In the Add Contact Group panel, enter a name for the group, select the alert contacts to include, and then click Confirm.
-
-
Add multiple alert contacts to an alert contact group.
-
On the Alert Contacts tab, select the alert contacts to add and click Add to Contact Group.
-
In the Add to Contact Group dialog box, select the target alert contact group and click OK.
After you create alert contacts and groups, the contacts in the specified group will receive WAF alert notifications. The contacts are responsible for reviewing and handling these alerts promptly.
-
Configure WAF security event monitoring
-
In the left-side navigation pane, choose .
-
On the Subscription Policy tab, click Create Subscription Policy.
-
On the Create Subscription Policy page, configure the following parameters.
Section
Parameter
Description
Basic Info
Name
The name of the subscription policy.
Description
A description for the subscription policy.
Alert Subscription
Subscription Type
Select System Events and configure the following parameters in the Subscription Scope section.
-
Product: Select WAF.
-
Event Type: Valid values: Attack, Exceed, or Event.
-
Event name: In the drop-down list, events without the V3 suffix are supported by WAF 2.0. Events with the V3 suffix are supported by WAF 3.0.
-
Event Level: The event level for all WAF 3.0 events is CRITICAL.
You can keep the default values for the other parameters. For more information, see Manage event subscriptions (Recommended).
Combined Noise Reduction
Merge Content
Select an aggregation dimension from the Subscription Scope section of Subscription Type.
Noise Reduction
Configure how to reduce the frequency of alert notifications:
-
Trigger on condition, then suppress: After an alert triggers a specified number of times (default: 5) within a set period (default: 5 minutes), notifications are muted for the next period (default: 5 minutes).
-
Trigger directly, then suppress: Sends a notification immediately when an alert is triggered, then mutes notifications for the next period (default: 5 minutes).
-
Trigger directly, no suppression (uses system default anti-storm setting): Sends a notification immediately for each triggered alert, subject to the system's default anti-storm settings.
NoteThe default anti-storm setting is a maximum of 50 emails every 5 minutes.
Notification
Upgrade strategy
Select an existing configuration, or click Create Notification Configuration to create a new one. Then, select the alert contact group you created.
-
Name: The name of the notification configuration.
-
Notification Settings:
-
Set Notification Group Directly: Directly select an alert notification group.
-
Set the notification group by severity: Select alert notification groups based on the alert level: Critical, Warning, Notification (Info), and Resolved.
-
Custom Notification Method
Click Modify next to a notification method to change the Notification Template and Alert Level.
Push and Integration
Push Channel
The channel for pushing alert notifications. To create a push channel:
-
Click Create new push.
-
Select an existing push channel, or click Add Channel to create a new one.
For information about how to set the parameters for push channels, see Notification push channel parameters.
-
Configure WAF metric monitoring
-
Log on to the Cloud Monitor console.
-
In the left-side navigation pane, choose .
-
On the Alert Rules page, click Create Alert Rule.
-
In the Create Alert Rule panel, configure the following parameters and click Confirm.
Parameter
Description
Product
Select WAF3.0.
Resource Scope
The resources to which the alert rule applies. Valid values:
-
All Resources: The alert rule applies to all resources of WAF 3.0.
-
Application grouping: The alert rule applies to all resources within a specified application group of WAF 3.0.
-
Instance: The alert rule applies to a specified resource of WAF 3.0.
Rule Description
The condition that triggers an alert. To add a condition:
-
Click Add Rule.
-
In the Configure Rule Description panel, set parameters such as the rule name, metric type, metric, threshold, and alert level. Click OK.
NoteFor more information about the WAF 3.0 metrics that you can monitor, see Supported metrics.
Mute Period
The mute period after an alert is triggered. Valid values: 1 minute, 5 minutes, 15 minutes, 30 minutes, 60 minutes, 3 hours, 6 hours, 12 hours, and 24 hours.
When a metric crosses its threshold, CloudMonitor sends an alert. During the subsequent mute period, no more alerts are sent for that metric. If the metric still exceeds the threshold after the mute period expires, CloudMonitor sends another notification.
Effective Period
The period when the alert rule is active. CloudMonitor only evaluates the rule and sends alerts during this time.
Alert Contact Group
Select the alert contact group to which notifications will be sent. For more information, see Create alert contacts and alert contact groups.
Alert Callback
A publicly accessible URL to which CloudMonitor sends alert information by using POST requests. Only the HTTP protocol is supported. For more information about how to configure an alert callback, see Use alert callbacks for threshold-triggered alerts.
NoteClick Advanced Settings to configure this parameter.
Auto Scaling
If you enable Auto Scaling, the corresponding scaling rule is triggered when an alert occurs. You need to configure the Region, ESS Group, and ESS Rule for Auto Scaling.
-
For more information about how to create a scaling group, see Manage scaling groups.
-
For more information about how to create a scaling rule, see Manage scaling rules.
NoteClick Advanced Settings to configure this parameter.
Simple Log Service
If you enable the Simple Log Service switch, alert information is written to a Logstore in Log Service when an alert is triggered. You must specify the Region, ProjectName, and Logstore for Log Service. For more information about how to create a Project and a Logstore, see Collect and analyze ECS text logs by using LoongCollector.
NoteClick Advanced Settings to configure this parameter.
Simple Message Queue (formerly MNS) - Topic
If you enable Simple Message Queue (formerly MNS) - Topic, alert information is written to a topic in Simple Message Queue (MNS) when an alert occurs. You need to set the region and topic for Simple Message Queue (MNS). For more information about how to create a topic, see Create a topic.
NoteClick Advanced Settings to configure this parameter.
NoDataPolicy
Specifies how to handle cases where no monitoring data is reported. Valid values:
-
Do not do anything (Default)
-
Send alert notifications
-
Treat as normal
NoteClick Advanced Settings to configure this parameter.
Tag
The tag of the alert rule, which consists of a key-value pair.
After the rule is created, you can find it on the Alert Rules page. To find the rule, select Product from the WAF3.0 drop-down list. Then, under Metric Name, use the Metric Name tab to filter by metric.
NoteThe WAF metrics that can be monitored are described as follows:
-
Metrics on the domain tab are for WAF 2.0.
-
Metrics on the resource tab are for WAF 3.0. For more information about WAF 3.0 metrics, see Supported metrics.
-
Metrics on the Instance tab are for Hybrid Cloud WAF. Metrics without a V3 suffix are for WAF 2.0, while those with a V3 suffix are for WAF 3.0.
-
Supported security events
CloudMonitor supports monitoring and alerting for the following security events that occur on protected objects in WAF.
|
Event type |
Event name |
Event level |
Trigger logic |
|
Attack |
Access Control Event V3 (Custom rule) |
Critical |
To ensure accurate event monitoring and statistical analysis, a sliding window method is used. A 10-minute sliding window is used, and statistics are updated every minute. The statistic for each minute represents the number of blocked requests in that minute. An event starts when the following conditions are met:
An event ends when the following condition is met:
|
|
Attack |
HTTP Flood Attack Event V3 |
||
|
Attack |
Web Attack Event V3 |
||
|
Attack |
Scan Protection Event V3 |
||
|
Exceed |
QPS Exceeded Event V3 |
Triggered when the QPS limit is exceeded. For more information, see WAF editions. |
|
|
Exceed |
Billing Protection Triggered Event V3 |
Triggered when the traffic billing protection threshold is exceeded. |
|
|
Event |
API Security Event V3 |
Triggered by a High risk API detection or a High risk security event. |
Supported metrics
CloudMonitor lets you configure alerts for the following WAF metrics to monitor for anomalies. You can customize the conditions that trigger these alerts.
Protected objects that are manually added by using the Add Protected Object method do not support traffic-related monitoring metrics, such as 4XX_ratio_v3, 5XX_ratio_v3, QPS_V3, qps_ratio_v3, or qps_ratio_down_v3.
|
Metric |
Dimension |
Description |
Remarks |
|
4XX_ratio_v3 |
protected object |
The percentage of 4xx status codes per minute (excluding 405). |
The value is a decimal. |
|
5XX_ratio_v3 |
protected object |
The percentage of 5xx status codes per minute. |
The value is a decimal. |
|
acl_blocks_5m_v3 |
protected object |
Number of requests blocked by access control rules in the last 5 minutes. |
None |
|
acl_rate_5m_v3 |
protected object |
Percentage of requests blocked by access control rules in the last 5 minutes. |
The value is a decimal. |
|
cc_blocks_5m_v3 |
protected object |
Number of requests blocked by HTTP flood protection rules in the last 5 minutes. |
None |
|
cc_rate_5m_v3 |
protected object |
Percentage of requests blocked by HTTP flood protection rules in the last 5 minutes. |
The value is a decimal. |
|
waf_blocks_5m_v3 |
protected object |
Number of requests blocked by web attack protection rules in the last 5 minutes. |
None |
|
waf_rate_5m_v3 |
protected object |
Percentage of requests blocked by web attack protection rules in the last 5 minutes. |
The value is a decimal. |
|
QPS_V3 |
protected object |
Queries per second (QPS). |
None |
|
qps_ratio_v3 |
protected object |
Minute-over-minute QPS growth rate. |
The value is a percentage. |
|
qps_ratio_down_v3 |
protected object |
Minute-over-minute QPS decrease rate. |
The value is a percentage. |
References
API Security only pushes high-severity alerts through CloudMonitor. To push low or medium-severity alerts, see Best practices for pushing API Security alerts.