When attacks spike or anomalies appear on protected objects, CloudMonitor can notify your team immediately. This topic explains how to create alert rules for WAF security events and traffic metrics so that the right people are alerted the moment a threshold is crossed.
Prerequisites
Before you begin, ensure that you have:
Web services added to WAF on the Website Configuration page. For more information, see Website configuration overview.
Set up alert contacts
Before creating alert rules, set up who receives the notifications.
Log on to the CloudMonitor console.
In the left-side navigation pane, choose Alerts > Alert Contacts.
On the Alert Contacts tab, click Create Alert Contact.
In the Set Alert Contact panel, enter the name, email address, and webhook URL of the alert contact. Keep the default values for all other parameters.
Keep Language of Alert Notifications set to Automatic. CloudMonitor then selects the notification language based on the language used to create your Alibaba Cloud account.
Click OK.
On the Alert Contact Group tab, click Create Alert Contact Group.
In the Create Alert Contact Group panel, enter a name for the group, select the alert contacts to add, and click Confirm. Alternatively, to add multiple contacts to an existing group, go back to the Alert Contacts tab, select the contacts, click Add to Contact Group, choose the target group, and click OK.
After completing this setup, the contacts in the group will receive alert notifications for any rules you assign the group to.
Configure alerts for WAF security events
Use event-triggered alert rules to get notified when WAF detects attacks, QPS limit overages, or API security risks on your protected objects.
How detection works
For Attack-type events, WAF uses a sliding window algorithm: a 10-minute window with statistics collected every minute. An alert fires when both conditions are met simultaneously:
The number of blocked attacks in the current minute exceeds 600.
The blocked count in the current minute is more than three standard deviations above the average of the previous 11 minutes.
The alert clears when the blocked count in the current minute drops below the 11-minute average. This design filters out brief spikes and fires only on sustained attack surges, reducing alert fatigue.
Exceed and Event-type events use threshold-based triggers. For details, see Security events that can be detected.
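To make the Attack-type trigger concrete, the following added example (not code from the page or from CloudMonitor) replays the rule as the page states it over a constructed series of per-minute blocked counts: a full baseline of previous minutes is required, the alert fires only when the current minute is both above 600 and more than three standard deviations above the baseline mean, and it clears when the count drops below that mean. The class name, the use of the population standard deviation, and the sample data are assumptions.

```python
import statistics
from collections import deque


class AttackSurgeDetector:
    """Replays the sliding-window rule described on the page for one protected object.

    Assumed reading of the rule: keep per-minute blocked counts, fire when the
    current minute exceeds MIN_BLOCKS and exceeds the mean of the previous
    HISTORY minutes by more than SIGMAS standard deviations, and clear when the
    current minute drops below that mean.
    """

    HISTORY = 11      # previous minutes used for the mean / standard deviation
    MIN_BLOCKS = 600  # absolute floor so quiet objects never fire on statistical noise
    SIGMAS = 3.0      # population standard deviation is an assumption

    def __init__(self):
        self.history = deque(maxlen=self.HISTORY)
        self.active = False  # True while an alert is open

    def update(self, blocked):
        """Feed one minute's blocked count; return 'fire', 'clear' or None."""
        result = None
        if len(self.history) == self.HISTORY:  # a full baseline is needed first
            mean = statistics.fmean(self.history)
            stdev = statistics.pstdev(self.history)
            if not self.active:
                if blocked > self.MIN_BLOCKS and blocked > mean + self.SIGMAS * stdev:
                    self.active = True
                    result = "fire"
            elif blocked < mean:
                self.active = False
                result = "clear"
        self.history.append(blocked)
        return result


def replay(series):
    """Run the detector over per-minute counts; return [(minute_index, event)]."""
    detector = AttackSurgeDetector()
    events = []
    for minute, blocked in enumerate(series):
        event = detector.update(blocked)
        if event:
            events.append((minute, event))
    return events


# Constructed sample: 11 quiet minutes, a two-minute surge, then a return to normal.
SAMPLE = [100, 120, 90, 110, 105, 95, 115, 100, 110, 98, 107, 700, 800, 50]

if __name__ == "__main__":
    print(replay(SAMPLE))  # [(11, 'fire'), (13, 'clear')]
```

The second surge minute produces no new notification because the alert is already open; a busy object whose baseline already sits around 500 blocks per minute does not fire at 650 because that value is within three standard deviations of its own mean.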
Create a security event alert rule
Log on to the CloudMonitor console.
In the left-side navigation pane, choose Event Center > System Event.
On the Event Monitoring tab, click Old Event Alarm Rules in the upper-right corner, then click Create Alert Rule. In the dialog box that appears, choose Alert rules for legacy system events are still created.
In the Create/Modify Event-triggered Alert Rule panel, configure the parameters described in the following table, then click OK.
| Parameter | Description |
|---|---|
| Alert rule name | A name for the alert rule. |
| Product type | The Alibaba Cloud service to monitor. Select WAF. |
| Event type | The category of security events to monitor. Valid values: Attack, Exceed, and Event. |
| Event level | The severity level of the events. All WAF 3.0 security events have a severity level of CRITICAL. |
| Event name | The specific security event to monitor. In the drop-down list, events whose names contain v3 are WAF 3.0 events; the others are WAF 2.0 events. For the full list, see Security events that can be detected. |
| Keyword filtering | An optional content filter. Contains any of the keywords: CloudMonitor sends a notification when the event content includes any of the specified keywords. Does not contain any of the keywords: CloudMonitor sends a notification when none of the specified keywords appear in the event content. |
| SQLFilter | An optional SQL statement for advanced filtering. |
| Resource range | The scope of resources the rule covers. Valid values: All Resources and Application Groups. |
| Notification method | The alert contact group and severity-based notification channels: Critical (text message + email + webhook), Warning (text message + email + webhook), or Info (email + webhook). |
| SMQ | The Simple Message Queue (formerly MNS, also called SMQ) queue to deliver alerts to. |
| Function Compute | The Function Compute function to deliver alerts to. |
| URL callback | A publicly accessible HTTP URL to receive alert notifications via POST requests. For configuration details, see Configure callbacks for system event-triggered alerts (old). |
| Simple Log Service | The Simple Log Service Logstore to deliver alerts to. |
| Mute For | The minimum interval between repeated notifications for an unresolved alert. Valid values: 5 Minutes, 15 Minutes, 30 Minutes, 60 Minutes, 3 Hours, 6 Hours, 12 Hours, and 24 Hours. |
After saving the rule, contacts in the assigned group receive notifications whenever WAF detects a matching security event.
To query recent security events, go to the Event Monitoring tab, select WAF from the cloud service drop-down list, and select an event name containing v3 from the Select Event Name drop-down list. Click Search to view WAF 3.0 security events.
After you receive an alert
When you receive a security event notification, go to the WAF console and review the Security Events page for the affected protected object. Check the event type, attack source IPs, and request patterns to determine whether the traffic represents a real attack or a legitimate traffic surge, and take action accordingly.
Configure alerts for WAF metrics
Use threshold-based alert rules to monitor traffic and blocking metrics — such as QPS growth, 4xx/5xx error rates, and block counts — on protected objects.
Log on to the CloudMonitor console.
In the left-side navigation pane, choose Alerts > Alert Rules.
On the Alert Rules page, click Create Alert Rule.
In the Create Alert Rule panel, configure the parameters described in the following table, then click Confirm.
| Parameter | Description |
|---|---|
| Product | The Alibaba Cloud service to monitor. Select WAF3.0. |
| Resource range | The scope of resources the rule covers. All Resources: applies to all WAF 3.0 resources. Application Groups: applies to resources in a specified application group. Instances: applies to specific WAF 3.0 resources. |
| Rule description | The metric condition that triggers the alert. Click Add Rule, configure the alert rule, metric type, metric, threshold, and alert level in the Configure Rule Description panel, then click OK. For available WAF 3.0 metrics, see Metrics that can be monitored. |
| Mute For | The minimum interval between repeated notifications for an unresolved alert. Valid values: 1 Minutes, 5 Minutes, 15 Minutes, 30 Minutes, 60 Minutes, 3 Hours, 6 Hours, 12 Hours, and 24 Hours. An alert fires when the metric condition is met. If the condition is met again before the mute period ends, CloudMonitor does not resend the notification. After the mute period ends, CloudMonitor resends the notification if the alert is still unresolved. |
| Effective period | The time window during which the rule is active. CloudMonitor monitors the resources and generates alerts only within this period. |
| Alert contact group | The alert contact groups to notify. For setup instructions, see Set up alert contacts. |
| Alert callback | A publicly accessible HTTP URL to receive alert notifications via POST requests. Click Advanced Settings to configure. For configuration details, see Use the alert callback feature to send notifications about threshold-triggered alerts. |
| Auto Scaling | When enabled, triggers a scaling rule when an alert fires. Click Advanced Settings and configure the Region, ESS Group, and ESS Rule parameters. For details, see Manage scaling groups and Manage scaling rules. |
| Log Service | When enabled, writes alert information to a Simple Log Service Logstore when an alert fires. Click Advanced Settings and configure the Region, ProjectName, and Logstore parameters. For details, see Getting started. |
| Simple Message Queue (formerly MNS) - Topic | When enabled, writes alert information to a Simple Message Queue (formerly MNS) topic when an alert fires. Click Advanced Settings and configure the Region and topicName parameters. For details, see Create a topic. |
| Method to handle alerts when no monitoring data is found | The behavior when no metric data exists. Valid values: Do not do anything (default), Send alert notifications, and Treated as normal. Click Advanced Settings to configure. |
| Tag | A tag to attach to the alert rule, consisting of a tag name and a tag value. |
After saving the rule, it appears on the Alert Rules page. To find rules for a specific WAF metric, select WAF3.0 from the Product drop-down list, then select resource from the Metric Name drop-down list and choose the metric from the list on the right.
The value you select from the Metric Name drop-down list determines which WAF version's metrics appear:
domain: WAF 2.0 metrics
resource: WAF 3.0 metrics
Instance: Hybrid Cloud WAF metrics (metrics containing v3 are WAF 3.0 metrics; the others are WAF 2.0 metrics)
Security events that can be detected
The following table lists the WAF 3.0 security events available for event-triggered alert rules.
| Event type | Event name | Severity | Trigger condition |
|---|---|---|---|
| Attack | wafv3_event_aclattack (custom rule) | CRITICAL | Uses a 10-minute sliding window with per-minute statistics. Fires when the current minute's blocked attack count exceeds 600 and exceeds the 11-minute average by more than three standard deviations. Clears when the blocked count falls below the 11-minute average. |
| Attack | wafv3_event_ccattack | CRITICAL | Same mechanism as above. |
| Attack | wafv3_event_webattack | CRITICAL | Same mechanism as above. |
| Attack | wafv3_event_webscan | CRITICAL | Same mechanism as above. |
| Exceed | xray_wafv3_event_qps_exceed | — | Fires when the QPS limit of your WAF edition is exceeded. For edition limits, see Editions. |
| Exceed | xray_wafv3_event_cost_protection | — | Fires when the traffic billing protection threshold is exceeded. |
| Event | wafv3_event_apisec | — | Fires when the API security module detects high risks or high-risk events. |
Metrics that can be monitored
The following metrics are available for threshold-based alert rules. All metrics are scoped to the protected object dimension.
Protected objects that are manually added in WAF do not support the following traffic-related metrics: 4XX_ratio_v3, 5XX_ratio_v3, qps_v3, qps_ratio_v3, and qps_ratio_down_v3.
| Metric | Description | Unit/format |
|---|---|---|
| 4XX_ratio_v3 | Proportion of HTTP 4xx responses per minute. HTTP 405 responses are excluded. | Decimal (e.g., 0.05 = 5%) |
| 5XX_ratio_v3 | Proportion of HTTP 5xx responses per minute. | Decimal |
| acl_blocks_5m_v3 | Number of requests blocked by access control rules in the previous 5 minutes. | Count |
| acl_rate_5m_v3 | Proportion of requests blocked by access control rules in the previous 5 minutes. | Decimal |
| cc_blocks_5m_v3 | Number of requests blocked by HTTP flood protection rules in the previous 5 minutes. | Count |
| cc_rate_5m_v3 | Proportion of requests blocked by HTTP flood protection rules in the previous 5 minutes. | Decimal |
| waf_blocks_5m_v3 | Number of requests blocked by web application attack prevention rules in the previous 5 minutes. | Count |
| waf_rate_5m_v3 | Proportion of requests blocked by web application attack prevention rules in the previous 5 minutes. | Decimal |
| QPS_V3 | Queries per second (QPS). | Count |
| qps_ratio_v3 | Per-minute QPS growth rate. | Percentage |
| qps_ratio_down_v3 | Per-minute QPS decrease rate. | Percentage |
What's next
To push low- and medium-risk API security alerts (CloudMonitor only covers high-risk alerts), see Best practices for pushing API security alerts.