All Products
Search
Document Center

Web Application Firewall:Configure CloudMonitor notifications

Last Updated:Apr 02, 2026

You can configure alert rules in CloudMonitor for security events and metrics from Web Application Firewall (WAF) to monitor protected objects added to WAF. This topic describes how to configure monitoring and alerting for WAF in CloudMonitor.

Prerequisites

You have added your web services to WAF on the Onboarding page. For more information, see Add a domain name.

Create alert contacts and alert contact groups

  1. Log on to the Cloud Monitor console.

  2. In the left-side navigation pane, choose Alerts > Alert Contacts.

  3. Create an alert contact.

    1. On the Alert Contacts tab, click Create Alert Contact.

    2. In the Set Alert Contact panel, configure the parameters for the alert contact.

      Parameter

      Description

      Name

      The name of the alert contact. The name must be 2 to 40 characters in length, start with a letter or a Chinese character, and can contain Chinese characters, letters, digits, periods (.), and underscores (_).

      Region for notification service

      The selected region stores and processes your notification service data, such as name and email address.

      Mobile

      SMS alerts are supported only for mobile numbers with the country and region code +86.

      Email

      The email address of the alert contact.

      Description

      A custom description.

      DingTalk | Lark | WeCom | Slack Webhook (http|https)

      A custom webhook URL. The URL must start with http:// or https://.

      Note
      • To test the webhook URL, click Test.

      • The Webhook Test panel shows the status code and test results to verify connectivity.

      • You can also set the Callback Template Type and Language for the webhook, and then click Test again to view the results.

      Language of alert notification

      The default value is Automatic, meaning CloudMonitor automatically sets the notification language based on your Alibaba Cloud account's registration language.

    3. After you verify the information, click Confirm.

  4. Create an alert contact group.

    1. On the Alert Contact Group tab, click Add Contact Group.

    2. In the Add Contact Group panel, enter a name for the group, select the alert contacts to include, and then click Confirm.

  5. Add multiple alert contacts to an alert contact group.

    1. On the Alert Contacts tab, select the alert contacts to add and click Add to Contact Group.

    2. In the Add to Contact Group dialog box, select the target alert contact group and click OK.

    After you create alert contacts and groups, the contacts in the specified group will receive WAF alert notifications. The contacts are responsible for reviewing and handling these alerts promptly.

Configure WAF security event monitoring

  1. In the left-side navigation pane, choose Event Center > Event Subscription.

  2. On the Subscription Policy tab, click Create Subscription Policy.

  3. On the Create Subscription Policy page, configure the following parameters.

    Section

    Parameter

    Description

    Basic Info

    Name

    The name of the subscription policy.

    Description

    A description for the subscription policy.

    Alert Subscription

    Subscription Type

    Select System Events and configure the following parameters in the Subscription Scope section.

    • Product: Select WAF.

    • Event Type: Valid values: Attack, Exceed, or Event.

    • Event name: In the drop-down list, events without the V3 suffix are supported by WAF 2.0. Events with the V3 suffix are supported by WAF 3.0.

    • Event Level: The event level for all WAF 3.0 events is CRITICAL.

    You can keep the default values for the other parameters. For more information, see Manage event subscriptions (Recommended).

    Combined Noise Reduction

    Merge Content

    Select an aggregation dimension from the Subscription Scope section of Subscription Type.

    Noise Reduction

    Configure how to reduce the frequency of alert notifications:

    • Trigger on condition, then suppress: After an alert triggers a specified number of times (default: 5) within a set period (default: 5 minutes), notifications are muted for the next period (default: 5 minutes).

    • Trigger directly, then suppress: Sends a notification immediately when an alert is triggered, then mutes notifications for the next period (default: 5 minutes).

    • Trigger directly, no suppression (uses system default anti-storm setting): Sends a notification immediately for each triggered alert, subject to the system's default anti-storm settings.

      Note

      The default anti-storm setting is a maximum of 50 emails every 5 minutes.

    Notification

    Upgrade strategy

    Select an existing configuration, or click Create Notification Configuration to create a new one. Then, select the alert contact group you created.

    • Name: The name of the notification configuration.

    • Notification Settings:

      • Set Notification Group Directly: Directly select an alert notification group.

      • Set the notification group by severity: Select alert notification groups based on the alert level: Critical, Warning, Notification (Info), and Resolved.

    Custom Notification Method

    Click Modify next to a notification method to change the Notification Template and Alert Level.

    Push and Integration

    Push Channel

    The channel for pushing alert notifications. To create a push channel:

    1. Click Create new push.

    2. Select an existing push channel, or click Add Channel to create a new one.

      For information about how to set the parameters for push channels, see Notification push channel parameters.

Configure WAF metric monitoring

  1. Log on to the Cloud Monitor console.

  2. In the left-side navigation pane, choose Alerts > Alert Rules.

  3. On the Alert Rules page, click Create Alert Rule.

  4. In the Create Alert Rule panel, configure the following parameters and click Confirm.

    Parameter

    Description

    Product

    Select WAF3.0.

    Resource Scope

    The resources to which the alert rule applies. Valid values:

    • All Resources: The alert rule applies to all resources of WAF 3.0.

    • Application grouping: The alert rule applies to all resources within a specified application group of WAF 3.0.

    • Instance: The alert rule applies to a specified resource of WAF 3.0.

    Rule Description

    The condition that triggers an alert. To add a condition:

    1. Click Add Rule.

    2. In the Configure Rule Description panel, set parameters such as the rule name, metric type, metric, threshold, and alert level. Click OK.

      Note

      For more information about the WAF 3.0 metrics that you can monitor, see Supported metrics.

    Mute Period

    The mute period after an alert is triggered. Valid values: 1 minute, 5 minutes, 15 minutes, 30 minutes, 60 minutes, 3 hours, 6 hours, 12 hours, and 24 hours.

    When a metric crosses its threshold, CloudMonitor sends an alert. During the subsequent mute period, no more alerts are sent for that metric. If the metric still exceeds the threshold after the mute period expires, CloudMonitor sends another notification.

    Effective Period

    The period when the alert rule is active. CloudMonitor only evaluates the rule and sends alerts during this time.

    Alert Contact Group

    Select the alert contact group to which notifications will be sent. For more information, see Create alert contacts and alert contact groups.

    Alert Callback

    A publicly accessible URL to which CloudMonitor sends alert information by using POST requests. Only the HTTP protocol is supported. For more information about how to configure an alert callback, see Use alert callbacks for threshold-triggered alerts.

    Note

    Click Advanced Settings to configure this parameter.

    Auto Scaling

    If you enable Auto Scaling, the corresponding scaling rule is triggered when an alert occurs. You need to configure the Region, ESS Group, and ESS Rule for Auto Scaling.

    Note

    Click Advanced Settings to configure this parameter.

    Simple Log Service

    If you enable the Simple Log Service switch, alert information is written to a Logstore in Log Service when an alert is triggered. You must specify the Region, ProjectName, and Logstore for Log Service. For more information about how to create a Project and a Logstore, see Collect and analyze ECS text logs by using LoongCollector.

    Note

    Click Advanced Settings to configure this parameter.

    Simple Message Queue (formerly MNS) - Topic

    If you enable Simple Message Queue (formerly MNS) - Topic, alert information is written to a topic in Simple Message Queue (MNS) when an alert occurs. You need to set the region and topic for Simple Message Queue (MNS). For more information about how to create a topic, see Create a topic.

    Note

    Click Advanced Settings to configure this parameter.

    NoDataPolicy

    Specifies how to handle cases where no monitoring data is reported. Valid values:

    • Do not do anything (Default)

    • Send alert notifications

    • Treat as normal

    Note

    Click Advanced Settings to configure this parameter.

    Tag

    The tag of the alert rule, which consists of a key-value pair.

    After the rule is created, you can find it on the Alert Rules page. To find the rule, select Product from the WAF3.0 drop-down list. Then, under Metric Name, use the Metric Name tab to filter by metric.

    Note

    The WAF metrics that can be monitored are described as follows:

    • Metrics on the domain tab are for WAF 2.0.

    • Metrics on the resource tab are for WAF 3.0. For more information about WAF 3.0 metrics, see Supported metrics.

    • Metrics on the Instance tab are for Hybrid Cloud WAF. Metrics without a V3 suffix are for WAF 2.0, while those with a V3 suffix are for WAF 3.0.

Supported security events

CloudMonitor supports monitoring and alerting for the following security events that occur on protected objects in WAF.

Event type

Event name

Event level

Trigger logic

Attack

Access Control Event V3

(Custom rule)

Critical

To ensure accurate event monitoring and statistical analysis, a sliding window method is used.

A 10-minute sliding window is used, and statistics are updated every minute. The statistic for each minute represents the number of blocked requests in that minute.

An event starts when the following conditions are met:

  • The current number of blocked requests is greater than 600.

  • The current number of blocked requests is more than three standard deviations above the average of the past 11 minutes.

An event ends when the following condition is met:

  • The current number of blocked requests is below the average of the past 11 minutes.

Attack

HTTP Flood Attack Event V3

Attack

Web Attack Event V3

Attack

Scan Protection Event V3

Exceed

QPS Exceeded Event V3

Triggered when the QPS limit is exceeded. For more information, see WAF editions.

Exceed

Billing Protection Triggered Event V3

Triggered when the traffic billing protection threshold is exceeded.

Event

API Security Event V3

Triggered by a High risk API detection or a High risk security event.

Supported metrics

CloudMonitor lets you configure alerts for the following WAF metrics to monitor for anomalies. You can customize the conditions that trigger these alerts.

Note

Protected objects that are manually added by using the Add Protected Object method do not support traffic-related monitoring metrics, such as 4XX_ratio_v3, 5XX_ratio_v3, QPS_V3, qps_ratio_v3, or qps_ratio_down_v3.

Metric

Dimension

Description

Remarks

4XX_ratio_v3

protected object

The percentage of 4xx status codes per minute (excluding 405).

The value is a decimal.

5XX_ratio_v3

protected object

The percentage of 5xx status codes per minute.

The value is a decimal.

acl_blocks_5m_v3

protected object

Number of requests blocked by access control rules in the last 5 minutes.

None

acl_rate_5m_v3

protected object

Percentage of requests blocked by access control rules in the last 5 minutes.

The value is a decimal.

cc_blocks_5m_v3

protected object

Number of requests blocked by HTTP flood protection rules in the last 5 minutes.

None

cc_rate_5m_v3

protected object

Percentage of requests blocked by HTTP flood protection rules in the last 5 minutes.

The value is a decimal.

waf_blocks_5m_v3

protected object

Number of requests blocked by web attack protection rules in the last 5 minutes.

None

waf_rate_5m_v3

protected object

Percentage of requests blocked by web attack protection rules in the last 5 minutes.

The value is a decimal.

QPS_V3

protected object

Queries per second (QPS).

None

qps_ratio_v3

protected object

Minute-over-minute QPS growth rate.

The value is a percentage.

qps_ratio_down_v3

protected object

Minute-over-minute QPS decrease rate.

The value is a percentage.

References

API Security only pushes high-severity alerts through CloudMonitor. To push low or medium-severity alerts, see Best practices for pushing API Security alerts.