All Products
Search
Document Center

Web Application Firewall:Alert configuration examples for WAF logs

Last Updated:Apr 25, 2026

This topic provides examples of alert configurations for Web Application Firewall (WAF) logs. Use these examples to add monitoring charts to a WAF log dashboard and configure alerts.

Important

The alert configuration parameters in this topic apply to the original alerting feature of Log Service. If you use the new alerting feature, you can still use the recommended query statements and parameter settings. For more information, see Alert configuration quick start.

Alert for abnormal 4xx percentage

Recommended alert parameters:

  • Chart Name: 4xx Percentage (Blocked Requests Ignored)

  • Search Statement:

    user_id: 

    This chart contains the following fields: aveQPS, 2xx ratio, 3xx ratio, 4xx ratio, and 5xx ratio, which represent the queries per second (QPS) for a domain name and the ratio of each status code type, respectively. The 4xx ratio field excludes status codes 444 and 405 that are caused by HTTP flood attacks and web attacks blocked by Web Application Firewall (WAF). This is to ensure that only status code changes caused by your own services are displayed. When you configure alert trigger conditions, you can combine these fields. For example, aveQPS>10 && 2xx ratio<60 indicates that within the specified statistical period, the QPS of the specified domain name is greater than 10 and the 2xx ratio is less than 60%.

  • Query Time Range: 5 Minutes (relative)

  • Frequency: Every 5 minutes

  • Trigger Condition: $0.countall > 3000 && $0."4xx Percentage" > 80

  • Notification Trigger Threshold: 2

  • Notification Interval: 10 minutes

  • Send Content:

    - [Time]: ${FireTime}
    - [UID]: ${Results[0].RawResults[0].user_id}
    - Domain: ${Results[0].RawResults[0].Domain}
    - Product: WAF
    - Total requests in the last 5 minutes: ${Results[0].RawResults[0].countall}
    - 2xx Percentage: ${Results[0].RawResults[0]."2xx Percentage"} %
    - 3xx Percentage: ${Results[0].RawResults[0]."3xx Percentage"} %
    - 4xx Percentage: ${Results[0].RawResults[0]."4xx Percentage"} %
    - 5xx Percentage: ${Results[0].RawResults[0]."5xx Percentage"} %

Alert for abnormal 5xx percentage

Recommended alert parameters:

  • Chart Name: 5xx Percentage

  • Search Statement:

    user_id: 
  • Query Time Range: 5 Minutes (relative)

  • Frequency: Every 5 minutes

  • Trigger Condition: $0.countall > 3000 && $0."5xx Percentage" > 80

  • Notification Trigger Threshold: 2

  • Notification Interval: 10 minutes

  • Send Content:

    - [Time]: ${FireTime}
    - [UID]: ${Results[0].RawResults[0].user_id}
    - Domain: ${Results[0].RawResults[0].Domain}
    - Product: WAF
    - Total requests in the last 5 minutes: ${Results[0].RawResults[0].countall}
    - 2xx Percentage: ${Results[0].RawResults[0]."2xx Percentage"} %
    - 3xx Percentage: ${Results[0].RawResults[0]."3xx Percentage"} %
    - 4xx Percentage: ${Results[0].RawResults[0]."4xx Percentage"} %
    - 5xx Percentage: ${Results[0].RawResults[0]."5xx Percentage"} %

Alert for abnormal QPS

Recommended alert parameters:

  • Chart Name: Top 5 QPS

  • Search Statement:

    user_id: 
  • Query Time Range: 1 Minute (relative)

  • Frequency: Every 1 minute

  • Trigger Condition: $0.aveQPS >= 50

  • Notification Trigger Threshold: 1

  • Notification Interval: 5 minutes

  • Send Content:

    - [Time]: ${FireTime}
    - [UID]: ${Results[0].RawResults[0].user_id}
    - Domain name: ${Results[0].RawResults[0].host}
    - Product: WAF
    - Average QPS in the last minute: ${Results[0].RawResults[0].aveQPS}
    - 2xx status code rate: ${Results[0].RawResults[0].Rate_2XX}%
    - 3xx status code rate: ${Results[0].RawResults[0].Rate_3XX}%
    - 4xx status code rate: ${Results[0].RawResults[0].Rate_4XX}%
    - 5xx status code rate: ${Results[0].RawResults[0].Rate_5XX}%

Alert for QPS surge

Recommended alert parameters:

  • Chart Name: QPS surge monitoring

  • Search Statement:

    user_id: 
  • Query Time Range: 1 Minute (relative)

  • Frequency: Every 1 minute

  • Trigger Condition: $0.now1mqps > 50 && $0.in_ratio > 300

  • Notification Trigger Threshold: 1

  • Notification Interval: 5 minutes

  • Send Content:

    - [Time]: ${FireTime}
    - [UID]: ${Results[0].RawResults[0].user_id}
    - Domain name: ${Results[0].RawResults[0].host}
    - Product: WAF
    - Average QPS in the last minute: ${Results[0].RawResults[0].now1mqps}
    - QPS surge rate: ${Results[0].RawResults[0].in_ratio}%
    - 2xx status code rate: ${Results[0].RawResults[0].Rate_2XX}%
    - 3xx status code rate: ${Results[0].RawResults[0].Rate_3XX}%
    - 4xx status code rate: ${Results[0].RawResults[0].Rate_4XX}%
    - 5xx status code rate: ${Results[0].RawResults[0].Rate_5XX}%

Alert for QPS drop

  • Chart Name: QPS drop monitoring

  • Search Statement:

    user_id: 

    This chart contains fields such as now1mqps (average QPS in the current minute), past1mqps (average QPS in the past minute), de_ratio (QPS decrease rate), and host. You can use these fields to set alert conditions as needed.

  • Query Time Range: 1 Minute (relative)

  • Frequency: Every 1 minute

  • Trigger Condition: $0.now1mqps > 10 && $0.de_ratio > 50

  • Notification Trigger Threshold: 2

  • Notification Interval: 5 minutes

  • Send Content:

    - [Time]: ${FireTime}
    - [UID]: ${Results[0].RawResults[0].user_id}
    - Domain name: ${Results[0].RawResults[0].host}
    - Product: WAF (International)
    - Average QPS in the last minute: ${Results[0].RawResults[0].now1mqps}
    - QPS drop rate: ${Results[0].RawResults[0].de_ratio}%
    - 2xx status code rate: ${Results[0].RawResults[0].Rate_2XX}%
    - 3xx status code rate: ${Results[0].RawResults[0].Rate_3XX}%
    - 4xx status code rate: ${Results[0].RawResults[0].Rate_4XX}%
    - 5xx status code rate: ${Results[0].RawResults[0].Rate_5XX}%

Alert for requests blocked by ACL rules

Recommended alert parameters:

  • Chart Name: Requests blocked by ACL rules

  • Search Statement:

    user_id: 
  • Query Time Range: 5 Minutes (relative)

  • Frequency: Every 5 minutes

  • Trigger Condition: $0.totalblock >= 500 && ($0."Requests Blocked by ACL Policies" >= 500)

  • Notification Trigger Threshold: 1

  • Notification Interval: 5 minutes

  • Send Content:

    - [Time]: ${FireTime}
    - [UID]: ${Results[0].RawResults[0].user_id}
    - Domain: ${Results[0].RawResults[0].host}
    - Product: WAF
    - Total blocked requests in the last 5 minutes: ${Results[0].RawResults[0].totalblock}
    - Requests blocked by ACL policies: ${Results[0].RawResults[0]."Requests Blocked by ACL Policies"}
    - Requests blocked by Protection Rules Engine: ${Results[0].RawResults[0]."Requests Blocked by Protection Rules Engine"}
    - Requests blocked by HTTP flood protection policies: ${Results[0].RawResults[0]."Requests Blocked by HTTP Flood Protection Policies"}
    - Requests blocked by scan protection policies: ${Results[0].RawResults[0]."Requests Blocked by Scan Protection Policies"}

Alert for requests blocked by protection rules

Recommended alert parameters:

  • Chart Name: Requests blocked by Protection Rules Engine

  • Search Statement:

    user_id: 
  • Query Time Range: 5 Minutes (relative)

  • Frequency: Every 5 minutes

  • Trigger Condition: $0.totalblock >= 500 && ($0."Requests Blocked by Protection Rules Engine" >= 500)

  • Notification Trigger Threshold: 1

  • Notification Interval: 5 minutes

  • Send Content:

    - [Time]: ${FireTime}
    - [UID]: ${Results[0].RawResults[0].user_id}
    - Domain: ${Results[0].RawResults[0].host}
    - Product: WAF
    - Total blocked requests in the last 5 minutes: ${Results[0].RawResults[0].totalblock}
    - Requests blocked by ACL policies: ${Results[0].RawResults[0]."Requests Blocked by ACL Policies"}
    - Requests blocked by Protection Rules Engine: ${Results[0].RawResults[0]."Requests Blocked by Protection Rules Engine"}
    - Requests blocked by HTTP flood protection policies: ${Results[0].RawResults[0]."Requests Blocked by HTTP Flood Protection Policies"}
    - Requests blocked by scan protection policies: ${Results[0].RawResults[0]."Requests Blocked by Scan Protection Policies"}

Alert for requests blocked by HTTP flood protection

Recommended alert parameters:

  • Chart Name: Requests blocked by HTTP flood protection policies

  • Search Statement:

    user_id: 
  • Query Time Range: 5 Minutes (relative)

  • Frequency: Every 5 minutes

  • Trigger Condition: $0.totalblock >= 500 && ($0."Requests Blocked by HTTP Flood Protection Policies" >= 500)

  • Notification Trigger Threshold: 1

  • Notification Interval: 5 minutes

  • Send Content: Required. The content to be sent. The content can be a variable. For example, you can set the content to ${message}. The variable must be a string. If the content is a JSON string, you must use the json_parse function to convert it into a JSON object. For example, json_parse(${message}). For more information, see JSON functions and String functions.

    - [Time]: ${FireTime}
    - [UID]: ${Results[0].RawResults[0].user_id}
    - Domain: ${Results[0].RawResults[0].host}
    - Product: WAF
    - Total blocked requests in the last 5 minutes: ${Results[0].RawResults[0].totalblock}
    - Requests blocked by ACL policies: ${Results[0].RawResults[0]."Requests Blocked by ACL Policies"}
    - Requests blocked by Protection Rules Engine: ${Results[0].RawResults[0]."Requests Blocked by Protection Rules Engine"}
    - Requests blocked by HTTP flood protection policies: ${Results[0].RawResults[0]."Requests Blocked by HTTP Flood Protection Policies"}
    - Requests blocked by scan protection policies: ${Results[0].RawResults[0]."Requests Blocked by Scan Protection Policies"}

Alert for requests blocked by scan protection

Recommended alert parameters:

  • Chart Name: Requests blocked by scan protection policies

  • Search Statement:

    user_id: 
  • Query Time Range: 5 Minutes (relative)

  • Frequency: Every 5 minutes

  • Trigger Condition: $0.totalblock >= 500 && ($0."Requests Blocked by Scan Protection Policies" >= 500)

  • Notification Trigger Threshold: 1

  • Notification Interval: 5 minutes

  • Send Content:

    - [Time]: ${FireTime}
    - [UID]: ${Results[0].RawResults[0].user_id}
    - Domain: ${Results[0].RawResults[0].host}
    - Product: WAF (International)
    - Total blocked requests in the last 5 minutes: ${Results[0].RawResults[0].totalblock}
    - Requests blocked by ACL policies: ${Results[0].RawResults[0]."Requests Blocked by ACL Policies"}
    - Requests blocked by Protection Rules Engine: ${Results[0].RawResults[0]."Requests Blocked by Protection Rules Engine"}
    - Requests blocked by HTTP flood protection policies: ${Results[0].RawResults[0]."Requests Blocked by HTTP Flood Protection Policies"}
    - Requests blocked by scan protection policies: ${Results[0].RawResults[0]."Requests Blocked by Scan Protection Policies"}

Alert for attacks from a single IP

Recommended alert parameters:

  • Chart Name: Attack volume from a single IP

  • Search Statement:

    user_id: 

    The chart includes the real_client_ip (attack IP address), blockNum (including requests blocked by ACL policies, requests blocked by the Protection Rules Engine, and requests blocked by HTTP flood protection policies), totalblock (total number of blocked requests), and allRequest (total number of requests) fields. You can use these fields to set alert conditions as needed.

  • Query Time Range: 5 Minutes (relative)

  • Frequency: Every 5 minutes

  • Trigger Condition: $0.totalblock >= 500

  • Notification Trigger Threshold: 1

  • Notification Interval: 5 minutes

  • Send Content:

    - [Time]: ${FireTime}
    - [UID]: ${Results[0].RawResults[0].user_id}
    - Product: WAF
    - Top 3 attack IP addresses in the last 5 minutes:
    - ${Results[0].RawResults[0].real_client_ip} (${Results[0].RawResults[0].blockNum})
    - ${Results[0].RawResults[1].real_client_ip} (${Results[0].RawResults[1].blockNum})
    - ${Results[0].RawResults[2].real_client_ip} (${Results[0].RawResults[2].blockNum})

Alert for a single IP attacking multiple domains

Recommended alert parameters:

  • Chart Name: Number of domains attacked by a single IP

  • Search Statement:

    user_id: 

    This chart contains fields such as real_client_ip (attack IP address), totalblock (total number of blocked requests), and domainnum (number of domain names attacked by the IP address). You can combine these fields to configure alert trigger conditions. For example, totalblock>500&& domainnum>5 indicates that the total number of blocked requests from an IP address is greater than 500 and the number of attacked domain names is greater than 5 within the specified time period.

  • Query Time Range: 5 Minutes (relative)

  • Frequency: Every 1 minute

  • Trigger Condition: [INVALID] $0.domainnum >= 10

  • Notification Trigger Threshold: 1

  • Notification Interval: 5 minutes

  • Send Content:

    - [Time]: ${FireTime}
    - [UID]: ${Results[0].RawResults[0].user_id}
    - Product: WAF
    - Attack IP Address: [INVALID FIELD: real_client_ip]
    - Number of attacked domains: [INVALID FIELD: domainnum]
    - Total attack requests in the last 5 minutes: ${Results[0].RawResults[0].totalblock}
    - Please handle this issue promptly.

Alert for abnormal average latency

Recommended alert parameters:

  • Chart Name: Average latency monitoring

  • Search Statement:

    user_id: 
  • Query Time Range: 5 Minutes (relative)

  • Frequency: Every 5 minutes

  • Trigger Condition: $0.request_time > 1000 && $0.requestnum > 30

  • Notification Trigger Threshold: 2

  • Notification Interval: 10 minutes

  • Send Content:

    - [Time]: ${FireTime}
    - [UID]: ${Results[0].RawResults[0].user_id}
    - Domain: ${Results[0].RawResults[0].host}
    - Product: WAF (International)
    - [Trigger Condition]: ${condition}
    - Top 3 domains with the longest latency in the last 5 minutes (Unit: ms):
    - Host1: ${Results[0].RawResults[0].host} Upstream Latency (ms): ${Results[0].RawResults[0].upstream_time} 
    - Host2: ${Results[0].RawResults[1].host} Upstream Latency (ms): ${Results[0].RawResults[1].upstream_time} 
    - Host3: ${Results[0].RawResults[2].host} Upstream Latency (ms): ${Results[0].RawResults[2].upstream_time}

Alert for abrupt traffic drop

Recommended alert parameters:

  • Chart Name: Traffic drop monitoring

  • Search Statement:

    user_id: 
  • Query Time Range: 1 Minute (relative)

  • Frequency: Every 1 minute

  • Trigger Condition: $0.de_ratio > 50 && $0.now1mqps > 20

  • Notification Trigger Threshold: 1

  • Notification Interval: 5 minutes

  • Send Content:

    - [Time]: ${FireTime}
    - [UID]: ${Results[0].RawResults[0].user_id}
    - Product: WAF
    - Average QPS in the last minute: ${Results[0].RawResults[0].now1mqps}
    - [Trigger condition (Drop Rate & QPS)]: ${condition}
    - QPS drop rate: ${Results[0].RawResults[0].de_ratio}%
    - 2xx status code rate: ${Results[0].RawResults[0].Rate_2XX}%
    - 3xx status code rate: ${Results[0].RawResults[0].Rate_3XX}%
    - 4xx status code rate: ${Results[0].RawResults[0].Rate_4XX}%
    - 5xx status code rate: ${Results[0].RawResults[0].Rate_5XX}%