Use these alert configuration examples to monitor your WAF-protected domains for traffic anomalies, attacks, and performance degradation. Each example includes a ready-to-use SQL query statement, recommended parameter values, and a notification content template.
These examples apply to the original alerting feature in Simple Log Service. If you use the new alerting feature, adapt the query statements and parameter settings here alongside the guidance in Configure an alert monitoring rule in Simple Log Service.
Alert categories
The examples cover two categories of alerts:
Traffic health — abnormal status code rates, QPS spikes or drops, latency increases, and traffic drops. Suitable for operations and reliability teams.
Attack activity — blocked request counts by protection type and attack source IP addresses. Suitable for security teams.
Abnormal percentage of 4xx status codes
This alert fires when a high proportion of requests to a domain return 4xx status codes, excluding WAF-generated 444 and 405 responses (triggered by HTTP flood or web attacks) to focus on application-side errors.
Recommended parameters:
| Parameter | Value |
|---|---|
| Chart name | Percentage of 4xx status codes. Blocked requests are not counted. |
| Time range | 5 minutes (relative) |
| Frequency | 5 minutes |
| Trigger condition | $0.countall>3000&& $0.Percentage of 4xx status codes>80 |
| Notification triggering threshold | 2 |
| Notification interval | 10 minutes |
Query statement:
user_id: ID of your Alibaba Cloud account
and not real_client_ip: Blocked IP addresses |
SELECT
user_id,
host AS "Domain name",
Rate_2XX AS "Percentage of 2xx status codes",
Rate_3XX AS "Percentage of 3xx status codes",
Rate_4XX AS "Percentage of 4xx status codes",
Rate_5XX AS "Percentage of 5xx status codes",
countall AS "aveQPS",
status_2XX,
status_3XX,
status_4XX,
status_5XX,
countall
FROM(
SELECT
user_id,
host,
round(
round(status_2XX * 1.0000 / countall, 4) * 100,
2
) AS Rate_2XX,
round(
round(status_3XX * 1.0000 / countall, 4) * 100,
2
) AS Rate_3XX,
round(
round (status_4XX * 1.0000 / countall, 4) * 100,
2
) AS Rate_4XX,
round(
round(status_5XX * 1.0000 / countall, 4) * 100,
2
) AS Rate_5XX,
status_2XX,
status_3XX,
status_4XX,
status_5XX,
countall
FROM(
SELECT
user_id,
host,
count_if(
status >= 200
and status < 300
) AS status_2XX,
count_if(
status >= 300
and status < 400
) AS status_3XX,
count_if(
status >= 400
and status < 500
and status <> 444
and status <> 405
) AS status_4XX,
count_if(
status >= 500
and status < 600
) AS status_5XX,
COUNT(*) AS countall
FROM log
GROUP BY
host,
user_id
)
)
WHERE
countall > 120
ORDER BY
Rate_4XX DESC
LIMIT
5
The chart includes the fields aveQPS, Percentage of 2xx status codes, Percentage of 3xx status codes, Percentage of 4xx status codes, and Percentage of 5xx status codes. aveQPS is the average queries per second (QPS) for the domain. Select one or more fields to build your trigger condition. For example, aveQPS>10 && Percentage of 2xx status codes<60 fires when a domain's QPS exceeds 10 and fewer than 60% of requests return 2xx in the same window.
Notification content template:
- [Time]: ${FireTime}
- [Uid]:${Results[0].RawResults[0].user_id}
- Domain name: ${Results[0].RawResults[0].Domain name}
- Service: WAF
- Requests in the last 5 minutes:${Results[0].RawResults[0].countall}
- Percentage of 2xx status codes: ${Results[0].RawResults[0].Percentage of 2xx status codes} %
- Percentage of 3xx status codes: ${Results[0].RawResults[0].Percentage of 3xx status codes} %
- Percentage of 4xx status codes: ${Results[0].RawResults[0].Percentage of 4xx status codes} %
- Percentage of 5xx status codes: ${Results[0].RawResults[0].Percentage of 5xx status codes} %
When you receive this alert: Check whether a recent deployment or configuration change introduced application errors. If the 2xx rate dropped simultaneously, investigate origin server health.
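The arithmetic of the 4xx and 5xx queries above, reproduced in Python as an added example (this is not code from the page or from the WAF product; the hosts and rows are constructed sample data and the function names are this example's own). It shows the effect of the 444/405 exclusion: without it, requests that WAF itself blocked during an HTTP flood would inflate the 4xx share and make an attack that is being handled look like an application failure, and it applies the same countall > 120 guard and the trigger condition from the parameter table.

```python
"""Status-code rate check, added to illustrate the 4xx/5xx alert queries."""
from collections import Counter

# Constructed sample rows for one 5-minute window (not real WAF log data).
# 444 and 405 are the codes WAF itself returns for requests it blocks.
SAMPLE_LOG = (
    [{"host": "shop.example.com", "status": 200}] * 50
    + [{"host": "shop.example.com", "status": 404}] * 30
    + [{"host": "shop.example.com", "status": 444}] * 120
    + [{"host": "api.example.com", "status": 200}] * 90
    + [{"host": "api.example.com", "status": 500}] * 10
)

WAF_BLOCK_CODES = {444, 405}


def status_class_counts(rows, exclude_waf_blocks=True):
    """Per-host status_2XX..status_5XX and countall, like the innermost subquery.

    With exclude_waf_blocks=True, 444 and 405 are left out of status_4XX but
    still counted in countall, which is what the page's count_if filter does.
    """
    per_host = {}
    for row in rows:
        counts = per_host.setdefault(row["host"], Counter())
        status = row["status"]
        counts["countall"] += 1
        if 200 <= status < 300:
            counts["status_2XX"] += 1
        elif 300 <= status < 400:
            counts["status_3XX"] += 1
        elif 400 <= status < 500:
            if not (exclude_waf_blocks and status in WAF_BLOCK_CODES):
                counts["status_4XX"] += 1
        elif 500 <= status < 600:
            counts["status_5XX"] += 1
    return per_host


def rate(part, total):
    """Same double rounding as the query: round(round(part/total, 4) * 100, 2)."""
    return round(round(part / total, 4) * 100, 2)


def status_rates(rows, exclude_waf_blocks=True, min_count=120):
    """Per-host percentages for hosts with more than min_count requests
    (the query's WHERE countall > 120 guard against tiny, noisy samples)."""
    result = {}
    for host, c in status_class_counts(rows, exclude_waf_blocks).items():
        if c["countall"] <= min_count:
            continue
        result[host] = {
            "countall": c["countall"],
            "Rate_2XX": rate(c["status_2XX"], c["countall"]),
            "Rate_3XX": rate(c["status_3XX"], c["countall"]),
            "Rate_4XX": rate(c["status_4XX"], c["countall"]),
            "Rate_5XX": rate(c["status_5XX"], c["countall"]),
        }
    return result


def should_alert(metrics, min_requests=3000, max_4xx_pct=80):
    """The page's trigger condition: countall>3000 && Rate_4XX>80."""
    return metrics["countall"] > min_requests and metrics["Rate_4XX"] > max_4xx_pct


if __name__ == "__main__":
    for host, m in status_rates(SAMPLE_LOG).items():
        print(host, m, "ALERT" if should_alert(m) else "ok")
    # Without the 444/405 exclusion the shop host's 4xx share jumps from 15% to 75%:
    # an HTTP flood that WAF is already blocking would look like an application failure.
    print(status_rates(SAMPLE_LOG, exclude_waf_blocks=False)["shop.example.com"]["Rate_4XX"])
```

The api.example.com host has only 100 requests in the window and therefore never appears in the result, which is the behaviour the countall > 120 filter is there for: a handful of errors on a near-idle domain should not page anyone.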
Abnormal percentage of 5xx status codes
This alert fires when a high proportion of requests return 5xx status codes, which typically indicates origin server errors rather than attack activity.
Recommended parameters:
| Parameter | Value |
|---|---|
| Chart name | Percentage of 5xx status codes |
| Time range | 5 minutes (relative) |
| Frequency | 5 minutes |
| Trigger condition | $0.countall>3000&& $0.Percentage of 5xx status codes>80 |
| Notification triggering threshold | 2 |
| Notification interval | 10 minutes |
Query statement:
user_id: ID of your Alibaba Cloud account
and not real_client_ip: Blocked IP addresses |
select
user_id,
host AS "Domain name",
Rate_2XX AS "Percentage of 2xx status codes",
Rate_3XX AS "Percentage of 3xx status codes",
Rate_4XX AS "Percentage of 4xx status codes",
Rate_5XX AS "Percentage of 5xx status codes",
countall AS "Requests in a specified relative time range",
status_2XX,
status_3XX,
status_4XX,
status_5XX,
countall
FROM(
SELECT
user_id,
host,
round(
round(status_2XX * 1.0000 / countall, 4) * 100,
2
) AS Rate_2XX,
round(
round(status_3XX * 1.0000 / countall, 4) * 100,
2
) AS Rate_3XX,
round(
round (status_4XX * 1.0000 / countall, 4) * 100,
2
) AS Rate_4XX,
round(
round(status_5XX * 1.0000 / countall, 4) * 100,
2
) AS Rate_5XX,
status_2XX,
status_3XX,
status_4XX,
status_5XX,
countall
FROM(
SELECT
user_id,
host,
count_if(
status >= 200
and status < 300
) AS status_2XX,
count_if(
status >= 300
and status < 400
) AS status_3XX,
count_if(
status >= 400
and status < 500
) AS status_4XX,
count_if(
status >= 500
and status < 600
) AS status_5XX,
COUNT(*) AS countall
FROM log
GROUP BY
host,
user_id
)
)
WHERE
countall > 120
ORDER BY
Rate_5XX DESC
LIMIT
5
Notification content template:
- [Time]: ${FireTime}
- [Uid]:${Results[0].RawResults[0].user_id}
- Domain name: ${Results[0].RawResults[0].Domain name}
- Service: WAF
- Requests in the last 5 minutes:${Results[0].RawResults[0].countall}
- Percentage of 2xx status codes: ${Results[0].RawResults[0].Percentage of 2xx status codes} %
- Percentage of 3xx status codes: ${Results[0].RawResults[0].Percentage of 3xx status codes} %
- Percentage of 4xx status codes: ${Results[0].RawResults[0].Percentage of 4xx status codes} %
- Percentage of 5xx status codes: ${Results[0].RawResults[0].Percentage of 5xx status codes} %
When you receive this alert: Check origin server health and error logs. A spike in 5xx responses unaccompanied by a QPS increase typically points to infrastructure issues rather than an attack.
Abnormal QPS
This alert fires when the average QPS for a domain exceeds a defined threshold, helping you detect unexpected traffic surges before they affect availability.
Recommended parameters:
| Parameter | Value |
|---|---|
| Chart name | Top 5 domain names that have the highest QPS |
| Time range | 1 minute (relative) |
| Frequency | 1 minute |
| Trigger condition | $0.aveQPS>=50 |
| Notification triggering threshold | 1 |
| Notification interval | 5 minutes |
Query statement:
user_id: ID of your Alibaba Cloud account
and not real_client_ip: Blocked IP addresses |
SELECT
user_id,
host,
Rate_2XX,
Rate_3XX,
Rate_4XX,
Rate_5XX,
countall / 60 as "aveQPS",
status_2XX,
status_3XX,
status_4XX,
status_5XX,
countall
FROM(
SELECT
user_id,
host,
round(
round(status_2XX * 1.0000 / countall, 4) * 100,
2
) as Rate_2XX,
round(
round(status_3XX * 1.0000 / countall, 4) * 100,
2
) as Rate_3XX,
round(
round (status_4XX * 1.0000 / countall, 4) * 100,
2
) as Rate_4XX,
round(
round(status_5XX * 1.0000 / countall, 4) * 100,
2
) as Rate_5XX,
status_2XX,
status_3XX,
status_4XX,
status_5XX,
countall
FROM(
SELECT
user_id,
host,
count_if(
status >= 200
and status < 300
) as status_2XX,
count_if(
status >= 300
and status < 400
) as status_3XX,
count_if(
status >= 400
and status < 500
and status <> 444
and status <> 405
) as status_4XX,
count_if(
status >= 500
and status < 600
) as status_5XX,
COUNT(*) as countall
FROM log
GROUP BY
host,
user_id
)
)
WHERE
countall > 120
ORDER BY
aveQPS DESC
LIMIT
5
Notification content template:
- [Time]: ${FireTime}
- [Uid]:${Results[0].RawResults[0].user_id}
- Domain name: ${Results[0].RawResults[0].host}
- Service: WAF
- Average QPS in the last 1 minute: ${Results[0].RawResults[0].aveQPS}
- Percentage of 2xx status codes: ${Results[0].RawResults[0].Rate_2XX}%
- Percentage of 3xx status codes: ${Results[0].RawResults[0].Rate_3XX}%
- Percentage of 4xx status codes: ${Results[0].RawResults[0].Rate_4XX}%
- Percentage of 5xx status codes: ${Results[0].RawResults[0].Rate_5XX}%
When you receive this alert: Review the status code distribution in the notification. A QPS spike with a normal 2xx rate is likely legitimate traffic growth. A spike with elevated 4xx or 5xx rates may indicate an attack or misconfiguration.
Abrupt increase in QPS
This alert detects sudden QPS spikes relative to the previous minute. The query uses the compare function to compare the current minute's request count with the prior minute's, firing when QPS grows by more than 300% and the absolute QPS exceeds 50.
Recommended parameters:
| Parameter | Value |
|---|---|
| Chart name | Abrupt increase in QPS |
| Time range | 1 minute (relative) |
| Frequency | 1 minute |
| Trigger condition | $0.now1mqps>50&& $0.in_ratio>300 |
| Notification triggering threshold | 1 |
| Notification interval | 5 minutes |
Query statement:
user_id: ID of your Alibaba Cloud account |
SELECT
t1.user_id,
t1.now1mQPS,
t1.past1mQPS,
in_ratio,
t1.host,
t2.Rate_2XX,
Rate_3XX,
Rate_4XX,
Rate_5XX,
aveQPS
FROM (
(
SELECT
user_id,
round(c [1] / 60, 0) AS now1mQPS,
round(c [2] / 60, 0) AS past1mQPS,
round(
round(c [1] / 60, 0) / round(c [2] / 60, 0) * 100 -100,
0
) AS in_ratio,
host
FROM (
SELECT
compare(t, 60) AS c,
host,
user_id
FROM (
SELECT
COUNT(*) AS t,
host,
user_id
FROM log
GROUP by
host,
user_id
)
GROUP by
host,
user_id
)
WHERE
c [3] > 1.1
and (
c [1] > 180
or c [2] > 180
)
) t1
JOIN (
SELECT
user_id,
host,
Rate_2XX,
Rate_3XX,
Rate_4XX,
Rate_5XX,
countall / 60 AS "aveQPS",
status_2XX,
status_3XX,
status_4XX,
status_5XX,
countall
FROM (
SELECT
user_id,
host,
round(
round(status_2XX * 1.0000 / countall, 4) * 100,
2
) AS Rate_2XX,
round(
round(status_3XX * 1.0000 / countall, 4) * 100,
2
) AS Rate_3XX,
round(
round(status_4XX * 1.0000 / countall, 4) * 100,
2
) AS Rate_4XX,
round(
round(status_5XX * 1.0000 / countall, 4) * 100,
2
) AS Rate_5XX,
status_2XX,
status_3XX,
status_4XX,
status_5XX,
countall
FROM (
SELECT
user_id,
host,
count_if(
status >= 200
and status < 300
) AS status_2XX,
count_if(
status >= 300
and status < 400
) AS status_3XX,
count_if(
status >= 400
and status < 500
and status <> 444
and status <> 405
) AS status_4XX,
count_if(
status >= 500
and status < 600
) AS status_5XX,
COUNT(*) AS countall
FROM log
GROUP BY
host,
user_id
)
)
WHERE
countall > 1
) t2 on t1.host = t2.host
)
ORDER BY
in_ratio DESC
LIMIT
5
Notification content template:
- [Time]: ${FireTime}
- [Uid]:${Results[0].RawResults[0].user_id}
- Domain name: ${Results[0].RawResults[0].host}
- Service: WAF
- Average QPS in the last 1 minute: ${Results[0].RawResults[0].now1mqps}
- Abrupt increase rate of QPS: ${Results[0].RawResults[0].in_ratio}%
- Percentage of 2xx status codes: ${Results[0].RawResults[0].rate_2xx}%
- Percentage of 3xx status codes: ${Results[0].RawResults[0].Rate_3XX}%
- Percentage of 4xx status codes: ${Results[0].RawResults[0].Rate_4XX}%
- Percentage of 5xx status codes: ${Results[0].RawResults[0].Rate_5XX}%
When you receive this alert: Check whether the spike is accompanied by a rise in blocked requests (ACL, HTTP flood, or Protection Rules Engine). If so, investigate whether an attack is in progress and consider tightening rate-limiting rules.
Abrupt decrease in QPS
This alert detects sudden QPS drops relative to the previous minute. The query uses compare to flag domains where QPS fell by more than 50% compared to the prior minute, while the absolute QPS stayed above 10 — filtering out low-traffic noise.
The chart includes the fields now1mqps (average QPS of the current minute), past1mqps (average QPS of the previous minute), de_ratio (QPS decrease rate), and host. Select one or more to build your trigger condition.
Recommended parameters:
| Parameter | Value |
|---|---|
| Chart name | Abrupt decrease in QPS |
| Time range | 1 minute (relative) |
| Frequency | 1 minute |
| Trigger condition | $0.now1mqps>10&& $0.de_ratio>50 |
| Notification triggering threshold | 2 |
| Notification interval | 5 minutes |
Query statement:
user_id: ID of your Alibaba Cloud account |
SELECT
t1.user_id,
t1.now1mQPS,
t1.past1mQPS,
de_ratio,
t1.host,
t2.Rate_2XX,
Rate_3XX,
Rate_4XX,
Rate_5XX,
aveQPS
FROM (
(
SELECT
user_id,
round(c [1] / 60, 0) AS now1mQPS,
round(c [2] / 60, 0) AS past1mQPS,
round(
100-round(c [1] / 60, 0) / round(c [2] / 60, 0) * 100,
2
) AS de_ratio,
host
FROM (
SELECT
compare(t, 60) AS c,
host,
user_id
FROM (
SELECT
COUNT(*) AS t,
host,
user_id
FROM log
GROUP BY
host,
user_id
)
GROUP BY
host,
user_id
)
WHERE
c [3] < 0.9
AND (
c [1] > 180
or c [2] > 180
)
) t1
JOIN (
SELECT
user_id,
host,
Rate_2XX,
Rate_3XX,
Rate_4XX,
Rate_5XX,
countall / 60 AS "aveQPS",
status_2XX,
status_3XX,
status_4XX,
status_5XX,
countall
FROM (
SELECT
user_id,
host,
round(
round(status_2XX * 1.0000 / countall, 4) * 100,
2
) AS Rate_2XX,
round(
round(status_3XX * 1.0000 / countall, 4) * 100,
2
) AS Rate_3XX,
round(
round(status_4XX * 1.0000 / countall, 4) * 100,
2
) AS Rate_4XX,
round(
round(status_5XX * 1.0000 / countall, 4) * 100,
2
) AS Rate_5XX,
status_2XX,
status_3XX,
status_4XX,
status_5XX,
countall
FROM (
SELECT
user_id,
host,
count_if(
status >= 200
and status < 300
) AS status_2XX,
count_if(
status >= 300
and status < 400
) AS status_3XX,
count_if (
status >= 400
and status < 500
and status <> 444
and status <> 405
) AS status_4XX,
count_if(
status >= 500
and status < 600
) AS status_5XX,
COUNT(*) AS countall
FROM log
GROUP BY
host,
user_id
)
)
WHERE
countall > 1
) t2 on t1.host = t2.host
)
ORDER BY
de_ratio DESC
LIMIT
5
Notification content template:
- [Time]: ${FireTime}
- [Uid]:${Results[0].RawResults[0].user_id}
- Domain name: ${Results[0].RawResults[0].host}
- Service: WAF (International)
- Average QPS in the last 1 minute: ${Results[0].RawResults[0].now1mqps}
- Abrupt decrease rate of QPS: ${Results[0].RawResults[0].de_ratio}%
- Percentage of 2xx status codes: ${Results[0].RawResults[0].rate_2xx}%
- Percentage of 3xx status codes: ${Results[0].RawResults[0].Rate_3XX}%
- Percentage of 4xx status codes: ${Results[0].RawResults[0].Rate_4XX}%
- Percentage of 5xx status codes: ${Results[0].RawResults[0].Rate_5XX}%
When you receive this alert: Verify that the origin server is reachable and that no WAF rules are incorrectly blocking legitimate traffic in bulk. A sudden drop often indicates a service outage or an overly aggressive block rule.
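The minute-over-minute logic shared by the "Abrupt increase in QPS" and "Abrupt decrease in QPS" queries above (and by the account-level "Abrupt decrease in traffic" query later on this page), written out in Python as an added example; it is not code from the page or from Simple Log Service. The compare() function here is a model of the SLS compare(t, 60) array, with the assumption that a previous-minute count of 0 yields no ratio; the host names and counts are constructed. It reproduces the c[1] > 180 or c[2] > 180 filter, the rounded now1mQPS/past1mQPS values, the in_ratio and de_ratio formulas, and the two trigger conditions, and shows what happens to a domain that only started receiving traffic in the current minute.

```python
"""Minute-over-minute QPS change, added to illustrate the compare() based alerts."""
from collections import Counter

# Constructed per-host request counts for the current minute and the one before,
# i.e. the two values compare(t, 60) returns (not real WAF data).
CURRENT_MINUTE = Counter({"shop.example.com": 5400, "api.example.com": 960, "new.example.com": 240})
PREVIOUS_MINUTE = Counter({"shop.example.com": 1200, "api.example.com": 2400})


def compare(current, previous):
    """Model of SLS compare(t, 60): [current, value 60 s earlier, current/previous].
    Assumption for this example: a previous value of 0 yields a None ratio."""
    ratio = current / previous if previous else None
    return [current, previous, ratio]


def qps_change(current_counts, previous_counts, min_requests=180):
    """Per-host now1mQPS, past1mQPS, in_ratio and de_ratio as the queries compute them.
    Hosts are kept only if either minute has more than min_requests requests,
    which is the page's `c[1] > 180 or c[2] > 180` filter."""
    rows = {}
    for host in set(current_counts) | set(previous_counts):
        c = compare(current_counts[host], previous_counts[host])
        if not (c[0] > min_requests or c[1] > min_requests):
            continue
        now_qps = round(c[0] / 60)
        past_qps = round(c[1] / 60)
        row = {"now1mQPS": now_qps, "past1mQPS": past_qps, "ratio": c[2],
               "in_ratio": None, "de_ratio": None}
        if c[2] is not None and past_qps > 0:
            # The page's formulas: now/past*100-100 (increase) and 100-now/past*100 (decrease).
            row["in_ratio"] = round(now_qps / past_qps * 100 - 100)
            row["de_ratio"] = round(100 - now_qps / past_qps * 100, 2)
        rows[host] = row
    return rows


def abrupt_increase(rows, min_qps=50, min_pct=300):
    """Trigger from the page: c[3] > 1.1 in the query, then now1mqps>50 && in_ratio>300."""
    return sorted(h for h, r in rows.items()
                  if r["ratio"] is not None and r["ratio"] > 1.1
                  and r["now1mQPS"] > min_qps and r["in_ratio"] > min_pct)


def abrupt_decrease(rows, min_qps=10, min_pct=50):
    """Trigger from the page: c[3] < 0.9 in the query, then now1mqps>10 && de_ratio>50."""
    return sorted(h for h, r in rows.items()
                  if r["ratio"] is not None and r["ratio"] < 0.9
                  and r["now1mQPS"] > min_qps and r["de_ratio"] > min_pct)


if __name__ == "__main__":
    rows = qps_change(CURRENT_MINUTE, PREVIOUS_MINUTE)
    for host, r in rows.items():
        print(host, r)
    print("increase:", abrupt_increase(rows), "decrease:", abrupt_decrease(rows))
```

new.example.com passes the 180-request filter but has no previous-minute baseline, so it gets neither ratio and fires neither alert; in the SQL this is the case where dividing by round(c[2] / 60, 0) would divide by zero, which is worth keeping in mind when a domain is first onboarded.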
Requests blocked by ACL policies in the last 5 minutes
This alert fires when the number of requests blocked by access control list (ACL) policies exceeds 500 in a 5-minute window, which may indicate a targeted attack matching your custom block rules.
Recommended parameters:
| Parameter | Value |
|---|---|
| Chart name | Requests blocked by ACL policies |
| Time range | 5 minutes (relative) |
| Frequency | 5 minutes |
| Trigger condition | $0.totalblock>=500&&($0.Requests blocked by ACL policies>=500) |
| Notification triggering threshold | 1 |
| Notification interval | 5 minutes |
Query statement:
user_id: ID of your Alibaba Cloud account |
SELECT
user_id,
host,
count_if(
final_plugin = 'waf'
AND final_action = 'block'
) AS "Requests blocked by the Protection Rules Engine",
count_if(
final_plugin = 'cc'
AND final_action = 'block'
) AS "Requests blocked by HTTP flood protection policies",
count_if(
final_plugin = 'acl'
AND final_action = 'block'
) AS "Requests blocked by ACL policies",
count_if(
final_plugin = 'antiscan'
AND final_action = 'block'
) AS "Requests blocked by scan protection policies",
count_if(
(final_plugin = 'waf'
AND final_action = 'block')
OR (final_plugin = 'cc'
AND final_action = 'block')
OR (final_plugin = 'acl'
AND final_action = 'block')
OR (final_plugin = 'antiscan'
AND final_action = 'block')
) AS totalblock
GROUP BY
host,
user_id
HAVING
(
"Requests blocked by ACL policies" >= 0
AND "Requests blocked by the Protection Rules Engine" >= 0
AND "Requests blocked by HTTP flood protection policies" >= 0
AND "Requests blocked by scan protection policies" >= 0
AND totalblock > 10
)
ORDER BY
"Requests blocked by ACL policies" DESC
LIMIT
5
Notification content template:
- [Time]: ${FireTime}
- [Uid]:${Results[0].RawResults[0].user_id}
- Domain name: ${Results[0].RawResults[0].host}
- Service: WAF
- Requests that are blocked in the last 5 minutes: ${Results[0].RawResults[0].totalblock}
- Requests blocked by ACL policies: ${Results[0].RawResults[0].Requests blocked by ACL policies}
- Requests blocked by the Protection Rules Engine: ${Results[0].RawResults[0].Requests blocked by the Protection Rules Engine}
- Requests blocked by HTTP flood protection policies: ${Results[0].RawResults[0].Requests blocked by HTTP flood protection policies}
- Requests blocked by scan protection policies: ${Results[0].RawResults[0].Requests blocked by scan protection policies}
When you receive this alert: Review the top blocked source IPs in WAF logs to determine whether the traffic is malicious. If legitimate users are being blocked, check your ACL rules for overly broad conditions.
Requests blocked by the Protection Rules Engine in the last 5 minutes
This alert fires when requests blocked by the Protection Rules Engine exceed 500 in 5 minutes, which may indicate exploitation attempts targeting known vulnerabilities.
Recommended parameters:
| Parameter | Value |
|---|---|
| Chart name | Requests blocked by the Protection Rules Engine |
| Time range | 5 minutes (relative) |
| Frequency | 5 minutes |
| Trigger condition | $0.totalblock>=500&&($0.Requests blocked by the Protection Rules Engine>=500) |
| Notification triggering threshold | 1 |
| Notification interval | 5 minutes |
Query statement:
user_id: ID of your Alibaba Cloud account |
SELECT
user_id,
host,
count_if(
final_plugin = 'waf'
AND final_action = 'block'
) AS "Requests blocked by the Protection Rules Engine",
count_if(
final_plugin = 'cc'
AND final_action = 'block'
) AS "Requests blocked by HTTP flood protection policies",
count_if(
final_plugin = 'acl'
AND final_action = 'block'
) AS "Requests blocked by ACL policies",
count_if(
final_plugin = 'antiscan'
AND final_action = 'block'
) AS "Requests blocked by scan protection policies",
count_if(
(final_plugin = 'waf'
AND final_action = 'block')
OR (final_plugin = 'cc'
AND final_action = 'block')
OR (final_plugin = 'acl'
AND final_action = 'block')
OR (final_plugin = 'antiscan'
AND final_action = 'block')
) AS totalblock
GROUP BY
host,
user_id
HAVING
(
"Requests blocked by ACL policies" >= 0
AND "Requests blocked by the Protection Rules Engine" >= 0
AND "Requests blocked by HTTP flood protection policies" >= 0
AND "Requests blocked by scan protection policies" >= 0
AND totalblock > 10
)
ORDER BY
"Requests blocked by the Protection Rules Engine" DESC
LIMIT
5
Notification content template:
- [Time]: ${FireTime}
- [Uid]:${Results[0].RawResults[0].user_id}
- Domain name: ${Results[0].RawResults[0].host}
- Service: WAF
- Requests that are blocked in the last 5 minutes: ${Results[0].RawResults[0].totalblock}
- Requests blocked by ACL policies: ${Results[0].RawResults[0].Requests blocked by ACL policies}
- Requests blocked by the Protection Rules Engine: ${Results[0].RawResults[0].Requests blocked by the Protection Rules Engine}
- Requests blocked by HTTP flood protection policies: ${Results[0].RawResults[0].Requests blocked by HTTP flood protection policies}
- Requests blocked by scan protection policies: ${Results[0].RawResults[0].Requests blocked by scan protection policies}
When you receive this alert: Identify the attack patterns in WAF logs (attack type, targeted URLs, source IPs). Consider enabling stricter protection rule sets or adding targeted ACL rules for the attacking IPs.
Requests blocked by HTTP flood protection policies in the last 5 minutes
This alert fires when requests blocked by HTTP flood protection policies exceed 500 in 5 minutes, indicating a potential HTTP flood (CC) attack.
Recommended parameters:
| Parameter | Value |
|---|---|
| Chart name | Requests blocked by HTTP flood protection policies |
| Time range | 5 minutes (relative) |
| Frequency | 5 minutes |
| Trigger condition | $0.totalblock>=500&&($0.Requests blocked by HTTP flood protection policies>=500) |
| Notification triggering threshold | 1 |
| Notification interval | 5 minutes |
Query statement:
user_id: ID of your Alibaba Cloud account |
SELECT
user_id,
host,
count_if(
final_plugin = 'waf'
AND final_action = 'block'
) AS "Requests blocked by the Protection Rules Engine",
count_if(
final_plugin = 'cc'
AND final_action = 'block'
) AS "Requests blocked by HTTP flood protection policies",
count_if(
final_plugin = 'acl'
AND final_action = 'block'
) AS "Requests blocked by ACL policies",
count_if(
final_plugin = 'antiscan'
AND final_action = 'block'
) AS "Requests blocked by scan protection policies",
count_if(
(final_plugin = 'waf'
AND final_action = 'block')
OR (final_plugin = 'cc'
AND final_action = 'block')
OR (final_plugin = 'acl'
AND final_action = 'block')
OR (final_plugin = 'antiscan'
AND final_action = 'block')
) AS totalblock
GROUP BY
host,
user_id
HAVING
(
"Requests blocked by ACL policies" >= 0
AND "Requests blocked by the Protection Rules Engine" >= 0
AND "Requests blocked by HTTP flood protection policies" >= 0
AND "Requests blocked by scan protection policies" >= 0
AND totalblock > 10
)
ORDER BY
"Requests blocked by HTTP flood protection policies" DESC
LIMIT
5
Notification content template:
- [Time]: ${FireTime}
- [Uid]:${Results[0].RawResults[0].user_id}
- Domain name: ${Results[0].RawResults[0].host}
- Service: WAF
- Requests that are blocked in the last 5 minutes: ${Results[0].RawResults[0].totalblock}
- Requests blocked by ACL policies: ${Results[0].RawResults[0].Requests blocked by ACL policies}
- Requests blocked by the Protection Rules Engine: ${Results[0].RawResults[0].Requests blocked by the Protection Rules Engine}
- Requests blocked by HTTP flood protection policies: ${Results[0].RawResults[0].Requests blocked by HTTP flood protection policies}
- Requests blocked by scan protection policies: ${Results[0].RawResults[0].Requests blocked by scan protection policies}
When you receive this alert: Check whether origin server load has increased alongside the blocked request count. If the attack is ongoing, tighten your HTTP flood protection rate limits or add IP-based ACL rules for the top attacking sources.
Requests blocked by scan protection policies in the last 5 minutes
This alert fires when requests blocked by scan protection policies exceed 500 in 5 minutes, indicating automated scanning activity targeting your domains.
Recommended parameters:
| Parameter | Value |
|---|---|
| Chart name | Requests blocked by scan protection policies |
| Time range | 5 minutes (relative) |
| Frequency | 5 minutes |
| Trigger condition | $0.totalblock>=500&&($0.Requests blocked by scan protection policies>=500) |
| Notification triggering threshold | 1 |
| Notification interval | 5 minutes |
Query statement:
user_id: ID of your Alibaba Cloud account |
SELECT
user_id,
host,
count_if(
final_plugin = 'waf'
AND final_action = 'block'
) AS "Requests blocked by the Protection Rules Engine",
count_if(
final_plugin = 'cc'
AND final_action = 'block'
) AS "Requests blocked by HTTP flood protection policies",
count_if(
final_plugin = 'acl'
AND final_action = 'block'
) AS "Requests blocked by ACL policies",
count_if(
final_plugin = 'antiscan'
AND final_action = 'block'
) AS "Requests blocked by scan protection policies",
count_if(
(final_plugin = 'waf'
AND final_action = 'block')
OR (final_plugin = 'cc'
AND final_action = 'block')
OR (final_plugin = 'acl'
AND final_action = 'block')
OR (final_plugin = 'antiscan'
AND final_action = 'block')
) AS totalblock
GROUP BY
host,
user_id
HAVING
(
"Requests blocked by ACL policies" >= 0
AND "Requests blocked by the Protection Rules Engine" >= 0
AND "Requests blocked by HTTP flood protection policies" >= 0
AND "Requests blocked by scan protection policies" >= 0
AND totalblock > 10
)
ORDER BY
"Requests blocked by scan protection policies" DESC
LIMIT
5
Notification content template:
- [Time]: ${FireTime}
- [Uid]:${Results[0].RawResults[0].user_id}
- Domain name: ${Results[0].RawResults[0].host}
- Service: WAF (International)
- Requests that are blocked in the last 5 minutes: ${Results[0].RawResults[0].totalblock}
- Requests blocked by ACL policies: ${Results[0].RawResults[0].Requests blocked by ACL policies}
- Requests blocked by the Protection Rules Engine: ${Results[0].RawResults[0].Requests blocked by the Protection Rules Engine}
- Requests blocked by HTTP flood protection policies: ${Results[0].RawResults[0].Requests blocked by HTTP flood protection policies}
- Requests blocked by scan protection policies: ${Results[0].RawResults[0].Requests blocked by scan protection policies}
When you receive this alert: Identify the scanning source IPs and targeted paths in WAF logs. Block persistent scanners with ACL rules and review whether the targeted paths expose sensitive endpoints.
Attacks from a single IP address
This alert fires when a single IP address accounts for 500 or more blocked requests across ACL, Protection Rules Engine, and HTTP flood protection policies in 5 minutes.
The chart includes the fields real_client_ip (the attacking IP address), blockNum (blocked request counts broken down by ACL, Protection Rules Engine, and HTTP flood protection policies), totalblock (total blocked requests), and allRequest (total requests from that IP). Select one or more to build your trigger condition.
Recommended parameters:
| Parameter | Value |
|---|---|
| Chart name | Attacks from a single IP address |
| Time range | 5 minutes (relative) |
| Frequency | 5 minutes |
| Trigger condition | $0.totalblock >=500 |
| Notification triggering threshold | 1 |
| Notification interval | 5 minutes |
Query statement:
user_id: ID of your Alibaba Cloud account |
SELECT
user_id,
real_client_ip,
concat(
'Requests blocked by ACL policies:',
cast(aclblock AS varchar(10)),
' ',
'Requests blocked by the Protection Rules Engine:',
cast(wafblock AS varchar(10)),
'
',
'Requests blocked by HTTP flood protection policies:',
cast(ccblock AS varchar(10))
) AS blockNum,
totalblock,
allRequest
FROM (
SELECT
user_id,
real_client_ip,
count_if(
final_plugin = 'acl'
AND final_action = 'block'
) AS aclblock,
count_if(
final_plugin = 'waf'
AND final_action = 'block'
) AS wafblock,
count_if(
final_plugin = 'cc'
AND final_action = 'block'
) AS ccblock,
count_if(
(
final_plugin = 'acl'
AND final_action = 'block'
)
OR (
final_plugin = 'waf'
AND final_action = 'block'
)
OR (
final_plugin = 'cc'
AND final_action = 'block'
)
) AS totalblock,
COUNT(*) AS allRequest
FROM log
GROUP BY
user_id,
real_client_ip
HAVING
totalblock > 1
ORDER BY
totalblock DESC
LIMIT
5
)
Notification content template:
- [Time]: ${FireTime}
- [Uid]:${Results[0].RawResults[0].user_id}
- Service: WAF
- Top 3 IP addresses from which attacks are most frequently launched in the last 5 minutes:
- ${Results[0].RawResults[0].real_client_ip} (${Results[0].RawResults[0].blockNum})
- ${Results[0].RawResults[1].real_client_ip} (${Results[0].RawResults[1].blockNum})
- ${Results[0].RawResults[2].real_client_ip} (${Results[0].RawResults[2].blockNum})
When you receive this alert: Add the top attacking IPs to an ACL block rule immediately. If the IP is part of a known malicious range, consider blocking the entire CIDR block.
Large number of domain names under attacks from a single IP address
This alert fires when a single IP address attacks 10 or more domain names in a 5-minute window, indicating broad horizontal scanning across your portfolio.
The chart includes the fields real_client_ip (the attacking IP address), totalblock (total blocked requests from that IP), and domainnum (number of domain names attacked). Select one or more to build your trigger condition. For example, totalblock>500&& domainnum>5 fires when a single IP launches more than 500 attacks across more than 5 domains.
Recommended parameters:
| Parameter | Value |
|---|---|
| Chart name | Large number of domain names attacked by a single IP address |
| Time range | 5 minutes (relative) |
| Frequency | 1 minute |
| Trigger condition | $0.domainnum>=10 |
| Notification triggering threshold | 1 |
| Notification interval | 5 minutes |
Query statement:
user_id: ID of your Alibaba Cloud account |
SELECT
user_id,
real_client_ip,
totalblock,
domainnum
FROM (
SELECT
user_id,
real_client_ip,
count_if(
(
final_plugin = 'acl'
AND final_action = 'block'
)
OR (
final_plugin = 'waf'
AND final_action = 'block'
)
OR (
final_plugin = 'cc'
AND final_action = 'block'
)
) AS totalblock,
count(
DISTINCT if(final_action = 'block', host, NULL)
) AS domainnum
FROM log
GROUP BY
user_id,
real_client_ip
)
WHERE
totalblock > 1
ORDER BY
domainnum DESC
LIMIT
5
Notification content template:
- [Time]: ${FireTime}
- [Uid]:${Results[0].RawResults[0].user_id}
- Service: WAF
- Attack IP address: ${Results[0].RawResults[0].real_client_ip}
- Attacked domain names: ${Results[0].RawResults[0].domainnum}
- Attack requests in the last 5 minutes: ${Results[0].RawResults[0].totalblock}
- Handle the alert at the earliest opportunity.
When you receive this alert: Block the attacking IP across all your domains using a global ACL rule. Cross-domain attacks from a single IP are a strong indicator of coordinated reconnaissance.
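The aggregations behind the attack-activity alerts above (the four per-host "Requests blocked by ..." queries, the "Attacks from a single IP address" query, and the "Large number of domain names under attacks from a single IP address" alert), reproduced in Python as an added example; this is not code from the page or from the WAF product, and the hosts, IP addresses (documentation ranges) and counts are constructed. It applies the same count_if predicates on final_plugin and final_action, the HAVING thresholds, and the trigger conditions from the parameter tables, and builds the blockNum text that the single-IP query assembles with concat().

```python
"""Blocked-request aggregations, added to illustrate the attack-activity alert queries."""


def _rows(host, ip, plugin, action, n):
    """Build n identical constructed log rows."""
    return [{"host": host, "real_client_ip": ip,
             "final_plugin": plugin, "final_action": action}] * n


# Constructed 5-minute sample (documentation IP ranges, not real traffic).
SAMPLE_LOG = (
    _rows("shop.example.com", "203.0.113.7", "acl", "block", 320)
    + _rows("shop.example.com", "203.0.113.7", "cc", "block", 210)
    + _rows("shop.example.com", "203.0.113.7", "waf", "pass", 40)  # matched, not blocked
    + _rows("api.example.com", "203.0.113.7", "waf", "block", 15)
    + _rows("api.example.com", "198.51.100.9", "antiscan", "block", 12)
    + _rows("api.example.com", "198.51.100.9", "waf", "block", 6)
    + _rows("blog.example.com", "198.51.100.9", "waf", "block", 3)
)

HOST_PLUGINS = ("waf", "cc", "acl", "antiscan")  # the per-host queries count all four
IP_PLUGINS = ("acl", "waf", "cc")                 # the single-IP query counts these three


def is_block(row, plugins):
    """count_if predicate: final_plugin in plugins AND final_action = 'block'."""
    return row["final_action"] == "block" and row["final_plugin"] in plugins


def blocked_by_host(rows, min_total=10):
    """Per-host count per plugin plus totalblock; the queries' HAVING totalblock > 10."""
    per_host = {}
    for r in rows:
        if not is_block(r, HOST_PLUGINS):
            continue
        c = per_host.setdefault(r["host"], {**dict.fromkeys(HOST_PLUGINS, 0), "totalblock": 0})
        c[r["final_plugin"]] += 1
        c["totalblock"] += 1
    return {h: c for h, c in per_host.items() if c["totalblock"] > min_total}


def attacks_by_ip(rows, min_total=1):
    """Per-IP aclblock/wafblock/ccblock, totalblock, allRequest and domainnum
    (distinct hosts with a blocked request from that IP); HAVING totalblock > 1."""
    per_ip = {}
    for r in rows:
        s = per_ip.setdefault(r["real_client_ip"],
                              {"aclblock": 0, "wafblock": 0, "ccblock": 0,
                               "totalblock": 0, "allRequest": 0, "hosts": set()})
        s["allRequest"] += 1
        if is_block(r, IP_PLUGINS):
            s[r["final_plugin"] + "block"] += 1
            s["totalblock"] += 1
            s["hosts"].add(r["host"])
    result = {}
    for ip, s in per_ip.items():
        if s["totalblock"] > min_total:
            result[ip] = {k: v for k, v in s.items() if k != "hosts"}
            result[ip]["domainnum"] = len(s["hosts"])
    return result


def block_summary(s):
    """The blockNum text the single-IP query builds with concat()."""
    return (f"Requests blocked by ACL policies:{s['aclblock']} "
            f"Requests blocked by the Protection Rules Engine:{s['wafblock']}\n"
            f"Requests blocked by HTTP flood protection policies:{s['ccblock']}")


def single_ip_alerts(by_ip, min_total=500):
    """Trigger from the page: totalblock >= 500."""
    return sorted(ip for ip, s in by_ip.items() if s["totalblock"] >= min_total)


def multi_domain_alerts(by_ip, min_domains=10):
    """Trigger from the page: domainnum >= 10."""
    return sorted(ip for ip, s in by_ip.items() if s["domainnum"] >= min_domains)


if __name__ == "__main__":
    print(blocked_by_host(SAMPLE_LOG))
    by_ip = attacks_by_ip(SAMPLE_LOG)
    for ip in single_ip_alerts(by_ip):
        print(ip, block_summary(by_ip[ip]), sep="\n")
```

Two details the sample makes visible: a request that matched a rule but was not blocked (final_action other than 'block') is excluded from every count, and blog.example.com, with only three blocked requests, is dropped by the per-host HAVING totalblock > 10 guard even though its source IP still shows up in the per-IP view.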
Abnormal average latency in the last 5 minutes
This alert fires when the average request latency for a domain exceeds 1,000 ms with at least 30 requests in the window. The query filters out bot traffic, 504 errors, and requests with no upstream address to focus on real user-facing latency.
Recommended parameters:
| Parameter | Value |
|---|---|
| Chart name | Abnormal average latency |
| Time range | 5 minutes (relative) |
| Frequency | 5 minutes |
| Trigger condition | $0.request_time>1000&& $0.requestnum>30 |
| Notification triggering threshold | 2 |
| Notification interval | 10 minutes |
Query statement:
user_id: ID of your Alibaba Cloud account
and not upstream_status :504
and not upstream_addr :'-'
and request_time_msec < 5000
and upstream_status :200
and not ua_browser :bot |
SELECT
user_id,
host,
upstream_time,
request_time,
requestnum
FROM (
SELECT
user_id,
host,
round(avg(upstream_response_time), 2) * 1000 AS upstream_time,
round(avg(request_time_msec), 2) AS request_time,
COUNT(*) AS requestnum
FROM log
GROUP BY
host,
user_id
)
WHERE
requestnum > 30
ORDER BY
request_time DESC
LIMIT
5
Notification content template:
- [Time]: ${FireTime}
- [Uid]:${Results[0].RawResults[0].user_id}
- Domain name: ${Results[0].RawResults[0].host}
- Service: WAF (International)
- [Trigger Condition]: ${condition}
- Top 3 domain names that have the longest latency in the last 5 minutes. Unit of latency: milliseconds.
- Host1:${Results[0].RawResults[0].host} Delay_time:${Results[0].RawResults[0].upstream_time}
- Host2:${Results[0].RawResults[1].host} Delay_time:${Results[0].RawResults[1].upstream_time}
- Host3:${Results[0].RawResults[2].host} Delay_time:${Results[0].RawResults[2].upstream_time}
When you receive this alert: Compare upstream_time (origin response time) and request_time (total WAF-to-client time). If upstream_time is high, the bottleneck is at the origin. If request_time is high but upstream_time is normal, the bottleneck may be in WAF processing or network.
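The latency query's search filters, its two averaged fields and the origin-versus-WAF comparison suggested above, reproduced in Python as an added example (not code from the page or from Simple Log Service). The rows are constructed, and the 50% share used by diagnose() to attribute the delay to the origin is an assumption of this example, not a value from the page.

```python
"""Average-latency check, added to illustrate the latency alert's filters and fields."""


def _rows(host, n, upstream_s, request_ms, status=200, addr="10.0.0.5", ua="chrome"):
    """Build n identical constructed log rows (field names from the page's query)."""
    return [{"host": host, "upstream_status": status, "upstream_addr": addr,
             "request_time_msec": request_ms, "upstream_response_time": upstream_s,
             "ua_browser": ua}] * n


SAMPLE_LOG = (
    _rows("shop.example.com", 40, 1.5, 1700)                           # slow origin
    + _rows("shop.example.com", 5, 4.5, 4800, ua="bot")                # crawler noise, filtered
    + _rows("shop.example.com", 3, 0.0, 60000, status=504, addr="-")  # timeouts, filtered
    + _rows("api.example.com", 50, 0.1, 1300)                          # fast origin, slow end to end
    + _rows("blog.example.com", 20, 2.0, 2500)                         # too few requests to count
)


def passes_filter(row):
    """The search part of the page's query: drop 504s, requests with no upstream,
    requests of 5 s or more, non-200 upstream responses and bot user agents."""
    return (row["upstream_status"] != 504
            and row["upstream_addr"] != "-"
            and row["request_time_msec"] < 5000
            and row["upstream_status"] == 200
            and row["ua_browser"] != "bot")


def latency_by_host(rows, min_requests=30):
    """upstream_time (ms, origin), request_time (ms, end to end) and requestnum per host."""
    acc = {}
    for r in rows:
        if not passes_filter(r):
            continue
        a = acc.setdefault(r["host"], {"n": 0, "upstream": 0.0, "request": 0.0})
        a["n"] += 1
        a["upstream"] += r["upstream_response_time"]
        a["request"] += r["request_time_msec"]
    result = {}
    for host, a in acc.items():
        if a["n"] <= min_requests:  # WHERE requestnum > 30
            continue
        result[host] = {
            # upstream_response_time is in seconds; the query scales it to milliseconds
            "upstream_time": round(a["upstream"] / a["n"], 2) * 1000,
            "request_time": round(a["request"] / a["n"], 2),
            "requestnum": a["n"],
        }
    return result


def latency_alerts(metrics, max_ms=1000, min_requests=30):
    """Trigger from the page: request_time>1000 && requestnum>30."""
    return sorted(h for h, m in metrics.items()
                  if m["request_time"] > max_ms and m["requestnum"] > min_requests)


def diagnose(m, origin_share=0.5):
    """Where the time goes: 'origin' if upstream_time is at least origin_share of
    request_time (the share is this example's assumption), else 'waf_or_network'."""
    if m["request_time"] <= 1000:
        return "normal"
    return "origin" if m["upstream_time"] >= origin_share * m["request_time"] else "waf_or_network"


if __name__ == "__main__":
    metrics = latency_by_host(SAMPLE_LOG)
    for host in latency_alerts(metrics):
        print(host, metrics[host], diagnose(metrics[host]))
```

Both alerting hosts exceed 1,000 ms end to end, but only shop.example.com spends most of that time waiting on the origin; api.example.com's origin answers in about 100 ms, so its delay sits between WAF and the client, which is the distinction the notification's two latency fields are meant to let you draw.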
Abrupt decrease in traffic
This alert fires when overall account-level traffic drops by more than 50% compared to the previous minute and the absolute QPS is still above 20 — filtering out low-traffic periods to avoid noise.
Recommended parameters:
| Parameter | Value |
|---|---|
| Chart name | Abrupt decrease in traffic |
| Time range | 1 minute (relative) |
| Frequency | 1 minute |
| Trigger condition | $0.de_ratio>50&& $0.now1mqps>20 |
| Notification triggering threshold | 1 |
| Notification interval | 5 minutes |
Query statement:
user_id: ID of your Alibaba Cloud account |
SELECT
t1.user_id,
t1.now1mQPS,
t1.past1mQPS,
de_ratio,
t2.Rate_2XX,
Rate_3XX,
Rate_4XX,
Rate_5XX,
aveQPS
FROM (
(
SELECT
user_id,
round(c [1] / 60, 0) AS now1mQPS,
round(c [2] / 60, 0) AS past1mQPS,
round(
100-round(c [1] / 60, 0) / round(c [2] / 60, 0) * 100,
2
) AS de_ratio
FROM (
SELECT
compare(t, 60) AS c,
user_id
FROM (
SELECT
COUNT(*) AS t,
user_id
FROM log
GROUP BY
user_id
)
GROUP BY
user_id
)
WHERE
c [3] < 0.9
AND (
c [1] > 180
or c [2] > 180
)
) t1
JOIN (
SELECT
user_id,
Rate_2XX,
Rate_3XX,
Rate_4XX,
Rate_5XX,
countall / 60 AS "aveQPS",
status_2XX,
status_3XX,
status_4XX,
status_5XX,
countall
FROM (
SELECT
user_id,
round(
round(status_2XX * 1.0000 / countall, 4) * 100,
2
) AS Rate_2XX,
round(
round(status_3XX * 1.0000 / countall, 4) * 100,
2
) AS Rate_3XX,
round(
round(status_4XX * 1.0000 / countall, 4) * 100,
2
) AS Rate_4XX,
round(
round(status_5XX * 1.0000 / countall, 4) * 100,
2
) AS Rate_5XX,
status_2XX,
status_3XX,
status_4XX,
status_5XX,
countall
FROM (
SELECT
user_id,
count_if(
status >= 200
AND status < 300
) AS status_2XX,
count_if(
status >= 300
AND status < 400
) AS status_3XX,
count_if (
status >= 400
AND status < 500
AND status <> 444
AND status <> 405
) AS status_4XX,
count_if(
status >= 500
AND status < 600
) AS status_5XX,
COUNT(*) AS countall
FROM log
GROUP BY
user_id
)
)
WHERE
countall > 0
) t2 ON t1.user_id = t2.user_id
)
ORDER BY
de_ratio DESC
LIMIT
5
Notification content template:
- [Time]: ${FireTime}
- [UID]:${Results[0].RawResults[0].user_id}
- Service: WAF
- Average QPS in the last 1 minute: ${Results[0].RawResults[0].now1mqps}
- [Trigger condition (abrupt decrease rate of traffic & QPS)]:${condition}
- Abrupt decrease rate of QPS: ${Results[0].RawResults[0].de_ratio}%
- Percentage of 2xx status codes: ${Results[0].RawResults[0].rate_2xx}%
- Percentage of 3xx status codes: ${Results[0].RawResults[0].Rate_3XX}%
- Percentage of 4xx status codes: ${Results[0].RawResults[0].Rate_4XX}%
- Percentage of 5xx status codes: ${Results[0].RawResults[0].Rate_5XX}%
When you receive this alert: Check WAF service status and whether any upstream DNS or network changes were made recently. A drop in traffic with a simultaneous rise in 5xx codes suggests an infrastructure failure. A clean drop with no error increase may indicate a DNS or routing issue diverting traffic away.