After you add your website to Web Application Firewall (WAF), you can use the alert settings feature to configure alerting. Once alerts are configured, WAF sends alert notifications in real time when it detects attacks and unusual traffic. This helps you understand the security posture of your website in a timely manner.

Prerequisites

  • Your website is added to WAF. For more information, see Tutorial.
  • Optional: The Log Service for WAF feature is enabled for your WAF instance, and the log collection feature is enabled for the domain name of your website. For more information, see Get started with the Log Service for WAF feature.

    By default, WAF allows you to configure monitoring and alert rules by using Alibaba Cloud CloudMonitor. In the CloudMonitor console, you can configure monitoring and alert rules for the WAF metrics that are supported by CloudMonitor and the attack events that are detected by WAF. For more information about the WAF metrics, see WAF metrics. If the WAF metrics that are supported by CloudMonitor do not meet your business requirements, you can use the Log Service for WAF feature to configure the alert settings for WAF.

    If you want to use the Log Service for WAF feature to configure the alert settings, the preceding prerequisites must be met.

Procedure

  1. Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and the region to which the WAF instance belongs. You can select Chinese Mainland or Outside Chinese Mainland for the region.
  2. In the left-side navigation pane, choose Security Operations > Alert Settings.
  3. On the Alert Settings page, configure notification methods based on the type of attack events.
    Notification methods and descriptions:

    CloudMonitor Notifications

    Create alert rules for different types of events by using the alerting feature provided by CloudMonitor.

    CloudMonitor is a service that monitors resources and Internet applications. For more information, see What is CloudMonitor. CloudMonitor provides the alerting feature to monitor events and metrics of cloud services. For more information about the feature, see Overview.

    If you use the CloudMonitor Notifications method, you can create alert rules for all types of events that are listed on the Alarm Settings page. The event types are Web Attacks, HTTP Flood Attack Events, ACL-based Attacks, Scan Attacks, Traffic Volume Monitoring, Abnormal Traffic Monitoring, Custom Attack Monitoring, Bandwidth Threshold Exceeded, and QPS Threshold Exceeded.

    When you click CloudMonitor Notifications, you are redirected to the Alert Rules tab of the CloudMonitor console. You can configure alert rules on the Alert Rules tab.

    Log Service Configurations

    Create alert rules for different types of events by using the alerting feature provided by Log Service for WAF.

    Log Service for WAF allows you to collect and store the logs for requests that are sent to the domain name of your website that is added to WAF. Then, you can query and analyze the logs. You can use query and analysis results to customize alert rules for WAF metrics based on your business requirements.

    If you use the Log Service Configurations method, you can create alert rules for different combinations of metrics. This method provides high flexibility and is suitable for business scenarios in which you want to customize alert rules. Compared with the previous method, this method is more complex to use.

    When you click Log Service Configurations, you are redirected to the Log Service page. You can query and analyze WAF logs and customize alert rules on the Log Service page.
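
The following added example (not from the original page and not Alibaba Cloud code) shows what an alert rule on a combination of metrics evaluates, run offline over constructed records. The field names `ts`, `host`, `client_ip` and `action`, the thresholds and the hostnames are assumptions for illustration, not the WAF log schema.

```python
from collections import defaultdict

WINDOW = 300           # evaluation window, seconds
MIN_BLOCKED = 5        # blocked requests per host per window
MIN_BLOCK_RATIO = 0.5  # blocked / total requests
MIN_SOURCES = 3        # distinct client IPs among blocked requests

def evaluate(records):
    """Return an alert per (host, window) in which all three metrics trip."""
    buckets = defaultdict(lambda: {"total": 0, "blocked": 0, "sources": set()})
    for r in records:
        b = buckets[(r["host"], r["ts"] - r["ts"] % WINDOW)]
        b["total"] += 1
        if r["action"] == "block":
            b["blocked"] += 1
            b["sources"].add(r["client_ip"])
    alerts = []
    for (host, start), b in sorted(buckets.items()):
        ratio = b["blocked"] / b["total"]
        if (b["blocked"] >= MIN_BLOCKED and ratio >= MIN_BLOCK_RATIO
                and len(b["sources"]) >= MIN_SOURCES):
            alerts.append({"host": host, "window_start": start,
                           "blocked": b["blocked"], "ratio": round(ratio, 2),
                           "sources": len(b["sources"])})
    return alerts

def rec(ts, host, ip, action):
    return {"ts": ts, "host": host, "client_ip": ip, "action": action}

def sample_records():
    """Constructed records; field names are assumptions, not the WAF log schema."""
    shop, blog, api = "shop.example.com", "blog.example.com", "api.example.com"
    recs = [rec(10 + i, shop, f"198.51.100.{i % 3}", "block") for i in range(6)]
    recs += [rec(50 + i, shop, "203.0.113.7", "pass") for i in range(2)]
    # 100% blocked but only two requests: a ratio-only rule would be a false alarm
    recs += [rec(20 + i, blog, "198.51.100.9", "block") for i in range(2)]
    # six blocks from one IP among normal traffic: a count-only rule would fire
    recs += [rec(300 + i, api, "198.51.100.9", "block" if i < 6 else "pass")
             for i in range(40)]
    return recs

if __name__ == "__main__":
    for alert in evaluate(sample_records()):
        print(alert)
```

Only the first host trips all three conditions; the other two show why a rule built on a single metric is noisier than a combined one.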