Use CloudMonitor to configure monitoring and alerting for WAF

Supported metrics and attack events

For more information about the WAF-related metrics and attack events that can be monitored by CloudMonitor, see Supported monitoring types and service metrics.

Configure alert contacts

After you configure an alert contact, CloudMonitor sends notifications for the alerts that you configure to the contact. The alert contact must check the alert notifications in time and handle the alerts at the earliest opportunity.

1. Log on to the Cloud Monitor console.
2. Create an alert contact.
   1. In the left-side navigation pane, choose Alerts > Alert Contacts.
   2. On the Alert Contacts tab, click Create Alert Contact.
   3. In the Set Alert Contact panel, enter the contact information, drag the slider to complete verification, and then click OK.
      Note You must retain the default value Automatic of Alert Notification Information Language. Automatic indicates that CloudMonitor automatically determines the language for alert notifications based on the language that you use to create your Alibaba Cloud account.
   4. Optional. Activate the email address and mobile phone number of the alert contact.

      By default, the email address and mobile phone number of the alert contact are in the Pending Activation state. After the alert contact receives an email or a text message that contains the activation link, the alert contact must activate the email address and mobile phone number within 24 hours. Otherwise, the alert contact cannot receive alert notifications. After the email address and mobile phone number are activated, you can view the email address and mobile phone number in the alert contact list.

3. Create an alert group.
   Notice An alert contact must belong to an alert group. You can add one or more alert contacts to an alert group.

   1. On the Alert Contact Group tab, click Create Alert Contact Group.
   2. In the Create Alert Contact Group panel, enter the group name, select alert contacts from the Existing Contacts section, and then add the alert contacts to the Selected Contacts section.
   3. Click Confirm.

Configure monitoring and alerting for attack events

After you configure monitoring and alerting for attack events, CloudMonitor sends alert notifications based on the rules you configure when WAF detects attacks such as web and HTTP flood attacks. The rules cover the severities of attack events and the methods to receive alert notifications. For more information about the attack events that can be monitored by CloudMonitor, see Attack events supported.

1. Log on to the Cloud Monitor console.
2. Create an alert rule for attack events.
   1. In the left-side navigation pane, choose Alerts > Alert Rules.
   2. Click the Event Alert tab.
   3. On the Event Alert tab, click Create Event Alert.
   4. In the Create / Modify Event Alert panel, configure the following parameters.
      The following table describes the parameters that are used to create an alert rule for attack events.

      Parameter	Description
      Alert Rule Name	Enter the name of the alert rule. The name can be up to 30 characters in length and can contain letters, digits, and underscores (_).
      Event Type	Select System Event.
      Product Type	Select WAF from the drop-down list.
      Event Type	Select All Types.
      Event Level	Select the level of the attack event for which you want to receive alert notifications. Valid values: CRITICAL, WARN, and INFO. Notice You can select multiple levels. If you select multiple levels, you must select CRITICAL.
      Event Name	Select the type of the attack event for which you want to receive alert notifications. Valid values: waf_event_aclattack waf_event_ccattack waf_event_webattack waf_event_webscan Notice The event level for each of these event types is CRITICAL.
      Resource Range	Select All Resources.
      Alert Type	Select Alert Notification and configure Contact Group and Notification Method. Contact Group: Select an existing alert group. All contacts in the alert group can receive alert notifications. Notification Method: Select Info (Email ID+DingTalk Robot). You can click Add to add more alert groups and notification methods. You can also configure other alert types, such as MNS queue, Function service, URL callback, and Log Service. For more information, see Create an event-triggered alert rule.

   5. Click OK.
   After you configure the alert rule for attack events, the contacts in the alert rule can receive alert notifications when specific attacks are detected on the domain names added to WAF.

You can also query recent attack events detected by WAF in the CloudMonitor console.

Configure monitoring and alerting for metrics

After you configure monitoring and alerting for metrics, CloudMonitor sends alert notifications to the contacts in the alert rules that you configure. Alerts are triggered when WAF detects exceptions in the metrics of domain names that are added to WAF. The exceptions include minute-to-minute decrease in queries per second (QPS) and surges in error codes and blocked attacks. For more information about the metrics that can be monitored by CloudMonitor, see WAF service metrics supported.

1. Log on to the Cloud Monitor console.
2. Create an alert rule for metrics.
   1. In the left-side navigation pane, choose Alerts > Alert Rules.
   2. On the Threshold Value Alert tab, click Create Alert Rule.
   3. On the Create Alert Rule page, configure the following parameters.

      Parameter	Description
      Product	The service that you want to monitor. Select WAF from the drop-down list.
      Resource Range	The scope of the domain names that you want to monitor. Valid values: All Resources: monitors all the domain names that are added to WAF. If the alert rule is triggered for one of the domain names, an alert notification is sent. Instance: monitors specific domain names. An alert notification is sent only when the alert rule is triggered for all the selected domain names.
      Region	The region where the WAF instance resides. This parameter is required only if you select Instance from the Resource Range drop-down list. Valid values: China East 1 (Hangzhou): specifies a WAF instance in mainland China. Asia Pacific SE 1 (Singapore): specifies a WAF instance outside mainland China.
      Instance	The ID of the WAF instance. This parameter is required only if you select Instance from the Resource Range drop-down list. After you configure Region, the ID of the WAF instance in the selected region automatically appears. You do not need to modify this parameter. If no WAF instances are purchased in the selected region, No Data appears.
      domain	The domain name that you want to monitor. This parameter is required only if you select Instance from the Resource Range drop-down list. Select the domain name that you want to monitor from the domain names that are added to the WAF instance. You can select multiple domain names.
      Alert Rule	The name of the alert rule.
      Rule Description	The content of the alert rule. This parameter defines the condition that triggers the alert rule. Note We recommend that you configure alert thresholds for different metrics based on your business requirements. For more information about the metrics, see WAF service metrics supported. A low threshold may trigger frequent alerts and affect user experience. A high threshold may not provide you with sufficient time to respond to exceptions detected in metrics. Example of an alert rule: If you configure the following rule, CloudMonitor determines whether to trigger an alert based on the QPS detected in three consecutive cycles. CloudMonitor reports a data point at an interval of 60s. A total of 15 data points are reported in the three consecutive cycles. If the maximum QPS among the reported data points is greater than 200, an alert is triggered. You can click Add Alert Rule to create more rules. You must configure Alert Rule and Rule Description for each rule.
      Mute for	The interval of re-sending the notification for an alert before the alert is cleared. The minimum value is 5 minutes, and the maximum value is 24 hours.
      Effective Period	The time period during which the alert rule remains effective. CloudMonitor sends alert notifications within the effective period and only records alerts beyond the effective period.
      Notification Contact	The alert group that receives alert notifications.
      Notification Methods	The method that is used to send alert notifications. Different levels of alerts are sent by using different methods. Alert levels are Critical, Warning, and Info. Valid values: Email + DingTalk (Info).
      Auto Scaling	If you select Auto Scaling, no additional configurations are required. After you select a scaling rule, it is triggered when an alert is generated.
      Log Service	If you select Log Service, the alert information is written to Log Service when an alert is generated. You must also configure Region, Project, and Logstore. For more information about how to create a project and a Logstore, see Quick start.
      Email Subject	The subject of the alert notification email. By default, the email subject is in the format of service name + metric name + instance ID.
      Email Remark	The additional information that you want to include in the alert notification email.
      HTTP CallBack	The URL to which CloudMonitor sends alert notifications by using HTTP POST. You can enter only an HTTP URL.

   4. Click Confirm. The alert rule is created.
      If WAF-related metrics meet the conditions described in the alert rule, alert notifications are sent to the specified alert group.