You can use CloudMonitor to configure monitoring and alerting for metrics and attacks that are launched against websites that are added to WAF. This topic describes how to use CloudMonitor to configure monitoring and alerting for WAF.

Prerequisites

Your website is added to WAF. For more information, see Tutorial.

Create an alert contact or alert contact group

  1. Log on to the CloudMonitor console.
  2. In the left-side navigation pane, choose Alerts > Alert Contacts.
  3. Create an alert contact.
    1. On the Alert Contacts tab, click Create Alert Contact.
    2. In the Set Alert Contact panel, enter the name, email address, and webhook URL of the alert contact. Make sure that the Language of Alert Notifications parameter is set to the default value Automatic.
      Note Automatic specifies that CloudMonitor automatically selects the language of alert notifications based on the language that is used to create your Alibaba Cloud account.
    3. Verify the parameters and click OK.
  4. Create an alert group.
    1. On the Alert Contact Group tab, click Create Alert Contact Group.
    2. In the Create Alert Contact Group panel, enter a name for the alert contact group and add alert contacts to the alert contact group. Then, click Confirm.
  5. Add multiple alert contacts to an alert contact group.
    1. On the Alert Contacts tab, select the alert contacts that you want to add to an alert contact group and click Add to Alert Contact Group.
    2. In the Confirm dialog box, select the alert contact group to which you want to add alert contacts and click OK.
    After you create alert contacts and an alert contact group and add the alert contacts to the alert contact group, the alert contacts can receive the monitoring and alerting notifications. Alert contacts must check the alert notifications and handle the alerts at the earliest opportunity.

Configure monitoring and alerting for attack events

  1. Log on to the CloudMonitor console.
  2. In the left-side navigation pane, choose Event Monitoring > System Event.
  3. On the Event-triggered Alert Rules tab, click Create Alert Rule.
  4. In the Create/Modify Event-triggered Alert Rule panel, configure the following parameters and click OK.
    Parameter Description
    Alert Rule Name The name of the event-triggered alert rule.
    Product Type The cloud service for which you want to configure an event-triggered alert rule. Select Web Application Firewall (WAF).
    Event Type The type of the event for which you want the alert rule to take effect. Valid values: Attack and Exceed.
    Event Level The level of the event for which you want the system to trigger alerts. The security level of all events that are detected by WAF is CRITICAL.
    Event Name The name of the event that triggers alerts.
    Note In the Event Name drop-down list, events whose names contain v3 are WAF 3.0 events that can be monitored by CloudMonitor. The other events are WAF 2.0 events. For information about the attack events that are detected by WAF 2.0 and can be monitored by CloudMonitor, see Attack events that can be monitored by CloudMonitor.
    Keyword Filtering The keywords that you want to use in the alert rule. Valid values:
    • Contains any of the keywords: If an attack event contains one of the specified keywords, no alert notifications are sent.
    • Does not contain any of the keywords: If an attack event does not contain any of the specified keywords, no alert notifications are sent.
    SQL Filter The SQL statements that you want to use for filtering.
    Resource Range The range of resources for which you want the event-triggered rule to take effect. Valid values: All Resources and Application Groups.
    Contact Group The contact groups to which you want to send alert notifications. For more information, see Create an alert contact or alert contact group.
    Notification Method The severity level and notification method of the event-triggered alert. Valid values:
    • Critical (Phone Call + Text Message + Email + Webhook)
    • Warning (SMS + Text Message + Webhook)
    • Info (Email + Webhook)
    MNS Queue The Message Service (MNS) queue to which you want to deliver the event alert.
    Function Compute The Function Compute function to which you want to deliver the event alert.
    URL Callback The URL that you want to use to receive the alert notifications that are sent from CloudMonitor by using HTTP POST requests. Make sure that the URL can be accessed over the Internet. Only HTTP requests are supported. For information about how to configure alert callbacks, see Configure callbacks for system event-triggered alerts.
    Log Service The Log Service Logstore to which you want to deliver the event alert.
    Mute For The interval at which you want CloudMonitor to resend alert notifications when the alert is not cleared. Valid values: 5 Minutes, 15 Minutes, 30 Minutes, 60 Minutes, 3 Hours, 6 Hours, 12 Hours, and 24 Hours.
    After you configure an alert rule for attack events, the contacts that you specified in the alert rule can receive alert notifications when specific attacks are detected on the protected objects of WAF.
    To query the recent attack events that are detected by WAF, choose Event Monitoring > System Event in the left-side navigation pane and click the Event Monitoring tab. On the Event Monitoring tab, select Web Application Firewall (WAF) from the All Products drop-down list and select an event name that does not contain v3 from the Select Event Name drop-down list. Then, click Search. Event monitoring

Configure monitoring and alerting for WAF metrics

  1. Log on to the CloudMonitor console.
  2. In the left-side navigation pane, choose Alerts > Alert Rules.
  3. On the Alert Rules page, click Create Alert Rule.
  4. In the Create Alert Rule panel, configure the following parameters and click OK.
    Parameter Description
    Product Select Web Application Firewall (WAF) from the Product drop-down list.
    Resource Range The range of resources for which you want the alert rule to take effect. Valid values:
    • All Resources: The alert rule takes effect for all WAF resources.
    • Application Groups: The alert rule takes effect for all resources in a specified application group of WAF.
    • Instances: The alert rule takes effect for the specified resources of WAF.
    Rule Description The content of the alert rule. If a metric meets the specified condition, an alert is triggered. To specify the rule description, perform the following operations:
    1. Click Add Rule.
    2. In the Add Rule Description panel, configure the Alert Rule, Metric Type, Metric, and Threshold and Alert Level parameters. Then, click OK.
      Note For information about the WAF metrics that can be monitored by CloudMonitor, see WAF service metrics that can be monitored by CloudMonitor.
    Mute For The interval at which you want CloudMonitor to resend alert notifications when the alert is not cleared. Valid values: 5 Minutes, 15 Minutes, 30 Minutes, 60 Minutes, 3 Hours, 6 Hours, 12 Hours, and 24 Hours.

    An alert is triggered when the conditions of an alert rule are met. CloudMonitor does not resend an alert notification if the alert is triggered during the mute period. If the alert is not cleared after the mute period elapses, CloudMonitor resends alert notifications.

    Effective Period The period of time during which you want the alert rule to take effect. CloudMonitor monitors the specified resources based on the alert rule only within the specified period of time.
    Alert Contact Group The contact groups to which you want to send alert notifications. For more information, see Create an alert contact or alert contact group.
    Alert Callback The URL that you want to use to receive the alert notifications that are sent from CloudMonitor by using HTTP POST requests. Make sure that the URL can be accessed over the Internet. Only HTTP requests are supported. For information about how to configure alert callbacks, see Use the alert callback feature to send notifications about threshold-triggered alerts.
    Note You can click Advanced Settings to configure this parameter.
    Auto Scaling (The corresponding scaling rule will be triggered when the alert occurs.) If you turn on Auto Scaling (The corresponding scaling rule will be triggered when the alert occurs.) and an alert is triggered, the specified scaling rule is enabled. In this case, you must configure the Region, ESS Group, and ESS Rule parameters.
    Note You can click Advanced Settings to configure this parameter.
    Log Service (If you select Log Service, the alert information will be written to Log Service.) If you turn on Log Service (If you select Log Service, the alert information will be written to Log Service.) and an alert is triggered, the alert information is written to the specified Logstore in Log Service. In this case, you must configure the Region, ProjectName, and Logstore parameters. For information about how to create a project and a Logstore, see Getting Started.
    Note You can click Advanced Settings to configure this parameter.
    Message Service - topic If you turn on Message Service - topic and an alert is triggered, the alert information is written to the specified topic in MNS. In this case, you must configure the Region and topicName parameters. For information about how to create a topic, see Create a topic.
    Note You can click Advanced Settings to configure this parameter.
    Method to handle alerts when no monitoring data is found The method that you want to use to handle alerts when no monitoring data is found. Valid values:
    • Do not do anything (default value)
    • Send alert notifications
    • Treated as normal
    Note You can click Advanced Settings to configure this parameter.
    Tag The tags of the alert rule. A tag consists of a tag name and a tag value.
    After you create an alert rule, you can view the rule on the Alert Rules page. Select WAF 3.0 from the Product drop-down list and domain from the Metric drop-down list. Then, select one of the metrics that are displayed on the right side to search for the alert rule that you created for the metric. monitoring metrics
    Note Descriptions of WAF metrics that can be monitored by CloudMonitor:
    • If you select domain from the Metric drop-down list, the metrics that are displayed on the right side are WAF 2.0 metrics that can be monitored by CloudMonitor.
    • If you select resource from the Metric drop-down list, the metrics that are displayed on the right side are WAF 3.0 metrics that can be monitored by CloudMonitor.
    • If you select Instance from the Metric drop-down list, the metrics that are displayed on the right side are Hybrid Cloud WAF metrics that can be monitored by CloudMonitor. Metrics whose names contain v3 are WAF 3.0 metrics that can be monitored by CloudMonitor. The other metrics are WAF 2.0 metrics.

Configure monitoring and alerting for custom metrics

You can use Log Service to configure monitoring and alerting for custom metrics. For more information, see Use Log Service to configure monitoring and alerting.

Attack events that can be monitored by CloudMonitor

CloudMonitor allows you to configure monitoring and alerting for web attacks, HTTP flood attacks, scan attacks, and unauthorized access control events on domain names that are added to WAF. You can select a notification method by which you want to receive alerts based on the severity level of events. The notification methods include text messages, emails, DingTalk, or the alert callback feature. For more information, see Configure monitoring and alerting for attack events.

Event type Event name Event description Event status Event level
Attack waf_event_aclattack An unauthorized access control event occurs. acl Critical
Exceed waf_event_bandwidth_exceed The bandwidth exceeds the threshold. overrun Critical
Attack waf_event_ccattack An HTTP flood attack occurs. cc Critical
Exceed waf_event_qps_exceed The queries per second (QPS) exceeds the threshold. overrun Critical
Attack waf_event_webattack A web attack occurs. web Critical
Attack waf_event_webscan A web scan attack occurs. webscan Critical

WAF service metrics that can be monitored by CloudMonitor

CloudMonitor allows you to configure monitoring and alerting for WAF service metrics of domain names that are added to WAF. You can specify the method that you want to use to identify exceptions on the metrics and select a notification method, such as by using text messages, emails, DingTalk, or the alert callback feature. For more information about how to configure monitoring and alerting for WAF service metrics, see Configure monitoring and alerting for WAF metrics.
Metric Dimension Description Remarks
4XX_ratio Domain The percentage of the HTTP 4xx status codes that are returned per minute. The value does not include the percentage of HTTP 405 status codes that are returned. The value is displayed as a decimal number.
5XX_ratio Domain The percentage of the HTTP 5xx status codes that are returned per minute. The value is displayed as a decimal number.
acl_blocks_5m Domain The number of requests that are blocked by access control policies in the previous 5 minutes. None.
acl_rate_5m Domain The percentage of requests that are blocked by access control policies in the previous 5 minutes. The value is displayed as a decimal number.
cc_blocks_5m Domain The number of requests that are blocked by HTTP flood protection in the previous 5 minutes. None.
cc_rate_5m Domain The percentage of requests that are blocked by HTTP flood protection in the previous 5 minutes. The value is displayed as a decimal number.
waf_blocks_5m Domain The number of requests that are blocked by web attack protection in the previous 5 minutes. None.
waf_rate_5m Domain The percentage of requests that are blocked by web attack protection in the previous 5 minutes. The value is displayed as a decimal number.
QPS Domain The number of queries per second. None.
qps_ratio Domain The minute-granularity growth rate of QPS. The value is displayed as a percentage.
qps_ratio_down Domain The minute-granularity decrease rate of QPS. The value is displayed as a percentage.