You can use CloudMonitor to configure monitoring and alerting rules for security events and metrics to monitor the protected objects of Web Application Firewall (WAF). This topic describes how to use CloudMonitor to configure monitoring and alerting rules for WAF.
Prerequisites
Web services are added to WAF on the Website Configuration page. For more information, see Website configuration overview.
Create an alert contact or alert contact group
Log on to the CloudMonitor console.
In the left-side navigation pane, choose .
Create an alert contact.
On the Alert Contacts tab, click Create Alert Contact.
In the Set Alert Contact panel, enter the name, email address, and webhook URL of the alert contact. Keep the default values of other parameters.
NoteMake sure that the Language of Alert Notifications parameter is set to the default value Automatic. This indicates that CloudMonitor automatically selects the language of alert notifications based on the language that you use to create your Alibaba Cloud account.
Verify the parameter values and click OK.
Create an alert contact group.
On the Alert Contact Group tab, click Create Alert Contact Group.
In the Create Alert Contact Group panel, specify a name for the alert contact group that you want to create and select contacts that you want to add to the group. Then, click Confirm.
Add multiple alert contacts to an alert contact group
On the Alert Contacts tab, select the alert contacts that you want to add to an alert contact group and click Add to Alert Contact Group.
In the Add to Contact Group message, click the alert contact group to which you want to add the alert contacts and click OK.
After you create alert contacts, create an alert contact group, and then add the alert contacts to the alert contact group, the alert contacts can receive monitoring and alerting notifications. Alert contacts must check the alert notifications in a timely manner and handle the alerts at the earliest opportunity.
Configure monitoring and alerting rules for security events
Log on to the CloudMonitor console.
In the left-side navigation pane, choose .
On the Event-triggered Alert Rules tab, click Create Alert Rule.
In the Create/Modify Event-triggered Alert Rule panel, configure the parameters and click OK. The following table describes the parameters.
Parameter
Description
Alert Rule Name
The name of the event-triggered alert rule.
Product Type
The cloud service for which you want to configure the event-triggered alert rule. Select WAF.
Event Type
The type of the event for which you want the alert rule to take effect. Valid values: Attack, Exceed, and Event.
Event Level
The severity level of the event that triggers alerts. The severity level of all events that are detected by WAF 3.0 is CRITICAL.
Event Name
The name of the event that triggers alerts.
NoteIn the Event Name drop-down list, the events whose names contain v3 are WAF 3.0 security events that can be monitored. The other events are WAF 2.0 security events. For information about the security events that are detected by WAF 2.0 and can be monitored, see Security events that can be monitored.
Keyword Filtering
The keywords that are used in the alert rule. Valid values:
Contains any of the keywords: If the content of an event includes one of the specified keywords, an alert notification is sent.
Does not contain any of the keywords: If the content of an event does not include one of the specified keywords, an alert notification is sent.
SQL Filter
The SQL statements that are used for filtering.
Resource Range
The range of resources for which you want the alert rule to take effect. Valid values: All Resources and Application Groups.
Alert Contact Group
The contact groups to which alert notifications are sent. For more information, see Create an alert contact and alert contact group.
Notification Method
The severity level and notification method of the event-triggered alert. Valid values:
Critical (Phone Call + SMS Message + Email + Webhook)
Warning (SMS Message + Email + Webhook)
Info (Email +Webhook)
Message Service - Queue
The Message Service (MNS) queue to which event-triggered alerts are delivered.
Function Compute
The Function Compute function to which event-triggered alerts are delivered.
URL Callback
The callback URL that can be accessed over the Internet. CloudMonitor sends HTTP POST requests to push alert notifications to the specified URL. Only HTTP is supported. For information about how to configure alert callbacks, see Configure callbacks for system event-triggered alerts (old).
Log Service
The Simple Log Service Logstore to which event-triggered alerts are delivered.
Mute For
The interval at which CloudMonitor resends alert notifications before an alert is cleared. Valid values: 5 Minutes, 15 Minutes, 30 Minutes, 60 Minutes, 3 Hours, 6 Hours, 12 Hours, and 24 Hours.
After you configure an alert rule, the contacts that you specified in the alert rule can receive alert notifications when security events are detected on the protected objects of WAF.
If you want to query recent security events that are detected by WAF 3.0, choose Event Center > System Event in the left-side navigation pane and click the Event Monitoring tab. On the Event Monitoring tab, select Web Application Firewall (WAF) from the All Products drop-down list and select an event name that contains v3 from the Select Event Name drop-down list. Then, click Search.
Configure monitoring and alerting rules for service metrics
Log on to the CloudMonitor console.
In the left-side navigation pane, choose .
On the Alert Rules page, click Create Alert Rule.
In the Create Alert Rule panel, configure the parameters and click OK. The following table describes the parameters.
Parameter
Description
Product
The Alibaba Cloud service that you want to monitor by using CloudMonitor. Select WAF 3.0 from the Product drop-down list.
Resource Range
The range of the resources to which the alert rule is applied. Valid values:
All Resources: The alert rule takes effect for all resources of WAF 3.0.
Application Groups: The alert rule takes effect for all resources in the specified application group of WAF 3.0.
Instances: The alert rule takes effect for the specified resources of WAF 3.0.
Rule Description
The content of the alert rule. If a metric meets a specific condition, an alert is triggered. To specify a condition, perform the following steps:
Click Add Rule.
In the Config Rule Description panel, configure the Alert Rule, Metric Type, Metric, and Threshold and Alert Level parameters. Then, click OK.
NoteFor information about WAF 3.0 metrics that can be monitored, see Metrics that can be monitored.
Mute For
The interval at which CloudMonitor resends alert notifications before an alert is cleared. Valid values: 5 Minutes, 15 Minutes, 30 Minutes, 60 Minutes, 3 Hours, 6 Hours, 12 Hours, and 24 Hours.
An alert is triggered when the condition of an alert rule is met. If the alert is retriggered within the mute period, CloudMonitor does not resend an alert notification. If the alert is not cleared after the mute period ends, CloudMonitor resends alert notifications.
Effective Period
The period of time during which the alert rule is effective. CloudMonitor monitors the specified instances and generates alerts only within the specified period.
Alert Contact Group
The contact groups to which alert notifications are sent. For more information, see Create an alert contact and alert contact group.
Alert Callback
The callback URL that can be accessed over the Internet. CloudMonitor sends HTTP POST requests to push alert notifications to the specified URL. Only HTTP is supported. For information about how to configure an alert callback, see Use the alert callback feature to send notifications about threshold-triggered alerts.
NoteYou can click Advanced Settings to configure this parameter.
Auto Scaling
If you turn on Auto Scaling, the specified scaling rule is enabled when an alert is triggered based on the alert rule. In this case, configure the following parameters: Region, ESS Group, and ESS Rule.
For information about how to create a scaling group, see Manage scaling groups.
For information about how to create a scaling rule, see Manage scaling rules.
NoteYou can click Advanced Settings to configure this parameter.
Log Service
If you turn on Log Service, the alert information is written to the specified Logstore when an alert is triggered. You must configure the Region, ProjectName, and Logstore parameters. For information about how to create a project and a Logstore, see Getting started.
NoteYou can click Advanced Settings to configure this parameter.
Message Service - topic
If you turn on Message Service - topic, the alert information is written to the specified topic in MNS when an alert is triggered. You must configure the Region and topicName parameters. For more information about how to create a topic, see Create a topic.
NoteYou can click Advanced Settings to configure this parameter.
Method to handle alerts when no monitoring data is found
The method that is used to handle alerts when no monitoring data is found. Valid values:
Do not do anything (default)
Send alert notifications
Treated as normal
NoteYou can click Advanced Settings to configure this parameter.
Tag
The tag of the alert rule. A tag consists of a tag name and a tag value.
After you create an alert rule, you can view the rule on the Alert Rules page. Select WAF 3.0 from the Product drop-down list and resource from the Metric drop-down list. Then, select one of the metrics that are displayed on the right side to search for the alert rule that you created for the metric.
NoteIf you select domain from the Metric drop-down list, the metrics that are displayed on the right side are WAF 2.0 service metrics that can be monitored.
If you select resource from the Metric drop-down list, the metrics that are displayed on the right side are WAF 3.0 metrics that can be monitored. For more information about WAF 3.0 metrics that can be monitored, see Metrics that can be monitored.
If you select Instance from the Metric drop-down list, the metrics that are displayed on the right side are Hybrid Cloud WAF service metrics that can be monitored. The metrics whose names include v3 are WAF 3.0 service metrics that can be monitored and the remaining metrics are WAF 2.0 service metrics.
Security events that can be monitored
You can use CloudMonitor to configure monitoring and alerting rules for security events that occur on the protected objects of WAF. For more information, see Configure monitoring and alerting rules for security events.
Event type | Event name | Severity level |
Attack | wafv3_event_aclattack | Critical |
Attack | wafv3_event_ccattack | |
Attack | wafv3_event_webattack | |
Attack | wafv3_event_webscan | |
Exceed | xray_wafv3_event_log_exceed | |
Exceed | xray_wafv3_event_qps_exceed | |
Event | wafv3_event_apisec Note Alert notifications are sent to you only when high-risk security events are detected by the API security feature. |
Service metrics that can be monitored
You can use CloudMonitor to configure monitoring and alerting rules for the following metrics. For more information, see Configure monitoring and alerting rules for metrics.
Protected objects that are manually added to WAF do not support traffic-related metrics, such as 4XX_ratio_v3, 5XX_ratio_v3, qps_v3, qps_ratio_v3, and qps_ratio_down_v3.
Metric | Dimension | Description | Remarks |
4XX_ratio_v3 | Protected object | The percentage of the HTTP 4xx status codes that are returned per minute. The value does not include the percentage of HTTP 405 status codes that are returned. | The value is displayed as a decimal number. |
5XX_ratio_v3 | Protected object | The percentage of the HTTP 5xx status codes that are returned per minute. | The value is displayed as a decimal number. |
acl_blocks_5m_v3 | Protected object | The number of requests that are blocked by access control policies in the previous 5 minutes. | None |
acl_rate_5m_v3 | Protected object | The percentage of requests that are blocked by access control policies in the previous 5 minutes. | The value is displayed as a decimal number. |
cc_blocks_5m_v3 | Protected object | The number of requests that are blocked by HTTP flood protection in the previous 5 minutes. | None |
cc_rate_5m_v3 | Protected object | The percentage of requests that are blocked by HTTP flood protection in the previous 5 minutes. | The value is displayed as a decimal number. |
waf_blocks_5m_v3 | Protected object | The number of requests that are blocked by web application attack prevention in the previous 5 minutes. | None |
waf_rate_5m_v3 | Protected object | The percentage of requests that are blocked by web application attack prevention in the previous 5 minutes. | The value is displayed as a decimal number. |
QPS_V3 | Protected object | The number of queries per second. | None |
qps_ratio_v3 | Protected object | The minute-granularity growth rate of QPS. | The value is displayed as a percentage. |
qps_ratio_down_v3 | Protected object | The minute-granularity decrease rate of QPS. | The value is displayed as a percentage. |