All Products
Search
Document Center

Web Application Firewall:Best practices for pushing API security alerts

Last Updated:Dec 20, 2024

In most cases, CloudMonitor is used to push alerts for high-risk events that are detected by the API security module of Web Application Firewall (WAF). This helps you respond to risks in a timely manner. However, events detected by API security are classified into low-risk, medium-risk, and high-risk events. If you use only CloudMonitor, you cannot push alerts for all levels of attack events detected by API security. If you want to push alerts for all levels of attack events, you can use Alibaba Cloud Simple Log Service together with CloudMonitor. This topic describes how to configure alerts in Simple Log Service.

Solution overview

After you configure log subscription settings in the API security module, log delivery is enabled. All API security events are immediately recorded and stored. For more information, see 8. Log Subscription Configurations. You can use the query and analysis syntax supported by Simple Log Service and the log data included in API security alerts to create alert rules. You can push alerts by using the following methods:

Method 1: Use the alerting and notification features of Simple Log Service to push alerts for API security events.

Method 2: Use the alerting feature of Simple Log Service and the notification feature of CloudMonitor to push alerts for API security events.

Prerequisites

  • Simple Log Service is activated.

  • CloudMonitor is activated. Make sure that this prerequisite is met if you use CloudMonitor to push alerts.

  • A Logstore is created. API security logs are delivered to the Logstore. For more information, see Logstore.

    Note

    When you select a Logstore to which you want to deliver logs, you cannot select the Logstores that are automatically created by Simple Log Service or the Logstores named waf-logstore, wafng-logstore, and wafnew-logstore.

Step 1: Enable log delivery and create indexes

Deliver attack events that are detected by API security to the Logstore that you specify. Then, you can use Simple Log Service to configure alerts for different levels of attack events.

  1. Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and region of your WAF instance. You can select Chinese Mainland or Outside Chinese Mainland.

  2. In the left-side navigation pane, choose Protection Configuration > API Security.

  3. On the API Security page, click the Policy Configurations tab and then click the Log Subscription Configurations tab.

  4. Click Configure in the Attack EventInformation section.

  5. In the Configure Subscription Information dialog box, select the region of the Logstore to which logs are delivered, the project to which the Logstore belongs, and the Logstore. image

  6. Confirm that Status in the Attack EventInformation section is turned on.

  7. Create indexes for the Logstore. This way, you can specify the event_level field in a query statement for the Query Statistics parameter when you configure alerts in Simple Log Service. The field indicates the level of an attack event. For more information, see Create indexes.

Important
  • You are charged additional fees for the project, Logstore, and indexes that you create in the Simple Log Service console. The fees are included in the bills of Simple Log Service. For more information about the billable items and pricing of Simple Log Service, see Billing overview of Simple Log Service.

  • After you create the project and Logstore, you are charged even if your log subscription task is disabled. Therefore, if you confirm that the Logstore is no longer required, delete the Logstore at the earliest opportunity. For more information, see Why am I charged even if I only create projects and Logstores?

Step 2: Create an alert rule in Simple Log Service

Create alert rules to monitor and handle different levels of API security events.

Create an alert rule

  1. In the left-side navigation pane of the Simple Log Service console, click the image icon. On the Alert Center page, click Create Alert. The Create Alert panel appears.

  2. Click Create next to Query Statistics. The Query Statistics dialog box appears. image

  3. On the Advanced Settings tab of the Query Statistics dialog box, select the Logstore that you want to use. image

  4. Enter a query statement and specify a query time range based on your business requirements.

    image

    Filter data by risk level

    You can use the following query statements to filter logs and obtain logs whose risk level is high, medium, or low:

    /*Filter for high-risk data*/
    select event_level,COUNT(*) AS CNT WHERE event_level='high'
    
    /*Filter for medium-risk data*/
    select event_level,COUNT(*) AS CNT WHERE event_level='medium'
    
    /*Filter for low-risk data*/
    select event_level,COUNT(*) AS CNT WHERE event_level='low'
    You can specify a query statement to filter logs by risk level.
  5. Click Confirm. The Create Alert panel appears. You can view the specified query statement next to the Query Statistics parameter.

  6. Configure the Trigger Condition parameter and an alert severity.

    The severity settings in the Trigger Condition parameter are required to configure notification settings in CloudMonitor. We recommend that you use the event_level field to specify an event level in a query statement. For example, you can specify high for the event_level field. image

    The preceding configuration can meet the requirements of this example. You can further configure the Check Frequency, Trigger Condition, Group Evaluation, Recovery Notifications, Add Tags, and Add Annotation parameters based on your business requirements. For more information, see Create an alert rule. If you want to use CloudMonitor to push alerts, the severity specified in the Trigger Condition parameter corresponds to the event level in the subscription policy that you create.
  7. Specify a destination to which alerts are sent.

    Do not turn on Enable. For more information, see Step 3.

    image

  8. Click OK. You can view the created alert rule on the Alert Rules tab of the Alert Center page. The alert rule configuration is complete in Simple Log Service.

Step 3: Configure alert push

Method 1: Use Simple Log Service to push alerts

If you select this method, the alerting and notification features of Simple Log Service are used to push alerts for API security events.

Configure a notification object

Create an object to which you want to send alerts.

  1. On the Alert Center page, click the Notification Objects tab.

  2. On the User Management tab, click Create. The Create User dialog box appears.

    image

  3. In the Create User dialog box, enter the information about the user that you want to create and turn on Enabled, Receive Text Message, and Receive Phone Call.

  4. Click OK. Then, refresh the current page and confirm that the user is created.

Configure an alert template

You can specify a custom value for the Content parameter when you create an alert template. For example, you can specify that a pushed alert contains the instance ID, alert rule name, and alert severity.

  1. On the Alert Center page, choose Notification Management > Alert Template. On the Alert Template tab, click Create.

  2. In the dialog box that appears, specify a custom value for the Content parameter. This parameter specifies the content of a pushed alert.

    image

    Note

    This figure shows several template variables for reference only. You can click Alert Template Variables to view all supported template variables.

  3. Click Confirm. Then, refresh the current page and confirm that the alert template is created.

Configure an alert destination
  1. Find the alert rule that you created and click Edit in the Actions column.

  2. Set the Destination parameter to Simple Log Service Notification and turn on Enable.

  3. Configure the Alert Policy parameter.

    In most cases, you can select Simple Mode. Then, specify the notification method that you want to use, select Static Recipient for the Recipient Type parameter, specify the recipients to which you want to send alerts, and select the alert template that you want to use. The following figure shows a sample configuration.

    image

    Note

    Simple Mode: Configure the Notification Method, Recipient, Alert Template, and Period parameters.

    Standard Mode: Select a system-defined action policy or create a custom action policy.

    Advanced Mode: Select an action policy and an alert policy.

    For more information about the notification methods supported by Simple Log Service, see Notification methods. If you select SMS Message or Voice Call for the Notification Method parameter, you are charged additional fees. For more information, see Billable items of pay-by-feature.

  4. Click OK. The configuration is saved.

Note

If you have more complex configuration requirements, see Destination - Simple Log Service Notification.

Enable Simple Log Service notification

  1. Log on to the Simple Log Service console.

  2. In the Projects section, click the project that you want to manage.

  3. In the left-side navigation pane, click the image icon. The Alert Rules tab of the Alert Center page appears.

  4. Confirm that the alert rule is enabled and is in the Running state.

    image

Method 2: Use CloudMonitor to push alerts

If you select this method, the alerting feature of Simple Log Service and the notification feature of CloudMonitor are used to push alerts for API security events.

Configure an alert destination in Simple Log Service

  1. Find the alert rule that you created and click Edit in the Actions column.

  2. Set the Destination parameter to CloudMonitor Event Center and turn on Enable. Click OK. The configuration is saved.

image

Create an alert contact and an alert contact group

CloudMonitor can send notifications only to contact groups. Therefore, you must add your contacts to a contact group.

Create an alert contact
  1. Log on to the CloudMonitor console.

  2. In the left-side navigation pane, choose Alerts > Alert Contacts.

  3. On the Alert Contacts tab, click Create Alert Contact.

  4. In the Set Alert Contact panel, enter the name, mobile phone number, email address, and webhook URL of the contact that you want to create. Retain the default values of other parameters.

  5. Click OK. The Alert Contacts page appears. Confirm that the contact is created.

Create an alert contact group
  1. Click the Alert Contact Group tab.

  2. On the Alert Contact Group tab, click Create Alert Contact Group.

  3. In the Create Alert Contact Group panel, enter a name for the alert contact group and add alert contacts to the alert contact group.

  4. Click Confirm.

Create a notification policy

Prerequisites: An alert contact and an alert contact group are created.

  1. Go back to the CloudMonitor console.

  2. In the left-side navigation pane, choose Event Center > Notification Configuration.

  3. On the Notification Configuration page, click Create policy. In the Create Policy panel, configure the Name and Contact Group parameters.

  4. Click OK.

Create a subscription policy

  1. Go back to the CloudMonitor console.

  2. In the left-side navigation pane, choose Event Center > Event Subscription.

  3. On the Subscription Policy tab, click Create Subscription Policy.

  4. On the Create Subscription Policy page, configure the parameters. The following table describes the parameters.

    Section

    Description

    Basic Information

    Enter a name for the subscription policy.

    Alert Subscription

    Subscription Type: Select System events.

    Product: Select Simple Log Service.

    Event Type: Select Firing and Resolved.

    Note
    • Firing indicates that the alert is in the triggered state, corresponding to the event name:

      • CRITICAL alert event

      • INFO alert event

      • WARN alert event

    • Resolved indicates that the alert is resolved, corresponding to the event name: Alert recovery event.

    Event name: Select AlertEvent:CRITICAL, AlertEvent:INFO, AlertEvent:RESOLVED, and AlertEvent:WARN.

    Event Level: Select Critical.

    Note

    Because the trigger condition in Step 2 is set to Critical, the event level is set to Critical accordingly. If your Trigger Condition Severity is set to other levels, you must select the corresponding event level as follows:

    • If the trigger condition is set to Critical or High, the event level is set to Critical.

    • If the trigger condition is set to Low or Medium, the event level is set to Warning.

    • If the trigger condition is set to Report, the event level is set to Info.

    Event Content: Enter the name of the alert rule that you created in Step 2: Create an alert rule in Simple Log Service.

    Application grouping and Event Resources: Ignore the two parameters.

    Combined noise reduction

    Retain the default values.

    Notification

    Select the created notification policy for the Notification Configuration parameter and retain the default value of the Custom notification method parameter.

    Important

    CloudMonitor provides a free quota for alert text messages. For more information, see Free quotas. If you want to use voice calls as the notification method, log on to the CloudMonitor console and click Activate Now in the CloudMonitor Basic section to enable the pay-as-you-go billing method. For more information, see Pay-as-you-go billing of CloudMonitor Basic.

    Push and Integration

    You do not need to configure parameters in this section.

    Alert Subscription configuration is shown in the figure:

    image

    Note

    The preceding configuration is for reference only. You can configure the parameters based on your business requirements. For more information, see Create a subscription policy.

  5. Click Submit at the lower part of the Create Subscription Policy page. The Event Subscription page appears. Confirm that the policy is created and is in the Enabled state.

Verification

After you complete the alert push configuration, verify the accuracy of pushed alerts at the recipient end.

View the alerts pushed by CloudMonitor

  1. Log on to the CloudMonitor console.

  2. In the left-side navigation pane, choose Event Center > Event Subscription. Confirm the pushed information in the CloudMonitor console.

    image

  3. Confirm the pushed information at the recipient end.

    Text message

    image

    Email

    image

    Voice call

    image

View the alerts pushed by Simple Log Service

1. On the Alert Rules tab, click the created alert rule. The Alert Overview page appears. Then, view alert details in the Alert History section.

2. Compare the information received at the recipient end and the information displayed in the console. The format of the received information is consistent with the format specified in the created alert template, and the content of the received information is consistent with the information displayed in the Alert History section.

image