All Products
Search
Document Center

Web Application Firewall:Configure CloudMonitor notifications

Last Updated:Nov 20, 2024

You can configure alert notification rules for metrics supported by Web Application Firewall (WAF) and for security events detected by WAF in the CloudMonitor console. This topic describes how to use CloudMonitor to configure monitoring and alerting for WAF.

Prerequisites

Web services are added to WAF on the Website Configuration page. For more information, see Website configuration overview.

Create an alert contact and an alert contact group

  1. Log on to the CloudMonitor console.

  2. In the left-side navigation pane, choose Alerts > Alert Contacts.

  3. Create an alert contact.

    1. On the Alert Contacts tab, click Create Alert Contact.

    2. In the Set Alert Contact panel, enter the name, email address, and webhook URL of the alert contact. Retain the default values of other parameters.

      Note

      Make sure that the Language of Alert Notifications parameter is set to the default value Automatic. This indicates that CloudMonitor automatically selects the language of alert notifications based on the language that you use to create your Alibaba Cloud account.

    3. Verify the parameter values and click OK.

  4. Create an alert contact group.

    1. On the Alert Contact Group tab, click Create Alert Contact Group.

    2. In the Create Alert Contact Group panel, specify a name for the alert contact group that you want to create and select alert contacts that you want to add to the group. Then, click Confirm.

  5. Add multiple alert contacts to an alert contact group.

    1. On the Alert Contacts tab, select the alert contacts that you want to add to an alert contact group and click Add to Contact Group.

    2. In the Add to Contact Group dialog box, select the alert contact group to which you want to add the alert contacts and click OK.

    After you create alert contacts, create an alert contact group, and add the alert contacts to the alert contact group, the alert contacts can receive alert notifications. Alert contacts must check alert notifications and handle alerts at the earliest opportunity.

Configure monitoring and alerting for WAF security events

  1. Log on to the CloudMonitor console.

  2. In the left-side navigation pane, choose Event Center > System Event.

  3. On the Event Monitoring tab, click Old Event Alarm Rules in the upper-right corner. Then, click Create Alert Rule. Choose Alert rules for legacy system events are still created in the dialog box that appears.

  4. In the Create/Modify Event-triggered Alert Rule panel, configure the parameters and click Ok. The following table describes the parameters.

    Parameter

    Description

    Alert Rule Name

    The name of the alert rule.

    Product Type

    The Alibaba Cloud service for which you want to create the alert rule. Select WAF.

    Event Type

    The type of the security events to which you want to apply the alert rule. Valid values: Attack, Exceed, and Event.

    Event Level

    The severity level of the security events to which you want to apply the alert rule. The severity level of all security events that are detected by WAF 3.0 is CRITICAL.

    Event Name

    The name of the security events to which you want to apply the alert rule.

    Note

    In the Event Name drop-down list, security events whose names contain v3 are detected by WAF 3.0 and the other security events are detected by WAF 2.0. For more information about the security events that can be detected by WAF 2.0, see Security events that can be detected.

    Keyword Filtering

    The keywords that are used in the alert rule. Valid values:

    • Contains any of the keywords: If the content of a security event contains any of the specified keywords, CloudMonitor sends an alert notification.

    • Does not contain any of the keywords: If the content of a security event contains none of the specified keywords, CloudMonitor sends an alert notification.

    SQLFilter

    The SQL statement that you want to use for filtering.

    Resource Range

    The range of resources to which you want to apply the alert rule. Valid values: All Resources and Application Groups.

    Notification Method

    • Alert Contact Group: The alert contact groups to which you want to send alert notifications. For more information, see Create an alert contact and an alert contact group.

    • Notification Method: The severity level and notification methods of the alerts that can be triggered. Valid values:

      • Critical (Text Message + Email + Webhook)

      • Warning (Text Message + Email + Webhook)

      • Info (Email + Webhook)

    SMQ

    The Simple Message Queue (formerly MNS, also called SMQ) queue to which the alerts are delivered.

    Function Compute

    The Function Compute function to which the alerts are delivered.

    URL Callback

    The callback URL to which alert notifications are sent. Make sure that the URL can be accessed over the Internet. CloudMonitor sends POST requests to push the alert notifications. Only HTTP is supported. For more information about how to configure alert callbacks, see Configure callbacks for system event-triggered alerts (old).

    Simple Log Service

    The Simple Log Service Logstore to which the alerts are delivered.

    Mute For

    The interval at which CloudMonitor resends an alert notification before an existing alert is cleared. Valid values: 5 Minutes, 15 Minutes, 30 Minutes, 60 Minutes, 3 Hours, 6 Hours, 12 Hours, and 24 Hours.

    After you configure an alert rule, the contacts that you specify in the alert rule can receive alert notifications when security events are detected by WAF on protected objects.

    On the Event Monitoring tab, you can select WAF from the cloud service drop-down list, select a security event whose name contains v3 from the SelectEvent Name drop-down list, and then click Search to query security events that are detected by WAF 3.0.

Configure monitoring and alerting for WAF metrics

  1. Log on to the CloudMonitor console.

  2. In the left-side navigation pane, choose Alerts > Alert Rules.

  3. On the Alert Rules page, click Create Alert Rule.

  4. In the Create Alert Rule panel, configure the parameters and click Confirm. The following table describes the parameters.

    Parameter

    Description

    Product

    The Alibaba Cloud service for which you want to create the alert rule. Select WAF3.0 from the drop-down list.

    Resource Range

    The range of the resources to which you want to apply the alert rule. Valid values:

    • All Resources: The alert rule applies to all resources of WAF 3.0.

    • Application Groups: The alert rule applies to all resources in the specified application group of WAF 3.0.

    • Instances: The alert rule applies to the specified resources of WAF 3.0.

    Rule Description

    The condition of the alert rule. If a metric meets the specified condition, an alert is triggered. To specify a condition, perform the following steps:

    1. Click Add Rule.

    2. In the Configure Rule Description panel, configure the Alert Rule, Metric Type, Metric, and Threshold and Alert Level parameters. Then, click OK.

      Note

      For more information about WAF 3.0 metrics that can be monitored, see Metrics that can be monitored.

    Mute For

    The interval at which CloudMonitor resends an alert notification before an existing alert is cleared. Valid values: 1 Minutes, 5 Minutes, 15 Minutes, 30 Minutes, 60 Minutes, 3 Hours, 6 Hours, 12 Hours, and 24 Hours.

    An alert is triggered when the condition of an alert rule is met. If the alert is retriggered within the mute period, CloudMonitor does not resend an alert notification. If the alert is not cleared after the mute period ends, CloudMonitor resends an alert notification.

    Effective Period

    The period during which the alert rule takes effect. CloudMonitor monitors the specified resources and generates alerts only during the effective period.

    Alert Contact Group

    The alert contact groups to which you want to send alert notifications. For more information, see Create an alert contact and an alert contact group.

    Alert Callback

    The callback URL to which alert notifications are sent. Make sure that the URL can be accessed over the Internet. CloudMonitor sends POST requests to push the alert notifications. Only HTTP is supported. For more information about how to configure an alert callback, see Use the alert callback feature to send notifications about threshold-triggered alerts.

    Note

    You can click Advanced Settings to configure this parameter.

    Auto Scaling

    If you turn on Auto Scaling, the specified scaling rule takes effect when an alert is triggered. You must configure the Region, ESS Group, and ESS Rule parameters.

    Note

    You can click Advanced Settings to configure this parameter.

    Log Service

    If you turn on Log Service, the alert information is written to the specified Logstore in Simple Log Service when an alert is triggered. You must configure the Region, ProjectName, and Logstore parameters. For more information about how to create a project and a Logstore, see Getting started.

    Note

    You can click Advanced Settings to configure this parameter.

    Simple Message Queue (formerly MNS) - Topic

    If you turn on Simple Message Queue (formerly MNS) - Topic, the alert information is written to the specified topic in Simple Message Queue (formerly MNS) when an alert is triggered. You must configure the Region and topicName parameters for the Simple Message Queue (formerly MNS) topic. For more information about how to create a topic, see Create a topic.

    Note

    You can click Advanced Settings to configure this parameter.

    Method to handle alerts when no monitoring data is found

    The method that is used to handle alerts when no monitoring data exists. Valid values:

    • Do not do anything (default value.)

    • Send alert notifications

    • Treated as normal

    Note

    You can click Advanced Settings to configure this parameter.

    Tag

    The tag of the alert rule. A tag consists of a tag name and a tag value.

    After you create an alert rule, you can view the rule on the Alert Rules page. You can also perform the following operations to search for an alert rule created for a specific metric: Select WAF3.0 from the Product drop-down list and resource from the Metric Name drop-down list. Then, select the metric from the metrics that are displayed on the right side.

    Note

    The following list describes the WAF metrics that can be monitored by CloudMonitor:

    • If you select domain from the Metric Name drop-down list, the metrics that are displayed on the right side are WAF 2.0 metrics that can be monitored.

    • If you select resource from the Metric Name drop-down list, the metrics that are displayed on the right side are WAF 3.0 metrics that can be monitored. For more information about WAF 3.0 metrics that can be monitored, see Metrics that can be monitored.

    • If you select Instance from the Metric Name drop-down list, the metrics that are displayed on the right side are Hybrid Cloud WAF metrics that can be monitored. Metrics whose names contain v3 are WAF 3.0 metrics, and the other metrics are WAF 2.0 metrics.

Security events that can be detected

You can use CloudMonitor to configure monitoring and alerting for security events that occur on protected objects. For more information, see Configure monitoring and alerting for WAF security events.

Event type

Event name

Severity level

Trigger condition

Attack

wafv3_event_aclattack

(custom rule)

CRITICAL

The system uses a sliding window to accurately monitor events and collect event statistics.

A 10-minute sliding window is used, and statistical values are collected every minute. A statistical value indicates the number of attacks that are blocked within one minute.

The event is triggered when the following conditions are met:

  • The number of blocked attacks exceeds 600.

  • The number of blocked attacks within the current minute is more than three standard deviations higher than the average number over the previous 11 minutes.

The event is no longer triggered when the number of blocked attacks within the current minute is less than the average number over the previous 11 minutes.

Attack

wafv3_event_ccattack

Attack

wafv3_event_webattack

Attack

wafv3_event_webscan

Exceed

xray_wafv3_event_qps_exceed

The event is triggered when the QPS limit is exceeded. For more information, see Editions.

Exceed

xray_wafv3_event_cost_protection

The event is triggered when the threshold for traffic billing protection is exceeded.

Event

wafv3_event_apisec

The event is triggered when high risks or high-risk events are detected by the API security module.

Metrics that can be monitored

You can use CloudMonitor to configure monitoring and alerting for the following metrics. For more information, see Configure monitoring and alerting for metrics.

Note

Protected objects that are manually added in WAF do not support traffic-related metrics, such as 4XX_ratio_v3, 5XX_ratio_v3, qps_v3, qps_ratio_v3, and qps_ratio_down_v3.

Metric

Dimension

Description

Remarks

4XX_ratio_v3

Protected object

The proportion of HTTP 4xx status codes that are returned per minute. HTTP 405 status codes are not counted.

The value is displayed as a decimal number.

5XX_ratio_v3

Protected object

The proportion of HTTP 5xx status codes that are returned per minute.

The value is displayed as a decimal number.

acl_blocks_5m_v3

Protected object

The number of requests that are blocked based on access control policies in the previous 5 minutes.

None.

acl_rate_5m_v3

Protected object

The proportion of requests that are blocked based on access control policies in the previous 5 minutes.

The value is displayed as a decimal number.

cc_blocks_5m_v3

Protected object

The number of requests that are blocked based on HTTP flood protection rules in the previous 5 minutes.

None.

cc_rate_5m_v3

Protected object

The proportion of requests that are blocked based on HTTP flood protection rules in the previous 5 minutes.

The value is displayed as a decimal number.

waf_blocks_5m_v3

Protected object

The number of requests that are blocked based on attack prevention rules for web applications in the previous 5 minutes.

None.

waf_rate_5m_v3

Protected object

The proportion of requests that are blocked based on attack prevention rules for web applications in the previous 5 minutes.

The value is displayed as a decimal number.

QPS_V3

Protected object

The number of queries per second (QPS).

None.

qps_ratio_v3

Protected object

The per-minute growth rate of QPS.

The value is displayed as a percentage.

qps_ratio_down_v3

Protected object

The per-minute decrease rate of QPS.

The value is displayed as a percentage.

References

Only CloudMonitor can be used to push the high-risk alerts detected by the API security module. If you want to push low- and medium-risk alerts, follow the instructions provided in Best practices for pushing API security alerts.