Configure CloudMonitor notifications - Web Application Firewall

You can configure alert notification rules for service metrics supported by Web Application Firewall (WAF) and for security events detected by WAF in the CloudMonitor console. This topic describes how to use CloudMonitor to configure monitoring and alerting for WAF.

Prerequisites

Web services are added to WAF on the Website Configuration page. For more information, see Website configuration overview.

Create an alert contact and an alert contact group

Log on to the CloudMonitor console.
In the left-side navigation pane, choose Alerts > Alert Contacts.
Create an alert contact.
1. On the Alert Contacts tab, click Create Alert Contact.
2. In the Set Alert Contact panel, enter the name, email address, and webhook URL of the alert contact. Retain the default values of other parameters.
  Note
  Make sure that the Language of Alert Notifications parameter is set to the default value Automatic. This indicates that CloudMonitor automatically selects the language of alert notifications based on the language that you use to create your Alibaba Cloud account.
3. Verify the parameter values and click OK.
Create an alert contact group.
1. On the Alert Contact Group tab, click Create Alert Contact Group.
2. In the Create Alert Contact Group panel, specify a name for the alert contact group that you want to create and select alert contacts that you want to add to the group. Then, click Confirm.
Add multiple alert contacts to an alert contact group.
1. On the Alert Contacts tab, select the alert contacts that you want to add to an alert contact group and click Add to Alert Contact Group.
2. In the Add to Contact Group dialog box, select the alert contact group to which you want to add the alert contacts and click OK.
After you create alert contacts, create an alert contact group and add the alert contacts to the alert contact group. Then, the alert contacts can receive alert notifications. Alert contacts must check alert notifications and handle alerts at the earliest opportunity.

Configure monitoring and alerting for security events

Log on to the CloudMonitor console.
In the left-side navigation pane, choose Event Center > System Event.
On the Event Monitoring tab, click Old Event Alarm Rules in the upper-right corner and then click Create Alert Rule.

In the Create/Modify Event-triggered Alert Rule panel, configure the parameters and click OK. The following table describes the parameters.

Parameter	Description
Alert Rule Name	The name of the event-triggered alert rule.
Product Type	The Alibaba Cloud service for which you want to configure the event-triggered alert rule. Select Web Application Firewall (WAF).
Event Type	The type of the event to which you want to apply the alert rule. Valid values: Attack, Exceed, and Event.
Event Level	The severity level of the event that triggers alerts. The severity level of all events that are detected by WAF 3.0 is CRITICAL.
Event Name	The name of the event that triggers alerts. Note In the Event Name drop-down list, the events whose names contain v3 are events that are detected by WAF 3.0 and can be monitored by CloudMonitor. The other events are security events that are detected by WAF 2.0 and can be monitored by CloudMonitor. For information about the security events that are detected by WAF 2.0 and can be monitored by CloudMonitor, see Security events that can be monitored.
Keyword Filtering	The keywords that are used in the alert rule. Valid values: Contains any of the keywords: If the content of an event contains any one of the specified keywords, CloudMonitor sends an alert notification. Does not contain any of the keywords: If the content of an event contains none of the specified keywords, CloudMonitor sends an alert notification.
SQL Filter	The SQL statements that you want to use for filtering.
Resource Range	The range of resources to which you want to apply the alert rule. Valid values: All Resources and Application Groups.
Alert Contact Group	The alert contact groups to which you want to send alert notifications. For more information, see Create an alert contact and an alert contact group.
Notification Method	The severity level and notification methods of the event-triggered alert. Valid values: Critical (Phone Call + Text Message + Email + Webhook) Warning (Text Message + Email + Webhook) Info (Email + Webhook)
Message Service - Queue	The Message Service (MNS) queue to which the event-triggered alert is delivered.
Function Compute	The Function Compute function to which the event-triggered alert is delivered.
URL Callback	The callback URL that can be accessed over the Internet. CloudMonitor sends POST requests to push alert notifications to the specified callback URL. Only HTTP is supported. For information about how to configure alert callbacks, see Configure callbacks for system event-triggered alerts (old).
Simple Log Service for WAF	The Simple Log Service Logstore to which the event-triggered alert is delivered.
Mute For	The interval at which CloudMonitor resends alert notifications before the alert is cleared. Valid values: 5 Minutes, 15 Minutes, 30 Minutes, 60 Minutes, 3 Hours, 6 Hours, 12 Hours, and 24 Hours.

After you configure an alert rule, the contacts that you specified in the alert rule can receive alert notifications when security events are detected on protected objects.

On the Event Monitoring tab, you can select WAF from the All Products drop-down list, select an event name that contains v3 from the Select Event Name drop-down list, and then click Search to query security events that are detected by WAF 3.0.

Configure monitoring and alerting for service metrics

Log on to the CloudMonitor console.
In the left-side navigation pane, choose Alerts > Alert Rules.
On the Alert Rules page, click Create Alert Rule.

In the Create Alert Rule panel, configure the parameters and click Confirm. The following table describes the parameters.

Parameter	Description
Product	The Alibaba Cloud service for which you want to use the alert rule. Select WAF 3.0 from the Product drop-down list.
Resource Range	The range of resources to which you want to apply the alert rule. Valid values: All Resources: The alert rule applies to all resources of WAF 3.0. Application Groups: The alert rule applies to all resources in the specified application group of WAF 3.0. Instances: The alert rule applies to the specified resources of WAF 3.0.
Rule Description	The content of the alert rule. If a metric meets the specified conditions, an alert is triggered. To specify a condition, perform the following steps: Click Add Rule. In the Add Rule Description panel, configure the Alert Rule, Metric Type, Metric, and Threshold and Alert Level parameters. Then, click OK. Note For information about WAF 3.0 service metrics that can be monitored, see Service metrics that can be monitored.
Mute For	The interval at which CloudMonitor resends alert notifications before the alert is cleared. Valid values: 5 Minutes, 15 Minutes, 30 Minutes, 60 Minutes, 3 Hours, 6 Hours, 12 Hours, and 24 Hours. An alert is triggered when the conditions of an alert rule are met. If the alert is retriggered within the mute period, CloudMonitor does not resend an alert notification. If the alert is not cleared after the mute period ends, CloudMonitor resends alert notifications.
Effective Period	The period of time in which the alert rule is effective. CloudMonitor monitors the specified resources and generates alerts only within the specified period.
Alert Contact Group	The alert contact groups to which you want to send alert notifications. For more information, see Create an alert contact and an alert contact group.
Alert Callback	The callback URL that can be accessed over the Internet. CloudMonitor sends POST requests to push alert notifications to the specified callback URL. Only HTTP is supported. For information about how to configure an alert callback, see Use the alert callback feature to send notifications about threshold-triggered alerts. Note You can click Advanced Settings to configure this parameter.
Auto Scaling	If you turn on Auto Scaling, the specified scaling rule is enabled when an alert is triggered based on the alert rule. In this case, you must configure the Region, ESS Group, and ESS Rule parameters. For information about how to create a scaling group, see Manage scaling groups. For information about how to create a scaling rule, see Manage scaling rules. Note You can click Advanced Settings to configure this parameter.
Simple Log Service	If you turn on Simple Log Service, the alert information is written to the specified Logstore in Simple Log Service when an alert is triggered. You must configure the Region, ProjectName, and Logstore parameters. For information about how to create a project and a Logstore, see Getting started. Note You can click Advanced Settings to configure this parameter.
Message Service - Topic	If you turn on Message Service - Topic, the alert information is written to the specified topic in MNS when an alert is triggered. You must configure the Region and topicName parameters. For information about how to create a topic, see Create a topic. Note You can click Advanced Settings to configure this parameter.
Method to handle alerts when no monitoring data is found	The method that is used to handle alerts when no monitoring data is found. Valid values: Do not do anything (default) Send alert notifications Treated as normal Note You can click Advanced Settings to configure this parameter.
Tag	The tag of the alert rule. A tag consists of a tag name and a tag value.

After you create an alert rule, you can view the rule on the Alert Rules page. Select WAF 3.0 from the Product drop-down list and resource from the Metric drop-down list. Then, select one of the metrics that are displayed on the right side to search for the alert rule that you created for the metric.

Note

Descriptions of metrics that can be monitored:

If you select domain from the Metric drop-down list, the metrics that are displayed on the right side are WAF 2.0 metrics that can be monitored.
If you select resource from the Metric drop-down list, the metrics that are displayed on the right side are WAF 3.0 metrics that can be monitored. For more information about WAF 3.0 service metrics that can be monitored, see Service metrics that can be monitored.
If you select Instance from the Metric drop-down list, the metrics that are displayed on the right side are Hybrid Cloud WAF metrics that can be monitored. Metrics whose names contain v3 are WAF 3.0 metrics that can be monitored by CloudMonitor. The other metrics are WAF 2.0 metrics.

Security events that can be monitored

You can use CloudMonitor to configure monitoring and alerting rules for security events that occur on protected objects. For more information, see Configure monitoring and alerting for security events.

Event type	Event name	Severity level
Attack	wafv3_event_aclattack	Critical
Attack	wafv3_event_ccattack
Attack	wafv3_event_webattack
Attack	wafv3_event_webscan
Exceed	xray_wafv3_event_log_exceed
Exceed	xray_wafv3_event_qps_exceed
Event	wafv3_event_apisec Note Alert notifications are sent only when high-risk security events are detected by the API security feature.

Service metrics that can be monitored by CloudMonitor

You can use CloudMonitor to configure monitoring and alerting rules for the following metrics. For more information, see Configure monitoring and alerting for service metrics.

Note

Protected objects that are manually added to WAF do not support traffic-related metrics, such as 4XX_ratio_v3, 5XX_ratio_v3, qps_v3, qps_ratio_v3, and qps_ratio_down_v3.

Metric	Dimension	Description	Remarks
4XX_ratio_v3	Protected object	The proportion of HTTP 4xx status codes that are returned per minute. The value does not include the proportion of HTTP 405 status codes that are returned.	The value is displayed as a decimal number.
5XX_ratio_v3	Protected object	The proportion of HTTP 5xx status codes that are returned per minute.	The value is displayed as a decimal number.
acl_blocks_5m_v3	Protected object	The number of requests that are blocked based on access control policies in the previous 5 minutes.	None
acl_rate_5m_v3	Protected object	The proportion of requests that are blocked based on access control policies in the previous 5 minutes.	The value is displayed as a decimal number.
cc_blocks_5m_v3	Protected object	The number of requests that are blocked based on HTTP flood protection rules in the previous 5 minutes.	None
cc_rate_5m_v3	Protected object	The proportion of requests that are blocked based on HTTP flood protection rules in the previous 5 minutes.	The value is displayed as a decimal number.
waf_blocks_5m_v3	Protected object	The number of requests that are blocked based on attack prevention rules for web applications in the previous 5 minutes.	None
waf_rate_5m_v3	Protected object	The proportion of requests that are blocked based on attack prevention rules for web applications in the previous 5 minutes.	The value is displayed as a decimal number.
QPS_V3	Protected object	The number of queries per second (QPS).	None
qps_ratio_v3	Protected object	The per-minute growth rate of QPS.	The value is displayed as a percentage.
qps_ratio_down_v3	Protected object	The per-minute decrease rate of QPS.	The value is displayed as a percentage.