Configuring custom site alerts

You can create custom site alerts to monitor and handle requests from IP addresses that contain specific signals. A custom site alert outlines:

  • the criteria that must be met for an IP address to be flagged. For example, flag an IP address when there are 25 SQL Injection attack signals in 1 minute.
  • how to handle requests from IP addresses that are flagged. You can either log subsequent requests or block subsequent requests containing attack signals from the IP address.
  • how long to block or log subsequent requests from flagged IP addresses.

Limitations and considerations

When working with custom site alerts, keep the following things in mind:

  • Custom site alerts are only included with the Professional and Premier platforms. They are not included as part of the Essentials platform.
  • Accounts are limited to 50 custom site alerts per site.
  • Users with an Observer role cannot configure custom site alerts.
  • With the Premier platform, you can block all requests from IP addresses that have been flagged for events using request rules with the Site Flagged IP (SITE-FLAGGED-IP) anomaly signal.

Adding a custom site alert

To create a custom site alert, complete the following steps:

  1. Log in to the Next-Gen WAF control panel.
  2. From the Sites menu, select a site if you have more than one site.
  3. From the Rules menu, select Site Alerts.

  4. Click Add site alert.

    create a site alert

  5. Fill out the Add form as follows:

    • In the Long name field, enter a descriptive name for the alert (e.g., Increase in failed logins).
    • From the Signal menu, select the signal that the site alert should track.
    • In the Threshold field, enter how many requests containing the signal should be detected before the IP address is flagged.
    • From the Interval menu, select the number of minutes during which signals from the IP address are counted to determine if the threshold has been met.
    • Under When an IP hits the threshold, select whether the alert should log subsequent requests or block subsequent requests containing attack signals from the IP address. If you selected a custom or anomaly signal as the Signal, then you will only be able to log subsequent requests from the IP.
    • Under Take action for, select how long the IP address should be flagged. By default, IP addresses are flagged for 24 hours. You can set a custom duration by selecting Custom duration and choosing a duration.
    • Leave the Notifications checkbox selected to send an external notification (e.g., email and Slack) when the site alert is triggered. Deselect the checkbox to not send any external notifications.
    • Click the Status switch to enable the site alert.
  6. Click Save alert.

Was this guide helpful?

Do not use this form to send sensitive information. If you need assistance, contact support. This form is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.