Configuring custom site alerts
Last updated 2024-11-13
IMPORTANT
This guide only applies to Next-Gen WAF customers with access to the Next-Gen WAF control panel.
You can create custom site alerts (also known as custom workspace alerts) to monitor and handle requests from IP addresses that contain specific signals. A custom site alert (custom workspace alert) outlines:
- the criteria that must be met for an IP address to be flagged. For example, flag an IP address when there are 25 SQL Injection attack signals in 1 minute.
- how to handle requests from IP addresses that are flagged. You can either log subsequent requests or block subsequent requests containing attack signals from the IP address.
- how long to block or log subsequent requests from flagged IP addresses.
Limitations and considerations
When working with custom site alerts (custom workspace alerts), keep the following things in mind:
- Custom site alerts (custom workspace alerts) are only included with the Professional and Premier platforms. They are not included as part of the Essentials platform.
- Accounts are limited to 50 custom site alerts (custom workspace alerts) per site.
- If you've been assigned an observer role (or the user or billing role), you cannot configure custom site alerts (custom workspace alerts).
- With the Premier platform, you can block all requests from IP addresses that have been flagged for events using request rules with the Site Flagged IP (SITE-FLAGGED-IP) anomaly signal.
Adding custom site alerts (custom workspace alerts)
To create a custom site alert (custom workspace alert), complete the following steps:
- Log in to the Next-Gen WAF control panel.
- From the Sites menu, select a site if you have more than one site.
- From the Rules menu, select Site Alerts.
- Click Add site alert.
- Fill out the Add form as follows:
  - In the Long name field, enter a descriptive name for the alert (e.g., Increase in failed logins).
  - From the Signal menu, select the signal that the site alert should track.
  - In the Threshold field, enter how many requests containing the signal should be detected before the IP address is flagged.
  - From the Interval menu, select the number of minutes during which signals from the IP address are counted to determine if the threshold has been met.
  - Under When an IP hits the threshold, select whether the alert should log a sample of subsequent requests from the IP address or block subsequent requests containing attack signals from the IP address. If you selected an anomaly signal from the Signal menu, then you will only be able to log subsequent requests from the IP address.
  - Under Take action for, select how long the IP address should be flagged. By default, IP addresses are flagged for 24 hours. You can set a custom duration by selecting Custom duration and choosing a duration.
  - Leave the Notifications checkbox selected to send an external notification (e.g., email and Slack) when the site alert is triggered. Deselect the checkbox to not send any external notifications.
  - Click the Status switch to enable the site alert.
- Click Save alert.
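The Python sketch below is an added example, not Fastly's code or part of the original guide. It models how the Signal, Threshold, Interval, action and duration settings interact, and replays constructed requests through them so you can sanity-check a threshold before saving an alert. The sliding counting window, the class and function names, and the SQLI/XSS labels are assumptions made for illustration.

```python
from collections import defaultdict, deque

ATTACK_SIGNALS = {"SQLI", "XSS"}  # constructed labels standing in for attack signals

class SiteAlertModel:
    """Simplified model of one site alert; a sliding window is an assumption."""

    def __init__(self, signal, threshold, interval_s, action, duration_s=24 * 3600):
        if action == "block" and signal not in ATTACK_SIGNALS:
            raise ValueError("anomaly signals can only log subsequent requests")
        self.signal, self.threshold, self.interval_s = signal, threshold, interval_s
        self.action, self.duration_s = action, duration_s
        self.hits = defaultdict(deque)  # ip -> times of requests carrying the signal
        self.flagged_until = {}         # ip -> time at which the flag expires

    def handle(self, ts, ip, signals):
        """Return 'allowed', 'flagged', 'logged' or 'blocked' for one request."""
        if self.flagged_until.get(ip, 0) > ts:
            if self.action == "log":
                return "logged"  # eligible for logging; the page says a sample is logged
            # Blocking applies only to requests that themselves carry an attack signal.
            return "blocked" if ATTACK_SIGNALS & signals else "allowed"
        if self.signal in signals:
            window = self.hits[ip]
            window.append(ts)
            while window[0] <= ts - self.interval_s:  # drop hits older than the interval
                window.popleft()
            if len(window) >= self.threshold:
                self.flagged_until[ip] = ts + self.duration_s
                window.clear()
                return "flagged"  # this request met the threshold; later ones are acted on
        return "allowed"

def replay(alert, events):
    """Feed (timestamp, ip, signals) tuples, in time order, through the model."""
    return [alert.handle(ts, ip, set(sigs)) for ts, ip, sigs in events]

if __name__ == "__main__":
    # Constructed traffic: a 25-request burst in 25 s, then a slow client (1 request / 3 s).
    alert = SiteAlertModel("SQLI", threshold=25, interval_s=60, action="block")
    burst = [(t, "203.0.113.7", ["SQLI"]) for t in range(25)]
    slow = [(100 + 3 * t, "198.51.100.9", ["SQLI"]) for t in range(30)]
    follow_up = [(200, "203.0.113.7", []), (201, "203.0.113.7", ["SQLI"])]
    results = replay(alert, burst + slow + follow_up)
    print(results[24], results[-2], results[-1], set(results[25:55]))
```

In this model the slow client sends 30 SQLI requests but never has more than 20 inside any 60-second window, so it is never flagged. Lowering the threshold or lengthening the interval is what would catch it.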