Configuring custom site alerts

You can create custom site alerts to monitor and handle requests from IP addresses that contain specific signals. A custom site alert outlines:

• the criteria that must be met for an IP address to be flagged. For example, flag an IP address when there are 25 SQL Injection attack signals in 1 minute.
• how to handle requests from IP addresses that are flagged. You can either log subsequent requests or block subsequent requests containing attack signals from the IP address.
• how long to block or log subsequent requests from flagged IP addresses.

Limitations and considerations

When working with custom site alerts, keep the following things in mind:

• Custom site alerts are only included with the Professional and Premier platforms. They are not included as part of the Essentials platform.
• Accounts are limited to 50 custom site alerts per site.
• Users with an Observer role cannot configure custom site alerts.
• With the Premier platform, you can block all requests from IP addresses that have been flagged for events using request rules with the Site Flagged IP (SITE-FLAGGED-IP) anomaly signal.

Adding a custom site alert

To create a custom site alert, complete the following steps:

1. Log in to the Next-Gen WAF console.
2. From the Sites menu, select a site if you have more than one site.

3. From the Rules menu, select Site Alerts.

4. Click Add site alert.

   

5. Fill out the Add form as follows:

   • In the Long name field, enter a descriptive name for the alert (e.g., Increase in failed logins).
   • From the Signal menu, select the signal that the site alert should track.
   • In the Threshold field, enter how many requests containing the signal should be detected before the IP address is flagged.
   • From the Interval menu, select the number of minutes during which signals from the IP address are counted to determine if the threshold has been met.
   • Under When an IP hits the threshold, select whether the alert should log subsequent requests or block subsequent requests containing attack signals from the IP address. If you selected a custom or anomaly signal as the Signal, then you will only be able to log subsequent requests from the IP.
   • Under Take action for, select how long the IP address should be flagged. By default, IP addresses are flagged for 24 hours. You can set a custom duration by selecting Custom duration and choosing a duration.
   • Leave the Notifications checkbox selected to send an external notification (e.g., email and Slack) when the site alert is triggered. Deselect the checkbox to not send any external notifications.
   • Click the Status switch to enable the site alert.

6. Click Save alert.