Site alerts allow you to define thresholds for when to flag an IP address and how to treat subsequent requests from that IP.
About system alerts
As requests with attack signals are sent to our backend, we track the number of signals that are seen from an IP across all agents.
| Interval   | Threshold | Frequency of check |
|------------|-----------|--------------------|
| 1 minute   | 50        | Every 20 seconds   |
| 10 minutes | 350       | Every 3 minutes    |
| 1 hour     | 1,800     | Every 20 minutes   |
When the number of malicious requests from an IP reaches one of these thresholds, the IP will be flagged and subsequent malicious requests will be blocked (or logged if your agent mode is set to “not blocking”) for 24 hours.
Note: Requests containing only anomaly signals are not counted towards IP flagging thresholds.
Limitations and considerations
When working with site alerts, keep the following things in mind:
- The thresholds for the system alerts are based on historical patterns that we’ve seen across all customers, but the default thresholds may not apply to every application.
- Site alerts can be used to set lower or higher thresholds to alert and optionally block requests from an IP.
- Site alerts are not supported on the Essential platform.
Adding a site alert
1. Log in to the Signal Sciences console.
2. Select a site if you have more than one site.
3. From the Site Rules menu, select Site Alerts. The site alerts menu page appears.
4. Click Add site alert. The new site alert menu page appears.
5. In the Long name field, enter a descriptive name for the alert (e.g., “Increase in failed logins”).
6. From the Signal menu, select which signal the site alert should track.
7. In the Threshold field, enter how many requests containing the signal should be detected before the IP address is flagged.
8. From the Interval menu, select the duration over which the alert counts signals towards the threshold.
   For example, if you set the Threshold to “60” and the Interval to “10 minutes”, then the IP address will be flagged once 60 requests containing that signal have been detected from a specific IP within the last 10 minutes.
9. Under When an IP hits the threshold, select whether the alert should log subsequent requests or block subsequent requests containing attack signals from the IP.
   If you selected an anomaly signal as the Signal, then you will only be able to log subsequent requests from the IP.
10. Under Take action for, select how long the IP address should be flagged. By default, IP addresses are flagged for 24 hours. You can set a custom duration by selecting Custom duration and choosing a duration.
If your role is User or above, configure a site alert by going to Rules > Site Alerts and clicking New alert.
Note: Observer users can not configure site alerts.
The alert (either system or custom) with the lowest threshold and smallest interval for a given action (“block” or “log”) will be checked first. If an IP is flagged, it won’t be reflagged by any other alerts until that flag is lifted (in 24 hours).
Note: “Blocking” and “logging” alerts are considered different types of alerts. This means that you can log (but not block) if Signal Sciences sees 25 SQLi in a minute, while we’ll still block subsequent requests from an IP if we see over 50 SQLi in a minute.
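The following Python model is an added illustration of the evaluation rules described on this page (the system thresholds table, the threshold/interval example in the site alert steps, the "lowest threshold and smallest interval first" ordering, and the separate treatment of blocking and logging alerts). It is not Signal Sciences code and does not reflect how the backend is implemented; the signal names, the `ANY_ATTACK` key used to represent "a request carrying any attack signal", and the per-request evaluation (the real system checks on the schedule in the table) are assumptions of the model.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

# Constructed subsets for this model; the real signal taxonomy is larger.
ATTACK_SIGNALS = {"SQLI", "XSS", "CMDEXE", "TRAVERSAL"}
ANOMALY_SIGNALS = {"HTTP404", "HTTP500", "LOGINFAILURE"}
ANY_ATTACK = "__ANY_ATTACK__"   # hypothetical key: request carries any attack signal
FLAG_DURATION = 24 * 3600       # default flag lifetime from the page, in seconds


@dataclass(frozen=True)
class Alert:
    name: str
    signal: str                      # a signal name, or ANY_ATTACK for the system alerts
    threshold: int                   # signal-bearing requests needed within the interval
    interval: int                    # window in seconds
    action: str                      # "block" or "log"
    duration: int = FLAG_DURATION    # how long the IP stays flagged

    def __post_init__(self):
        # Per the page, an alert on an anomaly signal can only log.
        if self.signal in ANOMALY_SIGNALS and self.action != "log":
            raise ValueError(f"{self.name}: anomaly-signal alerts can only log")


# The page's system alerts, expressed in this model (thresholds and intervals from the table).
SYSTEM_ALERTS = [
    Alert("system-1m", ANY_ATTACK, 50, 60, "block"),
    Alert("system-10m", ANY_ATTACK, 350, 600, "block"),
    Alert("system-1h", ANY_ATTACK, 1800, 3600, "block"),
]


class IpFlagger:
    """Sliding-window counter that flags IPs according to the page's rules."""

    def __init__(self, alerts):
        # Lowest threshold, then smallest interval, is evaluated first.
        self.alerts = sorted(alerts, key=lambda a: (a.threshold, a.interval))
        self.events = defaultdict(deque)   # (ip, key) -> timestamps of matching requests
        self.flags = defaultdict(dict)     # ip -> {action: expiry timestamp}

    def _count(self, ip, key, now, interval):
        q = self.events[(ip, key)]
        while q and q[0] <= now - interval:   # drop events outside the window
            q.popleft()
        return len(q)

    def active_flags(self, ip, now):
        """Return the set of actions ("block"/"log") currently flagged for this IP."""
        flags = self.flags[ip]
        for action in [a for a, expiry in flags.items() if expiry <= now]:
            del flags[action]               # flag lifted after its duration
        return set(flags)

    def observe(self, ip, signals, now):
        """Record one request and return its disposition: "allow", "log" or "block".

        The request that crosses a threshold is itself still allowed; the flag
        applies to subsequent requests carrying attack signals.
        """
        signals = set(signals)
        is_attack = bool(signals & ATTACK_SIGNALS)
        active = self.active_flags(ip, now)

        # A "block" flag wins over a "log" flag; only attack-signal requests are affected.
        if is_attack and "block" in active:
            disposition = "block"
        elif is_attack and "log" in active:
            disposition = "log"
        else:
            disposition = "allow"

        # Count the request towards every key it matches. Requests carrying only
        # anomaly signals do not count towards the system (ANY_ATTACK) alerts.
        for key in signals | ({ANY_ATTACK} if is_attack else set()):
            self.events[(ip, key)].append(now)

        for alert in self.alerts:
            if alert.action in active:
                continue   # already flagged for this action type: no re-flag until lifted
            if self._count(ip, alert.signal, now, alert.interval) >= alert.threshold:
                self.flags[ip][alert.action] = now + alert.duration
                active.add(alert.action)
        return disposition


if __name__ == "__main__":
    # Constructed scenario: a custom "log 25 SQLi per minute" alert beside the system alerts.
    flagger = IpFlagger(SYSTEM_ALERTS + [Alert("sqli-log", "SQLI", 25, 60, "log")])
    for t in range(51):
        print(t, flagger.observe("10.0.0.5", {"SQLI"}, t))
```

In the constructed scenario, one SQLi request per second from a single IP is allowed for the first 25 requests, logged from the 26th once the custom alert has flagged the IP, and blocked from the 51st once the system 1-minute alert (50 attack requests) has flagged it as well, which is the "log at 25, still block at 50" behaviour the note above describes. Requests carrying only anomaly signals never advance the system counters, matching the note that they are not counted towards IP flagging thresholds.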