Alarm Notification

Overview

EdgeOne can push alarm notifications when security events are detected. You can subscribe to the notifications in the Message Center.
DDoS alarms: For DDoS attacks against the Enterprise DDoS mitigation plan (site access and layer-4 proxy services),
Web security monitoring rules: For security monitoring against web protection rules and bot protection rules, you can set a request condition threshold.

DDoS Attack Traffic Alarms

EdgeOne monitors the incoming traffic in real time, and cleanses traffic as soon as malicious attack traffic is detected.
Alarm notifications are pushed only for DDoS attacks against the Enterprise DDoS mitigation plan (site access and layer-4 proxy services). Other services currently don't support the DDoS attack traffic alarm feature.

Configuring DDoS alarm settings

1. Log in to the EdgeOne console, click the site list in the left menu bar, click the site to be configured, and enter the site details page.
2. On the site details page, click Security > Alarm Setting.

3. On the DDoS alarm page, adjust the default global DDoS attack alarm threshold for the current site: click Edit for the default alarm threshold, modify the threshold, and click Save. The Message Center pushes attack event notifications only when the attack rate exceeds the configured threshold.
Note:
The DDoS alarm page displays all configurable objects and their custom DDoS alarm thresholds, if set. For objects without a custom threshold, you can modify the Default alarm threshold.

4. On the DDoS alarm page, configure the alarm threshold for a security acceleration or layer-4 proxy business project.
Note:
We recommend that you adjust the threshold based on the attack frequency and history. The threshold is 100 Mbps by default and can be set as low as 10 Mbps.
4.1 Set a single alarm threshold
4.1.1 Select the target object and click Edit in the Custom threshold column. The threshold indicates the minimum attack rate above which the object will push DDoS attack notifications.

4.1.2 Modify the alarm threshold, click Save, and the custom threshold will be enabled automatically.
4.2 Batch set alarm thresholds
4.2.1 Select one or more objects and click Batch setting.

4.2.2 Toggle on the custom threshold switch, set the alarm threshold, and click OK.


Web Security Monitoring Rules

When processing requests, EdgeOne records requests that hit web security and bot management rules (including security rules configured in policy templates) to the web security logs.
Note:
Requests that hit a rule whose action is Allow are not logged.
Requests are counted per domain name: a web security monitoring rule counts the total number of rule-hit requests for a single domain name, and an alarm is generated when that count exceeds the alarm threshold.

Options of web security monitoring rules

Web security monitoring rules support flexible ranges of monitoring statistics and alarm settings. You can configure multiple monitoring rules to cover daily monitoring and alarm scenarios based on your security O&M needs.
Web security monitoring rules support the following options:
  • Rule name: Required. Take note of the following naming conventions:
    • It can contain only letters, digits, and underscores.
    • The character length must be less than 32.
    • It cannot start with an underscore.
  • Domain name: Required. Select the domain names to be monitored.
    • All hostnames: All domain names in the current site, including domain names that are added in the future.
    • Specified hostnames: The domain names that are selected from the site.
  • Monitor requests: Required. Select the statistical range for the requests, by action or by rule.
    • All matching requests: All requests that match the security rules are counted, except for those matching security rules whose action is Allow.
    • By action: Requests that match the web protection or bot management rules with the specified action are counted.
    • By rule: Requests that match the web protection or bot management rules are counted.
  • Alarm setting: Select the alarm condition. You can select the alarm frequency.
    • Static alarm: When the request count threshold is exceeded, alarm notifications are pushed at the specified frequency.
    • Alarm frequency: When the security rule satisfies the alarm condition, alarm notifications are pushed at the specified frequency.
Note:
If Alarm frequency is not selected, alarm notifications are pushed once every five minutes for each rule by default.
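
A local model of how the options above combine, for dry-running a threshold against exported web security log entries before saving a rule. This is an added example, not EdgeOne code: the event fields, the action labels other than Allow, the rule dictionary layout, and the five-minute counting window are assumptions.

```python
import re
from collections import Counter

# Naming rules from the options list: letters, digits and underscores only,
# fewer than 32 characters, not starting with an underscore (ASCII assumed).
RULE_NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9_]{0,30}")

def valid_rule_name(name):
    return RULE_NAME_RE.fullmatch(name) is not None

def evaluate(rule, events, window=300):
    """Return sorted (window_start, host, count) for every domain whose
    rule-hit count exceeds rule["threshold"] within one window (assumed 300 s)."""
    if not valid_rule_name(rule["name"]):
        raise ValueError("invalid rule name: %r" % rule["name"])
    counts = Counter()
    for ev in events:
        if ev["action"] == "Allow":      # Allow hits are not logged or counted
            continue
        if rule["hosts"] != "all" and ev["host"] not in rule["hosts"]:
            continue                     # "Specified hostnames" scope
        if rule.get("actions") and ev["action"] not in rule["actions"]:
            continue                     # "By action" scope
        if rule.get("rule_ids") and ev["rule_id"] not in rule["rule_ids"]:
            continue                     # "By rule" scope
        counts[(ev["ts"] // window * window, ev["host"])] += 1  # per domain
    return sorted((w, h, n) for (w, h), n in counts.items()
                  if n > rule["threshold"])

def _hits(host, action, rule_id, start, n):
    # Constructed sample log entries, one request per second from `start`.
    return [{"ts": start + i, "host": host, "action": action,
             "rule_id": rule_id} for i in range(n)]

SAMPLE_EVENTS = (
    _hits("www.example.com", "Deny", "r1", 0, 6)
    + _hits("www.example.com", "Allow", "r2", 10, 50)   # never counted
    + _hits("api.example.com", "Deny", "r1", 20, 3)
    + _hits("www.example.com", "Observe", "r3", 300, 5)
)

DENY_SPIKE = {"name": "deny_spike", "hosts": "all",
              "actions": {"Deny"}, "threshold": 5}
ALL_HITS = {"name": "all_hits", "hosts": {"www.example.com"}, "threshold": 4}

if __name__ == "__main__":
    for rule in (DENY_SPIKE, ALL_HITS):
        for start, host, n in evaluate(rule, SAMPLE_EVENTS):
            print(f"{rule['name']}: {host} window={start}s hits={n}")
```

Because counting is per domain, the three Deny hits on api.example.com never add to the six on www.example.com; a threshold tuned for the busiest hostname can leave quieter hostnames without alarms.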

Managing web security monitoring rules

1. Log in to the EdgeOne console, click the site list in the left menu bar, click the site to be configured, and enter the site details page.
2. On the site details page, click Security > Alarm Setting.
3. In the Web security monitoring rules card, click Set to create, delete, edit, enable, or disable a web security monitoring rule.


Create a web security monitoring rule

1. On the Web security monitoring rules page, click Add rule.

2. In the Create web security monitoring rule pop-up window, set the Rule name, Domain name, Monitor requests, and Alarm setting parameters, and click Save. The alarm condition takes effect immediately.

Edit a web security monitoring rule

1. On the Web security monitoring rules page, find the target rule and click Edit in the Operation column.
2. In the Edit web security monitoring rule pop-up window, modify the Rule name, Domain name, Monitor requests, and Alarm setting parameters, and click Save. The updated alarm condition takes effect immediately.

Delete a web security monitoring rule

Delete a single web security monitoring rule: On the Web security monitoring rules page, find the target rule and click Delete in the Operation column.

Batch delete web security monitoring rules: On the Web security monitoring rules page, select the target rules and click Delete.


Enable or disable a web security monitoring rule

Enable or disable a single web security monitoring rule: On the Web security monitoring rules page, select the target rule and toggle the switch in the On/Off column on or off.

Batch enable or disable web security monitoring rules: On the Web security monitoring rules page, select the target rules and click Enable or Disable.