Overview
EdgeOne can push alarm notifications when security events are detected. You can subscribe to the notifications in the Message Center.
DDoS alarms: For DDoS attacks against the Enterprise DDoS mitigation plan (site access and layer-4 proxy services),
Web security monitoring rules: For security monitoring against web protection rules and bot protection rules, you can set a request condition threshold.
DDoS Attack Traffic Alarms
EdgeOne monitors the incoming traffic in real time, and cleanses traffic as soon as malicious attack traffic is detected.
Alarm notifications are pushed only for DDoS attacks against the Enterprise DDoS mitigation plan (site access and layer-4 proxy services). Currently, other businesses don't support the DDoS attack traffic alarming feature.
Configuring DDoS alarm settings
1. Log in to the EdgeOne console, click the site list in the left menu bar, click the site to be configured, and enter the site details page.
2. On the site details page, click Security > Alarm Setting.
3. On the DDoS alarm page, adjust the default global DDoS attack alarm threshold for the current site. The Message Center pushes attack event notifications only when the attack rate exceeds the configured threshold. To do so, click Edit of the default alarm threshold, modify the threshold, and click Save.
Note:
The DDoS alarm page displays all objects that can be configured, together with their custom DDoS alarm thresholds if you have set any. For objects without a custom threshold, you can modify the Default alarm threshold.
4. On the DDoS alarm page, configure the alarm threshold for a security acceleration or layer-4 proxy business project.
Note:
We recommend you adjust the threshold based on the attack frequency and history. The threshold is 100 Mbps by default and can be adjusted to 10 Mbps at the minimum.
4.1 Set a single alarm threshold
4.1.1 Select the target object and click Edit in the Custom threshold column. The threshold indicates the minimum attack rate above which the object will push DDoS attack notifications.
4.1.2 Modify the alarm threshold, click Save, and the custom threshold will be enabled automatically.
4.2 Batch set alarm thresholds
4.2.1 Select one or more objects and click Batch setting.
4.2.2 Toggle on the custom threshold switch, set the alarm threshold, and click OK.
Web Security Monitoring Rules
When processing requests, EdgeOne records requests that hit web security and bot management rules (including security rules configured in policy templates) to the web security logs.
Note:
Requests that hit a rule whose action is Allow are not logged.
Requests are counted by the domain name. Alarms are generated when the request count exceeds the alarm threshold.
The web security monitoring rule counts the total number of rule-hit requests from a single domain name. When the rule-hit request count exceeds the threshold, an alarm is generated.
Options of web security monitoring rules
Web security monitoring rules support flexible ranges of monitoring statistics and alarm settings. You can configure multiple monitoring rules to cover daily monitoring and alarm scenarios based on your security O&M needs.
Web security monitoring rules support the following options:
Rule name: Required. Take note of the following naming conventions:
It can contain only letters, digits, and underscores.
The character length must be less than 32.
It cannot start with an underscore.
Domain name: Required. Select the domain names to be monitored.
All hostnames: Including all domain names in the current site and the domain names that are to be added in the future.
Specified hostnames: The domain names that are selected from the site.
Monitor requests: Required. You can select a statistical range for the requests by processing method or rule.
All matching requests: All requests that match the security rules are counted, except for those matching the security rules with the action being Allow.
By action: Requests that match the web protection or bot management rules with the specified action are counted.
By rule: Requests that match the web protection or bot management rules are counted.
Alarm setting: Select the alarm condition. You can select the alarm frequency.
Static alarm: When the request count threshold is exceeded, alarm notifications are pushed at the specified frequency.
Alarm frequency: When the security rule satisfies the alarm condition, alarm notifications are pushed at the specified frequency.
Note:
If Alarm frequency is not selected, alarm notifications are pushed once every five minutes for each rule by default.
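To estimate how a monitoring rule with the options above would behave before you create it, the following added example (not EdgeOne code) replays exported rule-hit records through the documented counting logic for one statistics window; notification frequency is not modelled. The record fields (`host`, `action`, `rule_id`), the action names other than Allow, the window, and treating "By rule" as a set of selected rule IDs are assumptions.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Naming rules from the page: letters, digits, underscores; shorter than 32
# characters; no leading underscore.
NAME_RE = re.compile(r"(?!_)[A-Za-z0-9_]{1,31}")

@dataclass(frozen=True)
class MonitorRule:
    name: str
    threshold: int                       # rule-hit request count threshold
    scope: str = "all"                   # "all", "action" or "rule"
    selected: frozenset = frozenset()    # actions or rule IDs for the scope
    hostnames: frozenset = frozenset()   # empty set models "All hostnames"

    def __post_init__(self):
        if not NAME_RE.fullmatch(self.name):
            raise ValueError(f"invalid rule name: {self.name!r}")

    def counts(self, rec):
        if rec["action"] == "Allow":     # Allow hits are never logged
            return False
        if self.hostnames and rec["host"] not in self.hostnames:
            return False
        if self.scope == "action":
            return rec["action"] in self.selected
        if self.scope == "rule":
            return rec["rule_id"] in self.selected
        return True                      # "All matching requests"

def alarms(rule, records):
    """Per-domain hit counts that exceed the rule's threshold."""
    hits = Counter(r["host"] for r in records if rule.counts(r))
    return {host: n for host, n in hits.items() if n > rule.threshold}

# Constructed records for one statistics window (not real EdgeOne log output).
SAMPLE = (
    [{"host": "shop.example.com", "action": "Deny", "rule_id": "waf_1"}] * 6
    + [{"host": "shop.example.com", "action": "Observe", "rule_id": "bot_7"}] * 3
    + [{"host": "shop.example.com", "action": "Allow", "rule_id": "allow_1"}] * 50
    + [{"host": "api.example.com", "action": "Deny", "rule_id": "waf_1"}] * 2
)

if __name__ == "__main__":
    print(alarms(MonitorRule("all_hits", 5), SAMPLE))
    print(alarms(MonitorRule("deny_only", 5, "action", frozenset({"Deny"})), SAMPLE))
```

Running the same records through several candidate thresholds shows which domains would have alarmed, which helps pick a value that is neither silent nor noisy.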
Managing web security monitoring rules
1. Log in to the EdgeOne console, click the site list in the left menu bar, click the site to be configured, and enter the site details page.
2. On the site details page, click Security > Alarm Setting.
3. In the Web security monitoring rules card, click Set to create, delete, edit, enable, or disable a web security monitoring rule.
Create a web security monitoring rule
1. On the Web security monitoring rules page, click Add rule.
2. In the Create web security monitoring rule pop-up window, set the Rule name, Domain name, Monitor requests, and Alarm setting parameters, and click Save. The alarm condition takes effect immediately.
Edit a web security monitoring rule
1. On the Web security monitoring rules page, find the target rule and click Edit in the Operation column.
2. In the Edit web security monitoring rule pop-up window, modify the Rule name, Domain name, Monitor requests, and Alarm setting parameters, and click Save. The updated alarm condition takes effect immediately.
Delete a web security monitoring rule
Delete a single web security monitoring rule
On the Web security monitoring rules page, find the target rule and click Delete in the Operation column.
Batch delete web security monitoring rules
On the Web security monitoring rules page, select the target rules and click Delete.
Enable or disable a web security monitoring rule
Enable or disable a single web security monitoring rule
On the Web security monitoring rules page, select the target rule and toggle on or off the switch in the On/Off column.
Batch enable or disable web security monitoring rules
On the Web security monitoring rules page, select the target rules and click Enable or Disable.