Alert components

An alert consists of three major components that require your configuration: a filter, a threshold, and settings.

Filter

Filters help you target your alert at specific attack traffic. Alerts support the following dimensions:

  • Action Applied
  • Attack Type
  • Bot Category
  • Client Reputation Category
  • Client Reputation Profile
  • Connecting Country/Area
  • Connecting IP
  • Custom Rule ID
  • DoS Category
  • DoS Rule ID
  • Hostname
  • Network List Name
  • Path
  • Policy ID
  • Status Code
  • WAF Attack Group
  • WAF Rule ID
  • Query

Threshold

An alert threshold determines the conditions under which the alert triggers. To reach a threshold, a number of requests must meet the filter conditions within a time window, and this must happen continuously over a number of intervals. For example, 10 requests have to meet the filter conditions within 5 minutes in three 5-minute intervals.

There are two types of threshold you can set:

  • Predefined: Lets you select a sensitivity level (Low, Medium, or High) and enter the request threshold. The alert triggers when that threshold is exceeded within the time and occurrence limits of the selected sensitivity level.

  • Advanced: Lets you specify custom time and occurrence settings.

To calculate the threshold, first determine the appropriate number of requests for a selected interval. This is often defined as peacetime, that is, a period without outstanding attacks.

You can have up to 6 intervals in a threshold, but be aware that the more you have, the longer it can take for the alert to trigger, depending on the time you enter. For example, if your settings are 3 minutes and 6 intervals, it could take up to 18 minutes for the alert to trigger.

When you set a duration during the threshold configuration, the metric on the chart automatically adjusts to reflect that duration.
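The threshold logic described above, as an added example (not Akamai's code or how WSA is implemented): it counts filter-matching requests per interval, finds when the required run of intervals is reached, and derives a peacetime peak to size the threshold. The function names, the fixed windows aligned to t=0, and treating a window as qualifying when its count is at or above the threshold are assumptions; the timestamps are constructed.

```python
from collections import Counter

MAX_INTERVALS = 6  # the page states a threshold can have up to 6 intervals


def bucket_counts(timestamps, window_s):
    """Count matching requests per fixed window; window 0 starts at t=0."""
    counts = Counter(int(t // window_s) for t in timestamps)
    last = max(counts) if counts else -1
    return [counts.get(i, 0) for i in range(last + 1)]


def first_trigger(timestamps, window_s, threshold, intervals):
    """Return seconds from t=0 at which the alert would trigger, or None.

    Assumption: a window qualifies when its count is >= threshold, and the
    alert triggers at the end of the last of `intervals` consecutive
    qualifying windows.
    """
    if not 1 <= intervals <= MAX_INTERVALS:
        raise ValueError("intervals must be between 1 and 6")
    streak = 0
    for i, n in enumerate(bucket_counts(timestamps, window_s)):
        streak = streak + 1 if n >= threshold else 0  # a quiet window resets the run
        if streak == intervals:
            return (i + 1) * window_s
    return None


def peacetime_peak(timestamps, window_s):
    """Highest per-window count in a sample taken without attacks."""
    return max(bucket_counts(timestamps, window_s), default=0)


# Constructed sample: seconds at which a request met the filter conditions.
WINDOW = 300  # 5 minutes
BURST = [w * WINDOW + k * 20 for w in (0, 1) for k in range(12)]  # 2 busy windows
QUIET = [2 * WINDOW + 10]  # a single request in window 2
SUSTAINED = [w * WINDOW + k * 20 for w in (3, 4, 5) for k in range(12)]  # 3 busy windows
SAMPLE = BURST + QUIET + SUSTAINED

if __name__ == "__main__":
    # The short burst alone never triggers; the sustained run does.
    print(first_trigger(BURST, WINDOW, threshold=10, intervals=3))
    print(first_trigger(SAMPLE, WINDOW, threshold=10, intervals=3))
    print(peacetime_peak(QUIET, WINDOW))
```

A two-interval burst followed by a quiet interval does not trigger a three-interval alert, which is why adding intervals reduces noise at the cost of a longer time to trigger.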

Settings

Alert settings refer to these properties:

  • Alert name. The name of the alert. It can be up to 50 characters long. It's best to provide a meaningful name for future reference.

  • Alert description. The description of the alert. It's best to provide a meaningful description for future reference.

  • Send to. The addresses where WSA sends an email notification each time the alert triggers.

  • Enable alert. Alerts can be either enabled or disabled. Only enabled alerts are evaluated and triggered by requests. Enabled alerts also count towards your alert quota.

    You can have 10 customer-owned and 10 Akamai-owned alerts per security configuration, so there can be up to 20 alerts in total. Your current quota count is available at the bottom of the left-hand column on the alert configuration page.

  • Send to SOCC. Whether the alert should be sent to Akamai SOCC for analysis. This property is read-only and serves an informational purpose.

  • Priority. You can assign a priority of high, medium, or low to each alert. You can see what your alerts' priorities are by the color code that accompanies each one:

    High

    Medium

    Low

    The priority assignment is for your use only and doesn't affect how the system processes alerts. If an alert has been triggered, its color-code box contains the number of trigger occurrences.

  • Owner. There are two types of alert ownership: alerts you manage yourself and alerts Akamai manages. Akamai-owned alerts are denoted by an icon and only Akamai can change them. Both you and Akamai can change customer-owned alerts. This property is read-only and serves an informational purpose.