Alert components

An alert consists of three major components that require your configuration: a filter, a threshold, and settings.

Filter

Filters let you target your alert at specific attack traffic. Alerts support the following dimensions:

  • Action Applied
  • API Key
  • API Operation Purpose
  • Attack Group
  • Attack Type
  • Bot - Rule ID
  • Bot Category
  • Bot Score
  • Botnet ID
  • Classification
  • Client/Network Lists
  • Connecting AS Number
  • Connecting Country/Area
  • Connecting IP Address
  • Connecting IP Address CIDR
  • Custom Rules - Match
  • Custom Rules - Message
  • Custom Rules - Rule ID
  • Custom Rules - Selector
  • Custom Rules - Tag
  • Device Browser Type
  • Device ID
  • Device OS
  • Domain
  • DoS - Rule ID
  • DoS Category
  • End User AS Number
  • End User IP Address
  • File Hash
  • File Type
  • Hostname
  • Indicator Name
  • Indicator Type
  • Malware Protection - Rule ID
  • Method
  • Native Mobile App Version
  • Path
  • Policy
  • Query
  • Referer
  • Reputation Category
  • Reputation Profile
  • SDK Version
  • Status Code
  • User ID
  • User Risk Level
  • User Risk Response Segment
  • User Risk Score
  • User Score Status
  • User-Agent
  • WAF - Evaluation
  • WAF - Group Evaluation
  • WAF - Match
  • WAF - Rule ID
  • WAF - Selector

Threshold

An alert threshold determines the conditions under which the alert triggers. To reach a threshold, a number of requests must meet the filter conditions within a time window, and this must happen in a number of consecutive intervals. For example, 10 requests have to meet the filter conditions within 5 minutes, in three consecutive 5-minute intervals.

There are two types of threshold you can set:

  • Predefined Sensitivity: Lets you select a sensitivity level (Low, Medium, or High) and enter the number of requests that triggers the alert once it's exceeded within the selected sensitivity level's time and occurrence limits.

  • Advanced Sensitivity: Lets you specify custom time and occurrence settings.

To calculate the threshold, first determine the normal number of requests for the selected interval. This baseline is usually measured during peacetime, that is, a period without notable attacks.

You can have up to 6 intervals in a threshold, but be aware that the more you have, the longer it can take for the alert to trigger, depending on the time you enter. For example, if your settings are 3 minutes and 6 intervals, it could take up to 18 minutes for the alert to trigger.

Additionally, you can count requests grouped by a selected dimension:

  • Connecting IP Address
  • Connecting Country/Area
  • Hostname
  • Path
  • Referer
  • Policy
  • Status Code

Note: When you set a duration during the threshold configuration, the metric on the chart automatically adjusts to reflect that duration.
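The threshold logic described above, applied to constructed traffic as an added illustration (this is not Akamai's code or the product's implementation). It assumes a request is a dict carrying an epoch timestamp and the alert dimensions, a filter is a map from dimension to accepted values, and the page's example setting of 10 requests per 5-minute window in three consecutive windows, grouped by Connecting IP Address.

```python
# Added illustration, not Akamai's code: evaluating a WSA-style threshold offline.
# Assumed model: a request is a dict with epoch timestamp "ts" plus alert dimensions,
# a filter maps a dimension to its accepted values, and the alert fires when
# `min_requests` matches land in each of `intervals` consecutive `window_seconds` windows.
from collections import Counter, defaultdict

def matches(request, filt):
    """True when every filter dimension holds an accepted value."""
    return all(request.get(dim) in accepted for dim, accepted in filt.items())

def bucket_counts(requests, filt, window_seconds, group_by=None):
    """Matching requests per fixed window, keyed by group value ("*" = ungrouped)."""
    counts = defaultdict(Counter)
    for req in requests:
        if matches(req, filt):
            key = req.get(group_by, "?") if group_by else "*"
            counts[key][req["ts"] // window_seconds] += 1
    return counts

def triggered_groups(requests, filt, min_requests, window_seconds, intervals, group_by=None):
    """Group values that reached min_requests in `intervals` consecutive windows."""
    assert 1 <= intervals <= 6, "WSA allows at most 6 intervals per threshold"
    hits = []
    for key, per_window in bucket_counts(requests, filt, window_seconds, group_by).items():
        run = 0  # current streak of qualifying windows; an empty window resets it
        for w in range(min(per_window), max(per_window) + 1):
            run = run + 1 if per_window.get(w, 0) >= min_requests else 0
            if run >= intervals:
                hits.append(key)
                break
    return hits

def sample_requests():
    """Constructed traffic: 15 minutes split into three 5-minute windows."""
    reqs = []
    for window in range(3):
        base = window * 300
        # source A: 10 blocked requests in every window -> three consecutive hits
        reqs += [{"ts": base + 20 * i, "Status Code": "403", "Path": "/login",
                  "Connecting IP Address": "192.0.2.10"} for i in range(10)]
        # source B: bursts in windows 0 and 2 only -> the streak is broken
        reqs += [{"ts": base + 10 * i, "Status Code": "403", "Path": "/api",
                  "Connecting IP Address": "198.51.100.7"} for i in range(12 if window != 1 else 4)]
        # ordinary traffic the filter ignores
        reqs += [{"ts": base + 30 * i, "Status Code": "200", "Path": "/",
                  "Connecting IP Address": "203.0.113.5"} for i in range(8)]
    return reqs

def evaluate_sample(group_by="Connecting IP Address"):
    return triggered_groups(sample_requests(), {"Status Code": {"403"}}, 10, 300, 3, group_by)
```

Grouping matters: counted per source IP only 192.0.2.10 fires, while the ungrouped count (22, 14, 22 blocked requests per window) fires on the combined traffic.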

Settings

Alert settings refer to these properties:

  • Alert name. The name of the alert. It can be up to 50 characters long. It's best to provide a meaningful name for future reference.

  • Alert description. The description of the alert. It's best to provide a meaningful description for future reference.

  • Send Email to. The addresses where WSA sends an email notification each time the alert triggers.

  • Enable alert. Alerts can be either enabled or disabled. Only enabled alerts are evaluated and triggered by requests. Enabled alerts also count towards your alert quota.

    Note: You can have 10 customer-owned and 10 Akamai-owned alerts per security configuration, so there can be up to 20 alerts in total. Your current quota count is available at the bottom of the left-hand column on the alert configuration page.

  • Send to SOCC. Whether the alert should be sent to Akamai SOCC for analysis. This property is read-only and serves an informational purpose.

  • Priority. You can assign a priority of high, medium, or low to each alert. Each alert's priority is shown by the color-coded box (High, Medium, or Low) that accompanies it.

    The priority assignment is for your use only and doesn't affect how the system processes alerts. If an alert has been triggered, its color-code box contains the number of trigger occurrences.

  • Owner. There are two types of alert ownership: alerts you manage yourself and alerts that Akamai manages. Akamai-owned alerts are denoted by an icon, and only Akamai can change them. Both you and Akamai can change customer-owned alerts. This property is read-only and serves an informational purpose.