Create an alert

You create alerts so you can:

  • know an attack is occurring and take action to stop it
  • respond quickly

You create an alert by configuring its filter, threshold, and settings.

📘

You can have up to 10 customer-owned and 10 Akamai-owned alerts per security configuration, which makes up to 20 alerts in total. You can see your current quota count at the bottom of the left-hand column on the alert setup page.

  1. In Web Security Analytics, go to the banner at the top of the page and select the security configuration.

  2. Click the Statistics header.

  3. On the upper right of the screen, click Alerts.

  4. In the panel on the left, in the header, click add alert. To create an alert:

    • based on a predefined template, select the template from the menu.
    • from scratch, select New Alert.

Set up an alert filter

You can use filters to target your alert on specific attack vectors.

  1. Select the Filter tab.

  2. On the upper right of the screen, click Filters and set the data filter for the traffic you want to see.

    For example, say you want to know when a web application security firewall rule violation triggers a Deny action. Under Common, select Attack Type matches WAF and then add another filter selecting Common > Action Applied matches Deny.

    Click Save to apply the filter.

  3. Click Copy Filter below to Alert to copy the filter information to the alert's Filter.

Set up an alert threshold

The alert threshold lets you set the conditions under which the alert triggers.

  1. Click the Threshold tab.

    📘

    A current display bug causes both threshold options to display at the same time, but you can still select only the option you want.

  2. Set your threshold management preference by selecting one of the following options:

    • Predefined lets you get help from Akamai to handle the details. You just select a sensitivity level (Low, Medium, or High) based on your appetite for notifications (higher sensitivity generates more alerts). If you select this option, DO NOT enter additional values in the REQUESTS, DURING, or AFTER fields. They appear due to a temporary display bug.
    • Advanced lets you set a custom threshold. To calculate the threshold, first determine the usual number of requests for a selected time period during normal traffic, in other words while you're not under attack. Based on that number, set the threshold you want to be alerted about by entering:
      • Requests. Enter a number of requests that's higher than usual, which may be a sign of attack.
      • During. Enter the time window, in minutes, within which that number of requests occurs.
      • Occurrence. Enter the number of times you want the Requests/During combination to occur before you get an alert.


        For example, you might specify that 10,000 requests or more within 3 minutes, occurring 3 times (which takes a total of 9 minutes) would trigger an alert.
  3. Optional: You can group the request count by one or more dimensions: Connecting IP Address, Connecting Country/Area, Hostname, Path, Policy, Status Code, and Attack Type.
    When you group requests by dimension, threshold conditions become more specific. For example, if you group by hostname and specify a threshold of 10,000, the associated alert would trigger only if more than 10,000 requests hit hostname A within 3 minutes, occurring three times. Any requests that hit hostname B won't count toward the alert threshold. To group by dimension, on the far right side of the Threshold section, click the vertical Count requests grouped by the following dimensions ribbon, and click the edit (pencil) icon to select a dimension.
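
To see how Requests, During, Occurrence, and grouping interact before you commit values, the following added example (not Akamai code) replays constructed request counts through a model of an Advanced threshold. It assumes fixed, aligned windows, that a window qualifies at Requests or more, and that the qualifying windows must be consecutive; the record fields ts, hostname, and n are hypothetical.

```python
from collections import defaultdict

def window_counts(events, during_min, group_by=()):
    """Sum request counts per group and per fixed window of during_min minutes."""
    counts = defaultdict(lambda: defaultdict(int))
    for e in events:
        group = tuple(e[d] for d in group_by)      # () when not grouping
        counts[group][e["ts"] // (during_min * 60)] += e.get("n", 1)
    return counts

def evaluate(events, requests, during_min, occurrence, group_by=()):
    """Return {group: index of the window in which the alert would trigger}.

    Assumed semantics: a window counts when it has >= `requests` requests,
    and `occurrence` such windows must follow each other without a gap.
    """
    fired = {}
    for group, per_window in window_counts(events, during_min, group_by).items():
        streak = 0
        for w in range(min(per_window), max(per_window) + 1):
            streak = streak + 1 if per_window.get(w, 0) >= requests else 0
            if streak == occurrence:
                fired[group] = w
                break
    return fired

def sample(host, per_window):
    """Constructed data: one pre-aggregated record per 3-minute window."""
    return [{"ts": i * 180, "hostname": host, "n": n} for i, n in enumerate(per_window)]

SAMPLE = (sample("a.example.com", [12000, 12000, 4000, 12000, 12000, 12000])
          + sample("b.example.com", [7000] * 6))

if __name__ == "__main__":
    # Ungrouped: both hostnames add up, so windows 0-2 already qualify.
    print(evaluate(SAMPLE, 10000, 3, 3))
    # Grouped by hostname: only a.example.com qualifies, and its dip resets the run.
    print(evaluate(SAMPLE, 10000, 3, 3, group_by=("hostname",)))
```

Running the same records with and without grouping shows whether a threshold tuned on total traffic would still trigger once a dimension is added.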

Configure alert settings

Settings include general properties and are also where you turn alerts on and off.

  1. Select the Settings tab.

  2. Select the desired Priority of the email notifications (Low, Medium, or High).

    Priority doesn't affect how the system processes alerts; it is for your informational use.

  3. Enter an Alert Name and, if you want, an Alert Description.

    Ensure these two fields are descriptive and meaningful. Both the name and the description are visible in the user interface and alert notification emails.

  4. If you want, enter the email addresses (Send Email to) to get a notification when an alert is triggered.

    📘

    If you need to send an alert notification to many recipients, use a mailing list rather than individual addresses.

  5. If you want to turn on the alert right away, on the upper left of the settings window, click the Disabled slider button to change it to Enabled, which means ON.

    Alert ownership is a read-only property that serves an informational purpose.

  6. Click Save.

    📘

    What about owner?

    There are two types of alert ownership, those you manage yourself as Akamai's customer, and those Akamai manages. Akamai-owned alerts are denoted by an icon and only Akamai can change them. Both you and Akamai can change your (customer-owned) alerts.