Application security alert rules

更新时间:
复制 MD 格式

When an Application Security alert rule is triggered, the system sends an alert notification to the specified contacts or DingTalk groups. This helps you take prompt action to protect your applications.

Create an alert rule

  1. Log on to the ARMS console.

  2. In the left-side navigation pane, choose Application Security > Application Security Alert Rules. Then, in the top menu bar, select a region.

  3. On the Application Security Alert Rules page, click Create Application Security Alert Rule.

  4. On the Create Application Security Alert Rule page, configure the required parameters and click Save.

    Note
    • If you click Save, you remain on the alert rule creation page.

    • If you click Complete, you return to the alert rule list page.

    Parameter

    Description

    Alert Rule Name

    A custom name for the Application Security alert rule.

    Alarm Group

    The default alert contact group for Application Security is Security Alert Metric Group and cannot be modified.

    Alert metric

    The metric that triggers an alert. Currently, Application Security supports only the Number of Attacks alert metric.

    Alert Condition

    The condition based on the number of attacks that triggers an alert. For example, an alert is sent when the number of attacks is greater than or equal to 1.

    Filter Condition

    Specify the scope of applications to which the alert rule applies. An alert is generated for any application that meets both the filter conditions and the alert condition.

    Valid filter conditions include:

    • Traverse: The alert rule applies to all applications that are connected to Application Security. This is the default filter condition.

    • Equal To: After you select this condition, enter a specific application name. The alert rule applies only to that application. You cannot specify multiple application names.

    • Not Equal To: After you select this condition, enter a specific application name. The alert rule applies to all applications except the specified one. You cannot specify multiple application names.

    • Match Regular Expression: After you select this condition, enter a regular expression to match application names. The alert rule applies to all applications whose names match the expression.

    • Do Not Match Regular Expression: After you select this condition, enter a regular expression to match application names. The alert rule filters out all applications that match the regular expression.

    Note

    After you configure the filter conditions, the Data Preview area appears and displays the corresponding alert settings and the actual metrics of the selected application as a time-series curve. When the filter condition is Traverse, the Data Preview area displays the metrics of the relevant applications by default. You can select a target application and a time range in the filter box of the area to display the data.

    Data Preview

    Displays the values of the monitored metric for the current alert rule configuration as time-series curves.

    Duration

    The period for which the alert condition must be continuously met to trigger an alert. For example, if you set the duration to 1 minute, an alert is triggered only if the condition is met for one consecutive minute.

    Alert Level

    The severity level for the alert. The default level is Default. The severity increases from P4, P3, P2, to P1.

    Alert Message

    The alert message that recipients receive. You can customize this message. The default alert message is Application name: {{$labels.appName}} is under Application Security attack. Current value: {{$value}}..

    Alert notification

    • Simple mode: Specify the notification method by configuring the Notification Object, Notification Period, and Repeat Policy parameters. For information about how to create a notification object, see Notification objects.

    • Advanced mode: Specify the notification method by configuring a Notification Policy. To learn how to create a notification policy, see Notification policies.

      • Do not specify a notification policy: If you select this option, you can create a new notification policy on the Notification Policies page after you create the alert rule. In the notification policy, you can specify matching rules and conditions, such as the alert rule name, to match this alert rule. When an alert event is triggered by this rule, the alert message is sent to the contact or contact group specified in the notification policy. For more information, see Notification policies.

        When you create a notification policy, you can set Data Source to Application Security. The notification policy then matches only alerts generated by Application Security.

      • Specify a notification policy: If you select this option, a matching rule is automatically added to the selected notification policy. The matching rule uses the alert rule ID (displayed as the alert rule name) to ensure that alert events generated by the current alert rule are matched by the selected notification policy.

    Advanced Settings

    Alert check interval

    The interval at which the system checks if data meets the alert condition. The default and minimum value is 1 minute.

    Tags

    The tags for the alert. These can be used as options for matching rules in a notification policy.

    Annotations

    The annotations for the alert.

Manage alert rules

Your Application Security alert rules are listed on the Application Security > Application Security Alert Rules page. From this page, you can start, stop, edit, delete, and view the alert history for these rules.

  1. Log on to the ARMS console.

  2. In the left-side navigation pane, choose Application Security > Application Security Alert Rules. Then, in the top menu bar, select a region.

  3. Optional: On the Application Security Alert Rules page, enter an alert name in the search box and click the search icon.

    Note

    You can enter part of an alert name to perform a fuzzy search.

  4. In the Actions column for the target alert rule, perform one of the following operations:

    • To edit an alert rule, click Edit. On the Edit Application Security Alert Rule page, modify the rule and click Save.

    • To delete an alert rule, click Delete. In the Note dialog box that appears, click Confirm.

    • To start a stopped alert rule, click Start. In the Note dialog box that appears, click Confirm.

    • To stop a running alert rule, click Stop. In the Note dialog box that appears, click Confirm.

    • To view the alert event history, click Alert History. On the Alert Event History page, view the relevant records.