Using LTS to Configure Block Alarms for WAF Rules

After you authorize WAF to access Log Tank Service (LTS), you can use the attack logs recorded by LTS for quick and efficient real-time analysis, device O&M management, and analysis of service trends.

This topic walks you through how to enable LTS quick analysis for WAF attack logs and configure alarm rules to analyze WAF attack logs and generate alarms. In this way, you can gain insight into the protection status of your workloads in WAF in real time and make informed decisions.

Prerequisites

You have connected the website you want to protect to WAF.
You have enabled WAF attack log stream in LTS.
You have enabled Simple Message Notification (SMN).

Quickly Analyzing Rule Block Logs

Log in to the management console.
Click in the upper left corner of the management console and select a region or project.
Click in the upper left corner of the page and choose Management & Governance > Log Tank Service.
In the log group list, expand the WAF log group and choose log stream attack.
On the log stream details page, click in the upper right corner. On the page displayed, click the Cloud Structured Parsing tab.
Select JSON for log structuring. Then, click Select from existing events and select a log in the dialog box displayed on the right.
Click Intelligent Extraction to find the fields you want to analyze quickly. Enable these fields in the Quick Analysis column. After this, you can collect and analyze periodic logs.
Find the category field, click in the Alias column, change the field name, and click to save the settings.

There is already a built-in category field in the system so you need to change the alias name of the category field, or your settings cannot be saved.
In the lower right corner of the list, click Save. LTS quickly analyzes and collects statistics on logs in the specified period.
In the navigation pane, choose Visualization. On the right pane, select a log query time range, enter an SQL statement in the search box, and click Query.

You can group logs by rule and URI. Enter the following SQL statement in the search box to query logs of a specified rule:

select rule, uri, count(*) as cnt where action = 'block' group by rule, uri order by cnt desc

Creating an Alarm Rule

Click in the upper left corner of the page and choose Management & Governance > Log Tank Service.
In the navigation pane on the left, choose Alarms > Alarm Rules.

Click Create. In the dialog box displayed on the right, specify related parameters. Table 1 describes the parameters.

**Table 1** Parameter description
Parameter	Description	Example Value
Rule Name	Name of the custom rule	WAF alarms
Statistics	Select By SQL.	By SQL
Charts	Click Configure from Scratch. Specify Log Group Name and Log Stream Name. Query Time Range: Time range for log statistics Query Statement: Enter the SQL statement configured in 10, for example, *select rule,uri,count() as cnt where action='block' group by rule,uri order by cnt desc**.	None
Query Frequency	Frequency which triggers alarms Generally, a fixed custom interval of 5 minutes is selected.	Custom interval 5 minutes
Conditional Expression	Alarm threshold	cnt>5
Alarm Severity	Select an alarm severity based on the blocking emergency of the rule. The options are critical, major, minor, and info.	Major
Send Notification	Select Yes.	Yes
SMN Topic	Select a topic from the drop-down list or create a topic. For details about topics and subscriptions, see the Simple Message Notification User Guide.	None
Time Zone/Language	You can modify the language and time zone for receiving messages.	None
Message Templates	Select an existing template from the drop-down list box or click Create Message Template and create a template.	sql_template