Alerts
The WAF provides two types of alerts that inform you of any spikes in security events:
- Security Events Alert: Alerts about spikes across all services that generate log entries in Security Events.
- Advanced Security Events Alert: Similar to Security Events Alert with support for additional filtering options.
For details on alert types and their availability, refer to Alert types.
To receive WAF alerts, you must configure a notification. Notifications help you stay up to date with your Cloudflare account through email, PagerDuty, or webhooks, depending on your Cloudflare plan.
For instructions on how to set up a notification for a WAF alert, refer to Create a Notification.
WAF alerts use a static threshold together with a z-score ↗ calculation over the last six hours and five-minute buckets of events. An alert is triggered whenever the z-score value is above 3.5 and the spike crosses a threshold of 200 security events. You will not receive duplicate alerts within the same two-hour time frame.
Advanced Security Events Alert
Who is it for?Enterprise customers who want to receive alerts about spikes in specific services that generate log entries in Security Events. For more information, refer to WAF alerts.
Other options / filtersA mandatory filters
selection is needed when you create a notification policy which includes the list of services and zones that you want to be alerted on.
- You can search for and add domains from your list of Enterprise zones.
- You can choose which services the alert should monitor (Managed Firewall, Rate Limiting, etc.).
- You can filter events by a targeted action.
Enterprise plans.
What should you do if you receive one?Review the information in Security Events to identify any possible attack or misconfiguration.
Additional informationThe mean time to detection is five minutes.
This alert will look for spikes across all services that generate log entries in security/firewall events.
LimitationsSecurity Events (WAF) alerts are not sent for each individual events, but only when a spike in traffic reaches the threshold for an alert to be sent.
These thresholds cannot be configured. Z-score is used to determine the threshold.
Security Events Alert
Who is it for?Business and Enterprise customers who want to receive alerts about spikes across all services that generate log entries in Security Events. For more information, refer to WAF alerts.
Other options / filtersA mandatory filters
selection is needed when you create a notification policy which includes the list of zones that you want to be alerted on.
- You can also search for and add domains from your list of business or enterprise zones. The notification will be sent for the domains chosen.
- You can filter events by a targeted action.
Business and Enterprise plans.
What should you do if you receive one?Review the information in Security Events to identify any possible attack or misconfiguration.
Additional informationThe mean time to detection is two hours.
When setting up this alert, you can select the services that will be monitored. Each selected service is monitored separately.
LimitationsSecurity Events (WAF) alerts are not sent for each individual events, but only when a spike in traffic reaches the threshold for an alert to be sent.
These thresholds cannot be configured. Z-score is used to determine the threshold.