Cloudflare Docs
WAF
Edit this page on GitHub
Set theme to dark (⇧+D)

WAF alerts

The WAF provides two types of alerts that inform you of any spikes in security events:

  • Security Events Alert: Alerts about spikes across all services that generate log entries in Security Events.
  • Advanced Security Events Alert: Similar to Security Events Alert with support for additional filtering options.

For details on alert types and their availability, refer to Alert types.

To receive WAF alerts, you must configure a notification. Notifications help you stay up to date with your Cloudflare account through email, PagerDuty, or webhooks, depending on your Cloudflare plan.

​​ Set up a notification for WAF alerts

For instructions on how to set up a notification for a WAF alert, refer to Create a Notification.


​​ Alert logic

WAF alerts use a static threshold together with a z-score calculation over the last six hours and five-minute buckets of events. An alert is triggered whenever the z-score value is above 3.5 and the spike crosses a threshold of 200 security events. You will not receive duplicate alerts within the same two-hour time frame.

​​ Alert types

Advanced Security Events Alert

Who is it for?

Enterprise customers who want to receive alerts about spikes in specific services that generate log entries in Security Events. For more information, refer to WAF alerts.

Other options / filters

A mandatory filters selection is needed when you create a notification policy which includes the list of services and zones that you want to be alerted on.

  • You can search for and add domains from your list of Enterprise zones.
  • You can choose which services the alert should monitor (Managed Firewall, Rate Limiting, etc.).
  • You can filter events by a targeted action.

Included with

Enterprise plans.

What should you do if you receive one?

Review the information in Security Events to identify any possible attack or misconfiguration.

Additional information

The mean time to detection is five minutes.

This alert will look for spikes across all services that generate log entries in security/firewall events.

Limitations

Security Events (WAF) alerts are not sent for each individual events, but only when a spike in traffic reaches the threshold for an alert to be sent.

These thresholds cannot be configured. Z-score is used to determine the threshold.

Security Events Alert

Who is it for?

Business and Enterprise customers who want to receive alerts about spikes across all services that generate log entries in Security Events. For more information, refer to WAF alerts.

Other options / filters

A mandatory filters selection is needed when you create a notification policy which includes the list of zones that you want to be alerted on.

  • You can also search for and add domains from your list of business or enterprise zones. The notification will be sent for the domains chosen.
  • You can filter events by a targeted action.

Included with

Business and Enterprise plans.

What should you do if you receive one?

Review the information in Security Events to identify any possible attack or misconfiguration.

Additional information

The mean time to detection is two hours.

When setting up this alert, you can select the services that will be monitored. Each selected service is monitored separately.

Limitations

Security Events (WAF) alerts are not sent for each individual events, but only when a spike in traffic reaches the threshold for an alert to be sent.

These thresholds cannot be configured. Z-score is used to determine the threshold.