Attack Alert Monitoring

UWAF monitors attacks against user domains. By default, if more than 500 dangerous attack behaviors (matched by system rules plus user-defined rules) are triggered within one minute, an alarm email or SMS is sent to the users in the corresponding message subscription group.

Attack Alert Handling

After receiving an attack alert email or SMS, log in to the UWAF console, select [Security Report] >> [Attack Overview], choose the domain that triggered the alarm, and set the query time range to the period when the alarm was triggered. The overview then shows the attack activity for that domain during this period.

Select [Attack Details], expand the search settings, and select the attack type that triggered the alarm, as shown in the figure below, to view the details of the attacks behind the alert:

For IPs with a very high number of attacks, use the [IP Query] function under [Function Settings] to query the access activity of these IPs during the corresponding period. If an IP is found to have launched a large number of attacks during this period, click [Add to Blacklist] (in the red box in the figure below) to add that IP to the blacklist.

If there are many attacking source IPs, use the [Malicious IP Blocking] function under [Protection Settings] to add malicious IP blocking rules that punish IPs with excessive attack frequency by adding them to the blacklist.
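
The threshold and triage steps above can also be reproduced offline on exported attack records. The following is an added example, not UWAF code: the record fields (`domain`, `src_ip`, `time`), the use of fixed calendar-minute windows, and the 50% share cut-off for blacklist candidates are all assumptions.

```python
from collections import Counter
from datetime import datetime

ALERT_THRESHOLD = 500  # page default: alert when MORE than 500 events in one minute


def minute_of(ts):
    """Truncate an ISO-8601 timestamp string to its calendar minute."""
    return datetime.fromisoformat(ts).replace(second=0, microsecond=0)


def alerting_minutes(events, threshold=ALERT_THRESHOLD):
    """Return {(domain, minute): count} for every bucket above the threshold."""
    buckets = Counter((e["domain"], minute_of(e["time"])) for e in events)
    return {key: n for key, n in buckets.items() if n > threshold}


def top_sources(events, domain, minute, limit=5):
    """Rank source IPs by event count inside one (domain, minute) bucket."""
    ips = Counter(e["src_ip"] for e in events
                  if e["domain"] == domain and minute_of(e["time"]) == minute)
    return ips.most_common(limit)


def blacklist_candidates(events, domain, minute, share=0.5):
    """IPs that produced at least `share` of the bucket (assumed cut-off)."""
    ranked = top_sources(events, domain, minute, limit=None)
    total = sum(n for _, n in ranked)
    return [ip for ip, n in ranked if total and n / total >= share]


def sample_events():
    """Constructed records; field names are hypothetical, IPs are documentation ranges."""
    def burst(domain, ip, hhmm, n):
        return [{"domain": domain, "src_ip": ip,
                 "time": f"2024-01-01T{hhmm}:{i % 60:02d}"} for i in range(n)]
    return (burst("shop.example.com", "203.0.113.7", "10:15", 480)
            + burst("shop.example.com", "198.51.100.23", "10:15", 60)
            + burst("shop.example.com", "203.0.113.7", "10:16", 500)  # exactly 500: no alert
            + burst("blog.example.com", "192.0.2.44", "10:15", 20))


if __name__ == "__main__":
    events = sample_events()
    for (domain, minute), n in alerting_minutes(events).items():
        print(domain, minute, n, top_sources(events, domain, minute),
              blacklist_candidates(events, domain, minute))
```

A single dominant IP maps to the [Add to Blacklist] step; a bucket with no dominant source is the case where a frequency-based [Malicious IP Blocking] rule is the better fit.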