Alert components
An alert consists of three major components that require your configuration: a filter, a threshold, and settings.
Filter
Filters help you target your alert on specific attack traffic. Note that only certain dimensions are supported at this point.
Threshold
An alert threshold determines under what conditions the alert triggers. To reach a threshold, a number of requests must meet the filter conditions within a time window, and this must happen in a number of consecutive intervals. For example, 10 requests have to trigger the filter conditions within 5 minutes in three 5-minute intervals.
There are two types of threshold you can set:
- Predefined: Lets you select a sensitivity level (Low, Medium, or High), and enter the threshold of requests that trigger the alert when it’s been exceeded within the sensitivity selection’s time and occurrence limits.
- Advanced: Lets you specify custom time and occurrence settings.
To calculate the threshold, first determine the appropriate number of requests for a selected interval. This is often based on peacetime, that is, a period without outstanding attacks.
You can have up to 6 intervals in a threshold, but be aware that the more you have, the longer it can take for the alert to trigger, depending on the time you enter. For example, if your settings are 3 minutes and 6 intervals, it could take up to 18 minutes for the alert to trigger.
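The threshold logic described above, as an added example (not Akamai's code): a small Python model that counts filtered requests per interval and reports when a run of qualifying intervals would complete. It assumes fixed, back-to-back intervals starting at time 0 and that an interval qualifies at or above the threshold; the function names and sample traffic are constructed for illustration.

```python
from collections import Counter

MAX_INTERVALS = 6  # the page allows up to 6 intervals per threshold


def counts_per_interval(timestamps, interval_s):
    """Count matching requests in each fixed, back-to-back interval."""
    return Counter(int(t // interval_s) for t in timestamps)


def peacetime_peak(timestamps, interval_s):
    """Busiest interval in a peacetime sample: a baseline to weigh the threshold against."""
    counts = counts_per_interval(timestamps, interval_s)
    return max(counts.values(), default=0)


def first_trigger(timestamps, threshold, interval_s, occurrences):
    """Return the second at which the alert would trigger, or None."""
    if not 1 <= occurrences <= MAX_INTERVALS:
        raise ValueError("occurrences must be between 1 and 6")
    counts = counts_per_interval(timestamps, interval_s)
    streak = 0
    for idx in range(max(counts, default=-1) + 1):
        # Assumption: an interval qualifies at >= threshold; any gap resets the run.
        streak = streak + 1 if counts[idx] >= threshold else 0
        if streak == occurrences:
            return (idx + 1) * interval_s  # end of the interval completing the run
    return None


# Constructed sample traffic: seconds since monitoring started, filter already applied.
peacetime = list(range(0, 1800, 60))          # 1 request/min -> 5 per 5-minute interval
steady = list(range(0, 900, 20))              # 15 per interval for three intervals
interrupted = [t for t in range(0, 1500, 20) if not 300 <= t < 600]
short_burst = [t * 0.5 for t in range(100)]   # 100 requests in the first 50 seconds

if __name__ == "__main__":
    print("peacetime peak per 5 min:", peacetime_peak(peacetime, 300))
    for name, ts in [("steady", steady), ("interrupted", interrupted),
                     ("short burst", short_burst)]:
        print(name, "->", first_trigger(ts, threshold=10, interval_s=300, occurrences=3))
    # 3-minute intervals x 6 occurrences: the run completes at 1080 s (18 minutes).
    print("6 x 3 min ->", first_trigger(range(0, 1080, 10), 10, 180, 6))
```

Under these assumptions a single quiet interval restarts the count, and a short, intense burst never triggers a multi-interval threshold, which is worth weighing when choosing the number of intervals.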
Settings
Alert settings refer to these properties:
- Alert name: The name of the alert. It can be up to 50 characters long. It’s best to provide a meaningful name for future reference.
- Alert description: The description of the alert. It’s best to provide a meaningful description for future reference.
- Send to: The addresses where WSA sends an email notification each time the alert triggers.
- Enable alert: Alerts can be either enabled or disabled. Only enabled alerts are evaluated and triggered by requests. Enabled alerts also count towards your alert quota.
- Send to SOCC: Whether the alert should be sent to Akamai SOCC for analysis. This property is read-only and serves an informational purpose.
- Priority: You can assign a priority of high, medium, or low to each alert. You can see what your alerts’ priorities are by the color code that accompanies each one (High, Medium, Low). The priority assignment is for your use only and doesn’t affect how the system processes alerts. If an alert has been triggered, its color-code box contains the number of trigger occurrences.
- Owner: There are two types of alert ownership, those you manage yourself and those Akamai manages. Akamai-owned alerts are denoted by an icon and only Akamai can change them. Both you and Akamai can change customer-owned alerts. This property is read-only and serves an informational purpose.