• Web Application Firewall

  1. Help Center
  2. Web Application Firewall
  3. User Guide
  4. Event Management
  5. Enabling Alarm Notification

Enabling Alarm Notification

This section describes how to enable notification for attack logs. Once this function is enabled, WAF sends attack logs to users by email or SMS.


  • Login credentials have been obtained.
  • The SMN service has been enabled.


  1. Log in to the management console.
  2. Click in the upper left corner of the management console and select a region or project.
  3. Choose Security > Web Application Firewall. In the navigation pane, choose Events. The Events page is displayed.
  4. Click the Notify tab and configure alarm notification parameters by referring to Table 1 (see Figure 1).

    Figure 1 Configuring alarm notification
    Table 1 Notification setting parameters



    Notification ID

    Alarm event ID


    Whether to enable notification

    • : enabled.
    • : disabled.

    Notification Topic

    Click the drop-down list to select an available topic or click View Topic to create a topic.

    For more information, see the Simple Message Notification User Guide.


    Alarm threshold


    Alarm notifications are sent when the number of attacks is greater than or equal to the threshold within the configured period.

    Event Type

    By default, All is selected. You can also click Customize to specify event types.

    For details about event types, see Table 2.

    Table 2 List of event types

    Event Type


    Challenge Collapsar

    CC attack. When you find out that your website is experiencing slowed processing and high bandwidth usage, it may have been under CC attacks.

    Command Injection

    Command injection. It is a technique used by hackers to execute system commands on a server by chaining commands and bypassing blacklists to invoke web application interfaces.


    Events logged by one or more precise protection rules

    Illegal Request

    Invalid requests. For example, more than 512 parameters are used.

    SQL Injection

    SQL injection. It is a common web attack whereby attackers inject malicious SQL commands into database query strings to deceive the server into executing them. By exploiting these commands, the attacker can obtain sensitive information, add users, export files, or even gain the highest permissions to the database or system.

    Local File Inclusion

    Local file inclusion (LFI) allows attackers to access files on a local server or download sensitive configurations. The vulnerability occurs due to the use of user-supplied input without proper validation.

    Scanner & Crawler

    Scanner and crawler attack events


    Events logged by one or more web tamper protection rules

    Remote File Inclusion

    Remote file inclusion


    Other types of attacks, such as a combination of SQL injection and command injection attacks or certain CVE vulnerabilities

    Cross Site Scripting

    XSS. It is a type of attacks that exploits security vulnerabilities in web applications. XSS enables attackers to inject auto-executed malicious codes into webpages to steal users' information when they visit the pages.

    Black/White IP

    Events logged by one or more blacklist or whitelist rules


    A webshell is an attack script. After intruding into a website, an attacker adds an .asp, .php, .jsp, or .cgi script file with normal webpage files. Then, the attacker accesses the file from a web browser and uses it as a backdoor to obtain a command execution environment for controlling the web server. For this reason, webshells are also called backdoor tools.

  5. Click Save.