Quick Start Observability for Amazon WAF


Amazon WAF

Coralogix Extension For Amazon WAF Includes:

Dashboards - 1

Gain instantaneous visualization of all your Amazon WAF data.

AWS WAF (Web Application Firewall)

Alerts - 4

Stay on top of Amazon WAF key performance metrics. Keep everyone in the know with integration with Slack, PagerDuty and more.

AWS WAF - High Blocked Requests Rate

This alert identifies a high number of blocked requests, which may indicate potential security threats, such as malicious traffic, misconfigured rules, or unexpected application behavior.

Customization Guidance:

Threshold: The default threshold is set to detect a sustained rate of blocked requests (e.g., more than 100 requests for over 10% of a 10-minute window). Adjust the threshold based on your application’s normal traffic patterns and the criticality of blocked requests.

Monitoring Period: A 10-minute monitoring period is recommended to capture sustained spikes in blocked requests. Modify the period based on your application’s sensitivity to traffic changes.

Refinement: Tailor the alert to specific Web ACLs or rules by using dimensions like WebACLId or RuleId to monitor targeted components.

Notification Frequency: Configure the frequency of alerts to balance timely notifications with the risk of alert fatigue. For critical applications, shorter notification intervals may be preferred.

Action: Upon triggering this alert, review the WAF logs to identify the source of the blocked requests. Investigate whether the blocked traffic represents a legitimate threat (e.g., SQL injection, XSS attempts) or whether rules are too restrictive and blocking valid traffic. Adjust rules as needed to optimize application security and functionality.

AWS WAF - High Allowed Requests Rate

This alert identifies a high number of allowed requests, which may indicate unexpected traffic spikes, potential rule misconfigurations, or increased legitimate user activity.

Customization Guidance:

Threshold: The default threshold is set to detect a sustained rate of allowed requests exceeding 10,000 requests for over 10% of a 10-minute window. Adjust the threshold based on your application’s typical traffic patterns and the criticality of allowed traffic.

Monitoring Period: A 10-minute monitoring period is recommended to capture sustained spikes in allowed requests. Modify the period to align with your application's sensitivity to traffic fluctuations.

Refinement: Tailor the alert to specific Web ACLs or rules by using dimensions such as WebACLId or RuleId. This ensures the alert focuses on specific components or traffic types.

Notification Frequency: Configure notifications to avoid alert fatigue while ensuring timely awareness of potential issues. For critical applications, shorter notification intervals may be necessary.

Action: Upon triggering this alert, review the WAF logs to understand the source of the allowed requests. Determine whether the traffic is expected (e.g., legitimate user traffic) or whether rule configurations need adjustment. For unexpected spikes, investigate the origin of the traffic and ensure WAF rules are correctly filtering unwanted access. Optimize WAF rules as needed to maintain security and functionality.

AWS WAF - High Counter Requests Rate

This alert identifies a high rate of counted requests, which may indicate increased traffic volume being evaluated by your AWS WAF rules, possibly due to legitimate user activity, unexpected spikes, or potential security scanning attempts.

Customization Guidance:

Threshold: The default threshold is set to detect a sustained rate of counted requests exceeding 5,000 requests. Adjust this threshold based on your application’s typical traffic patterns and the criticality of counted traffic.

Monitoring Period: A 10-minute monitoring period is recommended to capture sustained spikes in counted requests. Modify this period as needed to align with your application's sensitivity to traffic changes.

Refinement: Focus the alert on specific Web ACLs or rules by using dimensions such as WebACLId or RuleId. This helps target monitoring to relevant traffic components or specific application areas.

Notification Frequency: Configure notifications to balance timely awareness with the risk of alert fatigue. Shorter notification intervals may be appropriate for critical services or applications.

Action: Upon triggering this alert, review the WAF logs to identify the source of the counted requests. Determine whether the traffic aligns with expected user behavior or whether the volume indicates unusual activity, such as automated scans or potential attacks. Adjust WAF rules as needed to optimize performance and maintain a balance between security and usability.

AWS WAF - No Requests Processed (Possible WAF Configuration Issue)

This alert identifies when no requests are being processed by AWS WAF, which may indicate potential configuration issues, connectivity problems, or a lack of traffic to the application protected by WAF.

Customization Guidance:

Threshold: The alert triggers when no requests (AllowedRequests, BlockedRequests, or CountedRequests) are processed for 10% of a 10-minute window.

Monitoring Period: Use a 10-minute window to reduce false positives due to temporary traffic dips.

Refinement: Use dimensions like WebACLId to monitor specific applications.

Action: Investigate the WAF configuration and ensure that WAF is integrated with your application. Verify the application's health and accessibility.
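The four alerts above share one evaluation shape: a per-Web-ACL metric is compared against a threshold in each minute of a 10-minute window, and the alert fires only when the condition holds for more than 10% of that window. The following is an added illustration of that logic written for this page; it is not Coralogix's alert engine or AWS code. It assumes (labelled in the comments) that metric samples arrive once per minute carrying the three AWS WAF CloudWatch metric names and a WebACLId dimension, that "for over 10% of 10 minutes" means the condition holds in more than 10% of the one-minute samples, and that a minute with no sample at all counts as zero traffic. The thresholds are the defaults quoted in the alert descriptions; the sample window and the Web ACL ids are constructed.

```python
"""Evaluate the four AWS WAF alert conditions described above over a
10-minute window of per-minute metric samples.

Added example, not Coralogix's or AWS's own code. Assumptions:
  * one sample per minute per Web ACL with AllowedRequests,
    BlockedRequests and CountedRequests (AWS WAF CloudWatch metric names)
  * "for over 10% of 10 minutes" == condition true in > 10% of the
    window's one-minute samples
  * a minute without a sample is treated as zero traffic
"""
from dataclasses import dataclass
from typing import Callable, Dict, Iterable

WINDOW_MINUTES = 10      # monitoring period recommended by every alert
MIN_FRACTION = 0.10      # "over 10% of the window"

# Default thresholds quoted in the alert descriptions on this page
BLOCKED_THRESHOLD = 100
ALLOWED_THRESHOLD = 10_000
COUNTED_THRESHOLD = 5_000


@dataclass(frozen=True)
class Sample:
    minute: int       # offset within the window, 0 .. WINDOW_MINUTES-1
    web_acl_id: str   # WebACLId dimension used for refinement
    allowed: int      # AllowedRequests
    blocked: int      # BlockedRequests
    counted: int      # CountedRequests


def fraction_matching(samples: Iterable[Sample],
                      predicate: Callable[[Sample], bool]) -> float:
    """Fraction of the window's minutes in which predicate(sample) holds.

    Minutes that have no sample are filled with an all-zero sample, so a
    silent Web ACL is treated as processing no requests (assumption).
    """
    by_minute = {s.minute: s for s in samples}
    hits = 0
    for m in range(WINDOW_MINUTES):
        s = by_minute.get(m, Sample(m, "", 0, 0, 0))
        if predicate(s):
            hits += 1
    return hits / WINDOW_MINUTES


def evaluate_alerts(samples: Iterable[Sample], web_acl_id: str) -> Dict[str, bool]:
    """Return {alert name: fired?} for one Web ACL over one window.

    The WebACLId filter is the "Refinement" step from the descriptions:
    each Web ACL is judged on its own samples only.
    """
    scoped = [s for s in samples if s.web_acl_id == web_acl_id]
    checks = {
        "High Blocked Requests Rate": lambda s: s.blocked > BLOCKED_THRESHOLD,
        "High Allowed Requests Rate": lambda s: s.allowed > ALLOWED_THRESHOLD,
        "High Counted Requests Rate": lambda s: s.counted > COUNTED_THRESHOLD,
        "No Requests Processed": lambda s: s.allowed + s.blocked + s.counted == 0,
    }
    return {name: fraction_matching(scoped, pred) > MIN_FRACTION
            for name, pred in checks.items()}


# Constructed sample window for a hypothetical Web ACL "acl-example":
# steady traffic with a two-minute burst of blocked requests (minutes 3, 4).
SAMPLE_WINDOW = [
    Sample(0, "acl-example", allowed=800, blocked=12, counted=40),
    Sample(1, "acl-example", allowed=790, blocked=9, counted=35),
    Sample(2, "acl-example", allowed=810, blocked=15, counted=50),
    Sample(3, "acl-example", allowed=820, blocked=350, counted=60),
    Sample(4, "acl-example", allowed=805, blocked=420, counted=55),
    Sample(5, "acl-example", allowed=795, blocked=20, counted=45),
    Sample(6, "acl-example", allowed=780, blocked=11, counted=38),
    Sample(7, "acl-example", allowed=800, blocked=14, counted=42),
    Sample(8, "acl-example", allowed=815, blocked=10, counted=47),
    Sample(9, "acl-example", allowed=790, blocked=13, counted=41),
]

if __name__ == "__main__":
    # Blocked burst covers 2/10 minutes (> 10%), so only that alert fires.
    for name, fired in evaluate_alerts(SAMPLE_WINDOW, "acl-example").items():
        print(f"{name:30s} {'FIRED' if fired else 'ok'}")
    # A Web ACL with no samples in the window trips only the no-requests alert.
    print(evaluate_alerts(SAMPLE_WINDOW, "acl-idle")["No Requests Processed"])
```

Two behaviours worth noting when tuning the real alerts: a single-minute spike that crosses the threshold covers exactly 10% of the window and therefore does not fire under the "over 10%" rule, which is what makes the alert a detector of sustained rather than momentary traffic; and because missing minutes count as zero, a Web ACL that stops reporting altogether is surfaced by the no-requests alert rather than silently dropping out of monitoring.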

Integration

Learn more about Coralogix's out-of-the-box integration with Amazon WAF in our documentation.
