Security alerts

This page applies to Apigee and Apigee hybrid.


Advanced API Security Alerts lets you create alerts for events related to API security, such as changes to your security scores or incidents of detected API abuse. You create alerts using Cloud Monitoring. You can configure an alert to send you a notification by text, email, or other channels, when the alert is triggered. See Create metric-threshold alerting policies for more information on creating alerts.

Required roles

To set up alerts and notification channels in Cloud Monitoring, you need to be assigned the following roles:

  • roles/monitoring.alertPolicyEditor
  • roles/monitoring.notificationChannelEditor

Limitations

For alerting, the following limitations apply:

  • The maximum number of alerting policies is 500 for all Apigee subscription levels.
  • Metrics data is stored for 6 weeks.
  • The maximum time period that a metric-threshold condition evaluates is 23 hours 30 minutes.
  • There can be up to a 4-minute delay from the time an event that triggers an alert occurs until the time the alert is created and a notification is sent.

See Limits for alerting for a complete list of limits for alerting.

The following sections present examples that show how to create alerts.

Example: Create an alert for a decrease in proxy security score

This example creates an alert when a proxy security score falls below a specified threshold. To create the alert, do the following steps:

  1. Open the Create alerting policy page in the Google Cloud console.

  2. Click Select a Metric.
  3. Deselect Show only active resources & metrics.

    Note: If there is no recent API traffic data in your organization, the metric in the next step won't be displayed unless this option is unselected.

  4. Select a metric as follows:
    1. Select Apigee API Security Profile Environment Association.
    2. In the pane that opens to the right, select Security.
    3. In the next pane to the right, select Security score of Apigee API proxy.
    4. Click Apply.
  5. (Optional) To restrict the data for the alert, say to a specified environment, you can create a filter as follows:
    1. Under Add filters > New filter, click in the Filter field and select a resource label to filter on, such as env.
    2. In the Comparator field, select a comparator, such as =.
    3. In the Value field, select a value for the resource label, such as an environment name.

    With this filter, an alert will only be triggered by data that passes the filter condition. See Filters for a list of available filters.

  6. Under Transform data, in the Rolling window function field, select sum.
  7. Click Next.
  8. In the Configure alert trigger pane, set the following:
    • Under Condition Types, select Threshold.
    • Under Alert trigger, select Any time series violates.
    • Under Threshold position, select Below threshold.
    • In the Threshold value field, enter a threshold that triggers the alert, such as 600.
  9. Click Next.
  10. In the Configure notifications field, click in the Notification Channels field and select channels, such as text message or email, for the notification. If you have not configured any channels, click Manage Notification Channels and add a channel or channels.
  11. Click OK.
  12. In the Documentation field, enter any text that you want delivered with the notification, such as a description of what triggered the alert. For example, you could enter "A security score has fallen below 600."
  13. Under Name the alert policy, enter a name for the alert policy.
  14. Click Next and review the details of the alert policy.
  15. If everything looks good, click Create Policy to create the alert policy.

Example: Create an alert for increase in detected abuse traffic for a detection rule

This example shows how to create an alert when the number of requests with detected abuse traffic exceeds a specified threshold for any single detection rule. To create the alert, do the following steps:

  1. Open the Create alerting policy page in the Google Cloud console.

  2. Click Select a Metric.
  3. Deselect Show only active resources & metrics.

    Note: If there is no recent API traffic data in your organization, the metric in the next step won't be displayed unless this option is unselected.

  4. Select a metric as follows:
    1. Select Apigee API Security Detection Rule.
    2. In the pane that opens to the right, select Security.
    3. In the next pane to the right, select Apigee API Security detected request count by rule.
    4. Click Apply.
  5. (Optional) To restrict the data for the alert, say to a specified environment, you can create a filter as follows:
    1. Under Add filters > New filter, click in the Filter field and select a resource label to filter on, such as env.
    2. In the Comparator field, select a comparator, such as =.
    3. In the Value field, select a value for the resource label, such as an environment name.

    With this filter, an alert will only be triggered by data that passes the filter condition, such as data in an environment. See Filters for a list of available filters.

  6. Under Transform data, in the Rolling window function field, select sum.
  7. Click Next.
  8. In the Configure alert trigger pane, set the following:
    • Under Condition Types, select Threshold.
    • Under Alert trigger, select Any time series violates.
    • Under Threshold position, select Above threshold.
    • In the Threshold value field, enter a threshold that triggers the alert, such as 100.
  9. Click Next.
  10. In the Configure notifications field, click in the Notification Channels field and select channels, such as text message or email, for the notification. If you have not configured any channels, click Manage Notification Channels and add a channel or channels.
  11. Click OK.
  12. In the Documentation field, enter any text that you want delivered with the notification, such as a description of what triggered the alert. For example, you could enter "Detected abuse traffic exceeded 100 for $(resource.label.env)." This uses the label $(resource.label.env), which displays the environment whose data triggered the alert.
  13. Under Name the alert policy, enter a name for the alert policy.
  14. Click Next and review the details of the alert policy.
  15. If everything looks good, click Create Policy to create the alert policy.
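
The two console procedures above can also be expressed as alert policy bodies for the Cloud Monitoring API. The following is an added example, not code from this page or from Apigee: it builds both policies, rejects environment names that would break the filter string, and enforces the 23 hours 30 minutes limit. The resource-type strings, the environment name "prod", the policy names, and reading the limit as rolling window plus retest window are assumptions.

```python
import json

MAX_EVAL_SECONDS = 23 * 3600 + 30 * 60  # page limit: 23 hours 30 minutes
COMPARISONS = {"below": "COMPARISON_LT", "above": "COMPARISON_GT"}
# Assumption: API type strings for the two console resource names.
SCORE_RESOURCE = "apigee.googleapis.com/SecurityProfileEnvironmentAssociation"
RULE_RESOURCE = "apigee.googleapis.com/SecurityDetectionRule"

def build_policy(name, metric, resource_type, position, threshold, env=None,
                 window_s=300, retest_s=0, channels=(), doc_text=""):
    """Return an AlertPolicy body with one metric-threshold condition."""
    # Assumption: the 23h30m limit covers rolling window plus retest window.
    if window_s + retest_s > MAX_EVAL_SECONDS:
        raise ValueError("evaluation period exceeds 23 hours 30 minutes")
    parts = [f'metric.type = "apigee.googleapis.com/security/{metric}"',
             f'resource.type = "{resource_type}"']
    if env is not None:  # optional step 5: restrict to one environment
        if '"' in env or "\\" in env:
            raise ValueError("environment name must not contain quotes")
        parts.append(f'resource.labels.env = "{env}"')
    threshold_cond = {
        "filter": " AND ".join(parts),
        "aggregations": [{"alignmentPeriod": f"{window_s}s",
                          "perSeriesAligner": "ALIGN_SUM"}],  # step 6: sum
        "comparison": COMPARISONS[position],  # Below / Above threshold
        "thresholdValue": threshold, "duration": f"{retest_s}s",
        "trigger": {"count": 1},  # Any time series violates
    }
    return {
        "displayName": name,
        "combiner": "OR",
        "conditions": [{"displayName": f"{metric} {position} {threshold}",
                        "conditionThreshold": threshold_cond}],
        "notificationChannels": list(channels),
        "documentation": {"content": doc_text, "mimeType": "text/markdown"},
    }

def example_policies(env="prod"):
    """Both policies from this page; env "prod" is a constructed value."""
    return [
        build_policy("proxy-score-low", "proxy_score", SCORE_RESOURCE, "below",
                     600, env, doc_text="A security score has fallen below 600."),
        build_policy("abuse-by-rule-high", "detected_request_count_by_rule",
                     RULE_RESOURCE, "above", 100, env,
                     doc_text="Detected abuse traffic exceeded 100."),
    ]

if __name__ == "__main__":
    print(json.dumps(example_policies(), indent=2))
```

Each printed object is a request body for the Cloud Monitoring API's projects.alertPolicies.create method; pass notification channel resource names through the channels argument.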

Metrics for security alerts

The table below describes the available metrics for creating security alerts:

| Resource | Metric | Description | Supported filters |
|---|---|---|---|
| Apigee Environment | Apigee API Security request count: apigee.googleapis.com/security/request_count | Number of API requests processed by Advanced API Security, since the last sample. | location, org, env, proxy |
| Apigee Environment | Apigee API Security detected request count: apigee.googleapis.com/security/detected_request_count | Number of API requests detected by Advanced API Security abuse detection, since the last sample. | location, org, env, proxy |
| Apigee API Security Detection Rule | Apigee API Security detected request count by rule: apigee.googleapis.com/security/detected_request_count_by_rule | Number of API requests detected by Advanced API Security abuse detection and grouped by detection rule since the last sample. | location, org, env, proxy, detection_rule |
| Apigee API Security Incident | Apigee API Security incident request count: apigee.googleapis.com/security/incident_request_count | Number of API requests detected to be part of an API Security incident. This value is measured once every hour. | location, org, env, proxy |
| Apigee API Security Incident | Apigee API Security incident request count by detection rule: apigee.googleapis.com/security/incident_request_count_by_rule | Number of API requests detected to be part of an API Security incident grouped by detection rule. This value is measured once every hour. | location, org, env, incident_id, detection_rule |
| Apigee API Security Profile Environment Association | Security score of Apigee API sources: apigee.googleapis.com/security/source_score | Current security score of Apigee API proxy based on Advanced API Security source assessment. This value is measured at least once every 3 hours. | location, org, env, profile |
| Apigee API Security Profile Environment Association | Security score of Apigee API proxy: apigee.googleapis.com/security/proxy_score | Current security score of Apigee API proxy based on Advanced API Security proxy assessment. This value is measured at least once every 3 hours. | location, org, env, profile, proxy |
| Apigee API Security Profile Environment Association | Security score of Apigee API target: apigee.googleapis.com/security/target_score | Current security score of Apigee API proxy based on Advanced API Security target assessment. This value is measured at least once every 3 hours. | location, org, env, profile, target_server |
| Apigee API Security Profile Environment Association | Security score of Apigee environment: apigee.googleapis.com/security/environment_score | Current total security score of Apigee environment based on Advanced API Security assessments of sources, proxies, and targets. This value is measured at least once every 3 hours. | location, org, env, profile |

Filters

| Filter label | Description |
|---|---|
| location | Location of the resource: always global. |
| org | Apigee organization name |
| env | Apigee environment name |
| profile | Apigee API Security profile name |
| proxy | Apigee API proxy name |
| target_server | Apigee target server name |
| detection_rule | Apigee API security detection rule name |