This page applies to Apigee and Apigee hybrid.
View Apigee Edge documentation.
Advanced API Security Alerts lets you create alerts for events related to API security, such as changes to your security scores or incidents of detected API abuse. You create alerts using Cloud Monitoring. You can configure an alert to send you a notification by text, email, or other channels, when the alert is triggered. See Create metric-threshold alerting policies for more information on creating alerts.
Required roles
To set up alerts and notification channels in Cloud Monitoring, you need to be assigned the following roles:
roles/monitoring.alertPolicyEditor
roles/monitoring.notificationChannelEditor
Limitations
For alerting, the following limitations apply:
- The maximum number of alerting policies is 500 for all Apigee subscription levels.
- Metrics data is stored for 6 weeks.
- Maximum time period that a metric-threshold condition evaluates is 23 hours 30 minutes.
- There can be up to a 4-minute delay from the time an event that triggers an alert occurs until the time the alert is created and a notification is sent.
See Limits for alerting for a complete list of limits for alerting.
The following sections present examples that show how to create alerts.
Example: Create an alert for a decrease in proxy security score
This example creates an alert when a proxy security score falls below a specified threshold. To create the alert, do the following steps:
Open the Create alerting policy page in the Google Cloud console.
- Click Select a Metric.
- Deselect Show only active resources & metrics.
Note: If there is no recent API traffic data in your organization, the metric in the next step won't be displayed unless this option is unselected.
- Select a metric as follows:
- Select Apigee API Security Profile Environment Association.
- In the pane that opens to the right, select Security
- In the next pane to the right, select Security score of Apigee API proxy.
- Click Apply
- (Optional) To restrict the data for the alert, say to a specified environment,
you can create a filter as follows:
- Under Add filters > New filter, click in the Filter field and select a resource label to filter on, such as env.
- In the Comparator field, select a comparator, such as =.
- In the Value field, select a value for the resource label, such as an environment name.
With this filter, an alert will only be triggered by data that passes the filter condition. See Filters for a list of available filters.
- Under Transform data, in the Rolling window function field, select sum.
- Click Next.
- In the Configure alert trigger pane, set the following:
- Under Condition Types, select Threshold.
- Under Alert trigger, select Any time series violates.
- Under Threshold position, select Below threshold.
- In the Threshold value field, enter a threshold that triggers the alert, such as 600..
- Click Next.
- In the Configure notifications field, click in the Notification Channels field and select channels, such as text message or email, for the notification. If you have not configured any channels, click Manage Notification Channels and add a channel or channels.
- Click OK.
- In the Documentation field, enter any text that you want delivered with the notification, such as a description of what triggered the alert. For example, you could enter "A security score has fallen below 600."
- Under Name the alert policy, enter a name for the alert policy.
- Click Next and review the details of the alert policy.
- If everything looks good, click Create Policy to create the alert policy.
Example: Create an alert for increase in detected abuse traffic for a detection rule
This example shows how to create an alert when the number of requests with detected abuse traffic exceeds a specified threshold for any single detection rule. To create the alert, do the following steps:
Open the Create alerting policy page in the Google Cloud console.
- Click Select a Metric.
- Deselect Show only active resources & metrics.
Note: If there is no recent API traffic data in your organization, the metric in the next step won't be displayed unless this option is unselected.
- Select a metric as follows:
- Select Apigee API Security Detection Rule.
- In the pane that opens to the right, select Security
- In the next pane to the right, select Apigee API Security detected request count by rule.
- Click Apply
- (Optional) To restrict the data for the alert, say to a specified environment,
you can create a filter as follows:
- Under Add filters > New filter, click in the Filter field and select a resource label to filter on, such as env.
- In the Comparator field, select a comparator, such as =.
- In the Value field, select a value for the resource label, such as an environment name.
With this filter, an alert will only be triggered by data that passes the filter condition, such as data in an environment. See Filters for a list of available filters.
- Under Transform data, in the Rolling window function field, select sum.
- Click Next.
- In the Configure alert trigger pane, set the following:
- Under Condition Types, select Threshold.
- Under Alert trigger, select Any time series violates.
- Under Threshold position, select Above threshold.
- In the Threshold value field, enter a threshold that triggers the alert, such as 100..
- Click Next.
- In the Configure notifications field, click in the Notification Channels field and select channels, such as text message or email, for the notification. If you have not configured any channels, click Manage Notification Channels and add a channel or channels.
- Click OK.
- In the Documentation field, enter any text that you want delivered with the notification, such as a description of what triggered the alert. For example, you could enter "Detected abuse traffic exceeded 100 for $(resource.label.env)." This uses the label $(resource.label.env), which displays the environment whose data triggered the alert.
- Under Name the alert policy, enter a name for the alert policy.
- Click Next and review the details of the alert policy.
- If everything looks good, click Create Policy to create the alert policy.
Metrics for security alerts
The table below describes the available metrics for creating security alerts:
Resource | Metric | Description | Supported filters |
---|---|---|---|
Apigee Environment | Apigee API Security request count:apigee.googleapis.com/security/request_count |
Number of API requests processed by Advanced API Security, since the last sample. | location, org, env, proxy |
Apigee Environment | Apigee API Security detected request count:apigee.googleapis.com/security/detected_request_count |
Number of API requests detected by Advanced API Security abuse detection, since the last sample. | location, org, env, proxy |
Apigee API Security Detection Rule | Apigee API Security detected request count by rule:apigee.googleapis.com/security/detected_request_count_by_rule |
Number of API requests detected by Advanced API Security abuse detection and grouped by detection rule since the last sample. | location, org, env, proxy, detection_rule |
Apigee API Security Incident | Apigee API Security incident request count:apigee.googleapis.com/security/incident_request_count |
Number of API requests detected to be part of an API Security incident. This value is measured once every hour. | location, org, env, proxy |
Apigee API Security Incident | Apigee API Security incident request count by detection rule:apigee.googleapis.com/security/incident_request_count_by_rule |
Number of API requests detected to be part of an API Security incident grouped by detection rule. This value is measured once every hour. | location, org, env, incident_id, detection_rule |
Apigee API Security Profile Environment Association | Security score of Apigee API sources:apigee.googleapis.com/security/source_score |
Current security score of Apigee API proxy based on Advanced API Security source assessment. This value is measured at least once every 3 hours. | location, org, env, profile |
Apigee API Security Profile Environment Association | Security score of Apigee API proxy:apigee.googleapis.com/security/proxy_score |
Current security score of Apigee API proxy based on Advanced API Security proxy assessment. This value is measured at least once every 3 hours. | location, org, env, profile, proxy |
Apigee API Security Profile Environment Association | Security score of Apigee API target:apigee.googleapis.com/security/target_score |
Current security score of Apigee API proxy based on Advanced API Security target assessment. This value is measured at least once every 3 hours. | location, org, env, profile, target_server |
Apigee API Security Profile Environment Association | Security score of Apigee environment:apigee.googleapis.com/security/environment_score |
Current total security score of Apigee environment based on Advanced API Security assessments of sources, proxies, and targets. This value is measured at least once every 3 hours. | location, org, env, profile |
Filters
Filter Label | Description |
---|---|
location | Location of the resource: global always. |
org | Apigee organization name |
env | Apigee environment name |
profile | Apigee API Security profile name |
proxy | Apigee API proxy name |
target_server | Apigee target server name |
detection_rule | Apigee API security detection rule name |