Runtime Application Protection monitoring rules
Dynatrace Runtime Application Protection rules allow you to
- Set up fine-grained monitoring rules to block, monitor, or ignore future attacks, based on resource attributes, and define multiple conditions for one rule. When creating a rule, you can check if conditions apply and how many process groups are affected. The rules you create override the global attack control settings for the selected technology.
- Add attacks that you don't consider harmful to the allowlist, by source IPs or attack patterns.
Define specific attack control rules
- Go to Settings > Application security > Application Protection > Monitoring rules.
- Select Add new rule.
- Optional: Name your rule (if you don't, a name based on your criteria is assigned automatically once you create the rule).
- For Attack control, specify how to control an attack that matches the rule criteria:
  - Off; incoming attacks NOT detected or blocked.
  - Monitor; incoming attacks detected only.
  - Block; incoming attacks detected and blocked.
- For Attack type, select the attack type to which the current configuration applies.
- Optional: Select Add new condition to add one or more conditions to your rule.
  - If you don't add any condition, the rule applies to all processes.
  - If you add multiple conditions, all of them have to apply for the rule to take effect. To check whether a rule applies, select Preview matching process group instances. This lists the process group instances that currently match the criteria.
  Example conditions:
- Select Save changes.
- Restart processes.
You can edit, disable, enable, or remove rules at any time.
Define exception rules
Based on the source IP of an attack or on an attack pattern, you can create an exception monitoring rule for the attack.
- Go to Settings and select Application security > Application Protection > Allowlist.
- Select Add new exception rule.
- Enter the Source IP (IPv4 or IPv6 address) of the attack for which you want to create an exception. IP ranges can be defined in CIDR notation.
- Optional: Enter an Attack pattern. An attack pattern can be any string an attacker uses in the malicious payload of the attack.
  Example patterns:
  - OR 1=1 -- 0
  - admin'--
  - ; DROP members--
  - ; cat /etc/passwd
- Specify how to control an attack matching the criteria:
  - Off; incoming attacks NOT detected or blocked – don't monitor (ignore) the IP address.
  - Monitor; incoming attacks detected only – monitor the IP address, but don't block it.
- Select Save changes.
You can edit, disable, enable, or remove rules at any time.
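The two procedures above describe how a detected attack is resolved to Off, Monitor or Block: a global setting per technology, overridden by a monitoring rule whose conditions all match, and relaxed by an allowlist entry keyed on source IP (CIDR) and an optional attack pattern. The following is an added example that models that evaluation order in plain Python; it is not Dynatrace's own code or API, the `ControlRule`/`ExceptionRule` classes, the `decide` function and the sample configuration are constructed here, and the assumption that the first matching monitoring rule wins is ours.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, Optional

# Constructed model of the settings described on this page; not Dynatrace's own API.
RANK = {"off": 0, "monitor": 1, "block": 2}

@dataclass
class ControlRule:
    attack_type: str
    control: str                                   # "off" | "monitor" | "block"
    conditions: Dict[str, str] = field(default_factory=dict)  # all must hold; empty = every process

@dataclass
class ExceptionRule:
    source_cidr: str                               # IPv4 or IPv6 host address or CIDR range
    control: str                                   # "off" | "monitor" (allowlist never escalates)
    pattern: Optional[str] = None                  # optional substring of the attack payload

def rule_applies(rule: ControlRule, attack_type: str, process_attrs: Dict[str, str]) -> bool:
    """A monitoring rule matches when the attack type is the same and every condition holds."""
    return rule.attack_type == attack_type and all(
        process_attrs.get(k) == v for k, v in rule.conditions.items())

def exception_applies(exc: ExceptionRule, source_ip: str, payload: str) -> bool:
    """Source IP must fall inside the CIDR; the pattern, if set, must occur in the payload."""
    try:
        in_range = ip_address(source_ip) in ip_network(exc.source_cidr, strict=False)
    except ValueError:                             # unparsable address: never allowlisted
        return False
    return in_range and (exc.pattern is None or exc.pattern in payload)

def decide(attack_type, payload, source_ip, process_attrs, global_control, rules, exceptions) -> str:
    """Return "off", "monitor" or "block" for one detected attack."""
    control = global_control
    for rule in rules:                             # first matching rule overrides the global setting (assumption)
        if rule_applies(rule, attack_type, process_attrs):
            control = rule.control
            break
    for exc in exceptions:                         # allowlist entries only ever relax the decision
        if exception_applies(exc, source_ip, payload):
            control = min(control, exc.control, key=RANK.__getitem__)
    return control

# Constructed sample configuration: one monitoring rule, two allowlist entries.
RULES = [ControlRule("sql_injection", "monitor", {"process_group": "legacy-billing"})]
EXCEPTIONS = [ExceptionRule("10.0.0.0/8", "off", "OR 1=1 -- 0"),
              ExceptionRule("2001:db8::/32", "monitor")]

if __name__ == "__main__":
    print(decide("sql_injection", "id=1 OR 1=1 -- 0", "10.1.2.3", {"process_group": "web"}, "block", RULES, EXCEPTIONS))
```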