Runtime Application Protection

  • How-to guide

Dynatrace Runtime Application Protection leverages code-level insights and transaction analysis to detect and block exploitation attempts on your applications automatically and in real time.

Capabilities

  • Detection of SQL injection, JNDI injection, command injection, and SSRF attacks
  • Code-level visibility provided by OneAgent
  • Production-ready performance footprint
  • Configurable automatic blocking of detected attacks
  • Protection of web applications and APIs
  • High alert precision with rich context to optimize your team's performance and make every minute count

How it works

Runtime Application Protection (RAP) uses runtime instrumentation to detect and optionally block exploit attempts. When your application receives a web request, Dynatrace OneAgent tracks user input and analyzes how it interacts with sensitive code paths, such as SQL queries, OS commands, or JNDI lookups. If the behavior matches a known attack pattern, Dynatrace reports it as a security finding. If attack blocking is enabled, OneAgent throws an exception to stop the malicious request before it executes. RAP is lightweight and safe for use in production environments.

Prerequisites

Before you begin, ensure your environment meets the necessary requirements:

  • You're using a supported version of Dynatrace. Review the release notes for currently supported versions.

  • For Runtime Application Protection to work properly, make sure deep monitoring is enabled in Settings > Processes and containers > Process group monitoring.

    For .NET, Go, and Python technologies, for which automatic deep monitoring is disabled, you need to manually enable deep monitoring on each host. For more information, see Process deep monitoring.

Permissions

This permissions section refers to the classic Attacks (previous Dynatrace) or Attacks Attacks app, which is deprecated. If you're using the latest Dynatrace experience, refer to the Threats & Exploits Threats & Exploits requirements instead.

For details on transitioning, see Upgrade to the latest Dynatrace.

You need to assign the Security admin group to users who will be allowed to view and manage attacks.

To assign Security admin permission

  1. Go to Account Management > Identity & access management > People. You have the following options.

To add an existing user to the group

  1. Under Actions, select > Edit user for the user you want to add.
  2. Select Security admin, then select Save.

For more information on user permissions, see Manage user groups and permissions.

Supported technologies

Dynatrace detects SQL injection, JNDI injection, command injection, and SSRF attacks in the following technologies.

TechnologyMinimum OneAgent versionSQL injectionCommand injectionJNDI injectionSSRF
Java 8 or higher11.241
.NET2'31.289
Go31.311
1

Only supported on Windows x86 and Linux x86 systems.

2

Only .NET Framework 4.5, .NET Core 3.0 or higher, and 64-bit processes are supported.

3

For .NET and Go technologies, for which automatic deep monitoring is disabled, you need to manually enable deep monitoring on each host. For more information, see Process deep monitoring.

Get started

To set up Runtime Application Protection, follow the instructions below.

To use preview features, please contact a Dynatrace product expert via live chat to activate Runtime Application Protection before continuing.

To enable Runtime Application Protection globally on your environment

  1. Go to Settings (New) > Analyze and alert > Application security > Application protection (New).

  2. Enable Runtime Application Protection.

  3. Select Enable.

To define the global attack control for all process groups

  1. Go to Settings (New) > Analyze and alert > Application security > Application protection (New) > Monitoring rules > Default rules.
  2. Edit the attack control per technology:
  • Off; incoming attacks NOT detected or blocked.—Monitoring is disabled; no attacks in the selected technology are reported.
  • Monitor; incoming attacks detected only.—Monitoring is enabled; no attacks in the selected technology are blocked.
  • Block; incoming attacks detected and blocked.—Monitoring is enabled; attacks in the selected technology are blocked at runtime.

If you define custom monitoring rules based on certain process groups or vulnerability types, the custom rules override the global attack control for the selected technology, and Runtime Application Protection continues to monitor the attacks based on your rules.

  1. Select Save.

  1. Go to Settings (New) and select Collect and capture > General monitoring settings > OneAgent features.

  2. Filter by code-level attack evaluation and enable the feature for the technologies you want to monitor.

  3. Select Save changes.

  4. Restart your processes.

OneAgent version 1.309 To detect SSRF attacks, you also need to enable SSRF attack evaluation. See below for instructions.

  1. Go to Settings (New) and select Collect and capture > General monitoring settings > OneAgent features.

  2. Find and enable Java SSRF code-level vulnerability and attack evaluation.

  3. Select Save changes.

  4. Restart your processes.

What's next

After you set up Runtime Application Protection, you can

Consumption

Runtime Application Protection is licensed based on the consumption of GiB-hours if you're using the Dynatrace Platform Subscription (DPS) licensing model, or Application Security units (ASUs) if you're using the Dynatrace classic licensing.

Related tags
Application Security