Dynatrace Runtime Application Protection rules allow you to
Go to Settings > Application security > Application Protection > Monitoring rules.
Select Add new rule.
Optional: Name your rule (if not, a name will be assigned to it automatically once you create the rule, based on your criteria).
For Attack control, specify how to control an attack that matches the rule criteria:
Off; incoming attacks NOT detected or blocked.
Monitor; incoming attacks detected only.
Block; incoming attacks detected and blocked.
For Attack type, select the attack type to which the current configuration applies.
Optional: If you want the rule to apply only to a subset of your environment, for Specify where the rule is applied, select Add new condition and provide the resource attributes that should be used to identify that part of the environment (for example, dt.entity.process_group, aws.region). For details, see Enrich ingested data with Dynatrace-specific dimensions.
Optional: To check if a rule applies, select Preview matching process group instances. This lists process group instances that currently match the criteria.
Select Save changes.
Restart processes.
You can edit, disable, enable, or remove rules at any time.
Based on specific criteria, you can create an exception monitoring rule for the attack.
Go to Settings > Application Security > Application Protection > Allowlist and select Add new exception rule.
For Define attack control for chosen criteria, select one of the options below:
Off; incoming attacks NOT detected or blocked: to ignore the attacks based on the subsequently defined criteria.
Monitor; incoming attacks detected only: to monitor the attacks based on the subsequently defined criteria, but not block them.
For Define the rule, select Add new condition to set up fine-grained conditions that need to be met to allow an attack.
Most key/matcher combinations available in the drop-down list require OneAgent version 1.309+.
For OneAgent versions earlier than 1.309, the only available options are:
entry_point.payload, matcher: contains
actor.ip, matcher: is part of IP CIDR
To fully benefit from this functionality, make sure you're using the latest OneAgent version.
Optional: If you want the rule to apply only to a subset of your environment, for Specify where the rule is applied, select Add new condition and provide the resource attributes that should be used to identify that part of the environment (for example, dt.entity.process_group, aws.region). For details, see Enrich ingested data with Dynatrace-specific dimensions.
Optional: To check if a rule applies, select Preview matching process group instances. This lists process group instances that currently match the criteria.
Select Save changes.
You can edit, disable, enable, or remove rules at any time.
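Before saving an exception rule, it helps to measure how much it would exempt. The following is an added example, not Dynatrace code: a local Python model of the two key/matcher pairs listed above (entry_point.payload with contains, actor.ip with is part of IP CIDR), run over constructed attack records. It assumes that all conditions of a rule must match and that contains is a case-sensitive substring test; the record layout and rule dictionaries are hypothetical.

```python
import ipaddress

# Local model of the two key/matcher pairs named above. Assumptions: every
# condition in a rule must match, and "contains" is a case-sensitive substring test.
def condition_matches(cond, attack):
    key, matcher, value = cond
    if key == "actor.ip" and matcher == "is part of IP CIDR":
        try:
            addr = ipaddress.ip_address(attack.get("actor.ip", ""))
            return addr in ipaddress.ip_network(value, strict=False)
        except ValueError:
            return False  # a malformed address or CIDR never matches
    if key == "entry_point.payload" and matcher == "contains":
        return value in attack.get("entry_point.payload", "")
    raise ValueError(f"unsupported key/matcher: {key} / {matcher}")

def exempted(rule, attacks):
    """Return the ids of attacks that the exception rule would cover."""
    return [a["id"] for a in attacks
            if all(condition_matches(c, a) for c in rule["conditions"])]

# Constructed sample attacks (documentation-range IPs, made-up payloads).
ATTACKS = [
    {"id": "A1", "actor.ip": "198.51.100.10", "entry_point.payload": "scanner-probe-7f3a id=1 OR 1=1"},
    {"id": "A2", "actor.ip": "198.51.100.77", "entry_point.payload": "id=1 OR 1=1"},
    {"id": "A3", "actor.ip": "203.0.113.5", "entry_point.payload": "scanner-probe-7f3a id=1 OR 1=1"},
    {"id": "A4", "actor.ip": "not-an-ip", "entry_point.payload": "id=1 OR 1=1"},
]

# Narrow rule: a small scanner range AND that scanner's marker string.
NARROW = {"attack_control": "Off", "conditions": [
    ("actor.ip", "is part of IP CIDR", "198.51.100.0/28"),
    ("entry_point.payload", "contains", "scanner-probe-7f3a"),
]}
# Broad rule: a generic substring on its own exempts every payload carrying it.
BROAD = {"attack_control": "Off", "conditions": [
    ("entry_point.payload", "contains", "id="),
]}

if __name__ == "__main__":
    for name, rule in (("narrow", NARROW), ("broad", BROAD)):
        hit = exempted(rule, ATTACKS)
        print(f"{name}: {len(hit)}/{len(ATTACKS)} attacks exempted -> {hit}")
```

A rule that exempts most of the sample set, as the broad one does here, is a sign to add a second condition or tighten the CIDR before setting attack control to Off.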