Runtime Application Protection

  • How-to guide

Dynatrace Runtime Application Protection leverages code-level insights and transaction analysis to detect and block exploitation attempts on your applications automatically and in real time.

Capabilities

  • Detection of SQL injection, JNDI injection, command injection, and SSRF attacks
  • Code-level visibility provided by OneAgent
  • Production-ready performance footprint
  • Configurable automatic blocking of detected attacks
  • Protection of web applications and APIs
  • High alert precision with rich context to optimize your team's performance and make every minute count

Prerequisites

Supported technologies

Dynatrace detects SQL injection, JNDI injection, command injection, and SSRF attacks in the following technologies.

Technology
Minimum OneAgent version
SQL injection
Command injection
JNDI injection
SSRF
Java 8 or higher1
1.241
.NET2'3
1.289
Go3
1.311
1

Only supported on Windows x86 and Linux x86 systems.

2

Only .NET Framework 4.5, .NET Core 3.0 or higher, and 64-bit processes are supported.

3

For .NET and Go technologies, for which automatic deep monitoring is disabled, you need to manually enable deep monitoring on each host. For more information, see Process deep monitoring.

Get started

To set up Runtime Application Protection, follow the instructions below.

Contact a Dynatrace product expert via live chat to activate Runtime Application Protection.

To enable Runtime Application Protection globally on your environment

  1. Go to Settings (New) > Analyze and alert > Application security > Application protection (New).

  2. Enable Runtime Application Protection.

  3. Select Enable.

To define the global attack control for all process groups

  1. Go to Settings (New) > Analyze and alert > Application security > Application protection (New) > Monitoring rules > Default rules.
  2. Edit the attack control per technology:
    • Off; incoming attacks NOT detected or blocked.—Monitoring is disabled; no attacks in the selected technology are reported.
    • Monitor; incoming attacks detected only.—Monitoring is enabled; no attacks in the selected technology are blocked.
    • Block; incoming attacks detected and blocked.—Monitoring is enabled; attacks in the selected technology are blocked at runtime.

If you define custom monitoring rules based on certain process groups or vulnerability types, the custom rules override the global attack control for the selected technology, and Runtime Application Protection continues to monitor the attacks based on your rules.

  1. Select Save.
  1. Go to Settings (New) and select Collect and capture > General monitoring settings > OneAgent features.
  2. Filter by code-level attack evaluation and enable the feature for the technologies you want to monitor.
  3. Select Save changes.
  4. Restart your processes.

OneAgent version 1.309 To detect SSRF attacks, you also need to enable SSRF attack evaluation. See below for instructions.

  1. Go to Settings (New) and select Collect and capture > General monitoring settings > OneAgent features.
  2. Find and enable Java SSRF code-level vulnerability and attack evaluation.
  3. Select Save changes.
  4. Restart your processes.

What's next

After you set up Runtime Application Protection, you can

Consumption

Runtime Application Protection is licensed based on the consumption of GiB-hours if you're using the Dynatrace Platform Subscription (DPS) licensing model, or Application Security units (ASUs) if you're using the Dynatrace classic licensing.

Related tags
Application Security