Dynatrace Runtime Application Protection leverages code-level insights and transaction analysis to detect and block exploitation attempts on your applications automatically and in real time.
Runtime Application Protection (RAP) uses runtime instrumentation to detect and optionally block exploit attempts. When your application receives a web request, Dynatrace OneAgent tracks user input and analyzes how it interacts with sensitive code paths, such as SQL queries, OS commands, or JNDI lookups. If the behavior matches a known attack pattern, Dynatrace reports it as a security finding. If attack blocking is enabled, OneAgent throws an exception to stop the malicious request before it executes. RAP is lightweight and safe for use in production environments.
For a quick walk-through, see the Dynatrace University Runtime Application Protection tutorial.
Before you begin, ensure your environment meets the necessary requirements:
You're using a supported version of Dynatrace. Review the release notes for currently supported versions.
For Runtime Application Protection to work properly, make sure deep monitoring is enabled in Settings > Processes and containers > Process group monitoring.
For .NET, Go, and Python technologies, for which automatic deep monitoring is disabled, you need to manually enable deep monitoring on each host. For more information, see Process deep monitoring.
You need to assign the Manage security problems permission to user groups that will be allowed to view and manage attacks.
For details, see Environment permissions and Management zone permissions.
Dynatrace detects SQL injection, JNDI injection, command injection, and SSRF attacks in the following technologies.
| Technology | Minimum OneAgent version | SQL injection | Command injection | JNDI injection | SSRF |
|---|---|---|---|---|---|
| Java 8 or higher1 | 1.241 | ||||
| .NET2'3 | 1.289 | ||||
| Go3 | 1.311 |
Only supported on Windows x86 and Linux x86 systems.
Only .NET Framework 4.5, .NET Core 3.0 or higher, and 64-bit processes are supported.
For .NET and Go technologies, for which automatic deep monitoring is disabled, you need to manually enable deep monitoring on each host. For more information, see Process deep monitoring.
To set up Runtime Application Protection, follow the instructions below.
Contact a Dynatrace product expert via live chat to activate Runtime Application Protection.
To enable Runtime Application Protection globally on your environment
Go to Settings and select Application security > Application Protection > General settings.
Select Enable Runtime Application Protection.
Select Save changes.
To define the global attack control for all process groups
If you define custom monitoring rules based on certain process groups or vulnerability types, the custom rules override the global attack control for the selected technology, and Runtime Application Protection continues to monitor the attacks based on your rules.
code-level attack evaluation and enable the feature for the technologies you want to monitor.OneAgent version 1.309 To detect SSRF attacks, you also need to enable SSRF attack evaluation. See below for instructions.
Java SSRF code-level vulnerability and attack evaluation.After you set up Runtime Application Protection, you can
Runtime Application Protection is licensed based on the consumption of GiB-hours if you're using the Dynatrace Platform Subscription (DPS) licensing model, or Application Security units (ASUs) if you're using the Dynatrace classic licensing.