diff --git a/content/en/security/application_security/setup/dotnet/_index.md b/content/en/security/application_security/setup/dotnet/_index.md new file mode 100644 index 0000000000000..7410c26682ec0 --- /dev/null +++ b/content/en/security/application_security/setup/dotnet/_index.md @@ -0,0 +1,52 @@ +--- +title: Enabling AAP for .NET +code_lang: dotnet +type: multi-code-lang +code_lang_weight: 0 +aliases: + - /security_platform/application_security/getting_started/dotnet + - /security/application_security/getting_started/dotnet + - /security/application_security/threats/setup/threat_detection/dotnet + - /security/application_security/threats_detection/dotnet +further_reading: +- link: "/security/application_security/add-user-info/" + tag: "Documentation" + text: "Adding user information to traces" +- link: 'https://github.com/DataDog/dd-trace-dotnet' + tag: "Source Code" + text: '.NET Datadog library source code' +- link: "/security/default_rules/?category=cat-application-security" + tag: "Documentation" + text: "OOTB App and API Protection Rules" +- link: "/security/application_security/troubleshooting" + tag: "Documentation" + text: "Troubleshooting App and API Protection" +--- +{{< partial name="app_and_api_protection/callout.html" >}} + +{{% app_and_api_protection_dotnet_overview showSetup="false"%}} + +## Environments + +### Hosts +{{< appsec-integrations >}} + {{< appsec-integration name="Linux" avatar="linux" link="./linux" >}} + + {{< appsec-integration name="Windows" avatar="windows" link="./windows" >}} +{{< /appsec-integrations >}} + +## Additional Resources + +- [Troubleshooting Guide](dotnet/troubleshooting) +- [Compatibility Information](dotnet/compatibility) diff --git a/content/en/security/application_security/setup/dotnet/compatibility.md b/content/en/security/application_security/setup/dotnet/compatibility.md new file mode 100644 index 0000000000000..7fb7febf919b5 --- /dev/null +++ b/content/en/security/application_security/setup/dotnet/compatibility.md @@ -0,0 +1,84 @@ +--- +title: .NET Compatibility Requirements +code_lang: dotnet +type: multi-code-lang +code_lang_weight: 10 +aliases: + - /security/application_security/threats/setup/compatibility/dotnet +--- + +## App and API Protection capabilities + +The following App and API Protection capabilities are supported in the .NET library, for the specified tracer version: + +| App and API Protection capability | Minimum .NET tracer version | +| --------------------------------------- | ----------------------------| +| Threat Detection | 2.23.0 | +| Threat Protection | 2.26.0 | +| Customize response to blocked requests | 2.27.0 | +| Automatic user activity event tracking | 2.32.0 | +| API Security | 2.42.0 | + +The minimum tracer version to get all supported App and API Protection capabilities for .NET is 2.42.0. + +**Note**: Threat Protection requires enabling [Remote Configuration][1], which is included in the listed minimum tracer version. + +### Supported deployment types + +Threat Detection is supported for the following deployment types: + +- Docker +- Kubernetes +- Amazon ECS +- AWS Fargate +- AWS Lambda +- Azure App Service + +**Note**: Azure App Service is supported for **web applications only**. App and API Protection capabilities are not supported for Azure Functions. + +## Language and framework compatibility + +### Supported .NET versions + +The Datadog .NET Tracing library is open source. View the [GitHub repository][2] for more information. + +The .NET Tracer supports instrumentation from + - .NET Framework 4.6.1 and newer versions + - .NET Core 3.1 and newer versions + +These are supported on the following architectures: +- Linux (GNU) x86-64, ARM64 +- Alpine Linux (musl) x86-64, ARM64 +- macOS (Darwin) x86-64, ARM64 +- Windows (msvc) x86, x86-64 + +For a complete list of supported versions abd operating systems, see the [.NET Core tracer documentation][3] and [.NET Framework tracer documentation][4]. + +You must be running Datadog Agent v7.41.1+ for App and API Protection features. + +## Integrations + +The .NET tracer includes support for the following frameworks, data stores, and libraries: + +### Web framework compatibility +- ASP.NET MVC +- ASP.NET Web API 2 + +### Data stores +- OracleDB +- ADO.NET +- SQL Server +- MySQL +- SQLite +- PostgreSQL + +### Other +- Kafka +- GraphQL + +For a complete list of supported integrations and their versions, see the [.NET Core tracer documentation][3] and [.NET Framework tracer documentation][4]. + +[1]: /agent/remote_config/#enabling-remote-configuration +[2]: https://github.com/DataDog/dd-trace-dotnet +[3]: /tracing/trace_collection/compatibility/dotnet-core +[4]: /tracing/trace_collection/compatibility/dotnet-framework diff --git a/content/en/security/application_security/setup/dotnet/linux.md b/content/en/security/application_security/setup/dotnet/linux.md new file mode 100644 index 0000000000000..cc0fd648ad1bf --- /dev/null +++ b/content/en/security/application_security/setup/dotnet/linux.md @@ -0,0 +1,136 @@ +--- +title: Set up App and API Protection for .NET on Linux +code_lang: linux +type: multi-code-lang +code_lang_weight: 30 +further_reading: +- link: "/security/application_security/how-it-works/" + tag: "Documentation" + text: "How App and API Protection Works" +- link: "/security/default_rules/?category=cat-application-security" + tag: "Documentation" + text: "OOTB App and API Protection Rules" +- link: "/security/application_security/troubleshooting" + tag: "Documentation" + text: "Troubleshooting App and API Protection" +--- +{{% app_and_api_protection_dotnet_setup_options platform="linux" %}} + +{{% app_and_api_protection_dotnet_overview %}} + +## Prerequisites + +- Linux operating system +- .NET application +- Root or sudo privileges +- Systemd (for service management) +- Your Datadog API key +- Datadog .NET tracing library (see version requirements [here][1]) + +## 1. Installing the Datadog Agent + +Install the Datadog Agent by following the [setup instructions for Linux hosts][2]. + +## 2. Enabling App and API Protection monitoring + +{{% app_and_api_protection_navigation_menu %}} +{{% appsec-remote-config-activation %}} + +### Manually enabling App and API Protection monitoring + +**Go to [Datadog .NET Tracer package][3]** to find out the latest release to download. + +{{< tabs >}} +{{% tab "AMD 64 Platforms" %}} + +**Download and install** the latest *Datadog .NET Tracer package* that supports your operating system and architecture. + +
+ Note on version: replace <TRACER_VERSION> with the latest three component version of the library (ej: 3.21.0) +
+ +```bash +wget -O datadog-dotnet-apm-.tar.gz 'https://github.com/DataDog/dd-trace-dotnet/releases/download/v' +``` + +Run the following command to install the package and create the .NET tracer log directory `/var/log/datadog/dotnet` with the appropriate permissions: + +```bash +sudo tar -C /opt/datadog -xzf datadog-dotnet-apm-.tar.gz && /opt/datadog/createLogPath.sh +``` +{{% /tab %}} +{{% tab "ARM 64 Platforms" %}} + +**Download and install** the latest *Datadog .NET Tracer package* that supports your operating system and architecture. + +
+ Note on version: replace <TRACER_VERSION> with the latest three component version of the library (ej: 3.21.0) +
+ +```bash +wget -O datadog-dotnet-apm-.arm64.tar.gz 'https://github.com/DataDog/dd-trace-dotnet/releases/download/v' +``` + +Run the following command to install the package and create the .NET tracer log directory `/var/log/datadog/dotnet` with the appropriate permissions: + +```bash +sudo tar -C /opt/datadog -xzf datadog-dotnet-apm-.arm64.tar.gz && /opt/datadog/createLogPath.sh +``` + +{{% /tab %}} +{{< /tabs >}} + +
+ If you are having issues installing the Tracer library check the [Tracer Installation guide][5] + *Note on version:* replace ** with the latest three component version of the library (ej: 3.21.0) +
+ + +{{% collapse-content title="APM Tracing Enabled" level="h4" %}} +Set the required environment variables and start your .NET application: + +```bash +export CORECLR_ENABLE_PROFILING=1 +export CORECLR_PROFILER={846F5F1C-F9AE-4B07-969E-05C26BC060D8} +export CORECLR_PROFILER_PATH=/opt/datadog/Datadog.Trace.ClrProfiler.Native.so +export DD_DOTNET_TRACER_HOME=/opt/datadog +export DD_SERVICE= +export DD_ENV= +export DD_APPSEC_ENABLED=true +``` +{{% /collapse-content %}} + +{{% collapse-content title="APM Tracing Disabled" level="h4" %}} +To disable APM tracing while keeping App and API Protection enabled, you must set the APM tracing variable to false. +```bash +export CORECLR_ENABLE_PROFILING=1 +export CORECLR_PROFILER={846F5F1C-F9AE-4B07-969E-05C26BC060D8} +export CORECLR_PROFILER_PATH=/opt/datadog/Datadog.Trace.ClrProfiler.Native.so +export DD_DOTNET_TRACER_HOME=/opt/datadog +export DD_SERVICE= +export DD_ENV= +export DD_APPSEC_ENABLED=true +export DD_APM_TRACING_ENABLED=false +``` + +{{% /collapse-content %}} + +## 3. Run your application + +Start your .NET application with above settings. + +{{% app_and_api_protection_verify_setup %}} + +## Troubleshooting + +If you encounter issues while setting up App and API Protection for your .NET application, see the [.NET App and API Protection troubleshooting guide][4]. + +## Further Reading + +{{< partial name="whats-next/whats-next.html" >}} + +[1]: /security/application_security/setup/dotnet/compatibility +[2]: /agent/?tab=Linux +[3]: https://github.com/DataDog/dd-trace-dotnet/releases +[4]: /security/application_security/setup/dotnet/troubleshooting +[5]: /tracing/trace_collection/automatic_instrumentation/dd_libraries/dotnet-core/?tab=linux \ No newline at end of file diff --git a/content/en/security/application_security/setup/dotnet/troubleshooting.md b/content/en/security/application_security/setup/dotnet/troubleshooting.md new file mode 100644 index 0000000000000..2ec05c90e0e3c --- /dev/null +++ b/content/en/security/application_security/setup/dotnet/troubleshooting.md @@ -0,0 +1,48 @@ +--- +title: Troubleshooting .NET App and API Protection +--- + +## Common Issues + +### No security signals appearing + +1. Verify Agent version: + - Ensure you're running Datadog Agent v7.41.1 or higher. + - Check Agent status: `datadog-agent status`. +2. Check .NET tracer version: + - Confirm you're using .NET tracer v2.42.0 or higher. +3. Verify environment variables: + - Ensure `DD_APPSEC_ENABLED=true` is set. + - Check `DD_SERVICE` and `DD_ENV` are properly configured. + - Verify `DD_APM_ENABLED=true` if using APM features. +4. Check file system permissions: + - Ensure the application has write access to `/tmp`. + - Verify the Java agent JAR is readable. + +### Application fails to start + +1. Check logs for errors: + - Logs are located at + - Linux: `/var/log/datadog/dotnet/` + - Windows: `%PROGRAMDATA%\Datadog .NET Tracer\logs\` + +### Performance impact + +1. High latency: + - Check Agent resource usage. + - Verify network connectivity between Agent and Datadog. + - Consider adjusting sampling rates. +2. High memory usage: + - Monitor memory usage. + - Adjust Agent resource limits if needed + +### Still having issues? + +If you're still experiencing problems: +1. Check the [Application Security Monitoring troubleshooting guide][1] +2. Review the [.NET tracer documentation][2] +3. Contact [Datadog support][3] + +[1]: /security/application_security/troubleshooting +[2]: /tracing/trace_collection/compatibility/dotnet-core +[3]: /help diff --git a/content/en/security/application_security/setup/dotnet/windows.md b/content/en/security/application_security/setup/dotnet/windows.md new file mode 100644 index 0000000000000..966588c04c463 --- /dev/null +++ b/content/en/security/application_security/setup/dotnet/windows.md @@ -0,0 +1,121 @@ +--- +title: Set up App and API Protection for .NET on Windows +code_lang: windows +type: multi-code-lang +code_lang_weight: 30 +further_reading: +- link: "/security/application_security/how-it-works/" + tag: "Documentation" + text: "How App and API Protection Works" +- link: "/security/default_rules/?category=cat-application-security" + tag: "Documentation" + text: "OOTB App and API Protection Rules" +- link: "/security/application_security/troubleshooting" + tag: "Documentation" + text: "Troubleshooting App and API Protection" +--- +{{% app_and_api_protection_dotnet_setup_options platform="linux" %}} + +{{% app_and_api_protection_dotnet_overview %}} + +## Prerequisites + +- Windows operating system +- .NET application +- Administrator privileges for some configuration steps +- Your Datadog API key +- Datadog .NET tracing library (see version requirements [here][1]) + +## 1. Installing the Datadog Agent + +Install the Datadog Agent by following the [setup instructions for Windows hosts][2]. +## 2. Enabling App and API Protection monitoring + +{{% app_and_api_protection_navigation_menu %}} +{{% appsec-remote-config-activation %}} + +### Manually enabling App and API Protection monitoring + +**Download the latest [Datadog .NET Tracer MSI Installer][3]** that supports your operating system and architecture and install it with *Administrator privileges*. + +{{% collapse-content title="APM Tracing Enabled" level="h4" %}} +To enable AAP alongside with APM, add the following Environment Variables: + +``` +DD_APPSEC_ENABLED=true +``` +{{% /collapse-content %}} + +{{% collapse-content title="APM Tracing Disabled" level="h4" %}} +To disable APM tracing while keeping App and API Protection enabled, add the following Environment Variables: + +``` +DD_APPSEC_ENABLED=true +DD_APM_TRACING_ENABLED=false +``` + +{{% /collapse-content %}} + +## 3. Run your application + +Start your .NET application with above settings. + +{{< tabs >}} +{{% tab "IIS" %}} + +Restart IIS + +```cmd +net stop /y was +net start w3svc +# Also, start any other services that were stopped when WAS was shut down. +``` + +{{% /tab %}} +{{% tab "Standalone apps *(.NET Framework)*" %}} + +
+ Note: The .NET runtime tries to load the .NET library into any .NET process that is started with these environment variables set. You should limit instrumentation to only the applications that need to be instrumented. Don't set these environment variables globally as this causes all .NET processes on the host to be instrumented. +
+ +Set the following required environment variables for automatic instrumentation to attach to your application and relaunch it: + + ``` + COR_ENABLE_PROFILING=1 + ``` + +{{% /tab %}} +{{% tab "Standalone apps *(.NET Core)*" %}} + +
+ Note: The .NET runtime tries to load the .NET library into any .NET process that is started with these environment variables set. You should limit instrumentation to only the applications that need to be instrumented. Don't set these environment variables globally as this causes all .NET processes on the host to be instrumented. +
+ +Set the following required environment variables for automatic instrumentation to attach to your application and relaunch it: + +``` +CORECLR_ENABLE_PROFILING=1 +``` + +{{% /tab %}} +{{< /tabs >}} + + +{{% app_and_api_protection_verify_setup %}} + +## Troubleshooting + +For a more detailed info go to [the Datadog Tracer installation guide for .NET Framework][5] or [the Datadog Tracer installation guide for .NET Core][6] + +If you encounter issues while setting up App and API Protection for your .NET application, see the [.NET App and API Protection troubleshooting guide][4]. + +## Further Reading + +{{< partial name="whats-next/whats-next.html" >}} + +[1]: /security/application_security/setup/dotnet/compatibility +[2]: /agent/?tab=Windows +[3]: https://github.com/DataDog/dd-trace-dotnet/releases +[4]: /security/application_security/setup/dotnet/troubleshooting +[5]: /tracing/trace_collection/automatic_instrumentation/dd_libraries/dotnet-framework/?tab=windows +[6]: /tracing/trace_collection/automatic_instrumentation/dd_libraries/dotnet-core/?tab=windows diff --git a/content/en/security/application_security/setup/linux/_index.md b/content/en/security/application_security/setup/linux/_index.md index 9ca9b1ac127a8..852e9a1334b71 100644 --- a/content/en/security/application_security/setup/linux/_index.md +++ b/content/en/security/application_security/setup/linux/_index.md @@ -32,7 +32,7 @@ Learn how to set up App and API Protection (AAP) on your Linux services by selec {{< appsec-integration name="Java" avatar="java" link="/security/application_security/setup/java/linux" >}} {{< appsec-integration name="Go" avatar="go" link="/security/application_security/setup/go" >}} {{< appsec-integration name="Ruby" avatar="ruby" link="/security/application_security/setup/ruby" >}} - {{< appsec-integration name=".NET" avatar="dotnet" link="/security/application_security/setup/dotnet" >}} + {{< appsec-integration name=".NET" avatar="dotnet" link="/security/application_security/setup/dotnet/linux" >}} {{< appsec-integration name="PHP" avatar="php" link="/security/application_security/setup/php" >}} {{< /appsec-integrations >}} diff --git a/layouts/shortcodes/app_and_api_protection_dotnet_overview.md b/layouts/shortcodes/app_and_api_protection_dotnet_overview.md new file mode 100644 index 0000000000000..a138580983bb6 --- /dev/null +++ b/layouts/shortcodes/app_and_api_protection_dotnet_overview.md @@ -0,0 +1,14 @@ +{{ $showSetup := .Get "showSetup" | default "true" | eq "true" }} + +## Overview +App and API Protection leverages the [Datadog .NET library](https://github.com/DataDog/dd-trace-dotnet/) to monitor and secure your .NET service. The library integrates seamlessly with your existing application without requiring code changes. + +For detailed compatibility information, including supported DOTNET versions, frameworks, and deployment environments, see [.NET Compatibility Requirements](/security/application_security/setup/dotnet/compatibility). + +{{ if $showSetup }} +This guide explains how to set up App and API Protection (AAP) for .NET applications. The setup involves: +1. Installing the Datadog Agent. +2. Enabling App and API Protection monitoring. +3. Running your .NET application with the Datadog Agent. +4. Verifying the setup. +{{ end }} diff --git a/layouts/shortcodes/app_and_api_protection_dotnet_setup_options.md b/layouts/shortcodes/app_and_api_protection_dotnet_setup_options.md new file mode 100644 index 0000000000000..e5f3eb0c6fd36 --- /dev/null +++ b/layouts/shortcodes/app_and_api_protection_dotnet_setup_options.md @@ -0,0 +1,9 @@ +
+

You can enable App and API Protection for .NET services with the following setup options:

+ +
    +
  1. If your .NET service already has APM tracing set up and running, then skip to service configuration.
    2. +
  2. If your .NET service doesn't have APM tracing set up, you can easily enable App and API Protection with Datadog's Automatic Installation.
    3. +
  3. Otherwise, continue reading the manual setup instructions below.
    4. +
+