debian-mirror-gitlab/doc/user/application_security/threat_monitoring/index.md

---
type: reference, howto
---

# Threat Monitoring **(ULTIMATE)**

> [Introduced](https://gitlab.com/gitlab-org/gitlab/issues/14707) in [GitLab Ultimate](https://about.gitlab.com/pricing/) 12.9.

The **Threat Monitoring** page provides metrics for the GitLab
application runtime security features. You can access these metrics by
navigating to your project's **Security & Compliance > Threat Monitoring** page.

GitLab supports statistics for the following security features:

- [Web Application Firewall](../../clusters/applications.md#web-application-firewall-modsecurity)
- [Container Network Policies](../../../topics/autodevops/stages.md#network-policy)

## Web Application Firewall

The Web Application Firewall section provides metrics for the NGINX
Ingress controller and ModSecurity firewall. This section has the
following prerequisites:

- Project has to have at least one [environment](../../../ci/environments/index.md).
- [Web Application Firewall](../../clusters/applications.md#web-application-firewall-modsecurity) has to be enabled.
- [Elastic Stack](../../clusters/applications.md#web-application-firewall-modsecurity) has to be installed.

If you are using custom Helm values for the Elastic Stack you have to
configure Filebeat similarly to the [vendored values](https://gitlab.com/gitlab-org/gitlab/-/blob/f610a080b1ccc106270f588a50cb3c07c08bdd5a/vendor/elastic_stack/values.yaml).

The **Web Application Firewall** section displays the following information
about your Ingress traffic:

- The total amount of requests to your application
- The proportion of traffic that is considered anomalous according to
  the configured rules
- The request breakdown graph for the selected time interval

If a significant percentage of traffic is anomalous, you should
investigate it for potential threats by
[examining the Web Application Firewall logs](../../clusters/applications.md#web-application-firewall-modsecurity).

## Container Network Policy

> [Introduced](https://gitlab.com/gitlab-org/gitlab/issues/32365) in [GitLab Ultimate](https://about.gitlab.com/pricing/) 12.9.

The **Container Network Policy** section provides packet flow metrics for
your application's Kubernetes namespace. This section has the following
prerequisites:

- Your project contains at least one [environment](../../../ci/environments/index.md)
- You've [installed Cilium](../../clusters/applications.md#install-cilium-using-gitlab-cicd)
- You've configured the [Prometheus service](../../project/integrations/prometheus.md#enabling-prometheus-integration)

If you're using custom Helm values for Cilium, you must enable Hubble
with flow metrics for each namespace by adding the following lines to
your [Hubble values](../../clusters/applications.md#install-cilium-using-gitlab-cicd):

```yaml
metrics:
  enabled:
    - 'flow:sourceContext=namespace;destinationContext=namespace'
```

The **Container Network Policy** section displays the following information
about your packet flow:

- The total amount of the inbound and outbound packets
- The proportion of packets dropped according to the configured
  policies
- The per-second average rate of the forwarded and dropped packets
  accumulated over time window for the requested time interval

If a significant percentage of packets is dropped, you should
investigate it for potential threats by
[examining the Cilium logs](../../clusters/applications.md#install-cilium-using-gitlab-cicd).
New upstream version 12.10.0 2020-04-22 19:07:51 +05:30			`---`
			`type: reference, howto`
			`---`

			`# Threat Monitoring (ULTIMATE)`

			`> [Introduced](https://gitlab.com/gitlab-org/gitlab/issues/14707) in [GitLab Ultimate](https://about.gitlab.com/pricing/) 12.9.`

			`The Threat Monitoring page provides metrics for the GitLab`
			`application runtime security features. You can access these metrics by`
			`navigating to your project's Security & Compliance > Threat Monitoring page.`

			`GitLab supports statistics for the following security features:`

			`- [Web Application Firewall](../../clusters/applications.md#web-application-firewall-modsecurity)`
			`- [Container Network Policies](../../../topics/autodevops/stages.md#network-policy)`

			`## Web Application Firewall`

			`The Web Application Firewall section provides metrics for the NGINX`
			`Ingress controller and ModSecurity firewall. This section has the`
			`following prerequisites:`

New upstream version 13.0.0 2020-05-24 23:13:21 +05:30			`- Project has to have at least one [environment](../../../ci/environments/index.md).`
New upstream version 12.10.0 2020-04-22 19:07:51 +05:30			`- [Web Application Firewall](../../clusters/applications.md#web-application-firewall-modsecurity) has to be enabled.`
			`- [Elastic Stack](../../clusters/applications.md#web-application-firewall-modsecurity) has to be installed.`

			`If you are using custom Helm values for the Elastic Stack you have to`
			`configure Filebeat similarly to the [vendored values](https://gitlab.com/gitlab-org/gitlab/-/blob/f610a080b1ccc106270f588a50cb3c07c08bdd5a/vendor/elastic_stack/values.yaml).`

			`The Web Application Firewall section displays the following information`
			`about your Ingress traffic:`

			`- The total amount of requests to your application`
			`- The proportion of traffic that is considered anomalous according to`
			`the configured rules`
			`- The request breakdown graph for the selected time interval`

			`If a significant percentage of traffic is anomalous, you should`
			`investigate it for potential threats by`
New upstream version 13.0.0 2020-05-24 23:13:21 +05:30			`[examining the Web Application Firewall logs](../../clusters/applications.md#web-application-firewall-modsecurity).`
New upstream version 12.10.0 2020-04-22 19:07:51 +05:30
			`## Container Network Policy`

			`> [Introduced](https://gitlab.com/gitlab-org/gitlab/issues/32365) in [GitLab Ultimate](https://about.gitlab.com/pricing/) 12.9.`

			`The Container Network Policy section provides packet flow metrics for`
			`your application's Kubernetes namespace. This section has the following`
			`prerequisites:`

New upstream version 13.0.0 2020-05-24 23:13:21 +05:30			`- Your project contains at least one [environment](../../../ci/environments/index.md)`
New upstream version 12.10.0 2020-04-22 19:07:51 +05:30			`- You've [installed Cilium](../../clusters/applications.md#install-cilium-using-gitlab-cicd)`
			`- You've configured the [Prometheus service](../../project/integrations/prometheus.md#enabling-prometheus-integration)`

			`If you're using custom Helm values for Cilium, you must enable Hubble`
			`with flow metrics for each namespace by adding the following lines to`
			`your [Hubble values](../../clusters/applications.md#install-cilium-using-gitlab-cicd):`

			```yaml
			`metrics:`
			`enabled:`
			`- 'flow:sourceContext=namespace;destinationContext=namespace'`
			```

			`The Container Network Policy section displays the following information`
			`about your packet flow:`

			`- The total amount of the inbound and outbound packets`
			`- The proportion of packets dropped according to the configured`
			`policies`
			`- The per-second average rate of the forwarded and dropped packets`
			`accumulated over time window for the requested time interval`

			`If a significant percentage of packets is dropped, you should`
			`investigate it for potential threats by`
			`[examining the Cilium logs](../../clusters/applications.md#install-cilium-using-gitlab-cicd).`