New Relic Hardening Guide
Observability security for API keys, license keys, and log obfuscation
Overview
New Relic is an observability platform that ingests application performance, infrastructure, and log data. Its REST API, license keys, and 400+ integrations collect telemetry from production environments, so compromised access exposes application architecture, performance patterns, and potentially sensitive log data.
Intended Audience
- Security engineers managing observability platforms
- DevOps/SRE administrators
- GRC professionals assessing monitoring security
- Third-party risk managers evaluating APM integrations
1. Authentication & Access Controls
1.1 Enforce SSO with MFA
Profile Level: L1 (Baseline) NIST 800-53: IA-2(1)
ClickOps Implementation
Step 1: Configure SAML SSO
- Navigate to: Administration → Authentication domains
- Configure SAML IdP
- Enable: SSO required
Step 2: Enable MFA
- Configure MFA through IdP
- Or enable New Relic MFA
- Require for all users
1.2 Role-Based Access
Profile Level: L1 (Baseline) NIST 800-53: AC-3, AC-6
ClickOps Implementation
Step 1: Define Roles
| Role | Permissions |
|---|---|
| Admin | Full account access |
| User | Standard access |
| Restricted User | Limited data access |
| Read only | View only |
Step 2: Configure Groups
- Navigate to: Administration → Access management → Groups
- Create groups per team
- Assign account/role combinations
2. API & Key Security
2.1 Secure API Keys
Profile Level: L1 (Baseline) NIST 800-53: IA-5
Description
Manage New Relic API keys securely.
Rationale
Attack Scenario: Exposed License Key enables data injection; User Key exposure allows configuration changes and data access.
Implementation
Key Types:
| Key Type | Purpose | Risk |
|---|---|---|
| License Key | Data ingestion | Medium |
| User Key | API access | High |
| Insert Key | Data insertion | Medium |
Step 1: Audit API Keys
- Navigate to: API keys
- Review all keys
- Delete unused keys
Step 2: Key Best Practices
- Create unique keys per service
- Rotate keys periodically
- Use least privilege
2.2 License Key Protection
Profile Level: L1 (Baseline) NIST 800-53: IA-5
ClickOps Implementation
Step 1: Rotate License Keys
- Navigate to: Administration → License keys
- Generate new keys
- Update agents
- Deactivate old keys
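The audit and rotation rules in 2.1 and 2.2 (delete unused keys, one key per service, rotate on a schedule, keep keys out of configuration files) can be checked mechanically. The following is an added example, not New Relic tooling: `INVENTORY` is a constructed stand-in for whatever your key listing exports, so its field names are an assumption, and the key-shape patterns in `KEY_PATTERNS` are likewise assumptions that only flag candidates for manual verification. The leak scanner never prints a full key, only a masked form.

```python
"""Key-hygiene audit for New Relic API keys (sections 2.1 and 2.2).

Added example, not New Relic tooling. INVENTORY is a constructed stand-in for
a key export; its field names are an assumption. KEY_PATTERNS are assumptions
about key shapes and only flag candidates to verify by hand.
"""
from __future__ import annotations

import re
from datetime import datetime, timedelta, timezone

MAX_KEY_AGE_DAYS = 90  # rotation interval chosen for this example
AUDIT_NOW = datetime(2025, 12, 14, tzinfo=timezone.utc)  # fixed "now" for reproducible output

# Constructed inventory (assumed shape). "services" lists the deployments that
# carry the key, which a real audit would take from deployment configuration.
INVENTORY = [
    {"id": "k1", "type": "INGEST", "name": "payments license", "services": ["payments-api"],
     "created_at": "2025-11-20T00:00:00Z", "last_used_at": "2025-12-13T00:00:00Z"},
    {"id": "k2", "type": "INGEST", "name": "legacy shared license",
     "services": ["checkout", "inventory", "search"],
     "created_at": "2024-06-01T00:00:00Z", "last_used_at": "2025-12-12T00:00:00Z"},
    {"id": "k3", "type": "USER", "name": "ci-automation", "services": [],
     "created_at": "2025-01-05T00:00:00Z", "last_used_at": None},
    {"id": "k4", "type": "USER", "name": "alice (admin)", "services": [],
     "created_at": "2025-11-01T00:00:00Z", "last_used_at": "2025-12-14T00:00:00Z"},
]

# Assumed key shapes (user keys prefixed NRAK-, license keys 40 hex-ish chars ending NRAL).
KEY_PATTERNS = {
    "user_key": re.compile(r"\bNRAK-[A-Z0-9]{20,}\b"),
    "license_key": re.compile(r"\b[0-9a-f]{36}NRAL\b"),
}

# Constructed configuration fragment containing fake keys, for the scanner demo.
SAMPLE_CONFIG = (
    "# constructed newrelic config fragment (fake values)\n"
    "license_key: 0123456789abcdef0123456789abcdef0123NRAL\n"
    "NEW_RELIC_API_KEY=NRAK-ABCDEFGHIJKLMNOPQRSTUVWXYZA\n"
)


def _ts(value):
    """Parse an ISO-8601 timestamp with a trailing Z; None stays None."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")) if value else None


def audit_keys(inventory, now=AUDIT_NOW, max_age_days=MAX_KEY_AGE_DAYS):
    """Return {key_id: [reasons]} for keys that violate the hygiene rules."""
    cutoff = now - timedelta(days=max_age_days)
    findings = {}
    for key in inventory:
        reasons = []
        if _ts(key["created_at"]) < cutoff:
            reasons.append("stale: rotate (older than %d days)" % max_age_days)
        last = _ts(key.get("last_used_at"))
        if last is None:
            reasons.append("never used: delete")
        elif last < cutoff:
            reasons.append("unused: delete")
        if key["type"] == "INGEST" and len(key["services"]) > 1:
            reasons.append("shared: issue one license key per service")
        if reasons:
            findings[key["id"]] = reasons
    return findings


def find_leaked_keys(text):
    """Return (kind, masked_value) for key-shaped strings in text; never the full key."""
    hits = []
    for kind, pattern in KEY_PATTERNS.items():
        for match in pattern.finditer(text):
            value = match.group(0)
            hits.append((kind, value[:4] + "..." + value[-4:]))
    return hits


if __name__ == "__main__":
    for key_id, reasons in audit_keys(INVENTORY).items():
        print(key_id, "->", "; ".join(reasons))
    for kind, masked in find_leaked_keys(SAMPLE_CONFIG):
        print("possible", kind, "in config:", masked)
```

Running the audit against the constructed inventory flags `k2` (stale and shared across three services) and `k3` (stale and never used); `k1` and `k4` pass. The scanner then reports both fake keys from `SAMPLE_CONFIG` in masked form, which is the signal to move them into a secret store and rotate them per 2.2.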
3. Data Security
3.1 Configure Data Obfuscation
Profile Level: L1 (Baseline) NIST 800-53: SC-28
Description
Protect sensitive data in logs and traces.
ClickOps Implementation
Step 1: Enable Log Obfuscation
- Navigate to: Logs → Obfuscation
- Create obfuscation rules
- Configure:
  - Pattern matching
  - Replacement values
  - Apply to expressions
Step 2: Configure Drop Filters
- Navigate to: Logs → Drop filters
- Drop sensitive log entries
- Audit filter effectiveness
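To see how obfuscation rules and drop filters interact, and what "audit filter effectiveness" means in practice, here is an added example that models the 3.1 pipeline locally in Python. It is not New Relic code: the log records are constructed, the expression and rule shapes are the example's own, the two replacement styles (X-fill masking and SHA-256 hashing) are choices made here, and the drop filter is a plain predicate rather than NRQL. Drop filters run first, since a dropped record has nothing left to obfuscate; the effectiveness check then confirms that no sensitive fragment captured from the input survives in the output.

```python
"""Local model of log obfuscation rules plus drop filters (section 3.1).

Added example, not New Relic code. Records, expressions, rule shapes and the
MASK / HASH_SHA256 replacement styles are this example's own constructions.
"""
import hashlib
import re

# Constructed log records standing in for ingested Log events.
SAMPLE_LOGS = [
    {"level": "INFO", "message": "login ok user=alice@example.com ip=10.0.0.5"},
    {"level": "WARN", "message": "charge failed card=4111111111111111 amount=12.50"},
    {"level": "INFO", "message": "outbound call authorization=Bearer abc.def.ghi status=502"},
    {"level": "DEBUG", "message": "request dump: authorization=Bearer zzz.yyy.xxx body=..."},
    {"level": "INFO", "message": "healthcheck ok"},
]

# Expressions: capture group 1 is the sensitive fragment to replace.
EXPRESSIONS = {
    "email": re.compile(r"([\w.+-]+@[\w-]+\.[\w.-]+)"),
    "pan": re.compile(r"\b(\d{13,16})\b"),
    "bearer": re.compile(r"Bearer\s+([A-Za-z0-9._~+/-]+=*)"),
}

# Rules: which attributes get which expression and which replacement action.
RULES = [
    {"attributes": ["message"], "expression": "email", "action": "HASH_SHA256"},
    {"attributes": ["message"], "expression": "pan", "action": "MASK"},
    {"attributes": ["message"], "expression": "bearer", "action": "MASK"},
]

# Drop filters as predicates; DEBUG dumps are dropped entirely rather than scrubbed.
DROP_FILTERS = [lambda rec: rec.get("level") == "DEBUG"]


def _replace(action, fragment):
    """MASK keeps the length but hides the value; HASH keeps it joinable but irreversible."""
    if action == "MASK":
        return "X" * len(fragment)
    if action == "HASH_SHA256":
        return hashlib.sha256(fragment.encode()).hexdigest()
    raise ValueError(f"unknown action {action}")


def obfuscate_record(record):
    """Apply every rule to its attributes, replacing only capture group 1 of each match."""
    out = dict(record)
    for rule in RULES:
        pattern = EXPRESSIONS[rule["expression"]]
        action = rule["action"]
        for attr in rule["attributes"]:
            if isinstance(out.get(attr), str):
                out[attr] = pattern.sub(
                    lambda m: m.group(0).replace(m.group(1), _replace(action, m.group(1))),
                    out[attr],
                )
    return out


def process_logs(records):
    """Drop filters first, then obfuscation; returns (kept_records, dropped_count)."""
    kept, dropped = [], 0
    for rec in records:
        if any(f(rec) for f in DROP_FILTERS):
            dropped += 1
            continue
        kept.append(obfuscate_record(rec))
    return kept, dropped


def sensitive_fragments(records):
    """Every capture-group-1 value any expression finds in the raw input."""
    found = set()
    for rec in records:
        for pattern in EXPRESSIONS.values():
            for val in rec.values():
                if isinstance(val, str):
                    found.update(m.group(1) for m in pattern.finditer(val))
    return found


def verify_effectiveness(original, processed):
    """Audit step: sensitive fragments from the input that still appear in the output."""
    leaked = set()
    for frag in sensitive_fragments(original):
        if any(isinstance(v, str) and frag in v for rec in processed for v in rec.values()):
            leaked.add(frag)
    return leaked


if __name__ == "__main__":
    kept, dropped = process_logs(SAMPLE_LOGS)
    print(f"dropped {dropped} record(s)")
    for rec in kept:
        print(rec["level"], rec["message"])
    print("leaked fragments:", verify_effectiveness(SAMPLE_LOGS, kept) or "none")
```

The effectiveness check is deliberately written against the raw input rather than by re-running the expressions on the output: a masked token such as `Bearer XXXXXXXXXXX` still matches the bearer expression, so re-matching would report false residue, whereas checking that the original fragments are gone tells you whether the rules actually covered what they were meant to cover.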
3.2 Data Retention
Profile Level: L1 (Baseline) NIST 800-53: SI-12
ClickOps Implementation
Step 1: Review Data Retention
- Navigate to: Data management → Data retention
- Review retention per data type
- Adjust as needed
4. Monitoring & Detection
4.1 NrAuditEvent
Profile Level: L1 (Baseline) NIST 800-53: AU-2, AU-3
Detection Queries
```sql
-- Detect configuration changes
SELECT * FROM NrAuditEvent
WHERE actionIdentifier LIKE '%update%'
SINCE 24 hours ago
```

```sql
-- Detect API key creation
SELECT * FROM NrAuditEvent
WHERE actionIdentifier LIKE '%apiKey%'
SINCE 7 days ago
```

```sql
-- Detect user additions
SELECT * FROM NrAuditEvent
WHERE actionIdentifier LIKE '%user%'
SINCE 7 days ago
```
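The three queries above are easy to run by hand; the next step is turning them into something that runs on a schedule and separates expected changes from surprising ones. The following added example (not New Relic code) does that in Python: it builds each NRQL string from a rule table, shows the request body a NerdGraph NRQL query would take (the request is constructed but not sent), and applies the same substring-and-window logic locally to `NrAuditEvent`-shaped rows. The rows are constructed, the `actionIdentifier` values in them are illustrative rather than a catalogue of real ones, and the `EXPECTED_ACTORS` allowlist is an assumption about your environment.

```python
"""Scheduled detection over NrAuditEvent (section 4.1).

Added example, not New Relic code. SAMPLE_EVENTS are constructed rows whose
actionIdentifier values are illustrative; EXPECTED_ACTORS is an assumed
allowlist of automation identities; ACCOUNT_ID is a placeholder.
"""
import json
from datetime import datetime, timedelta, timezone

ACCOUNT_ID = 1234567  # placeholder account id
NOW = datetime(2025, 12, 14, 12, 0, tzinfo=timezone.utc)  # fixed "now" for reproducibility

# rule name -> (substring matched against actionIdentifier, lookback window in hours),
# mirroring the three NRQL queries in this section.
RULES = {
    "config_change": ("update", 24),
    "api_key_created": ("apiKey", 7 * 24),
    "user_added": ("user", 7 * 24),
}

# Identities whose routine changes are expected (e.g. a provisioning pipeline); assumed.
EXPECTED_ACTORS = {"provisioner@example.com"}

# Constructed NrAuditEvent-shaped rows; actionIdentifier values are illustrative.
SAMPLE_EVENTS = [
    {"timestamp": "2025-12-14T10:00:00Z", "actionIdentifier": "apiKey.create",
     "actorEmail": "mallory@example.com", "targetType": "api_key"},
    {"timestamp": "2025-12-13T09:00:00Z", "actionIdentifier": "user.create",
     "actorEmail": "provisioner@example.com", "targetType": "user"},
    {"timestamp": "2025-12-12T08:00:00Z", "actionIdentifier": "account.update_settings",
     "actorEmail": "bob@example.com", "targetType": "account"},
    {"timestamp": "2025-11-01T00:00:00Z", "actionIdentifier": "apiKey.delete",
     "actorEmail": "bob@example.com", "targetType": "api_key"},
    {"timestamp": "2025-12-14T11:30:00Z", "actionIdentifier": "user.update_role",
     "actorEmail": "mallory@example.com", "targetType": "user"},
]


def nrql_for(rule):
    """Rebuild the section's NRQL for one rule from the rule table."""
    substring, hours = RULES[rule]
    window = "24 hours ago" if hours == 24 else f"{hours // 24} days ago"
    return (f"SELECT * FROM NrAuditEvent "
            f"WHERE actionIdentifier LIKE '%{substring}%' SINCE {window}")


def nerdgraph_payload(account_id, nrql):
    """JSON body for a NerdGraph NRQL query (POST to the GraphQL endpoint with an
    API-Key header). Built here, not sent."""
    query = "{ actor { account(id: %d) { nrql(query: %s) { results } } } }" % (
        account_id, json.dumps(nrql))
    return {"query": query}


def detect(events, now=NOW):
    """Apply each rule locally to NrAuditEvent-shaped rows (such as the `results`
    array the query above returns) and tag alerts from non-allowlisted actors."""
    alerts = []
    for ev in events:
        ts = datetime.fromisoformat(ev["timestamp"].replace("Z", "+00:00"))
        for rule, (substring, hours) in RULES.items():
            if substring in ev["actionIdentifier"] and now - ts <= timedelta(hours=hours):
                alerts.append({
                    "rule": rule,
                    "actor": ev["actorEmail"],
                    "action": ev["actionIdentifier"],
                    "expected": ev["actorEmail"] in EXPECTED_ACTORS,
                })
    return alerts


def run_detection():
    """Entry point for a scheduled job: alerts over the constructed sample rows."""
    return detect(SAMPLE_EVENTS)


if __name__ == "__main__":
    for rule in RULES:
        print(json.dumps(nerdgraph_payload(ACCOUNT_ID, nrql_for(rule))))
    for alert in run_detection():
        flag = "expected" if alert["expected"] else "REVIEW"
        print(f"[{flag}] {alert['rule']}: {alert['actor']} {alert['action']}")
```

Two practical notes. The `%user%` and `%update%` patterns are broad (the constructed `user.update_role` row fires both rules), so an allowlist of expected actors, or a narrower `actionIdentifier` list, is what keeps the alert volume reviewable. And because the substrings are matched against whatever your account actually records, confirm the real values first with `SELECT uniques(actionIdentifier) FROM NrAuditEvent SINCE 30 days ago` before relying on any of the three patterns.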
Appendix A: Edition Compatibility
| Control | Free | Standard | Pro | Enterprise |
|---|---|---|---|---|
| SAML SSO | ❌ | ❌ | ❌ | ✅ |
| Custom Roles | ❌ | ❌ | ✅ | ✅ |
| Audit Events | ✅ | ✅ | ✅ | ✅ |
| Log Obfuscation | ✅ | ✅ | ✅ | ✅ |
Changelog
| Date | Version | Maturity | Changes | Author |
|---|---|---|---|---|
| 2025-12-14 | 0.1.0 | draft | Initial New Relic hardening guide | Claude Code (Opus 4.5) |