New Relic Hardening Guide
Observability security for API keys, license keys, and log obfuscation
Overview
New Relic is an observability platform that ingests application performance, infrastructure, and log data. Its REST API, License Keys, and 400+ integrations collect telemetry from production environments. Compromised access exposes application architecture, performance patterns, and potentially sensitive log data.
Intended Audience
- Security engineers managing observability platforms
- DevOps/SRE administrators
- GRC professionals assessing monitoring security
- Third-party risk managers evaluating APM integrations
How to Use This Guide
- L1 (Baseline): Essential controls for all organizations
- L2 (Hardened): Enhanced controls for security-sensitive environments
- L3 (Maximum Security): Strictest controls for regulated industries
Scope
This guide covers New Relic security configurations including authentication, access controls, and integration security.
1. Authentication & Access Controls
1.1 Enforce SSO with MFA
Profile Level: L1 (Baseline) NIST 800-53: IA-2(1)
ClickOps Implementation
Step 1: Configure SAML SSO
- Navigate to: Administration → Authentication domains
- Configure SAML IdP
- Enable: SSO required
Step 2: Enable MFA
- Configure MFA through IdP
- Or enable New Relic MFA
- Require for all users
Code Pack: Terraform
```hcl
# Alert policy for SSO bypass detection
resource "newrelic_alert_policy" "sso_bypass_detection" {
  name                = "HTH: SSO Bypass Detection"
  incident_preference = "PER_CONDITION"
}

# Detect logins not using SSO (non-SAML authentication events)
resource "newrelic_nrql_alert_condition" "non_sso_login" {
  account_id                   = var.newrelic_account_id
  policy_id                    = newrelic_alert_policy.sso_bypass_detection.id
  type                         = "static"
  name                         = "HTH 1.1: Non-SSO Login Detected"
  description                  = "Detects authentication events that bypass SAML SSO"
  enabled                      = true
  violation_time_limit_seconds = 86400

  nrql {
    query = "SELECT count(*) FROM NrAuditEvent WHERE actionIdentifier LIKE '%login%' AND description NOT LIKE '%SAML%' SINCE 5 minutes ago"
  }

  critical {
    operator              = "above"
    threshold             = 0
    threshold_duration    = 300
    threshold_occurrences = "at_least_once"
  }

  fill_option = "none"
}
```
1.2 Role-Based Access
Profile Level: L1 (Baseline) NIST 800-53: AC-3, AC-6
ClickOps Implementation
Step 1: Define Roles
| Role | Permissions |
|---|---|
| Admin | Full account access |
| User | Standard access |
| Restricted User | Limited data access |
| Read only | View only |
Step 2: Configure Groups
- Navigate to: Administration → Access management → Groups
- Create groups per team
- Assign account/role combinations
Code Pack: Terraform
```hcl
# Alert policy for access control monitoring
resource "newrelic_alert_policy" "access_control_monitoring" {
  name                = "HTH: Access Control Monitoring"
  incident_preference = "PER_CONDITION"
}

# Detect role and group changes (privilege escalation / unauthorized access grants)
resource "newrelic_nrql_alert_condition" "role_changes" {
  account_id                   = var.newrelic_account_id
  policy_id                    = newrelic_alert_policy.access_control_monitoring.id
  type                         = "static"
  name                         = "HTH 1.2: Role or Group Change Detected"
  description                  = "Detects changes to user roles, groups, or access grants"
  enabled                      = true
  violation_time_limit_seconds = 86400

  nrql {
    query = "SELECT count(*) FROM NrAuditEvent WHERE actionIdentifier LIKE '%group%' OR actionIdentifier LIKE '%role%' OR actionIdentifier LIKE '%grant%' SINCE 5 minutes ago"
  }

  critical {
    operator              = "above"
    threshold             = 0
    threshold_duration    = 300
    threshold_occurrences = "at_least_once"
  }

  fill_option = "none"
}
```
2. API & Key Security
2.1 Secure API Keys
Profile Level: L1 (Baseline) NIST 800-53: IA-5
Description
Manage New Relic API keys securely.
Rationale
Attack Scenario: Exposed License Key enables data injection; User Key exposure allows configuration changes and data access.
Implementation
Key Types:
| Key Type | Purpose | Risk |
|---|---|---|
| License Key | Data ingestion | Medium |
| User Key | API access | High |
| Insert Key | Data insertion | Medium |
Step 1: Audit API Keys
- Navigate to: API keys
- Review all keys
- Delete unused keys
Step 2: Key Best Practices
- Create unique keys per service
- Rotate keys periodically
- Use least privilege
Code Pack: Terraform
```hcl
# Create a managed ingest key with a descriptive name for auditability.
# Each service should have its own key -- never share keys across services.
resource "newrelic_api_access_key" "managed_ingest_key" {
  # Created only when var.api_key_user_id is set (greater than 0)
  count       = var.api_key_user_id > 0 ? 1 : 0
  account_id  = var.newrelic_account_id
  key_type    = "INGEST"
  ingest_type = "LICENSE"
  name        = var.ingest_key_name
  notes       = "Managed by Terraform - HTH hardening pack. Rotate periodically."
}

# Alert policy for API key lifecycle events
resource "newrelic_alert_policy" "api_key_monitoring" {
  name                = "HTH: API Key Lifecycle Monitoring"
  incident_preference = "PER_CONDITION"
}

# Detect API key creation, deletion, or modification
resource "newrelic_nrql_alert_condition" "api_key_changes" {
  account_id                   = var.newrelic_account_id
  policy_id                    = newrelic_alert_policy.api_key_monitoring.id
  type                         = "static"
  name                         = "HTH 2.1: API Key Change Detected"
  description                  = "Detects creation, deletion, or modification of API keys"
  enabled                      = true
  violation_time_limit_seconds = 86400

  nrql {
    query = "SELECT count(*) FROM NrAuditEvent WHERE actionIdentifier LIKE '%apiKey%' OR actionIdentifier LIKE '%api_key%' SINCE 5 minutes ago"
  }

  critical {
    operator              = "above"
    threshold             = 0
    threshold_duration    = 300
    threshold_occurrences = "at_least_once"
  }

  fill_option = "none"
}
```
2.2 License Key Protection
Profile Level: L1 (Baseline) NIST 800-53: IA-5
ClickOps Implementation
Step 1: Rotate License Keys
- Navigate to: Administration → License keys
- Generate new keys
- Update agents
- Deactivate old keys
Code Pack: Terraform
```hcl
# Alert policy for license key anomaly detection
resource "newrelic_alert_policy" "license_key_monitoring" {
  name                = "HTH: License Key Anomaly Detection"
  incident_preference = "PER_CONDITION"
}

# Detect unusual data ingest patterns that may indicate key compromise
resource "newrelic_nrql_alert_condition" "license_key_anomaly" {
  account_id                   = var.newrelic_account_id
  policy_id                    = newrelic_alert_policy.license_key_monitoring.id
  type                         = "static"
  name                         = "HTH 2.2: Unusual Ingest Volume Detected"
  description                  = "Detects abnormal data ingest volumes that may indicate license key compromise or misuse"
  enabled                      = true
  violation_time_limit_seconds = 86400

  nrql {
    query = "SELECT rate(bytecountestimate(), 1 minute) FROM Log, Metric, Span SINCE 10 minutes ago"
  }

  critical {
    operator              = "above"
    threshold             = 1000000000
    threshold_duration    = 600
    threshold_occurrences = "all"
  }

  warning {
    operator              = "above"
    threshold             = 500000000
    threshold_duration    = 600
    threshold_occurrences = "all"
  }

  fill_option = "none"
}
```
3. Data Security
3.1 Configure Data Obfuscation
Profile Level: L1 (Baseline) NIST 800-53: SC-28
Description
Protect sensitive data in logs and traces.
ClickOps Implementation
Step 1: Enable Log Obfuscation
- Navigate to: Logs → Obfuscation
- Create obfuscation rules
- Configure:
  - Pattern matching
  - Replacement values
  - Apply to expressions
Step 2: Configure Drop Filters
- Navigate to: Logs → Drop filters
- Drop sensitive log entries
- Audit filter effectiveness
Code Pack: Terraform
```hcl
# Obfuscation expressions for each sensitive data pattern
resource "newrelic_obfuscation_expression" "sensitive_patterns" {
  for_each    = { for idx, pattern in var.obfuscation_patterns : pattern.name => pattern }
  account_id  = var.newrelic_account_id
  name        = "HTH: ${each.value.name}"
  description = "Obfuscation pattern for ${each.value.name} - managed by HTH hardening pack"
  regex       = each.value.pattern
}

# One obfuscation rule per pattern, applied to the message attribute of log data
resource "newrelic_obfuscation_rule" "sensitive_data_masking" {
  for_each    = { for idx, pattern in var.obfuscation_patterns : pattern.name => pattern }
  account_id  = var.newrelic_account_id
  name        = "HTH: Mask ${each.value.name}"
  description = "Mask ${each.value.name} in log messages - managed by HTH hardening pack"
  filter      = "message IS NOT NULL"
  enabled     = true

  action {
    attribute     = ["message"]
    expression_id = newrelic_obfuscation_expression.sensitive_patterns[each.key].id
    method        = "HASH_SHA256"
  }
}

# Alert on the volume of obfuscated messages to track sensitive data exposure.
# NOTE: the rules above use HASH_SHA256, which replaces matched text with a hash,
# so the literal marker 'OBFUSCATED' in the query below must correspond to something
# your pipeline actually writes; adjust the WHERE clause if it does not.
resource "newrelic_alert_policy" "data_obfuscation_monitoring" {
  name                = "HTH: Data Obfuscation Monitoring"
  incident_preference = "PER_CONDITION"
}

resource "newrelic_nrql_alert_condition" "obfuscation_effectiveness" {
  account_id                   = var.newrelic_account_id
  policy_id                    = newrelic_alert_policy.data_obfuscation_monitoring.id
  type                         = "static"
  name                         = "HTH 3.1: High Volume of Obfuscated Data"
  description                  = "Detects high volumes of obfuscated sensitive data, indicating potential data leak in telemetry pipeline"
  enabled                      = true
  violation_time_limit_seconds = 86400

  nrql {
    query = "SELECT count(*) FROM Log WHERE message LIKE '%OBFUSCATED%' SINCE 30 minutes ago"
  }

  warning {
    operator              = "above"
    threshold             = 1000
    threshold_duration    = 1800
    threshold_occurrences = "all"
  }

  fill_option = "none"
}
```
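Obfuscation patterns can be exercised offline before they are deployed. The following is an added example, not part of the original code pack: it emulates the HASH_SHA256 action on the `message` attribute so you can see which patterns fire and what the stored message would look like. The pattern names, regexes and log lines are constructed; it assumes each expression wraps the sensitive value in one capture group, that the hash is rendered as a hex digest, and that Python's `re` behaves like the platform's regex engine for these simple patterns.

```python
import hashlib
import re

# Constructed patterns in the name/pattern shape that var.obfuscation_patterns
# is iterated over; capture group 1 marks the sensitive value (assumption).
PATTERNS = [
    {"name": "email", "pattern": r"([A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,})"},
    {"name": "us-ssn", "pattern": r"\b(\d{3}-\d{2}-\d{4})\b"},
    {"name": "bearer-token", "pattern": r"Bearer\s+([A-Za-z0-9._~+/=-]{16,})"},
]

# Constructed log messages, including one that must pass through untouched.
SAMPLE_LOGS = [
    "login ok user=alice@example.com ip=10.0.0.5",
    "payment form rejected ssn=123-45-6789",
    "upstream call failed: Authorization: Bearer abcdefghijklmnopqrstuvwxyz012345",
    "healthcheck 200 in 12ms",
]


def hash_group(match):
    """Replace only capture group 1 with its SHA-256 hex digest."""
    whole, offset = match.group(0), match.start(0)
    start, end = match.span(1)
    digest = hashlib.sha256(match.group(1).encode()).hexdigest()
    return whole[:start - offset] + digest + whole[end - offset:]


def obfuscate(message, patterns=PATTERNS):
    """Apply every pattern in order; return (new message, names that fired)."""
    fired = []
    for p in patterns:
        message, n = re.subn(p["pattern"], hash_group, message)
        if n:
            fired.append(p["name"])
    return message, fired


def coverage(logs, patterns=PATTERNS):
    """Count, per pattern, how many messages it fired on."""
    counts = {p["name"]: 0 for p in patterns}
    for line in logs:
        for name in obfuscate(line, patterns)[1]:
            counts[name] += 1
    return counts
```

A pattern whose count stays at 0 on representative logs is either untested or not matching, and should be checked before relying on the rule.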
3.2 Data Retention
Profile Level: L1 (Baseline) NIST 800-53: SI-12
ClickOps Implementation
Step 1: Review Data Retention
- Navigate to: Data management → Data retention
- Review retention per data type
- Adjust as needed
Code Pack: Terraform
```hcl
# Alert policy for data retention compliance monitoring
resource "newrelic_alert_policy" "data_retention_monitoring" {
  name                = "HTH: Data Retention Compliance"
  incident_preference = "PER_CONDITION"
}

# Detect data retention setting changes via audit events
resource "newrelic_nrql_alert_condition" "retention_changes" {
  account_id                   = var.newrelic_account_id
  policy_id                    = newrelic_alert_policy.data_retention_monitoring.id
  type                         = "static"
  name                         = "HTH 3.2: Data Retention Change Detected"
  description                  = "Detects modifications to data retention settings"
  enabled                      = true
  violation_time_limit_seconds = 86400

  nrql {
    query = "SELECT count(*) FROM NrAuditEvent WHERE actionIdentifier LIKE '%retention%' OR actionIdentifier LIKE '%dataManagement%' SINCE 5 minutes ago"
  }

  critical {
    operator              = "above"
    threshold             = 0
    threshold_duration    = 300
    threshold_occurrences = "at_least_once"
  }

  fill_option = "none"
}

# Monitor data age to ensure retention policies are functioning
resource "newrelic_nrql_alert_condition" "data_age_compliance" {
  account_id                   = var.newrelic_account_id
  policy_id                    = newrelic_alert_policy.data_retention_monitoring.id
  type                         = "static"
  name                         = "HTH 3.2: Log Data Exceeds Retention Window"
  description                  = "Detects if log data older than the configured retention window still exists"
  enabled                      = true
  violation_time_limit_seconds = 86400

  nrql {
    query = "SELECT count(*) FROM Log WHERE timestamp < ago(${var.log_retention_days} days) SINCE 1 hour ago"
  }

  warning {
    operator              = "above"
    threshold             = 0
    threshold_duration    = 3600
    threshold_occurrences = "all"
  }

  fill_option = "none"
}
```
4. Monitoring & Detection
4.1 NrAuditEvent
Profile Level: L1 (Baseline) NIST 800-53: AU-2, AU-3
Detection Queries
Code Pack: Terraform
```hcl
# Comprehensive alert policy for NrAuditEvent security monitoring
resource "newrelic_alert_policy" "audit_event_monitoring" {
  name                = "HTH: NrAuditEvent Security Monitoring"
  incident_preference = "PER_CONDITION_AND_TARGET"
}

# Detect configuration changes
resource "newrelic_nrql_alert_condition" "config_changes" {
  account_id                   = var.newrelic_account_id
  policy_id                    = newrelic_alert_policy.audit_event_monitoring.id
  type                         = "static"
  name                         = "HTH 4.1: Configuration Change Detected"
  description                  = "Detects configuration changes via NrAuditEvent"
  enabled                      = true
  violation_time_limit_seconds = 86400

  nrql {
    query = "SELECT count(*) FROM NrAuditEvent WHERE actionIdentifier LIKE '%update%' OR actionIdentifier LIKE '%modify%' OR actionIdentifier LIKE '%change%' SINCE 5 minutes ago"
  }

  critical {
    operator              = "above"
    threshold             = var.audit_alert_threshold_critical
    threshold_duration    = var.audit_alert_evaluation_window
    threshold_occurrences = "at_least_once"
  }

  warning {
    operator              = "above"
    threshold             = 3
    threshold_duration    = var.audit_alert_evaluation_window
    threshold_occurrences = "at_least_once"
  }

  fill_option = "none"
}

# Detect API key creation events
resource "newrelic_nrql_alert_condition" "api_key_creation" {
  account_id                   = var.newrelic_account_id
  policy_id                    = newrelic_alert_policy.audit_event_monitoring.id
  type                         = "static"
  name                         = "HTH 4.1: API Key Created"
  description                  = "Detects API key creation events"
  enabled                      = true
  violation_time_limit_seconds = 86400

  nrql {
    query = "SELECT count(*) FROM NrAuditEvent WHERE actionIdentifier LIKE '%apiKey%' AND actionIdentifier LIKE '%create%' SINCE 5 minutes ago"
  }

  critical {
    operator              = "above"
    threshold             = 0
    threshold_duration    = 300
    threshold_occurrences = "at_least_once"
  }

  fill_option = "none"
}

# Detect user additions and permission changes
resource "newrelic_nrql_alert_condition" "user_changes" {
  account_id                   = var.newrelic_account_id
  policy_id                    = newrelic_alert_policy.audit_event_monitoring.id
  type                         = "static"
  name                         = "HTH 4.1: User Addition or Permission Change"
  description                  = "Detects user additions and permission modifications"
  enabled                      = true
  violation_time_limit_seconds = 86400

  nrql {
    query = "SELECT count(*) FROM NrAuditEvent WHERE actionIdentifier LIKE '%user%' AND (actionIdentifier LIKE '%create%' OR actionIdentifier LIKE '%update%' OR actionIdentifier LIKE '%grant%') SINCE 5 minutes ago"
  }

  critical {
    operator              = "above"
    threshold             = 0
    threshold_duration    = 300
    threshold_occurrences = "at_least_once"
  }

  fill_option = "none"
}

# Detect account-level deletions
resource "newrelic_nrql_alert_condition" "deletion_events" {
  account_id                   = var.newrelic_account_id
  policy_id                    = newrelic_alert_policy.audit_event_monitoring.id
  type                         = "static"
  name                         = "HTH 4.1: Deletion Event Detected"
  description                  = "Detects deletion of resources, dashboards, or configurations"
  enabled                      = true
  violation_time_limit_seconds = 86400

  nrql {
    query = "SELECT count(*) FROM NrAuditEvent WHERE actionIdentifier LIKE '%delete%' OR actionIdentifier LIKE '%remove%' SINCE 5 minutes ago"
  }

  critical {
    operator              = "above"
    threshold             = 0
    threshold_duration    = 300
    threshold_occurrences = "at_least_once"
  }

  fill_option = "none"
}
```
Appendix A: Edition Compatibility
| Control | Free | Standard | Pro | Enterprise |
|---|---|---|---|---|
| SAML SSO | ❌ | ❌ | ❌ | ✅ |
| Custom Roles | ❌ | ❌ | ✅ | ✅ |
| Audit Events | ✅ | ✅ | ✅ | ✅ |
| Log Obfuscation | ✅ | ✅ | ✅ | ✅ |
Appendix B: References
Official New Relic Documentation:
- New Relic Security Overview
- New Relic Product Documentation
- Security and Privacy Documentation
- Compliance and Certifications
Compliance Frameworks:
- SOC 1, SOC 2, ISO 27001, ISO 42001, FedRAMP, HIPAA, PCI DSS, TISAX — via New Relic Compliance and Certifications
- New Relic Regulatory Audits Documentation
Security Incidents:
- No major public security incidents identified for New Relic. Monitor New Relic Security for current advisories.
Changelog
| Date | Version | Maturity | Changes | Author |
|---|---|---|---|---|
| 2025-12-14 | 0.1.0 | draft | Initial New Relic hardening guide | Claude Code (Opus 4.5) |