Elkeid CWPP Application Runtime Protection (RASP) User Guide

This guide covers the following features:

  • Operation and maintenance of application runtime components through CWPP.
  • Control the RASP implant probe into the target process to complete the runtime behavior acquisition.
  • Implant configuration
  • Blocking/Filtering, Configuration
  • View CWPP's alert events.

Install/Update RASP Components

  1. Make sure the rasp component is included in the component list.


If there is no rasp component, you need to create a new component named rasp.


Note! Due to the Agent mechanism, the plugin name should be the same as the plugin binary name.

Publish the version and upload the compressed package in tar.gz format. Please use the plugin version 1.9.1.*. Archive address: bytedance/Elkeid: releases


  1. Make sure the RASP component is included in the component policy RASP_policy_1

  2. Synchronize the policy to the machine. RASP_sync_1 RASP_sync_2

running state

After deploying the RASP component, RASP will automatically analyze the machine process, and the process information that meets the conditions for implantation of the probe will be reported to the running status. RASP_process_1 Details link on the right Support viewing process Additional information RASP_process_2


Configure which processes will turn on RASP protection

Click New Configuration RASP_config_1 The relationship between each form item of each configuration is AND The relationship between each configuration is or

Form ItemsRequired or NotMeaning ExplanationRemarks
Host LabelsNoDelineate the scope of applicable host labels for this configurationHost labels are consistent with labels in Asset Management
IPNoMatch Machine IP
Process command lineNoRegular matching of process command line
environment variablesNoMatch the environment variables of the processMultiple environment variables can be the relationship between multiple environment variables
Runtime typeYesWhich runtime is this configuration suitable forMultiple selectable
Whether to enable injectionYesWhether to enable RASP protection for the process of configuring filtering in this articleDefault is No

Each configuration can also be configured with blocking and filtering

  • Blocking: regular expression matching of a parameter of a Hook function
    • When the regular expression matches, the function throws an exception to block the function from running.
    • The function runs normally when the regular expression does not match.
  • Filtering: regular expression matching of parameters of a Hook function
    • Contains: only report matched parameter data
    • does not contain: only report parameter data other than matching to

Intrusion detection

After the RASP probe is implanted in the target process, it will continue to report application behavior, and events and alarms will be generated when abnormal behavior is found.


  • The alarm data on the right can check parameter details and call stack