Security events

Latest Dynatrace
Reference
Published Sep 09, 2025

Security events are a special type of data representing various events generated by Dynatrace.

In the events data store, security events are stored in a dedicated bucket (default_security_events) and come as an additional event kind (event.kind=="SECURITY_EVENT") for better access control, data separation, and data retention period control.

Compliance finding events

A compliance finding event is generated when an object is evaluated against a compliance rule during a scan. The event contains the results of this evaluation and the compliance status of the given object.

Compliance finding events: Event data

This section contains general event information.

Attribute	Type	Description	Examples
`event.kind`	string	stable Gives high-level information about what kind of information the event contains without being specific about the contents of the event. It helps to determine the record type of a raw event. Tags: `permission`	`SECURITY_EVENT`
`event.type`	string	stable The unique type identifier of a given event. Tags: `permission`	`COMPLIANCE_FINDING`
`timestamp`	timestamp	stable The time (UNIX Epoch time in nanoseconds) when the event was ingested.	`1649822520123123123`

Compliance finding events: Finding data

This section contains information about the finding.

Attribute	Type	Description	Examples
`aws.account.id`	string	resource stable The 12-digit number, such as 123456789012, that uniquely identifies an AWS account. Tags: `permission` `primary-field`	`123456789012`
`aws.account.name`	string	resource experimental Name associated with the AWS account.	`example.com`
`azure.tenant.id`	string	resource experimental Unique, immutable identifier assigned to the Azure tenant.	`37c4add3-612a-483d-8b24-cccbb35d3306`
`azure.tenant.name`	string	resource experimental Name assigned to the Azure tenant.	`MyAzureTenant`
`cloud.provider`	string	resource experimental Name of the cloud provider.	`alibaba_cloud`
`dt.entity.cloud_application`	string	resource stable An entity ID of an entity of type CLOUD_APPLICATION. Tags: `entity-id`	`CLOUD_APPLICATION-3AB5BBF3E09A7942`
`dt.entity.cloud_application_instance`	string	resource stable An entity ID of an entity of type CLOUD_APPLICATION_INSTANCE. Tags: `entity-id`	`CLOUD_APPLICATION_INSTANCE-E0D8F94D9065F24F`
`dt.entity.cloud_application_namespace`	string	resource stable An entity ID of an entity of type CLOUD_APPLICATION_NAMESPACE. A CLOUD_APPLICATION_NAMESPACE is a Kubernetes namespace. Tags: `entity-id`	`CLOUD_APPLICATION_NAMESPACE-C61324AA70F57BCB`
`dt.entity.kubernetes_cluster`	string	resource stable An entity ID of an entity of type KUBERNETES_CLUSTER. Tags: `entity-id`	`KUBERNETES_CLUSTER-E0D8F94D9065F24F`
`dt.entity.kubernetes_node`	string	resource stable An entity ID of an entity of type KUBERNETES_NODE. Tags: `entity-id`	`KUBERNETES_NODE-874C66B68CE15070`
`finding.id`	string	stable Unique identifier string of a finding.	`F-2GJ3LSUM`
`finding.time.created`	timestamp	stable Time when the finding was created.	`2024-06-24T04:47:21.154000000+02:00`
`gcp.organization.id`	string	resource experimental Unique, immutable identifier assigned to an organization resource.	`123456789012`
`gcp.organization.name`	string	resource experimental Name assigned to the GCP organization.	`dynatrace.com`
`hypervisor.type`	string	resource experimental Virtualization hypervisor identified. For physical machines, this value is empty.	`KVM`; `VMWARE`
`k8s.cluster.name`	string	resource stable (Optional) The user-defined name of the cluster in Dynatrace. Doesn't need to be unique or immutable. Tags: `permission` `primary-field`	`unguard-dev`; `acme-prod10`
`k8s.cluster.uid`	string	resource stable A pseudo-ID for the cluster, by default set to the UID of the kube-system namespace.	`1c7a24c7-ff51-46e0-bcc9-c52637ceec57`
`k8s.namespace.name`	string	resource stable The name of the namespace that the pod is running in. Tags: `permission` `primary-field`	`default`; `kube-system`
`k8s.namespace.uid`	string	resource experimental The UID of the namespace.	`bfb1ba44-3bcb-467d-a2dc-188fd74d1db5`
`k8s.node.name`	string	resource stable Name of the node.	`cluster-pool-1-c3c7423d-azth`
`k8s.pod.name`	string	resource stable The name of the pod.	`checkoutservice-7895755b94-mzs5m`
`k8s.pod.uid`	string	resource stable The UID of the pod.	`275ecb36-5aa8-4c2a-9c47-d8bb681b9aff`
`k8s.workload.name`	string	resource stable The name of the workload.	`checkoutservice`
`k8s.workload.uid`	string	resource experimental The UID of the workload.	`786a41e4-e673-44bb-bb30-18888f797a2b`
`vmware.vcenter.name`	string	resource experimental Name of the VMware vCenter server managing the multi-hypervisor environment.	`my-vcenter.lab.dynatrace.org`

Compliance finding events: Scan data

This section contains information about the scan that generated the finding.

Attribute	Type	Description	Examples
`product.name`	string	resource experimental Product name.	`Tenable`; `Snyk`
`scan.id`	string	resource experimental Unique identifier of the scan.	`00000000-0000-0000-0000-000000000000`

Compliance finding events: Rule data

This section contains information about the compliance rule and the compliance standard it belongs to.

Attribute	Type	Description	Examples
`compliance.rule.id`	string	experimental Unique identifier of a compliance rule.	`CIS-66577`
`compliance.rule.metadata_json`	string	experimental Any additional metadata associated with the compliance rule.	`{\"Section\":\"Kubernetes - v1.9.0\",\"Recommendation ID\":\"1.2.16\",\"Recommendation section\":\"1.2 - Control Plane Components - API Server\", \"Level\":\"L1\"}`
`compliance.rule.severity.level`	string	experimental Original severity of a compliance rule reported by the vendor.	`CRITICAL`; `HIGH`; `MEDIUM`; `LOW`
`compliance.rule.severity.score`	double	experimental Number assigned to the respective severity. For example, 10 corresponds to 'CRITICAL', 7 to 'HIGH', 4 to 'MEDIUM', and 1 to 'LOW'.	`10.0`; `7.0`; `4.0`; `1.0`
`compliance.rule.title`	string	experimental Short description of a compliance rule.	`The Kubernetes Controller Manager must use TLS 1.2, at a minimum, to protect the confidentiality of sensitive data during electronic dissemination`

Attribute	Type	Description	Examples
`compliance.standard.name`	string	experimental Name of a compliance standard.	`CIS Elastic Kubernetes Service (EKS) - v1.7.0`; `NIST SP 800-53 Revision 5.1.1 - Kubernetes`
`compliance.standard.short_name`	string	experimental Short name of a compliance standard.	`DISA STIG`; `NIST`
`compliance.standard.url`	string	experimental Link to the official documentation source about the compliance standard.	`DISA STIG`; `NIST`

Compliance finding events: Result

This section contains information about the result of the compliance scan.

Attribute	Type	Description	Examples
`aws.resource.name`	string	resource experimental Name of the resource (value of the "Name" tag in AWS).	`my-ec2-instance`
`azure.resource.id`	string	resource experimental A unique, immutable identifier assigned to each Azure cloud resource.	`/subscriptions/27e9b03f-04d2-2b69-b327-32f433f7ed21/resourceGroups/demo-backend-rg/providers/Microsoft.ContainerService/managedClusters/demo-aks`
`azure.resource.name`	string	resource experimental User-provided name of the Azure cloud resource.	`demo-aks`
`compliance.result.description`	string	experimental Details about the compliance result status.	`Object not matching standard inclusion criteria`
`compliance.result.object.evidence_json`	string	experimental Reasoning or evidence for the compliance status of this object.	`[{\"type\":\"AUTOMATIC\",\"description\":\"Controller Manager version\",\"value\":\"1.28.0\"},{\"type\":\"AUTOMATIC\",\"description\":\"Property tls-min-version status\",\"value\":\"Not set\"}]`
`compliance.result.object.name`	string	deprecated Name of the object evaluated for compliance.	`kube-controller-manager-k8s-mst01-t12`; `daemonset-25qlv`
`compliance.result.object.type`	string	experimental Type of the object evaluated for compliance.	`k8scluster`; `k8spod`; `k8sservice`
`compliance.result.status.level`	string	experimental Result status of the given resource object as evaluated by a scan.	`FAILED`; `PASSED`; `MANUAL`; `NOT_RELEVANT`
`compliance.result.status.score`	double	experimental Number assigned to the respective result status. For example, 10 corresponds to 'FAILED', 7 to 'MANUAL', 4 to 'PASSED', and 1 to 'NOT_RELEVANT'.	`10.0`; `7.0`; `4.0`; `1.0`
`dt.source_entity`	string	resource stable The ID of the entity considered the source of the signal. The string represents an entity ID of an entity that is stored in the classic entity storage. ¹ Tags: `entity-id`	`HOST-E0D8F94D9065F24F`; `PROCESS_GROUP_INSTANCE-E0D8F94D9065F24F`
`object.id`	string	resource experimental Identifier of the affected object.	`HOST-E0D8F94D9065F24F`; `i-06becf87d5326157a`; `arn:aws:ecr:eu-central-1:124567890123:repository/unguard-frontend/sha256:054e1d39fb20a52f2c78caeb83574035462d3d2e627978d89a2834ce8cb69fe1`
`object.name`	string	resource experimental Name of the affected object.	`kube-controller-manager-k8s-mst01-t12`; `daemonset-25qlv`
`object.type`	string	resource experimental Type of the affected object.	`host`; `ec2_instance`; `container_image`; `process`; `HOST`; `EC2_INSTANCE`; `CONTAINER_IMAGE`

The value of this field will be based on one of the dt.entity.<type> fields value. This means that both dt.source_entity and dt.entity.<type> fields will be set to the same ID.

Compliance scan completed events

A compliance scan completed event is generated when a scan of a configuration dataset against compliance rules is completed.

Compliance scan completed events: Event metadata

This section contains general event information.

Attribute	Type	Description	Examples
`event.kind`	string	stable Gives high-level information about what kind of information the event contains without being specific about the contents of the event. It helps to determine the record type of a raw event. Tags: `permission`	`SECURITY_EVENT`
`event.type`	string	stable The unique type identifier of a given event. Tags: `permission`	`COMPLIANCE_SCAN_COMPLETED`
`timestamp`	timestamp	stable The time (UNIX Epoch time in nanoseconds) when the event was ingested.	`1649822520123123123`

Compliance scan completed events: Scan info

This section contains details about the performed compliance scan.

Attribute	Type	Description	Examples
`aws.account.id`	string	resource stable The 12-digit number, such as 123456789012, that uniquely identifies an AWS account. Tags: `permission` `primary-field`	`123456789012`
`aws.account.name`	string	resource experimental Name associated with the AWS account.	`example.com`
`azure.tenant.id`	string	resource experimental Unique, immutable identifier assigned to the Azure tenant.	`37c4add3-612a-483d-8b24-cccbb35d3306`
`azure.tenant.name`	string	resource experimental Name assigned to the Azure tenant.	`MyAzureTenant`
`cloud.provider`	string	resource experimental Name of the cloud provider.	`alibaba_cloud`
`dt.entity.kubernetes_cluster`	string	resource stable An entity ID of an entity of type KUBERNETES_CLUSTER. Tags: `entity-id`	`KUBERNETES_CLUSTER-E0D8F94D9065F24F`
`gcp.organization.id`	string	resource experimental Unique, immutable identifier assigned to an organization resource.	`123456789012`
`gcp.organization.name`	string	resource experimental Name assigned to the GCP organization.	`dynatrace.com`
`hypervisor.type`	string	resource experimental Virtualization hypervisor identified. For physical machines, this value is empty.	`KVM`; `VMWARE`
`k8s.cluster.name`	string	resource stable (Optional) The user-defined name of the cluster in Dynatrace. Doesn't need to be unique or immutable. Tags: `permission` `primary-field`	`unguard-dev`; `acme-prod10`
`k8s.cluster.uid`	string	resource stable A pseudo-ID for the cluster, by default set to the UID of the kube-system namespace.	`1c7a24c7-ff51-46e0-bcc9-c52637ceec57`
`object.id`	string	resource experimental Identifier of the affected object.	`HOST-E0D8F94D9065F24F`; `i-06becf87d5326157a`; `arn:aws:ecr:eu-central-1:124567890123:repository/unguard-frontend/sha256:054e1d39fb20a52f2c78caeb83574035462d3d2e627978d89a2834ce8cb69fe1`
`object.name`	string	resource experimental Name of the affected object.	`kube-controller-manager-k8s-mst01-t12`; `daemonset-25qlv`
`object.type`	string	resource experimental Type of the affected object.	`host`; `ec2_instance`; `container_image`; `process`; `HOST`; `EC2_INSTANCE`; `CONTAINER_IMAGE`
`product.name`	string	resource experimental Product name.	`Tenable`; `Snyk`
`product.vendor`	string	resource experimental Product vendor.	`Tenable`; `Snyk`
`product.version`	string	resource experimental Version of the product that performed the scan.	`6.9.2.0`
`scan.id`	string	resource experimental Unique identifier of the scan.	`00000000-0000-0000-0000-000000000000`
`scan.result.summary_json`	string	resource experimental Summary of the scan results.	`{"standardResultSummaries":[{"profileCode":"CIS","compliancePercentage":85}]}`
`scan.time.completed`	timestamp	resource experimental Time when the scan was completed.	`2024-06-24T04:47:21.154000000+02:00`
`vmware.vcenter.name`	string	resource experimental Name of the VMware vCenter server managing the multi-hypervisor environment.	`my-vcenter.lab.dynatrace.org`

Detection Finding Events

A detection finding refers to alerts or detections generated by security tools using correlation algorithms, detection rules, or other analytical methods. They're primarily consumed in the Threats & Exploits app.

Detection finding events: Event fields

Required fields for detection findings to be displayed in the Threats & Exploits app.

Attribute	Type	Description	Examples
`dt.security.risk.level`	string	stable Risk score level, mapped and normalized by Dynatrace.	`LOW`; `MEDIUM`; `HIGH`; `CRITICAL`; `NONE`; `NOT_AVAILABLE`
`event.provider`	string	stable Source of the event, for example, the name of the component or system that generated the event. Tags: `permission`	`OneAgent`; `AWS Security Hub`; `Amazon GuardDuty`
`event.type`	string	stable The unique type identifier of a given event. Tags: `permission`	`DETECTION_FINDING`
`finding.id`	string	stable Unique identifier string of a finding.	`A-2GJ3LSUM`; `arn:aws:guardduty:us-east-1:124381674733:detector/14c0550905ccbe6e5d5455071c73c1e5/finding/5c3665bd5af0488e94f482fc549a37c1`
`finding.time.created`	timestamp	stable Time when the finding was created.	`2024-06-24T04:47:21.154000000+02:00`
`finding.title`	string	stable Title or summary of the finding.	`Title of finding`
`finding.type`	string	stable Original type of the finding reported by the vendor.	`SQL injection`; `Command injection`; `JNDI injection`; `SSRF`; `TTPs/Execution/Execution:Runtime-SuspiciousShellCreated`
`object.id`	string	resource experimental Identifier of the affected object. Either this or `object.name` has to be set.	`HOST-E0D8F94D9065F24F`; `i-06becf87d5326157a`; `arn:aws:ecr:eu-central-1:124567890123:repository/unguard-frontend/sha256:054e1d39fb20a52f2c78caeb83574035462d3d2e627978d89a2834ce8cb69fe1`
`object.name`	string	resource experimental Name of the affected object. Either this or `object.id` has to be set.	`kube-controller-manager-k8s-mst01-t12`; `daemonset-25qlv`
`object.type`	string	resource experimental Type of the affected object.	`host`; `ec2_instance`; `container_image`; `process`; `HOST`; `EC2_INSTANCE`; `CONTAINER_IMAGE`
`product.name`	string	resource experimental Product name.	`Runtime Application Protection`; `GuardDuty`
`product.vendor`	string	resource experimental Product vendor.	`Dynatrace`; `Amazon`

Detection finding events: Technical fields

Required fields for detection findings; should be automatically added during ingest via OpenPipeline.

Attribute	Type	Description	Examples
`event.id`	string	stable In combination with `timestamp`, this field uniquely identifies a specific event.	`1669863368163_07755297913417681159`
`event.kind`	string	stable Describes the general nature of the event, without detailing the event's specific contents. It helps to determine the record type of a raw event. Tags: `permission`	`SECURITY_EVENT`
`timestamp`	timestamp	stable Time (UNIX Epoch time in nanoseconds) when the event was ingested.	`1649822520123123123`

Entity change events

Entity change events are change events at the entity level. An event is generated whenever a vulnerability's affected entity undergoes a status or assessment change.

Query

Query entity status change events.

fetch security.events
| filter event.category == "VULNERABILITY_MANAGEMENT"
| filter event.type == "VULNERABILITY_STATUS_CHANGE_EVENT"
| filter event.level == "ENTITY"

Entity change events: Event data

This section contains general event information.

Attribute	Type	Description	Examples
`event.category`	string	stable Categorization based on the product and data generating this event.	`VULNERABILITY_MANAGEMENT`
`event.change_list`	array	resource stable List of attributes updated as part of the change event. Values in the list match a `previous` field.	`vulnerability.risk.score`; `affected_entities.count`; `related_entities.databases.count`
`event.description`	string	stable Human-readable description of an event.	`Status of S-49 Remote Code Execution for prod_process_group_1 has changed to OPEN.`; `Assessment of S-49 Remote Code Execution for prod_process_group_1 has changed.`; `Environment impact of S-49 Remote Code Execution for prod_process_group_1 has changed.`
`event.group_label`	string	experimental Group label of an event.	`CHANGE_EVENT`
`event.kind`	string	stable Gives high-level information about what kind of information the event contains without being specific about the contents of the event. It helps to determine the record type of a raw event. Tags: `permission`	`SECURITY_EVENT`
`event.level`	string	resource stable Main reference point to which the event or data is related. Possible values are `Vulnerability` (shows the global aggregation across the entire environment and comprises all entities and management zones) and `Entity` (shows the assessment based on the entity itself).	`ENTITY`
`event.name`	string	stable The human readable display name of an event type.	`Vulnerable entity status change event`; `Vulnerable entity assessment change event`
`event.provider`	string	stable Source of the event, for example, the name of the component or system that generated the event. Tags: `permission`	`Dynatrace`
`event.provider_product`	string	resource stable Name of the product providing this event.	`Runtime Vulnerability Analytics`; `Snyk Container`
`event.status`	string	stable Status of an event as being either Active or Closed.	`OPEN`; `RESOLVED`; `MUTED`
`event.status_transition`	string	experimental An enum that shows the transition of the above event state.	`NEW_OPEN`; `REOPEN`; `CLOSE`; `MUTE`; `UNMUTE`
`event.trigger.type`	string	resource stable Type of event trigger (for example, whether it was generated by the system, ingested via API, or triggered by the user).	`DT_PLATFORM`; `USER_ACTION`
`event.trigger.user`	string	resource stable ID of the user who triggered the event. If generated by Dynatrace, the value is `SYSTEM`.	`SYSTEM`; `<user_id>`
`event.type`	string	stable The unique type identifier of a given event. Tags: `permission`	`VULNERABILITY_STATUS_CHANGE_EVENT`; `VULNERABILITY_ASSESSMENT_CHANGE_EVENT`
`timestamp`	timestamp	stable The time (UNIX Epoch time in nanoseconds) when the event originated, typically when it was created by the source.	`1649822520123123123`

Entity change events: Vulnerability data

This section contains information about the vulnerability at the entity level and its global parent, as well as its previous values.

Attribute	Type	Description	Examples
`entry_points.entry_point_jsons`	string[]	resource experimental JSON representation of entry points of a vulnerability.	`[{ "entry_point.url.path": "/user/2/bio", "entry_point.payload": "UPDATE bio SET bio_text = '' WHERE 1 = 0; TRUNCATE TABLE bio; --' WHERE user_id = 2", "entry_point.user_controlled_inputs_json": [{ "user_controlled_input.type": "HTTP_PARAMETER_VALUE", "user_controlled_input.key": "username", "user_controlled_input.value": "' OR 100=100 -- 0'", "user_controlled_input.payload.start": "56", "user_controlled_input.payload.end": "73", "user_controlled_input.is_malicious": true}]}]`
`vulnerability.code_location.name`	string	stable Name of the code location where the code-level vulnerability was detected.	`org.dynatrace.profileservice.BioController.markdownToHtml(String):80`
`vulnerability.cvss.base_score`	double	stable Vulnerability's CVSS base score provided by NVD.	`8.1`
`vulnerability.cvss.vector`	string	experimental Vulnerability's CVSS vector defined by the provider.	`CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:L/SI:L/SA:L`; `CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:L/A:H/E:P/RL:T/RC:U/CR:L/IR:M/AR:H`
`vulnerability.cvss.version`	string	stable Vulnerability's CVSS score version.	`3.1`; `4.0`
`vulnerability.davis_assessment.assessment_mode`	string	stable Availability of the information based on which the assessment of the vulnerability at the entity level has been done.	`FULL`; `NOT_AVAILABLE`; `REDUCED`
`vulnerability.davis_assessment.assessment_mode_reasons`	string[]	experimental Reasons for the assessment mode at the entity level.	`[LIMITED_BY_CONFIGURATION, LIMITED_AGENT_SUPPORT]`
`vulnerability.davis_assessment.data_assets_status`	string	stable Affected entity's reachability by a database.	`NOT_AVAILABLE`; `NOT_DETECTED`; `REACHABLE`
`vulnerability.davis_assessment.exploit_status`	string	stable Public exploits status of the vulnerability at the entity level.	`AVAILABLE`; `NOT_AVAILABLE`
`vulnerability.davis_assessment.exposure_status`	string	stable Internet exposure status of the vulnerability at the entity level.	`NOT_AVAILABLE`; `NOT_DETECTED`; `PUBLIC_NETWORK`; `ADJACENT_NETWORK`
`vulnerability.davis_assessment.level`	string	stable Risk level, based on Davis Security Score, of the vulnerability at the entity level.	`LOW`; `MEDIUM`; `HIGH`; `CRITICAL`; `NONE`
`vulnerability.davis_assessment.score`	double	stable Davis Security Score (1-10) calculated by Dynatrace for the vulnerability at the entity level.	`8.1`
`vulnerability.davis_assessment.vulnerable_function_status`	string	stable Usage status of the vulnerable functions causing the vulnerability at the entity level.	`IN_USE`; `NOT_AVAILABLE`; `NOT_IN_USE`
`vulnerability.description`	string	stable Description of the vulnerability.	`More detailed description about improper input validation vulnerability.`
`vulnerability.display_id`	string	stable Dynatrace user-readable identifier for the vulnerability.	`S-1234`
`vulnerability.external_id`	string	stable External provider's unique identifier for the vulnerability.	`SNYK-JAVA-ORGAPACHEHTTPCOMPONENTS-30646`
`vulnerability.external_url`	string	stable External provider's URL to the details page of the vulnerability.	`https://example.com`
`vulnerability.first_seen`	timestamp	stable Timestamp of when the vulnerability at the entity level was first detected.	`2023-03-22T13:19:36.945Z`
`vulnerability.id`	string	stable Dynatrace unique identifier for the vulnerability.	`2039861408676243188`
`vulnerability.is_fix_available`	boolean	experimental Indicates if a vulnerability fix is available.
`vulnerability.mute.change_date`	timestamp	stable Timestamp of the last muted or unmuted action of the vulnerability at the entity level.	`2023-03-22T13:19:36.945Z`
`vulnerability.mute.comment`	string	experimental Comment for muting or unmuting the vulnerability at entity level.	`Muted because it's a false positive.`
`vulnerability.mute.reason`	string	stable Reason for muting or unmuting the vulnerability at the entity level.	`FALSE_POSITIVE`; `IGNORE`; `AFFECTED`; `CONFIGURATION_NOT_AFFECTED`; `OTHER`
`vulnerability.mute.status`	string	stable Mute status of the vulnerability at the entity level.	`MUTED`; `NOT_MUTED`
`vulnerability.mute.user`	string	stable User who last changed the mute status of the vulnerability at the entity level.	`user@example.com`
`vulnerability.parent.davis_assessment.assessment_mode`	string	stable Availability of the information based on which the vulnerability assessment has been done.	`FULL`; `NOT_AVAILABLE`; `REDUCED`
`vulnerability.parent.davis_assessment.data_assets_status`	string	stable Vulnerability's reachability of related data assets by affected entities.	`NOT_AVAILABLE`; `NOT_DETECTED`; `REACHABLE`
`vulnerability.parent.davis_assessment.exposure_status`	string	stable Vulnerability's internet exposure status.	`NOT_AVAILABLE`; `NOT_DETECTED`; `PUBLIC_NETWORK`; `ADJACENT_NETWORK`
`vulnerability.parent.davis_assessment.level`	string	stable Vulnerability's Davis Security Score level.	`LOW`; `MEDIUM`; `HIGH`; `CRITICAL`; `NONE`
`vulnerability.parent.davis_assessment.score`	double	stable Vulnerability's Davis Security Score (1-10) calculated by Dynatrace.	`8.1`
`vulnerability.parent.davis_assessment.vulnerable_function_status`	string	stable Usage status of vulnerable functions causing the vulnerability. Status is `IN_USE` when there's at least one vulnerable function in use by an application.	`IN_USE`; `NOT_AVAILABLE`; `NOT_IN_USE`
`vulnerability.parent.first_seen`	string	stable Timestamp of when the vulnerability was first detected.	`2023-03-22T13:19:36.945Z`
`vulnerability.parent.mute.change_date`	timestamp	stable Timestamp of the last mute or unmute action of the vulnerability.	`2023-03-22T13:19:36.945Z`
`vulnerability.parent.mute.reason`	string	stable Reason for muting or unmuting the vulnerability.	`FALSE_POSITIVE`; `IGNORE`; `AFFECTED`; `CONFIGURATION_NOT_AFFECTED`; `OTHER`
`vulnerability.parent.mute.status`	string	stable Vulnerability's mute status.	`MUTED`; `NOT_MUTED`
`vulnerability.parent.mute.user`	string	stable User who last changed the vulnerability's mute status.	`user@example.com`
`vulnerability.parent.resolution.change_date`	string	stable Timestamp of the vulnerability's last resolution status change.	`2023-03-22T13:19:37.466Z`
`vulnerability.parent.resolution.status`	string	stable Current status of the vulnerability.	`OPEN`; `RESOLVED`
`vulnerability.parent.risk.level`	string	stable Vulnerability's risk score level defined by the provider. For Dynatrace, the Davis Security Score level.	`LOW`; `MEDIUM`; `HIGH`; `CRITICAL`; `NONE`
`vulnerability.parent.risk.score`	double	stable Vulnerability's risk score defined by the provider. For Dynatrace, Davis Security Score.	`8.1`
`vulnerability.previous.cvss.base_score`	double	stable Vulnerability's previous CVSS base score (in case the CVSS base score has changed).	`8.1`
`vulnerability.previous.davis_assessment.data_assets_status`	string	stable Vulnerability's previous reachability of related data assets by affected entities (in case the reachability has changed).	`NOT_AVAILABLE`; `NOT_DETECTED`; `REACHABLE`
`vulnerability.previous.davis_assessment.exploit_status`	string	stable Vulnerability's previous public exploit status (in case the public exploit status has changed).	`AVAILABLE`; `NOT_AVAILABLE`
`vulnerability.previous.davis_assessment.exposure_status`	string	stable Vulnerability's previous internet exposure status (in case the internet exposure status has changed).	`NOT_AVAILABLE`; `NOT_DETECTED`; `PUBLIC_NETWORK`; `ADJACENT_NETWORK`
`vulnerability.previous.davis_assessment.level`	string	stable Vulnerability's previous risk level (in case the risk level has changed).	`LOW`; `MEDIUM`; `HIGH`; `CRITICAL`; `NONE`
`vulnerability.previous.davis_assessment.score`	double	stable Vulnerability's previous Davis Security Score (in case Davis Security Score has changed).	`8.1`
`vulnerability.previous.davis_assessment.vulnerable_function_status`	string	stable Vulnerability's previous vulnerable function status (in case the vulnerable function status has changed).	`IN_USE`; `NOT_AVAILABLE`; `NOT_IN_USE`
`vulnerability.previous.mute.change_date`	string	stable Timestamp of the vulnerability's previous mute status (in case the mute status has changed).	`2023-03-22T13:19:36.945Z`
`vulnerability.previous.mute.comment`	string	experimental Comment of the vulnerability's previous mute status.	`Muted because it's a false positive.`
`vulnerability.previous.mute.reason`	string	stable Reason for last muting or unmuting the vulnerability (in case the reason for muting or unmuting the vulnerability has changed).	`Muted: False positive`
`vulnerability.previous.mute.status`	string	stable Vulnerability's previous mute status (in case the mute status has changed).	`MUTED`; `NOT_MUTED`
`vulnerability.previous.mute.user`	string	stable User who last changed the vulnerability's mute status (in case the mute status was last changed by a different user).	`user@example.com`
`vulnerability.previous.resolution.status`	string	stable Vulnerability's previous resolution status (in case the resolution status has changed).	`OPEN`; `RESOLVED`
`vulnerability.previous.risk.level`	string	stable Vulnerability's previous risk score level (in case the risk score level has changed).	`LOW`; `MEDIUM`; `HIGH`; `CRITICAL`
`vulnerability.previous.risk.score`	double	stable Vulnerability's previous risk score (in case the risk score has changed).	`8.1`
`vulnerability.previous.tracking_link.text`	string	experimental Display text of the previous tracking link that was set by the user.	`P-1000 Vulnerability CVE-2024-0001`
`vulnerability.previous.tracking_link.url`	string	experimental URL of the previous tracking link that was set by the user.	`https://example.com/Project1/P-1000`
`vulnerability.references.cve`	string[]	stable List of the vulnerability's CVE IDs.	`[CVE-2021-41079]`
`vulnerability.references.cwe`	string[]	stable List of the vulnerability's CWE IDs.	`[CWE-20]`
`vulnerability.references.owasp`	string[]	stable List of vulnerability's OWASP IDs.	`[2021:A3]`
`vulnerability.remediation.description`	string	experimental Description of the vulnerability's remediation advice.	`Upgrade component to version 1.2.3 or higher`
`vulnerability.resolution.change_date`	timestamp	stable Timestamp of the last resolution status change of the vulnerability at the entity level.	`2023-03-22T13:19:37.466Z`
`vulnerability.resolution.status`	string	stable Resolution status of the vulnerability at the entity level.	`OPEN`; `RESOLVED`
`vulnerability.risk.level`	string	stable Vulnerability's risk score level defined by the provider at the entity level. For Dynatrace, the Davis Security Score level.	`LOW`; `MEDIUM`; `HIGH`; `CRITICAL`; `NONE`
`vulnerability.risk.scale`	string	stable Scale by which the risk score and risk score level defined by the provider for the vulnerability at the entity level are measured.	`Davis Security Score`
`vulnerability.risk.score`	double	stable Risk score defined by the provider for the vulnerability at the entity level. For Dynatrace, Davis Security Score.	`8.1`
`vulnerability.stack`	string	experimental Level of the vulnerable component in the technological stack.	`CODE`; `CODE_LIBRARY`; `SOFTWARE`; `CONTAINER_ORCHESTRATION`
`vulnerability.technology`	string	stable Technology of the vulnerable component.	`JAVA`; `DOTNET`; `GO`; `PHP`; `NODE_JS`
`vulnerability.title`	string	stable Title of the vulnerability.	`Improper Input Validation`
`vulnerability.tracking_link.text`	string	experimental Display text of the tracking link that was set by the user.	`P-1000 Vulnerability CVE-2024-0001`
`vulnerability.tracking_link.url`	string	experimental URL of the tracking link that was set by the user.	`https://example.com/Project1/P-1000`
`vulnerability.type`	string	stable Classification of the vulnerability based on commonly accepted enums, such as CWE.	`Improper Input Validation`
`vulnerability.url`	string	stable Dynatrace URL to the details page of the vulnerability. \|	`https://example.com`

Entity change events: Environmental data

This section contains information about the vulnerability's affected entity and related entities.

Affected entity

Attribute	Type	Description	Examples
`affected_entity.affected_processes.ids`	array	resource stable IDs of the processes that are currently affected by the vulnerability.	`PROCESS_GROUP_INSTANCE-1`
`affected_entity.affected_processes.names`	array	resource stable Names of the processes that are currently affected by the vulnerability.	`prod_process_group_instance_1`
`affected_entity.id`	string	resource stable ID of the affected entity.	`PROCESS_GROUP-1`; `HOST-1`
`affected_entity.management_zones.ids`	array	resource stable IDs of the management zones to which the affected entity belongs.	`mzid1`
`affected_entity.management_zones.names`	array	resource stable Names of the management zones to which the affected entity belongs.	`mz1`
`affected_entity.name`	string	resource stable Name of the affected entity.	`prod_process_group_1`; `prod_host`
`affected_entity.reachable_data_assets.count`	long	resource experimental Number of reachable data assets.	`1`
`affected_entity.reachable_data_assets.ids`	array	resource experimental IDs of the data assets that can be reached by the affected entities of the vulnerability.	`DATABASE-1`
`affected_entity.reachable_data_assets.names`	array	resource experimental Names of the data assets that can be reached by the affected entities of the vulnerability.	`prod_database_1`
`affected_entity.type`	string	resource stable Type of affected entity.	`PROCESS_GROUP`; `HOST`; `KUBERNETES_NODE`
`affected_entity.vulnerable_component.id`	string	resource stable ID of the vulnerable component causing the vulnerability.	`SOFTWARE_COMPONENT-D8FCFFB4FDF7A3FF`
`affected_entity.vulnerable_component.name`	string	resource stable Name of the vulnerable component causing the vulnerability.	`log4j-core-2.6.2.jar`
`affected_entity.vulnerable_component.package_name`	string	resource experimental Package name of the vulnerable component causing the vulnerability.	`k8s.io/kubernetes`; `github.com/kubernetes/kubernetes/pkg/kubelet/kuberuntime`
`affected_entity.vulnerable_component.short_name`	string	resource stable Short name of the vulnerable component causing the vulnerability.	`log4j`
`affected_entity.vulnerable_functions`	array	resource stable Vulnerable functions detected, containing or causing the vulnerability.	`org.springframework.beans.CachedIntrospectionResults:init`; `java.lang.ProcessBuilder.<init>(String[])`; `(*DB).queryDC() (/usr/local/go/src/database/sql/sql.go)`
`affected_entity.vulnerable_functions_not_available`	array	resource experimental Vulnerable functions detected which Dynatrace can't tell if they're in use due to limited insights.	`org.springframework.beans.CachedIntrospectionResults:init`; `java.lang.ProcessBuilder.<init>(String[])`; `(*DB).queryDC() (/usr/local/go/src/database/sql/sql.go)`
`affected_entity.vulnerable_functions_not_in_use`	array	resource experimental Vulnerable functions detected which are not actively used.	`org.springframework.beans.CachedIntrospectionResults:init`; `java.lang.ProcessBuilder.<init>(String[])`; `(*DB).queryDC() (/usr/local/go/src/database/sql/sql.go)`

Attribute	Type	Description	Examples
`related_entities.applications.count`	long	resource stable Number of related applications.	`1`
`related_entities.applications.ids`	array	resource stable IDs of the applications related to the vulnerability's affected entities.	`APPLICATION-1`
`related_entities.databases.count`	long	resource stable Number of related databases.	`1`
`related_entities.databases.ids`	array	resource stable IDs of the databases related to the vulnerability's affected entities.	`DATABASE-1`
`related_entities.hosts.count`	long	resource stable Number of related hosts.	`1`
`related_entities.hosts.ids`	array	resource stable IDs of the hosts related to the vulnerability's affected entities.	`HOST-1`
`related_entities.kubernetes_clusters.count`	long	resource stable Number of related Kubernetes clusters.	`1`
`related_entities.kubernetes_clusters.ids`	array	resource stable IDs of the Kubernetes clusters related to the vulnerability's affected entities.	`KUBERNETES_CLUSTER-1`
`related_entities.kubernetes_workloads.count`	long	resource stable Number of related Kubernetes workloads.	`1`
`related_entities.kubernetes_workloads.ids`	array	resource stable IDs of the Kubernetes workloads related to the vulnerability's affected entities.	`KUBERNETES_WORKLOAD-1`
`related_entities.services.count`	long	resource stable Number of related services.	`1`
`related_entities.services.ids`	array	resource stable IDs of the services related to the vulnerability's affected entities.	`SERVICE-1`

Entity state events

Entity state events are historical vulnerability states reported at the entity level. The current vulnerability state per entity is exported to Grail regularly.

Query

Query entity state events.

fetch security.events
| filter event.category == "VULNERABILITY_MANAGEMENT"
| filter event.type == "VULNERABILITY_STATE_REPORT_EVENT"
| filter event.level == "ENTITY"

Entity state: Event data

This section contains general event information.

Attribute	Type	Description	Examples
`event.category`	string	stable Categorization based on the product and data generating this event.	`VULNERABILITY_MANAGEMENT`
`event.description`	string	stable Human-readable description of an event.	`S-49 Remote Code Execution state event reported`
`event.group_label`	string	experimental Group label of an event.	`STATE_REPORT`
`event.kind`	string	stable Gives high-level information about what kind of information the event contains without being specific about the contents of the event. It helps to determine the record type of a raw event. Tags: `permission`	`SECURITY_EVENT`
`event.level`	string	resource stable Main reference point to which the event or data is related. Possible values are `Vulnerability` (shows the global aggregation across the entire environment and comprises all entities and management zones) and `Entity` (shows the assessment based on the entity itself).	`ENTITY`
`event.name`	string	stable The human readable display name of an event type.	`Vulnerability historical state report event`
`event.provider`	string	stable Source of the event, for example, the name of the component or system that generated the event. Tags: `permission`	`OneAgent`; `K8S`; `Davis`; `VMWare`; `GCP`; `AWS`; `LIMA_USAGE_STREAM`
`event.provider_product`	string	resource stable Name of the product providing this event.	`Runtime Vulnerability Analytics`; `Snyk Container`
`event.status`	string	stable Status of an event as being either Active or Closed.	`OPEN`; `RESOLVED`; `MUTED`
`event.type`	string	stable The unique type identifier of a given event. Tags: `permission`	`VULNERABILITY_STATE_REPORT_EVENT`
`timestamp`	timestamp	stable The time (UNIX Epoch time in nanoseconds) when the event originated, typically when it was created by the source.	`1649822520123123123`

Entity state: Vulnerability data

This section contains information about the vulnerability at the entity level and its global vulnerability, with a focus on the affected entities.

Attribute	Type	Description	Examples
`entry_points.entry_point_jsons`	string[]	resource experimental JSON representation of entry points of a vulnerability.	`[{ "entry_point.url.path": "/user/2/bio", "entry_point.payload": "UPDATE bio SET bio_text = '' WHERE 1 = 0; TRUNCATE TABLE bio; --' WHERE user_id = 2", "entry_point.user_controlled_inputs_json": [{ "user_controlled_input.type": "HTTP_PARAMETER_VALUE", "user_controlled_input.key": "username", "user_controlled_input.value": "' OR 100=100 -- 0'", "user_controlled_input.payload.start": "56", "user_controlled_input.payload.end": "73", "user_controlled_input.is_malicious": true}]}]`
`vulnerability.code_location.name`	string	stable Name of the code location where the code-level vulnerability was detected.	`org.dynatrace.profileservice.BioController.markdownToHtml(String):80`
`vulnerability.cvss.base_score`	double	stable Vulnerability's CVSS base score provided by NVD.	`8.1`
`vulnerability.cvss.vector`	string	experimental Vulnerability's CVSS vector defined by the provider.	`CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:L/SI:L/SA:L`; `CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:L/A:H/E:P/RL:T/RC:U/CR:L/IR:M/AR:H`
`vulnerability.cvss.version`	string	stable Vulnerability's CVSS score version.	`3.1`; `4.0`
`vulnerability.davis_assessment.assessment_mode`	string	stable Availability of the information based on which the assessment of the vulnerability at the entity level has been done.	`FULL`; `NOT_AVAILABLE`; `REDUCED`
`vulnerability.davis_assessment.assessment_mode_reasons`	string[]	experimental Reasons for the assessment mode at the entity level.	`[LIMITED_BY_CONFIGURATION, LIMITED_AGENT_SUPPORT]`
`vulnerability.davis_assessment.data_assets_status`	string	stable Affected entity's reachability by a database.	`NOT_AVAILABLE`; `NOT_DETECTED`; `REACHABLE`
`vulnerability.davis_assessment.exploit_status`	string	stable Public exploits status of the vulnerability at the entity level.	`AVAILABLE`; `NOT_AVAILABLE`
`vulnerability.davis_assessment.exposure_status`	string	stable Internet exposure status of the vulnerability at the entity level.	`NOT_AVAILABLE`; `NOT_DETECTED`; `PUBLIC_NETWORK`; `ADJACENT_NETWORK`
`vulnerability.davis_assessment.level`	string	stable Risk level, based on Davis Security Score, of the vulnerability at the entity level.	`LOW`; `MEDIUM`; `HIGH`; `CRITICAL`; `NONE`
`vulnerability.davis_assessment.score`	double	stable Davis Security Score (1-10) calculated by Dynatrace for the vulnerability at the entity level.	`8.1`
`vulnerability.davis_assessment.vector`	string	experimental Vulnerability's CVSS vector, adjusted with observability data; this vector is calculated by Dynatrace.	`CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:L/SI:L/SA:L`; `CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:L/A:H/E:P/RL:T/RC:U/CR:L/IR:M/AR:H`
`vulnerability.davis_assessment.vulnerable_function_status`	string	stable Usage status of the vulnerable functions causing the vulnerability at the entity level.	`IN_USE`; `NOT_AVAILABLE`; `NOT_IN_USE`
`vulnerability.description`	string	stable Description of the vulnerability.	`More detailed description about improper input validation vulnerability.`
`vulnerability.display_id`	string	stable Dynatrace user-readable identifier for the vulnerability.	`S-1234`
`vulnerability.external_id`	string	stable External provider's unique identifier for the vulnerability.	`SNYK-JAVA-ORGAPACHEHTTPCOMPONENTS-30646`
`vulnerability.external_url`	string	stable External provider's URL to the details page of the vulnerability.	`https://example.com`
`vulnerability.id`	string	stable Dynatrace unique identifier for the vulnerability.	`2039861408676243188`
`vulnerability.is_fix_available`	boolean	experimental Indicates if a vulnerability fix is available.
`vulnerability.mute.change_date`	timestamp	stable Timestamp of the last muted or unmuted action of the vulnerability at the entity level.	`2023-03-22T13:19:36.945Z`
`vulnerability.mute.comment`	string	experimental Comment for muting or unmuting the vulnerability at entity level.	`Muted because it's a false positive.`
`vulnerability.mute.reason`	string	stable Reason for muting or unmuting the vulnerability at the entity level.	`FALSE_POSITIVE`; `IGNORE`; `AFFECTED`; `CONFIGURATION_NOT_AFFECTED`; `OTHER`
`vulnerability.mute.status`	string	stable Mute status of the vulnerability at the entity level.	`MUTED`; `NOT_MUTED`
`vulnerability.mute.user`	string	stable User who last changed the mute status of the vulnerability at the entity level.	`user@example.com`
`vulnerability.parent.davis_assessment.assessment_mode`	string	stable Availability of the information based on which the vulnerability assessment has been done.	`FULL`; `NOT_AVAILABLE`; `REDUCED`
`vulnerability.parent.davis_assessment.data_assets_status`	string	stable Vulnerability's reachability of related data assets by affected entities.	`NOT_AVAILABLE`; `NOT_DETECTED`; `REACHABLE`
`vulnerability.parent.davis_assessment.exposure_status`	string	stable Vulnerability's internet exposure status.	`NOT_AVAILABLE`; `NOT_DETECTED`; `PUBLIC_NETWORK`; `ADJACENT_NETWORK`
`vulnerability.parent.davis_assessment.level`	string	stable Vulnerability's Davis Security Score level.	`LOW`; `MEDIUM`; `HIGH`; `CRITICAL`; `NONE`
`vulnerability.parent.davis_assessment.score`	double	stable Vulnerability's Davis Security Score (1-10) calculated by Dynatrace.	`8.1`
`vulnerability.parent.davis_assessment.vulnerable_function_status`	string	stable Usage status of vulnerable functions causing the vulnerability. Status is `IN_USE` when there's at least one vulnerable function in use by an application.	`IN_USE`; `NOT_AVAILABLE`; `NOT_IN_USE`
`vulnerability.parent.first_seen`	string	stable Timestamp of when the vulnerability was first detected.	`2023-03-22T13:19:36.945Z`
`vulnerability.parent.mute.change_date`	timestamp	stable Timestamp of the last mute or unmute action of the vulnerability.	`2023-03-22T13:19:36.945Z`
`vulnerability.parent.mute.reason`	string	stable Reason for muting or unmuting the vulnerability.	`FALSE_POSITIVE`; `IGNORE`; `AFFECTED`; `CONFIGURATION_NOT_AFFECTED`; `OTHER`
`vulnerability.parent.mute.status`	string	stable Vulnerability's mute status.	`MUTED`; `NOT_MUTED`
`vulnerability.parent.mute.user`	string	stable User who last changed the vulnerability's mute status.	`user@example.com`
`vulnerability.parent.resolution.change_date`	string	stable Timestamp of the vulnerability's last resolution status change.	`2023-03-22T13:19:37.466Z`
`vulnerability.parent.resolution.status`	string	stable Current status of the vulnerability.	`OPEN`; `RESOLVED`
`vulnerability.parent.risk.level`	string	stable Vulnerability's risk score level defined by the provider. For Dynatrace, the Davis Security Score level.	`LOW`; `MEDIUM`; `HIGH`; `CRITICAL`; `NONE`
`vulnerability.parent.risk.score`	double	stable Vulnerability's risk score defined by the provider. For Dynatrace, Davis Security Score.	`8.1`
`vulnerability.references.cve`	string[]	stable List of the vulnerability's CVE IDs.	`[CVE-2021-41079]`
`vulnerability.references.cwe`	string[]	stable List of the vulnerability's CWE IDs.	`[CWE-20]`
`vulnerability.references.owasp`	string[]	stable List of vulnerability's OWASP IDs.	`[2021:A3]`
`vulnerability.remediation.description`	string	experimental Description of the vulnerability's remediation advice.	`Upgrade component to version 1.2.3 or higher`
`vulnerability.resolution.change_date`	timestamp	stable Timestamp of the last status change of the vulnerability at the entity level.	`2023-03-22T13:19:37.466Z`
`vulnerability.resolution.status`	string	stable Resolution status of the vulnerability at the entity level.	`OPEN`; `RESOLVED`
`vulnerability.risk.level`	string	stable Vulnerability's risk score level defined by the provider at the entity level. For Dynatrace, the Davis Security Score level.	`LOW`; `MEDIUM`; `HIGH`; `CRITICAL`; `NONE`
`vulnerability.risk.scale`	string	stable Scale by which the risk score and risk score level defined by the provider for the vulnerability at the entity level are measured.	`Davis Security Score`
`vulnerability.risk.score`	double	stable Risk score defined by the provider for the vulnerability at the entity level. For Dynatrace, Davis Security Score.	`8.1`
`vulnerability.stack`	string	experimental Level of the vulnerable component in the technological stack.	`CODE`; `CODE_LIBRARY`; `SOFTWARE`; `CONTAINER_ORCHESTRATION`
`vulnerability.technology`	string	stable Technology of the vulnerable component.	`JAVA`; `DOTNET`; `GO`; `PHP`; `NODE_JS`
`vulnerability.title`	string	stable Title of the vulnerability.	`Improper Input Validation`
`vulnerability.tracking_link.text`	string	experimental Display text of the tracking link that was set by the user.	`P-1000 Vulnerability CVE-2024-0001`
`vulnerability.tracking_link.url`	string	experimental URL of the tracking link that was set by the user.	`https://example.com/Project1/P-1000`
`vulnerability.type`	string	stable Classification of the vulnerability based on commonly accepted enums, such as CWE.	`Improper Input Validation`
`vulnerability.url`	string	stable Dynatrace URL to the details page of the vulnerability. \|	`https://example.com`

Entity state: Environmental data

This section contains information about the vulnerability's affected and related entities.

Affected entities

Attribute	Type	Description	Examples
`affected_entity.affected_processes.ids`	array	resource stable IDs of the processes that are currently affected by the vulnerability.	`PROCESS_GROUP_INSTANCE-1`
`affected_entity.affected_processes.names`	array	resource stable Names of the processes that are currently affected by the vulnerability.	`prod_process_group_instance_1`
`affected_entity.id`	string	resource stable ID of the affected entity.	`PROCESS_GROUP-1`; `HOST-1`
`affected_entity.management_zones.ids`	array	resource stable IDs of the management zones to which the affected entity belongs.	`mzid1`
`affected_entity.management_zones.names`	array	resource stable Names of the management zones to which the affected entity belongs.	`mz1`
`affected_entity.name`	string	resource stable Name of the affected entity.	`prod_process_group_1`; `prod_host`
`affected_entity.reachable_data_assets.count`	long	resource experimental Number of reachable data assets.	`1`
`affected_entity.reachable_data_assets.ids`	array	resource experimental IDs of the data assets that can be reached by the affected entities of the vulnerability.	`DATABASE-1`
`affected_entity.reachable_data_assets.names`	array	resource experimental Names of the data assets that can be reached by the affected entities of the vulnerability.	`prod_database_1`
`affected_entity.type`	string	resource stable Type of affected entity.	`PROCESS_GROUP`; `HOST`; `KUBERNETES_NODE`
`affected_entity.vulnerable_component.id`	string	resource stable ID of the vulnerable component causing the vulnerability.	`SOFTWARE_COMPONENT-D8FCFFB4FDF7A3FF`
`affected_entity.vulnerable_component.name`	string	resource stable Name of the vulnerable component causing the vulnerability.	`log4j-core-2.6.2.jar`
`affected_entity.vulnerable_component.package_name`	string	resource experimental Package name of the vulnerable component causing the vulnerability.	`k8s.io/kubernetes`; `github.com/kubernetes/kubernetes/pkg/kubelet/kuberuntime`
`affected_entity.vulnerable_component.short_name`	string	resource stable Short name of the vulnerable component causing the vulnerability.	`log4j`
`affected_entity.vulnerable_functions`	array	resource stable Vulnerable functions detected, containing or causing the vulnerability.	`org.springframework.beans.CachedIntrospectionResults:init`; `java.lang.ProcessBuilder.<init>(String[])`; `(*DB).queryDC() (/usr/local/go/src/database/sql/sql.go)`
`affected_entity.vulnerable_functions_not_available`	array	resource experimental Vulnerable functions detected which Dynatrace can't tell if they're in use due to limited insights.	`org.springframework.beans.CachedIntrospectionResults:init`; `java.lang.ProcessBuilder.<init>(String[])`; `(*DB).queryDC() (/usr/local/go/src/database/sql/sql.go)`
`affected_entity.vulnerable_functions_not_in_use`	array	resource experimental Vulnerable functions detected which are not actively used.	`org.springframework.beans.CachedIntrospectionResults:init`; `java.lang.ProcessBuilder.<init>(String[])`; `(*DB).queryDC() (/usr/local/go/src/database/sql/sql.go)`

Attribute	Type	Description	Examples
`related_entities.applications.count`	long	resource stable Number of related applications.	`1`
`related_entities.applications.ids`	array	resource stable IDs of the applications related to the vulnerability's affected entities.	`APPLICATION-1`
`related_entities.applications.names`	array	resource stable Names of the applications related to the vulnerability's affected entities.	`prod_application_1`
`related_entities.databases.count`	long	resource stable Number of related databases.	`1`
`related_entities.databases.ids`	array	resource stable IDs of the databases related to the vulnerability's affected entities.	`DATABASE-1`
`related_entities.databases.names`	array	resource stable Names of the databases related to the vulnerability's affected entities.	`prod_database_1`
`related_entities.hosts.count`	long	resource stable Number of related hosts.	`1`
`related_entities.hosts.ids`	array	resource stable IDs of the hosts related to the vulnerability's affected entities.	`HOST-1`
`related_entities.hosts.names`	array	resource stable Names of the hosts related to the vulnerability's affected entities.	`prod_host_1`
`related_entities.kubernetes_clusters.count`	long	resource stable Number of related Kubernetes clusters.	`1`
`related_entities.kubernetes_clusters.ids`	array	resource stable IDs of the Kubernetes clusters related to the vulnerability's affected entities.	`KUBERNETES_CLUSTER-1`
`related_entities.kubernetes_clusters.names`	array	resource stable Names of the Kubernetes clusters related to the vulnerability's affected entities.	`prod_kubernetes_cluster_1`
`related_entities.kubernetes_workloads.count`	long	resource stable Number of related Kubernetes workloads.	`1`
`related_entities.kubernetes_workloads.ids`	array	resource stable IDs of the Kubernetes workloads related to the vulnerability's affected entities.	`KUBERNETES_WORKLOAD-1`
`related_entities.kubernetes_workloads.names`	array	resource stable Names of the Kubernetes workloads related to the vulnerability's affected entities.	`prod_kubernetes_workload_1`
`related_entities.services.count`	long	resource stable Number of related services.	`1`
`related_entities.services.ids`	array	resource stable IDs of the services related to the vulnerability's affected entities.	`SERVICE-1`
`related_entities.services.names`	array	resource stable Names of the services related to the vulnerability's affected entities.	`prod_service_1`

Vulnerability change events

Vulnerability change events are change events at the vulnerability level. An event is generated whenever a vulnerability undergoes a status or assessment change.

Query

Query vulnerability status change events.

fetch security.events
| filter event.category == "VULNERABILITY_MANAGEMENT"
| filter event.type == "VULNERABILITY_STATUS_CHANGE_EVENT"

Query vulnerability assessment change events.

fetch security.events
| filter event.category == "VULNERABILITY_MANAGEMENT"
| filter event.type == "VULNERABILITY_ASSESSMENT_CHANGE_EVENT"

Vulnerability state: Event data

This section contains general event information.

Attribute	Type	Description	Examples
`event.category`	string	stable Standard categorization based on the significance of an event according to the ITIL event management standard (previously known as `severity level`).	`VULNERABILITY_MANAGEMENT`
`event.change_list`	array	resource stable List of attributes updated as part of the change event. Values in the list match a `previous` field.	`vulnerability.risk.score`; `affected_entities.count`; `related_entities.databases.count`
`event.description`	string	stable Human-readable description of an event.	`S-49 Remote Code Execution status has changed to OPEN.`; `S-49 Remote Code Execution assessment has changed.`
`event.group_label`	string	experimental Group label of an event.	`CHANGE_EVENT`
`event.kind`	string	stable Gives high-level information about what kind of information the event contains without being specific about the contents of the event. It helps to determine the record type of a raw event. Tags: `permission`	`SECURITY_EVENT`
`event.level`	string	resource stable Main reference point to which the event or data is related. Possible values are `Vulnerability` (shows the global aggregation across the entire environment and comprises all entities and management zones) and `Entity` (shows the assessment based on the entity itself).	`VULNERABILITY`
`event.name`	string	stable The human readable display name of an event type.	`Vulnerability status change event`; `Vulnerability assessment change event`
`event.provider`	string	stable Source of the event, for example, the name of the component or system that generated the event. Tags: `permission`	`Dynatrace`
`event.provider_product`	string	resource stable Name of the product providing this event.	`Runtime Vulnerability Analytics`; `Snyk Container`
`event.status`	string	stable Status of an event as being either Active or Closed.	`OPEN`; `RESOLVED`; `MUTED`
`event.status_transition`	string	experimental An enum that shows the transition of the above event state.	`NEW_OPEN`; `REOPEN`; `CLOSE`; `MUTE`; `UNMUTE`
`event.trigger.type`	string	resource stable Type of event trigger (for example, whether it was generated by the system, ingested via API, or triggered by the user).	`DT_PLATFORM`; `USER_ACTION`
`event.trigger.user`	string	resource stable ID of the user who triggered the event. If generated by Dynatrace, the value is `SYSTEM`.	`SYSTEM`; `<user_id>`
`event.type`	string	stable The unique type identifier of a given event. Tags: `permission`	`VULNERABILITY_STATUS_CHANGE_EVENT`; `VULNERABILITY_ASSESSMENT_CHANGE_EVENT`
`timestamp`	timestamp	stable The time (UNIX Epoch time in nanoseconds) when the event originated, typically when it was created by the source.	`1649822520123123123`

Vulnerability state: Vulnerability data

This section contains information about the vulnerability and its status and assessment changes.

Attribute	Type	Description	Examples
`vulnerability.cvss.base_score`	double	stable Vulnerability's CVSS base score provided by NVD.	`8.1`
`vulnerability.cvss.vector`	string	experimental Vulnerability's CVSS vector defined by the provider.	`CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:L/SI:L/SA:L`; `CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:L/A:H/E:P/RL:T/RC:U/CR:L/IR:M/AR:H`
`vulnerability.cvss.version`	string	stable Vulnerability's CVSS score version.	`3.1`; `4.0`
`vulnerability.davis_assessment.assessment_mode`	string	stable Availability of the information based on which the vulnerability assessment has been done.	`FULL`; `NOT_AVAILABLE`; `REDUCED`
`vulnerability.davis_assessment.assessment_mode_reasons`	string[]	experimental Reasons for the assessment mode.	`[LIMITED_BY_CONFIGURATION, LIMITED_AGENT_SUPPORT]`
`vulnerability.davis_assessment.data_assets_status`	string	stable Vulnerability's reachability of related data assets by affected entities.	`NOT_AVAILABLE`; `NOT_DETECTED`; `REACHABLE`
`vulnerability.davis_assessment.exploit_status`	string	stable Vulnerability's public exploits status.	`AVAILABLE`; `NOT_AVAILABLE`
`vulnerability.davis_assessment.exposure_status`	string	stable Vulnerability's internet exposure status.	`NOT_AVAILABLE`; `NOT_DETECTED`; `PUBLIC_NETWORK`; `ADJACENT_NETWORK`
`vulnerability.davis_assessment.level`	string	stable Vulnerability's risk level based on Davis Security Score.	`LOW`; `MEDIUM`; `HIGH`; `CRITICAL`; `NONE`
`vulnerability.davis_assessment.score`	double	stable Vulnerability's Davis Security Score (1-10) calculated by Dynatrace.	`8.1`
`vulnerability.davis_assessment.vulnerable_function_status`	string	stable Usage status of the vulnerable functions causing the vulnerability.	`IN_USE`; `NOT_AVAILABLE`; `NOT_IN_USE`
`vulnerability.description`	string	stable Description of the vulnerability.	`More detailed description about improper input validation vulnerability.`
`vulnerability.display_id`	string	stable Dynatrace user-readable identifier for the vulnerability.	`S-1234`
`vulnerability.external_id`	string	stable External provider's unique identifier for the vulnerability.	`SNYK-JAVA-ORGAPACHEHTTPCOMPONENTS-30646`
`vulnerability.external_url`	string	stable External provider's URL to the details page of the vulnerability.	`https://example.com`
`vulnerability.first_seen`	timestamp	stable Timestamp of when the vulnerability was first detected.	`2023-03-22T13:19:36.945Z`
`vulnerability.id`	string	stable Dynatrace unique identifier for the vulnerability.	`2039861408676243188`
`vulnerability.is_fix_available`	boolean	experimental Indicates if a vulnerability fix is available.
`vulnerability.mute.change_date`	timestamp	stable Timestamp of the vulnerability's last muted or unmuted action.	`2023-03-22T13:19:36.945Z`
`vulnerability.mute.reason`	string	stable Reason for muting or unmuting the vulnerability.	`FALSE_POSITIVE`; `IGNORE`; `AFFECTED`; `CONFIGURATION_NOT_AFFECTED`; `OTHER`
`vulnerability.mute.status`	string	stable Vulnerability's mute status.	`MUTED`; `NOT_MUTED`
`vulnerability.mute.user`	string	stable User who last changed the vulnerability's mute status.	`user@example.com`
`vulnerability.previous.cvss.base_score`	double	stable Vulnerability's previous CVSS base score (in case the CVSS base score has changed).	`8.1`
`vulnerability.previous.cvss.vector`	string	experimental Vulnerability's previous CVSS vector defined by the provider (in case the CVSS vector has changed).	`CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:L/SI:L/SA:L`; `CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:L/A:H/E:P/RL:T/RC:U/CR:L/IR:M/AR:H`
`vulnerability.previous.davis_assessment.data_assets_status`	string	stable Vulnerability's previous reachability of related data assets by affected entities (in case the reachability has changed).	`NOT_AVAILABLE`; `NOT_DETECTED`; `REACHABLE`
`vulnerability.previous.davis_assessment.exploit_status`	string	stable Vulnerability's previous public exploit status (in case the public exploit status has changed).	`AVAILABLE`; `NOT_AVAILABLE`
`vulnerability.previous.davis_assessment.exposure_status`	string	stable Vulnerability's previous internet exposure status (in case the internet exposure status has changed).	`NOT_AVAILABLE`; `NOT_DETECTED`; `PUBLIC_NETWORK`; `ADJACENT_NETWORK`
`vulnerability.previous.davis_assessment.level`	string	stable Vulnerability's previous risk level (in case the risk level has changed).	`LOW`; `MEDIUM`; `HIGH`; `CRITICAL`; `NONE`
`vulnerability.previous.davis_assessment.score`	double	stable Vulnerability's previous Davis Security Score (in case Davis Security Score has changed).	`8.1`
`vulnerability.previous.davis_assessment.vulnerable_function_status`	string	stable Vulnerability's previous vulnerable function status (in case the vulnerable function status has changed).	`IN_USE`; `NOT_AVAILABLE`; `NOT_IN_USE`
`vulnerability.previous.mute.change_date`	string	stable Timestamp of the vulnerability's previous mute status (in case the mute status has changed).	`2023-03-22T13:19:36.945Z`
`vulnerability.previous.mute.reason`	string	stable Reason for last muting or unmuting the vulnerability (in case the reason for muting or unmuting the vulnerability has changed).	`Muted: False positive`
`vulnerability.previous.mute.status`	string	stable Vulnerability's previous mute status (in case the mute status has changed).	`MUTED`; `NOT_MUTED`
`vulnerability.previous.mute.user`	string	stable User who last changed the vulnerability's mute status (in case the mute status was last changed by a different user).	`user@example.com`
`vulnerability.previous.resolution.status`	string	stable Vulnerability's previous resolution status (in case the resolution status has changed).	`OPEN`; `RESOLVED`
`vulnerability.previous.risk.level`	string	stable Vulnerability's previous risk score level (in case the risk score level has changed).	`LOW`; `MEDIUM`; `HIGH`; `CRITICAL`
`vulnerability.previous.risk.score`	double	stable Vulnerability's previous risk score (in case the risk score has changed).	`8.1`
`vulnerability.references.cve`	string[]	stable List of the vulnerability's CVE IDs.	`[CVE-2021-41079]`
`vulnerability.references.cwe`	string[]	stable List of the vulnerability's CWE IDs.	`[CWE-20]`
`vulnerability.references.owasp`	string[]	stable List of vulnerability's OWASP IDs.	`[2021:A3]`
`vulnerability.remediation.description`	string	experimental Description of the vulnerability's remediation advice.	`Upgrade component to version 1.2.3 or higher`
`vulnerability.resolution.change_date`	timestamp	stable Timestamp of the vulnerability's last resolution status change.	`2023-03-22T13:19:37.466Z`
`vulnerability.resolution.status`	string	stable Vulnerability's resolution status.	`OPEN`; `RESOLVED`
`vulnerability.risk.level`	string	stable Vulnerability's risk score level defined by the provider. For Dynatrace, the Davis Security Score level.	`LOW`; `MEDIUM`; `HIGH`; `CRITICAL`; `NONE`
`vulnerability.risk.scale`	string	stable Scale by which the vulnerability's risk score and risk score level defined by the provider are measured.	`Davis Security Score`
`vulnerability.risk.score`	double	stable Vulnerability's risk score defined by the provider. For Dynatrace, Davis Security Score.	`8.1`
`vulnerability.stack`	string	experimental Level of the vulnerable component in the technological stack.	`CODE`; `CODE_LIBRARY`; `SOFTWARE`; `CONTAINER_ORCHESTRATION`
`vulnerability.technology`	string	stable Technology of the vulnerable component.	`JAVA`; `DOTNET`; `GO`; `PHP`; `NODE_JS`
`vulnerability.title`	string	stable Title of the vulnerability.	`Improper Input Validation`
`vulnerability.type`	string	stable Classification of the vulnerability based on commonly accepted enums, such as CWE.	`Improper Input Validation`
`vulnerability.url`	string	stable Dynatrace URL to the details page of the vulnerability. \|	`https://example.com`

Vulnerability change: Environmental data

Affected entities

This section contains information on changes regarding vulnerability's affected entities.

Attribute	Type	Description	Examples
`affected_entities.count`	long	resource stable Number of affected entities.	`1`
`affected_entities.hosts.count`	long	resource stable Number of affected hosts.	`2`
`affected_entities.kubernetes_nodes.count`	long	resource stable Number of affected nodes.	`2`
`affected_entities.previous.count`	long	resource deprecated Number of affected entities before the last change event.	`1`
`affected_entities.previous.hosts.count`	long	resource deprecated Number of affected hosts before the last change event.	`5`
`affected_entities.previous.kubernetes_nodes.count`	long	resource deprecated Number of affected Kubernetes nodes before the last change event.	`5`
`affected_entities.previous.process_groups.count`	long	resource deprecated Number of affected process groups before the last change event.	`2`
`affected_entities.process_groups.count`	long	resource stable Number of affected process groups.	`2`
`affected_entities.types`	array	resource stable Types of affected entities.	`PROCESS_GROUP`; `HOST`; `KUBERNETES_NODE`

This section contains information on changes regarding vulnerability's related entities.

Attribute	Type	Description	Examples
`related_entities.applications.count`	long	resource stable Number of related applications.	`1`
`related_entities.databases.count`	long	resource stable Number of related databases.	`1`
`related_entities.hosts.count`	long	resource stable Number of related hosts.	`1`
`related_entities.kubernetes_clusters.count`	long	resource stable Number of related Kubernetes clusters.	`1`
`related_entities.kubernetes_workloads.count`	long	resource stable Number of related Kubernetes workloads.	`1`
`related_entities.previous.databases.count`	long	resource deprecated Number of related databases before the last change event.	`1`
`related_entities.services.count`	long	resource stable Number of related services.	`1`

Vulnerability finding events

Vulnerability-finding events contain generic sections and fields like metadata, affected entity data and vulnerability data. They can also include extensions (such as container image data for container vulnerability findings) at the end of the page.

Vulnerability finding events: Metadata

This section contains meta information on the vulnerability-finding event.

Attribute	Type	Description	Examples
`event.description`	string	stable Human-readable description of an event.	`Vulnerability CVE-2023-45871 of component linux:4.19.269-1 was detected in your container image unguard-frontend:latest@054e1d39`
`event.id`	string	stable Unique identifier string of an event; is stable across multiple refreshes and updates.	`5547782627070661074_1647601320000`
`event.kind`	string	stable Gives high-level information about what kind of information the event contains without being specific about the contents of the event. It helps to determine the record type of a raw event. Tags: `permission`	`SECURITY_EVENT`
`event.name`	string	stable The human readable display name of an event type.	`Vulnerability finding event`
`event.provider`	string	stable Source of the event, for example, the name of the component or system that generated the event. Tags: `permission`	`Amazon ECR`
`event.type`	string	stable The unique type identifier of a given event. Tags: `permission`	`VULNERABILITY_FINDING`
`event.version`	string	experimental Describes the version of the event.	`1.309`
`timestamp`	timestamp	stable Time (UNIX Epoch time in nanoseconds) when the event originated, typically when the event was ingested into Dynatrace.	`1649822520123123123`

Vulnerability finding events: Vulnerability data

This section contains information about the vulnerability that caused the vulnerability-finding event (vulnerability ID, description, risk level, and so on).

Attribute	Type	Description	Examples
`dt.security.risk.level`	string	stable Risk score level, mapped and normalized by Dynatrace.	`LOW`; `MEDIUM`; `HIGH`; `CRITICAL`; `NONE`; `NOT_AVAILABLE`
`dt.security.risk.score`	double	stable Risk score, mapped and normalized by Dynatrace.	`8.1`
`vulnerability.cvss.base_score`	double	stable Vulnerability's CVSS base score provided by NVD.	`8.1`
`vulnerability.cvss.vector`	string	experimental Vulnerability's CVSS vector defined by the provider.	`CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:L/SI:L/SA:L`; `CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:L/A:H/E:P/RL:T/RC:U/CR:L/IR:M/AR:H`
`vulnerability.exploit.status`	string	experimental Whether there is a known exploit for the vulnerability.	`AVAILABLE`; `NOT_AVAILABLE`
`vulnerability.id`	string	stable Dynatrace unique identifier for the vulnerability.	`CVE-2019-19814`
`vulnerability.references.cve`	string[]	stable List of the vulnerability's CVE IDs.	`[CVE-2021-41079]`
`vulnerability.remediation.status`	string	experimental Indicates whether a fix for the vulnerability is available.	`AVAILABLE`; `NOT_AVAILABLE`
`vulnerability.risk.level`	string	stable Vulnerability's risk score level defined by the provider. For Dynatrace, the Davis Security Score level.	`LOW`; `MEDIUM`; `HIGH`; `CRITICAL`; `NONE`
`vulnerability.risk.score`	double	stable Vulnerability's risk score defined by the provider. For Dynatrace, Davis Security Score.	`8.1`
`vulnerability.title`	string	stable Title of the vulnerability.	`CVE-2019-19814`; `Improper input validation`
`vulnerability.type`	string	stable Classification of the vulnerability based on commonly accepted enums, such as CWE.	`Improper Input Validation`

Vulnerability finding events: Product data

This section contains information about the third-party product from where Dynatrace fetches data.

Attribute	Type	Description	Examples
`product.name`	string	resource experimental Product name.	`Tenable`; `Snyk`
`product.vendor`	string	resource experimental Product vendor.	`Tenable`; `Snyk`

Vulnerability finding events: Scan data

This section contains information about the scan that detected this vulnerability

Attribute	Type	Description	Examples
`scan.id`	string	resource experimental Unique identifier of the scan.	`00000000-0000-0000-0000-000000000000`
`scan.name`	string	resource experimental Name of the scan.	`US Cloud Scanner`
`scan.time.completed`	timestamp	resource experimental Time when the scan was completed.	`2024-06-24T04:47:21.154000000+02:00`
`scan.time.started`	timestamp	resource experimental Time when the scan was started.	`2024-06-24T04:47:21.154000000+02:00`

Extensions

Vulnerability finding events: Container image data

This section contains container-image—specific data.

Attribute	Type	Description	Examples
`container_image.digest`	string	resource experimental Container image digest uniquely and immutably identifying the vulnerable container image.	`sha256:054e1d39fb20a52f2c78caeb83574035462d3d2e627978d89a2834ce8cb69fe1`
`container_image.registry`	string	resource experimental Container image registry from which the finding originates.	`1294385647.eu-central-1`
`container_image.repository`	string	resource experimental Container image repository from which the finding originates.	`unguard-frontend`
`container_image.tags`	array	resource experimental List of tags of the vulnerable container image.	`[1.0.0]`; `[1.0.0, 1.0.0-nightly, latest]`

Attribute	Type	Description	Examples
`os.architecture`	string	resource experimental Architecture of the CPU, discovered from the operating system.	`X86`
`os.name`	string	resource stable The OS name in a short, human-readable format.	`iOS`
`os.type`	string	resource experimental Type of discovered operating system.	`LINUX`; `WINDOWS`
`os.version`	string	resource stable The complete OS version, including patch, build, and other information.	`15.3.1`; `Ubuntu 16.04.7 LTS (Xenial Xerus) (kernel 4.15.0-206-generic)`; `Windows Server 2022 Datacenter 21H2 2009, ver. 10.0.20348`

Attribute	Type	Description	Examples
`dt.entity.host`	string	resource stable An entity ID of an entity of type HOST. Tags: `entity-id`	`HOST-E0D8F94D9065F24F`
`dt.entity.process_group`	string	resource stable An entity ID of an entity of type PROCESS_GROUP. Tags: `entity-id`	`PROCESS_GROUP-E0D8F94D9065F24F`
`dt.entity.process_group_instance`	string	resource stable An entity ID of an entity of type PROCESS_GROUP_INSTANCE. Tags: `entity-id`	`PROCESS_GROUP_INSTANCE-E0D8F94D9065F24F`
`dt.source_entity`	string	resource stable The ID of the entity considered the source of the signal. The string represents an entity ID of an entity that is stored in the classic entity storage. ¹ Tags: `entity-id`	`HOST-E0D8F94D9065F24F`; `PROCESS_GROUP_INSTANCE-E0D8F94D9065F24F`
`dt.source_entity.type`	string	resource stable The entity type of the entity whose identifier is held in dt.source_entity. The value must be a valid entity type and consistent with `dt.source_entity`. Note, however, that the type identifiers are expected to be lowercased in alignment with suffixes of dt.entity.* keys.	`host`; `process_group_instance`; `cloud:azure:resource_group`
`host.name`	string	resource experimental The host name as determined on the data source (for instance, OneAgent, extensions or OpenTelemetry). Important: This is not the name of the host entity, which can be modified based on naming rules. Tags: `permission`	`ip-10-178-54-32.ec2.internal`

The value of this field will be based on one of the dt.entity.<type> fields value. This means that both dt.source_entity and dt.entity.<type> fields will be set to the same ID.

Attribute	Type	Description	Examples
`software_component.purl`	string	experimental Location of the package providing unique identification.	`pkg:maven/org.apache.logging.log4j/log4j-core`
`software_component.supplier.name`	string	experimental Supplier name of the software component.	`FasterXML`
`software_component.type`	string	experimental Type of the software component usually provided by the SBOM.	`library`
`software_component.version`	string	experimental Version of the software component.	`3.16.2-5+deb9u3`

Vulnerability state events

Vulnerability state events are historical states at the vulnerability level. The current vulnerability state is exported to Grail regularly.

Query

Query vulnerability state events.

fetch security.events
| filter event.category == "VULNERABILITY_MANAGEMENT"
| filter event.type == "VULNERABILITY_STATE_REPORT_EVENT"
| filter event.level == "VULNERABILITY"

Vulnerability state: Event data

This section contains general event information.

Attribute	Type	Description	Examples
`event.category`	string	stable Categorization based on the product and data generating this event.	`VULNERABILITY_MANAGEMENT`
`event.description`	string	stable Human-readable description of an event.	`S-49 Remote Code Execution state event reported`
`event.group_label`	string	experimental Group label of an event.	`STATE_REPORT`
`event.kind`	string	stable Gives high-level information about what kind of information the event contains without being specific about the contents of the event. It helps to determine the record type of a raw event. Tags: `permission`	`SECURITY_EVENT`
`event.level`	string	resource stable Main reference point to which the event or data is related. Possible values are `Vulnerability` (shows the global aggregation across the entire environment and comprises all entities and management zones) and `Entity` (shows the assessment based on the entity itself).	`VULNERABILITY`
`event.name`	string	stable The human readable display name of an event type.	`Vulnerability historical state report event`
`event.provider`	string	stable Source of the event, for example, the name of the component or system that generated the event. Tags: `permission`	`Dynatrace`; `Snyk`
`event.provider_product`	string	resource stable Name of the product providing this event.	`Runtime Vulnerability Analytics`; `Snyk Container`
`event.status`	string	stable Status of an event as being either Active or Closed.	`OPEN`; `RESOLVED`; `MUTED`
`event.type`	string	stable The unique type identifier of a given event. Tags: `permission`	`VULNERABILITY_STATE_REPORT_EVENT`
`timestamp`	timestamp	stable The time (UNIX Epoch time in nanoseconds) when the event originated, typically when it was created by the source.	`1649822520123123123`

Vulnerability state: Vulnerability data

This section contains information about the vulnerability.

Attribute	Type	Description	Examples
`vulnerability.code_location.name`	string	stable Name of the code location where the code-level vulnerability was detected.	`org.dynatrace.profileservice.BioController.markdownToHtml(String):80`
`vulnerability.cvss.base_score`	double	stable Vulnerability's CVSS base score provided by NVD.	`8.1`
`vulnerability.cvss.vector`	string	experimental Vulnerability's CVSS vector defined by the provider.	`CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:L/SI:L/SA:L`; `CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:L/A:H/E:P/RL:T/RC:U/CR:L/IR:M/AR:H`
`vulnerability.cvss.version`	string	stable Vulnerability's CVSS score version.	`3.1`; `4.0`
`vulnerability.davis_assessment.assessment_mode`	string	stable Availability of the information based on which the vulnerability assessment has been done.	`FULL`; `NOT_AVAILABLE`; `REDUCED`
`vulnerability.davis_assessment.assessment_mode_reasons`	string[]	experimental Reasons for the assessment mode.	`[LIMITED_BY_CONFIGURATION, LIMITED_AGENT_SUPPORT]`
`vulnerability.davis_assessment.data_assets_status`	string	stable Vulnerability's reachability of related data assets by affected entities.	`NOT_AVAILABLE`; `NOT_DETECTED`; `REACHABLE`
`vulnerability.davis_assessment.exploit_status`	string	stable Vulnerability's public exploits status.	`AVAILABLE`; `NOT_AVAILABLE`
`vulnerability.davis_assessment.exposure_status`	string	stable Vulnerability's internet exposure status.	`NOT_AVAILABLE`; `NOT_DETECTED`; `PUBLIC_NETWORK`; `ADJACENT_NETWORK`
`vulnerability.davis_assessment.level`	string	stable Vulnerability's risk level based on Davis Security Score.	`LOW`; `MEDIUM`; `HIGH`; `CRITICAL`; `NONE`
`vulnerability.davis_assessment.score`	double	stable Vulnerability's Davis Security Score (1-10) calculated by Dynatrace.	`8.1`
`vulnerability.davis_assessment.vector`	string	experimental Vulnerability's CVSS vector, adjusted with observability data; this vector is calculated by Dynatrace.	`CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:L/SI:L/SA:L`; `CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:L/A:H/E:P/RL:T/RC:U/CR:L/IR:M/AR:H`
`vulnerability.davis_assessment.vulnerable_function_status`	string	stable Usage status of the vulnerable functions causing the vulnerability.	`IN_USE`; `NOT_AVAILABLE`; `NOT_IN_USE`
`vulnerability.description`	string	stable Description of the vulnerability.	`More detailed description about improper input validation vulnerability.`
`vulnerability.display_id`	string	stable Dynatrace user-readable identifier for the vulnerability.	`S-1234`
`vulnerability.external_id`	string	stable External provider's unique identifier for the vulnerability.	`SNYK-JAVA-ORGAPACHEHTTPCOMPONENTS-30646`
`vulnerability.external_url`	string	stable External provider's URL to the details page of the vulnerability.	`https://example.com`
`vulnerability.first_seen`	timestamp	stable Timestamp of when the vulnerability was first detected.	`2023-03-22T13:19:36.945Z`
`vulnerability.id`	string	stable Dynatrace unique identifier for the vulnerability.	`2039861408676243188`
`vulnerability.is_fix_available`	boolean	experimental Indicates if a vulnerability fix is available.
`vulnerability.mute.change_date`	timestamp	stable Timestamp of the vulnerability's last muted or unmuted action.	`2023-03-22T13:19:36.945Z`
`vulnerability.mute.reason`	string	stable Reason for muting or unmuting the vulnerability.	`FALSE_POSITIVE`; `IGNORE`; `AFFECTED`; `CONFIGURATION_NOT_AFFECTED`; `OTHER`
`vulnerability.mute.status`	string	stable Vulnerability's mute status.	`MUTED`; `NOT_MUTED`
`vulnerability.mute.user`	string	stable User who last changed the vulnerability's mute status.	`user@example.com`
`vulnerability.references.cve`	string[]	stable List of the vulnerability's CVE IDs.	`[CVE-2021-41079]`
`vulnerability.references.cwe`	string[]	stable List of the vulnerability's CWE IDs.	`[CWE-20]`
`vulnerability.references.owasp`	string[]	stable List of vulnerability's OWASP IDs.	`[2021:A3]`
`vulnerability.remediation.description`	string	experimental Description of the vulnerability's remediation advice.	`Upgrade component to version 1.2.3 or higher`
`vulnerability.resolution.change_date`	timestamp	stable Timestamp of the vulnerability's last resolution status change.	`2023-03-22T13:19:37.466Z`
`vulnerability.resolution.status`	string	stable Vulnerability's resolution status.	`OPEN`; `RESOLVED`
`vulnerability.risk.level`	string	stable Vulnerability's risk score level defined by the provider. For Dynatrace, the Davis Security Score level.	`LOW`; `MEDIUM`; `HIGH`; `CRITICAL`; `NONE`
`vulnerability.risk.scale`	string	stable Scale by which the vulnerability's risk score and risk score level defined by the provider are measured.	`Davis Security Score`
`vulnerability.risk.score`	double	stable Vulnerability's risk score defined by the provider. For Dynatrace, Davis Security Score.	`8.1`
`vulnerability.stack`	string	experimental Level of the vulnerable component in the technological stack.	`CODE`; `CODE_LIBRARY`; `SOFTWARE`; `CONTAINER_ORCHESTRATION`
`vulnerability.technology`	string	stable Technology of the vulnerable component.	`JAVA`; `DOTNET`; `GO`; `PHP`; `NODE_JS`
`vulnerability.title`	string	stable Title of the vulnerability.	`Improper Input Validation`
`vulnerability.type`	string	stable Classification of the vulnerability based on commonly accepted enums, such as CWE.	`Improper Input Validation`
`vulnerability.url`	string	stable Dynatrace URL to the details page of the vulnerability. \|	`https://example.com`

Vulnerability state: Environmental data

This section contains information on the vulnerability's affected and related entities.

Affected entities

Attribute	Type	Description	Examples
`affected_entities.affected_processes.count`	long	resource stable Number of affected processes.	`50`
`affected_entities.count`	long	resource stable Number of affected entities.	`1`
`affected_entities.hosts.count`	long	resource stable Number of affected hosts.	`2`
`affected_entities.kubernetes_nodes.count`	long	resource stable Number of affected nodes.	`2`
`affected_entities.management_zones.ids`	array	resource stable IDs of the management zones to which the affected entities belong.	`mzid1`
`affected_entities.management_zones.names`	array	resource stable Names of the management zones to which the affected entities belong.	`mz1`
`affected_entities.monitored_processes.count`	long	resource stable Number of processes of the process group.	`100`
`affected_entities.process_groups.count`	long	resource stable Number of affected process groups.	`2`
`affected_entities.types`	array	resource stable Types of affected entities.	`PROCESS_GROUP`; `HOST`; `KUBERNETES_NODE`
`affected_entities.vulnerable_components.ids`	array	resource stable Dynatrace IDs of the vulnerable components causing the vulnerability.	`SOFTWARE_COMPONENT-0000000000000001`; `SOFTWARE_COMPONENT-0000000000000002`; `SOFTWARE_COMPONENT-0000000000000003`
`affected_entities.vulnerable_components.names`	array	resource stable Names of the vulnerable components causing the vulnerability. \|	`com.fasterxml.jackson.core:jackson-databind:2.10.0`; `node-sass:4.14.1`
`affected_entities.vulnerable_functions`	array	resource stable Vulnerable functions detected, containing or causing the vulnerability.	`org.springframework.beans.CachedIntrospectionResults:init`; `java.lang.ProcessBuilder.<init>(String[])`; `(*DB).queryDC() (/usr/local/go/src/database/sql/sql.go)`

Attribute	Type	Description	Examples
`related_entities.applications.count`	long	resource stable Number of related applications.	`1`
`related_entities.databases.count`	long	resource stable Number of related databases.	`1`
`related_entities.hosts.count`	long	resource stable Number of related hosts.	`1`
`related_entities.kubernetes_clusters.count`	long	resource stable Number of related Kubernetes clusters.	`1`
`related_entities.kubernetes_workloads.count`	long	resource stable Number of related Kubernetes workloads.	`1`
`related_entities.services.count`	long	resource stable Number of related services.	`1`

Security events

Compliance finding events

Compliance finding events: Event data

Compliance finding events: Finding data

Compliance finding events: Scan data

Compliance finding events: Rule data

Compliance finding events: Result

Compliance scan completed events

Compliance scan completed events: Event metadata

Compliance scan completed events: Scan info

Detection Finding Events

Detection finding events: Event fields

Detection finding events: Technical fields

Entity change events

Query

Entity change events: Event data

Entity change events: Vulnerability data

Entity change events: Environmental data

Affected entity

Related entities

Entity state events

Query

Entity state: Event data

Entity state: Vulnerability data

Entity state: Environmental data

Affected entities

Related entities

Vulnerability change events

Query

Vulnerability state: Event data

Vulnerability state: Vulnerability data

Vulnerability change: Environmental data

Affected entities

Related entities

Vulnerability finding events

Vulnerability finding events: Metadata

Vulnerability finding events: Vulnerability data

Vulnerability finding events: Product data

Vulnerability finding events: Scan data

Extensions

Vulnerability finding events: Container image data

Vulnerability state events

Query

Vulnerability state: Event data

Vulnerability state: Vulnerability data

Vulnerability state: Environmental data

Affected entities

Related entities