Security events

Security events are a special type of data representing various events generated by Dynatrace.

In the events data store, security events are stored in a dedicated bucket (default_security_events) and come as an additional event kind (event.kind=="SECURITY_EVENT") for better access control, data separation, and data retention period control.

Compliance Scan Completed Events

A compliance scan completed event is generated when a scan of a configuration dataset against compliance rules is completed.

Compliance scan completed events: Event metadata

This section contains general event information.

Attribute

Type

Description

Examples

event.kind

string

stable
Gives high-level information about what kind of information the event contains without being specific to the contents of the event. It helps to determine the record type of a raw event.
Tags: permission

SECURITY_EVENT

event.type

string

stable
The unique type identifier of a given event.
Tags: permission

COMPLIANCE_SCAN_COMPLETED

timestamp

timestamp

stable
Timestamp (UNIX epoch milliseconds) when the event was created, i.e. when the compliance scan completed.

1649822520123123123

Compliance scan completed events: Scan info

This section contains details about the performed compliance scan.

Attribute

Type

Description

Examples

dt.entity.kubernetes_cluster

string

stable
An entity ID of an entity of type KUBERNETES_CLUSTER.
Tags: entity-id

KUBERNETES_CLUSTER-E0D8F94D9065F24F

object.id

string

experimental
Identifier of the affected object.

HOST-E0D8F94D9065F24F; i-06becf87d5326157a;

arn:aws:ecr:eu-central-1:124567890123:repository/unguard-frontend/sha256:054e1d39fb20a52f2c78caeb83574035462d3d2e627978d89a2834ce8cb69fe1

object.name

string

experimental
Name of the affected object.

kube-controller-manager-k8s-mst01-t12; daemonset-25qlv

object.type

string

experimental
Type of the affected object.

HOST; EC2_INSTANCE; CONTAINER_IMAGE

scan.id

string

experimental
Unique identifier of the scan.

00000000-0000-0000-0000-000000000000

scan.product.name

string

experimental
Name of the product that performed the scan.

ECR; Inspector

scan.result.summary_json

string

experimental
Summary of the scan results.

{"standardResultSummaries":[{"profileCode":"CIS","compliancePercentage":85}]}

scan.vendor

string

experimental
Name of the scanner vendor that performed the scan.

AWS

Compliance finding events

A compliance finding event is generated when an object is evaluated against a compliance rule during a scan. The event contains the results of this evaluation and the compliance status of the given object.

Compliance finding events: Event data

This section contains general event information.

Attribute

Type

Description

Examples

event.kind

string

SECURITY_EVENT

event.type

string

stable
The unique type identifier of a given event.
Tags: permission

COMPLIANCE_FINDING

timestamp

timestamp

stable
The time (UNIX Epoch time in nanoseconds) when the event was ingested.

1649822520123123123

Compliance finding events: Finding data

This section contains information about the finding.

Attribute

Type

Description

Examples

dt.entity.kubernetes_cluster

string

stable
An entity ID of an entity of type KUBERNETES_CLUSTER.
Tags: entity-id

KUBERNETES_CLUSTER-E0D8F94D9065F24F

finding.id

string

experimental
Unique identifier string of a finding.

F-2GJ3LSUM

finding.time.created

timestamp

experimental
Time when the finding was created.

2024-06-24T04:47:21.154000000+02:00

k8s.cluster.name

string

stable
(Optional) The user-defined name of the cluster in Dynatrace. Doesn't need to be unique, nor immutable.
Tags: permission

unguard-dev; acme-prod10

k8s.cluster.uid

string

stable
A pseudo-ID for the cluster, by default set to the UID of the kube-system namespace.

1c7a24c7-ff51-46e0-bcc9-c52637ceec57

Compliance finding events: Scan data

This section contains information about the scan that generated the finding.

Attribute

Type

Description

Examples

scan.id

string

experimental
Unique identifier of the scan.

00000000-0000-0000-0000-000000000000

Compliance finding events: Rule data

This section contains information about the compliance rule and the compliance standard it belongs to.

Attribute

Type

Description

Examples

compliance.rule.id

string

experimental
Unique identifier of a compliance rule.

CIS-66577

compliance.rule.metadata_json

string

experimental
Any additional metadata associated with the compliance rule.

{\"Section\":\"Kubernetes - v1.9.0\",\"Recommendation ID\":\"1.2.16\",\"Recommendation section\":\"1.2 - Control Plane Components - API Server\", \"Level\":\"L1\"}

compliance.rule.severity.level

string

experimental
Original severity of a compliance rule reported by the vendor.

CRITICAL; HIGH; MEDIUM; LOW

compliance.rule.severity.score

double

experimental
Number assigned to the respective severity. For example, 10 corresponds to 'CRITICAL', 7 to 'HIGH', 4 to 'MEDIUM', and 1 to 'LOW'.

10.0; 7.0; 4.0; 1.0

compliance.rule.title

string

experimental
Short description of a compliance rule.

The Kubernetes Controller Manager must use TLS 1.2, at a minimum, to protect the confidentiality of sensitive data during electronic dissemination

Attribute

Type

Description

Examples

compliance.standard.short_name

string

experimental
Short name of a compliance standard.

DISA STIG; NIST

compliance.standard.url

string

experimental
Link to the official documentation source about the compliance standard.

DISA STIG; NIST

Compliance finding events: Result

This section contains information about the result of the compliance scan.

Attribute

Type

Description

Examples

compliance.result.description

string

experimental
Details about the compliance result status.

Object not matching standard inclusion criteria

compliance.result.object.evidence_json

string

experimental
Reasoning or evidence for the compliance status of this object.

[{\"type\":\"AUTOMATIC\",\"description\":\"Controller Manager version\",\"value\":\"1.28.0\"},{\"type\":\"AUTOMATIC\",\"description\":\"Property tls-min-version status\",\"value\":\"Not set\"}]

compliance.result.object.name

string

experimental
Name of the object evaluated for compliance.

kube-controller-manager-k8s-mst01-t12; daemonset-25qlv

compliance.result.object.type

string

experimental
Type of the object evaluated for compliance.

k8scluster; k8spod; k8sservice

compliance.result.status.level

string

experimental
Result status of the given resource object as evaluated by a scan.

FAILED; PASSED; MANUAL; NOT_RELEVANT

compliance.result.status.score

double

experimental
Number assigned to the respective result status. For example, 10 corresponds to 'FAILED', 7 to 'MANUAL', 4 to 'PASSED', and 1 to 'NOT_RELEVANT'.

10.0; 7.0; 4.0; 1.0

Entity State Events

Entity state events are historical vulnerability states reported at the entity level. The current vulnerability state per entity is exported to Grail regularly.

Query

Query entity state events.

fetch events
| filter event.kind == "SECURITY_EVENT"
| filter event.category == "VULNERABILITY_MANAGEMENT"
| filter event.type == "VULNERABILITY_STATE_REPORT_EVENT"
| filter event.level == "ENTITY"

Entity state: Event data

This section contains general event information.

Attribute

Type

Description

Examples

event.category

string

stable
Categorization based on the product and data generating this event.

VULNERABILITY_MANAGEMENT

event.description

string

stable
Human-readable description of an event.

S-49 Remote Code Execution state event reported

event.group_label

string

experimental
Group label of an event.

STATE_REPORT

event.kind

string

SECURITY_EVENT

event.level

string

stable
Main reference point to which the event or data is related. Possible values are Vulnerability (shows the global aggregation across the entire environment and comprises all entities and management zones) and Entity (shows the assessment based on the entity itself).

ENTITY

event.name

string

stable
The human readable display name of an event type.

Vulnerability historical state report event

event.provider

string

stable
Source of the event, for example, the name of the component or system that generated the event.
Tags: permission

OneAgent; K8S; Davis; VMWare; GCP; AWS; LIMA_USAGE_STREAM

event.provider_product

string

stable
Name of the product providing this event.

Runtime Vulnerability Analytics; Snyk Container

event.status

string

stable
Status of an event as being either Active or Closed.

OPEN; RESOLVED; MUTED

event.type

string

stable
The unique type identifier of a given event.
Tags: permission

VULNERABILITY_STATE_REPORT_EVENT

timestamp

timestamp

stable
The time (UNIX Epoch time in nanoseconds) when the event originated, typically when it was created by the source.

1649822520123123123

Entity state: Vulnerability data

This section contains information about the vulnerability at the entity level and its global vulnerability, with a focus on the affected entities.

Attribute

Type

Description

Examples

entry_points.entry_point_jsons

string[]

experimental
JSON representation of entry points of a vulnerability.

[{ "entry_point.url.path": "/user/2/bio", "entry_point.payload": "UPDATE bio SET bio_text = '' WHERE 1 = 0; TRUNCATE TABLE bio; --' WHERE user_id = 2", "entry_point.user_controlled_inputs_json": [{ "user_controlled_input.type": "HTTP_PARAMETER_VALUE", "user_controlled_input.key": "username", "user_controlled_input.value": "' OR 100=100 -- 0'", "user_controlled_input.payload.start": "56", "user_controlled_input.payload.end": "73", "user_controlled_input.is_malicious": true}]}]

vulnerability.code_location.name

string

stable
Name of the code location where the code-level vulnerability was detected.

org.dynatrace.profileservice.BioController.markdownToHtml(String):80

vulnerability.cvss.base_score

double

stable
Vulnerability's CVSS base score provided by NVD.

8.1

vulnerability.cvss.vector

string

experimental
Vulnerability's CVSS vector defined by the provider.

CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:L/A:H/E:P/RL:T/RC:U/CR:L/IR:M/AR:H

vulnerability.cvss.version

string

stable
Vulnerability's CVSS score version.

3.1

vulnerability.davis_assessment.assessment_mode

string

stable
Availability of the information based on which the assessment of the vulnerability at the entity level has been done.

FULL; NOT_AVAILABLE; REDUCED

vulnerability.davis_assessment.assessment_mode_reasons

string[]

experimental
Reasons for the assessment mode at the entity level.

[LIMITED_BY_CONFIGURATION, LIMITED_AGENT_SUPPORT]

vulnerability.davis_assessment.data_assets_status

string

stable
Affected entity's reachability by a database.

NOT_AVAILABLE; NOT_DETECTED; REACHABLE

vulnerability.davis_assessment.exploit_status

string

stable
Public exploits status of the vulnerability at the entity level.

AVAILABLE; NOT_AVAILABLE

vulnerability.davis_assessment.exposure_status

string

stable
Internet exposure status of the vulnerability at the entity level.

NOT_AVAILABLE; NOT_DETECTED; PUBLIC_NETWORK; ADJACENT_NETWORK

vulnerability.davis_assessment.level

string

stable
Risk level, based on Davis Security Score, of the vulnerability at the entity level.

LOW; MEDIUM; HIGH; CRITICAL; NONE

vulnerability.davis_assessment.score

double

stable
Davis Security Score (1-10) calculated by Dynatrace for the vulnerability at the entity level.

8.1

vulnerability.davis_assessment.vulnerable_function_status

string

stable
Usage status of the vulnerable functions causing the vulnerability at the entity level.

IN_USE; NOT_AVAILABLE; NOT_IN_USE

vulnerability.description

string

stable
Description of the vulnerability.

More detailed description about improper input validation vulnerability.

vulnerability.display_id

string

stable
Dynatrace user-readable identifier for the vulnerability.

S-1234

vulnerability.external_id

string

stable
External provider's unique identifier for the vulnerability.

SNYK-JAVA-ORGAPACHEHTTPCOMPONENTS-30646

vulnerability.external_url

string

stable
External provider's URL to the details page of the vulnerability.

https://example.com

vulnerability.id

string

stable
Dynatrace unique identifier for the vulnerability.

2039861408676243188

vulnerability.is_fix_available

boolean

experimental
Indicates if a vulnerability fix is available.

vulnerability.mute.change_date

timestamp

stable
Timestamp of the last muted or unmuted action of the vulnerability at the entity level.

2023-03-22T13:19:36.945Z

vulnerability.mute.comment

string

experimental
Comment for muting or unmuting the vulnerability at entity level.

Muted because it's a false positive.

vulnerability.mute.reason

string

stable
Reason for muting or unmuting the vulnerability at the entity level.

FALSE_POSITIVE; IGNORE; AFFECTED; CONFIGURATION_NOT_AFFECTED; OTHER

vulnerability.mute.status

string

stable
Mute status of the vulnerability at the entity level.

MUTED; NOT_MUTED

vulnerability.mute.user

string

stable
User who last changed the mute status of the vulnerability at the entity level.

user@example.com

vulnerability.parent.davis_assessment.assessment_mode

string

stable
Availability of the information based on which the vulnerability assessment has been done.

FULL; NOT_AVAILABLE; REDUCED

vulnerability.parent.davis_assessment.data_assets_status

string

stable
Vulnerability's reachability of related data assets by affected entities.

NOT_AVAILABLE; NOT_DETECTED; REACHABLE

vulnerability.parent.davis_assessment.exposure_status

string

stable
Vulnerability's internet exposure status.

NOT_AVAILABLE; NOT_DETECTED; PUBLIC_NETWORK; ADJACENT_NETWORK

vulnerability.parent.davis_assessment.level

string

stable
Vulnerability's Davis Security Score level.

LOW; MEDIUM; HIGH; CRITICAL; NONE

vulnerability.parent.davis_assessment.score

double

stable
Vulnerability's Davis Security Score (1-10) calculated by Dynatrace.

8.1

vulnerability.parent.davis_assessment.vulnerable_function_status

string

stable
Usage status of vulnerable functions causing the vulnerability. Status is IN_USE when there's at least one vulnerable function in use by an application.

IN_USE; NOT_AVAILABLE; NOT_IN_USE

vulnerability.parent.first_seen

string

stable
Timestamp of when the vulnerability was first detected.

2023-03-22T13:19:36.945Z

vulnerability.parent.mute.change_date

timestamp

stable
Timestamp of the last mute or unmute action of the vulnerability.

2023-03-22T13:19:36.945Z

vulnerability.parent.mute.reason

string

stable
Reason for muting or unmuting the vulnerability.

FALSE_POSITIVE; IGNORE; AFFECTED; CONFIGURATION_NOT_AFFECTED; OTHER

vulnerability.parent.mute.status

string

stable
Vulnerability's mute status.

MUTED; NOT_MUTED

vulnerability.parent.mute.user

string

stable
User who last changed the vulnerability's mute status.

user@example.com

vulnerability.parent.resolution.change_date

string

stable
Timestamp of the vulnerability's last resolution status change.

2023-03-22T13:19:37.466Z

vulnerability.parent.resolution.status

string

stable
Current status of the vulnerability.

OPEN; RESOLVED

vulnerability.parent.risk.level

string

stable
Vulnerability's risk score level defined by the provider. For Dynatrace, the Davis Security Score level.

LOW; MEDIUM; HIGH; CRITICAL; NONE

vulnerability.parent.risk.score

double

stable
Vulnerability's risk score defined by the provider. For Dynatrace, Davis Security Score.

8.1

vulnerability.references.cve

string[]

stable
List of the vulnerability's CVE IDs.

[CVE-2021-41079]

vulnerability.references.cwe

string[]

stable
List of the vulnerability's CWE IDs.

[CWE-20]

vulnerability.references.owasp

string[]

stable
List of vulnerability's OWASP IDs.

[2021:A3]

vulnerability.remediation.description

string

experimental
Description of the vulnerability's remediation advice.

Upgrade component to version 1.2.3 or higher

vulnerability.resolution.change_date

timestamp

stable
Timestamp of the last status change of the vulnerability at the entity level.

2023-03-22T13:19:37.466Z

vulnerability.resolution.status

string

stable
Resolution status of the vulnerability at the entity level.

OPEN; RESOLVED

vulnerability.risk.level

string

stable
Vulnerability's risk score level defined by the provider at the entity level. For Dynatrace, the Davis Security Score level.

LOW; MEDIUM; HIGH; CRITICAL; NONE

vulnerability.risk.scale

string

stable
Scale by which the risk score and risk score level defined by the provider for the vulnerability at the entity level are measured.

Davis Security Score

vulnerability.risk.score

double

stable
Risk score defined by the provider for the vulnerability at the entity level. For Dynatrace, Davis Security Score.

8.1

vulnerability.stack

string

experimental
Level of the vulnerable component in the technological stack.

CODE; CODE_LIBRARY; SOFTWARE; CONTAINER_ORCHESTRATION

vulnerability.technology

string

stable
Technology of the vulnerable component.

JAVA; DOTNET; GO; PHP; NODE_JS

vulnerability.title

string

stable
Title of the vulnerability.

Improper Input Validation

vulnerability.tracking_link.text

string

experimental
Display text of the tracking link that was set by the user.

P-1000 Vulnerability CVE-2024-0001

vulnerability.tracking_link.url

string

experimental
URL of the tracking link that was set by the user.

https://example.com/Project1/P-1000

vulnerability.type

string

stable
Classification of the vulnerability based on commonly accepted enums, such as CWE.

Improper Input Validation

vulnerability.url

string

stable
Dynatrace URL to the details page of the vulnerability. |

https://example.com

Entity state: Environmental data

This section contains information about the vulnerability's affected and related entities.

Affected entities

Attribute

Type

Description

Examples

affected_entity.affected_processes.ids

array

stable
IDs of the processes that are currently affected by the vulnerability.

PROCESS_GROUP_INSTANCE-1

affected_entity.affected_processes.names

array

stable
Names of the processes that are currently affected by the vulnerability.

prod_process_group_instance_1

affected_entity.id

string

stable
ID of the affected entity.

PROCESS_GROUP-1; HOST-1

affected_entity.management_zones.ids

array

stable
IDs of the management zones to which the affected entity belongs.

mzid1

affected_entity.management_zones.names

array

stable
Names of the management zones to which the affected entity belongs.

mz1

affected_entity.name

string

stable
Name of the affected entity.

prod_process_group_1; prod_host

affected_entity.reachable_data_assets.count

long

experimental
Number of reachable data assets.

1

affected_entity.reachable_data_assets.ids

array

experimental
IDs of the data assets that can be reached by the affected entities of the vulnerability.

DATABASE-1

affected_entity.reachable_data_assets.names

array

experimental
Names of the data assets that can be reached by the affected entities of the vulnerability.

prod_database_1

affected_entity.type

string

stable
Type of affected entity.

PROCESS_GROUP; HOST; KUBERNETES_NODE

affected_entity.vulnerable_component.id

string

stable
ID of the vulnerable component causing the vulnerability.

SOFTWARE_COMPONENT-D8FCFFB4FDF7A3FF

affected_entity.vulnerable_component.name

string

stable
Name of the vulnerable component causing the vulnerability.

log4j-core-2.6.2.jar

affected_entity.vulnerable_component.package_name

string

experimental
Package name of the vulnerable component causing the vulnerability.

k8s.io/kubernetes; github.com/kubernetes/kubernetes/pkg/kubelet/kuberuntime

affected_entity.vulnerable_component.short_name

string

stable
Short name of the vulnerable component causing the vulnerability.

log4j

affected_entity.vulnerable_functions

array

stable
Vulnerable functions detected, containing or causing the vulnerability.

org.springframework.beans.CachedIntrospectionResults:init; java.lang.ProcessBuilder.<init>(String[]); (*DB).queryDC() (/usr/local/go/src/database/sql/sql.go)

affected_entity.vulnerable_functions_not_available

array

experimental
Vulnerable functions detected which Dynatrace can't tell if they're in use due to limited insights.

org.springframework.beans.CachedIntrospectionResults:init; java.lang.ProcessBuilder.<init>(String[]); (*DB).queryDC() (/usr/local/go/src/database/sql/sql.go)

affected_entity.vulnerable_functions_not_in_use

array

experimental
Vulnerable functions detected which are not actively used.

org.springframework.beans.CachedIntrospectionResults:init; java.lang.ProcessBuilder.<init>(String[]); (*DB).queryDC() (/usr/local/go/src/database/sql/sql.go)

Related entities

Attribute

Type

Description

Examples

related_entities.applications.count

long

stable
Number of related applications.

1

related_entities.applications.ids

array

stable
IDs of the applications related to the vulnerability's affected entities.

APPLICATION-1

related_entities.applications.names

array

stable
Names of the applications related to the vulnerability's affected entities.

prod_application_1

related_entities.databases.count

long

stable
Number of related databases.

1

related_entities.databases.ids

array

stable
IDs of the databases related to the vulnerability's affected entities.

DATABASE-1

related_entities.databases.names

array

stable
Names of the databases related to the vulnerability's affected entities.

prod_database_1

related_entities.hosts.count

long

stable
Number of related hosts.

1

related_entities.hosts.ids

array

stable
IDs of the hosts related to the vulnerability's affected entities.

HOST-1

related_entities.hosts.names

array

stable
Names of the hosts related to the vulnerability's affected entities.

prod_host_1

related_entities.kubernetes_clusters.count

long

stable
Number of related Kubernetes clusters.

1

related_entities.kubernetes_clusters.ids

array

stable
IDs of the Kubernetes clusters related to the vulnerability's affected entities.

KUBERNETES_CLUSTER-1

related_entities.kubernetes_clusters.names

array

stable
Names of the Kubernetes clusters related to the vulnerability's affected entities.

prod_kubernetes_cluster_1

related_entities.kubernetes_workloads.count

long

stable
Number of related Kubernetes workloads.

1

related_entities.kubernetes_workloads.ids

array

stable
IDs of the Kubernetes workloads related to the vulnerability's affected entities.

KUBERNETES_WORKLOAD-1

related_entities.kubernetes_workloads.names

array

stable
Names of the Kubernetes workloads related to the vulnerability's affected entities.

prod_kubernetes_workload_1

related_entities.services.count

long

stable
Number of related services.

1

related_entities.services.ids

array

stable
IDs of the services related to the vulnerability's affected entities.

SERVICE-1

related_entities.services.names

array

stable
Names of the services related to the vulnerability's affected entities.

prod_service_1

Vulnerability Change Events

Vulnerability change events are change events at the vulnerability level. An event is generated whenever a vulnerability undergoes a status or assessment change.

Query

Query vulnerability status change events.

fetch events
| filter event.kind == "SECURITY_EVENT"
| filter event.category == "VULNERABILITY_MANAGEMENT"
| filter event.type == "VULNERABILITY_STATUS_CHANGE_EVENT"

Query vulnerability assessment change events.

fetch events
| filter event.kind == "SECURITY_EVENT"
| filter event.category == "VULNERABILITY_MANAGEMENT"
| filter event.type == "VULNERABILITY_ASSESSMENT_CHANGE_EVENT"

Vulnerability state: Event data

This section contains general event information.

Attribute

Type

Description

Examples

event.category

string

stable
Standard categorization based on the significance of an event according to the ITIL event management standard (previously known as severity level).

VULNERABILITY_MANAGEMENT

event.change_list

array

stable
List of attributes updated as part of the change event. Values in the list match a previous field.

vulnerability.risk.score; affected_entities.count; related_entities.databases.count

event.description

string

stable
Human-readable description of an event.

S-49 Remote Code Execution status has changed to OPEN.; S-49 Remote Code Execution assessment has changed.

event.group_label

string

experimental
Group label of an event.

CHANGE_EVENT

event.kind

string

SECURITY_EVENT

event.level

string

VULNERABILITY

event.name

string

stable
The human readable display name of an event type.

Vulnerability status change event; Vulnerability assessment change event

event.provider

string

stable
Source of the event, for example, the name of the component or system that generated the event.
Tags: permission

Dynatrace

event.provider_product

string

stable
Name of the product providing this event.

Runtime Vulnerability Analytics; Snyk Container

event.status

string

stable
Status of an event as being either Active or Closed.

OPEN; RESOLVED; MUTED

event.status_transition

string

experimental
An enum that shows the transition of the above event state.

NEW_OPEN; REOPEN; CLOSE; MUTE; UNMUTE

event.trigger.type

string

stable
Type of event trigger (for example, whether it was generated by the system, ingested via API, or triggered by the user).

DT_PLATFORM; USER_ACTION

event.trigger.user

string

stable
ID of the user who triggered the event. If generated by Dynatrace, the value is SYSTEM.

SYSTEM; <user_id>

event.type

string

stable
The unique type identifier of a given event.
Tags: permission

VULNERABILITY_STATUS_CHANGE_EVENT; VULNERABILITY_ASSESSMENT_CHANGE_EVENT

timestamp

timestamp

stable
The time (UNIX Epoch time in nanoseconds) when the event originated, typically when it was created by the source.

1649822520123123123

Vulnerability state: Vulnerability data

This section contains information about the vulnerability and its status and assessment changes.

Attribute

Type

Description

Examples

vulnerability.cvss.base_score

double

stable
Vulnerability's CVSS base score provided by NVD.

8.1

vulnerability.cvss.vector

string

experimental
Vulnerability's CVSS vector defined by the provider.

CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:L/A:H/E:P/RL:T/RC:U/CR:L/IR:M/AR:H

vulnerability.cvss.version

string

stable
Vulnerability's CVSS score version.

3.1

vulnerability.davis_assessment.assessment_mode

string

stable
Availability of the information based on which the vulnerability assessment has been done.

FULL; NOT_AVAILABLE; REDUCED

vulnerability.davis_assessment.assessment_mode_reasons

string[]

experimental
Reasons for the assessment mode.

[LIMITED_BY_CONFIGURATION, LIMITED_AGENT_SUPPORT]

vulnerability.davis_assessment.data_assets_status

string

stable
Vulnerability's reachability of related data assets by affected entities.

NOT_AVAILABLE; NOT_DETECTED; REACHABLE

vulnerability.davis_assessment.exploit_status

string

stable
Vulnerability's public exploits status.

AVAILABLE; NOT_AVAILABLE

vulnerability.davis_assessment.exposure_status

string

stable
Vulnerability's internet exposure status.

NOT_AVAILABLE; NOT_DETECTED; PUBLIC_NETWORK; ADJACENT_NETWORK

vulnerability.davis_assessment.level

string

stable
Vulnerability's risk level based on Davis Security Score.

LOW; MEDIUM; HIGH; CRITICAL; NONE

vulnerability.davis_assessment.score

double

stable
Vulnerability's Davis Security Score (1-10) calculated by Dynatrace.

8.1

vulnerability.davis_assessment.vulnerable_function_status

string

stable
Usage status of the vulnerable functions causing the vulnerability.

IN_USE; NOT_AVAILABLE; NOT_IN_USE

vulnerability.description

string

stable
Description of the vulnerability.

More detailed description about improper input validation vulnerability.

vulnerability.display_id

string

stable
Dynatrace user-readable identifier for the vulnerability.

S-1234

vulnerability.external_id

string

stable
External provider's unique identifier for the vulnerability.

SNYK-JAVA-ORGAPACHEHTTPCOMPONENTS-30646

vulnerability.external_url

string

stable
External provider's URL to the details page of the vulnerability.

https://example.com

vulnerability.first_seen

timestamp

stable
Timestamp of when the vulnerability was first detected.

2023-03-22T13:19:36.945Z

vulnerability.id

string

stable
Dynatrace unique identifier for the vulnerability.

2039861408676243188

vulnerability.is_fix_available

boolean

experimental
Indicates if a vulnerability fix is available.

vulnerability.mute.change_date

timestamp

stable
Timestamp of the vulnerability's last muted or unmuted action.

2023-03-22T13:19:36.945Z

vulnerability.mute.reason

string

stable
Reason for muting or unmuting the vulnerability.

FALSE_POSITIVE; IGNORE; AFFECTED; CONFIGURATION_NOT_AFFECTED; OTHER

vulnerability.mute.status

string

stable
Vulnerability's mute status.

MUTED; NOT_MUTED

vulnerability.mute.user

string

stable
User who last changed the vulnerability's mute status.

user@example.com

vulnerability.previous.cvss.base_score

double

stable
Vulnerability's previous CVSS base score (in case the CVSS base score has changed).

8.1

vulnerability.previous.davis_assessment.data_assets_status

string

stable
Vulnerability's previous reachability of related data assets by affected entities (in case the reachability has changed).

NOT_AVAILABLE; NOT_DETECTED; REACHABLE

vulnerability.previous.davis_assessment.exploit_status

string

stable
Vulnerability's previous public exploit status (in case the public exploit status has changed).

AVAILABLE; NOT_AVAILABLE

vulnerability.previous.davis_assessment.exposure_status

string

stable
Vulnerability's previous internet exposure status (in case the internet exposure status has changed).

NOT_AVAILABLE; NOT_DETECTED; PUBLIC_NETWORK; ADJACENT_NETWORK

vulnerability.previous.davis_assessment.level

string

stable
Vulnerability's previous risk level (in case the risk level has changed).

LOW; MEDIUM; HIGH; CRITICAL; NONE

vulnerability.previous.davis_assessment.score

double

stable
Vulnerability's previous Davis Security Score (in case Davis Security Score has changed).

8.1

vulnerability.previous.davis_assessment.vulnerable_function_status

string

stable
Vulnerability's previous vulnerable function status (in case the vulnerable function status has changed).

IN_USE; NOT_AVAILABLE; NOT_IN_USE

vulnerability.previous.mute.change_date

string

stable
Timestamp of the vulnerability's previous mute status (in case the mute status has changed).

2023-03-22T13:19:36.945Z

vulnerability.previous.mute.reason

string

stable
Reason for last muting or unmuting the vulnerability (in case the reason for muting or unmuting the vulnerability has changed).

Muted: False positive

vulnerability.previous.mute.status

string

stable
Vulnerability's previous mute status (in case the mute status has changed).

MUTED; NOT_MUTED

vulnerability.previous.mute.user

string

stable
User who last changed the vulnerability's mute status (in case the mute status was last changed by a different user).

user@example.com

vulnerability.previous.resolution.status

string

stable
Vulnerability's previous resolution status (in case the resolution status has changed).

OPEN; RESOLVED

vulnerability.previous.risk.level

string

stable
Vulnerability's previous risk score level (in case the risk score level has changed).

LOW; MEDIUM; HIGH; CRITICAL

vulnerability.previous.risk.score

double

stable
Vulnerability's previous risk score (in case the risk score has changed).

8.1

vulnerability.references.cve

string[]

stable
List of the vulnerability's CVE IDs.

[CVE-2021-41079]

vulnerability.references.cwe

string[]

stable
List of the vulnerability's CWE IDs.

[CWE-20]

vulnerability.references.owasp

string[]

stable
List of vulnerability's OWASP IDs.

[2021:A3]

vulnerability.remediation.description

string

experimental
Description of the vulnerability's remediation advice.

Upgrade component to version 1.2.3 or higher

vulnerability.resolution.change_date

timestamp

stable
Timestamp of the vulnerability's last resolution status change.

2023-03-22T13:19:37.466Z

vulnerability.resolution.status

string

stable
Vulnerability's resolution status.

OPEN; RESOLVED

vulnerability.risk.level

string

stable
Vulnerability's risk score level defined by the provider. For Dynatrace, the Davis Security Score level.

LOW; MEDIUM; HIGH; CRITICAL; NONE

vulnerability.risk.scale

string

stable
Scale by which the vulnerability's risk score and risk score level defined by the provider are measured.

Davis Security Score

vulnerability.risk.score

double

stable
Vulnerability's risk score defined by the provider. For Dynatrace, Davis Security Score.

8.1

vulnerability.stack

string

experimental
Level of the vulnerable component in the technological stack.

CODE; CODE_LIBRARY; SOFTWARE; CONTAINER_ORCHESTRATION

vulnerability.technology

string

stable
Technology of the vulnerable component.

JAVA; DOTNET; GO; PHP; NODE_JS

vulnerability.title

string

stable
Title of the vulnerability.

Improper Input Validation

vulnerability.type

string

stable
Classification of the vulnerability based on commonly accepted enums, such as CWE.

Improper Input Validation

vulnerability.url

string

stable
Dynatrace URL to the details page of the vulnerability. |

https://example.com

Vulnerability change: Environmental data

Affected entities

This section contains information on changes regarding vulnerability's affected entities.

Attribute

Type

Description

Examples

affected_entities.count

long

stable
Number of affected entities.

1

affected_entities.hosts.count

long

stable
Number of affected hosts.

2

affected_entities.kubernetes_nodes.count

long

stable
Number of affected nodes.

2

affected_entities.previous.count

long

deprecated
Number of affected entities before the last change event.

1

affected_entities.previous.hosts.count

long

deprecated
Number of affected hosts before the last change event.

5

affected_entities.previous.kubernetes_nodes.count

long

deprecated
Number of affected Kubernetes nodes before the last change event.

5

affected_entities.previous.process_groups.count

long

deprecated
Number of affected process groups before the last change event.

2

affected_entities.process_groups.count

long

stable
Number of affected process groups.

2

affected_entities.types

array

stable
Types of affected entities.

PROCESS_GROUP; HOST; KUBERNETES_NODE

Related entities

This section contains information on changes regarding vulnerability's related entities.

Attribute

Type

Description

Examples

related_entities.applications.count

long

stable
Number of related applications.

1

related_entities.databases.count

long

stable
Number of related databases.

1

related_entities.hosts.count

long

stable
Number of related hosts.

1

related_entities.kubernetes_clusters.count

long

stable
Number of related Kubernetes clusters.

1

related_entities.kubernetes_workloads.count

long

stable
Number of related Kubernetes workloads.

1

related_entities.previous.databases.count

long

deprecated
Number of related databases before the last change event.

1

related_entities.services.count

long

stable
Number of related services.

1

Vulnerability State Events

Vulnerability state events are historical states at the vulnerability level. The current vulnerability state is exported to Grail regularly.

Query

Query vulnerability state events.

fetch events
| filter event.kind == "SECURITY_EVENT"
| filter event.category == "VULNERABILITY_MANAGEMENT"
| filter event.type == "VULNERABILITY_STATE_REPORT_EVENT"
| filter event.level == "VULNERABILITY"

Vulnerability state: Event data

This section contains general event information.

Attribute

Type

Description

Examples

event.category

string

stable
Categorization based on the product and data generating this event.

VULNERABILITY_MANAGEMENT

event.description

string

stable
Human-readable description of an event.

S-49 Remote Code Execution state event reported

event.group_label

string

experimental
Group label of an event.

STATE_REPORT

event.kind

string

SECURITY_EVENT

event.level

string

VULNERABILITY

event.name

string

stable
The human readable display name of an event type.

Vulnerability historical state report event

event.provider

string

stable
Source of the event, for example, the name of the component or system that generated the event.
Tags: permission

Dynatrace; Snyk

event.provider_product

string

stable
Name of the product providing this event.

Runtime Vulnerability Analytics; Snyk Container

event.status

string

stable
Status of an event as being either Active or Closed.

OPEN; RESOLVED; MUTED

event.type

string

stable
The unique type identifier of a given event.
Tags: permission

VULNERABILITY_STATE_REPORT_EVENT

timestamp

timestamp

stable
The time (UNIX Epoch time in nanoseconds) when the event originated, typically when it was created by the source.

1649822520123123123

Vulnerability state: Vulnerability data

This section contains information about the vulnerability.

Attribute

Type

Description

Examples

vulnerability.code_location.name

string

stable
Name of the code location where the code-level vulnerability was detected.

org.dynatrace.profileservice.BioController.markdownToHtml(String):80

vulnerability.cvss.base_score

double

stable
Vulnerability's CVSS base score provided by NVD.

8.1

vulnerability.cvss.vector

string

experimental
Vulnerability's CVSS vector defined by the provider.

CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:L/A:H/E:P/RL:T/RC:U/CR:L/IR:M/AR:H

vulnerability.cvss.version

string

stable
Vulnerability's CVSS score version.

3.1

vulnerability.davis_assessment.assessment_mode

string

stable
Availability of the information based on which the vulnerability assessment has been done.

FULL; NOT_AVAILABLE; REDUCED

vulnerability.davis_assessment.assessment_mode_reasons

string[]

experimental
Reasons for the assessment mode.

[LIMITED_BY_CONFIGURATION, LIMITED_AGENT_SUPPORT]

vulnerability.davis_assessment.data_assets_status

string

stable
Vulnerability's reachability of related data assets by affected entities.

NOT_AVAILABLE; NOT_DETECTED; REACHABLE

vulnerability.davis_assessment.exploit_status

string

stable
Vulnerability's public exploits status.

AVAILABLE; NOT_AVAILABLE

vulnerability.davis_assessment.exposure_status

string

stable
Vulnerability's internet exposure status.

NOT_AVAILABLE; NOT_DETECTED; PUBLIC_NETWORK; ADJACENT_NETWORK

vulnerability.davis_assessment.level

string

stable
Vulnerability's risk level based on Davis Security Score.

LOW; MEDIUM; HIGH; CRITICAL; NONE

vulnerability.davis_assessment.score

double

stable
Vulnerability's Davis Security Score (1-10) calculated by Dynatrace.

8.1

vulnerability.davis_assessment.vulnerable_function_status

string

stable
Usage status of the vulnerable functions causing the vulnerability.

IN_USE; NOT_AVAILABLE; NOT_IN_USE

vulnerability.description

string

stable
Description of the vulnerability.

More detailed description about improper input validation vulnerability.

vulnerability.display_id

string

stable
Dynatrace user-readable identifier for the vulnerability.

S-1234

vulnerability.external_id

string

stable
External provider's unique identifier for the vulnerability.

SNYK-JAVA-ORGAPACHEHTTPCOMPONENTS-30646

vulnerability.external_url

string

stable
External provider's URL to the details page of the vulnerability.

https://example.com

vulnerability.first_seen

timestamp

stable
Timestamp of when the vulnerability was first detected.

2023-03-22T13:19:36.945Z

vulnerability.id

string

stable
Dynatrace unique identifier for the vulnerability.

2039861408676243188

vulnerability.is_fix_available

boolean

experimental
Indicates if a vulnerability fix is available.

vulnerability.mute.change_date

timestamp

stable
Timestamp of the vulnerability's last muted or unmuted action.

2023-03-22T13:19:36.945Z

vulnerability.mute.reason

string

stable
Reason for muting or unmuting the vulnerability.

FALSE_POSITIVE; IGNORE; AFFECTED; CONFIGURATION_NOT_AFFECTED; OTHER

vulnerability.mute.status

string

stable
Vulnerability's mute status.

MUTED; NOT_MUTED

vulnerability.mute.user

string

stable
User who last changed the vulnerability's mute status.

user@example.com

vulnerability.references.cve

string[]

stable
List of the vulnerability's CVE IDs.

[CVE-2021-41079]

vulnerability.references.cwe

string[]

stable
List of the vulnerability's CWE IDs.

[CWE-20]

vulnerability.references.owasp

string[]

stable
List of vulnerability's OWASP IDs.

[2021:A3]

vulnerability.remediation.description

string

experimental
Description of the vulnerability's remediation advice.

Upgrade component to version 1.2.3 or higher

vulnerability.resolution.change_date

timestamp

stable
Timestamp of the vulnerability's last resolution status change.

2023-03-22T13:19:37.466Z

vulnerability.resolution.status

string

stable
Vulnerability's resolution status.

OPEN; RESOLVED

vulnerability.risk.level

string

stable
Vulnerability's risk score level defined by the provider. For Dynatrace, the Davis Security Score level.

LOW; MEDIUM; HIGH; CRITICAL; NONE

vulnerability.risk.scale

string

stable
Scale by which the vulnerability's risk score and risk score level defined by the provider are measured.

Davis Security Score

vulnerability.risk.score

double

stable
Vulnerability's risk score defined by the provider. For Dynatrace, Davis Security Score.

8.1

vulnerability.stack

string

experimental
Level of the vulnerable component in the technological stack.

CODE; CODE_LIBRARY; SOFTWARE; CONTAINER_ORCHESTRATION

vulnerability.technology

string

stable
Technology of the vulnerable component.

JAVA; DOTNET; GO; PHP; NODE_JS

vulnerability.title

string

stable
Title of the vulnerability.

Improper Input Validation

vulnerability.type

string

stable
Classification of the vulnerability based on commonly accepted enums, such as CWE.

Improper Input Validation

vulnerability.url

string

stable
Dynatrace URL to the details page of the vulnerability. |

https://example.com

Vulnerability state: Environmental data

This section contains information on the vulnerability's affected and related entities.

Affected entities

Attribute

Type

Description

Examples

affected_entities.affected_processes.count

long

stable
Number of affected processes.

50

affected_entities.count

long

stable
Number of affected entities.

1

affected_entities.hosts.count

long

stable
Number of affected hosts.

2

affected_entities.kubernetes_nodes.count

long

stable
Number of affected nodes.

2

affected_entities.management_zones.ids

array

stable
IDs of the management zones to which the affected entities belong.

mzid1

affected_entities.management_zones.names

array

stable
Names of the management zones to which the affected entities belong.

mz1

affected_entities.monitored_processes.count

long

stable
Number of processes of the process group.

100

affected_entities.process_groups.count

long

stable
Number of affected process groups.

2

affected_entities.types

array

stable
Types of affected entities.

PROCESS_GROUP; HOST; KUBERNETES_NODE

affected_entities.vulnerable_components.ids

array

stable
Dynatrace IDs of the vulnerable components causing the vulnerability.

SOFTWARE_COMPONENT-0000000000000001; SOFTWARE_COMPONENT-0000000000000002; SOFTWARE_COMPONENT-0000000000000003

affected_entities.vulnerable_components.names

array

stable
Names of the vulnerable components causing the vulnerability. |

com.fasterxml.jackson.core:jackson-databind:2.10.0; node-sass:4.14.1

affected_entities.vulnerable_functions

array

stable
Vulnerable functions detected, containing or causing the vulnerability.

org.springframework.beans.CachedIntrospectionResults:init; java.lang.ProcessBuilder.<init>(String[]); (*DB).queryDC() (/usr/local/go/src/database/sql/sql.go)

Related entities

Attribute

Type

Description

Examples

related_entities.applications.count

long

stable
Number of related applications.

1

related_entities.databases.count

long

stable
Number of related databases.

1

related_entities.hosts.count

long

stable
Number of related hosts.

1

related_entities.kubernetes_clusters.count

long

stable
Number of related Kubernetes clusters.

1

related_entities.kubernetes_workloads.count

long

stable
Number of related Kubernetes workloads.

1

related_entities.services.count

long

stable
Number of related services.

1

Vulnerability finding events

Vulnerability-finding events contain generic sections and fields like metadata, affected entity data and vulnerability data. They can also include extensions (such as container image data for container vulnerability findings) at the end of the page.

Vulnerability finding events: Metadata

This section contains meta information on the vulnerability-finding event.

Attribute

Type

Description

Examples

event.category

string

stable
Standard categorization based on the significance of an event (similar to the severity level in the previous Dynatrace).

VULNERABILITY_MANAGEMENT

event.description

string

stable
Human-readable description of an event.

Vulnerability CVE-2023-45871 of component linux:4.19.269-1 was detected in your container image unguard-frontend:latest@054e1d39

event.id

string

stable
Unique identifier string of an event, is stable across multiple refreshes and updates.

5547782627070661074_1647601320000

event.kind

string

SECURITY_EVENT

event.name

string

stable
The human readable display name of an event type.

Vulnerability finding event

event.original_content

string

experimental
The original raw data of the event as received from the source.

{"severity_id": 3,"state_id": 1,"time": "2024-06-26T07:15:06.139000Z","state": "New","type_uid": 200101}

event.provider

string

stable
Source of the event, for example, the name of the component or system that generated the event.
Tags: permission

Amazon ECR

event.type

string

stable
The unique type identifier of a given event.
Tags: permission

VULNERABILITY_FINDING

event.version

string

experimental
Describes the version of the event.

1.304

timestamp

timestamp

stable
Time (UNIX Epoch time in nanoseconds) when the event originated, typically when the event was ingested into Dynatrace.

1649822520123123123

Vulnerability finding events: Vulnerability data

This section contains information about the vulnerability that caused the vulnerability-finding event (vulnerability ID, description, risk level, and so on).

Attribute

Type

Description

Examples

dt.security.risk.level

string

experimental
Risk score level defined by the provider.

LOW; MEDIUM; HIGH; CRITICAL; NONE; NOT_AVAILABLE

dt.security.risk.score

double

experimental
Risk score, mapped and normalized by Dynatrace.

8.1

vulnerability.description

string

stable
Description of the vulnerability.

More detailed description about improper input validation vulnerability.

vulnerability.exploit.status

string

experimental
Whether there is a known exploit for the vulnerability.

AVAILABLE; NOT_AVAILABLE

vulnerability.id

string

stable
Dynatrace unique identifier for the vulnerability.

CVE-2019-19814

vulnerability.references.cve

string[]

stable
List of the vulnerability's CVE IDs.

[CVE-2021-41079]

vulnerability.remediation.description

string

experimental
Description of the vulnerability's remediation advice.

Upgrade to JQuery version 3.5.0 or later.

vulnerability.remediation.status

string

experimental
Indicates whether a fix for the vulnerability is available.

AVAILABLE; NOT_AVAILABLE

vulnerability.title

string

stable
Title of the vulnerability.

CVE-2019-19814; Improper input validation

Extensions

Vulnerability finding events: Container image data

This section contains container-image—specific data.

Attribute

Type

Description

Examples

container_image.digest

string

experimental
Container image digest uniquely and immutably identifying the vulnerable container image.

sha256:054e1d39fb20a52f2c78caeb83574035462d3d2e627978d89a2834ce8cb69fe1

container_image.registry

string

experimental
Container image registry from which the finding originates.

1294385647.eu-central-1

container_image.repository

string

experimental
Container image repository from which the finding originates.

unguard-frontend

container_image.tags

array

experimental
List of tags of the vulnerable container image.

[1.0.0]; [1.0.0, 1.0.0-nightly, latest]