Security events

    Security events are a special type of data representing various events generated by Dynatrace.

    In the events data store, security events are stored in a dedicated bucket (default_security_events) and come as an additional event kind (event.kind=="SECURITY_EVENT") for better access control, data separation, and data retention period control.

    Compliance finding events

    A compliance finding event is generated when an object is evaluated against a compliance rule during a scan. The event contains the results of this evaluation and the compliance status of the given object.

    Compliance finding events: Event data

    This section contains general event information.

    | Attribute | Type | Description | Examples |
    | --- | --- | --- | --- |
    | event.kind | string (stable) | Gives high-level information about what kind of information the event contains without being specific about the contents of the event. It helps to determine the record type of a raw event. Tags: permission | SECURITY_EVENT |
    | event.type | string (stable) | The unique type identifier of a given event. Tags: permission | COMPLIANCE_FINDING |
    | timestamp | timestamp (stable) | The time (UNIX Epoch time in nanoseconds) when the event was ingested. | 1649822520123123123 |

    Compliance finding events: Finding data

    This section contains information about the finding.

    | Attribute | Type | Description | Examples |
    | --- | --- | --- | --- |
    | aws.account.id | string (resource, stable) | The 12-digit number, such as 123456789012, that uniquely identifies an AWS account. Tags: permission, primary-field | 123456789012 |
    | aws.account.name | string (resource, experimental) | Name associated with the AWS account. | example.com |
    | azure.tenant.id | string (resource, experimental) | Unique, immutable identifier assigned to the Azure tenant. | 37c4add3-612a-483d-8b24-cccbb35d3306 |
    | azure.tenant.name | string (resource, experimental) | Name assigned to the Azure tenant. | MyAzureTenant |
    | cloud.provider | string (resource, experimental) | Name of the cloud provider. | alibaba_cloud |
    | dt.entity.cloud_application | string (resource, stable) | An entity ID of an entity of type CLOUD_APPLICATION. Tags: entity-id | CLOUD_APPLICATION-3AB5BBF3E09A7942 |
    | dt.entity.cloud_application_instance | string (resource, stable) | An entity ID of an entity of type CLOUD_APPLICATION_INSTANCE. Tags: entity-id | CLOUD_APPLICATION_INSTANCE-E0D8F94D9065F24F |
    | dt.entity.cloud_application_namespace | string (resource, stable) | An entity ID of an entity of type CLOUD_APPLICATION_NAMESPACE. A CLOUD_APPLICATION_NAMESPACE is a Kubernetes namespace. Tags: entity-id | CLOUD_APPLICATION_NAMESPACE-C61324AA70F57BCB |
    | dt.entity.kubernetes_cluster | string (resource, stable) | An entity ID of an entity of type KUBERNETES_CLUSTER. Tags: entity-id | KUBERNETES_CLUSTER-E0D8F94D9065F24F |
    | dt.entity.kubernetes_node | string (resource, stable) | An entity ID of an entity of type KUBERNETES_NODE. Tags: entity-id | KUBERNETES_NODE-874C66B68CE15070 |
    | finding.id | string (experimental) | Unique identifier string of a finding. | F-2GJ3LSUM |
    | finding.time.created | timestamp (experimental) | Time when the finding was created. | 2024-06-24T04:47:21.154000000+02:00 |
    | gcp.organization.id | string (resource, experimental) | Unique, immutable identifier assigned to an organization resource. | 123456789012 |
    | gcp.organization.name | string (resource, experimental) | Name assigned to the GCP organization. | dynatrace.com |
    | hypervisor.type | string (resource, experimental) | Virtualization hypervisor identified. For physical machines, this value is empty. | KVM; VMWARE |
    | k8s.cluster.name | string (resource, stable) | (Optional) The user-defined name of the cluster in Dynatrace. Doesn't need to be unique or immutable. Tags: permission, primary-field | unguard-dev; acme-prod10 |
    | k8s.cluster.uid | string (resource, stable) | A pseudo-ID for the cluster, by default set to the UID of the kube-system namespace. | 1c7a24c7-ff51-46e0-bcc9-c52637ceec57 |
    | k8s.namespace.name | string (resource, stable) | The name of the namespace that the pod is running in. Tags: permission, primary-field | default; kube-system |
    | k8s.namespace.uid | string (resource, experimental) | The UID of the namespace. | bfb1ba44-3bcb-467d-a2dc-188fd74d1db5 |
    | k8s.node.name | string (resource, stable) | Name of the node. | cluster-pool-1-c3c7423d-azth |
    | k8s.pod.name | string (resource, stable) | The name of the pod. | checkoutservice-7895755b94-mzs5m |
    | k8s.pod.uid | string (resource, stable) | The UID of the pod. | 275ecb36-5aa8-4c2a-9c47-d8bb681b9aff |
    | k8s.workload.name | string (resource, stable) | The name of the workload. | checkoutservice |
    | k8s.workload.uid | string (resource, experimental) | The UID of the workload. | 786a41e4-e673-44bb-bb30-18888f797a2b |
    | vmware.vcenter.name | string (resource, experimental) | Name of the VMware vCenter server managing the multi-hypervisor environment. | my-vcenter.lab.dynatrace.org |

    Compliance finding events: Scan data

    This section contains information about the scan that generated the finding.

    | Attribute | Type | Description | Examples |
    | --- | --- | --- | --- |
    | product.name | string (resource, experimental) | Product name. | Tenable; Snyk |
    | scan.id | string (resource, experimental) | Unique identifier of the scan. | 00000000-0000-0000-0000-000000000000 |

    Compliance finding events: Rule data

    This section contains information about the compliance rule and the compliance standard it belongs to.

    | Attribute | Type | Description | Examples |
    | --- | --- | --- | --- |
    | compliance.rule.id | string (experimental) | Unique identifier of a compliance rule. | CIS-66577 |
    | compliance.rule.metadata_json | string (experimental) | Any additional metadata associated with the compliance rule. | {\"Section\":\"Kubernetes - v1.9.0\",\"Recommendation ID\":\"1.2.16\",\"Recommendation section\":\"1.2 - Control Plane Components - API Server\", \"Level\":\"L1\"} |
    | compliance.rule.severity.level | string (experimental) | Original severity of a compliance rule reported by the vendor. | CRITICAL; HIGH; MEDIUM; LOW |
    | compliance.rule.severity.score | double (experimental) | Number assigned to the respective severity. For example, 10 corresponds to 'CRITICAL', 7 to 'HIGH', 4 to 'MEDIUM', and 1 to 'LOW'. | 10.0; 7.0; 4.0; 1.0 |
    | compliance.rule.title | string (experimental) | Short description of a compliance rule. | The Kubernetes Controller Manager must use TLS 1.2, at a minimum, to protect the confidentiality of sensitive data during electronic dissemination |

    | Attribute | Type | Description | Examples |
    | --- | --- | --- | --- |
    | compliance.standard.short_name | string (experimental) | Short name of a compliance standard. | DISA STIG; NIST |
    | compliance.standard.url | string (experimental) | Link to the official documentation source about the compliance standard. | DISA STIG; NIST |

    Compliance finding events: Result

    This section contains information about the result of the compliance scan.

    | Attribute | Type | Description | Examples |
    | --- | --- | --- | --- |
    | aws.resource.name | string (resource, experimental) | Name of the resource (value of the "Name" tag in AWS). | my-ec2-instance |
    | azure.resource.id | string (resource, experimental) | A unique, immutable identifier assigned to each Azure cloud resource. | /subscriptions/27e9b03f-04d2-2b69-b327-32f433f7ed21/resourceGroups/demo-backend-rg/providers/Microsoft.ContainerService/managedClusters/demo-aks |
    | azure.resource.name | string (resource, experimental) | User-provided name of the Azure cloud resource. | demo-aks |
    | compliance.result.description | string (experimental) | Details about the compliance result status. | Object not matching standard inclusion criteria |
    | compliance.result.object.evidence_json | string (experimental) | Reasoning or evidence for the compliance status of this object. | [{\"type\":\"AUTOMATIC\",\"description\":\"Controller Manager version\",\"value\":\"1.28.0\"},{\"type\":\"AUTOMATIC\",\"description\":\"Property tls-min-version status\",\"value\":\"Not set\"}] |
    | compliance.result.object.name | string (deprecated) | Name of the object evaluated for compliance. | kube-controller-manager-k8s-mst01-t12; daemonset-25qlv |
    | compliance.result.object.type | string (experimental) | Type of the object evaluated for compliance. | k8scluster; k8spod; k8sservice |
    | compliance.result.status.level | string (experimental) | Result status of the given resource object as evaluated by a scan. | FAILED; PASSED; MANUAL; NOT_RELEVANT |
    | compliance.result.status.score | double (experimental) | Number assigned to the respective result status. For example, 10 corresponds to 'FAILED', 7 to 'MANUAL', 4 to 'PASSED', and 1 to 'NOT_RELEVANT'. | 10.0; 7.0; 4.0; 1.0 |
    | dt.source_entity | string (resource, stable) | The ID of the entity considered the source of the signal. The string represents an entity ID of an entity that is stored in the classic entity storage. [1] Tags: entity-id | HOST-E0D8F94D9065F24F; PROCESS_GROUP_INSTANCE-E0D8F94D9065F24F |
    | object.id | string (resource, experimental) | Identifier of the affected object. | HOST-E0D8F94D9065F24F; i-06becf87d5326157a; arn:aws:ecr:eu-central-1:124567890123:repository/unguard-frontend/sha256:054e1d39fb20a52f2c78caeb83574035462d3d2e627978d89a2834ce8cb69fe1 |
    | object.name | string (resource, experimental) | Name of the affected object. | kube-controller-manager-k8s-mst01-t12; daemonset-25qlv |
    | object.type | string (resource, experimental) | Type of the affected object. | HOST; EC2_INSTANCE; CONTAINER_IMAGE |

    [1] The value of this field will be based on the value of one of the dt.entity.<type> fields. This means that both the dt.source_entity and dt.entity.<type> fields will be set to the same ID.
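Added example (not part of the Dynatrace documentation): one way to triage compliance finding records once they have been retrieved, grouping FAILED results by rule and decoding the string-encoded compliance.rule.metadata_json and compliance.result.object.evidence_json attributes. The sample records, the rule ID EXAMPLE-RULE-2, the finding IDs and the function names are constructed for illustration.

```python
import json


def decode_json_attr(record, key):
    """Decode a *_json attribute (a JSON document stored as a string).

    Returns None when the attribute is absent and {"undecoded": raw} when the
    string is not valid JSON, so truncated evidence stays visible to the analyst.
    """
    raw = record.get(key)
    if not raw:
        return None
    try:
        return json.loads(raw)
    except (TypeError, json.JSONDecodeError):
        return {"undecoded": raw}


def failed_findings_by_rule(records):
    """Group FAILED compliance findings by rule, highest severity score first."""
    rules = {}
    for rec in records:
        if rec.get("event.kind") != "SECURITY_EVENT":
            continue
        if rec.get("event.type") != "COMPLIANCE_FINDING":
            continue  # COMPLIANCE_SCAN_COMPLETED events carry no per-object result
        if rec.get("compliance.result.status.level") != "FAILED":
            continue
        rule_id = rec.get("compliance.rule.id", "<no rule id>")
        entry = rules.setdefault(rule_id, {
            "rule_id": rule_id,
            "title": rec.get("compliance.rule.title"),
            "standard": rec.get("compliance.standard.short_name"),
            "severity_level": rec.get("compliance.rule.severity.level"),
            "severity_score": float(rec.get("compliance.rule.severity.score") or 0.0),
            "metadata": decode_json_attr(rec, "compliance.rule.metadata_json"),
            "objects": [],
        })
        entry["objects"].append({
            "finding_id": rec.get("finding.id"),
            "object_type": rec.get("object.type"),
            # Prefer object.name; compliance.result.object.name is marked deprecated.
            "object_name": rec.get("object.name")
            or rec.get("compliance.result.object.name"),
            "evidence": decode_json_attr(rec, "compliance.result.object.evidence_json"),
        })
    return sorted(rules.values(), key=lambda r: (-r["severity_score"], r["rule_id"]))


# Constructed sample records (not real data) using attribute names from the tables above.
TLS_RULE = {
    "event.kind": "SECURITY_EVENT",
    "event.type": "COMPLIANCE_FINDING",
    "compliance.standard.short_name": "DISA STIG",
    "compliance.rule.id": "CIS-66577",
    "compliance.rule.title": "The Kubernetes Controller Manager must use TLS 1.2, at a minimum",
    "compliance.rule.severity.level": "HIGH",
    "compliance.rule.severity.score": 7.0,
    "compliance.rule.metadata_json": json.dumps({"Recommendation ID": "1.2.16", "Level": "L1"}),
}
SAMPLE_FINDINGS = [
    {**TLS_RULE, "finding.id": "F-0001", "compliance.result.status.level": "FAILED",
     "object.type": "k8spod", "object.name": "kube-controller-manager-k8s-mst01-t12",
     "compliance.result.object.evidence_json": json.dumps([
         {"type": "AUTOMATIC", "description": "Property tls-min-version status",
          "value": "Not set"}])},
    {**TLS_RULE, "finding.id": "F-0002", "compliance.result.status.level": "PASSED",
     "object.type": "k8spod", "object.name": "kube-controller-manager-k8s-mst02-t12"},
    # Older record shape: only the deprecated name attribute, no evidence at all.
    {**TLS_RULE, "finding.id": "F-0003", "compliance.result.status.level": "FAILED",
     "object.type": "k8spod", "compliance.result.object.name": "daemonset-25qlv"},
    # Evidence string cut off in transit: must not abort the whole triage run.
    {"event.kind": "SECURITY_EVENT", "event.type": "COMPLIANCE_FINDING",
     "finding.id": "F-0004", "compliance.rule.id": "EXAMPLE-RULE-2",
     "compliance.rule.severity.level": "CRITICAL", "compliance.rule.severity.score": 10.0,
     "compliance.result.status.level": "FAILED", "object.type": "k8scluster",
     "object.name": "acme-prod10",
     "compliance.result.object.evidence_json": '[{"type":"AUTOMATIC","descr'},
    {"event.kind": "SECURITY_EVENT", "event.type": "COMPLIANCE_SCAN_COMPLETED",
     "scan.id": "00000000-0000-0000-0000-000000000000"},
]

if __name__ == "__main__":
    for rule in failed_findings_by_rule(SAMPLE_FINDINGS):
        print(rule["severity_level"], rule["rule_id"], len(rule["objects"]), "failed object(s)")
```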

    Compliance scan completed events

    A compliance scan completed event is generated when a scan of a configuration dataset against compliance rules is completed.

    Compliance scan completed events: Event metadata

    This section contains general event information.

    | Attribute | Type | Description | Examples |
    | --- | --- | --- | --- |
    | event.kind | string (stable) | Gives high-level information about what kind of information the event contains without being specific about the contents of the event. It helps to determine the record type of a raw event. Tags: permission | SECURITY_EVENT |
    | event.type | string (stable) | The unique type identifier of a given event. Tags: permission | COMPLIANCE_SCAN_COMPLETED |
    | timestamp | timestamp (stable) | The time (UNIX Epoch time in nanoseconds) when the event was ingested. | 1649822520123123123 |

    Compliance scan completed events: Scan info

    This section contains details about the performed compliance scan.

    | Attribute | Type | Description | Examples |
    | --- | --- | --- | --- |
    | aws.account.id | string (resource, stable) | The 12-digit number, such as 123456789012, that uniquely identifies an AWS account. Tags: permission, primary-field | 123456789012 |
    | aws.account.name | string (resource, experimental) | Name associated with the AWS account. | example.com |
    | azure.tenant.id | string (resource, experimental) | Unique, immutable identifier assigned to the Azure tenant. | 37c4add3-612a-483d-8b24-cccbb35d3306 |
    | azure.tenant.name | string (resource, experimental) | Name assigned to the Azure tenant. | MyAzureTenant |
    | cloud.provider | string (resource, experimental) | Name of the cloud provider. | alibaba_cloud |
    | dt.entity.kubernetes_cluster | string (resource, stable) | An entity ID of an entity of type KUBERNETES_CLUSTER. Tags: entity-id | KUBERNETES_CLUSTER-E0D8F94D9065F24F |
    | gcp.organization.id | string (resource, experimental) | Unique, immutable identifier assigned to an organization resource. | 123456789012 |
    | gcp.organization.name | string (resource, experimental) | Name assigned to the GCP organization. | dynatrace.com |
    | hypervisor.type | string (resource, experimental) | Virtualization hypervisor identified. For physical machines, this value is empty. | KVM; VMWARE |
    | object.id | string (resource, experimental) | Identifier of the affected object. | HOST-E0D8F94D9065F24F; i-06becf87d5326157a; arn:aws:ecr:eu-central-1:124567890123:repository/unguard-frontend/sha256:054e1d39fb20a52f2c78caeb83574035462d3d2e627978d89a2834ce8cb69fe1 |
    | object.name | string (resource, experimental) | Name of the affected object. | kube-controller-manager-k8s-mst01-t12; daemonset-25qlv |
    | object.type | string (resource, experimental) | Type of the affected object. | HOST; EC2_INSTANCE; CONTAINER_IMAGE |
    | product.name | string (resource, experimental) | Product name. | Tenable; Snyk |
    | product.vendor | string (resource, experimental) | Product vendor. | Tenable; Snyk |
    | product.version | string (resource, experimental) | Version of the product that performed the scan. | 6.9.2.0 |
    | scan.id | string (resource, experimental) | Unique identifier of the scan. | 00000000-0000-0000-0000-000000000000 |
    | scan.result.summary_json | string (resource, experimental) | Summary of the scan results. | {"standardResultSummaries":[{"profileCode":"CIS","compliancePercentage":85}]} |
    | scan.time.completed | timestamp (resource, experimental) | Time when the scan was completed. | 2024-06-24T04:47:21.154000000+02:00 |
    | vmware.vcenter.name | string (resource, experimental) | Name of the VMware vCenter server managing the multi-hypervisor environment. | my-vcenter.lab.dynatrace.org |

    Entity change events

    Entity change events are change events at the entity level. An event is generated whenever a vulnerability's affected entity undergoes a status or assessment change.

    Query

    Query entity status change events.

    fetch security.events
    | filter event.category == "VULNERABILITY_MANAGEMENT"
    | filter event.type == "VULNERABILITY_STATUS_CHANGE_EVENT"
    | filter event.level == "ENTITY"

    Entity change events: Event data

    This section contains general event information.

    | Attribute | Type | Description | Examples |
    | --- | --- | --- | --- |
    | event.category | string (stable) | Categorization based on the product and data generating this event. | VULNERABILITY_MANAGEMENT |
    | event.change_list | array (resource, stable) | List of attributes updated as part of the change event. Values in the list match a previous field. | vulnerability.risk.score; affected_entities.count; related_entities.databases.count |
    | event.description | string (stable) | Human-readable description of an event. | Status of S-49 Remote Code Execution for prod_process_group_1 has changed to OPEN.; Assessment of S-49 Remote Code Execution for prod_process_group_1 has changed.; Environment impact of S-49 Remote Code Execution for prod_process_group_1 has changed. |
    | event.group_label | string (experimental) | Group label of an event. | CHANGE_EVENT |
    | event.kind | string (stable) | Gives high-level information about what kind of information the event contains without being specific about the contents of the event. It helps to determine the record type of a raw event. Tags: permission | SECURITY_EVENT |
    | event.level | string (resource, stable) | Main reference point to which the event or data is related. Possible values are Vulnerability (shows the global aggregation across the entire environment and comprises all entities and management zones) and Entity (shows the assessment based on the entity itself). | ENTITY |
    | event.name | string (stable) | The human-readable display name of an event type. | Vulnerable entity status change event; Vulnerable entity assessment change event |
    | event.provider | string (stable) | Source of the event, for example, the name of the component or system that generated the event. Tags: permission | Dynatrace |
    | event.provider_product | string (resource, stable) | Name of the product providing this event. | Runtime Vulnerability Analytics; Snyk Container |
    | event.status | string (stable) | Status of an event as being either Active or Closed. | OPEN; RESOLVED; MUTED |
    | event.status_transition | string (experimental) | An enum that shows the transition of the above event state. | NEW_OPEN; REOPEN; CLOSE; MUTE; UNMUTE |
    | event.trigger.type | string (resource, stable) | Type of event trigger (for example, whether it was generated by the system, ingested via API, or triggered by the user). | DT_PLATFORM; USER_ACTION |
    | event.trigger.user | string (resource, stable) | ID of the user who triggered the event. If generated by Dynatrace, the value is SYSTEM. | SYSTEM; <user_id> |
    | event.type | string (stable) | The unique type identifier of a given event. Tags: permission | VULNERABILITY_STATUS_CHANGE_EVENT; VULNERABILITY_ASSESSMENT_CHANGE_EVENT |
    | timestamp | timestamp (stable) | The time (UNIX Epoch time in nanoseconds) when the event originated, typically when it was created by the source. | 1649822520123123123 |

    Entity change events: Vulnerability data

    This section contains information about the vulnerability at the entity level and its global parent, as well as its previous values.

    | Attribute | Type | Description | Examples |
    | --- | --- | --- | --- |
    | entry_points.entry_point_jsons | string[] (resource, experimental) | JSON representation of entry points of a vulnerability. | [{ "entry_point.url.path": "/user/2/bio", "entry_point.payload": "UPDATE bio SET bio_text = '' WHERE 1 = 0; TRUNCATE TABLE bio; --' WHERE user_id = 2", "entry_point.user_controlled_inputs_json": [{ "user_controlled_input.type": "HTTP_PARAMETER_VALUE", "user_controlled_input.key": "username", "user_controlled_input.value": "' OR 100=100 -- 0'", "user_controlled_input.payload.start": "56", "user_controlled_input.payload.end": "73", "user_controlled_input.is_malicious": true}]}] |
    | vulnerability.code_location.name | string (stable) | Name of the code location where the code-level vulnerability was detected. | org.dynatrace.profileservice.BioController.markdownToHtml(String):80 |
    | vulnerability.cvss.base_score | double (stable) | Vulnerability's CVSS base score provided by NVD. | 8.1 |
    | vulnerability.cvss.vector | string (experimental) | Vulnerability's CVSS vector defined by the provider. | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:L/SI:L/SA:L; CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:L/A:H/E:P/RL:T/RC:U/CR:L/IR:M/AR:H |
    | vulnerability.cvss.version | string (stable) | Vulnerability's CVSS score version. | 3.1; 4.0 |
    | vulnerability.davis_assessment.assessment_mode | string (stable) | Availability of the information based on which the assessment of the vulnerability at the entity level has been done. | FULL; NOT_AVAILABLE; REDUCED |
    | vulnerability.davis_assessment.assessment_mode_reasons | string[] (experimental) | Reasons for the assessment mode at the entity level. | [LIMITED_BY_CONFIGURATION, LIMITED_AGENT_SUPPORT] |
    | vulnerability.davis_assessment.data_assets_status | string (stable) | Affected entity's reachability by a database. | NOT_AVAILABLE; NOT_DETECTED; REACHABLE |
    | vulnerability.davis_assessment.exploit_status | string (stable) | Public exploits status of the vulnerability at the entity level. | AVAILABLE; NOT_AVAILABLE |
    | vulnerability.davis_assessment.exposure_status | string (stable) | Internet exposure status of the vulnerability at the entity level. | NOT_AVAILABLE; NOT_DETECTED; PUBLIC_NETWORK; ADJACENT_NETWORK |
    | vulnerability.davis_assessment.level | string (stable) | Risk level, based on Davis Security Score, of the vulnerability at the entity level. | LOW; MEDIUM; HIGH; CRITICAL; NONE |
    | vulnerability.davis_assessment.score | double (stable) | Davis Security Score (1-10) calculated by Dynatrace for the vulnerability at the entity level. | 8.1 |
    | vulnerability.davis_assessment.vulnerable_function_status | string (stable) | Usage status of the vulnerable functions causing the vulnerability at the entity level. | IN_USE; NOT_AVAILABLE; NOT_IN_USE |
    | vulnerability.description | string (stable) | Description of the vulnerability. | More detailed description about improper input validation vulnerability. |
    | vulnerability.display_id | string (stable) | Dynatrace user-readable identifier for the vulnerability. | S-1234 |
    | vulnerability.external_id | string (stable) | External provider's unique identifier for the vulnerability. | SNYK-JAVA-ORGAPACHEHTTPCOMPONENTS-30646 |
    | vulnerability.external_url | string (stable) | External provider's URL to the details page of the vulnerability. | https://example.com |
    | vulnerability.first_seen | timestamp (stable) | Timestamp of when the vulnerability at the entity level was first detected. | 2023-03-22T13:19:36.945Z |
    | vulnerability.id | string (stable) | Dynatrace unique identifier for the vulnerability. | 2039861408676243188 |
    | vulnerability.is_fix_available | boolean (experimental) | Indicates if a vulnerability fix is available. | |
    | vulnerability.mute.change_date | timestamp (stable) | Timestamp of the last muted or unmuted action of the vulnerability at the entity level. | 2023-03-22T13:19:36.945Z |
    | vulnerability.mute.comment | string (experimental) | Comment for muting or unmuting the vulnerability at the entity level. | Muted because it's a false positive. |
    | vulnerability.mute.reason | string (stable) | Reason for muting or unmuting the vulnerability at the entity level. | FALSE_POSITIVE; IGNORE; AFFECTED; CONFIGURATION_NOT_AFFECTED; OTHER |
    | vulnerability.mute.status | string (stable) | Mute status of the vulnerability at the entity level. | MUTED; NOT_MUTED |
    | vulnerability.mute.user | string (stable) | User who last changed the mute status of the vulnerability at the entity level. | user@example.com |
    | vulnerability.parent.davis_assessment.assessment_mode | string (stable) | Availability of the information based on which the vulnerability assessment has been done. | FULL; NOT_AVAILABLE; REDUCED |
    | vulnerability.parent.davis_assessment.data_assets_status | string (stable) | Vulnerability's reachability of related data assets by affected entities. | NOT_AVAILABLE; NOT_DETECTED; REACHABLE |
    | vulnerability.parent.davis_assessment.exposure_status | string (stable) | Vulnerability's internet exposure status. | NOT_AVAILABLE; NOT_DETECTED; PUBLIC_NETWORK; ADJACENT_NETWORK |
    | vulnerability.parent.davis_assessment.level | string (stable) | Vulnerability's Davis Security Score level. | LOW; MEDIUM; HIGH; CRITICAL; NONE |
    | vulnerability.parent.davis_assessment.score | double (stable) | Vulnerability's Davis Security Score (1-10) calculated by Dynatrace. | 8.1 |
    | vulnerability.parent.davis_assessment.vulnerable_function_status | string (stable) | Usage status of vulnerable functions causing the vulnerability. Status is IN_USE when there's at least one vulnerable function in use by an application. | IN_USE; NOT_AVAILABLE; NOT_IN_USE |
    | vulnerability.parent.first_seen | string (stable) | Timestamp of when the vulnerability was first detected. | 2023-03-22T13:19:36.945Z |
    | vulnerability.parent.mute.change_date | timestamp (stable) | Timestamp of the last mute or unmute action of the vulnerability. | 2023-03-22T13:19:36.945Z |
    | vulnerability.parent.mute.reason | string (stable) | Reason for muting or unmuting the vulnerability. | FALSE_POSITIVE; IGNORE; AFFECTED; CONFIGURATION_NOT_AFFECTED; OTHER |
    | vulnerability.parent.mute.status | string (stable) | Vulnerability's mute status. | MUTED; NOT_MUTED |
    | vulnerability.parent.mute.user | string (stable) | User who last changed the vulnerability's mute status. | user@example.com |
    | vulnerability.parent.resolution.change_date | string (stable) | Timestamp of the vulnerability's last resolution status change. | 2023-03-22T13:19:37.466Z |
    | vulnerability.parent.resolution.status | string (stable) | Current status of the vulnerability. | OPEN; RESOLVED |
    | vulnerability.parent.risk.level | string (stable) | Vulnerability's risk score level defined by the provider. For Dynatrace, the Davis Security Score level. | LOW; MEDIUM; HIGH; CRITICAL; NONE |
    | vulnerability.parent.risk.score | double (stable) | Vulnerability's risk score defined by the provider. For Dynatrace, Davis Security Score. | 8.1 |
    | vulnerability.previous.cvss.base_score | double (stable) | Vulnerability's previous CVSS base score (in case the CVSS base score has changed). | 8.1 |
    | vulnerability.previous.davis_assessment.data_assets_status | string (stable) | Vulnerability's previous reachability of related data assets by affected entities (in case the reachability has changed). | NOT_AVAILABLE; NOT_DETECTED; REACHABLE |
    | vulnerability.previous.davis_assessment.exploit_status | string (stable) | Vulnerability's previous public exploit status (in case the public exploit status has changed). | AVAILABLE; NOT_AVAILABLE |
    | vulnerability.previous.davis_assessment.exposure_status | string (stable) | Vulnerability's previous internet exposure status (in case the internet exposure status has changed). | NOT_AVAILABLE; NOT_DETECTED; PUBLIC_NETWORK; ADJACENT_NETWORK |
    | vulnerability.previous.davis_assessment.level | string (stable) | Vulnerability's previous risk level (in case the risk level has changed). | LOW; MEDIUM; HIGH; CRITICAL; NONE |
    | vulnerability.previous.davis_assessment.score | double (stable) | Vulnerability's previous Davis Security Score (in case Davis Security Score has changed). | 8.1 |
    | vulnerability.previous.davis_assessment.vulnerable_function_status | string (stable) | Vulnerability's previous vulnerable function status (in case the vulnerable function status has changed). | IN_USE; NOT_AVAILABLE; NOT_IN_USE |
    | vulnerability.previous.mute.change_date | string (stable) | Timestamp of the vulnerability's previous mute status (in case the mute status has changed). | 2023-03-22T13:19:36.945Z |
    | vulnerability.previous.mute.comment | string (experimental) | Comment of the vulnerability's previous mute status. | Muted because it's a false positive. |
    | vulnerability.previous.mute.reason | string (stable) | Reason for last muting or unmuting the vulnerability (in case the reason for muting or unmuting the vulnerability has changed). | Muted: False positive |
    | vulnerability.previous.mute.status | string (stable) | Vulnerability's previous mute status (in case the mute status has changed). | MUTED; NOT_MUTED |
    | vulnerability.previous.mute.user | string (stable) | User who last changed the vulnerability's mute status (in case the mute status was last changed by a different user). | user@example.com |
    | vulnerability.previous.resolution.status | string (stable) | Vulnerability's previous resolution status (in case the resolution status has changed). | OPEN; RESOLVED |
    | vulnerability.previous.risk.level | string (stable) | Vulnerability's previous risk score level (in case the risk score level has changed). | LOW; MEDIUM; HIGH; CRITICAL |
    | vulnerability.previous.risk.score | double (stable) | Vulnerability's previous risk score (in case the risk score has changed). | 8.1 |
    | vulnerability.previous.tracking_link.text | string (experimental) | Display text of the previous tracking link that was set by the user. | P-1000 Vulnerability CVE-2024-0001 |
    | vulnerability.previous.tracking_link.url | string (experimental) | URL of the previous tracking link that was set by the user. | https://example.com/Project1/P-1000 |
    | vulnerability.references.cve | string[] (stable) | List of the vulnerability's CVE IDs. | [CVE-2021-41079] |
    | vulnerability.references.cwe | string[] (stable) | List of the vulnerability's CWE IDs. | [CWE-20] |
    | vulnerability.references.owasp | string[] (stable) | List of the vulnerability's OWASP IDs. | [2021:A3] |
    | vulnerability.remediation.description | string (experimental) | Description of the vulnerability's remediation advice. | Upgrade component to version 1.2.3 or higher |
    | vulnerability.resolution.change_date | timestamp (stable) | Timestamp of the last resolution status change of the vulnerability at the entity level. | 2023-03-22T13:19:37.466Z |
    | vulnerability.resolution.status | string (stable) | Resolution status of the vulnerability at the entity level. | OPEN; RESOLVED |
    | vulnerability.risk.level | string (stable) | Vulnerability's risk score level defined by the provider at the entity level. For Dynatrace, the Davis Security Score level. | LOW; MEDIUM; HIGH; CRITICAL; NONE |
    | vulnerability.risk.scale | string (stable) | Scale by which the risk score and risk score level defined by the provider for the vulnerability at the entity level are measured. | Davis Security Score |
    | vulnerability.risk.score | double (stable) | Risk score defined by the provider for the vulnerability at the entity level. For Dynatrace, Davis Security Score. | 8.1 |
    | vulnerability.stack | string (experimental) | Level of the vulnerable component in the technological stack. | CODE; CODE_LIBRARY; SOFTWARE; CONTAINER_ORCHESTRATION |
    | vulnerability.technology | string (stable) | Technology of the vulnerable component. | JAVA; DOTNET; GO; PHP; NODE_JS |
    | vulnerability.title | string (stable) | Title of the vulnerability. | Improper Input Validation |
    | vulnerability.tracking_link.text | string (experimental) | Display text of the tracking link that was set by the user. | P-1000 Vulnerability CVE-2024-0001 |
    | vulnerability.tracking_link.url | string (experimental) | URL of the tracking link that was set by the user. | https://example.com/Project1/P-1000 |
    | vulnerability.type | string (stable) | Classification of the vulnerability based on commonly accepted enums, such as CWE. | Improper Input Validation |
    | vulnerability.url | string (stable) | Dynatrace URL to the details page of the vulnerability. | https://example.com |

    Entity change events: Environmental data

    This section contains information about the vulnerability's affected entity and related entities.

    Affected entity

    Attribute
    Type
    Description
    Examples
    affected_entity.affected_processes.ids
    array
    resource stable
    IDs of the processes that are currently affected by the vulnerability.
    PROCESS_GROUP_INSTANCE-1
    affected_entity.affected_processes.names
    array
    resource stable
    Names of the processes that are currently affected by the vulnerability.
    prod_process_group_instance_1
    affected_entity.id
    string
    resource stable
    ID of the affected entity.
    PROCESS_GROUP-1; HOST-1
    affected_entity.management_zones.ids
    array
    resource stable
    IDs of the management zones to which the affected entity belongs.
    mzid1
    affected_entity.management_zones.names
    array
    resource stable
    Names of the management zones to which the affected entity belongs.
    mz1
    affected_entity.name
    string
    resource stable
    Name of the affected entity.
    prod_process_group_1; prod_host
    affected_entity.reachable_data_assets.count
    long
    resource experimental
    Number of reachable data assets.
    1
    affected_entity.reachable_data_assets.ids
    array
    resource experimental
    IDs of the data assets that can be reached by the affected entities of the vulnerability.
    DATABASE-1
    affected_entity.reachable_data_assets.names
    array
    resource experimental
    Names of the data assets that can be reached by the affected entities of the vulnerability.
    prod_database_1
    affected_entity.type
    string
    resource stable
    Type of affected entity.
    PROCESS_GROUP; HOST; KUBERNETES_NODE
    affected_entity.vulnerable_component.id
    string
    resource stable
    ID of the vulnerable component causing the vulnerability.
    SOFTWARE_COMPONENT-D8FCFFB4FDF7A3FF
    affected_entity.vulnerable_component.name
    string
    resource stable
    Name of the vulnerable component causing the vulnerability.
    log4j-core-2.6.2.jar
    affected_entity.vulnerable_component.package_name
    string
    resource experimental
    Package name of the vulnerable component causing the vulnerability.
    k8s.io/kubernetes; github.com/kubernetes/kubernetes/pkg/kubelet/kuberuntime
    affected_entity.vulnerable_component.short_name
    string
    resource stable
    Short name of the vulnerable component causing the vulnerability.
    log4j
    affected_entity.vulnerable_functions
    array
    resource stable
    Vulnerable functions detected, containing or causing the vulnerability.
    org.springframework.beans.CachedIntrospectionResults:init; java.lang.ProcessBuilder.<init>(String[]); (*DB).queryDC() (/usr/local/go/src/database/sql/sql.go)
    affected_entity.vulnerable_functions_not_available
    array
    resource experimental
    Vulnerable functions detected for which Dynatrace can't determine whether they're in use, due to limited insights.
    org.springframework.beans.CachedIntrospectionResults:init; java.lang.ProcessBuilder.<init>(String[]); (*DB).queryDC() (/usr/local/go/src/database/sql/sql.go)
    affected_entity.vulnerable_functions_not_in_use
    array
    resource experimental
    Vulnerable functions detected which are not actively used.
    org.springframework.beans.CachedIntrospectionResults:init; java.lang.ProcessBuilder.<init>(String[]); (*DB).queryDC() (/usr/local/go/src/database/sql/sql.go)

    Related entities

    Attribute
    Type
    Description
    Examples
    related_entities.applications.count
    long
    resource stable
    Number of related applications.
    1
    related_entities.applications.ids
    array
    resource stable
    IDs of the applications related to the vulnerability's affected entities.
    APPLICATION-1
    related_entities.databases.count
    long
    resource stable
    Number of related databases.
    1
    related_entities.databases.ids
    array
    resource stable
    IDs of the databases related to the vulnerability's affected entities.
    DATABASE-1
    related_entities.hosts.count
    long
    resource stable
    Number of related hosts.
    1
    related_entities.hosts.ids
    array
    resource stable
    IDs of the hosts related to the vulnerability's affected entities.
    HOST-1
    related_entities.kubernetes_clusters.count
    long
    resource stable
    Number of related Kubernetes clusters.
    1
    related_entities.kubernetes_clusters.ids
    array
    resource stable
    IDs of the Kubernetes clusters related to the vulnerability's affected entities.
    KUBERNETES_CLUSTER-1
    related_entities.kubernetes_workloads.count
    long
    resource stable
    Number of related Kubernetes workloads.
    1
    related_entities.kubernetes_workloads.ids
    array
    resource stable
    IDs of the Kubernetes workloads related to the vulnerability's affected entities.
    KUBERNETES_WORKLOAD-1
    related_entities.services.count
    long
    resource stable
    Number of related services.
    1
    related_entities.services.ids
    array
    resource stable
    IDs of the services related to the vulnerability's affected entities.
    SERVICE-1

    Entity state events

    Entity state events are historical vulnerability states reported at the entity level. The current vulnerability state per entity is exported to Grail regularly.

    Query

    Query entity state events.

    fetch security.events
    | filter event.category == "VULNERABILITY_MANAGEMENT"
    | filter event.type == "VULNERABILITY_STATE_REPORT_EVENT"
    | filter event.level == "ENTITY"

    Entity state: Event data

    This section contains general event information.

    Attribute
    Type
    Description
    Examples
    event.category
    string
    stable
    Categorization based on the product and data generating this event.
    VULNERABILITY_MANAGEMENT
    event.description
    string
    stable
    Human-readable description of an event.
    S-49 Remote Code Execution state event reported
    event.group_label
    string
    experimental
    Group label of an event.
    STATE_REPORT
    event.kind
    string
    stable
    Gives high-level information about what kind of information the event contains without being specific about the contents of the event. It helps to determine the record type of a raw event.
    Tags: permission
    SECURITY_EVENT
    event.level
    string
    resource stable
    Main reference point to which the event or data is related. Possible values are Vulnerability (shows the global aggregation across the entire environment and comprises all entities and management zones) and Entity (shows the assessment based on the entity itself).
    ENTITY
    event.name
    string
    stable
    The human-readable display name of an event type.
    Vulnerability historical state report event
    event.provider
    string
    stable
    Source of the event, for example, the name of the component or system that generated the event.
    Tags: permission
    OneAgent; K8S; Davis; VMWare; GCP; AWS; LIMA_USAGE_STREAM
    event.provider_product
    string
    resource stable
    Name of the product providing this event.
    Runtime Vulnerability Analytics; Snyk Container
    event.status
    string
    stable
    Status of an event as being either Active or Closed.
    OPEN; RESOLVED; MUTED
    event.type
    string
    stable
    The unique type identifier of a given event.
    Tags: permission
    VULNERABILITY_STATE_REPORT_EVENT
    timestamp
    timestamp
    stable
    The time (UNIX Epoch time in nanoseconds) when the event originated, typically when it was created by the source.
    1649822520123123123

    Entity state: Vulnerability data

    This section contains information about the vulnerability at the entity level and its global vulnerability, with a focus on the affected entities.

    Attribute
    Type
    Description
    Examples
    entry_points.entry_point_jsons
    string[]
    resource experimental
    JSON representation of entry points of a vulnerability.
    [{ "entry_point.url.path": "/user/2/bio", "entry_point.payload": "UPDATE bio SET bio_text = '' WHERE 1 = 0; TRUNCATE TABLE bio; --' WHERE user_id = 2", "entry_point.user_controlled_inputs_json": [{ "user_controlled_input.type": "HTTP_PARAMETER_VALUE", "user_controlled_input.key": "username", "user_controlled_input.value": "' OR 100=100 -- 0'", "user_controlled_input.payload.start": "56", "user_controlled_input.payload.end": "73", "user_controlled_input.is_malicious": true}]}]
    vulnerability.code_location.name
    string
    stable
    Name of the code location where the code-level vulnerability was detected.
    org.dynatrace.profileservice.BioController.markdownToHtml(String):80
    vulnerability.cvss.base_score
    double
    stable
    Vulnerability's CVSS base score provided by NVD.
    8.1
    vulnerability.cvss.vector
    string
    experimental
    Vulnerability's CVSS vector defined by the provider.
    CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:L/SI:L/SA:L; CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:L/A:H/E:P/RL:T/RC:U/CR:L/IR:M/AR:H
    vulnerability.cvss.version
    string
    stable
    Vulnerability's CVSS score version.
    3.1; 4.0
    vulnerability.davis_assessment.assessment_mode
    string
    stable
    Availability of the information based on which the assessment of the vulnerability at the entity level has been done.
    FULL; NOT_AVAILABLE; REDUCED
    vulnerability.davis_assessment.assessment_mode_reasons
    string[]
    experimental
    Reasons for the assessment mode at the entity level.
    [LIMITED_BY_CONFIGURATION, LIMITED_AGENT_SUPPORT]
    vulnerability.davis_assessment.data_assets_status
    string
    stable
    Affected entity's reachability by a database.
    NOT_AVAILABLE; NOT_DETECTED; REACHABLE
    vulnerability.davis_assessment.exploit_status
    string
    stable
    Public exploits status of the vulnerability at the entity level.
    AVAILABLE; NOT_AVAILABLE
    vulnerability.davis_assessment.exposure_status
    string
    stable
    Internet exposure status of the vulnerability at the entity level.
    NOT_AVAILABLE; NOT_DETECTED; PUBLIC_NETWORK; ADJACENT_NETWORK
    vulnerability.davis_assessment.level
    string
    stable
    Risk level, based on Davis Security Score, of the vulnerability at the entity level.
    LOW; MEDIUM; HIGH; CRITICAL; NONE
    vulnerability.davis_assessment.score
    double
    stable
    Davis Security Score (1-10) calculated by Dynatrace for the vulnerability at the entity level.
    8.1
    vulnerability.davis_assessment.vector
    string
    experimental
    Vulnerability's CVSS vector, adjusted with observability data; this vector is calculated by Dynatrace.
    CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:L/SI:L/SA:L; CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:L/A:H/E:P/RL:T/RC:U/CR:L/IR:M/AR:H
    vulnerability.davis_assessment.vulnerable_function_status
    string
    stable
    Usage status of the vulnerable functions causing the vulnerability at the entity level.
    IN_USE; NOT_AVAILABLE; NOT_IN_USE
    vulnerability.description
    string
    stable
    Description of the vulnerability.
    More detailed description about improper input validation vulnerability.
    vulnerability.display_id
    string
    stable
    Dynatrace user-readable identifier for the vulnerability.
    S-1234
    vulnerability.external_id
    string
    stable
    External provider's unique identifier for the vulnerability.
    SNYK-JAVA-ORGAPACHEHTTPCOMPONENTS-30646
    vulnerability.external_url
    string
    stable
    External provider's URL to the details page of the vulnerability.
    https://example.com
    vulnerability.id
    string
    stable
    Dynatrace unique identifier for the vulnerability.
    2039861408676243188
    vulnerability.is_fix_available
    boolean
    experimental
    Indicates if a vulnerability fix is available.
    vulnerability.mute.change_date
    timestamp
    stable
    Timestamp of the last mute or unmute action of the vulnerability at the entity level.
    2023-03-22T13:19:36.945Z
    vulnerability.mute.comment
    string
    experimental
    Comment for muting or unmuting the vulnerability at entity level.
    Muted because it's a false positive.
    vulnerability.mute.reason
    string
    stable
    Reason for muting or unmuting the vulnerability at the entity level.
    FALSE_POSITIVE; IGNORE; AFFECTED; CONFIGURATION_NOT_AFFECTED; OTHER
    vulnerability.mute.status
    string
    stable
    Mute status of the vulnerability at the entity level.
    MUTED; NOT_MUTED
    vulnerability.mute.user
    string
    stable
    User who last changed the mute status of the vulnerability at the entity level.
    user@example.com
    vulnerability.parent.davis_assessment.assessment_mode
    string
    stable
    Availability of the information based on which the vulnerability assessment has been done.
    FULL; NOT_AVAILABLE; REDUCED
    vulnerability.parent.davis_assessment.data_assets_status
    string
    stable
    Vulnerability's reachability of related data assets by affected entities.
    NOT_AVAILABLE; NOT_DETECTED; REACHABLE
    vulnerability.parent.davis_assessment.exposure_status
    string
    stable
    Vulnerability's internet exposure status.
    NOT_AVAILABLE; NOT_DETECTED; PUBLIC_NETWORK; ADJACENT_NETWORK
    vulnerability.parent.davis_assessment.level
    string
    stable
    Vulnerability's Davis Security Score level.
    LOW; MEDIUM; HIGH; CRITICAL; NONE
    vulnerability.parent.davis_assessment.score
    double
    stable
    Vulnerability's Davis Security Score (1-10) calculated by Dynatrace.
    8.1
    vulnerability.parent.davis_assessment.vulnerable_function_status
    string
    stable
    Usage status of vulnerable functions causing the vulnerability. Status is IN_USE when there's at least one vulnerable function in use by an application.
    IN_USE; NOT_AVAILABLE; NOT_IN_USE
    vulnerability.parent.first_seen
    string
    stable
    Timestamp of when the vulnerability was first detected.
    2023-03-22T13:19:36.945Z
    vulnerability.parent.mute.change_date
    timestamp
    stable
    Timestamp of the last mute or unmute action of the vulnerability.
    2023-03-22T13:19:36.945Z
    vulnerability.parent.mute.reason
    string
    stable
    Reason for muting or unmuting the vulnerability.
    FALSE_POSITIVE; IGNORE; AFFECTED; CONFIGURATION_NOT_AFFECTED; OTHER
    vulnerability.parent.mute.status
    string
    stable
    Vulnerability's mute status.
    MUTED; NOT_MUTED
    vulnerability.parent.mute.user
    string
    stable
    User who last changed the vulnerability's mute status.
    user@example.com
    vulnerability.parent.resolution.change_date
    string
    stable
    Timestamp of the vulnerability's last resolution status change.
    2023-03-22T13:19:37.466Z
    vulnerability.parent.resolution.status
    string
    stable
    Current status of the vulnerability.
    OPEN; RESOLVED
    vulnerability.parent.risk.level
    string
    stable
    Vulnerability's risk score level defined by the provider. For Dynatrace, the Davis Security Score level.
    LOW; MEDIUM; HIGH; CRITICAL; NONE
    vulnerability.parent.risk.score
    double
    stable
    Vulnerability's risk score defined by the provider. For Dynatrace, Davis Security Score.
    8.1
    vulnerability.references.cve
    string[]
    stable
    List of the vulnerability's CVE IDs.
    [CVE-2021-41079]
    vulnerability.references.cwe
    string[]
    stable
    List of the vulnerability's CWE IDs.
    [CWE-20]
    vulnerability.references.owasp
    string[]
    stable
    List of the vulnerability's OWASP IDs.
    [2021:A3]
    vulnerability.remediation.description
    string
    experimental
    Description of the vulnerability's remediation advice.
    Upgrade component to version 1.2.3 or higher
    vulnerability.resolution.change_date
    timestamp
    stable
    Timestamp of the last status change of the vulnerability at the entity level.
    2023-03-22T13:19:37.466Z
    vulnerability.resolution.status
    string
    stable
    Resolution status of the vulnerability at the entity level.
    OPEN; RESOLVED
    vulnerability.risk.level
    string
    stable
    Vulnerability's risk score level defined by the provider at the entity level. For Dynatrace, the Davis Security Score level.
    LOW; MEDIUM; HIGH; CRITICAL; NONE
    vulnerability.risk.scale
    string
    stable
    Scale by which the risk score and risk score level defined by the provider for the vulnerability at the entity level are measured.
    Davis Security Score
    vulnerability.risk.score
    double
    stable
    Risk score defined by the provider for the vulnerability at the entity level. For Dynatrace, Davis Security Score.
    8.1
    vulnerability.stack
    string
    experimental
    Level of the vulnerable component in the technological stack.
    CODE; CODE_LIBRARY; SOFTWARE; CONTAINER_ORCHESTRATION
    vulnerability.technology
    string
    stable
    Technology of the vulnerable component.
    JAVA; DOTNET; GO; PHP; NODE_JS
    vulnerability.title
    string
    stable
    Title of the vulnerability.
    Improper Input Validation
    vulnerability.tracking_link.text
    string
    experimental
    Display text of the tracking link that was set by the user.
    P-1000 Vulnerability CVE-2024-0001
    vulnerability.tracking_link.url
    string
    experimental
    URL of the tracking link that was set by the user.
    https://example.com/Project1/P-1000
    vulnerability.type
    string
    stable
    Classification of the vulnerability based on commonly accepted enums, such as CWE.
    Improper Input Validation
    vulnerability.url
    string
    stable
    Dynatrace URL to the details page of the vulnerability.
    https://example.com

    Entity state: Environmental data

    This section contains information about the vulnerability's affected and related entities.

    Affected entities

    Attribute
    Type
    Description
    Examples
    affected_entity.affected_processes.ids
    array
    resource stable
    IDs of the processes that are currently affected by the vulnerability.
    PROCESS_GROUP_INSTANCE-1
    affected_entity.affected_processes.names
    array
    resource stable
    Names of the processes that are currently affected by the vulnerability.
    prod_process_group_instance_1
    affected_entity.id
    string
    resource stable
    ID of the affected entity.
    PROCESS_GROUP-1; HOST-1
    affected_entity.management_zones.ids
    array
    resource stable
    IDs of the management zones to which the affected entity belongs.
    mzid1
    affected_entity.management_zones.names
    array
    resource stable
    Names of the management zones to which the affected entity belongs.
    mz1
    affected_entity.name
    string
    resource stable
    Name of the affected entity.
    prod_process_group_1; prod_host
    affected_entity.reachable_data_assets.count
    long
    resource experimental
    Number of reachable data assets.
    1
    affected_entity.reachable_data_assets.ids
    array
    resource experimental
    IDs of the data assets that can be reached by the affected entities of the vulnerability.
    DATABASE-1
    affected_entity.reachable_data_assets.names
    array
    resource experimental
    Names of the data assets that can be reached by the affected entities of the vulnerability.
    prod_database_1
    affected_entity.type
    string
    resource stable
    Type of affected entity.
    PROCESS_GROUP; HOST; KUBERNETES_NODE
    affected_entity.vulnerable_component.id
    string
    resource stable
    ID of the vulnerable component causing the vulnerability.
    SOFTWARE_COMPONENT-D8FCFFB4FDF7A3FF
    affected_entity.vulnerable_component.name
    string
    resource stable
    Name of the vulnerable component causing the vulnerability.
    log4j-core-2.6.2.jar
    affected_entity.vulnerable_component.package_name
    string
    resource experimental
    Package name of the vulnerable component causing the vulnerability.
    k8s.io/kubernetes; github.com/kubernetes/kubernetes/pkg/kubelet/kuberuntime
    affected_entity.vulnerable_component.short_name
    string
    resource stable
    Short name of the vulnerable component causing the vulnerability.
    log4j
    affected_entity.vulnerable_functions
    array
    resource stable
    Vulnerable functions detected, containing or causing the vulnerability.
    org.springframework.beans.CachedIntrospectionResults:init; java.lang.ProcessBuilder.<init>(String[]); (*DB).queryDC() (/usr/local/go/src/database/sql/sql.go)
    affected_entity.vulnerable_functions_not_available
    array
    resource experimental
    Vulnerable functions detected for which Dynatrace can't determine whether they're in use, due to limited insights.
    org.springframework.beans.CachedIntrospectionResults:init; java.lang.ProcessBuilder.<init>(String[]); (*DB).queryDC() (/usr/local/go/src/database/sql/sql.go)
    affected_entity.vulnerable_functions_not_in_use
    array
    resource experimental
    Vulnerable functions detected which are not actively used.
    org.springframework.beans.CachedIntrospectionResults:init; java.lang.ProcessBuilder.<init>(String[]); (*DB).queryDC() (/usr/local/go/src/database/sql/sql.go)

    Related entities

    Attribute
    Type
    Description
    Examples
    related_entities.applications.count
    long
    resource stable
    Number of related applications.
    1
    related_entities.applications.ids
    array
    resource stable
    IDs of the applications related to the vulnerability's affected entities.
    APPLICATION-1
    related_entities.applications.names
    array
    resource stable
    Names of the applications related to the vulnerability's affected entities.
    prod_application_1
    related_entities.databases.count
    long
    resource stable
    Number of related databases.
    1
    related_entities.databases.ids
    array
    resource stable
    IDs of the databases related to the vulnerability's affected entities.
    DATABASE-1
    related_entities.databases.names
    array
    resource stable
    Names of the databases related to the vulnerability's affected entities.
    prod_database_1
    related_entities.hosts.count
    long
    resource stable
    Number of related hosts.
    1
    related_entities.hosts.ids
    array
    resource stable
    IDs of the hosts related to the vulnerability's affected entities.
    HOST-1
    related_entities.hosts.names
    array
    resource stable
    Names of the hosts related to the vulnerability's affected entities.
    prod_host_1
    related_entities.kubernetes_clusters.count
    long
    resource stable
    Number of related Kubernetes clusters.
    1
    related_entities.kubernetes_clusters.ids
    array
    resource stable
    IDs of the Kubernetes clusters related to the vulnerability's affected entities.
    KUBERNETES_CLUSTER-1
    related_entities.kubernetes_clusters.names
    array
    resource stable
    Names of the Kubernetes clusters related to the vulnerability's affected entities.
    prod_kubernetes_cluster_1
    related_entities.kubernetes_workloads.count
    long
    resource stable
    Number of related Kubernetes workloads.
    1
    related_entities.kubernetes_workloads.ids
    array
    resource stable
    IDs of the Kubernetes workloads related to the vulnerability's affected entities.
    KUBERNETES_WORKLOAD-1
    related_entities.kubernetes_workloads.names
    array
    resource stable
    Names of the Kubernetes workloads related to the vulnerability's affected entities.
    prod_kubernetes_workload_1
    related_entities.services.count
    long
    resource stable
    Number of related services.
    1
    related_entities.services.ids
    array
    resource stable
    IDs of the services related to the vulnerability's affected entities.
    SERVICE-1
    related_entities.services.names
    array
    resource stable
    Names of the services related to the vulnerability's affected entities.
    prod_service_1
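
    The following Python sketch is an added example, not Dynatrace code: it triages entity state records already fetched with the query above, keeping only the newest report per vulnerability and entity (state reports are exported regularly) and ranking open, unmuted findings by their Davis assessment attributes. The records are constructed sample data, the helper names are hypothetical, and reading NOT_AVAILABLE on the exposure, function and data-asset statuses as "no data" rather than "not at risk" is an assumption of this example.

```python
# Added example (not Dynatrace code). Records below are constructed sample data
# that use the attribute names documented in the entity state tables.

ASSESS = "vulnerability.davis_assessment."

# Value of each assessment attribute that raises priority.
RISKY = {
    "exposure_status": "PUBLIC_NETWORK",
    "vulnerable_function_status": "IN_USE",
    "data_assets_status": "REACHABLE",
    "exploit_status": "AVAILABLE",
}
# Value used by make_event() when a sample record does not set the attribute.
QUIET = {
    "exposure_status": "NOT_DETECTED",
    "vulnerable_function_status": "NOT_IN_USE",
    "data_assets_status": "NOT_DETECTED",
    "exploit_status": "NOT_AVAILABLE",
}
# Assumption: for these three, NOT_AVAILABLE means "could not be assessed".
NO_DATA_POSSIBLE = ("exposure_status", "vulnerable_function_status", "data_assets_status")


def make_event(vuln_id, display_id, entity_id, ts, status="OPEN",
               mute="NOT_MUTED", score=0.0, mode="FULL", **assessment):
    """Build one constructed entity state report record with flat dotted keys."""
    ev = {
        "event.kind": "SECURITY_EVENT",
        "event.type": "VULNERABILITY_STATE_REPORT_EVENT",
        "event.level": "ENTITY",
        "timestamp": ts,
        "vulnerability.id": vuln_id,
        "vulnerability.display_id": display_id,
        "affected_entity.id": entity_id,
        "vulnerability.resolution.status": status,
        "vulnerability.mute.status": mute,
        ASSESS + "score": score,
        ASSESS + "assessment_mode": mode,
    }
    for name, quiet in QUIET.items():
        ev[ASSESS + name] = assessment.get(name, quiet)
    return ev


def latest_state_per_entity(events):
    """Keep the newest state report per (vulnerability.id, affected_entity.id)."""
    latest = {}
    for ev in events:
        if (ev.get("event.type") != "VULNERABILITY_STATE_REPORT_EVENT"
                or ev.get("event.level") != "ENTITY"):
            continue
        key = (ev["vulnerability.id"], ev["affected_entity.id"])
        if key not in latest or ev["timestamp"] > latest[key]["timestamp"]:
            latest[key] = ev
    return list(latest.values())


def triage(events):
    """Rank open, unmuted entity-level findings by number of risk signals, then score."""
    rows = []
    for ev in latest_state_per_entity(events):
        if ev.get("vulnerability.resolution.status") != "OPEN":
            continue
        if ev.get("vulnerability.mute.status") == "MUTED":
            continue
        signals = [n for n, risky in RISKY.items() if ev.get(ASSESS + n) == risky]
        # A missing attribute is treated like NOT_AVAILABLE: unknown, not safe.
        unknown = [n for n in NO_DATA_POSSIBLE
                   if ev.get(ASSESS + n, "NOT_AVAILABLE") == "NOT_AVAILABLE"]
        rows.append({
            "display_id": ev["vulnerability.display_id"],
            "entity": ev["affected_entity.id"],
            "score": ev[ASSESS + "score"],
            "assessment_mode": ev[ASSESS + "assessment_mode"],
            "signals": signals,
            "unknown": unknown,
        })
    rows.sort(key=lambda r: (-len(r["signals"]), -r["score"]))
    return rows


T0 = 1649822520123123123  # nanoseconds since epoch, as in the timestamp attribute

SAMPLE_EVENTS = [  # constructed; IDs and scores are illustrative
    make_event("1001", "S-1234", "PROCESS_GROUP-1", T0, score=8.1),
    make_event("1001", "S-1234", "PROCESS_GROUP-1", T0 + 2, score=9.4,
               exposure_status="PUBLIC_NETWORK", vulnerable_function_status="IN_USE",
               data_assets_status="REACHABLE", exploit_status="AVAILABLE"),
    make_event("1001", "S-1234", "HOST-1", T0 + 2, mute="MUTED", score=9.4,
               exposure_status="PUBLIC_NETWORK"),
    make_event("1002", "S-49", "PROCESS_GROUP-2", T0 + 1, score=7.0, mode="REDUCED",
               exposure_status="NOT_AVAILABLE",
               vulnerable_function_status="NOT_AVAILABLE", exploit_status="AVAILABLE"),
    make_event("1003", "S-77", "HOST-2", T0, score=9.9,
               exposure_status="PUBLIC_NETWORK"),
    make_event("1003", "S-77", "HOST-2", T0 + 3, status="RESOLVED", score=9.9),
]

if __name__ == "__main__":
    for row in triage(SAMPLE_EVENTS):
        print(row)
```

    Rows with a non-empty unknown list, or an assessment mode other than FULL, should be reviewed rather than deprioritized, because the missing signals could not be evaluated.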

    Vulnerability change events

    Vulnerability change events are change events at the vulnerability level. An event is generated whenever a vulnerability undergoes a status or assessment change.

    Query

    Query vulnerability status change events.

    fetch security.events
    | filter event.category == "VULNERABILITY_MANAGEMENT"
    | filter event.type == "VULNERABILITY_STATUS_CHANGE_EVENT"

    Query vulnerability assessment change events.

    fetch security.events
    | filter event.category == "VULNERABILITY_MANAGEMENT"
    | filter event.type == "VULNERABILITY_ASSESSMENT_CHANGE_EVENT"

    Vulnerability state: Event data

    This section contains general event information.

    Attribute
    Type
    Description
    Examples
    event.category
    string
    stable
    Standard categorization based on the significance of an event according to the ITIL event management standard (previously known as severity level).
    VULNERABILITY_MANAGEMENT
    event.change_list
    array
    resource stable
    List of attributes updated as part of the change event. Values in the list match a previous field.
    vulnerability.risk.score; affected_entities.count; related_entities.databases.count
    event.description
    string
    stable
    Human-readable description of an event.
    S-49 Remote Code Execution status has changed to OPEN.; S-49 Remote Code Execution assessment has changed.
    event.group_label
    string
    experimental
    Group label of an event.
    CHANGE_EVENT
    event.kind
    string
    stable
    Gives high-level information about what kind of information the event contains without being specific about the contents of the event. It helps to determine the record type of a raw event.
    Tags: permission
    SECURITY_EVENT
    event.level
    string
    resource stable
    Main reference point to which the event or data is related. Possible values are Vulnerability (shows the global aggregation across the entire environment and comprises all entities and management zones) and Entity (shows the assessment based on the entity itself).
    VULNERABILITY
    event.name
    string
    stable
    The human-readable display name of an event type.
    Vulnerability status change event; Vulnerability assessment change event
    event.provider
    string
    stable
    Source of the event, for example, the name of the component or system that generated the event.
    Tags: permission
    Dynatrace
    event.provider_product
    string
    resource stable
    Name of the product providing this event.
    Runtime Vulnerability Analytics; Snyk Container
    event.status
    string
    stable
    Status of an event as being either Active or Closed.
    OPEN; RESOLVED; MUTED
    event.status_transition
    string
    experimental
    An enum that shows the transition of the above event state.
    NEW_OPEN; REOPEN; CLOSE; MUTE; UNMUTE
    event.trigger.type
    string
    resource stable
    Type of event trigger (for example, whether it was generated by the system, ingested via API, or triggered by the user).
    DT_PLATFORM; USER_ACTION
    event.trigger.user
    string
    resource stable
    ID of the user who triggered the event. If generated by Dynatrace, the value is SYSTEM.
    SYSTEM; <user_id>
    event.type
    string
    stable
    The unique type identifier of a given event.
    Tags: permission
    VULNERABILITY_STATUS_CHANGE_EVENT; VULNERABILITY_ASSESSMENT_CHANGE_EVENT
    timestamp
    timestamp
    stable
    The time (UNIX Epoch time in nanoseconds) when the event originated, typically when it was created by the source.
    1649822520123123123

    Vulnerability state: Vulnerability data

    This section contains information about the vulnerability and its status and assessment changes.

    Attribute
    Type
    Description
    Examples
    vulnerability.cvss.base_score
    double
    stable
    Vulnerability's CVSS base score provided by NVD.
    8.1
    vulnerability.cvss.vector
    string
    experimental
    Vulnerability's CVSS vector defined by the provider.
    CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:L/SI:L/SA:L; CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:L/A:H/E:P/RL:T/RC:U/CR:L/IR:M/AR:H
    vulnerability.cvss.version
    string
    stable
    Vulnerability's CVSS score version.
    3.1; 4.0
    vulnerability.davis_assessment.assessment_mode
    string
    stable
    Availability of the information based on which the vulnerability assessment has been done.
    FULL; NOT_AVAILABLE; REDUCED
    vulnerability.davis_assessment.assessment_mode_reasons
    string[]
    experimental
    Reasons for the assessment mode.
    [LIMITED_BY_CONFIGURATION, LIMITED_AGENT_SUPPORT]
    vulnerability.davis_assessment.data_assets_status
    string
    stable
    Vulnerability's reachability of related data assets by affected entities.
    NOT_AVAILABLE; NOT_DETECTED; REACHABLE
    vulnerability.davis_assessment.exploit_status
    string
    stable
    Vulnerability's public exploits status.
    AVAILABLE; NOT_AVAILABLE
    vulnerability.davis_assessment.exposure_status
    string
    stable
    Vulnerability's internet exposure status.
    NOT_AVAILABLE; NOT_DETECTED; PUBLIC_NETWORK; ADJACENT_NETWORK
    vulnerability.davis_assessment.level
    string
    stable
    Vulnerability's risk level based on Davis Security Score.
    LOW; MEDIUM; HIGH; CRITICAL; NONE
    vulnerability.davis_assessment.score
    double
    stable
    Vulnerability's Davis Security Score (1-10) calculated by Dynatrace.
    8.1
    vulnerability.davis_assessment.vulnerable_function_status
    string
    stable
    Usage status of the vulnerable functions causing the vulnerability.
    IN_USE; NOT_AVAILABLE; NOT_IN_USE
    vulnerability.description
    string
    stable
    Description of the vulnerability.
    More detailed description about improper input validation vulnerability.
    vulnerability.display_id
    string
    stable
    Dynatrace user-readable identifier for the vulnerability.
    S-1234
    vulnerability.external_id
    string
    stable
    External provider's unique identifier for the vulnerability.
    SNYK-JAVA-ORGAPACHEHTTPCOMPONENTS-30646
    vulnerability.external_url
    string
    stable
    External provider's URL to the details page of the vulnerability.
    https://example.com
    vulnerability.first_seen
    timestamp
    stable
    Timestamp of when the vulnerability was first detected.
    2023-03-22T13:19:36.945Z
    vulnerability.id
    string
    stable
    Dynatrace unique identifier for the vulnerability.
    2039861408676243188
    vulnerability.is_fix_available
    boolean
    experimental
    Indicates if a vulnerability fix is available.
    vulnerability.mute.change_date
    timestamp
    stable
    Timestamp of the vulnerability's last mute or unmute action.
    2023-03-22T13:19:36.945Z
    vulnerability.mute.reason
    string
    stable
    Reason for muting or unmuting the vulnerability.
    FALSE_POSITIVE; IGNORE; AFFECTED; CONFIGURATION_NOT_AFFECTED; OTHER
    vulnerability.mute.status
    string
    stable
    Vulnerability's mute status.
    MUTED; NOT_MUTED
    vulnerability.mute.user
    string
    stable
    User who last changed the vulnerability's mute status.
    user@example.com
    vulnerability.previous.cvss.base_score
    double
    stable
    Vulnerability's previous CVSS base score (in case the CVSS base score has changed).
    8.1
    vulnerability.previous.cvss.vector
    string
    experimental
    Vulnerability's previous CVSS vector defined by the provider (in case the CVSS vector has changed).
    CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:L/SI:L/SA:L; CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:L/A:H/E:P/RL:T/RC:U/CR:L/IR:M/AR:H
    vulnerability.previous.davis_assessment.data_assets_status
    string
    stable
    Vulnerability's previous reachability of related data assets by affected entities (in case the reachability has changed).
    NOT_AVAILABLE; NOT_DETECTED; REACHABLE
    vulnerability.previous.davis_assessment.exploit_status
    string
    stable
    Vulnerability's previous public exploit status (in case the public exploit status has changed).
    AVAILABLE; NOT_AVAILABLE
    vulnerability.previous.davis_assessment.exposure_status
    string
    stable
    Vulnerability's previous internet exposure status (in case the internet exposure status has changed).
    NOT_AVAILABLE; NOT_DETECTED; PUBLIC_NETWORK; ADJACENT_NETWORK
    vulnerability.previous.davis_assessment.level
    string
    stable
    Vulnerability's previous risk level (in case the risk level has changed).
    LOW; MEDIUM; HIGH; CRITICAL; NONE
    vulnerability.previous.davis_assessment.score
    double
    stable
    Vulnerability's previous Davis Security Score (in case Davis Security Score has changed).
    8.1
    vulnerability.previous.davis_assessment.vulnerable_function_status
    string
    stable
    Vulnerability's previous vulnerable function status (in case the vulnerable function status has changed).
    IN_USE; NOT_AVAILABLE; NOT_IN_USE
    vulnerability.previous.mute.change_date
    string
    stable
    Timestamp of the vulnerability's previous mute status (in case the mute status has changed).
    2023-03-22T13:19:36.945Z
    vulnerability.previous.mute.reason
    string
    stable
    Reason for last muting or unmuting the vulnerability (in case the reason for muting or unmuting the vulnerability has changed).
    Muted: False positive
    vulnerability.previous.mute.status
    string
    stable
    Vulnerability's previous mute status (in case the mute status has changed).
    MUTED; NOT_MUTED
    vulnerability.previous.mute.user
    string
    stable
    User who last changed the vulnerability's mute status (in case the mute status was last changed by a different user).
    user@example.com
    vulnerability.previous.resolution.status
    string
    stable
    Vulnerability's previous resolution status (in case the resolution status has changed).
    OPEN; RESOLVED
    vulnerability.previous.risk.level
    string
    stable
    Vulnerability's previous risk score level (in case the risk score level has changed).
    LOW; MEDIUM; HIGH; CRITICAL
    vulnerability.previous.risk.score
    double
    stable
    Vulnerability's previous risk score (in case the risk score has changed).
    8.1
    vulnerability.references.cve
    string[]
    stable
    List of the vulnerability's CVE IDs.
    [CVE-2021-41079]
    vulnerability.references.cwe
    string[]
    stable
    List of the vulnerability's CWE IDs.
    [CWE-20]
    vulnerability.references.owasp
    string[]
    stable
    List of the vulnerability's OWASP IDs.
    [2021:A3]
    vulnerability.remediation.description
    string
    experimental
    Description of the vulnerability's remediation advice.
    Upgrade component to version 1.2.3 or higher
    vulnerability.resolution.change_date
    timestamp
    stable
    Timestamp of the vulnerability's last resolution status change.
    2023-03-22T13:19:37.466Z
    vulnerability.resolution.status
    string
    stable
    Vulnerability's resolution status.
    OPEN; RESOLVED
    vulnerability.risk.level
    string
    stable
    Vulnerability's risk score level defined by the provider. For Dynatrace, the Davis Security Score level.
    LOW; MEDIUM; HIGH; CRITICAL; NONE
    vulnerability.risk.scale
    string
    stable
    Scale by which the vulnerability's risk score and risk score level defined by the provider are measured.
    Davis Security Score
    vulnerability.risk.score
    double
    stable
    Vulnerability's risk score defined by the provider. For Dynatrace, Davis Security Score.
    8.1
    vulnerability.stack
    string
    experimental
    Level of the vulnerable component in the technological stack.
    CODE; CODE_LIBRARY; SOFTWARE; CONTAINER_ORCHESTRATION
    vulnerability.technology
    string
    stable
    Technology of the vulnerable component.
    JAVA; DOTNET; GO; PHP; NODE_JS
    vulnerability.title
    string
    stable
    Title of the vulnerability.
    Improper Input Validation
    vulnerability.type
    string
    stable
    Classification of the vulnerability based on commonly accepted enums, such as CWE.
    Improper Input Validation
    vulnerability.url
    string
    stable
    Dynatrace URL to the details page of the vulnerability.
    https://example.com
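
    The vulnerability.previous.* attributes above are populated only when the matching current attribute changed, so a consumer can derive what changed from a single event. The following is an added example, not Dynatrace code: it assumes the event arrives as a flat dictionary keyed by the dotted attribute names, and the sample event is constructed.

```python
# Added example: triage one Dynatrace vulnerability change event.
# Assumption: the event is a flat dict keyed by the dotted attribute names.

PREV = "vulnerability.previous."
LEVEL_RANK = {"NONE": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Status values that mean the situation got worse when a field moves to them.
WORSENED_TO = {
    "vulnerability.davis_assessment.exploit_status": "AVAILABLE",
    "vulnerability.davis_assessment.exposure_status": "PUBLIC_NETWORK",
    "vulnerability.davis_assessment.vulnerable_function_status": "IN_USE",
    "vulnerability.davis_assessment.data_assets_status": "REACHABLE",
    "vulnerability.resolution.status": "OPEN",
}


def changed_fields(event):
    """Map each current attribute name to (previous, current) where it changed.

    The presence of a vulnerability.previous.* attribute is the change signal.
    """
    changes = {}
    for key, previous in event.items():
        if key.startswith(PREV) and previous is not None:
            current_key = "vulnerability." + key[len(PREV):]
            current = event.get(current_key)
            if current != previous:
                changes[current_key] = (previous, current)
    return changes


def triage(event):
    """Return the changes in one event that deserve an analyst's review."""
    changes = changed_fields(event)
    findings = []
    for field in ("vulnerability.davis_assessment.level", "vulnerability.risk.level"):
        before, after = changes.get(field, (None, None))
        if (before in LEVEL_RANK and after in LEVEL_RANK
                and LEVEL_RANK[after] > LEVEL_RANK[before]):
            findings.append(f"risk raised: {field} {before} -> {after}")
    for field, bad in WORSENED_TO.items():
        if field in changes and changes[field][1] == bad:
            findings.append(f"worsened: {field} {changes[field][0]} -> {bad}")
    # Muting hides a vulnerability from the backlog; review it when risk is high.
    if changes.get("vulnerability.mute.status", (None, None))[1] == "MUTED":
        level = event.get("vulnerability.risk.level")
        if LEVEL_RANK.get(level, 0) >= LEVEL_RANK["HIGH"]:
            user = event.get("vulnerability.mute.user", "unknown")
            reason = event.get("vulnerability.mute.reason", "no reason given")
            findings.append(f"high-risk vulnerability muted by {user}: {reason}")
    return findings


# Constructed sample event (values are illustrative, not real data).
SAMPLE_EVENT = {
    "event.kind": "SECURITY_EVENT",
    "vulnerability.title": "Improper Input Validation",
    "vulnerability.references.cve": ["CVE-2021-41079"],
    "vulnerability.risk.level": "CRITICAL",
    "vulnerability.previous.risk.level": "MEDIUM",
    "vulnerability.risk.score": 9.1,
    "vulnerability.previous.risk.score": 6.4,
    "vulnerability.davis_assessment.exposure_status": "PUBLIC_NETWORK",
    "vulnerability.previous.davis_assessment.exposure_status": "NOT_DETECTED",
    "vulnerability.mute.status": "MUTED",
    "vulnerability.previous.mute.status": "NOT_MUTED",
    "vulnerability.mute.user": "user@example.com",
    "vulnerability.mute.reason": "Muted: False positive",
}

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENT):
        print(finding)
```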

    Vulnerability change: Environmental data

    Affected entities

    This section contains information on changes to the vulnerability's affected entities.

    Attribute
    Type
    Description
    Examples
    affected_entities.count
    long
    resource stable
    Number of affected entities.
    1
    affected_entities.hosts.count
    long
    resource stable
    Number of affected hosts.
    2
    affected_entities.kubernetes_nodes.count
    long
    resource stable
    Number of affected nodes.
    2
    affected_entities.previous.count
    long
    resource deprecated
    Number of affected entities before the last change event.
    1
    affected_entities.previous.hosts.count
    long
    resource deprecated
    Number of affected hosts before the last change event.
    5
    affected_entities.previous.kubernetes_nodes.count
    long
    resource deprecated
    Number of affected Kubernetes nodes before the last change event.
    5
    affected_entities.previous.process_groups.count
    long
    resource deprecated
    Number of affected process groups before the last change event.
    2
    affected_entities.process_groups.count
    long
    resource stable
    Number of affected process groups.
    2
    affected_entities.types
    array
    resource stable
    Types of affected entities.
    PROCESS_GROUP; HOST; KUBERNETES_NODE

    This section contains information on changes to the vulnerability's related entities.

    Attribute
    Type
    Description
    Examples
    related_entities.applications.count
    long
    resource stable
    Number of related applications.
    1
    related_entities.databases.count
    long
    resource stable
    Number of related databases.
    1
    related_entities.hosts.count
    long
    resource stable
    Number of related hosts.
    1
    related_entities.kubernetes_clusters.count
    long
    resource stable
    Number of related Kubernetes clusters.
    1
    related_entities.kubernetes_workloads.count
    long
    resource stable
    Number of related Kubernetes workloads.
    1
    related_entities.previous.databases.count
    long
    resource deprecated
    Number of related databases before the last change event.
    1
    related_entities.services.count
    long
    resource stable
    Number of related services.
    1

    Vulnerability finding events

    Vulnerability-finding events contain generic sections and fields such as metadata, affected entity data, and vulnerability data. They can also include extensions (such as container image data for container vulnerability findings), which are listed at the end of the page.

    Vulnerability finding events: Metadata

    This section contains meta information on the vulnerability-finding event.

    Attribute
    Type
    Description
    Examples
    event.category
    string
    stable
    Standard categorization based on the significance of an event (similar to the severity level in the previous Dynatrace).
    VULNERABILITY_MANAGEMENT
    event.description
    string
    stable
    Human-readable description of an event.
    Vulnerability CVE-2023-45871 of component linux:4.19.269-1 was detected in your container image unguard-frontend:latest@054e1d39
    event.id
    string
    stable
    Unique identifier string of an event; is stable across multiple refreshes and updates.
    5547782627070661074_1647601320000
    event.kind
    string
    stable
    Gives high-level information about what kind of information the event contains without being specific about the contents of the event. It helps to determine the record type of a raw event.
    Tags: permission
    SECURITY_EVENT
    event.name
    string
    stable
    The human-readable display name of an event type.
    Vulnerability finding event
    event.original_content
    string
    experimental
    The original raw data of the event as received from the source.
    {"severity_id": 3,"state_id": 1,"time": "2024-06-26T07:15:06.139000Z","state": "New","type_uid": 200101}
    event.provider
    string
    stable
    Source of the event, for example, the name of the component or system that generated the event.
    Tags: permission
    Amazon ECR
    event.type
    string
    stable
    The unique type identifier of a given event.
    Tags: permission
    VULNERABILITY_FINDING
    event.version
    string
    experimental
    Describes the version of the event.
    1.309
    timestamp
    timestamp
    stable
    Time (UNIX Epoch time in nanoseconds) when the event originated, typically when the event was ingested into Dynatrace.
    1649822520123123123

    Vulnerability finding events: Vulnerability data

    This section contains information about the vulnerability that caused the vulnerability-finding event (vulnerability ID, description, risk level, and so on).

    Attribute
    Type
    Description
    Examples
    dt.security.risk.level
    string
    experimental
    Risk score level defined by the provider.
    LOW; MEDIUM; HIGH; CRITICAL; NONE; NOT_AVAILABLE
    dt.security.risk.score
    double
    experimental
    Risk score, mapped and normalized by Dynatrace.
    8.1
    vulnerability.description
    string
    stable
    Description of the vulnerability.
    More detailed description about improper input validation vulnerability.
    vulnerability.exploit.status
    string
    experimental
    Whether there is a known exploit for the vulnerability.
    AVAILABLE; NOT_AVAILABLE
    vulnerability.id
    string
    stable
    Dynatrace unique identifier for the vulnerability.
    CVE-2019-19814
    vulnerability.references.cve
    string[]
    stable
    List of the vulnerability's CVE IDs.
    [CVE-2021-41079]
    vulnerability.remediation.description
    string
    experimental
    Description of the vulnerability's remediation advice.
    Upgrade to JQuery version 3.5.0 or later.
    vulnerability.remediation.status
    string
    experimental
    Indicates whether a fix for the vulnerability is available.
    AVAILABLE; NOT_AVAILABLE
    vulnerability.title
    string
    stable
    Title of the vulnerability.
    CVE-2019-19814; Improper input validation

    Vulnerability finding events: Product data

    This section contains information about the third-party product from which Dynatrace fetches data.

    Attribute
    Type
    Description
    Examples
    product.name
    string
    resource experimental
    Product name.
    Tenable; Snyk
    product.vendor
    string
    resource experimental
    Product vendor.
    Tenable; Snyk

    Vulnerability finding events: Scan data

    This section contains information about the scan that detected this vulnerability.

    Attribute
    Type
    Description
    Examples
    scan.id
    string
    resource experimental
    Unique identifier of the scan.
    00000000-0000-0000-0000-000000000000
    scan.name
    string
    resource experimental
    Name of the scan.
    US Cloud Scanner
    scan.time.completed
    timestamp
    resource experimental
    Time when the scan was completed.
    2024-06-24T04:47:21.154000000+02:00
    scan.time.started
    timestamp
    resource experimental
    Time when the scan was started.
    2024-06-24T04:47:21.154000000+02:00

    Extensions

    Vulnerability finding events: Container image data

    This section contains container-image-specific data.

    Attribute
    Type
    Description
    Examples
    container_image.digest
    string
    resource experimental
    Container image digest uniquely and immutably identifying the vulnerable container image.
    sha256:054e1d39fb20a52f2c78caeb83574035462d3d2e627978d89a2834ce8cb69fe1
    container_image.registry
    string
    resource experimental
    Container image registry from which the finding originates.
    1294385647.eu-central-1
    container_image.repository
    string
    resource experimental
    Container image repository from which the finding originates.
    unguard-frontend
    container_image.tags
    array
    resource experimental
    List of tags of the vulnerable container image.
    [1.0.0]; [1.0.0, 1.0.0-nightly, latest]
    Attribute
    Type
    Description
    Examples
    os.architecture
    string
    resource experimental
    Architecture of the CPU, discovered from the operating system.
    X86
    os.name
    string
    resource stable
    The OS name in a short, human-readable format.
    iOS
    os.type
    string
    resource experimental
    Type of discovered operating system.
    LINUX; WINDOWS
    os.version
    string
    resource stable
    The complete OS version, including patch, build, and other information.
    15.3.1; Ubuntu 16.04.7 LTS (Xenial Xerus) (kernel 4.15.0-206-generic); Windows Server 2022 Datacenter 21H2 2009, ver. 10.0.20348
    Attribute
    Type
    Description
    Examples
    dt.entity.host
    string
    resource stable
    An entity ID of an entity of type HOST.
    Tags: entity-id
    HOST-E0D8F94D9065F24F
    dt.entity.process_group
    string
    resource stable
    An entity ID of an entity of type PROCESS_GROUP.
    Tags: entity-id
    PROCESS_GROUP-E0D8F94D9065F24F
    dt.entity.process_group_instance
    string
    resource stable
    An entity ID of an entity of type PROCESS_GROUP_INSTANCE.
    Tags: entity-id
    PROCESS_GROUP_INSTANCE-E0D8F94D9065F24F
    dt.source_entity
    string
    resource stable
    The ID of the entity considered the source of the signal. The string represents an entity ID of an entity that is stored in the classic entity storage. [1]
    Tags: entity-id
    HOST-E0D8F94D9065F24F; PROCESS_GROUP_INSTANCE-E0D8F94D9065F24F
    dt.source_entity.type
    string
    resource stable
    The entity type of the entity whose identifier is held in dt.source_entity. The value must be a valid entity type and consistent with dt.source_entity. Note, however, that the type identifiers are expected to be lowercased in alignment with suffixes of dt.entity.* keys.
    host; process_group_instance; cloud:azure:resource_group
    host.name
    string
    resource experimental
    The host name as determined on the data source (for instance, OneAgent, extensions or OpenTelemetry).
    Important: This is not the name of the host entity, which can be modified based on naming rules.
    Tags: permission
    ip-10-178-54-32.ec2.internal
    [1] The value of this field will be based on the value of one of the dt.entity.<type> fields. This means that both dt.source_entity and the dt.entity.<type> field will be set to the same ID.

    Vulnerability state events

    Vulnerability state events are historical states at the vulnerability level. The current vulnerability state is exported to Grail regularly.

    Query

    Query vulnerability state events.

    fetch security.events
    | filter event.category == "VULNERABILITY_MANAGEMENT"
    | filter event.type == "VULNERABILITY_STATE_REPORT_EVENT"
    | filter event.level == "VULNERABILITY"

    Vulnerability state: Event data

    This section contains general event information.

    Attribute
    Type
    Description
    Examples
    event.category
    string
    stable
    Categorization based on the product and data generating this event.
    VULNERABILITY_MANAGEMENT
    event.description
    string
    stable
    Human-readable description of an event.
    S-49 Remote Code Execution state event reported
    event.group_label
    string
    experimental
    Group label of an event.
    STATE_REPORT
    event.kind
    string
    stable
    Gives high-level information about what kind of information the event contains without being specific about the contents of the event. It helps to determine the record type of a raw event.
    Tags: permission
    SECURITY_EVENT
    event.level
    string
    resource stable
    Main reference point to which the event or data is related. Possible values are Vulnerability (shows the global aggregation across the entire environment and comprises all entities and management zones) and Entity (shows the assessment based on the entity itself).
    VULNERABILITY
    event.name
    string
    stable
    The human-readable display name of an event type.
    Vulnerability historical state report event
    event.provider
    string
    stable
    Source of the event, for example, the name of the component or system that generated the event.
    Tags: permission
    Dynatrace; Snyk
    event.provider_product
    string
    resource stable
    Name of the product providing this event.
    Runtime Vulnerability Analytics; Snyk Container
    event.status
    string
    stable
    Status of an event as being either Active or Closed.
    OPEN; RESOLVED; MUTED
    event.type
    string
    stable
    The unique type identifier of a given event.
    Tags: permission
    VULNERABILITY_STATE_REPORT_EVENT
    timestamp
    timestamp
    stable
    The time (UNIX Epoch time in nanoseconds) when the event originated, typically when it was created by the source.
    1649822520123123123

    Vulnerability state: Vulnerability data

    This section contains information about the vulnerability.

    Attribute
    Type
    Description
    Examples
    vulnerability.code_location.name
    string
    stable
    Name of the code location where the code-level vulnerability was detected.
    org.dynatrace.profileservice.BioController.markdownToHtml(String):80
    vulnerability.cvss.base_score
    double
    stable
    Vulnerability's CVSS base score provided by NVD.
    8.1
    vulnerability.cvss.vector
    string
    experimental
    Vulnerability's CVSS vector defined by the provider.
    CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:L/SI:L/SA:L; CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:L/A:H/E:P/RL:T/RC:U/CR:L/IR:M/AR:H
    vulnerability.cvss.version
    string
    stable
    Vulnerability's CVSS score version.
    3.1; 4.0
    vulnerability.davis_assessment.assessment_mode
    string
    stable
    Availability of the information based on which the vulnerability assessment has been done.
    FULL; NOT_AVAILABLE; REDUCED
    vulnerability.davis_assessment.assessment_mode_reasons
    string[]
    experimental
    Reasons for the assessment mode.
    [LIMITED_BY_CONFIGURATION, LIMITED_AGENT_SUPPORT]
    vulnerability.davis_assessment.data_assets_status
    string
    stable
    Vulnerability's reachability of related data assets by affected entities.
    NOT_AVAILABLE; NOT_DETECTED; REACHABLE
    vulnerability.davis_assessment.exploit_status
    string
    stable
    Vulnerability's public exploits status.
    AVAILABLE; NOT_AVAILABLE
    vulnerability.davis_assessment.exposure_status
    string
    stable
    Vulnerability's internet exposure status.
    NOT_AVAILABLE; NOT_DETECTED; PUBLIC_NETWORK; ADJACENT_NETWORK
    vulnerability.davis_assessment.level
    string
    stable
    Vulnerability's risk level based on Davis Security Score.
    LOW; MEDIUM; HIGH; CRITICAL; NONE
    vulnerability.davis_assessment.score
    double
    stable
    Vulnerability's Davis Security Score (1-10) calculated by Dynatrace.
    8.1
    vulnerability.davis_assessment.vector
    string
    experimental
    Vulnerability's CVSS vector, adjusted with observability data; this vector is calculated by Dynatrace.
    CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:L/SI:L/SA:L; CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:L/A:H/E:P/RL:T/RC:U/CR:L/IR:M/AR:H
    vulnerability.davis_assessment.vulnerable_function_status
    string
    stable
    Usage status of the vulnerable functions causing the vulnerability.
    IN_USE; NOT_AVAILABLE; NOT_IN_USE
    vulnerability.description
    string
    stable
    Description of the vulnerability.
    More detailed description about improper input validation vulnerability.
    vulnerability.display_id
    string
    stable
    Dynatrace user-readable identifier for the vulnerability.
    S-1234
    vulnerability.external_id
    string
    stable
    External provider's unique identifier for the vulnerability.
    SNYK-JAVA-ORGAPACHEHTTPCOMPONENTS-30646
    vulnerability.external_url
    string
    stable
    External provider's URL to the details page of the vulnerability.
    https://example.com
    vulnerability.first_seen
    timestamp
    stable
    Timestamp of when the vulnerability was first detected.
    2023-03-22T13:19:36.945Z
    vulnerability.id
    string
    stable
    Dynatrace unique identifier for the vulnerability.
    2039861408676243188
    vulnerability.is_fix_available
    boolean
    experimental
    Indicates if a vulnerability fix is available.
    vulnerability.mute.change_date
    timestamp
    stable
    Timestamp of the vulnerability's last muted or unmuted action.
    2023-03-22T13:19:36.945Z
    vulnerability.mute.reason
    string
    stable
    Reason for muting or unmuting the vulnerability.
    FALSE_POSITIVE; IGNORE; AFFECTED; CONFIGURATION_NOT_AFFECTED; OTHER
    vulnerability.mute.status
    string
    stable
    Vulnerability's mute status.
    MUTED; NOT_MUTED
    vulnerability.mute.user
    string
    stable
    User who last changed the vulnerability's mute status.
    user@example.com
    vulnerability.references.cve
    string[]
    stable
    List of the vulnerability's CVE IDs.
    [CVE-2021-41079]
    vulnerability.references.cwe
    string[]
    stable
    List of the vulnerability's CWE IDs.
    [CWE-20]
    vulnerability.references.owasp
    string[]
    stable
    List of the vulnerability's OWASP IDs.
    [2021:A3]
    vulnerability.remediation.description
    string
    experimental
    Description of the vulnerability's remediation advice.
    Upgrade component to version 1.2.3 or higher
    vulnerability.resolution.change_date
    timestamp
    stable
    Timestamp of the vulnerability's last resolution status change.
    2023-03-22T13:19:37.466Z
    vulnerability.resolution.status
    string
    stable
    Vulnerability's resolution status.
    OPEN; RESOLVED
    vulnerability.risk.level
    string
    stable
    Vulnerability's risk score level defined by the provider. For Dynatrace, the Davis Security Score level.
    LOW; MEDIUM; HIGH; CRITICAL; NONE
    vulnerability.risk.scale
    string
    stable
    Scale by which the vulnerability's risk score and risk score level defined by the provider are measured.
    Davis Security Score
    vulnerability.risk.score
    double
    stable
    Vulnerability's risk score defined by the provider. For Dynatrace, Davis Security Score.
    8.1
    vulnerability.stack
    string
    experimental
    Level of the vulnerable component in the technological stack.
    CODE; CODE_LIBRARY; SOFTWARE; CONTAINER_ORCHESTRATION
    vulnerability.technology
    string
    stable
    Technology of the vulnerable component.
    JAVA; DOTNET; GO; PHP; NODE_JS
    vulnerability.title
    string
    stable
    Title of the vulnerability.
    Improper Input Validation
    vulnerability.type
    string
    stable
    Classification of the vulnerability based on commonly accepted enums, such as CWE.
    Improper Input Validation
    vulnerability.url
    string
    stable
    Dynatrace URL to the details page of the vulnerability.
    https://example.com
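
    Because the current state is exported regularly, a query over a time window returns several state reports per vulnerability, and an older report can still say OPEN after the vulnerability was resolved. The following is an added example, not Dynatrace code: it keeps the newest report per vulnerability.id and ranks the open, unmuted ones. It assumes records are flat dictionaries keyed by the dotted attribute names, and the sample records are constructed.

```python
# Added example: reduce periodic vulnerability state reports to a current backlog.
# Assumption: records are flat dicts keyed by the dotted attribute names, as a
# result set of the state-event query would be; timestamps are epoch nanoseconds.

DA = "vulnerability.davis_assessment."


def latest_states(records):
    """Return {vulnerability.id: newest vulnerability-level state report}."""
    latest = {}
    for rec in records:
        if (rec.get("event.type") != "VULNERABILITY_STATE_REPORT_EVENT"
                or rec.get("event.level") != "VULNERABILITY"):
            continue
        vid = rec["vulnerability.id"]
        if vid not in latest or rec["timestamp"] > latest[vid]["timestamp"]:
            latest[vid] = rec
    return latest


def open_backlog(records):
    """List open, unmuted vulnerabilities as (display_id, score, signals, mode).

    signals counts the runtime indicators that raise urgency. A count of 0
    under assessment mode REDUCED or NOT_AVAILABLE means "unknown", not "safe".
    """
    rows = []
    for rec in latest_states(records).values():
        if rec.get("vulnerability.resolution.status") != "OPEN":
            continue
        if rec.get("vulnerability.mute.status") != "NOT_MUTED":
            continue
        signals = sum((
            rec.get(DA + "exposure_status") == "PUBLIC_NETWORK",
            rec.get(DA + "exploit_status") == "AVAILABLE",
            rec.get(DA + "vulnerable_function_status") == "IN_USE",
        ))
        rows.append((rec.get("vulnerability.display_id"),
                     rec.get(DA + "score") or 0.0,
                     signals,
                     rec.get(DA + "assessment_mode")))
    # Highest Davis Security Score first; runtime signals break ties.
    return sorted(rows, key=lambda row: (row[1], row[2]), reverse=True)


def state(vid, display_id, hours, resolution, mute, score,
          exposure, exploit, function, mode="FULL"):
    """Build one constructed state report (illustrative values only)."""
    return {
        "event.kind": "SECURITY_EVENT",
        "event.type": "VULNERABILITY_STATE_REPORT_EVENT",
        "event.level": "VULNERABILITY",
        "timestamp": 1_649_822_520_000_000_000 + hours * 3_600_000_000_000,
        "vulnerability.id": vid,
        "vulnerability.display_id": display_id,
        "vulnerability.resolution.status": resolution,
        "vulnerability.mute.status": mute,
        DA + "score": score,
        DA + "exposure_status": exposure,
        DA + "exploit_status": exploit,
        DA + "vulnerable_function_status": function,
        DA + "assessment_mode": mode,
    }


NA = "NOT_AVAILABLE"
# Constructed records; S-1's newer RESOLVED report is listed before the older one.
SAMPLE_RECORDS = [
    state("1001", "S-1", 2, "RESOLVED", "NOT_MUTED", 9.4, "PUBLIC_NETWORK", "AVAILABLE", "IN_USE"),
    state("1001", "S-1", 0, "OPEN", "NOT_MUTED", 9.4, "PUBLIC_NETWORK", "AVAILABLE", "IN_USE"),
    state("1002", "S-2", 1, "OPEN", "NOT_MUTED", 7.5, NA, NA, NA, "REDUCED"),
    state("1003", "S-3", 0, "OPEN", "NOT_MUTED", 7.5, "PUBLIC_NETWORK", NA, "IN_USE"),
    state("1003", "S-3", 2, "OPEN", "NOT_MUTED", 8.8, "PUBLIC_NETWORK", NA, "IN_USE"),
    state("1004", "S-4", 1, "OPEN", "MUTED", 9.0, "PUBLIC_NETWORK", "AVAILABLE", "IN_USE"),
]

if __name__ == "__main__":
    for row in open_backlog(SAMPLE_RECORDS):
        print(row)
```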

    Vulnerability state: Environmental data

    This section contains information on the vulnerability's affected and related entities.

    Affected entities

    Attribute
    Type
    Description
    Examples
    affected_entities.affected_processes.count
    long
    resource stable
    Number of affected processes.
    50
    affected_entities.count
    long
    resource stable
    Number of affected entities.
    1
    affected_entities.hosts.count
    long
    resource stable
    Number of affected hosts.
    2
    affected_entities.kubernetes_nodes.count
    long
    resource stable
    Number of affected nodes.
    2
    affected_entities.management_zones.ids
    array
    resource stable
    IDs of the management zones to which the affected entities belong.
    mzid1
    affected_entities.management_zones.names
    array
    resource stable
    Names of the management zones to which the affected entities belong.
    mz1
    affected_entities.monitored_processes.count
    long
    resource stable
    Number of processes of the process group.
    100
    affected_entities.process_groups.count
    long
    resource stable
    Number of affected process groups.
    2
    affected_entities.types
    array
    resource stable
    Types of affected entities.
    PROCESS_GROUP; HOST; KUBERNETES_NODE
    affected_entities.vulnerable_components.ids
    array
    resource stable
    Dynatrace IDs of the vulnerable components causing the vulnerability.
    SOFTWARE_COMPONENT-0000000000000001; SOFTWARE_COMPONENT-0000000000000002; SOFTWARE_COMPONENT-0000000000000003
    affected_entities.vulnerable_components.names
    array
    resource stable
    Names of the vulnerable components causing the vulnerability.
    com.fasterxml.jackson.core:jackson-databind:2.10.0; node-sass:4.14.1
    affected_entities.vulnerable_functions
    array
    resource stable
    Vulnerable functions detected, containing or causing the vulnerability.
    org.springframework.beans.CachedIntrospectionResults:init; java.lang.ProcessBuilder.<init>(String[]); (*DB).queryDC() (/usr/local/go/src/database/sql/sql.go)
    Attribute
    Type
    Description
    Examples
    related_entities.applications.count
    long
    resource stable
    Number of related applications.
    1
    related_entities.databases.count
    long
    resource stable
    Number of related databases.
    1
    related_entities.hosts.count
    long
    resource stable
    Number of related hosts.
    1
    related_entities.kubernetes_clusters.count
    long
    resource stable
    Number of related Kubernetes clusters.
    1
    related_entities.kubernetes_workloads.count
    long
    resource stable
    Number of related Kubernetes workloads.
    1
    related_entities.services.count
    long
    resource stable
    Number of related services.
    1