Host coverage

After you activate Application Security, assign permissions, and enable and configure Dynatrace Runtime Vulnerability Analytics, you can review and improve the coverage of hosts on which vulnerability detection is enabled. This can help you determine where there are coverage gaps and how this can relate to the current number of open third-party and code-level vulnerabilities in your environment.

To view your host coverage posture, go to Security Overview > Host coverage. For details, see Application Security overview: Host coverage.

How host coverage is calculated

Host coverage is calculated based on the last 70 minutes and uses all hosts in your environment that run a supported technology. See below the calculation mechanism for third-party and code-level vulnerabilities.

Collect: Dynatrace first collects all monitored hosts.
Filter: All monitored hosts collected are then filtered based on your monitoring rules. If there are hosts that are excluded by monitoring rules, host coverage decreases.

If there's a decrease in coverage, it can take up to 70 minutes until changes are displayed.
If there's an increase in coverage, it can take up to 10 minutes until changes are displayed.

Dynatrace collects hosts based on the processes that are configured to report code-level vulnerabilities. If at least one process is able to report code-level vulnerabilities, then its host is covered.

A process is able to report code-level vulnerabilities when

Code-level Vulnerability Analytics is globally enabled
OneAgent monitoring is enabled
The global code-level vulnerability detection control is set to Monitor for the technology of the given process.
No monitoring rules exclude the process group of the respective process from monitoring
The process is restarted after a change in configuration

If there's a decrease in coverage, it can take up to 70 minutes until changes are displayed.
If there's an increase in coverage, it can take up to 10 minutes until changes are displayed.

How to increase host coverage

To increase the host coverage for third-party and code-level vulnerabilities, follow the instructions below.

Enable Third-party Vulnerability Analytics globally.
Enable all the technologies that you want Dynatrace to cover. Note that only hosts running technologies that are listed and enabled can be collected.
In your monitoring rules, look for hosts that are excluded from monitoring, and adapt these rules if you want the respective hosts to be collected.

Enable Code-level Vulnerability Analytics globally.
Enable OneAgent monitoring.
Set the global code-level vulnerability detection control to Monitor for all supported technologies.
In your monitoring rules, look for process groups that are excluded from monitoring, and adapt these rules. Note that a host is monitored when one of its processes is monitored with Application Security.
Restart the process.

It can take up to 10 minutes until any change is displayed.

Frequently asked questions

Why isn't the host coverage increasing?

If you have followed the steps above to increase the Application Security host coverage, yet the number of covered hosts stays the same, follow the instructions below.

Make sure that

Your OneAgent version is compatible with the supported technologies.
(…) software component reporting OneAgent features are enabled for all technologies (go to Settings > Preferences > OneAgent features and search for (…) software component reporting).
There are no OneAgent features configured at the process-group level overriding the global OneAgent configuration. For details, see OneAgent features.
You restart processes after each change in configuration.