This page aims to give you a better understanding of data in the security context so you can easily accomplish various use cases with security-related data available on Grail. To learn how DQL can help in your daily tasks, see DQL examples for security data.
Data that Dynatrace collects from your monitored environment and that can be currently queried in Grail consists of: logs, metrics, entities, Davis AI problems and events, system events, business events, and security events.
For information, see Data in Grail and Grail data model.
Use the Threat exposure template to visualize the risk and impact of vulnerabilities (Dashboards) or to analyze the impact of vulnerabilities and prioritize remediation efforts (Notebooks).
Dynatrace consumes data from third-party sources, providing consolidated, unified analysis and automation.
Security-related data can be either generated by Dynatrace native capabilities and collected by OneAgent or ActiveGate, or ingested from third-party tools via log ingestion or OpenPipeline.
Security-related data on Grail can provide answers at different granularities and from various perspectives. You can query, aggregate, visualize, and report data on multiple levels.
The Grail data lakehouse doesn't distinguish security-related data from observability information. You can use all your data in Dynatrace for your security use cases. For example, if you ingested your application authentication logs for business purposes, you can use the same logs to detect potential brute force attacks on your customer accounts. Below are some examples of how you can use data for security purposes:
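The brute-force case above, as an added DQL example that is not part of the Dynatrace documentation: it reads ingested authentication logs, counts failed logins per source address in five-minute windows, and keeps only the bursts. The phrase "authentication failed" and the src=<ip> token in the message are assumptions about the application's log format; adjust the filter and the DPL pattern to your own log layout.

```dql
// Added example: flag bursts of failed logins in ingested authentication logs.
// The log content and the "src=" token are assumptions about the application's log format.
fetch logs, from:now()-1h
| filter matchesPhrase(content, "authentication failed")
// Pull the client address out of the message with a DPL pattern (assumed layout: "... src=192.0.2.10 ...")
| parse content, "LD 'src=' IPADDR:src_ip"
| filter isNotNull(src_ip)
// Count failures per source address in 5-minute buckets
| summarize failed_logins = count(), by:{window = bin(timestamp, 5m), src_ip}
// The threshold is a tuning choice; 20 failures in 5 minutes from one address is a plausible starting point
| filter failed_logins >= 20
| sort failed_logins desc
```

The same query body can drive a Dashboards tile or a Notebooks section; lower the threshold for logins that should never fail repeatedly (service accounts, admin consoles) and raise it for shared NAT addresses.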
Security events are a type of security-related data consisting of various generated events, such as the vulnerability events and compliance events described below.
Security events (SECURITY_EVENT) are stored in a dedicated bucket: default_security_events.
Vulnerability events can be classified by event level, event group, and event type.
Event levels (event.level):
- VULNERABILITY: one event per vulnerability, identified by vulnerability.id or vulnerability.display_id.
- ENTITY: one event per affected entity and vulnerability, identified by (affected_entity.id, vulnerability.id).
Event groups (event.group_label):
- CHANGE_EVENT
- STATE_REPORT: OPEN (muted and not muted) vulnerabilities are reported every 15 minutes; RESOLVED vulnerabilities are reported only once (when open vulnerabilities get resolved). To analyze resolved vulnerabilities, filter for the desired time range.
Event types (event.type):
- VULNERABILITY_STATE_REPORT_EVENT
- VULNERABILITY_COVERAGE_REPORT_EVENT
- VULNERABILITY_STATUS_CHANGE_EVENT
- VULNERABILITY_ASSESSMENT_CHANGE_EVENT
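The classification above in practice, as an added DQL example rather than code from the Dynatrace documentation. The two queries (run each separately) show the consequence of the reporting cadence: open vulnerabilities are re-reported every 15 minutes, so a short window plus dedup yields the current state, while resolved ones are reported once, so the time range itself is the filter. The fields event.kind, event.type, event.level and vulnerability.id come from this page; vulnerability.resolution.status, vulnerability.title and vulnerability.risk.score are assumed from the Semantic Dictionary and should be checked there before use.

```dql
// Added example: currently open vulnerabilities from the latest state report, one row per vulnerability.
// Assumed field names: vulnerability.resolution.status, vulnerability.title, vulnerability.risk.score.
fetch events, from:now()-30m                        // state reports arrive every 15 minutes, so 30m always contains the latest one
| filter event.kind == "SECURITY_EVENT"
| filter event.type == "VULNERABILITY_STATE_REPORT_EVENT"
| filter event.level == "VULNERABILITY"             // one event per vulnerability, not one per affected entity
| filter vulnerability.resolution.status == "OPEN"
| dedup vulnerability.id, sort:{timestamp desc}     // keep only the newest report per vulnerability
| fields timestamp, vulnerability.display_id, vulnerability.title, vulnerability.risk.score
| sort vulnerability.risk.score desc

// Resolved vulnerabilities are reported only once, so widen the time range instead of deduplicating to "latest".
fetch events, from:now()-7d
| filter event.kind == "SECURITY_EVENT"
| filter event.type == "VULNERABILITY_STATE_REPORT_EVENT"
| filter event.level == "VULNERABILITY"
| filter vulnerability.resolution.status == "RESOLVED"
| fields timestamp, vulnerability.display_id, vulnerability.title
| sort timestamp desc
```

Switching the level filter to ENTITY and deduplicating on the pair (affected_entity.id, vulnerability.id) gives the per-entity view, which is the one to use when you need to know which hosts or processes still carry a finding.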
For a list of vulnerability event fields mapped to Grail, see Dynatrace Semantic Dictionary.
A compliance event is a type of security event specific to Security Posture Management. It represents the assessment of a resource in the context of the rule specified in the compliance standard.
Compliance events have two event types:
- COMPLIANCE_SCAN_COMPLETED
- COMPLIANCE_FINDING
For a list of compliance event fields mapped to Grail, see Dynatrace Semantic Dictionary.