Security data on Grail
Latest Dynatrace
Overview
This page aims to give you a better understanding of data in the security context so you can easily accomplish various use cases with security-related data available on Grail. To learn how DQL can help in your daily tasks, see DQL examples for security data.
Types of data available in Grail
Data from your monitored environment
Data that Dynatrace collects from your monitored environment and that can currently be queried in Grail consists of logs, metrics, entities, Davis AI problems and events, system events, business events, and security events.
For information, see Data in Grail and Grail data model.
Use case examples
- Analyze and report with security snippets: Visualize exposure to vulnerabilities, prioritize remediation efforts, and communicate findings to owning teams.
- Determine threat exposure with security templates: Use the Threat exposure template to visualize the risk and impact of vulnerabilities (Dashboards) or to analyze the impact of vulnerabilities and prioritize remediation efforts (Notebooks).
- Intrusion notification automation: Set up a workflow that automatically identifies when an attack occurs, determines what is affected, and notifies the team responsible for the affected entities. Learn how to collect, process, and enrich the data with context, and convert it into notifications for a faster response to attacks.
Data from third-party sources
Dynatrace consumes data from third-party sources, providing consolidated, unified analysis and automation.
Use case examples
- Security events ingest: Ingest security events from third-party products with OpenPipeline and analyze them on the Dynatrace platform.
- Reduce security event storm: Set up a workflow to automatically explore all incoming AWS events and receive notifications only for the critical ones and only for certain relevant accounts. Process, triage, enrich, and classify incoming AWS alerts for immediate action.
- Generate security events from Dynatrace Security Investigator via OpenPipeline: Ingest query results from Security Investigator as security events with OpenPipeline.
- Investigate security incidents in Kubernetes clusters: Use Security Investigator to analyze unauthorized requests in your Kubernetes audit logs. Manage and reuse evidence, follow investigation paths, and get a detailed overview of your results in the original format.
- Ingest and process custom security findings: Use the OpenPipeline ingest API for security events to ingest and process custom security data while pushing the data from a third-party tool to Dynatrace.
- Automate and orchestrate security findings: Use our sample workflows to periodically query for new critical container vulnerabilities and automatically receive Jira tickets or notifications on Slack for new critical vulnerability findings in your scanned container images.
- Visualize and analyze security findings: Use our sample dashboard to effortlessly view and analyze security findings across products and tools.
- Discover coverage gaps in security scans: Use our sample dashboard to gain visibility into the security validations during the Software Development Lifecycle (SDLC).
Security-related data
Security-related data is either generated by Dynatrace native capabilities and collected by OneAgent, or ingested from third-party tools via log ingestion or OpenPipeline.
Security-related data on Grail can answer questions at different levels of granularity and from different perspectives. You can query, aggregate, visualize, and report on the data at multiple levels.
The Grail data lakehouse doesn't distinguish security-related data from observability information. You can use all your data in Dynatrace for your security use cases. For example, if you ingested your application authentication logs for business purposes, you can use the same logs to detect potential brute force attacks on your customer accounts. Below are some examples of how you can use data for security purposes:
- Context-aware security incident response with Dynatrace Automations and Tetragon
- Overseeing SaaS security with AWS AppFabric and Dynatrace
- Detect VMware Aria Operations for Logs exploitation with Dynatrace and DQL
- TTP-based threat hunting with Dynatrace Security Analytics and Falco Alerts solves alert noise
- Log forensics: Finding malicious activity in multicloud environments with Dynatrace Grail
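The brute-force example above is a detection you can run on logs that were never ingested for security purposes. The following Python is an added illustration of that detection logic, not code from the Dynatrace page or product: it parses constructed authentication log lines (the line format, the threshold of five failures, and the five-minute window are all assumptions for illustration) and flags source IPs that exceed the failure threshold inside a sliding window, which also catches password spraying across several accounts from one source.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample authentication log (not real data). Assumed line format:
# "<ISO-8601 timestamp> user=<name> src=<ip> result=<SUCCESS|FAILURE>"
SAMPLE_AUTH_LOG = """\
2024-05-01T10:00:01Z user=alice src=203.0.113.7 result=FAILURE
2024-05-01T10:00:04Z user=alice src=203.0.113.7 result=FAILURE
2024-05-01T10:00:07Z user=bob src=198.51.100.2 result=FAILURE
2024-05-01T10:00:09Z user=alice src=203.0.113.7 result=FAILURE
2024-05-01T10:00:12Z user=carol src=203.0.113.7 result=FAILURE
2024-05-01T10:00:15Z user=bob src=198.51.100.2 result=SUCCESS
2024-05-01T10:00:18Z user=carol src=203.0.113.7 result=FAILURE
2024-05-01T10:00:21Z user=carol src=203.0.113.7 result=SUCCESS
2024-05-01T10:05:00Z user=dave src=192.0.2.9 result=FAILURE
2024-05-01T10:15:00Z user=dave src=192.0.2.9 result=FAILURE
2024-05-01T10:25:00Z user=dave src=192.0.2.9 result=FAILURE
2024-05-01T10:35:00Z user=dave src=192.0.2.9 result=FAILURE
2024-05-01T10:45:00Z user=dave src=192.0.2.9 result=FAILURE
"""


def parse_line(line):
    """Split one assumed-format line into (timestamp, {field: value})."""
    ts, *kvs = line.split()
    fields = dict(kv.split("=", 1) for kv in kvs)
    # "Z" suffix is only accepted by fromisoformat() from Python 3.11 on
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), fields


def detect_brute_force(log_text, max_failures=5, window=timedelta(minutes=5)):
    """Return {src_ip: {"failures": n, "users": [...], "last_seen": iso}} for every
    source IP that produced at least `max_failures` FAILURE results within any
    `window`-long sliding window. Lines are sorted by timestamp first so the
    window logic is correct even if the log is not strictly ordered."""
    events = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e[0])
    recent = defaultdict(deque)  # ip -> deque of (timestamp, user) failures in window
    flagged = {}
    for ts, f in events:
        if f["result"] != "FAILURE":
            continue
        q = recent[f["src"]]
        q.append((ts, f["user"]))
        # Drop failures that fell out of the window relative to this event.
        while ts - q[0][0] > window:
            q.popleft()
        if len(q) >= max_failures:
            flagged[f["src"]] = {
                "failures": len(q),
                "users": sorted({u for _, u in q}),  # >1 user => spraying pattern
                "last_seen": ts.isoformat(),
            }
    return flagged


if __name__ == "__main__":
    for ip, info in detect_brute_force(SAMPLE_AUTH_LOG).items():
        print(ip, info)
```

With the defaults, only 203.0.113.7 is flagged (five failures against two accounts in 17 seconds); 192.0.2.9 also produces five failures, but spread ten minutes apart, so they never share a five-minute window. Widening the window to an hour catches that slow pattern too, which is the trade-off you tune per environment.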
Security events
Security events are a type of security-related data consisting of various generated events such as
- Vulnerability events
- Attack alerts (coming soon)
- Threat intelligence feeds (coming soon)
Security events (`SECURITY_EVENT`) are stored in a dedicated bucket: `default_security_events`.
Vulnerability events
Vulnerability events can be classified by event level, event group, and event type.

Event levels (`event.level`)

| Event level | Description |
| --- | --- |
| `VULNERABILITY` | The vulnerability on the global level, including general information, global statuses, and changes. The unique identifier is `vulnerability.id` or `vulnerability.display_id`. |
| `ENTITY` | The vulnerable entity with vulnerability-related information scoped to the entity. The unique identifier is the tuple (`affected_entity.id`, `vulnerability.id`). |

Event groups (`event.group_label`)

| Event group | Description |
| --- | --- |
| `CHANGE_EVENT` | A change that occurs on a vulnerability or its affected entity. |
| `STATE_REPORT` | The full historical state of a vulnerability or its affected entity, reported periodically over time: `OPEN` vulnerabilities (muted and not muted) are reported every 15 minutes; `RESOLVED` vulnerabilities are reported only once, when an open vulnerability gets resolved. To analyze resolved vulnerabilities, filter for the time range in which the resolution happened. |

Event types (`event.type`)

| Event type | Description |
| --- | --- |
| `VULNERABILITY_STATE_REPORT_EVENT` | Historical vulnerability states, reported periodically. |
| `VULNERABILITY_COVERAGE_REPORT_EVENT` | Historical coverage events, reported periodically. |
| `VULNERABILITY_STATUS_CHANGE_EVENT` | Vulnerability status changes, reported on change. These include resolution and mute statuses. |
| `VULNERABILITY_ASSESSMENT_CHANGE_EVENT` | Vulnerability assessment changes, reported on change. These include the Davis Security Score and Davis assessments. |
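The reporting model above has a practical consequence: because `OPEN` entity-level state reports repeat every 15 minutes and `RESOLVED` is reported once, counting raw events overstates exposure, and the current state of each (`affected_entity.id`, `vulnerability.id`) tuple is its newest `STATE_REPORT`. The following Python is an added example, not code from the Dynatrace page or product, that applies that reduction to constructed `SECURITY_EVENT` records. The field names `event.level`, `event.group_label`, `event.type`, `vulnerability.id`, and `affected_entity.id` are taken from this page; the status field name `vulnerability.resolution.status`, the entity IDs, and the "stale after two missed reports" rule are assumptions for illustration.

```python
from datetime import datetime, timedelta, timezone

T0 = datetime(2024, 5, 1, 10, 0, tzinfo=timezone.utc)
REPORT_INTERVAL = timedelta(minutes=15)  # open vulnerabilities are reported every 15 minutes


def ev(minutes, level, group, etype, vuln, entity=None, status=None):
    """Build one constructed SECURITY_EVENT-like record (field names as on this page;
    'vulnerability.resolution.status' is an assumed name for the status field)."""
    rec = {"timestamp": T0 + timedelta(minutes=minutes), "event.level": level,
           "event.group_label": group, "event.type": etype, "vulnerability.id": vuln}
    if entity is not None:
        rec["affected_entity.id"] = entity
    if status is not None:
        rec["vulnerability.resolution.status"] = status
    return rec


STATE, CHANGE = "VULNERABILITY_STATE_REPORT_EVENT", "VULNERABILITY_STATUS_CHANGE_EVENT"
# Constructed sample: VULN-1 stays open on entity A (3 periodic reports), is resolved
# on entity B (one RESOLVED report after a status change), VULN-2 on A reports once,
# plus one VULNERABILITY-level (global) report that must not be counted per entity.
SAMPLE_EVENTS = [
    ev(0,  "ENTITY", "STATE_REPORT", STATE,  "VULN-1", "PROCESS_GROUP-A", "OPEN"),
    ev(15, "ENTITY", "STATE_REPORT", STATE,  "VULN-1", "PROCESS_GROUP-A", "OPEN"),
    ev(30, "ENTITY", "STATE_REPORT", STATE,  "VULN-1", "PROCESS_GROUP-A", "OPEN"),
    ev(0,  "ENTITY", "STATE_REPORT", STATE,  "VULN-1", "PROCESS_GROUP-B", "OPEN"),
    ev(15, "ENTITY", "STATE_REPORT", STATE,  "VULN-1", "PROCESS_GROUP-B", "OPEN"),
    ev(20, "ENTITY", "CHANGE_EVENT", CHANGE, "VULN-1", "PROCESS_GROUP-B", "RESOLVED"),
    ev(20, "ENTITY", "STATE_REPORT", STATE,  "VULN-1", "PROCESS_GROUP-B", "RESOLVED"),
    ev(15, "ENTITY", "STATE_REPORT", STATE,  "VULN-2", "PROCESS_GROUP-A", "OPEN"),
    ev(30, "VULNERABILITY", "STATE_REPORT", STATE, "VULN-1", status="OPEN"),
]


def latest_entity_states(events):
    """Reduce ENTITY-level STATE_REPORT events to the newest report per
    (affected_entity.id, vulnerability.id), the unique identifier on that level.
    CHANGE_EVENT rows and VULNERABILITY-level (global) rows are skipped."""
    latest = {}
    for e in events:
        if e["event.level"] != "ENTITY" or e["event.group_label"] != "STATE_REPORT":
            continue
        key = (e["affected_entity.id"], e["vulnerability.id"])
        if key not in latest or e["timestamp"] > latest[key]["timestamp"]:
            latest[key] = e
    return latest


def open_entity_vulnerabilities(events, now, stale_after=2 * REPORT_INTERVAL):
    """Return {(entity, vuln): {"last_report": ts, "stale": bool}} for tuples whose
    newest state report is OPEN. An OPEN tuple whose newest report is older than
    `stale_after` (assumed: two missed 15-minute reports) has stopped reporting,
    e.g. the entity is gone, so it is flagged rather than silently counted as open."""
    out = {}
    for key, e in latest_entity_states(events).items():
        if e["vulnerability.resolution.status"] != "OPEN":
            continue
        out[key] = {"last_report": e["timestamp"], "stale": now - e["timestamp"] > stale_after}
    return out


def naive_open_event_count(events):
    """What a plain count of OPEN entity state reports gives: every 15-minute repeat counts again."""
    return sum(1 for e in events
               if e["event.level"] == "ENTITY" and e["event.group_label"] == "STATE_REPORT"
               and e["vulnerability.resolution.status"] == "OPEN")


if __name__ == "__main__":
    now = T0 + timedelta(minutes=50)
    print("naive OPEN event count:", naive_open_event_count(SAMPLE_EVENTS))
    for key, info in sorted(open_entity_vulnerabilities(SAMPLE_EVENTS, now).items()):
        print(key, info)
```

On the sample, a raw count of `OPEN` reports gives 6, while only two entity/vulnerability tuples are actually open, and one of those (VULN-2 on PROCESS_GROUP-A) has not reported for over 30 minutes and is flagged as stale. The same "newest report per tuple" reduction is what you want in a DQL query before aggregating exposure.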
For information about the Dynatrace data storage conventions in Grail, see Dynatrace semantic dictionary.