Security data on Grail

Latest Dynatrace

Overview

This page aims to give you a better understanding of data in the security context so you can easily accomplish various use cases with security-related data available on Grail. To learn how DQL can help in your daily tasks, see DQL examples for security data.

Types of data available in Grail

Data from your monitored environment

Data that Dynatrace collects from your monitored environment and that can currently be queried in Grail consists of logs, metrics, entities, Davis AI problems and events, system events, business events, and security events.

For information, see Data in Grail and Grail data model.

Use case examples

  • Stay compliant with Security Posture Management: Stay on top of your security measures, policies, and practices with the Security Posture Management app (xSPM).
  • Analyze and report with security snippets: Visualize exposure to vulnerabilities, prioritize remediation efforts, and communicate findings to owning teams.
  • Determine threat exposure with security templates: Use the Threat exposure template to visualize the risk and impact of vulnerabilities (Dashboards) or analyze the impact of vulnerabilities and prioritize remediation efforts (Notebooks).
  • Intrusion notification automation: Set up a workflow to automatically identify whenever an attack occurs, determine what is affected, and notify the responsible team for the affected entities. Learn how to collect, process, and enrich the data with context, and convert it into notifications for faster response to attacks.

Data from third-party sources

Dynatrace consumes data from third-party sources, providing consolidated, unified analysis and automation.

Use case examples

Security-related data

Security-related data can be either generated by Dynatrace native capabilities and collected by OneAgent or ActiveGate, or ingested from third-party tools via log ingestion or OpenPipeline.

Security-related data on Grail can provide answers at different granularities and from various perspectives. You can query, aggregate, visualize, and report data on multiple levels.

The Grail data lakehouse doesn't distinguish security-related data from observability information. You can use all your data in Dynatrace for your security use cases. For example, if you ingested your application authentication logs for business purposes, you can use the same logs to detect potential brute force attacks on your customer accounts. Below are some examples of how you can use data for security purposes:

Security events

Security events are a type of security-related data consisting of various generated events such as

Security events (SECURITY_EVENT) are stored in a dedicated bucket: default_security_events.

Vulnerability events

Vulnerability events can be classified by

  • Event levels (event.level)

    Event level | Description
    VULNERABILITY | The vulnerability on the global level, including general information, global statuses, and changes. The unique identifier is vulnerability.id or vulnerability.display_id.
    ENTITY | The vulnerable entity with vulnerability-related information scoped to the entity. The unique identifier is the tuple (affected_entity.id, vulnerability.id).
  • Event groups (event.group_label)

    Event group | Description
    CHANGE_EVENT | A change that occurs on a vulnerability or its affected entity.
    STATE_REPORT | The full historical state of a vulnerability or its affected entity, reported periodically over time: OPEN (muted and not muted) vulnerabilities are reported every 15 minutes; RESOLVED vulnerabilities are reported only once (when an open vulnerability gets resolved). To analyze resolved vulnerabilities, filter for the desired time range.
  • Event types (event.type)

    Event type | Description
    VULNERABILITY_STATE_REPORT_EVENT | Historical vulnerability states reported periodically.
    VULNERABILITY_COVERAGE_REPORT_EVENT | Historical coverage events reported periodically.
    VULNERABILITY_STATUS_CHANGE_EVENT | Vulnerability status changes reported on change. These include resolution and mute statuses.
    VULNERABILITY_ASSESSMENT_CHANGE_EVENT | Vulnerability assessment changes reported on change. These include the Davis Security Score and Davis assessments.

For a list of vulnerability event fields mapped to Grail, see Dynatrace Semantic Dictionary.
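As an added example (not a query from the Dynatrace documentation), the following DQL query combines the event level, group, and type fields above to produce the current list of vulnerabilities and how many entities each one affects. It assumes security events are reached with `fetch events` filtered on event.kind, and relies on the 15-minute reporting interval of OPEN STATE_REPORT events.

```dql
// Constructed example: current vulnerability exposure from the last 15 minutes of state reports.
// OPEN vulnerabilities are reported every 15 minutes, so a 15-minute window contains
// one fresh VULNERABILITY_STATE_REPORT_EVENT per (affected entity, vulnerability) tuple.
fetch events, from:now() - 15m
| filter event.kind == "SECURITY_EVENT"
| filter event.type == "VULNERABILITY_STATE_REPORT_EVENT"
| filter event.level == "ENTITY"
// Keep only the newest report per entity-level identifier (affected_entity.id, vulnerability.id)
| dedup {affected_entity.id, vulnerability.id}, sort: {timestamp desc}
// Roll up to one row per vulnerability with the number of distinct affected entities
| summarize affected_entities = countDistinct(affected_entity.id), by: {vulnerability.display_id}
| sort affected_entities desc
```

A RESOLVED vulnerability is reported only once, so its single report can also fall inside the window; exclude it with the resolution status field from the Semantic Dictionary (not listed on this page) if you need strictly open findings.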

Compliance events

A compliance event is a type of security event specific to Security Posture Management. It represents the assessment of a resource in the context of the rule specified in the compliance standard.

Event type | Description
COMPLIANCE_SCAN_COMPLETED | A compliance scan completed event is generated when a scan of a configuration dataset against compliance rules is completed.
COMPLIANCE_FINDING | A compliance finding event is generated when an object is evaluated against a compliance rule during a scan. The event contains the results of this evaluation and the compliance status of the given object.

For a list of compliance event fields mapped to Grail, see Dynatrace Semantic Dictionary.