The Dynatrace semantic dictionary defines conventions for storing data in a normalized manner, regardless of the origin of the data. This is important for creating stable and robust applications and automations.
Security events are a special type of data representing various events generated by Dynatrace.
In the events data store, security events are stored in a dedicated bucket (default_security_events) and come as an additional event kind (event.kind=="SECURITY_EVENT") for better access control, data separation, and data retention period control.
The following is a schematic representation of the different data categories that can be ingested and stored in Grail for later analysis and reporting use cases. The common fields of the schema allow dashboards, notebooks, and other apps to access and process the data uniformly.
Common fields differ between the data categories.
There are optional vendor-specific fields and Dynatrace-enriched fields.
Logical sections of security events schema
The following shows the logical sections of the security events schema.
Security event categorization
The following shows different categories of security events, with a focus on vulnerability management.
Security event groups
Change events (CHANGE_EVENT) are changes that occur to vulnerabilities or their affected entities.
In the example below, note the change_list fields containing the context of the change.
State reports (STATE_REPORT) represent the full historical state (of a vulnerability, for example) and are reported periodically over time.
OPEN (muted and not muted) vulnerabilities are reported every 15 minutes.
RESOLVED vulnerabilities are reported only once (at the moment an open vulnerability gets resolved). To analyze resolved vulnerabilities, filter for the desired time range.
In the example below, note the environmental context and related fields, including the information about the directly affected entities and the wider impact on the related entities of the environment.
Security event types
The vulnerability management category includes the following event types:
- VULNERABILITY_STATE_REPORT_EVENT: Historical vulnerability states reported periodically.
- VULNERABILITY_COVERAGE_REPORT_EVENT: Historical coverage events reported periodically.
- VULNERABILITY_STATUS_CHANGE_EVENT: Vulnerability status changes reported on change. These include resolution and mute statuses.
- VULNERABILITY_ASSESSMENT_CHANGE_EVENT: Vulnerability assessment changes reported on change. These include the Davis Security Score and Davis assessments.
- VULNERABILITY_IMPACT_CHANGE_EVENT: Vulnerability environmental impact changes reported on change. These include changes in the counts of affected/related entities.
Security event levels
Vulnerability-related events can be reported on two different levels:
- VULNERABILITY: The vulnerability on the global level, including, for example, general information, global statuses, and changes. The unique identifier is
- ENTITY: The vulnerable entity with vulnerability-related information scoped to the entity. The unique identifier is a tuple of (
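As an added example (not taken from the Dynatrace documentation), the following DQL query applies these conventions to list the vulnerabilities that are currently open: because OPEN state reports repeat every 15 minutes while RESOLVED is reported only once, the most recent VULNERABILITY-level state report per vulnerability carries its current status. The field names event.level, vulnerability.id, vulnerability.title, vulnerability.resolution.status and vulnerability.mute.status are assumptions here and should be checked against the semantic dictionary before use.

```dql
// Look back far enough to cover several 15-minute reporting cycles plus any
// one-off RESOLVED reports emitted in that window.
fetch events, from: now() - 24h
// Restrict to the security event kind and the periodic state reports only.
| filter event.kind == "SECURITY_EVENT"
| filter event.type == "VULNERABILITY_STATE_REPORT_EVENT"
// Assumed field: global (VULNERABILITY) level, not the per-entity (ENTITY) level.
| filter event.level == "VULNERABILITY"
// Newest report first, then keep one record per vulnerability so that a
// RESOLVED report emitted after the last OPEN report wins.
| sort timestamp desc
| dedup vulnerability.id
// Assumed field: only vulnerabilities whose latest state is still OPEN.
| filter vulnerability.resolution.status == "OPEN"
| fields timestamp, vulnerability.id, vulnerability.title,
         vulnerability.resolution.status, vulnerability.mute.status
```

Narrowing the time range to the last few days and filtering for vulnerability.resolution.status == "RESOLVED" instead lists the vulnerabilities resolved in that window, since each resolution is reported exactly once.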
- On the Third-party vulnerabilities list page, Open with… is currently unavailable if you
  - Filter by Tag in the filter bar
  - Filter for recommended fixes from Davis Security Advisor.
  - Filter by
- For entity state events the following attributes are currently missing:
- When you run DQL queries for a specific entity, the vulnerable functions in use by all entities are reported, instead of those in use only by the specific entity.
- Using Open with… to explore security data from scratch doesn't include the aggregation to return the same amount of data as on the source Third-party vulnerabilities list page. To aggregate data, manually run the