Data structure
The Dynatrace semantic dictionary defines conventions for storing data in a normalized manner, regardless of the origin of the data. This is important for creating stable and robust applications and automations.
Security events are a special type of data representing various events generated by Dynatrace.
In the events data store, security events are stored in a dedicated bucket (default_security_events) and come as an additional event kind (event.kind=="SECURITY_EVENT") for better access control, data separation, and data retention period control.
Schematics
Data categories
The following is a schematic representation of the different data categories that can be ingested and stored in Grail for later analysis and reporting use cases. The common fields of the schema allow dashboards, notebooks, and other apps to access and process the data uniformly.
Common fields differ between the data categories.
There are optional vendor-specific fields and Dynatrace-enriched fields.
Logical sections of security events schema
The following shows the logical sections of the security events schema.
Security event categorization
The following shows different categories of security events, with a focus on vulnerability management.
Security event groups
All security events can be categorized into two basic groups (event.group_label): change events and state reports.
Change events
Change events (CHANGE_EVENT) are changes that occur to vulnerabilities or their affected entities.
In the example below, note the event.status_transition and change_list fields containing the context of the change.
State reports
State reports (STATE_REPORT) represent the full historical state (of a vulnerability, for example) and are reported periodically over time.
- OPEN (muted and not muted) vulnerabilities are reported every 15 minutes.
- RESOLVED vulnerabilities are reported only once (when open vulnerabilities get resolved). To analyze resolved vulnerabilities, filter for the desired time range.
In the example below, note the environmental context and related fields, including the information about the directly affected entities and the wider impact on the related entities of the environment.
Security event types
The vulnerability management category includes the following event types (event.type):
- VULNERABILITY_STATE_REPORT_EVENT: Historical vulnerability states reported periodically.
- VULNERABILITY_COVERAGE_REPORT_EVENT: Historical coverage events reported periodically.
- VULNERABILITY_STATUS_CHANGE_EVENT: Vulnerability status changes reported on change. These include resolution and mute statuses.
- VULNERABILITY_ASSESSMENT_CHANGE_EVENT: Vulnerability assessment changes reported on change. These include the Davis Security Score and Davis assessments.
- VULNERABILITY_IMPACT_CHANGE_EVENT: Vulnerability environmental impact changes reported on change. These include changes in the counts of affected/related entities.
Security event levels
Vulnerability-related events can be reported on two different levels (event.level):
- VULNERABILITY: The vulnerability on the global level, including, for example, general information, global statuses, and changes. The unique identifier is vulnerability.id or vulnerability.display_id.
- ENTITY: The vulnerable entity with vulnerability-related information scoped to the entity. The unique identifier is a tuple of (affected_entity.id, vulnerability.id).
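As an added illustration (not part of the Dynatrace documentation), the following Python models how a consumer has to read these events: state reports are periodic snapshots, so the current state is the newest report per identifier, keyed by vulnerability.id at the VULNERABILITY level and by the (affected_entity.id, vulnerability.id) tuple at the ENTITY level. The field name vulnerability.resolution.status, the timestamp field, and all sample rows are assumptions constructed for the example.

```python
# Constructed sample rows using this page's field names. The status field name
# (vulnerability.resolution.status) and the timestamp field are assumptions;
# timestamps are ISO-8601 UTC strings, so string order equals time order.
def _ev(group, etype, level, ts, vuln, entity=None, status=None):
    return {"event.kind": "SECURITY_EVENT", "event.group_label": group, "event.type": etype,
            "event.level": level, "timestamp": ts, "vulnerability.id": vuln,
            "affected_entity.id": entity, "vulnerability.resolution.status": status}

STATE, CHANGE, VSR = "STATE_REPORT", "CHANGE_EVENT", "VULNERABILITY_STATE_REPORT_EVENT"
SAMPLE_EVENTS = [
    # V-1 stays OPEN: one VULNERABILITY-level snapshot every 15 minutes
    _ev(STATE, VSR, "VULNERABILITY", "2024-01-01T10:00:00Z", "V-1", status="OPEN"),
    _ev(STATE, VSR, "VULNERABILITY", "2024-01-01T10:15:00Z", "V-1", status="OPEN"),
    _ev(STATE, VSR, "VULNERABILITY", "2024-01-01T10:30:00Z", "V-1", status="OPEN"),
    # V-2 is OPEN at 10:00, then a status change event and a single RESOLVED report
    _ev(STATE, VSR, "VULNERABILITY", "2024-01-01T10:00:00Z", "V-2", status="OPEN"),
    _ev(CHANGE, "VULNERABILITY_STATUS_CHANGE_EVENT", "VULNERABILITY", "2024-01-01T10:20:00Z", "V-2"),
    _ev(STATE, VSR, "VULNERABILITY", "2024-01-01T10:20:00Z", "V-2", status="RESOLVED"),
    # ENTITY-level reports for V-1: the key is (affected_entity.id, vulnerability.id)
    _ev(STATE, VSR, "ENTITY", "2024-01-01T10:15:00Z", "V-1", entity="host-1", status="OPEN"),
    _ev(STATE, VSR, "ENTITY", "2024-01-01T10:30:00Z", "V-1", entity="host-1", status="OPEN"),
    _ev(STATE, VSR, "ENTITY", "2024-01-01T10:30:00Z", "V-1", entity="host-2", status="OPEN"),
    {"event.kind": "OTHER", "timestamp": "2024-01-01T10:30:00Z"},  # non-security row: ignored
]

def _key(ev):
    # Unique identifier per event.level, as the page defines it
    if ev["event.level"] == "ENTITY":
        return (ev["affected_entity.id"], ev["vulnerability.id"])
    return ev["vulnerability.id"]

def latest_state(events, level):
    """Newest STATE_REPORT per key at one level. OPEN snapshots recur every
    15 minutes, so counting raw rows would overcount open vulnerabilities."""
    latest = {}
    for ev in events:
        if ev.get("event.kind") != "SECURITY_EVENT" or ev["event.group_label"] != STATE:
            continue  # change events and other event kinds are not state
        if ev["event.level"] == level:
            k = _key(ev)
            if k not in latest or ev["timestamp"] > latest[k]["timestamp"]:
                latest[k] = ev
    return latest

def open_vulnerabilities(events):
    """Vulnerability IDs whose latest global state report is still OPEN."""
    return sorted(k for k, ev in latest_state(events, "VULNERABILITY").items()
                  if ev["vulnerability.resolution.status"] == "OPEN")
```

With the sample rows, five VULNERABILITY-level state reports collapse to two current states, of which only V-1 is still open; the entity view yields one row per (host, vulnerability) pair.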
Limitations
- On the Third-party vulnerabilities list page, Open with… is currently unavailable if you
  - Filter by Tag in the filter bar
  - Filter for recommended fixes from Davis Security Advisor.
- For entity state events, the following attributes are currently missing: vulnerability.first_seen and vulnerability.resolution.change_date.
- When you run DQL queries for a specific entity, the vulnerable functions in use by all entities are reported, instead of those in use only by the specific entity.
- Using Open with… to explore security data from scratch doesn't include the aggregation to return the same amount of data as on the source Third-party vulnerabilities list page. To aggregate data, manually run the summarize DQL command.