Dynatrace semantic dictionary
Latest Dynatrace
The Dynatrace semantic dictionary defines conventions for storing data in a normalized manner, regardless of the origin of the data. See below for a list of conventions defined for security events, which are a special type of data coming from either internal or external data sources. For more information, see Data structure.
Entity state events
Entity state events are the historical vulnerability states reported per entity level.
The current vulnerability state per entity is exported to Grail regularly.
1fetch events2| filter event.kind == "SECURITY_EVENT"3| filter event.category == "VULNERABILITY_MANAGEMENT"4| filter event.type == "VULNERABILITY_STATE_REPORT_EVENT"5| filter event.level == "ENTITY"
Entity state: Event data
This section contains general event information.
| Attribute | Type | Description | Examples | Requirement Level |
|---|---|---|---|---|
event.category | string | Categorization based on the product and data generating this event. | VULNERABILITY_MANAGEMENT | Recommended |
event.description | string | The human readable description text of an event. | S-49 Remote Code Execution state event reported | Recommended |
event.group_label | string | Group label of an event. | STATE_REPORT | Recommended |
event.kind | string | Gives high-level information about what kind of information the event contains, without being specific to the contents of the event. Helps to determine the record type of a raw event. Tags: permission | SECURITY_EVENT | Recommended |
event.level | string | Main reference point to which the event or data is related. Possible values are Vulnerability (shows the global aggregation across the entire environment and comprises all entities and management zones) and Entity (shows the assessment based on the entity itself). | ENTITY | Recommended |
event.name | string | The human readable display name of an event type. | Vulnerability historical state report event | Recommended |
event.provider | string | Source of the event, for example the name of the component or system that generated the event. Tags: permission | OneAgent; K8S; Davis; VMWare; GCP; AWS; LIMA_USAGE_STREAM | Recommended |
event.provider_product | string | Name of the product providing this event. | Runtime Vulnerability Analytics; Snyk Container | Recommended |
event.status | string | Status of an event as being either Active or Closed. | OPEN; RESOLVED; MUTED | Recommended |
event.type | string | The unique type identifier of a given event. Tags: permission | VULNERABILITY_STATE_REPORT_EVENT | Recommended |
timestamp | timestamp | The time (UNIX Epoch time in nanoseconds) when the event originated, typically when it was created by the source. If no original timestamp is available, it will be populated at ingest time. Required for all events. In case of a correlated event (e.g. ITIL events) this time could be different from the event.start time, as this time represents the actual timestamp when the "update" for the event was created. | 1649822520123123123 | Recommended |
Entity state: Vulnerability data
This section contains information about the vulnerability at the entity level and its global parent, with a focus on the affected entities.
| Attribute | Type | Description | Examples | Requirement Level | |
|---|---|---|---|---|---|
vulnerability.cvss.base_score | double | Vulnerability's CVSS base score provided by NVD. | 8.1 | Recommended | |
vulnerability.cvss.version | string | Vulnerability's CVSS score version. | 3.1 | Recommended | |
vulnerability.davis_assessment.assessment_mode | string | Availability of the information based on which the assessment of the vulnerability at the entity level has been done. | FULL; NOT_AVAILABLE; REDUCED | Recommended | |
vulnerability.davis_assessment.data_assets_status | string | Affected entity's reachability by a database. | NOT_AVAILABLE; NOT_DETECTED; REACHABLE | Recommended | |
vulnerability.davis_assessment.exploit_status | string | Public exploits status of the vulnerability at the entity level. | AVAILABLE; NOT_AVAILABLE | Recommended | |
vulnerability.davis_assessment.exposure_status | string | Internet exposure status of the vulnerability at the entity level. | NOT_AVAILABLE; NOT_DETECTED; PUBLIC_NETWORK | Recommended | |
vulnerability.davis_assessment.level | string | Risk level, based on Davis Security Score, of the vulnerability at the entity level. | LOW; MEDIUM; HIGH; CRITICAL | Recommended | |
vulnerability.davis_assessment.score | double | Davis Security Score (1-10) calculated by Dynatrace for the vulnerability at the entity level. | 8.1 | Recommended | |
vulnerability.davis_assessment.vulnerable_function_status | string | Usage status of the vulnerable functions causing the vulnerability at the entity level. | IN_USE; NOT_AVAILABLE; NOT_IN_USE | Recommended | |
vulnerability.description | string | Description of the vulnerability. | More detailed description about improper input validation vulnerability. | Recommended | |
vulnerability.display_id | string | Dynatrace user-readable identifier for the vulnerability. | S-1234 | Recommended | |
vulnerability.external_id | string | External provider's unique identifier for the vulnerability. | SNYK-JAVA-ORGAPACHEHTTPCOMPONENTS-30646 | Recommended | |
vulnerability.external_url | string | External provider's URL to the details page of the vulnerability. | https://example.com | Recommended | |
vulnerability.first_seen 1 | timestamp | Timestamp of when the vulnerability at the entity level was first detected. | 2023-03-22T13:19:36.945Z | Recommended | |
vulnerability.id | string | Dynatrace unique identifier for the vulnerability. | 2039861408676243188 | Recommended | |
vulnerability.mute.change_date | timestamp | Timestamp of the last muted or unmuted action of the vulnerability at the entity level. | 2023-03-22T13:19:36.945Z | Recommended | |
vulnerability.mute.reason | string | Reason for muting or unmuting the vulnerability at the entity level. | Muted: False positive | Recommended | |
vulnerability.mute.status | string | Mute status of the vulnerability at the entity level. | MUTED; NOT_MUTED | Recommended | |
vulnerability.mute.user | string | User who last changed the mute status of the vulnerability at the entity level. | user@example.com | Recommended | |
vulnerability.parent.davis_assessment.assessment_mode | string | Availability of the information based on which the vulnerability assessment has been done. | FULL; NOT_AVAILABLE; REDUCED | Recommended | |
vulnerability.parent.davis_assessment.data_assets_status | string | Vulnerability's reachability of related data assets by affected entities. | NOT_AVAILABLE; NOT_DETECTED; REACHABLE | Recommended | |
vulnerability.parent.davis_assessment.exposure_status | string | Vulnerability's internet exposure status. | NOT_AVAILABLE; NOT_DETECTED; PUBLIC_NETWORK | Recommended | |
vulnerability.parent.davis_assessment.level | string | Vulnerability's Davis Security Score level. | LOW; MEDIUM; HIGH; CRITICAL | Recommended | |
vulnerability.parent.davis_assessment.score | double | Vulnerability's Davis Security Score (1-10) calculated by Dynatrace. | 8.1 | Recommended | |
vulnerability.parent.davis_assessment.vulnerable_function_status | string | Usage status of vulnerable functions causing the vulnerability. Status is IN_USE when there's at least one vulnerable function in use by an application. | IN_USE; NOT_AVAILABLE; NOT_IN_USE | Recommended | |
vulnerability.parent.first_seen | string | Timestamp of when the vulnerability was first detected. | 2023-03-22T13:19:36.945Z | Recommended | |
vulnerability.parent.mute.change_date | timestamp | Timestamp of the last mute or unmute action of the vulnerability. | 2023-03-22T13:19:36.945Z | Recommended | |
vulnerability.parent.mute.reason | string | Reason for muting or unmuting the vulnerability. | Muted: False positive | Recommended | |
vulnerability.parent.mute.status | string | Vulnerability's mute status. | MUTED; NOT_MUTED | Recommended | |
vulnerability.parent.mute.user | string | User who last changed the vulnerability's mute status. | user@example.com | Recommended | |
vulnerability.parent.resolution.change_date | string | Timestamp of the vulnerability's last status change. | 2023-03-22T13:19:37.466Z | Recommended | |
vulnerability.parent.resolution.status | string | Current status of the vulnerability. | OPEN; RESOLVED | Recommended | |
vulnerability.parent.risk.level | string | Vulnerability's risk score level defined by the provider. For Dynatrace, the Davis Security Score level. | LOW; MEDIUM; HIGH; CRITICAL | Recommended | |
vulnerability.parent.risk.score | double | Vulnerability's risk score defined by the provider. For Dynatrace, Davis Security Score. | 8.1 | Recommended | |
vulnerability.references.cve | string[] | List of the vulnerability's CVE IDs. | [CVE-2021-41079] | Recommended | |
vulnerability.references.cwe | string[] | List of the vulnerability's CWE IDs. | [CWE-20] | Recommended | |
vulnerability.references.owasp | string[] | List of vulnerability's OWASP IDs. | [2021:A3] | Recommended | |
vulnerability.resolution.change_date 1 | timestamp | Timestamp of the last status change of the vulnerability at the entity level. | 2023-03-22T13:19:37.466Z | Recommended | |
vulnerability.resolution.status | string | Resolution status of the vulnerability at the entity level. | OPEN; RESOLVED | Recommended | |
vulnerability.risk.level | string | Vulnerability's risk score level defined by the provider. For Dynatrace, the Davis Security Score level. | LOW; MEDIUM; HIGH; CRITICAL | Recommended | |
vulnerability.risk.scale | string | Scale by which the risk score and risk score level defined by the provider for the vulnerability at the entity level are measured. | Dynatrace security score | Recommended | |
vulnerability.risk.score | double | Risk score defined by the provider for the vulnerability at the entity level. For Dynatrace, Davis Security Score. | 8.1 | Recommended | |
vulnerability.stack | string | Level of the vulnerable component in the technological stack. | CODE; CODE_LIBRARY; SOFTWARE; CONTAINER_ORCHESTRATION | Recommended | |
vulnerability.technology | string | Technology of the vulnerable component. | JAVA; DOT_NET; GO; PHP; NODE_JS; KUBERNETES | Recommended | |
vulnerability.title | string | Title of the vulnerability. | Improper Input Validation | Recommended | |
vulnerability.type | string | Classification of the vulnerability based on commonly accepted enums, such as CWE. | Improper Input Validation | Recommended | |
vulnerability.url | string | Dynatrace URL to the details page of the vulnerability. | https://example.com | Recommended | |
1 This attribute is currently unavailable. For details, see Limitations. |
Entity state: Environmental data
This section contains information about the vulnerability's affected and related entities.
Affected entities
| Attribute | Type | Description | Examples | Requirement Level |
|---|---|---|---|---|
affected_entity.affected_processes.ids | array | IDs of the processes that are currently affected by the vulnerability. | PROCESS_GROUP_INSTANCE-1 | Recommended |
affected_entity.affected_processes.names | array | Names of the processes that are currently affected by the vulnerability. | prod_process_group_instance_1 | Recommended |
affected_entity.id | string | ID of the affected entity. | PROCESS_GROUP-1; HOST-1 | Recommended |
affected_entity.management_zones.ids | array | IDs of the management zones to which the affected entity belongs. | mzid1 | Recommended |
affected_entity.management_zones.names | array | Names of the management zones to which the affected entity belongs. | mz1 | Recommended |
affected_entity.name | string | Name of the affected entity. | prod_process_group_1; prod_host | Recommended |
affected_entity.type | string | Type of affected entity. | PROCESS_GROUP; HOST | Recommended |
affected_entity.vulnerable_component.id | string | ID of the vulnerable component causing the vulnerability. | SOFTWARE_COMPONENT-D8FCFFB4FDF7A3FF | Recommended |
affected_entity.vulnerable_component.name | string | Name of the vulnerable component causing the vulnerability. | log4j-core-2.6.2.jar | Recommended |
affected_entity.vulnerable_component.short_name | string | Short name of the vulnerable component causing the vulnerability. | log4j | Recommended |
affected_entity.vulnerable_functions | array | List of vulnerable functions detected to contain the vulnerability within the library. | org.springframework.beans.CachedIntrospectionResults:init | Recommended |
Related entities
| Attribute | Type | Description | Examples | Requirement Level |
|---|---|---|---|---|
related_entities.applications.count | long | Number of related applications. | 1 | Recommended |
related_entities.applications.ids | array | IDs of the applications related to the vulnerability's affected entities. | APPLICATION-1 | Recommended |
related_entities.applications.names | array | Names of the applications related to the vulnerability's affected entities. | prod_application_1 | Recommended |
related_entities.databases.count | long | Number of related databases. | 1 | Recommended |
related_entities.databases.ids | array | IDs of the databases related to the vulnerability's affected entities. | DATABASE-1 | Recommended |
related_entities.databases.names | array | Names of the databases related to the vulnerability's affected entities. | prod_database_1 | Recommended |
related_entities.hosts.count | long | Number of related hosts. | 1 | Recommended |
related_entities.hosts.ids | array | IDs of the hosts related to the vulnerability's affected entities. | HOST-1 | Recommended |
related_entities.hosts.names | array | Names of the hosts related to the vulnerability's affected entities. | prod_host_1 | Recommended |
related_entities.kubernetes_clusters.count | long | Number of related Kubernetes clusters. | 1 | Recommended |
related_entities.kubernetes_clusters.ids | array | IDs of the Kubernetes clusters related to the vulnerability's affected entities. | KUBERNETES_CLUSTER-1 | Recommended |
related_entities.kubernetes_clusters.names | array | Names of the Kubernetes clusters related to the vulnerability's affected entities. | prod_kubernetes_cluster_1 | Recommended |
related_entities.kubernetes_workloads.count | long | Number of related Kubernetes workloads. | 1 | Recommended |
related_entities.kubernetes_workloads.ids | array | IDs of the Kubernetes workloads related to the vulnerability's affected entities. | KUBERNETES_WORKLOAD-1 | Recommended |
related_entities.kubernetes_workloads.names | array | Names of the Kubernetes workloads related to the vulnerability's affected entities. | prod_kubernetes_workload_1 | Recommended |
related_entities.services.count | long | Number of related services. | 1 | Recommended |
related_entities.services.ids | array | IDs of the services related to the vulnerability's affected entities. | SERVICE-1 | Recommended |
related_entities.services.names | array | Names of the services related to the vulnerability's affected entities. | prod_service_1 | Recommended |
Vulnerability state events
Vulnerability state events are historical states at the vulnerability level.
The current vulnerability state is exported to Grail regularly.
1fetch events2| filter event.kind == "SECURITY_EVENT"3| filter event.category == "VULNERABILITY_MANAGEMENT"4| filter event.type == "VULNERABILITY_STATE_REPORT_EVENT"5| filter event.level == "VULNERABILITY"
Vulnerability state: Event data
This section contains general event information.
| Attribute | Type | Description | Examples | Requirement Level |
|---|---|---|---|---|
event.category | string | Categorization based on the product and data generating this event. | VULNERABILITY_MANAGEMENT | Recommended |
event.description | string | The human readable description text of an event. | S-49 Remote Code Execution state event reported | Recommended |
event.group_label | string | Group label of an event. | STATE_REPORT | Recommended |
event.kind | string | Gives high-level information about what kind of information the event contains, without being specific to the contents of the event. Helps to determine the record type of a raw event. Tags: permission | SECURITY_EVENT | Recommended |
event.level | string | Main reference point to which the event or data is related. Possible values are Vulnerability (shows the global aggregation across the entire environment and comprises all entities and management zones) and Entity (shows the assessment based on the entity itself). | VULNERABILITY | Recommended |
event.name | string | The human readable display name of an event type. | Vulnerability historical state report event | Recommended |
event.provider | string | Source of the event, for example the name of the component or system that generated the event. Tags: permission | Dynatrace; Snyk | Recommended |
event.provider_product | string | Name of the product providing this event. | Runtime Vulnerability Analytics; Snyk Container | Recommended |
event.status | string | Status of an event as being either Active or Closed. | OPEN; RESOLVED; MUTED | Recommended |
event.type | string | The unique type identifier of a given event. Tags: permission | VULNERABILITY_STATE_REPORT_EVENT | Recommended |
timestamp | timestamp | The time (UNIX Epoch time in nanoseconds) when the event originated, typically when it was created by the source. If no original timestamp is available, it will be populated at ingest time. Required for all events. In case of a correlated event (e.g. ITIL events) this time could be different from the event.start time, as this time represents the actual timestamp when the "update" for the event was created. | 1649822520123123123 | Recommended |
Vulnerability state: Vulnerability data
This section contains information about the vulnerability.
| Attribute | Type | Description | Examples | Requirement Level | |
|---|---|---|---|---|---|
vulnerability.cvss.base_score | double | Vulnerability's CVSS base score provided by NVD. | 8.1 | Recommended | |
vulnerability.cvss.version | string | Vulnerability's CVSS score version. | 3.1 | Recommended | |
vulnerability.davis_assessment.assessment_mode | string | Availability of the information based on which the vulnerability assessment has been done. | FULL; NOT_AVAILABLE; REDUCED | Recommended | |
vulnerability.davis_assessment.data_assets_status | string | Vulnerability's reachability of related data assets by affected entities. | NOT_AVAILABLE; NOT_DETECTED; REACHABLE | Recommended | |
vulnerability.davis_assessment.exploit_status | string | Vulnerability's public exploits status. | AVAILABLE; NOT_AVAILABLE | Recommended | |
vulnerability.davis_assessment.exposure_status | string | Vulnerability's internet exposure status. | NOT_AVAILABLE; NOT_DETECTED; PUBLIC_NETWORK | Recommended | |
vulnerability.davis_assessment.level | string | Vulnerability's risk level based on Davis Security Score. | LOW; MEDIUM; HIGH; CRITICAL | Recommended | |
vulnerability.davis_assessment.score | double | Vulnerability's Davis Security Score (1-10) calculated by Dynatrace. | 8.1 | Recommended | |
vulnerability.davis_assessment.vulnerable_function_status | string | Usage status of the vulnerable functions causing the vulnerability. | IN_USE; NOT_AVAILABLE; NOT_IN_USE | Recommended | |
vulnerability.description | string | Description of the vulnerability. | More detailed description about improper input validation vulnerability. | Recommended | |
vulnerability.display_id | string | Dynatrace user-readable identifier for the vulnerability. | S-1234 | Recommended | |
vulnerability.external_id | string | External provider's unique identifier for the vulnerability. | SNYK-JAVA-ORGAPACHEHTTPCOMPONENTS-30646 | Recommended | |
vulnerability.external_url | string | External provider's URL to the details page of the vulnerability. | https://example.com | Recommended | |
vulnerability.first_seen | timestamp | Timestamp of when the vulnerability was first detected. | 2023-03-22T13:19:36.945Z | Recommended | |
vulnerability.id | string | Dynatrace unique identifier for the vulnerability. | 2039861408676243188 | Recommended | |
vulnerability.mute.change_date | timestamp | Timestamp of the vulnerability's last muted or unmuted action. | 2023-03-22T13:19:36.945Z | Recommended | |
vulnerability.mute.reason | string | Reason for muting or unmuting the vulnerability. | Muted: False positive | Recommended | |
vulnerability.mute.status | string | Vulnerability's mute status. | MUTED; NOT_MUTED | Recommended | |
vulnerability.mute.user | string | User who last changed the vulnerability's mute status. | user@example.com | Recommended | |
vulnerability.references.cve | string[] | List of the vulnerability's CVE IDs. | [CVE-2021-41079] | Recommended | |
vulnerability.references.cwe | string[] | List of the vulnerability's CWE IDs. | [CWE-20] | Recommended | |
vulnerability.references.owasp | string[] | List of vulnerability's OWASP IDs. | [2021:A3] | Recommended | |
vulnerability.resolution.change_date | timestamp | Timestamp of the vulnerability's last status change. | 2023-03-22T13:19:37.466Z | Recommended | |
vulnerability.resolution.status | string | Vulnerability's resolution status. | OPEN; RESOLVED | Recommended | |
vulnerability.risk.level | string | Vulnerability's risk score level defined by the provider. For Dynatrace, the Davis Security Score level. | LOW; MEDIUM; HIGH; CRITICAL | Recommended | |
vulnerability.risk.scale | string | Scale by which the vulnerability's risk score and risk score level defined by the provider are measured. | Dynatrace security score | Recommended | |
vulnerability.risk.score | double | Vulnerability's risk score defined by the provider. For Dynatrace, Davis Security Score. | 8.1 | Recommended | |
vulnerability.stack | string | Level of the vulnerable component in the technological stack. | CODE; CODE_LIBRARY; SOFTWARE; CONTAINER_ORCHESTRATION | Recommended | |
vulnerability.technology | string | Technology of the vulnerable component. | JAVA; DOT_NET; GO; PHP; NODE_JS; KUBERNETES | Recommended | |
vulnerability.title | string | Title of the vulnerability. | Improper Input Validation | Recommended | |
vulnerability.type | string | Classification of the vulnerability based on commonly accepted enums, such as CWE. | Improper Input Validation | Recommended | |
vulnerability.url | string | Dynatrace URL to the details page of the vulnerability. | https://example.com | Recommended |
Vulnerability state: Environmental data
This section contains information on the vulnerability's affected and related entities.
Affected entities
| Attribute | Type | Description | Examples | Requirement Level | |
|---|---|---|---|---|---|
affected_entities.affected_processes.count | long | Number of affected processes. | 50 | Recommended | |
affected_entities.count | long | Number of affected entities. | 1 | Recommended | |
affected_entities.hosts.count | long | Number of affected hosts. | 2 | Recommended | |
affected_entities.kubernetes_nodes.count | long | Number of affected nodes. | 2 | Recommended | |
affected_entities.management_zones.ids | array | IDs of the management zones to which the affected entities belong. | mzid1 | Recommended | |
affected_entities.management_zones.names | array | Names of the management zones to which the affected entities belong. | mz1 | Recommended | |
affected_entities.monitored_processes.count | long | Number of processes of the process group. | 100 | Recommended | |
affected_entities.process_groups.count | long | Number of affected process groups. | 2 | Recommended | |
affected_entities.types | array | Types of affected entities. | PROCESS_GROUP; HOST | Recommended | |
affected_entities.vulnerable_components.ids | array | Dynatrace IDs of the vulnerable components causing the vulnerability. | SOFTWARE_COMPONENT-0000000000000001; SOFTWARE_COMPONENT-0000000000000002; SOFTWARE_COMPONENT-0000000000000003 | Recommended | |
affected_entities.vulnerable_components.names | array | Names of the vulnerable components causing the vulnerability. | com.fasterxml.jackson.core:jackson-databind:2.10.0; node-sass:4.14.1 | Recommended | |
affected_entities.vulnerable_functions | array | Vulnerable functions detected to contain the vulnerability within the library. | org.example.class.ApiImplementation:initMethod | Recommended |
Related entities
| Attribute | Type | Description | Examples | Requirement Level |
|---|---|---|---|---|
related_entities.applications.count | long | Number of related applications. | 1 | Recommended |
related_entities.databases.count | long | Number of related databases. | 1 | Recommended |
related_entities.hosts.count | long | Number of related hosts. | 1 | Recommended |
related_entities.kubernetes_clusters.count | long | Number of related Kubernetes clusters. | 1 | Recommended |
related_entities.kubernetes_workloads.count | long | Number of related Kubernetes workloads. | 1 | Recommended |
related_entities.services.count | long | Number of related services. | 1 | Recommended |
Vulnerability change events
Vulnerability change events are change events at the vulnerability level.
An event is generated whenever a vulnerability undergoes a status or assessment change.
1fetch events2| filter event.kind == "SECURITY_EVENT"3| filter event.category == "VULNERABILITY_MANAGEMENT"4| filter event.type == "VULNERABILITY_STATUS_CHANGE_EVENT"56fetch events7| filter event.kind == "SECURITY_EVENT"8| filter event.category == "VULNERABILITY_MANAGEMENT"9| filter event.type == "VULNERABILITY_ASSESSMENT_CHANGE_EVENT"1011fetch events12| filter event.kind == "SECURITY_EVENT"13| filter event.category == "VULNERABILITY_MANAGEMENT"14| filter event.type == "VULNERABILITY_IMPACT_CHANGE_EVENT"
Vulnerability change: Event data
This section contains general event information.
| Attribute | Type | Description | Examples | Requirement Level |
|---|---|---|---|---|
event.category | string | Standard categorization based on the significance of an event according to the ITIL event management standard (previously known as severity level). | VULNERABILITY_MANAGEMENT | Recommended |
event.change_list | array | List of attributes updated as part of the change event. Values in the list match a previous field. | vulnerability.risk.score; affected_entities.count; related_entities.databases.count | Recommended |
event.description | string | The human readable description text of an event. | S-49 Remote Code Execution status has changed to OPEN.; S-49 Remote Code Execution assessment has changed.; S-49 Remote Code Execution environment impact has changed. | Recommended |
event.group_label | string | Group label of an event. | CHANGE_EVENT | Recommended |
event.kind | string | Gives high-level information about what kind of information the event contains, without being specific to the contents of the event. Helps to determine the record type of a raw event. Tags: permission | SECURITY_EVENT | Recommended |
event.level | string | Main reference point to which the event or data is related. Possible values are Vulnerability (shows the global aggregation across the entire environment and comprises all entities and management zones) and Entity (shows the assessment based on the entity itself). | VULNERABILITY | Recommended |
event.name | string | The human readable display name of an event type. | Vulnerability status change event; Vulnerability assessment change event; Vulnerability impact change event | Recommended |
event.provider | string | Source of the event, for example the name of the component or system that generated the event. Tags: permission | Dynatrace | Recommended |
event.provider_product | string | Name of the product providing this event. | Runtime Vulnerability Analytics; Snyk Container | Recommended |
event.status | string | Status of an event as being either Active or Closed. | OPEN; RESOLVED; MUTED | Recommended |
event.status_transition | string | An enum that shows the transition of the above event state. | NEW_OPEN; REOPEN; CLOSE; MUTE; UNMUTE | Recommended |
event.trigger.type | string | Type of event trigger (for example, whether it was generated by the system, ingested via API, or triggered by the user). | DT_PLATFORM; USER_ACTION | Recommended |
event.trigger.user | string | ID of the user who triggered the event. If generated by Dynatrace, the value is SYSTEM. | SYSTEM; <user_id> | Recommended |
event.type | string | The unique type identifier of a given event. Tags: permission | VULNERABILITY_STATUS_CHANGE_EVENT; VULNERABILITY_ASSESSMENT_CHANGE_EVENT; VULNERABILITY_IMPACT_CHANGE_EVENT | Recommended |
timestamp | timestamp | The time (UNIX Epoch time in nanoseconds) when the event originated, typically when it was created by the source. If no original timestamp is available, it will be populated at ingest time. Required for all events. In case of a correlated event (e.g. ITIL events) this time could be different from the event.start time, as this time represents the actual timestamp when the "update" for the event was created. | 1649822520123123123 | Recommended |
Vulnerability change: Vulnerability data
This section contains information about the vulnerability and its status and assessment changes.
| Attribute | Type | Description | Examples | Requirement Level | |
|---|---|---|---|---|---|
vulnerability.cvss.base_score | double | Vulnerability's CVSS base score provided by NVD. | 8.1 | Recommended | |
vulnerability.cvss.version | string | Vulnerability's CVSS score version. | 3.1 | Recommended | |
vulnerability.davis_assessment.assessment_mode | string | Availability of the information based on which the vulnerability assessment has been done. | FULL; NOT_AVAILABLE; REDUCED | Recommended | |
vulnerability.davis_assessment.data_assets_status | string | Vulnerability's reachability of related data assets by affected entities. | NOT_AVAILABLE; NOT_DETECTED; REACHABLE | Recommended | |
vulnerability.davis_assessment.exploit_status | string | Vulnerability's public exploits status. | AVAILABLE; NOT_AVAILABLE | Recommended | |
vulnerability.davis_assessment.exposure_status | string | Vulnerability's internet exposure status. | NOT_AVAILABLE; NOT_DETECTED; PUBLIC_NETWORK | Recommended | |
vulnerability.davis_assessment.level | string | Vulnerability's risk level based on Davis Security Score. | LOW; MEDIUM; HIGH; CRITICAL | Recommended | |
vulnerability.davis_assessment.score | double | Vulnerability's Davis Security Score (1-10) calculated by Dynatrace. | 8.1 | Recommended | |
vulnerability.davis_assessment.vulnerable_function_status | string | Usage status of the vulnerable functions causing the vulnerability. | IN_USE; NOT_AVAILABLE; NOT_IN_USE | Recommended | |
vulnerability.description | string | Description of the vulnerability. | More detailed description about improper input validation vulnerability. | Recommended | |
vulnerability.display_id | string | Dynatrace user-readable identifier for the vulnerability. | S-1234 | Recommended | |
vulnerability.external_id | string | External provider's unique identifier for the vulnerability. | SNYK-JAVA-ORGAPACHEHTTPCOMPONENTS-30646 | Recommended | |
vulnerability.external_url | string | External provider's URL to the details page of the vulnerability. | https://example.com | Recommended | |
vulnerability.first_seen | timestamp | Timestamp of when the vulnerability was first detected. | 2023-03-22T13:19:36.945Z | Recommended | |
vulnerability.id | string | Dynatrace unique identifier for the vulnerability. | 2039861408676243188 | Recommended | |
vulnerability.mute.change_date | timestamp | Timestamp of the vulnerability's last muted or unmuted action. | 2023-03-22T13:19:36.945Z | Recommended | |
vulnerability.mute.reason | string | Reason for muting or unmuting the vulnerability. | Muted: False positive | Recommended | |
vulnerability.mute.status | string | Vulnerability's mute status. | MUTED; NOT_MUTED | Recommended | |
vulnerability.mute.user | string | User who last changed the vulnerability's mute status. | user@example.com | Recommended | |
vulnerability.previous.cvss.base | double | Vulnerability's previous CVSS base score (in case the CVSS base score has changed). | 8.1 | Recommended | |
vulnerability.previous.davis_assessment.data_assets_status | string | Vulnerability's previous reachability of related data assets by affected entities (in case the reachability has changed). | NOT_AVAILABLE; NOT_DETECTED; REACHABLE | Recommended | |
vulnerability.previous.davis_assessment.exploit_status | string | Vulnerability's previous public exploit status (in case the public exploit status has changed). | AVAILABLE; NOT_AVAILABLE | Recommended | |
vulnerability.previous.davis_assessment.exposure_status | string | Vulnerability's previous internet exposure status (in case the internet exposure status has changed). | NOT_AVAILABLE; NOT_DETECTED; PUBLIC_NETWORK | Recommended | |
vulnerability.previous.davis_assessment.level | string | Vulnerability's previous risk level (in case the risk level has changed). | LOW; MEDIUM; HIGH; CRITICAL | Recommended | |
vulnerability.previous.davis_assessment.score | double | Vulnerability's previous Davis Security Score (in case Davis Security Score has changed). | 8.1 | Recommended | |
vulnerability.previous.davis_assessment.vulnerable_function_status | string | Vulnerability's previous vulnerable function status (in case the vulnerable function status has changed). | IN_USE; NOT_AVAILABLE; NOT_IN_USE | Recommended | |
vulnerability.previous.mute.change_date | string | Timestamp of the vulnerability's previous mute status (in case the mute status has changed). | 2023-03-22T13:19:36.945Z | Recommended | |
vulnerability.previous.mute.reason | string | Reason for last muting or unmuting the vulnerability (in case the reason for muting or unmuting the vulnerability has changed). | Muted: False positive | Recommended | |
vulnerability.previous.mute.status | string | Vulnerability's previous mute status (in case the mute status has changed). | MUTED; NOT_MUTED | Recommended | |
vulnerability.previous.mute.user | string | User who last changed the vulnerability's mute status (in case the mute status was last changed by a different user). | user@example.com | Recommended | |
vulnerability.previous.resolution.status | string | Vulnerability's previous resolution status (in case the resolution status has changed). | OPEN; RESOLVED | Recommended | |
vulnerability.previous.risk.level | string | Vulnerability's previous risk score level (in case the risk score level has changed). | LOW; MEDIUM; HIGH; CRITICAL | Recommended | |
vulnerability.previous.risk.score | double | Vulnerability's previous risk score (in case the risk score has changed). | 8.1 | Recommended | |
vulnerability.references.cve | string[] | List of the vulnerability's CVE IDs. | [CVE-2021-41079] | Recommended | |
vulnerability.references.cwe | string[] | List of the vulnerability's CWE IDs. | [CWE-20] | Recommended | |
vulnerability.references.owasp | string[] | List of vulnerability's OWASP IDs. | [2021:A3] | Recommended | |
vulnerability.resolution.change_date | timestamp | Timestamp of the vulnerability's last status change. | 2023-03-22T13:19:37.466Z | Recommended | |
vulnerability.resolution.status | string | Vulnerability's resolution status. | OPEN; RESOLVED | Recommended | |
vulnerability.risk.level | string | Vulnerability's risk score level defined by the provider. For Dynatrace, the Davis Security Score level. | LOW; MEDIUM; HIGH; CRITICAL | Recommended | |
vulnerability.risk.scale | string | Scale by which the vulnerability's risk score and risk score level defined by the provider are measured. | Dynatrace security score | Recommended | |
vulnerability.risk.score | double | Vulnerability's risk score defined by the provider. For Dynatrace, Davis Security Score. | 8.1 | Recommended | |
vulnerability.stack | string | Level of the vulnerable component in the technological stack. | CODE; CODE_LIBRARY; SOFTWARE; CONTAINER_ORCHESTRATION | Recommended | |
vulnerability.technology | string | Technology of the vulnerable component. | JAVA; DOT_NET; GO; PHP; NODE_JS; KUBERNETES | Recommended | |
vulnerability.title | string | Title of the vulnerability. | Improper Input Validation | Recommended | |
vulnerability.type | string | Classification of the vulnerability based on commonly accepted enums, such as CWE. | Improper Input Validation | Recommended | |
vulnerability.url | string | Dynatrace URL to the details page of the vulnerability. | https://example.com | Recommended |
Vulnerability change: Environmental data
This section contains information on changes regarding vulnerability's affected and related entities.
Affected entities
| Attribute | Type | Description | Examples | Requirement Level |
|---|---|---|---|---|
affected_entities.count | long | Number of affected entities. | 1 | Recommended |
affected_entities.hosts.count | long | Number of affected hosts. | 2 | Recommended |
affected_entities.kubernetes_nodes.count | long | Number of affected nodes. | 2 | Recommended |
affected_entities.previous.count | long | Number of affected entities before the last change event. | 1 | Recommended |
affected_entities.previous.hosts.count | long | Number of affected hosts before the last change event. | 5 | Recommended |
affected_entities.previous.kubernetes_nodes.count | long | Number of affected Kubernetes nodes before the last change event. | 5 | Recommended |
affected_entities.previous.process_groups.count | long | Number of affected process groups before the last change event. | 2 | Recommended |
affected_entities.process_groups.count | long | Number of affected process groups. | 2 | Recommended |
affected_entities.types | array | Types of affected entities. | PROCESS_GROUP; HOST | Recommended |
Related entities
| Attribute | Type | Description | Examples | Requirement Level |
|---|---|---|---|---|
related_entities.applications.count | long | Number of related applications. | 1 | Recommended |
related_entities.databases.count | long | Number of related databases. | 1 | Recommended |
related_entities.hosts.count | long | Number of related hosts. | 1 | Recommended |
related_entities.kubernetes_clusters.count | long | Number of related Kubernetes clusters. | 1 | Recommended |
related_entities.kubernetes_workloads.count | long | Number of related Kubernetes workloads. | 1 | Recommended |
related_entities.previous.databases.count | long | Number of related databases before the last change event. | 1 | Recommended |
related_entities.services.count | long | Number of related services. | 1 | Recommended |