Security Investigator

Latest Dynatrace

What you'll learn

Define and execute queries while combining functionalities.
Search for relevant log information.
Grasp structured information from log records.
Extract fields and get instant feedback on patterns.
Track your path, navigate to previous steps, view your investigation history.
Define the time range for your data queries.
Attach relevant findings as evidence, while preserving the investigation context.
Collaborate with peers on threat hunting with controlled access.
Interact with compatible apps for further insights.

Target audience

While Dynatrace Security Investigator SI Logo is primarily designed for security investigations, it's highly effective in conducting any detailed, evidence-driven investigation, no matter the field or nature of the inquiry.

Key use cases include:

Incident response
Root cause analysis
Threat hunting
Fraud analysis and investigations
Data forensics

Our diverse audience includes everyone involved in evidence-driven investigations, from security analysts and SREs to DevOps engineers and internal auditors handling major fraud investigations on large-scale events.

To investigate ingested logs, you need to set up log ingestion.
Permissions: For a list of permissions required, go to Dynatrace Hub , select Security Investigator , and display Technical information.
Basic knowledge of
- Dynatrace Query Language (DQL)
- Dynatrace Pattern Language (DPL)

Security Investigator SI Logo is designed to streamline evidence-driven investigations on data in Grail by

Eliminating manual, repetitive tasks
Providing contextual enrichment without tool-switching
Offering fast, detailed access to your data
Enhancing user experience for quick issue identification

It features assisted functionalities and automations to expedite and support investigation resolution, leveraging logs, metrics, and traces ingested into Grail.

View your whole investigation flow as you go along with the ability to always jump back to the previous step of the investigation.

Detailed view of the record shows all record fields at once; you can drill down to the details of the field or move between records.

Use the data in results with the character precision: you can create new evidence of DQL filters by selecting a portion of the field.

Manipulate evidence and filter with multiple values at once: you can select the range of IPs and create a DQL filter based on the values.

1 of 4

To get started and create your first investigation scenario, open Security Investigator SI Logo and select Case.

Try Security Investigator SI Logo and share your feedback to help us improve.

Learning modules

01Execute queries

Learn how to execute DQL queries in Security Investigator.

02Manage results

Extract structured and actionable insights from your log records.

03Filter logs

Learn how to analyze results via filtering in Security Investigator.

04Extract fields with DPL Architect

Learn how to extract fields with DPL Architect from Security Investigator.

05Manage the query tree

Learn how to work with the query tree in Security Investigator.

06Define timeframes

Learn how to define timeframes in Security Investigator.

07Manage evidence

Learn how to manage evidence in Security Investigator.

08Manage cases

Ways to manage cases with Security Investigator.

09Manage templates

Manage templates with Security Investigator.

10Collaborate with other apps

Learn how to collaborate with other apps from Security Investigator.

Security Investigator app concepts

Understand essential concepts and key terms for the Security Investigator app.

A case is an investigation scenario that you can create to start investigating security incidents and perform threat hunting.

Once you create a case (in Security Investigator SI Logo , select Case), you can build, rename, or delete it; switch between cases (all your changes are automatically saved); share it with others.

You can create an unlimited number of investigation scenarios.

Example scenario: Threat hunting and forensics

You can create a maximum of 100 nodes per case.

The maximum size of a case is 1 GB.

You can check the number of nodes and size of a case on the Security Investigator home page. Each case card contains information about the case size and number of queries.

The query tree is a visual representation of your investigation history, designed to help you efficiently manage your query activities.

You can quickly

Navigate through your query history
Revisit executed query results
Enhance and run queries
Keep track of your investigation steps

query tree

How it works

A query tree is composed of:

Root node: The initial node created in the query tree when you execute your first DQL query.
Query node: Each time you modify and execute a DQL query, a new query node is added to the tree. A string of query nodes forms a query branch.
Query branch: A visual representation of your investigation path. It's made up of a string of query nodes. If you navigate to a previous query and then modify and execute it, a new query branch with a new query node is created from the respective query.

Despite any modification in the query tree, the following elements are always preserved:

The integrity of the previously existing queries and results
The relations among queries
The context of the investigation

If you modify your query to a point where no further analysis is possible, you can navigate back in the tree to your last working query and continue your investigation from there. This creates a new branch in the query tree.

For details about how to use the query tree, see Manage the query tree.

Evidence lists are relevant fragments from logs and IP addresses saved for later use.

evidence lists

Once you add evidence to the evidence lists, you can build filters for your query.

For details about how to manage evidence, see Manage evidence.

Threat hunting and forensics

Search for indicators of compromise (IoC) and perform forensic investigations and threat hunting activities.

Threat hunting and forensics

Resolve incidents faster with templates

Speed up your log-related investigations with Security Investigator templates.

Resolve incidents faster with Security Investigator templates

Analyze AWS CloudTrail logs

Analyze CloudTrail logs and find potential security issues with Dynatrace Security Investigator.

Analyze AWS CloudTrail logs with Security Investigator

Analyze Amazon API Gateway access logs

Monitor and identify errors in your Amazon API Gateway access logs with Dynatrace Security Investigator.

Analyze Amazon API Gateway access logs with Security Investigator

Detect threats against your AWS Secrets

Monitor and identify potential threats against your AWS Secrets with Dynatrace Security Investigator.

Detect threats against your AWS Secrets with Security Investigator

Browse through some of the most relevant topics to get you started with Security Investigator.

Videos

Blogs

Dynatrace University tutorials

Dynatrace Community articles

Dynatrace Security Investigator sneak peek:

Dynatrace Security Investigator
Insights into DPL Architect:

Additional insights into DPL Architect
Elevate security with Dynatrace Davis Anomaly Detection:

Elevating Security with Dynatrace Davis Anomaly Detection