Monitoring rules - Third-party Vulnerability Analytics

To include or exclude specific processes from being monitored by Application Security, you can set up fine-grained monitoring rules for Third-party Vulnerability Analytics, based on properties such as process group tag, host tag, and management zone.

If you define custom monitoring rules, the global third-party vulnerability detection control mode applies to all processes that are not matched by a rule.

Define custom monitoring rules

You can define custom monitoring rules through the Dynatrace web UI or the Settings API.

To add a new rule

Go to Settings > Application Security > Vulnerability Analytics > Monitoring rules: Third-party.
Select Add new rule to add a new rule.
Enter the requested information (mode, property, condition operator, and condition value).

The Process tag property applies to process groups, not processes.
Select Save changes.

You can edit, disable, enable, or remove rules at any time.

You can read or modify the rules using the Settings API.

To view a monitoring rule, use the GET an object request. Set the following parameters:

schemaIds=builtin:appsec.rule-settings
scopes=tenant

{
  "items": [
    {
      "objectId": "vu9U3hXa3q0AAAABABxidWlsdGluOmFwcHNlYy5ydWxlLXNldHRpbmdzAAZ0ZW5hbnQABnRlbmFudAAkYTc4NjY0NGItZmVjNC0zNzliLWI0MWItNThmYzgzOWZmYWY5vu9U3hXa3q0",
      "value": {
        "enabled": true,
        "mode": "MONITORING_OFF",
        "property": "PROCESS_TAG",
        "operator": "EQUALS",
        "value": "super secret process"
      }
    },
    {
      "objectId": "vu9U3hXa3q0AAAABABxidWlsdGluOmFwcHNlYy5ydWxlLXNldHRpbmdzAAZ0ZW5hbnQABnRlbmFudAAkNDhkZGYxNDMtYzc2Mi0zYzIwLWI1ODAtNTNhODEwOGZlMDBivu9U3hXa3q0",
      "value": {
        "enabled": true,
        "mode": "MONITORING_ON",
        "property": "HOST_TAG",
        "operator": "NOT_EQUALS",
        "value": "Test"
      }
    },
    {
      "objectId": "vu9U3hXa3q0AAAABABxidWlsdGluOmFwcHNlYy5ydWxlLXNldHRpbmdzAAZ0ZW5hbnQABnRlbmFudAAkNmY1NjZkNmItYWMyNy0zOTg2LWE1OGItNTU2ZTI1NTE5NTcyvu9U3hXa3q0",
      "value": {
        "enabled": false,
        "mode": "MONITORING_ON",
        "property": "MANAGEMENT_ZONE",
        "operator": "EQUALS",
        "value": "Monitorme"
      }
    }
  ],
  "totalCount": 3,
  "pageSize": 100
}

To modify a monitoring rule, use the POST an object request.

[
  {
      "value": {
        "enabled": true,
        "mode": "MONITORING_ON",
        "property": "HOST_TAG",
        "operator": "EQUALS",
        "value": "REST"
      },
    "scope": "tenant",
    "schemaId": "builtin:appsec.rule-settings"
  },
    {
      "value": {
        "enabled": true,
        "mode": "MONITORING_OFF",
        "property": "PROCESS_TAG",
        "operator": "NOT_EQUALS",
        "value": "Test-Process"
      },
    "scope": "tenant",
    "schemaId": "builtin:appsec.rule-settings"
  }
]

For Kubernetes environments, you need to add tags both on the host and on the Kubernetes node.

Monitoring rules evaluation

After you add, edit, or remove a rule, it can take up to 15 minutes for changes to take effect throughout the system. The configured monitoring rules are evaluated periodically (on internal worker runs) and on-demand (through calls to the REST API).

Regardless of the calling context, the rule evaluation stays the same: given a set of entities, the algorithm decides whether a specific entity should be monitored. The rules are processed in order until the first match. Note that each rule must be unique.
When you have a rule in place for a management zone or tag, and you add an entity to the same management zone or add the same tag to an entity, it can take up to 15 minutes until the change is reflected in your monitoring rule.

For example, if you have a Do not monitor if host tag equals 'testsystem' rule, and you add the tag testsystem to a host, it can take up to 15 minutes until the newly tagged host stops being monitored.
If a rule matches a specific entity, the configured mode (Monitor, Do not monitor) is used and subsequent rules are not evaluated for this particular entity.
If no rule matches a specific entity, the global third-party vulnerability detection control mode is used.

Frequently asked questions

Is process restart required after enabling or disabling a monitoring rule? No restart is required. For more information, see FAQ: Is restart required after enabling or disabling an Application Security feature or functionality?
What happens if I change the order of the rules?
- The first matching rule will apply.
What happens if a Do not monitor rule that applies gets added?
- New vulnerabilities for the processes that match the rule won't be created.
- Existing vulnerabilities that only relate to matching processes are resolved.
What happens if a Do not monitor rule is deleted or doesn't apply anymore?
- New vulnerabilities for the processes that match the rule will be created.
- Related resolved vulnerabilities are reopened.

Monitoring rules - Third-party Vulnerability Analytics

Define custom monitoring rules

Monitoring rules evaluation

Frequently asked questions

Related topics