Security events are a special type of data representing various events generated by Dynatrace.
In the events data store, security events are stored in a dedicated bucket (default_security_events) and come as an additional event kind (event.kind=="SECURITY_EVENT") for better access control, data separation, and data retention period control.
Entity state events are historical vulnerability states reported at the entity level. The current vulnerability state per entity is exported to Grail regularly.
Query entity state events.
fetch events| filter event.kind == "SECURITY_EVENT"| filter event.category == "VULNERABILITY_MANAGEMENT"| filter event.type == "VULNERABILITY_STATE_REPORT_EVENT"| filter event.level == "ENTITY"
This section contains general event information.
event.category
VULNERABILITY_MANAGEMENT
event.description
S-49 Remote Code Execution state event reported
event.group_label
STATE_REPORT
event.kind
permission
SECURITY_EVENT
event.level
Vulnerability
(shows the global aggregation across the entire environment and comprises all entities and management zones) and Entity
(shows the assessment based on the entity itself).ENTITY
event.name
Vulnerability historical state report event
event.provider
permission
OneAgent
; K8S
; Davis
; VMWare
; GCP
; AWS
; LIMA_USAGE_STREAM
event.provider_product
Runtime Vulnerability Analytics
; Snyk Container
event.status
OPEN
; RESOLVED
; MUTED
event.type
permission
VULNERABILITY_STATE_REPORT_EVENT
timestamp
1649822520123123123
This section contains information about the vulnerability at the entity level and its global vulnerability, with a focus on the affected entities.
entry_points.entry_point_jsons
[{ "entry_point.url.path": "/user/2/bio", "entry_point.payload": "UPDATE bio SET bio_text = '' WHERE 1 = 0; TRUNCATE TABLE bio; --' WHERE user_id = 2", "entry_point.user_controlled_inputs_json": [{ "user_controlled_input.type": "HTTP_PARAMETER_VALUE", "user_controlled_input.key": "username", "user_controlled_input.value": "' OR 100=100 -- 0'", "user_controlled_input.payload.start": "56", "user_controlled_input.payload.end": "73", "user_controlled_input.is_malicious": true}]}]
vulnerability.code_location.name
org.dynatrace.profileservice.BioController.markdownToHtml(String):80
vulnerability.cvss.base_score
8.1
vulnerability.cvss.vector
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:L/A:H/E:P/RL:T/RC:U/CR:L/IR:M/AR:H
vulnerability.cvss.version
3.1
vulnerability.davis_assessment.assessment_mode
FULL
; NOT_AVAILABLE
; REDUCED
vulnerability.davis_assessment.assessment_mode_reasons
[LIMITED_BY_CONFIGURATION, LIMITED_AGENT_SUPPORT]
vulnerability.davis_assessment.data_assets_status
NOT_AVAILABLE
; NOT_DETECTED
; REACHABLE
vulnerability.davis_assessment.exploit_status
AVAILABLE
; NOT_AVAILABLE
vulnerability.davis_assessment.exposure_status
NOT_AVAILABLE
; NOT_DETECTED
; PUBLIC_NETWORK
; ADJACENT_NETWORK
vulnerability.davis_assessment.level
LOW
; MEDIUM
; HIGH
; CRITICAL
; NONE
vulnerability.davis_assessment.score
8.1
vulnerability.davis_assessment.vulnerable_function_status
IN_USE
; NOT_AVAILABLE
; NOT_IN_USE
vulnerability.description
More detailed description about improper input validation vulnerability.
vulnerability.display_id
S-1234
vulnerability.external_id
SNYK-JAVA-ORGAPACHEHTTPCOMPONENTS-30646
vulnerability.external_url
https://example.com
vulnerability.id
2039861408676243188
vulnerability.is_fix_available
vulnerability.mute.change_date
2023-03-22T13:19:36.945Z
vulnerability.mute.comment
Muted because it's a false positive.
vulnerability.mute.reason
FALSE_POSITIVE
; IGNORE
; AFFECTED
; CONFIGURATION_NOT_AFFECTED
; OTHER
vulnerability.mute.status
MUTED
; NOT_MUTED
vulnerability.mute.user
user@example.com
vulnerability.parent.davis_assessment.assessment_mode
FULL
; NOT_AVAILABLE
; REDUCED
vulnerability.parent.davis_assessment.data_assets_status
NOT_AVAILABLE
; NOT_DETECTED
; REACHABLE
vulnerability.parent.davis_assessment.exposure_status
NOT_AVAILABLE
; NOT_DETECTED
; PUBLIC_NETWORK
; ADJACENT_NETWORK
vulnerability.parent.davis_assessment.level
LOW
; MEDIUM
; HIGH
; CRITICAL
; NONE
vulnerability.parent.davis_assessment.score
8.1
vulnerability.parent.davis_assessment.vulnerable_function_status
IN_USE
when there's at least one vulnerable function in use by an application.IN_USE
; NOT_AVAILABLE
; NOT_IN_USE
vulnerability.parent.first_seen
2023-03-22T13:19:36.945Z
vulnerability.parent.mute.change_date
2023-03-22T13:19:36.945Z
vulnerability.parent.mute.reason
FALSE_POSITIVE
; IGNORE
; AFFECTED
; CONFIGURATION_NOT_AFFECTED
; OTHER
vulnerability.parent.mute.status
MUTED
; NOT_MUTED
vulnerability.parent.mute.user
user@example.com
vulnerability.parent.resolution.change_date
2023-03-22T13:19:37.466Z
vulnerability.parent.resolution.status
OPEN
; RESOLVED
vulnerability.parent.risk.level
LOW
; MEDIUM
; HIGH
; CRITICAL
; NONE
vulnerability.parent.risk.score
8.1
vulnerability.references.cve
[CVE-2021-41079]
vulnerability.references.cwe
[CWE-20]
vulnerability.references.owasp
[2021:A3]
vulnerability.remediation.description
Upgrade component to version 1.2.3 or higher
vulnerability.resolution.change_date
2023-03-22T13:19:37.466Z
vulnerability.resolution.status
OPEN
; RESOLVED
vulnerability.risk.level
LOW
; MEDIUM
; HIGH
; CRITICAL
; NONE
vulnerability.risk.scale
Davis Security Score
vulnerability.risk.score
8.1
vulnerability.stack
CODE
; CODE_LIBRARY
; SOFTWARE
; CONTAINER_ORCHESTRATION
vulnerability.technology
JAVA
; DOTNET
; GO
; PHP
; NODE_JS
vulnerability.title
Improper Input Validation
vulnerability.tracking_link.text
P-1000 Vulnerability CVE-2024-0001
vulnerability.tracking_link.url
https://example.com/Project1/P-1000
vulnerability.type
Improper Input Validation
vulnerability.url
https://example.com
This section contains information about the vulnerability's affected and related entities.
affected_entity.affected_processes.ids
PROCESS_GROUP_INSTANCE-1
affected_entity.affected_processes.names
prod_process_group_instance_1
affected_entity.id
PROCESS_GROUP-1
; HOST-1
affected_entity.management_zones.ids
mzid1
affected_entity.management_zones.names
mz1
affected_entity.name
prod_process_group_1
; prod_host
affected_entity.reachable_data_assets.count
1
affected_entity.reachable_data_assets.ids
DATABASE-1
affected_entity.reachable_data_assets.names
prod_database_1
affected_entity.type
PROCESS_GROUP
; HOST
; KUBERNETES_NODE
affected_entity.vulnerable_component.id
SOFTWARE_COMPONENT-D8FCFFB4FDF7A3FF
affected_entity.vulnerable_component.name
log4j-core-2.6.2.jar
affected_entity.vulnerable_component.package_name
k8s.io/kubernetes
; github.com/kubernetes/kubernetes/pkg/kubelet/kuberuntime
affected_entity.vulnerable_component.short_name
log4j
affected_entity.vulnerable_functions
org.springframework.beans.CachedIntrospectionResults:init
; java.lang.ProcessBuilder.<init>(String[])
; (*DB).queryDC() (/usr/local/go/src/database/sql/sql.go)
affected_entity.vulnerable_functions_not_available
org.springframework.beans.CachedIntrospectionResults:init
; java.lang.ProcessBuilder.<init>(String[])
; (*DB).queryDC() (/usr/local/go/src/database/sql/sql.go)
affected_entity.vulnerable_functions_not_in_use
org.springframework.beans.CachedIntrospectionResults:init
; java.lang.ProcessBuilder.<init>(String[])
; (*DB).queryDC() (/usr/local/go/src/database/sql/sql.go)
related_entities.applications.count
1
related_entities.applications.ids
APPLICATION-1
related_entities.applications.names
prod_application_1
related_entities.databases.count
1
related_entities.databases.ids
DATABASE-1
related_entities.databases.names
prod_database_1
related_entities.hosts.count
1
related_entities.hosts.ids
HOST-1
related_entities.hosts.names
prod_host_1
related_entities.kubernetes_clusters.count
1
related_entities.kubernetes_clusters.ids
KUBERNETES_CLUSTER-1
related_entities.kubernetes_clusters.names
prod_kubernetes_cluster_1
related_entities.kubernetes_workloads.count
1
related_entities.kubernetes_workloads.ids
KUBERNETES_WORKLOAD-1
related_entities.kubernetes_workloads.names
prod_kubernetes_workload_1
related_entities.services.count
1
related_entities.services.ids
SERVICE-1
related_entities.services.names
prod_service_1
Vulnerability change events are change events at the vulnerability level. An event is generated whenever a vulnerability undergoes a status or assessment change.
Query vulnerability status change events.
fetch events| filter event.kind == "SECURITY_EVENT"| filter event.category == "VULNERABILITY_MANAGEMENT"| filter event.type == "VULNERABILITY_STATUS_CHANGE_EVENT"
Query vulnerability assessment change events.
fetch events| filter event.kind == "SECURITY_EVENT"| filter event.category == "VULNERABILITY_MANAGEMENT"| filter event.type == "VULNERABILITY_ASSESSMENT_CHANGE_EVENT"
This section contains general event information.
event.category
severity level
).VULNERABILITY_MANAGEMENT
event.change_list
previous
field.vulnerability.risk.score
; affected_entities.count
; related_entities.databases.count
event.description
S-49 Remote Code Execution status has changed to OPEN.
; S-49 Remote Code Execution assessment has changed.
event.group_label
CHANGE_EVENT
event.kind
permission
SECURITY_EVENT
event.level
Vulnerability
(shows the global aggregation across the entire environment and comprises all entities and management zones) and Entity
(shows the assessment based on the entity itself).VULNERABILITY
event.name
Vulnerability status change event
; Vulnerability assessment change event
event.provider
permission
Dynatrace
event.provider_product
Runtime Vulnerability Analytics
; Snyk Container
event.status
OPEN
; RESOLVED
; MUTED
event.status_transition
NEW_OPEN
; REOPEN
; CLOSE
; MUTE
; UNMUTE
event.trigger.type
DT_PLATFORM
; USER_ACTION
event.trigger.user
SYSTEM
.SYSTEM
; <user_id>
event.type
permission
VULNERABILITY_STATUS_CHANGE_EVENT
; VULNERABILITY_ASSESSMENT_CHANGE_EVENT
timestamp
1649822520123123123
This section contains information about the vulnerability and its status and assessment changes.
vulnerability.cvss.base_score
8.1
vulnerability.cvss.vector
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:L/A:H/E:P/RL:T/RC:U/CR:L/IR:M/AR:H
vulnerability.cvss.version
3.1
vulnerability.davis_assessment.assessment_mode
FULL
; NOT_AVAILABLE
; REDUCED
vulnerability.davis_assessment.assessment_mode_reasons
[LIMITED_BY_CONFIGURATION, LIMITED_AGENT_SUPPORT]
vulnerability.davis_assessment.data_assets_status
NOT_AVAILABLE
; NOT_DETECTED
; REACHABLE
vulnerability.davis_assessment.exploit_status
AVAILABLE
; NOT_AVAILABLE
vulnerability.davis_assessment.exposure_status
NOT_AVAILABLE
; NOT_DETECTED
; PUBLIC_NETWORK
; ADJACENT_NETWORK
vulnerability.davis_assessment.level
LOW
; MEDIUM
; HIGH
; CRITICAL
; NONE
vulnerability.davis_assessment.score
8.1
vulnerability.davis_assessment.vulnerable_function_status
IN_USE
; NOT_AVAILABLE
; NOT_IN_USE
vulnerability.description
More detailed description about improper input validation vulnerability.
vulnerability.display_id
S-1234
vulnerability.external_id
SNYK-JAVA-ORGAPACHEHTTPCOMPONENTS-30646
vulnerability.external_url
https://example.com
vulnerability.first_seen
2023-03-22T13:19:36.945Z
vulnerability.id
2039861408676243188
vulnerability.is_fix_available
vulnerability.mute.change_date
2023-03-22T13:19:36.945Z
vulnerability.mute.reason
FALSE_POSITIVE
; IGNORE
; AFFECTED
; CONFIGURATION_NOT_AFFECTED
; OTHER
vulnerability.mute.status
MUTED
; NOT_MUTED
vulnerability.mute.user
user@example.com
vulnerability.previous.cvss.base_score
8.1
vulnerability.previous.davis_assessment.data_assets_status
NOT_AVAILABLE
; NOT_DETECTED
; REACHABLE
vulnerability.previous.davis_assessment.exploit_status
AVAILABLE
; NOT_AVAILABLE
vulnerability.previous.davis_assessment.exposure_status
NOT_AVAILABLE
; NOT_DETECTED
; PUBLIC_NETWORK
; ADJACENT_NETWORK
vulnerability.previous.davis_assessment.level
LOW
; MEDIUM
; HIGH
; CRITICAL
; NONE
vulnerability.previous.davis_assessment.score
8.1
vulnerability.previous.davis_assessment.vulnerable_function_status
IN_USE
; NOT_AVAILABLE
; NOT_IN_USE
vulnerability.previous.mute.change_date
2023-03-22T13:19:36.945Z
vulnerability.previous.mute.reason
Muted: False positive
vulnerability.previous.mute.status
MUTED
; NOT_MUTED
vulnerability.previous.mute.user
user@example.com
vulnerability.previous.resolution.status
OPEN
; RESOLVED
vulnerability.previous.risk.level
LOW
; MEDIUM
; HIGH
; CRITICAL
vulnerability.previous.risk.score
8.1
vulnerability.references.cve
[CVE-2021-41079]
vulnerability.references.cwe
[CWE-20]
vulnerability.references.owasp
[2021:A3]
vulnerability.remediation.description
Upgrade component to version 1.2.3 or higher
vulnerability.resolution.change_date
2023-03-22T13:19:37.466Z
vulnerability.resolution.status
OPEN
; RESOLVED
vulnerability.risk.level
LOW
; MEDIUM
; HIGH
; CRITICAL
; NONE
vulnerability.risk.scale
Davis Security Score
vulnerability.risk.score
8.1
vulnerability.stack
CODE
; CODE_LIBRARY
; SOFTWARE
; CONTAINER_ORCHESTRATION
vulnerability.technology
JAVA
; DOTNET
; GO
; PHP
; NODE_JS
vulnerability.title
Improper Input Validation
vulnerability.type
Improper Input Validation
vulnerability.url
https://example.com
This section contains information on changes regarding vulnerability's affected entities.
affected_entities.count
1
affected_entities.hosts.count
2
affected_entities.kubernetes_nodes.count
2
affected_entities.previous.count
1
affected_entities.previous.hosts.count
5
affected_entities.previous.kubernetes_nodes.count
5
affected_entities.previous.process_groups.count
2
affected_entities.process_groups.count
2
affected_entities.types
PROCESS_GROUP
; HOST
; KUBERNETES_NODE
This section contains information on changes regarding vulnerability's related entities.
related_entities.applications.count
1
related_entities.databases.count
1
related_entities.hosts.count
1
related_entities.kubernetes_clusters.count
1
related_entities.kubernetes_workloads.count
1
related_entities.previous.databases.count
1
related_entities.services.count
1
Vulnerability state events are historical states at the vulnerability level. The current vulnerability state is exported to Grail regularly.
Query vulnerability state events.
fetch events| filter event.kind == "SECURITY_EVENT"| filter event.category == "VULNERABILITY_MANAGEMENT"| filter event.type == "VULNERABILITY_STATE_REPORT_EVENT"| filter event.level == "VULNERABILITY"
This section contains general event information.
event.category
VULNERABILITY_MANAGEMENT
event.description
S-49 Remote Code Execution state event reported
event.group_label
STATE_REPORT
event.kind
permission
SECURITY_EVENT
event.level
Vulnerability
(shows the global aggregation across the entire environment and comprises all entities and management zones) and Entity
(shows the assessment based on the entity itself).VULNERABILITY
event.name
Vulnerability historical state report event
event.provider
permission
Dynatrace
; Snyk
event.provider_product
Runtime Vulnerability Analytics
; Snyk Container
event.status
OPEN
; RESOLVED
; MUTED
event.type
permission
VULNERABILITY_STATE_REPORT_EVENT
timestamp
1649822520123123123
This section contains information about the vulnerability.
vulnerability.code_location.name
org.dynatrace.profileservice.BioController.markdownToHtml(String):80
vulnerability.cvss.base_score
8.1
vulnerability.cvss.vector
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:L/A:H/E:P/RL:T/RC:U/CR:L/IR:M/AR:H
vulnerability.cvss.version
3.1
vulnerability.davis_assessment.assessment_mode
FULL
; NOT_AVAILABLE
; REDUCED
vulnerability.davis_assessment.assessment_mode_reasons
[LIMITED_BY_CONFIGURATION, LIMITED_AGENT_SUPPORT]
vulnerability.davis_assessment.data_assets_status
NOT_AVAILABLE
; NOT_DETECTED
; REACHABLE
vulnerability.davis_assessment.exploit_status
AVAILABLE
; NOT_AVAILABLE
vulnerability.davis_assessment.exposure_status
NOT_AVAILABLE
; NOT_DETECTED
; PUBLIC_NETWORK
; ADJACENT_NETWORK
vulnerability.davis_assessment.level
LOW
; MEDIUM
; HIGH
; CRITICAL
; NONE
vulnerability.davis_assessment.score
8.1
vulnerability.davis_assessment.vulnerable_function_status
IN_USE
; NOT_AVAILABLE
; NOT_IN_USE
vulnerability.description
More detailed description about improper input validation vulnerability.
vulnerability.display_id
S-1234
vulnerability.external_id
SNYK-JAVA-ORGAPACHEHTTPCOMPONENTS-30646
vulnerability.external_url
https://example.com
vulnerability.first_seen
2023-03-22T13:19:36.945Z
vulnerability.id
2039861408676243188
vulnerability.is_fix_available
vulnerability.mute.change_date
2023-03-22T13:19:36.945Z
vulnerability.mute.reason
FALSE_POSITIVE
; IGNORE
; AFFECTED
; CONFIGURATION_NOT_AFFECTED
; OTHER
vulnerability.mute.status
MUTED
; NOT_MUTED
vulnerability.mute.user
user@example.com
vulnerability.references.cve
[CVE-2021-41079]
vulnerability.references.cwe
[CWE-20]
vulnerability.references.owasp
[2021:A3]
vulnerability.remediation.description
Upgrade component to version 1.2.3 or higher
vulnerability.resolution.change_date
2023-03-22T13:19:37.466Z
vulnerability.resolution.status
OPEN
; RESOLVED
vulnerability.risk.level
LOW
; MEDIUM
; HIGH
; CRITICAL
; NONE
vulnerability.risk.scale
Davis Security Score
vulnerability.risk.score
8.1
vulnerability.stack
CODE
; CODE_LIBRARY
; SOFTWARE
; CONTAINER_ORCHESTRATION
vulnerability.technology
JAVA
; DOTNET
; GO
; PHP
; NODE_JS
vulnerability.title
Improper Input Validation
vulnerability.type
Improper Input Validation
vulnerability.url
https://example.com
This section contains information on the vulnerability's affected and related entities.
affected_entities.affected_processes.count
50
affected_entities.count
1
affected_entities.hosts.count
2
affected_entities.kubernetes_nodes.count
2
affected_entities.management_zones.ids
mzid1
affected_entities.management_zones.names
mz1
affected_entities.monitored_processes.count
100
affected_entities.process_groups.count
2
affected_entities.types
PROCESS_GROUP
; HOST
; KUBERNETES_NODE
affected_entities.vulnerable_components.ids
SOFTWARE_COMPONENT-0000000000000001
; SOFTWARE_COMPONENT-0000000000000002
; SOFTWARE_COMPONENT-0000000000000003
affected_entities.vulnerable_components.names
com.fasterxml.jackson.core:jackson-databind:2.10.0
; node-sass:4.14.1
affected_entities.vulnerable_functions
org.springframework.beans.CachedIntrospectionResults:init
; java.lang.ProcessBuilder.<init>(String[])
; (*DB).queryDC() (/usr/local/go/src/database/sql/sql.go)
related_entities.applications.count
1
related_entities.databases.count
1
related_entities.hosts.count
1
related_entities.kubernetes_clusters.count
1
related_entities.kubernetes_workloads.count
1
related_entities.services.count
1
Vulnerability-finding events contain generic sections and fields like metadata, affected entity data and vulnerability data. They can also include extensions (such as container image data for container vulnerability findings) at the end of the page.
This section contains meta information on the vulnerability-finding event.
event.category
VULNERABILITY_MANAGEMENT
event.description
Vulnerability CVE-2023-45871 of component linux:4.19.269-1 was detected in your container image unguard-frontend:latest@054e1d39
event.id
5547782627070661074_1647601320000
event.kind
permission
SECURITY_EVENT
event.name
Vulnerability finding event
event.original_content
{"severity_id": 3,"state_id": 1,"time": "2024-06-26T07:15:06.139000Z","state": "New","type_uid": 200101}
event.provider
permission
Amazon ECR
event.type
permission
VULNERABILITY_FINDING
event.version
1.304
timestamp
1649822520123123123
This section contains information about the vulnerability that caused the vulnerability-finding event (vulnerability ID, description, risk level, and so on).
dt.security.risk.level
LOW
; MEDIUM
; HIGH
; CRITICAL
; NONE
; NOT_AVAILABLE
dt.security.risk.score
8.1
vulnerability.description
More detailed description about improper input validation vulnerability.
vulnerability.id
CVE-2019-19814
vulnerability.title
CVE-2019-19814
; Improper input validation
This section contains container-image—specific data.
container_image.digest
sha256:054e1d39fb20a52f2c78caeb83574035462d3d2e627978d89a2834ce8cb69fe1
container_image.registry
1294385647.eu-central-1
container_image.repository
unguard-frontend
container_image.tags
[1.0.0]
; [1.0.0, 1.0.0-nightly, latest]