Security events

Security events are a special type of data representing various events generated by Dynatrace.

In the events data store, security events are stored in a dedicated bucket (default_security_events) and come as an additional event kind (event.kind=="SECURITY_EVENT") for better access control, data separation, and data retention period control.

Entity State Events

Entity state events are historical vulnerability states reported at the entity level. The current vulnerability state per entity is exported to Grail regularly.

Query

Query entity state events.

fetch events
| filter event.kind == "SECURITY_EVENT"
| filter event.category == "VULNERABILITY_MANAGEMENT"
| filter event.type == "VULNERABILITY_STATE_REPORT_EVENT"
| filter event.level == "ENTITY"

Entity state: Event data

This section contains general event information.

Attribute
Type
Description
Examples
event.category
string
stable
Categorization based on the product and data generating this event.
VULNERABILITY_MANAGEMENT
event.description
string
stable
Human-readable description of an event.
S-49 Remote Code Execution state event reported
event.group_label
string
experimental
Group label of an event.
STATE_REPORT
event.kind
string
stable
Gives high-level information about what kind of information the event contains without being specific to the contents of the event. It helps to determine the record type of a raw event.
Tags: permission
SECURITY_EVENT
event.level
string
stable
Main reference point to which the event or data is related. Possible values are Vulnerability (shows the global aggregation across the entire environment and comprises all entities and management zones) and Entity (shows the assessment based on the entity itself).
ENTITY
event.name
string
stable
The human readable display name of an event type.
Vulnerability historical state report event
event.provider
string
stable
Source of the event, for example, the name of the component or system that generated the event.
Tags: permission
OneAgent; K8S; Davis; VMWare; GCP; AWS; LIMA_USAGE_STREAM
event.provider_product
string
stable
Name of the product providing this event.
Runtime Vulnerability Analytics; Snyk Container
event.status
string
stable
Status of an event as being either Active or Closed.
OPEN; RESOLVED; MUTED
event.type
string
stable
The unique type identifier of a given event.
Tags: permission
VULNERABILITY_STATE_REPORT_EVENT
timestamp
timestamp
stable
The time (UNIX Epoch time in nanoseconds) when the event originated, typically when it was created by the source.
1649822520123123123

Entity state: Vulnerability data

This section contains information about the vulnerability at the entity level and its global vulnerability, with a focus on the affected entities.

Attribute
Type
Description
Examples
entry_points.entry_point_jsons
string[]
experimental
JSON representation of entry points of a vulnerability.
[{ "entry_point.url.path": "/user/2/bio", "entry_point.payload": "UPDATE bio SET bio_text = '' WHERE 1 = 0; TRUNCATE TABLE bio; --' WHERE user_id = 2", "entry_point.user_controlled_inputs_json": [{ "user_controlled_input.type": "HTTP_PARAMETER_VALUE", "user_controlled_input.key": "username", "user_controlled_input.value": "' OR 100=100 -- 0'", "user_controlled_input.payload.start": "56", "user_controlled_input.payload.end": "73", "user_controlled_input.is_malicious": true}]}]
vulnerability.code_location.name
string
stable
Name of the code location where the code-level vulnerability was detected.
org.dynatrace.profileservice.BioController.markdownToHtml(String):80
vulnerability.cvss.base_score
double
stable
Vulnerability's CVSS base score provided by NVD.
8.1
vulnerability.cvss.vector
string
experimental
Vulnerability's CVSS vector defined by the provider.
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:L/A:H/E:P/RL:T/RC:U/CR:L/IR:M/AR:H
vulnerability.cvss.version
string
stable
Vulnerability's CVSS score version.
3.1
vulnerability.davis_assessment.assessment_mode
string
stable
Availability of the information based on which the assessment of the vulnerability at the entity level has been done.
FULL; NOT_AVAILABLE; REDUCED
vulnerability.davis_assessment.assessment_mode_reasons
string[]
experimental
Reasons for the assessment mode at the entity level.
[LIMITED_BY_CONFIGURATION, LIMITED_AGENT_SUPPORT]
vulnerability.davis_assessment.data_assets_status
string
stable
Affected entity's reachability by a database.
NOT_AVAILABLE; NOT_DETECTED; REACHABLE
vulnerability.davis_assessment.exploit_status
string
stable
Public exploits status of the vulnerability at the entity level.
AVAILABLE; NOT_AVAILABLE
vulnerability.davis_assessment.exposure_status
string
stable
Internet exposure status of the vulnerability at the entity level.
NOT_AVAILABLE; NOT_DETECTED; PUBLIC_NETWORK; ADJACENT_NETWORK
vulnerability.davis_assessment.level
string
stable
Risk level, based on Davis Security Score, of the vulnerability at the entity level.
LOW; MEDIUM; HIGH; CRITICAL; NONE
vulnerability.davis_assessment.score
double
stable
Davis Security Score (1-10) calculated by Dynatrace for the vulnerability at the entity level.
8.1
vulnerability.davis_assessment.vulnerable_function_status
string
stable
Usage status of the vulnerable functions causing the vulnerability at the entity level.
IN_USE; NOT_AVAILABLE; NOT_IN_USE
vulnerability.description
string
stable
Description of the vulnerability.
More detailed description about improper input validation vulnerability.
vulnerability.display_id
string
stable
Dynatrace user-readable identifier for the vulnerability.
S-1234
vulnerability.external_id
string
stable
External provider's unique identifier for the vulnerability.
SNYK-JAVA-ORGAPACHEHTTPCOMPONENTS-30646
vulnerability.external_url
string
stable
External provider's URL to the details page of the vulnerability.
https://example.com
vulnerability.id
string
stable
Dynatrace unique identifier for the vulnerability.
2039861408676243188
vulnerability.is_fix_available
boolean
experimental
Indicates if a vulnerability fix is available.
vulnerability.mute.change_date
timestamp
stable
Timestamp of the last muted or unmuted action of the vulnerability at the entity level.
2023-03-22T13:19:36.945Z
vulnerability.mute.comment
string
experimental
Comment for muting or unmuting the vulnerability at entity level.
Muted because it's a false positive.
vulnerability.mute.reason
string
stable
Reason for muting or unmuting the vulnerability at the entity level.
FALSE_POSITIVE; IGNORE; AFFECTED; CONFIGURATION_NOT_AFFECTED; OTHER
vulnerability.mute.status
string
stable
Mute status of the vulnerability at the entity level.
MUTED; NOT_MUTED
vulnerability.mute.user
string
stable
User who last changed the mute status of the vulnerability at the entity level.
user@example.com
vulnerability.parent.davis_assessment.assessment_mode
string
stable
Availability of the information based on which the vulnerability assessment has been done.
FULL; NOT_AVAILABLE; REDUCED
vulnerability.parent.davis_assessment.data_assets_status
string
stable
Vulnerability's reachability of related data assets by affected entities.
NOT_AVAILABLE; NOT_DETECTED; REACHABLE
vulnerability.parent.davis_assessment.exposure_status
string
stable
Vulnerability's internet exposure status.
NOT_AVAILABLE; NOT_DETECTED; PUBLIC_NETWORK; ADJACENT_NETWORK
vulnerability.parent.davis_assessment.level
string
stable
Vulnerability's Davis Security Score level.
LOW; MEDIUM; HIGH; CRITICAL; NONE
vulnerability.parent.davis_assessment.score
double
stable
Vulnerability's Davis Security Score (1-10) calculated by Dynatrace.
8.1
vulnerability.parent.davis_assessment.vulnerable_function_status
string
stable
Usage status of vulnerable functions causing the vulnerability. Status is IN_USE when there's at least one vulnerable function in use by an application.
IN_USE; NOT_AVAILABLE; NOT_IN_USE
vulnerability.parent.first_seen
string
stable
Timestamp of when the vulnerability was first detected.
2023-03-22T13:19:36.945Z
vulnerability.parent.mute.change_date
timestamp
stable
Timestamp of the last mute or unmute action of the vulnerability.
2023-03-22T13:19:36.945Z
vulnerability.parent.mute.reason
string
stable
Reason for muting or unmuting the vulnerability.
FALSE_POSITIVE; IGNORE; AFFECTED; CONFIGURATION_NOT_AFFECTED; OTHER
vulnerability.parent.mute.status
string
stable
Vulnerability's mute status.
MUTED; NOT_MUTED
vulnerability.parent.mute.user
string
stable
User who last changed the vulnerability's mute status.
user@example.com
vulnerability.parent.resolution.change_date
string
stable
Timestamp of the vulnerability's last resolution status change.
2023-03-22T13:19:37.466Z
vulnerability.parent.resolution.status
string
stable
Current status of the vulnerability.
OPEN; RESOLVED
vulnerability.parent.risk.level
string
stable
Vulnerability's risk score level defined by the provider. For Dynatrace, the Davis Security Score level.
LOW; MEDIUM; HIGH; CRITICAL; NONE
vulnerability.parent.risk.score
double
stable
Vulnerability's risk score defined by the provider. For Dynatrace, Davis Security Score.
8.1
vulnerability.references.cve
string[]
stable
List of the vulnerability's CVE IDs.
[CVE-2021-41079]
vulnerability.references.cwe
string[]
stable
List of the vulnerability's CWE IDs.
[CWE-20]
vulnerability.references.owasp
string[]
stable
List of vulnerability's OWASP IDs.
[2021:A3]
vulnerability.remediation.description
string
experimental
Description of the vulnerability's remediation advice.
Upgrade component to version 1.2.3 or higher
vulnerability.resolution.change_date
timestamp
stable
Timestamp of the last status change of the vulnerability at the entity level.
2023-03-22T13:19:37.466Z
vulnerability.resolution.status
string
stable
Resolution status of the vulnerability at the entity level.
OPEN; RESOLVED
vulnerability.risk.level
string
stable
Vulnerability's risk score level defined by the provider at the entity level. For Dynatrace, the Davis Security Score level.
LOW; MEDIUM; HIGH; CRITICAL; NONE
vulnerability.risk.scale
string
stable
Scale by which the risk score and risk score level defined by the provider for the vulnerability at the entity level are measured.
Davis Security Score
vulnerability.risk.score
double
stable
Risk score defined by the provider for the vulnerability at the entity level. For Dynatrace, Davis Security Score.
8.1
vulnerability.stack
string
experimental
Level of the vulnerable component in the technological stack.
CODE; CODE_LIBRARY; SOFTWARE; CONTAINER_ORCHESTRATION
vulnerability.technology
string
stable
Technology of the vulnerable component.
JAVA; DOTNET; GO; PHP; NODE_JS
vulnerability.title
string
stable
Title of the vulnerability.
Improper Input Validation
vulnerability.tracking_link.text
string
experimental
Display text of the tracking link that was set by the user.
P-1000 Vulnerability CVE-2024-0001
vulnerability.tracking_link.url
string
experimental
URL of the tracking link that was set by the user.
https://example.com/Project1/P-1000
vulnerability.type
string
stable
Classification of the vulnerability based on commonly accepted enums, such as CWE.
Improper Input Validation
vulnerability.url
string
stable
Dynatrace URL to the details page of the vulnerability. |
https://example.com

Entity state: Environmental data

This section contains information about the vulnerability's affected and related entities.

Affected entities

Attribute
Type
Description
Examples
affected_entity.affected_processes.ids
array
stable
IDs of the processes that are currently affected by the vulnerability.
PROCESS_GROUP_INSTANCE-1
affected_entity.affected_processes.names
array
stable
Names of the processes that are currently affected by the vulnerability.
prod_process_group_instance_1
affected_entity.id
string
stable
ID of the affected entity.
PROCESS_GROUP-1; HOST-1
affected_entity.management_zones.ids
array
stable
IDs of the management zones to which the affected entity belongs.
mzid1
affected_entity.management_zones.names
array
stable
Names of the management zones to which the affected entity belongs.
mz1
affected_entity.name
string
stable
Name of the affected entity.
prod_process_group_1; prod_host
affected_entity.reachable_data_assets.count
long
experimental
Number of reachable data assets.
1
affected_entity.reachable_data_assets.ids
array
experimental
IDs of the data assets that can be reached by the affected entities of the vulnerability.
DATABASE-1
affected_entity.reachable_data_assets.names
array
experimental
Names of the data assets that can be reached by the affected entities of the vulnerability.
prod_database_1
affected_entity.type
string
stable
Type of affected entity.
PROCESS_GROUP; HOST; KUBERNETES_NODE
affected_entity.vulnerable_component.id
string
stable
ID of the vulnerable component causing the vulnerability.
SOFTWARE_COMPONENT-D8FCFFB4FDF7A3FF
affected_entity.vulnerable_component.name
string
stable
Name of the vulnerable component causing the vulnerability.
log4j-core-2.6.2.jar
affected_entity.vulnerable_component.package_name
string
experimental
Package name of the vulnerable component causing the vulnerability.
k8s.io/kubernetes; github.com/kubernetes/kubernetes/pkg/kubelet/kuberuntime
affected_entity.vulnerable_component.short_name
string
stable
Short name of the vulnerable component causing the vulnerability.
log4j
affected_entity.vulnerable_functions
array
stable
Vulnerable functions detected, containing or causing the vulnerability.
org.springframework.beans.CachedIntrospectionResults:init; java.lang.ProcessBuilder.<init>(String[]); (*DB).queryDC() (/usr/local/go/src/database/sql/sql.go)
affected_entity.vulnerable_functions_not_available
array
experimental
Vulnerable functions detected which Dynatrace can't tell if they're in use due to limited insights.
org.springframework.beans.CachedIntrospectionResults:init; java.lang.ProcessBuilder.<init>(String[]); (*DB).queryDC() (/usr/local/go/src/database/sql/sql.go)
affected_entity.vulnerable_functions_not_in_use
array
experimental
Vulnerable functions detected which are not actively used.
org.springframework.beans.CachedIntrospectionResults:init; java.lang.ProcessBuilder.<init>(String[]); (*DB).queryDC() (/usr/local/go/src/database/sql/sql.go)

Related entities

Attribute
Type
Description
Examples
related_entities.applications.count
long
stable
Number of related applications.
1
related_entities.applications.ids
array
stable
IDs of the applications related to the vulnerability's affected entities.
APPLICATION-1
related_entities.applications.names
array
stable
Names of the applications related to the vulnerability's affected entities.
prod_application_1
related_entities.databases.count
long
stable
Number of related databases.
1
related_entities.databases.ids
array
stable
IDs of the databases related to the vulnerability's affected entities.
DATABASE-1
related_entities.databases.names
array
stable
Names of the databases related to the vulnerability's affected entities.
prod_database_1
related_entities.hosts.count
long
stable
Number of related hosts.
1
related_entities.hosts.ids
array
stable
IDs of the hosts related to the vulnerability's affected entities.
HOST-1
related_entities.hosts.names
array
stable
Names of the hosts related to the vulnerability's affected entities.
prod_host_1
related_entities.kubernetes_clusters.count
long
stable
Number of related Kubernetes clusters.
1
related_entities.kubernetes_clusters.ids
array
stable
IDs of the Kubernetes clusters related to the vulnerability's affected entities.
KUBERNETES_CLUSTER-1
related_entities.kubernetes_clusters.names
array
stable
Names of the Kubernetes clusters related to the vulnerability's affected entities.
prod_kubernetes_cluster_1
related_entities.kubernetes_workloads.count
long
stable
Number of related Kubernetes workloads.
1
related_entities.kubernetes_workloads.ids
array
stable
IDs of the Kubernetes workloads related to the vulnerability's affected entities.
KUBERNETES_WORKLOAD-1
related_entities.kubernetes_workloads.names
array
stable
Names of the Kubernetes workloads related to the vulnerability's affected entities.
prod_kubernetes_workload_1
related_entities.services.count
long
stable
Number of related services.
1
related_entities.services.ids
array
stable
IDs of the services related to the vulnerability's affected entities.
SERVICE-1
related_entities.services.names
array
stable
Names of the services related to the vulnerability's affected entities.
prod_service_1

Vulnerability Change Events

Vulnerability change events are change events at the vulnerability level. An event is generated whenever a vulnerability undergoes a status or assessment change.

Query

Query vulnerability status change events.

fetch events
| filter event.kind == "SECURITY_EVENT"
| filter event.category == "VULNERABILITY_MANAGEMENT"
| filter event.type == "VULNERABILITY_STATUS_CHANGE_EVENT"

Query vulnerability assessment change events.

fetch events
| filter event.kind == "SECURITY_EVENT"
| filter event.category == "VULNERABILITY_MANAGEMENT"
| filter event.type == "VULNERABILITY_ASSESSMENT_CHANGE_EVENT"

Vulnerability state: Event data

This section contains general event information.

Attribute
Type
Description
Examples
event.category
string
stable
Standard categorization based on the significance of an event according to the ITIL event management standard (previously known as severity level).
VULNERABILITY_MANAGEMENT
event.change_list
array
stable
List of attributes updated as part of the change event. Values in the list match a previous field.
vulnerability.risk.score; affected_entities.count; related_entities.databases.count
event.description
string
stable
Human-readable description of an event.
S-49 Remote Code Execution status has changed to OPEN.; S-49 Remote Code Execution assessment has changed.
event.group_label
string
experimental
Group label of an event.
CHANGE_EVENT
event.kind
string
stable
Gives high-level information about what kind of information the event contains without being specific to the contents of the event. It helps to determine the record type of a raw event.
Tags: permission
SECURITY_EVENT
event.level
string
stable
Main reference point to which the event or data is related. Possible values are Vulnerability (shows the global aggregation across the entire environment and comprises all entities and management zones) and Entity (shows the assessment based on the entity itself).
VULNERABILITY
event.name
string
stable
The human readable display name of an event type.
Vulnerability status change event; Vulnerability assessment change event
event.provider
string
stable
Source of the event, for example, the name of the component or system that generated the event.
Tags: permission
Dynatrace
event.provider_product
string
stable
Name of the product providing this event.
Runtime Vulnerability Analytics; Snyk Container
event.status
string
stable
Status of an event as being either Active or Closed.
OPEN; RESOLVED; MUTED
event.status_transition
string
experimental
An enum that shows the transition of the above event state.
NEW_OPEN; REOPEN; CLOSE; MUTE; UNMUTE
event.trigger.type
string
stable
Type of event trigger (for example, whether it was generated by the system, ingested via API, or triggered by the user).
DT_PLATFORM; USER_ACTION
event.trigger.user
string
stable
ID of the user who triggered the event. If generated by Dynatrace, the value is SYSTEM.
SYSTEM; <user_id>
event.type
string
stable
The unique type identifier of a given event.
Tags: permission
VULNERABILITY_STATUS_CHANGE_EVENT; VULNERABILITY_ASSESSMENT_CHANGE_EVENT
timestamp
timestamp
stable
The time (UNIX Epoch time in nanoseconds) when the event originated, typically when it was created by the source.
1649822520123123123

Vulnerability state: Vulnerability data

This section contains information about the vulnerability and its status and assessment changes.

Attribute
Type
Description
Examples
vulnerability.cvss.base_score
double
stable
Vulnerability's CVSS base score provided by NVD.
8.1
vulnerability.cvss.vector
string
experimental
Vulnerability's CVSS vector defined by the provider.
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:L/A:H/E:P/RL:T/RC:U/CR:L/IR:M/AR:H
vulnerability.cvss.version
string
stable
Vulnerability's CVSS score version.
3.1
vulnerability.davis_assessment.assessment_mode
string
stable
Availability of the information based on which the vulnerability assessment has been done.
FULL; NOT_AVAILABLE; REDUCED
vulnerability.davis_assessment.assessment_mode_reasons
string[]
experimental
Reasons for the assessment mode.
[LIMITED_BY_CONFIGURATION, LIMITED_AGENT_SUPPORT]
vulnerability.davis_assessment.data_assets_status
string
stable
Vulnerability's reachability of related data assets by affected entities.
NOT_AVAILABLE; NOT_DETECTED; REACHABLE
vulnerability.davis_assessment.exploit_status
string
stable
Vulnerability's public exploits status.
AVAILABLE; NOT_AVAILABLE
vulnerability.davis_assessment.exposure_status
string
stable
Vulnerability's internet exposure status.
NOT_AVAILABLE; NOT_DETECTED; PUBLIC_NETWORK; ADJACENT_NETWORK
vulnerability.davis_assessment.level
string
stable
Vulnerability's risk level based on Davis Security Score.
LOW; MEDIUM; HIGH; CRITICAL; NONE
vulnerability.davis_assessment.score
double
stable
Vulnerability's Davis Security Score (1-10) calculated by Dynatrace.
8.1
vulnerability.davis_assessment.vulnerable_function_status
string
stable
Usage status of the vulnerable functions causing the vulnerability.
IN_USE; NOT_AVAILABLE; NOT_IN_USE
vulnerability.description
string
stable
Description of the vulnerability.
More detailed description about improper input validation vulnerability.
vulnerability.display_id
string
stable
Dynatrace user-readable identifier for the vulnerability.
S-1234
vulnerability.external_id
string
stable
External provider's unique identifier for the vulnerability.
SNYK-JAVA-ORGAPACHEHTTPCOMPONENTS-30646
vulnerability.external_url
string
stable
External provider's URL to the details page of the vulnerability.
https://example.com
vulnerability.first_seen
timestamp
stable
Timestamp of when the vulnerability was first detected.
2023-03-22T13:19:36.945Z
vulnerability.id
string
stable
Dynatrace unique identifier for the vulnerability.
2039861408676243188
vulnerability.is_fix_available
boolean
experimental
Indicates if a vulnerability fix is available.
vulnerability.mute.change_date
timestamp
stable
Timestamp of the vulnerability's last muted or unmuted action.
2023-03-22T13:19:36.945Z
vulnerability.mute.reason
string
stable
Reason for muting or unmuting the vulnerability.
FALSE_POSITIVE; IGNORE; AFFECTED; CONFIGURATION_NOT_AFFECTED; OTHER
vulnerability.mute.status
string
stable
Vulnerability's mute status.
MUTED; NOT_MUTED
vulnerability.mute.user
string
stable
User who last changed the vulnerability's mute status.
user@example.com
vulnerability.previous.cvss.base_score
double
stable
Vulnerability's previous CVSS base score (in case the CVSS base score has changed).
8.1
vulnerability.previous.davis_assessment.data_assets_status
string
stable
Vulnerability's previous reachability of related data assets by affected entities (in case the reachability has changed).
NOT_AVAILABLE; NOT_DETECTED; REACHABLE
vulnerability.previous.davis_assessment.exploit_status
string
stable
Vulnerability's previous public exploit status (in case the public exploit status has changed).
AVAILABLE; NOT_AVAILABLE
vulnerability.previous.davis_assessment.exposure_status
string
stable
Vulnerability's previous internet exposure status (in case the internet exposure status has changed).
NOT_AVAILABLE; NOT_DETECTED; PUBLIC_NETWORK; ADJACENT_NETWORK
vulnerability.previous.davis_assessment.level
string
stable
Vulnerability's previous risk level (in case the risk level has changed).
LOW; MEDIUM; HIGH; CRITICAL; NONE
vulnerability.previous.davis_assessment.score
double
stable
Vulnerability's previous Davis Security Score (in case Davis Security Score has changed).
8.1
vulnerability.previous.davis_assessment.vulnerable_function_status
string
stable
Vulnerability's previous vulnerable function status (in case the vulnerable function status has changed).
IN_USE; NOT_AVAILABLE; NOT_IN_USE
vulnerability.previous.mute.change_date
string
stable
Timestamp of the vulnerability's previous mute status (in case the mute status has changed).
2023-03-22T13:19:36.945Z
vulnerability.previous.mute.reason
string
stable
Reason for last muting or unmuting the vulnerability (in case the reason for muting or unmuting the vulnerability has changed).
Muted: False positive
vulnerability.previous.mute.status
string
stable
Vulnerability's previous mute status (in case the mute status has changed).
MUTED; NOT_MUTED
vulnerability.previous.mute.user
string
stable
User who last changed the vulnerability's mute status (in case the mute status was last changed by a different user).
user@example.com
vulnerability.previous.resolution.status
string
stable
Vulnerability's previous resolution status (in case the resolution status has changed).
OPEN; RESOLVED
vulnerability.previous.risk.level
string
stable
Vulnerability's previous risk score level (in case the risk score level has changed).
LOW; MEDIUM; HIGH; CRITICAL
vulnerability.previous.risk.score
double
stable
Vulnerability's previous risk score (in case the risk score has changed).
8.1
vulnerability.references.cve
string[]
stable
List of the vulnerability's CVE IDs.
[CVE-2021-41079]
vulnerability.references.cwe
string[]
stable
List of the vulnerability's CWE IDs.
[CWE-20]
vulnerability.references.owasp
string[]
stable
List of vulnerability's OWASP IDs.
[2021:A3]
vulnerability.remediation.description
string
experimental
Description of the vulnerability's remediation advice.
Upgrade component to version 1.2.3 or higher
vulnerability.resolution.change_date
timestamp
stable
Timestamp of the vulnerability's last resolution status change.
2023-03-22T13:19:37.466Z
vulnerability.resolution.status
string
stable
Vulnerability's resolution status.
OPEN; RESOLVED
vulnerability.risk.level
string
stable
Vulnerability's risk score level defined by the provider. For Dynatrace, the Davis Security Score level.
LOW; MEDIUM; HIGH; CRITICAL; NONE
vulnerability.risk.scale
string
stable
Scale by which the vulnerability's risk score and risk score level defined by the provider are measured.
Davis Security Score
vulnerability.risk.score
double
stable
Vulnerability's risk score defined by the provider. For Dynatrace, Davis Security Score.
8.1
vulnerability.stack
string
experimental
Level of the vulnerable component in the technological stack.
CODE; CODE_LIBRARY; SOFTWARE; CONTAINER_ORCHESTRATION
vulnerability.technology
string
stable
Technology of the vulnerable component.
JAVA; DOTNET; GO; PHP; NODE_JS
vulnerability.title
string
stable
Title of the vulnerability.
Improper Input Validation
vulnerability.type
string
stable
Classification of the vulnerability based on commonly accepted enums, such as CWE.
Improper Input Validation
vulnerability.url
string
stable
Dynatrace URL to the details page of the vulnerability. |
https://example.com

Vulnerability change: Environmental data

Affected entities

This section contains information on changes regarding vulnerability's affected entities.

Attribute
Type
Description
Examples
affected_entities.count
long
stable
Number of affected entities.
1
affected_entities.hosts.count
long
stable
Number of affected hosts.
2
affected_entities.kubernetes_nodes.count
long
stable
Number of affected nodes.
2
affected_entities.previous.count
long
deprecated
Number of affected entities before the last change event.
1
affected_entities.previous.hosts.count
long
deprecated
Number of affected hosts before the last change event.
5
affected_entities.previous.kubernetes_nodes.count
long
deprecated
Number of affected Kubernetes nodes before the last change event.
5
affected_entities.previous.process_groups.count
long
deprecated
Number of affected process groups before the last change event.
2
affected_entities.process_groups.count
long
stable
Number of affected process groups.
2
affected_entities.types
array
stable
Types of affected entities.
PROCESS_GROUP; HOST; KUBERNETES_NODE

Related entities

This section contains information on changes regarding vulnerability's related entities.

Attribute
Type
Description
Examples
related_entities.applications.count
long
stable
Number of related applications.
1
related_entities.databases.count
long
stable
Number of related databases.
1
related_entities.hosts.count
long
stable
Number of related hosts.
1
related_entities.kubernetes_clusters.count
long
stable
Number of related Kubernetes clusters.
1
related_entities.kubernetes_workloads.count
long
stable
Number of related Kubernetes workloads.
1
related_entities.previous.databases.count
long
deprecated
Number of related databases before the last change event.
1
related_entities.services.count
long
stable
Number of related services.
1

Vulnerability State Events

Vulnerability state events are historical states at the vulnerability level. The current vulnerability state is exported to Grail regularly.

Query

Query vulnerability state events.

fetch events
| filter event.kind == "SECURITY_EVENT"
| filter event.category == "VULNERABILITY_MANAGEMENT"
| filter event.type == "VULNERABILITY_STATE_REPORT_EVENT"
| filter event.level == "VULNERABILITY"

Vulnerability state: Event data

This section contains general event information.

Attribute
Type
Description
Examples
event.category
string
stable
Categorization based on the product and data generating this event.
VULNERABILITY_MANAGEMENT
event.description
string
stable
Human-readable description of an event.
S-49 Remote Code Execution state event reported
event.group_label
string
experimental
Group label of an event.
STATE_REPORT
event.kind
string
stable
Gives high-level information about what kind of information the event contains without being specific to the contents of the event. It helps to determine the record type of a raw event.
Tags: permission
SECURITY_EVENT
event.level
string
stable
Main reference point to which the event or data is related. Possible values are Vulnerability (shows the global aggregation across the entire environment and comprises all entities and management zones) and Entity (shows the assessment based on the entity itself).
VULNERABILITY
event.name
string
stable
The human readable display name of an event type.
Vulnerability historical state report event
event.provider
string
stable
Source of the event, for example, the name of the component or system that generated the event.
Tags: permission
Dynatrace; Snyk
event.provider_product
string
stable
Name of the product providing this event.
Runtime Vulnerability Analytics; Snyk Container
event.status
string
stable
Status of an event as being either Active or Closed.
OPEN; RESOLVED; MUTED
event.type
string
stable
The unique type identifier of a given event.
Tags: permission
VULNERABILITY_STATE_REPORT_EVENT
timestamp
timestamp
stable
The time (UNIX Epoch time in nanoseconds) when the event originated, typically when it was created by the source.
1649822520123123123

Vulnerability state: Vulnerability data

This section contains information about the vulnerability.

Attribute
Type
Description
Examples
vulnerability.code_location.name
string
stable
Name of the code location where the code-level vulnerability was detected.
org.dynatrace.profileservice.BioController.markdownToHtml(String):80
vulnerability.cvss.base_score
double
stable
Vulnerability's CVSS base score provided by NVD.
8.1
vulnerability.cvss.vector
string
experimental
Vulnerability's CVSS vector defined by the provider.
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:L/A:H/E:P/RL:T/RC:U/CR:L/IR:M/AR:H
vulnerability.cvss.version
string
stable
Vulnerability's CVSS score version.
3.1
vulnerability.davis_assessment.assessment_mode
string
stable
Availability of the information based on which the vulnerability assessment has been done.
FULL; NOT_AVAILABLE; REDUCED
vulnerability.davis_assessment.assessment_mode_reasons
string[]
experimental
Reasons for the assessment mode.
[LIMITED_BY_CONFIGURATION, LIMITED_AGENT_SUPPORT]
vulnerability.davis_assessment.data_assets_status
string
stable
Vulnerability's reachability of related data assets by affected entities.
NOT_AVAILABLE; NOT_DETECTED; REACHABLE
vulnerability.davis_assessment.exploit_status
string
stable
Vulnerability's public exploits status.
AVAILABLE; NOT_AVAILABLE
vulnerability.davis_assessment.exposure_status
string
stable
Vulnerability's internet exposure status.
NOT_AVAILABLE; NOT_DETECTED; PUBLIC_NETWORK; ADJACENT_NETWORK
vulnerability.davis_assessment.level
string
stable
Vulnerability's risk level based on Davis Security Score.
LOW; MEDIUM; HIGH; CRITICAL; NONE
vulnerability.davis_assessment.score
double
stable
Vulnerability's Davis Security Score (1-10) calculated by Dynatrace.
8.1
vulnerability.davis_assessment.vulnerable_function_status
string
stable
Usage status of the vulnerable functions causing the vulnerability.
IN_USE; NOT_AVAILABLE; NOT_IN_USE
vulnerability.description
string
stable
Description of the vulnerability.
More detailed description about improper input validation vulnerability.
vulnerability.display_id
string
stable
Dynatrace user-readable identifier for the vulnerability.
S-1234
vulnerability.external_id
string
stable
External provider's unique identifier for the vulnerability.
SNYK-JAVA-ORGAPACHEHTTPCOMPONENTS-30646
vulnerability.external_url
string
stable
External provider's URL to the details page of the vulnerability.
https://example.com
vulnerability.first_seen
timestamp
stable
Timestamp of when the vulnerability was first detected.
2023-03-22T13:19:36.945Z
vulnerability.id
string
stable
Dynatrace unique identifier for the vulnerability.
2039861408676243188
vulnerability.is_fix_available
boolean
experimental
Indicates if a vulnerability fix is available.
vulnerability.mute.change_date
timestamp
stable
Timestamp of the vulnerability's last muted or unmuted action.
2023-03-22T13:19:36.945Z
vulnerability.mute.reason
string
stable
Reason for muting or unmuting the vulnerability.
FALSE_POSITIVE; IGNORE; AFFECTED; CONFIGURATION_NOT_AFFECTED; OTHER
vulnerability.mute.status
string
stable
Vulnerability's mute status.
MUTED; NOT_MUTED
vulnerability.mute.user
string
stable
User who last changed the vulnerability's mute status.
user@example.com
vulnerability.references.cve
string[]
stable
List of the vulnerability's CVE IDs.
[CVE-2021-41079]
vulnerability.references.cwe
string[]
stable
List of the vulnerability's CWE IDs.
[CWE-20]
vulnerability.references.owasp
string[]
stable
List of vulnerability's OWASP IDs.
[2021:A3]
vulnerability.remediation.description
string
experimental
Description of the vulnerability's remediation advice.
Upgrade component to version 1.2.3 or higher
vulnerability.resolution.change_date
timestamp
stable
Timestamp of the vulnerability's last resolution status change.
2023-03-22T13:19:37.466Z
vulnerability.resolution.status
string
stable
Vulnerability's resolution status.
OPEN; RESOLVED
vulnerability.risk.level
string
stable
Vulnerability's risk score level defined by the provider. For Dynatrace, the Davis Security Score level.
LOW; MEDIUM; HIGH; CRITICAL; NONE
vulnerability.risk.scale
string
stable
Scale by which the vulnerability's risk score and risk score level defined by the provider are measured.
Davis Security Score
vulnerability.risk.score
double
stable
Vulnerability's risk score defined by the provider. For Dynatrace, Davis Security Score.
8.1
vulnerability.stack
string
experimental
Level of the vulnerable component in the technological stack.
CODE; CODE_LIBRARY; SOFTWARE; CONTAINER_ORCHESTRATION
vulnerability.technology
string
stable
Technology of the vulnerable component.
JAVA; DOTNET; GO; PHP; NODE_JS
vulnerability.title
string
stable
Title of the vulnerability.
Improper Input Validation
vulnerability.type
string
stable
Classification of the vulnerability based on commonly accepted enums, such as CWE.
Improper Input Validation
vulnerability.url
string
stable
Dynatrace URL to the details page of the vulnerability. |
https://example.com

Vulnerability state: Environmental data

This section contains information on the vulnerability's affected and related entities.

Affected entities

Attribute
Type
Description
Examples
affected_entities.affected_processes.count
long
stable
Number of affected processes.
50
affected_entities.count
long
stable
Number of affected entities.
1
affected_entities.hosts.count
long
stable
Number of affected hosts.
2
affected_entities.kubernetes_nodes.count
long
stable
Number of affected nodes.
2
affected_entities.management_zones.ids
array
stable
IDs of the management zones to which the affected entities belong.
mzid1
affected_entities.management_zones.names
array
stable
Names of the management zones to which the affected entities belong.
mz1
affected_entities.monitored_processes.count
long
stable
Number of processes of the process group.
100
affected_entities.process_groups.count
long
stable
Number of affected process groups.
2
affected_entities.types
array
stable
Types of affected entities.
PROCESS_GROUP; HOST; KUBERNETES_NODE
affected_entities.vulnerable_components.ids
array
stable
Dynatrace IDs of the vulnerable components causing the vulnerability.
SOFTWARE_COMPONENT-0000000000000001; SOFTWARE_COMPONENT-0000000000000002; SOFTWARE_COMPONENT-0000000000000003
affected_entities.vulnerable_components.names
array
stable
Names of the vulnerable components causing the vulnerability. |
com.fasterxml.jackson.core:jackson-databind:2.10.0; node-sass:4.14.1
affected_entities.vulnerable_functions
array
stable
Vulnerable functions detected, containing or causing the vulnerability.
org.springframework.beans.CachedIntrospectionResults:init; java.lang.ProcessBuilder.<init>(String[]); (*DB).queryDC() (/usr/local/go/src/database/sql/sql.go)

Related entities

Attribute
Type
Description
Examples
related_entities.applications.count
long
stable
Number of related applications.
1
related_entities.databases.count
long
stable
Number of related databases.
1
related_entities.hosts.count
long
stable
Number of related hosts.
1
related_entities.kubernetes_clusters.count
long
stable
Number of related Kubernetes clusters.
1
related_entities.kubernetes_workloads.count
long
stable
Number of related Kubernetes workloads.
1
related_entities.services.count
long
stable
Number of related services.
1

Vulnerability finding events

Vulnerability-finding events contain generic sections and fields like metadata, affected entity data and vulnerability data. They can also include extensions (such as container image data for container vulnerability findings) at the end of the page.

Vulnerability finding events: Metadata

This section contains meta information on the vulnerability-finding event.

Attribute
Type
Description
Examples
event.category
string
stable
Standard categorization based on the significance of an event (similar to the severity level in the previous Dynatrace).
VULNERABILITY_MANAGEMENT
event.description
string
stable
Human-readable description of an event.
Vulnerability CVE-2023-45871 of component linux:4.19.269-1 was detected in your container image unguard-frontend:latest@054e1d39
event.id
string
stable
Unique identifier string of an event, is stable across multiple refreshes and updates.
5547782627070661074_1647601320000
event.kind
string
stable
Gives high-level information about what kind of information the event contains without being specific to the contents of the event. It helps to determine the record type of a raw event.
Tags: permission
SECURITY_EVENT
event.name
string
stable
The human readable display name of an event type.
Vulnerability finding event
event.original_content
string
experimental
The original raw data of the event as received from the source.
{"severity_id": 3,"state_id": 1,"time": "2024-06-26T07:15:06.139000Z","state": "New","type_uid": 200101}
event.provider
string
stable
Source of the event, for example, the name of the component or system that generated the event.
Tags: permission
Amazon ECR
event.type
string
stable
The unique type identifier of a given event.
Tags: permission
VULNERABILITY_FINDING
event.version
string
experimental
Describes the version of the event.
1.304
timestamp
timestamp
stable
Time (UNIX Epoch time in nanoseconds) when the event originated, typically when the event was ingested into Dynatrace.
1649822520123123123

Vulnerability finding events: Vulnerability data

This section contains information about the vulnerability that caused the vulnerability-finding event (vulnerability ID, description, risk level, and so on).

Attribute
Type
Description
Examples
dt.security.risk.level
string
experimental
Risk score level defined by the provider.
LOW; MEDIUM; HIGH; CRITICAL; NONE; NOT_AVAILABLE
dt.security.risk.score
double
experimental
Risk score, mapped and normalized by Dynatrace.
8.1
vulnerability.description
string
stable
Description of the vulnerability.
More detailed description about improper input validation vulnerability.
vulnerability.id
string
stable
Dynatrace unique identifier for the vulnerability.
CVE-2019-19814
vulnerability.title
string
stable
Title of the vulnerability.
CVE-2019-19814; Improper input validation

Extensions

Vulnerability finding events: Container image data

This section contains container-image—specific data.

Attribute
Type
Description
Examples
container_image.digest
string
experimental
Container image digest uniquely and immutably identifying the vulnerable container image.
sha256:054e1d39fb20a52f2c78caeb83574035462d3d2e627978d89a2834ce8cb69fe1
container_image.registry
string
experimental
Container image registry from which the finding originates.
1294385647.eu-central-1
container_image.repository
string
experimental
Container image repository from which the finding originates.
unguard-frontend
container_image.tags
array
experimental
List of tags of the vulnerable container image.
[1.0.0]; [1.0.0, 1.0.0-nightly, latest]