Security events are a special type of data representing various events generated by Dynatrace.
In the events data store, security events are stored in a dedicated bucket (default_security_events) and come as an additional event kind (event.kind=="SECURITY_EVENT") for better access control, data separation, and data retention period control.
Entity state events are historical vulnerability states reported at the entity level. The current vulnerability state per entity is exported to Grail regularly.
Query entity state events.
fetch events| filter event.kind == "SECURITY_EVENT"| filter event.category == "VULNERABILITY_MANAGEMENT"| filter event.type == "VULNERABILITY_STATE_REPORT_EVENT"| filter event.level == "ENTITY"
This section contains general event information.
event.categoryVULNERABILITY_MANAGEMENTevent.descriptionS-49 Remote Code Execution state event reportedevent.group_labelSTATE_REPORTevent.kindpermissionSECURITY_EVENTevent.levelVulnerability (shows the global aggregation across the entire environment and comprises all entities and management zones) and Entity (shows the assessment based on the entity itself).ENTITYevent.nameVulnerability historical state report eventevent.providerpermissionOneAgent; K8S; Davis; VMWare; GCP; AWS; LIMA_USAGE_STREAMevent.provider_productRuntime Vulnerability Analytics; Snyk Containerevent.statusOPEN; RESOLVED; MUTEDevent.typepermissionVULNERABILITY_STATE_REPORT_EVENTtimestamp1649822520123123123This section contains information about the vulnerability at the entity level and its global vulnerability, with a focus on the affected entities.
entry_points.entry_point_jsons[{ "entry_point.url.path": "/user/2/bio", "entry_point.payload": "UPDATE bio SET bio_text = '' WHERE 1 = 0; TRUNCATE TABLE bio; --' WHERE user_id = 2", "entry_point.user_controlled_inputs_json": [{ "user_controlled_input.type": "HTTP_PARAMETER_VALUE", "user_controlled_input.key": "username", "user_controlled_input.value": "' OR 100=100 -- 0'", "user_controlled_input.payload.start": "56", "user_controlled_input.payload.end": "73", "user_controlled_input.is_malicious": true}]}]vulnerability.code_location.nameorg.dynatrace.profileservice.BioController.markdownToHtml(String):80vulnerability.cvss.base_score8.1vulnerability.cvss.vectorCVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:L/A:H/E:P/RL:T/RC:U/CR:L/IR:M/AR:Hvulnerability.cvss.version3.1vulnerability.davis_assessment.assessment_modeFULL; NOT_AVAILABLE; REDUCEDvulnerability.davis_assessment.assessment_mode_reasons[LIMITED_BY_CONFIGURATION, LIMITED_AGENT_SUPPORT]vulnerability.davis_assessment.data_assets_statusNOT_AVAILABLE; NOT_DETECTED; REACHABLEvulnerability.davis_assessment.exploit_statusAVAILABLE; NOT_AVAILABLEvulnerability.davis_assessment.exposure_statusNOT_AVAILABLE; NOT_DETECTED; PUBLIC_NETWORK; ADJACENT_NETWORKvulnerability.davis_assessment.levelLOW; MEDIUM; HIGH; CRITICAL; NONEvulnerability.davis_assessment.score8.1vulnerability.davis_assessment.vulnerable_function_statusIN_USE; NOT_AVAILABLE; NOT_IN_USEvulnerability.descriptionMore detailed description about improper input validation vulnerability.vulnerability.display_idS-1234vulnerability.external_idSNYK-JAVA-ORGAPACHEHTTPCOMPONENTS-30646vulnerability.external_urlhttps://example.comvulnerability.id2039861408676243188vulnerability.is_fix_availablevulnerability.mute.change_date2023-03-22T13:19:36.945Zvulnerability.mute.commentMuted because it's a false positive.vulnerability.mute.reasonFALSE_POSITIVE; IGNORE; AFFECTED; CONFIGURATION_NOT_AFFECTED; OTHERvulnerability.mute.statusMUTED; NOT_MUTEDvulnerability.mute.useruser@example.comvulnerability.parent.davis_assessment.assessment_modeFULL; NOT_AVAILABLE; REDUCEDvulnerability.parent.davis_assessment.data_assets_statusNOT_AVAILABLE; NOT_DETECTED; REACHABLEvulnerability.parent.davis_assessment.exposure_statusNOT_AVAILABLE; NOT_DETECTED; PUBLIC_NETWORK; ADJACENT_NETWORKvulnerability.parent.davis_assessment.levelLOW; MEDIUM; HIGH; CRITICAL; NONEvulnerability.parent.davis_assessment.score8.1vulnerability.parent.davis_assessment.vulnerable_function_statusIN_USE when there's at least one vulnerable function in use by an application.IN_USE; NOT_AVAILABLE; NOT_IN_USEvulnerability.parent.first_seen2023-03-22T13:19:36.945Zvulnerability.parent.mute.change_date2023-03-22T13:19:36.945Zvulnerability.parent.mute.reasonFALSE_POSITIVE; IGNORE; AFFECTED; CONFIGURATION_NOT_AFFECTED; OTHERvulnerability.parent.mute.statusMUTED; NOT_MUTEDvulnerability.parent.mute.useruser@example.comvulnerability.parent.resolution.change_date2023-03-22T13:19:37.466Zvulnerability.parent.resolution.statusOPEN; RESOLVEDvulnerability.parent.risk.levelLOW; MEDIUM; HIGH; CRITICAL; NONEvulnerability.parent.risk.score8.1vulnerability.references.cve[CVE-2021-41079]vulnerability.references.cwe[CWE-20]vulnerability.references.owasp[2021:A3]vulnerability.remediation.descriptionUpgrade component to version 1.2.3 or highervulnerability.resolution.change_date2023-03-22T13:19:37.466Zvulnerability.resolution.statusOPEN; RESOLVEDvulnerability.risk.levelLOW; MEDIUM; HIGH; CRITICAL; NONEvulnerability.risk.scaleDavis Security Scorevulnerability.risk.score8.1vulnerability.stackCODE; CODE_LIBRARY; SOFTWARE; CONTAINER_ORCHESTRATIONvulnerability.technologyJAVA; DOTNET; GO; PHP; NODE_JSvulnerability.titleImproper Input Validationvulnerability.tracking_link.textP-1000 Vulnerability CVE-2024-0001vulnerability.tracking_link.urlhttps://example.com/Project1/P-1000vulnerability.typeImproper Input Validationvulnerability.urlhttps://example.comThis section contains information about the vulnerability's affected and related entities.
affected_entity.affected_processes.idsPROCESS_GROUP_INSTANCE-1affected_entity.affected_processes.namesprod_process_group_instance_1affected_entity.idPROCESS_GROUP-1; HOST-1affected_entity.management_zones.idsmzid1affected_entity.management_zones.namesmz1affected_entity.nameprod_process_group_1; prod_hostaffected_entity.reachable_data_assets.count1affected_entity.reachable_data_assets.idsDATABASE-1affected_entity.reachable_data_assets.namesprod_database_1affected_entity.typePROCESS_GROUP; HOST; KUBERNETES_NODEaffected_entity.vulnerable_component.idSOFTWARE_COMPONENT-D8FCFFB4FDF7A3FFaffected_entity.vulnerable_component.namelog4j-core-2.6.2.jaraffected_entity.vulnerable_component.package_namek8s.io/kubernetes; github.com/kubernetes/kubernetes/pkg/kubelet/kuberuntimeaffected_entity.vulnerable_component.short_namelog4jaffected_entity.vulnerable_functionsorg.springframework.beans.CachedIntrospectionResults:init; java.lang.ProcessBuilder.<init>(String[]); (*DB).queryDC() (/usr/local/go/src/database/sql/sql.go)affected_entity.vulnerable_functions_not_availableorg.springframework.beans.CachedIntrospectionResults:init; java.lang.ProcessBuilder.<init>(String[]); (*DB).queryDC() (/usr/local/go/src/database/sql/sql.go)affected_entity.vulnerable_functions_not_in_useorg.springframework.beans.CachedIntrospectionResults:init; java.lang.ProcessBuilder.<init>(String[]); (*DB).queryDC() (/usr/local/go/src/database/sql/sql.go)related_entities.applications.count1related_entities.applications.idsAPPLICATION-1related_entities.applications.namesprod_application_1related_entities.databases.count1related_entities.databases.idsDATABASE-1related_entities.databases.namesprod_database_1related_entities.hosts.count1related_entities.hosts.idsHOST-1related_entities.hosts.namesprod_host_1related_entities.kubernetes_clusters.count1related_entities.kubernetes_clusters.idsKUBERNETES_CLUSTER-1related_entities.kubernetes_clusters.namesprod_kubernetes_cluster_1related_entities.kubernetes_workloads.count1related_entities.kubernetes_workloads.idsKUBERNETES_WORKLOAD-1related_entities.kubernetes_workloads.namesprod_kubernetes_workload_1related_entities.services.count1related_entities.services.idsSERVICE-1related_entities.services.namesprod_service_1Vulnerability change events are change events at the vulnerability level. An event is generated whenever a vulnerability undergoes a status or assessment change.
Query vulnerability status change events.
fetch events| filter event.kind == "SECURITY_EVENT"| filter event.category == "VULNERABILITY_MANAGEMENT"| filter event.type == "VULNERABILITY_STATUS_CHANGE_EVENT"
Query vulnerability assessment change events.
fetch events| filter event.kind == "SECURITY_EVENT"| filter event.category == "VULNERABILITY_MANAGEMENT"| filter event.type == "VULNERABILITY_ASSESSMENT_CHANGE_EVENT"
This section contains general event information.
event.categoryseverity level).VULNERABILITY_MANAGEMENTevent.change_listprevious field.vulnerability.risk.score; affected_entities.count; related_entities.databases.countevent.descriptionS-49 Remote Code Execution status has changed to OPEN.; S-49 Remote Code Execution assessment has changed.event.group_labelCHANGE_EVENTevent.kindpermissionSECURITY_EVENTevent.levelVulnerability (shows the global aggregation across the entire environment and comprises all entities and management zones) and Entity (shows the assessment based on the entity itself).VULNERABILITYevent.nameVulnerability status change event; Vulnerability assessment change eventevent.providerpermissionDynatraceevent.provider_productRuntime Vulnerability Analytics; Snyk Containerevent.statusOPEN; RESOLVED; MUTEDevent.status_transitionNEW_OPEN; REOPEN; CLOSE; MUTE; UNMUTEevent.trigger.typeDT_PLATFORM; USER_ACTIONevent.trigger.userSYSTEM.SYSTEM; <user_id>event.typepermissionVULNERABILITY_STATUS_CHANGE_EVENT; VULNERABILITY_ASSESSMENT_CHANGE_EVENTtimestamp1649822520123123123This section contains information about the vulnerability and its status and assessment changes.
vulnerability.cvss.base_score8.1vulnerability.cvss.vectorCVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:L/A:H/E:P/RL:T/RC:U/CR:L/IR:M/AR:Hvulnerability.cvss.version3.1vulnerability.davis_assessment.assessment_modeFULL; NOT_AVAILABLE; REDUCEDvulnerability.davis_assessment.assessment_mode_reasons[LIMITED_BY_CONFIGURATION, LIMITED_AGENT_SUPPORT]vulnerability.davis_assessment.data_assets_statusNOT_AVAILABLE; NOT_DETECTED; REACHABLEvulnerability.davis_assessment.exploit_statusAVAILABLE; NOT_AVAILABLEvulnerability.davis_assessment.exposure_statusNOT_AVAILABLE; NOT_DETECTED; PUBLIC_NETWORK; ADJACENT_NETWORKvulnerability.davis_assessment.levelLOW; MEDIUM; HIGH; CRITICAL; NONEvulnerability.davis_assessment.score8.1vulnerability.davis_assessment.vulnerable_function_statusIN_USE; NOT_AVAILABLE; NOT_IN_USEvulnerability.descriptionMore detailed description about improper input validation vulnerability.vulnerability.display_idS-1234vulnerability.external_idSNYK-JAVA-ORGAPACHEHTTPCOMPONENTS-30646vulnerability.external_urlhttps://example.comvulnerability.first_seen2023-03-22T13:19:36.945Zvulnerability.id2039861408676243188vulnerability.is_fix_availablevulnerability.mute.change_date2023-03-22T13:19:36.945Zvulnerability.mute.reasonFALSE_POSITIVE; IGNORE; AFFECTED; CONFIGURATION_NOT_AFFECTED; OTHERvulnerability.mute.statusMUTED; NOT_MUTEDvulnerability.mute.useruser@example.comvulnerability.previous.cvss.base_score8.1vulnerability.previous.davis_assessment.data_assets_statusNOT_AVAILABLE; NOT_DETECTED; REACHABLEvulnerability.previous.davis_assessment.exploit_statusAVAILABLE; NOT_AVAILABLEvulnerability.previous.davis_assessment.exposure_statusNOT_AVAILABLE; NOT_DETECTED; PUBLIC_NETWORK; ADJACENT_NETWORKvulnerability.previous.davis_assessment.levelLOW; MEDIUM; HIGH; CRITICAL; NONEvulnerability.previous.davis_assessment.score8.1vulnerability.previous.davis_assessment.vulnerable_function_statusIN_USE; NOT_AVAILABLE; NOT_IN_USEvulnerability.previous.mute.change_date2023-03-22T13:19:36.945Zvulnerability.previous.mute.reasonMuted: False positivevulnerability.previous.mute.statusMUTED; NOT_MUTEDvulnerability.previous.mute.useruser@example.comvulnerability.previous.resolution.statusOPEN; RESOLVEDvulnerability.previous.risk.levelLOW; MEDIUM; HIGH; CRITICALvulnerability.previous.risk.score8.1vulnerability.references.cve[CVE-2021-41079]vulnerability.references.cwe[CWE-20]vulnerability.references.owasp[2021:A3]vulnerability.remediation.descriptionUpgrade component to version 1.2.3 or highervulnerability.resolution.change_date2023-03-22T13:19:37.466Zvulnerability.resolution.statusOPEN; RESOLVEDvulnerability.risk.levelLOW; MEDIUM; HIGH; CRITICAL; NONEvulnerability.risk.scaleDavis Security Scorevulnerability.risk.score8.1vulnerability.stackCODE; CODE_LIBRARY; SOFTWARE; CONTAINER_ORCHESTRATIONvulnerability.technologyJAVA; DOTNET; GO; PHP; NODE_JSvulnerability.titleImproper Input Validationvulnerability.typeImproper Input Validationvulnerability.urlhttps://example.comThis section contains information on changes regarding vulnerability's affected entities.
affected_entities.count1affected_entities.hosts.count2affected_entities.kubernetes_nodes.count2affected_entities.previous.count1affected_entities.previous.hosts.count5affected_entities.previous.kubernetes_nodes.count5affected_entities.previous.process_groups.count2affected_entities.process_groups.count2affected_entities.typesPROCESS_GROUP; HOST; KUBERNETES_NODEThis section contains information on changes regarding vulnerability's related entities.
related_entities.applications.count1related_entities.databases.count1related_entities.hosts.count1related_entities.kubernetes_clusters.count1related_entities.kubernetes_workloads.count1related_entities.previous.databases.count1related_entities.services.count1Vulnerability state events are historical states at the vulnerability level. The current vulnerability state is exported to Grail regularly.
Query vulnerability state events.
fetch events| filter event.kind == "SECURITY_EVENT"| filter event.category == "VULNERABILITY_MANAGEMENT"| filter event.type == "VULNERABILITY_STATE_REPORT_EVENT"| filter event.level == "VULNERABILITY"
This section contains general event information.
event.categoryVULNERABILITY_MANAGEMENTevent.descriptionS-49 Remote Code Execution state event reportedevent.group_labelSTATE_REPORTevent.kindpermissionSECURITY_EVENTevent.levelVulnerability (shows the global aggregation across the entire environment and comprises all entities and management zones) and Entity (shows the assessment based on the entity itself).VULNERABILITYevent.nameVulnerability historical state report eventevent.providerpermissionDynatrace; Snykevent.provider_productRuntime Vulnerability Analytics; Snyk Containerevent.statusOPEN; RESOLVED; MUTEDevent.typepermissionVULNERABILITY_STATE_REPORT_EVENTtimestamp1649822520123123123This section contains information about the vulnerability.
vulnerability.code_location.nameorg.dynatrace.profileservice.BioController.markdownToHtml(String):80vulnerability.cvss.base_score8.1vulnerability.cvss.vectorCVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:L/A:H/E:P/RL:T/RC:U/CR:L/IR:M/AR:Hvulnerability.cvss.version3.1vulnerability.davis_assessment.assessment_modeFULL; NOT_AVAILABLE; REDUCEDvulnerability.davis_assessment.assessment_mode_reasons[LIMITED_BY_CONFIGURATION, LIMITED_AGENT_SUPPORT]vulnerability.davis_assessment.data_assets_statusNOT_AVAILABLE; NOT_DETECTED; REACHABLEvulnerability.davis_assessment.exploit_statusAVAILABLE; NOT_AVAILABLEvulnerability.davis_assessment.exposure_statusNOT_AVAILABLE; NOT_DETECTED; PUBLIC_NETWORK; ADJACENT_NETWORKvulnerability.davis_assessment.levelLOW; MEDIUM; HIGH; CRITICAL; NONEvulnerability.davis_assessment.score8.1vulnerability.davis_assessment.vulnerable_function_statusIN_USE; NOT_AVAILABLE; NOT_IN_USEvulnerability.descriptionMore detailed description about improper input validation vulnerability.vulnerability.display_idS-1234vulnerability.external_idSNYK-JAVA-ORGAPACHEHTTPCOMPONENTS-30646vulnerability.external_urlhttps://example.comvulnerability.first_seen2023-03-22T13:19:36.945Zvulnerability.id2039861408676243188vulnerability.is_fix_availablevulnerability.mute.change_date2023-03-22T13:19:36.945Zvulnerability.mute.reasonFALSE_POSITIVE; IGNORE; AFFECTED; CONFIGURATION_NOT_AFFECTED; OTHERvulnerability.mute.statusMUTED; NOT_MUTEDvulnerability.mute.useruser@example.comvulnerability.references.cve[CVE-2021-41079]vulnerability.references.cwe[CWE-20]vulnerability.references.owasp[2021:A3]vulnerability.remediation.descriptionUpgrade component to version 1.2.3 or highervulnerability.resolution.change_date2023-03-22T13:19:37.466Zvulnerability.resolution.statusOPEN; RESOLVEDvulnerability.risk.levelLOW; MEDIUM; HIGH; CRITICAL; NONEvulnerability.risk.scaleDavis Security Scorevulnerability.risk.score8.1vulnerability.stackCODE; CODE_LIBRARY; SOFTWARE; CONTAINER_ORCHESTRATIONvulnerability.technologyJAVA; DOTNET; GO; PHP; NODE_JSvulnerability.titleImproper Input Validationvulnerability.typeImproper Input Validationvulnerability.urlhttps://example.comThis section contains information on the vulnerability's affected and related entities.
affected_entities.affected_processes.count50affected_entities.count1affected_entities.hosts.count2affected_entities.kubernetes_nodes.count2affected_entities.management_zones.idsmzid1affected_entities.management_zones.namesmz1affected_entities.monitored_processes.count100affected_entities.process_groups.count2affected_entities.typesPROCESS_GROUP; HOST; KUBERNETES_NODEaffected_entities.vulnerable_components.idsSOFTWARE_COMPONENT-0000000000000001; SOFTWARE_COMPONENT-0000000000000002; SOFTWARE_COMPONENT-0000000000000003affected_entities.vulnerable_components.namescom.fasterxml.jackson.core:jackson-databind:2.10.0; node-sass:4.14.1affected_entities.vulnerable_functionsorg.springframework.beans.CachedIntrospectionResults:init; java.lang.ProcessBuilder.<init>(String[]); (*DB).queryDC() (/usr/local/go/src/database/sql/sql.go)related_entities.applications.count1related_entities.databases.count1related_entities.hosts.count1related_entities.kubernetes_clusters.count1related_entities.kubernetes_workloads.count1related_entities.services.count1Vulnerability-finding events contain generic sections and fields like metadata, affected entity data and vulnerability data. They can also include extensions (such as container image data for container vulnerability findings) at the end of the page.
This section contains meta information on the vulnerability-finding event.
event.categoryVULNERABILITY_MANAGEMENTevent.descriptionVulnerability CVE-2023-45871 of component linux:4.19.269-1 was detected in your container image unguard-frontend:latest@054e1d39event.id5547782627070661074_1647601320000event.kindpermissionSECURITY_EVENTevent.nameVulnerability finding eventevent.original_content{"severity_id": 3,"state_id": 1,"time": "2024-06-26T07:15:06.139000Z","state": "New","type_uid": 200101}event.providerpermissionAmazon ECRevent.typepermissionVULNERABILITY_FINDINGevent.version1.304timestamp1649822520123123123This section contains information about the vulnerability that caused the vulnerability-finding event (vulnerability ID, description, risk level, and so on).
dt.security.risk.levelLOW; MEDIUM; HIGH; CRITICAL; NONE; NOT_AVAILABLEdt.security.risk.score8.1vulnerability.descriptionMore detailed description about improper input validation vulnerability.vulnerability.idCVE-2019-19814vulnerability.titleCVE-2019-19814; Improper input validationThis section contains container-image—specific data.
container_image.digestsha256:054e1d39fb20a52f2c78caeb83574035462d3d2e627978d89a2834ce8cb69fe1container_image.registry1294385647.eu-central-1container_image.repositoryunguard-frontendcontainer_image.tags[1.0.0]; [1.0.0, 1.0.0-nightly, latest]