Monitoring rules - Code-level Vulnerability Analytics

You can create your own fine-grained monitoring rules for code-level vulnerabilities based on resource attributes, and define multiple conditions for one rule. When creating a rule, you can check if conditions apply and how many process groups are affected. The rules you create override the global code-level vulnerability detection control for the selected technology.

Prerequisites

Enable Code-level Vulnerability Analytics.

Create custom monitoring rules

  1. Go to Settings and select Application security > Vulnerability Analytics > Monitoring rules: Code-level.

  2. Select Add new rule.

  3. Optional: Name your rule. If you don't, a name based on your criteria is assigned automatically once you create the rule.

  4. For Code-level vulnerability control, specify how to control a vulnerability that matches the rule criteria:

    • Do not monitor – Code-level vulnerabilities for the selected conditions are ignored.
    • Monitor – Code-level vulnerabilities for the selected conditions are reported.
  5. Optional: If you want the rule to apply only to a subset of your environment, under Specify where the rule is applied, select Add new condition and provide the resource attributes that identify that part of the environment (for example, dt.entity.process_group, aws.region). For details, see Enrich ingested data with Dynatrace-specific dimensions.

  6. Optional: To check whether a rule applies, select Preview matching process group instances. This lists the process group instances that currently match the rule's conditions.

  7. Select Save changes.

You can edit, disable, enable, or remove rules at any time.

Monitoring rules are ordered; the first matching rule applies.

  1. Restart processes.

Frequently asked questions

  • What happens if I change the order of the rules?
    • The first matching rule applies.
  • What happens if a Do not monitor rule that applies gets added?
    • New vulnerabilities for the processes that match the rule won't be created.
    • Existing vulnerabilities that only relate to matching processes are resolved.
  • What happens if a Do not monitor rule is deleted or doesn't apply anymore?
    • New vulnerabilities for the processes that match the rule will be created.
    • Related resolved vulnerabilities are reopened.
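The ordering and first-match behaviour described above, modelled as an added example (not Dynatrace code or its API): rules carry a control and attribute conditions, the first matching rule wins, and a helper flags rules that never win for any known instance, which is the typical sign that a broader rule placed earlier shadows them. Instance names, attribute values and the `global_control` default are constructed for illustration.

```python
# Added illustration, not Dynatrace code: minimal model of ordered
# code-level monitoring rules with first-match semantics.
from dataclasses import dataclass, field


@dataclass
class Rule:
    name: str
    control: str  # "monitor" or "do_not_monitor"
    # resource attribute -> required value; an empty dict matches everything
    conditions: dict = field(default_factory=dict)

    def matches(self, attrs):
        return all(attrs.get(k) == v for k, v in self.conditions.items())


def effective_control(rules, attrs, global_control="monitor"):
    """Return (control, rule_name) of the first matching rule, else the
    global control (assumed default here) and None."""
    for rule in rules:
        if rule.matches(attrs):
            return rule.control, rule.name
    return global_control, None


def preview_matches(rule, instances):
    """Like 'Preview matching process group instances': names that match."""
    return [name for name, attrs in instances.items() if rule.matches(attrs)]


def shadowed_rules(rules, instances):
    """Rules that never win first-match for any known instance: likely
    ordering mistakes (an earlier, broader rule captures their targets)."""
    winners = {effective_control(rules, a)[1] for a in instances.values()}
    return [r.name for r in rules if r.name not in winners]


# Constructed sample inventory (hypothetical attribute values).
INSTANCES = {
    "pgi-api-eu": {"dt.entity.process_group": "PG-API", "aws.region": "eu-central-1"},
    "pgi-api-us": {"dt.entity.process_group": "PG-API", "aws.region": "us-east-1"},
    "pgi-batch-eu": {"dt.entity.process_group": "PG-BATCH", "aws.region": "eu-central-1"},
}

# Rule order matters: the region rule is checked before the process-group rule.
RULES = [
    Rule("ignore-eu", "do_not_monitor", {"aws.region": "eu-central-1"}),
    Rule("monitor-api", "monitor", {"dt.entity.process_group": "PG-API"}),
]

if __name__ == "__main__":
    for name, attrs in INSTANCES.items():
        print(name, effective_control(RULES, attrs))
    print("shadowed:", shadowed_rules(RULES, INSTANCES))
```

Reversing `RULES` changes the outcome for `pgi-api-eu` from ignored to monitored, which is the effect the FAQ entry on rule order describes.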