To include or exclude specific entities from being monitored by Runtime Vulnerability Analytics, you can set up fine-grained monitoring rules for third-party vulnerabilities based on different criteria.
If you define custom monitoring rules, the global third-party vulnerability detection control mode applies to all entities that are not matched by a rule.
There are currently two ways to set up monitoring rules:
Based on resource attributes and Kubernetes labels recommended
Based on process group tag, host tag, and management zones
To start monitoring based on your rules, you need to activate the corresponding monitoring criteria. The two criteria cannot be in place at the same time. When one is activated, the other one is deactivated. You can switch between them at any time.
For environments created on Dynatrace version 1.313+, classic monitoring rules based on process group tag, host tag, and management zones aren't available; you can set up monitoring rules based on resource attributes and Kubernetes labels.
To activate your preferred way to define monitoring
In Dynatrace, go to Settings > Application Security > General settings > Third-party Vulnerability Analytics.
Make one of the following changes:
Your setting will persist until you change it again.
For environments created on Dynatrace version 1.313+, new monitoring rules are activated by default (no action is required from your side).
recommended
With the new monitoring rules, you can define which processes and Kubernetes nodes and hosts should be monitored.
Process rules are based on resource attributes.
Kubernetes node and host rules are based on Kubernetes labels.
You can define new monitoring rules through the Dynatrace web UI or the Settings API.
In Dynatrace, go to Settings > Application Security > New monitoring rules: Third-party.
In the Resource attribute monitoring rules (…) tab, select Add new rule.
Follow the on-screen instructions.
A condition's key and value fields are free text fields. On-screen suggestions aren't mandatory.
Select Preview matching process group instances to verify if the condition matches the expected processes.
All conditions of a rule must match for the rule to apply.
Select Save changes.
To start monitoring based on your preferred monitoring criterion, make sure it's activated.
You can edit, disable, enable, or remove rules at any time.
You can read or modify the rules using the Settings API.
To view a monitoring rule, use the GET an object request. Set the following parameters:
schemaIds=builtin:appsec.third-party-vulnerability-rule-settingsscopes=tenant{"items": [{"objectId": "vu9U3hXa3q0AAAABADZidWlsdGluOmFwcHNlYy50aGlyZC1wYXJ0eS12dWxuZXJhYmlsaXR5LXJ1bGUtc2V0dGluZ3MABnRlbmFudAAGdGVuYW50ACQ1YWYzOWNiZC0xM2I0LTNlZmItYTViYi1iYzljNTgyOTQxNze-71TeFdrerQ","value": {"enabled": true,"vulnerabilityDetectionControl": {"monitoringMode": "MONITORING_OFF"},"resourceAttributeConditions": [{"resourceAttributeKey": "dt.entity.host","matcher": "EQUALS","resourceAttributeValue": "HOST-ABD42981B3D483AC"}],"metadata": {"comment": ""}}},{"objectId": "vu9U3hXa3q0AAAABADZidWlsdGluOmFwcHNlYy50aGlyZC1wYXJ0eS12dWxuZXJhYmlsaXR5LXJ1bGUtc2V0dGluZ3MABnRlbmFudAAGdGVuYW50ACQ4NDQ1OGRjNC1lM2Q2LTM2MGYtOWQyYy1lNmYwMTY1MzAwMza-71TeFdrerQ","value": {"enabled": false,"vulnerabilityDetectionControl": {"monitoringMode": "MONITORING_ON"},"resourceAttributeConditions": [{"resourceAttributeKey": "attribute_2","matcher": "EXISTS"}],"metadata": {"comment": ""}}},{"objectId": "vu9U3hXa3q0AAAABADZidWlsdGluOmFwcHNlYy50aGlyZC1wYXJ0eS12dWxuZXJhYmlsaXR5LXJ1bGUtc2V0dGluZ3MABnRlbmFudAAGdGVuYW50ACRjNzk3M2I4YS1kYmFjLTMxMzAtYjdjMy0zYjYxNGMxOWU1NzK-71TeFdrerQ","value": {"enabled": false,"vulnerabilityDetectionControl": {"monitoringMode": "MONITORING_OFF"},"resourceAttributeConditions": [{"resourceAttributeKey": "my.app.name","matcher": "EQUALS","resourceAttributeValue": "cool-app"}],"metadata": {"comment": ""}}}],"totalCount": 3,"pageSize": 100}
To modify a monitoring rule, use the POST an object request.
[{"value": {"enabled": true,"vulnerabilityDetectionControl": {"monitoringMode": "MONITORING_OFF"},"resourceAttributeConditions": [{"resourceAttributeKey": "dt.entity.host","matcher": "EQUALS","resourceAttributeValue": "HOST-ABD42981B3D483AC"}],"metadata": { "comment": "" }},"schemaId": "builtin:appsec.third-party-vulnerability-rule-settings","scope": "tenant"},{"value": {"enabled": false,"vulnerabilityDetectionControl": { "monitoringMode": "MONITORING_ON" },"resourceAttributeConditions": [{"resourceAttributeKey": "attribute_2","matcher": "EXISTS"}],"metadata": { "comment": "" }},"schemaId": "builtin:appsec.third-party-vulnerability-rule-settings","scope": "tenant"},{"value": {"enabled": false,"vulnerabilityDetectionControl": {"monitoringMode": "MONITORING_OFF"},"resourceAttributeConditions": [{"resourceAttributeKey": "my.app.name","matcher": "EQUALS","resourceAttributeValue": "cool-app"}],"metadata": {"comment": ""}},"schemaId": "builtin:appsec.third-party-vulnerability-rule-settings","scope": "tenant"}]
After you add, edit, or remove a rule, it can take up to 10 minutes for changes to take effect throughout the system. The configured monitoring rules are evaluated periodically (on internal worker runs) and on-demand (through calls to the REST API).
Exception: After an entity that was previously monitored is excluded from monitoring, it can take up to 70 minutes for changes to take effect throughout the system. For details, see How host coverage is calculated.
Regardless of the calling context, the rule evaluation stays the same: given a set of entities, the algorithm decides whether a specific entity should be monitored. The rules are processed in order until the first match.
For some common scenarios for defining monitoring rules, see Use cases for monitoring rules.
Classic monitoring rules are based on process group tag, host tag, and management zones.
You can define classic monitoring rules through the Dynatrace web UI or the Settings API.
To add a new rule
Go to Settings > Application Security > Vulnerability Analytics > Monitoring rules: Third-party.
Select Add new rule to add a new rule.
Enter the requested information (mode, property, condition operator, and condition value).
The Process tag property applies to process groups, not processes.
Select Save changes.
You can edit, disable, enable, or remove rules at any time.
You can read or modify the rules using the Settings API.
To view a monitoring rule, use the GET an object request. Set the following parameters:
schemaIds=builtin:appsec.rule-settingsscopes=tenant{"items": [{"objectId": "vu9U3hXa3q0AAAABABxidWlsdGluOmFwcHNlYy5ydWxlLXNldHRpbmdzAAZ0ZW5hbnQABnRlbmFudAAkYTc4NjY0NGItZmVjNC0zNzliLWI0MWItNThmYzgzOWZmYWY5vu9U3hXa3q0","value": {"enabled": true,"mode": "MONITORING_OFF","property": "PROCESS_TAG","operator": "EQUALS","value": "super secret process"}},{"objectId": "vu9U3hXa3q0AAAABABxidWlsdGluOmFwcHNlYy5ydWxlLXNldHRpbmdzAAZ0ZW5hbnQABnRlbmFudAAkNDhkZGYxNDMtYzc2Mi0zYzIwLWI1ODAtNTNhODEwOGZlMDBivu9U3hXa3q0","value": {"enabled": true,"mode": "MONITORING_ON","property": "HOST_TAG","operator": "NOT_EQUALS","value": "Test"}},{"objectId": "vu9U3hXa3q0AAAABABxidWlsdGluOmFwcHNlYy5ydWxlLXNldHRpbmdzAAZ0ZW5hbnQABnRlbmFudAAkNmY1NjZkNmItYWMyNy0zOTg2LWE1OGItNTU2ZTI1NTE5NTcyvu9U3hXa3q0","value": {"enabled": false,"mode": "MONITORING_ON","property": "MANAGEMENT_ZONE","operator": "EQUALS","value": "Monitorme"}}],"totalCount": 3,"pageSize": 100}
To modify a monitoring rule, use the POST an object request.
[{"value": {"enabled": true,"mode": "MONITORING_ON","property": "HOST_TAG","operator": "EQUALS","value": "REST"},"scope": "tenant","schemaId": "builtin:appsec.rule-settings"},{"value": {"enabled": true,"mode": "MONITORING_OFF","property": "PROCESS_TAG","operator": "NOT_EQUALS","value": "Test-Process"},"scope": "tenant","schemaId": "builtin:appsec.rule-settings"}]
For Kubernetes environments, you need to add tags both on the host and on the Kubernetes node.
After you add, edit, or remove a rule, it can take up to 15 minutes for changes to take effect throughout the system. The configured monitoring rules are evaluated periodically (on internal worker runs) and on-demand (through calls to the REST API).
Regardless of the calling context, the rule evaluation stays the same: given a set of entities, the algorithm decides whether a specific entity should be monitored. The rules are processed in order until the first match. Note that each rule must be unique.
When you have a rule in place for a management zone or tag, and you add an entity to the same management zone or add the same tag to an entity, it can take up to 15 minutes until the change is reflected in your monitoring rule.
For example, if you have a Do not monitor if host tag equals 'testsystem' rule, and you add the tag testsystem to a host, it can take up to 15 minutes until the newly tagged host stops being monitored.
If a rule matches a specific entity, the configured mode (Monitor, Do not monitor) is used and subsequent rules are not evaluated for this particular entity.
If no rule matches a specific entity, the global third-party vulnerability detection control mode is used.
The order of the monitoring rules is important: As soon as a rule matches an entity, the entity won't be considered by any of the later rules. Consequently, specific rules should come before general rules.
Automatic migration from the classic to the new monitoring rules isn't possible. You need to recreate the rules, or you can create new rules from scratch.
Classic monitoring rules
No restart is required. For more information, see FAQ: Is restart required after enabling or disabling an Application Security feature or functionality?
New monitoring rules Classic monitoring rules
New monitoring rules Classic monitoring rules