To include or exclude specific entities from being monitored by Runtime Vulnerability Analytics, you can set up fine-grained monitoring rules for third-party vulnerabilities based on different criteria.
If you define custom monitoring rules, the global third-party vulnerability detection control mode applies to all entities that are not matched by a rule.
There are currently two ways to set up monitoring rules:
Based on resource attributes and Kubernetes labels (recommended)
Based on process group tag, host tag, and management zones
To start monitoring based on your rules, you need to activate the corresponding monitoring criteria. The two criteria cannot be in place at the same time. When one is activated, the other one is deactivated. You can switch between them at any time.
For environments created on Dynatrace version 1.313+, classic monitoring rules based on process group tag, host tag, and management zones aren't available; you can set up monitoring rules based on resource attributes and Kubernetes labels.
To activate your preferred way to define monitoring
In Dynatrace, go to Settings > Application Security > General settings > Third-party Vulnerability Analytics.
Make one of the following changes:
Your setting will persist until you change it again.
For environments created on Dynatrace version 1.313+, new monitoring rules are activated by default (no action is required from your side).
With the new monitoring rules, you can define which processes and Kubernetes nodes and hosts should be monitored.
Process rules are based on resource attributes.
Kubernetes node and host rules are based on Kubernetes labels.
You can define new monitoring rules through the Dynatrace web UI or the Settings API.
In Dynatrace, go to Settings > Application Security > New monitoring rules: Third-party.
In the Resource attribute monitoring rules (…) tab, select Add new rule.
Follow the on-screen instructions.
A condition's key and value fields are free text fields. On-screen suggestions aren't mandatory.
Select Preview matching process group instances to verify if the condition matches the expected processes.
All conditions of a rule must match for the rule to apply.
Select Save changes.
To start monitoring based on your preferred monitoring criterion, make sure it's activated.
You can edit, disable, enable, or remove rules at any time.
You can read or modify the rules using the Settings API.
To view a monitoring rule, use the GET an object request. Set the following parameters:
schemaIds=builtin:appsec.third-party-vulnerability-rule-settings
scopes=tenant
{
  "items": [
    {
      "objectId": "vu9U3hXa3q0AAAABADZidWlsdGluOmFwcHNlYy50aGlyZC1wYXJ0eS12dWxuZXJhYmlsaXR5LXJ1bGUtc2V0dGluZ3MABnRlbmFudAAGdGVuYW50ACQ1YWYzOWNiZC0xM2I0LTNlZmItYTViYi1iYzljNTgyOTQxNze-71TeFdrerQ",
      "value": {
        "enabled": true,
        "vulnerabilityDetectionControl": { "monitoringMode": "MONITORING_OFF" },
        "resourceAttributeConditions": [
          { "resourceAttributeKey": "dt.entity.host", "matcher": "EQUALS", "resourceAttributeValue": "HOST-ABD42981B3D483AC" }
        ],
        "metadata": { "comment": "" }
      }
    },
    {
      "objectId": "vu9U3hXa3q0AAAABADZidWlsdGluOmFwcHNlYy50aGlyZC1wYXJ0eS12dWxuZXJhYmlsaXR5LXJ1bGUtc2V0dGluZ3MABnRlbmFudAAGdGVuYW50ACQ4NDQ1OGRjNC1lM2Q2LTM2MGYtOWQyYy1lNmYwMTY1MzAwMza-71TeFdrerQ",
      "value": {
        "enabled": false,
        "vulnerabilityDetectionControl": { "monitoringMode": "MONITORING_ON" },
        "resourceAttributeConditions": [
          { "resourceAttributeKey": "attribute_2", "matcher": "EXISTS" }
        ],
        "metadata": { "comment": "" }
      }
    },
    {
      "objectId": "vu9U3hXa3q0AAAABADZidWlsdGluOmFwcHNlYy50aGlyZC1wYXJ0eS12dWxuZXJhYmlsaXR5LXJ1bGUtc2V0dGluZ3MABnRlbmFudAAGdGVuYW50ACRjNzk3M2I4YS1kYmFjLTMxMzAtYjdjMy0zYjYxNGMxOWU1NzK-71TeFdrerQ",
      "value": {
        "enabled": false,
        "vulnerabilityDetectionControl": { "monitoringMode": "MONITORING_OFF" },
        "resourceAttributeConditions": [
          { "resourceAttributeKey": "my.app.name", "matcher": "EQUALS", "resourceAttributeValue": "cool-app" }
        ],
        "metadata": { "comment": "" }
      }
    }
  ],
  "totalCount": 3,
  "pageSize": 100
}
To modify a monitoring rule, use the POST an object request.
[
  {
    "value": {
      "enabled": true,
      "vulnerabilityDetectionControl": { "monitoringMode": "MONITORING_OFF" },
      "resourceAttributeConditions": [
        { "resourceAttributeKey": "dt.entity.host", "matcher": "EQUALS", "resourceAttributeValue": "HOST-ABD42981B3D483AC" }
      ],
      "metadata": { "comment": "" }
    },
    "schemaId": "builtin:appsec.third-party-vulnerability-rule-settings",
    "scope": "tenant"
  },
  {
    "value": {
      "enabled": false,
      "vulnerabilityDetectionControl": { "monitoringMode": "MONITORING_ON" },
      "resourceAttributeConditions": [
        { "resourceAttributeKey": "attribute_2", "matcher": "EXISTS" }
      ],
      "metadata": { "comment": "" }
    },
    "schemaId": "builtin:appsec.third-party-vulnerability-rule-settings",
    "scope": "tenant"
  },
  {
    "value": {
      "enabled": false,
      "vulnerabilityDetectionControl": { "monitoringMode": "MONITORING_OFF" },
      "resourceAttributeConditions": [
        { "resourceAttributeKey": "my.app.name", "matcher": "EQUALS", "resourceAttributeValue": "cool-app" }
      ],
      "metadata": { "comment": "" }
    },
    "schemaId": "builtin:appsec.third-party-vulnerability-rule-settings",
    "scope": "tenant"
  }
]
You can easily verify which hosts are covered by your monitoring rules, regardless of whether the rules are currently enabled.
Go to Settings > Application Security > New monitoring rules: Third-party.
Select Show monitored hosts. This takes you to Hosts or Hosts Classic, filtered to display only the hosts covered by your rules.
Optional: Use the timeframe selector to choose a period and view the hosts that were monitored during that time. Keep in mind that this doesn't confirm whether those hosts are still being actively monitored.
For the most accurate view of currently monitored hosts, select a shorter timeframe. For example, if a host was monitored 23 hours ago, only for one hour, and you select a 24-hour timeframe, the host will still appear in the list, even if it's no longer actively monitored.
Newly monitored hosts may take up to 10 minutes to appear in the preview.
Why use host preview?
After you add, edit, or remove a rule, it can take up to 10 minutes for changes to take effect throughout the system. The configured monitoring rules are evaluated periodically (on internal worker runs) and on-demand (through calls to the REST API).
Exception: After an entity that was previously monitored is excluded from monitoring, it can take up to 70 minutes for changes to take effect throughout the system. For details, see How host coverage is calculated.
Regardless of the calling context, the rule evaluation stays the same: given a set of entities, the algorithm decides whether a specific entity should be monitored. The rules are processed in order until the first match.
For some common scenarios for defining monitoring rules, see Use cases for monitoring rules.
Classic monitoring rules are based on process group tag, host tag, and management zones.
You can define classic monitoring rules through the Dynatrace web UI or the Settings API.
To add a new rule
Go to Settings > Application Security > Vulnerability Analytics > Monitoring rules: Third-party.
Select Add new rule.
Enter the requested information (mode, property, condition operator, and condition value).
The Process tag property applies to process groups, not processes.
Select Save changes.
You can edit, disable, enable, or remove rules at any time.
You can read or modify the rules using the Settings API.
To view a monitoring rule, use the GET an object request. Set the following parameters:
schemaIds=builtin:appsec.rule-settings
scopes=tenant
{
  "items": [
    {
      "objectId": "vu9U3hXa3q0AAAABABxidWlsdGluOmFwcHNlYy5ydWxlLXNldHRpbmdzAAZ0ZW5hbnQABnRlbmFudAAkYTc4NjY0NGItZmVjNC0zNzliLWI0MWItNThmYzgzOWZmYWY5vu9U3hXa3q0",
      "value": {
        "enabled": true,
        "mode": "MONITORING_OFF",
        "property": "PROCESS_TAG",
        "operator": "EQUALS",
        "value": "super secret process"
      }
    },
    {
      "objectId": "vu9U3hXa3q0AAAABABxidWlsdGluOmFwcHNlYy5ydWxlLXNldHRpbmdzAAZ0ZW5hbnQABnRlbmFudAAkNDhkZGYxNDMtYzc2Mi0zYzIwLWI1ODAtNTNhODEwOGZlMDBivu9U3hXa3q0",
      "value": {
        "enabled": true,
        "mode": "MONITORING_ON",
        "property": "HOST_TAG",
        "operator": "NOT_EQUALS",
        "value": "Test"
      }
    },
    {
      "objectId": "vu9U3hXa3q0AAAABABxidWlsdGluOmFwcHNlYy5ydWxlLXNldHRpbmdzAAZ0ZW5hbnQABnRlbmFudAAkNmY1NjZkNmItYWMyNy0zOTg2LWE1OGItNTU2ZTI1NTE5NTcyvu9U3hXa3q0",
      "value": {
        "enabled": false,
        "mode": "MONITORING_ON",
        "property": "MANAGEMENT_ZONE",
        "operator": "EQUALS",
        "value": "Monitorme"
      }
    }
  ],
  "totalCount": 3,
  "pageSize": 100
}
To modify a monitoring rule, use the POST an object request.
[
  {
    "value": {
      "enabled": true,
      "mode": "MONITORING_ON",
      "property": "HOST_TAG",
      "operator": "EQUALS",
      "value": "REST"
    },
    "scope": "tenant",
    "schemaId": "builtin:appsec.rule-settings"
  },
  {
    "value": {
      "enabled": true,
      "mode": "MONITORING_OFF",
      "property": "PROCESS_TAG",
      "operator": "NOT_EQUALS",
      "value": "Test-Process"
    },
    "scope": "tenant",
    "schemaId": "builtin:appsec.rule-settings"
  }
]
For Kubernetes environments, you need to add tags both on the host and on the Kubernetes node.
You can easily verify which hosts are covered by your monitoring rules, regardless of whether the rules are currently enabled.
Go to Settings > Application Security > Classic monitoring rules: Third-party.
Select Show monitored hosts. This takes you to Hosts or Hosts Classic, filtered to display only the hosts covered by your rules.
Optional: Use the timeframe selector to choose a period and view the hosts that were monitored during that time. Keep in mind that this doesn't confirm whether those hosts are still being actively monitored.
For the most accurate view of currently monitored hosts, select a shorter timeframe. For example, if a host was monitored 23 hours ago, only for one hour, and you select a 24-hour timeframe, the host will still appear in the list, even if it's no longer actively monitored.
Newly monitored hosts may take up to 10 minutes to appear in the preview.
Why use host preview?
It works independently of monitoring rule activation: Hosts appear in the preview, regardless of whether rules are enabled.
It helps validate rule scope: You can ensure your rule configuration covers the intended hosts.
It supports rule optimization: Based on the preview, you can adjust the rules to ensure your configuration is effective before enforcement.
To transition from classic to new monitoring rules, open both previews side by side for a direct comparison. Once you've confirmed that the migration aligns with your expectations, you can confidently enable the new monitoring rules.
After you add, edit, or remove a rule, it can take up to 15 minutes for changes to take effect throughout the system. The configured monitoring rules are evaluated periodically (on internal worker runs) and on-demand (through calls to the REST API).
Regardless of the calling context, the rule evaluation stays the same: given a set of entities, the algorithm decides whether a specific entity should be monitored. The rules are processed in order until the first match. Note that each rule must be unique.
When you have a rule in place for a management zone or tag, and you add an entity to the same management zone or add the same tag to an entity, it can take up to 15 minutes until the change is reflected in your monitoring rule.
For example, if you have a Do not monitor if host tag equals 'testsystem' rule, and you add the tag testsystem to a host, it can take up to 15 minutes until the newly tagged host stops being monitored.
If a rule matches a specific entity, the configured mode (Monitor, Do not monitor) is used and subsequent rules are not evaluated for this particular entity.
If no rule matches a specific entity, the global third-party vulnerability detection control mode is used.
The order of the monitoring rules is important: As soon as a rule matches an entity, the entity won't be considered by any of the later rules. Consequently, specific rules should come before general rules.
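The first-match evaluation and global fallback described above, as an added example (not Dynatrace code) that also flags rules made unreachable by an earlier, more general rule, which is how an intended exclusion or inclusion silently stops applying. It uses the resource-attribute rule shape from the Settings API objects on this page and covers only the EQUALS and EXISTS matchers shown there; skipping disabled rules and passing the global mode as a MONITORING_ON/MONITORING_OFF string are assumptions, and the function names are hypothetical.

```python
# Constructed rules, shaped like the Settings API "value" objects on this page.
RULES = [
    {"enabled": True,
     "vulnerabilityDetectionControl": {"monitoringMode": "MONITORING_ON"},
     "resourceAttributeConditions": [
         {"resourceAttributeKey": "my.app.name", "matcher": "EXISTS"}]},
    {"enabled": True,
     "vulnerabilityDetectionControl": {"monitoringMode": "MONITORING_OFF"},
     "resourceAttributeConditions": [
         {"resourceAttributeKey": "my.app.name", "matcher": "EQUALS",
          "resourceAttributeValue": "cool-app"}]},
]

def cond_matches(cond, attrs):
    key = cond["resourceAttributeKey"]
    if cond["matcher"] == "EXISTS":
        return key in attrs
    if cond["matcher"] == "EQUALS":
        return key in attrs and attrs[key] == cond["resourceAttributeValue"]
    raise ValueError(f"matcher not covered by this example: {cond['matcher']}")

def evaluate(rules, attrs, global_mode):
    """Return (mode, index of the deciding rule), or (global_mode, None)."""
    for i, rule in enumerate(rules):
        if not rule["enabled"]:  # assumption: disabled rules are skipped
            continue
        # All conditions of a rule must match; the first matching rule decides.
        if all(cond_matches(c, attrs) for c in rule["resourceAttributeConditions"]):
            return rule["vulnerabilityDetectionControl"]["monitoringMode"], i
    return global_mode, None

def implies(specific, general):
    """True if every entity matching `specific` also matches `general`."""
    if specific["resourceAttributeKey"] != general["resourceAttributeKey"]:
        return False
    if general["matcher"] == "EXISTS":
        return True
    return specific["matcher"] == "EQUALS" and (
        specific["resourceAttributeValue"] == general["resourceAttributeValue"])

def shadowed(rules):
    """(later, earlier) index pairs where the later rule can never decide."""
    out = []
    for j, later in enumerate(rules):
        for i, earlier in enumerate(rules[:j]):
            if earlier["enabled"] and all(
                    any(implies(s, g) for s in later["resourceAttributeConditions"])
                    for g in earlier["resourceAttributeConditions"]):
                out.append((j, i))
                break
    return out
```

With the constructed rules in this order, the cool-app exclusion is never reached; reversing the list puts the specific rule first and clears the finding.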
Automatic migration from the classic to the new monitoring rules isn't possible. You need to recreate the rules, or you can create new rules from scratch and preview the monitored hosts to ensure the desired hosts are covered.
No restart is required. For more information, see FAQ: Is restart required after enabling or disabling an Application Security feature or functionality?