Use cases for monitoring rules

Below are some common scenarios for defining monitoring rules for third-party vulnerabilities based on resource attributes and Kubernetes labels.

Monitor only the processes on specific hosts

  1. In Dynatrace, go to Settings > Application Security > General settings > Third-party Vulnerability Analytics and set Global third-party vulnerability detection control to Do not monitor.

  2. Find the host on which you want to monitor processes (for example, via Infrastructure & Operations).

  3. Copy the hostname (for example, exchange.mycompany.local) from the overview.

  4. Add a new resource attribute monitoring rule:

    • Set Third-party vulnerability control to Monitor.

    • Select Add new condition and enter the following data:

      • Resource attribute key: host.name

      • Matcher: equals

      • Resource attribute value: hostname from step 3.

    • Check the preview to see if the condition matches the expected processes.

    • Save the rule.

Monitor only the Java processes on specific hosts

  1. In Dynatrace, go to Settings > Application Security > General settings > Third-party Vulnerability Analytics and set Global third-party vulnerability detection control to Do not monitor.

  2. Find the host on which you want to monitor processes (for example, via Infrastructure & Operations).

  3. Copy the hostname (for example, exchange.mycompany.local) from the overview.

  4. Add a new resource attribute monitoring rule:

    • Set Third-party vulnerability control to Monitor.

    • To create a condition that matches the host, select Add new condition and enter the following data:

      • Resource attribute key: host.name

      • Matcher: equals

      • Resource attribute value: hostname from step 3.

    • To create a condition that matches the technology, select Add new condition and enter the following data:

      • Resource attribute key: java.main.class

      • Matcher: exists

    • Check the preview to see if the conditions match the expected processes.

    • Save the rule.

Exclude .NET processes of specific hosts from monitoring

  1. In Dynatrace, go to Settings > Application Security > General settings > Third-party Vulnerability Analytics and set Global third-party vulnerability detection control to Monitor.

  2. Find the host on which you want to monitor processes (for example, via Infrastructure & Operations).

  3. Copy the hostname (for example, exchange.mycompany.local) from the overview.

  4. Add a new resource attribute monitoring rule:

    • Set Third-party vulnerability control to Do not monitor.

    • To create a condition that matches the host, select Add new condition and enter the following data:

      • Resource attribute key: host.name

      • Matcher: equals

      • Resource attribute value: hostname from step 3.

    • To create a condition that matches the technology, select Add new condition and enter the following data:

      • Resource attribute key: dotnet.dll.file

      • Matcher: exists

    • Check the preview to see if the conditions match the expected processes.

    • Save the rule.

Monitor only processes with a custom resource attribute

  1. In Dynatrace, go to Settings > Application Security > General settings > Third-party Vulnerability Analytics and set Global third-party vulnerability detection control to Do not monitor.

  2. Add a custom resource attribute (for example, {"stage":"production"}) to your entities.

  3. Add a new resource attribute monitoring rule:

    • Set Third-party vulnerability control to Monitor.

    • Select Add new condition and enter the following data:

      • Resource attribute key: key of the custom resource attribute from step 2 (for example, stage)

      • Matcher: equals

      • Resource attribute value: value of the custom resource attribute from step 2 (for example, production)

    • Check the preview to see if the condition matches the expected processes.

    • Save the rule.

Monitor only processes of a specific process group

  1. In Dynatrace, go to Settings > Application Security > General settings > Third-party Vulnerability Analytics and set Global third-party vulnerability detection control to Do not monitor.

  2. Find the process group on which you want to monitor processes (for example, via the Technologies & Processes Classic app).

  3. Copy the process group ID (for example, PROCESS_GROUP-0123456789ABCDEF) from the URL.

  4. Add a new resource attribute monitoring rule:

    • Set Third-party vulnerability control to Monitor.

    • Select Add new condition and enter the following data:

      • Resource attribute key: dt.entity.process_group

      • Matcher: equals

      • Resource attribute value: ID of the process group from step 3.

    • Check the preview to see if the condition matches the expected processes.

    • Save the rule.

Monitor only processes running in a specific Kubernetes namespace

  1. In Dynatrace, go to Settings > Application Security > General settings > Third-party Vulnerability Analytics and set Global third-party vulnerability detection control to Do not monitor.

  2. Add a new resource attribute monitoring rule:

    • Set Third-party vulnerability control to Monitor.

    • Select Add new condition and enter the following data:

      • Resource attribute key: k8s.namespace.name

      • Matcher: equals

      • Resource attribute value: namespace name that should be monitored

    • Check the preview to see if the condition matches the expected processes.

    • Save the rule.

Monitor only Kubernetes nodes and hosts running a Linux-based OS for Kubernetes vulnerabilities

  1. In Dynatrace, go to Settings > Application Security > General settings > Third-party Vulnerability Analytics and set Global third-party vulnerability detection control to Do not monitor.

  2. Add a new Kubernetes monitoring rule:

    • Set Third-party vulnerability control to Monitor.

    • Select Add new condition and enter the following data:

      • Kubernetes label key: kubernetes.io/os

      • Matcher: equals

      • Kubernetes label value: linux

    • Check the preview to see if the condition matches the expected Kubernetes nodes.

    • Save the rule.

Monitor only EC2 instances for Kubernetes vulnerabilities

  1. In Dynatrace, go to Settings > Application Security > General settings > Third-party Vulnerability Analytics and set Global third-party vulnerability detection control to Do not monitor.

  2. Add a new Kubernetes monitoring rule:

    • Set Third-party vulnerability control to Monitor.

    • Select Add new condition and enter the following data:

      • Kubernetes label key: kubernetes.io/hostname

      • Matcher: ends with

      • Kubernetes label value: .ec2.internal

    • Check the preview to see if the condition matches the expected Kubernetes nodes.

    • Save the rule.

Exclude ARM-based nodes from monitoring of Kubernetes vulnerabilities

  1. In Dynatrace, go to Settings > Application Security > General settings > Third-party Vulnerability Analytics and set Global third-party vulnerability detection control to Monitor.

  2. Add a new Kubernetes monitoring rule:

    • Set Third-party vulnerability control to Do not monitor.

    • Select Add new condition and enter the following data:

      • Kubernetes label key: kubernetes.io/arch

      • Matcher: contains

      • Kubernetes label value: arm

    • Check the preview to see if the condition matches the expected Kubernetes nodes.

    • Save the rule.

Monitor all Java processes except the Java demo application process on the development hosts

  1. In Dynatrace, go to Settings > Application Security > General settings > Third-party Vulnerability Analytics and set Global third-party vulnerability detection control to Do not monitor.

  2. Copy the fully qualified name (FQN) of the Java main class of your demo application (for example, com.example.my.DemoMain).

  3. Find the development host on which you don't want to monitor the demo application process (for example, via Infrastructure & Operations).

  4. Copy the hostname (for example, exchange.mycompany.local) from the overview.

  5. Add a new resource attribute monitoring rule to exclude the demo application process on the development host:

    • Set Third-party vulnerability control to Do not monitor.

    • To create a condition that matches the development host, select Add new condition and enter the following data:

      • Resource attribute key: host.name

      • Matcher: equals

      • Resource attribute value: hostname from step 4.

    • To create a condition that matches the demo application process, select Add new condition and enter the following data:

      • Resource attribute key: java.main.class

      • Matcher: equals

      • Resource attribute value: main class from step 2.

    • Check the preview to see if the conditions match the expected processes.

    • Save the rule.

  6. Add a new resource attribute monitoring rule to monitor all remaining Java processes:

    • Set Third-party vulnerability control to Monitor.

    • To create a condition that matches the technology, select Add new condition and enter the following data:

      • Resource attribute key: java.main.class

      • Matcher: exists

    • Check the preview to see if the condition matches the expected processes.

    • Save the rule.

The order of the monitoring rules is important: As soon as a rule matches an entity, the entity won't be considered by any of the later rules. Consequently, specific rules should come before general rules.
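
The first-match behavior described above can be checked offline before rules are saved. The following is an added example, not Dynatrace code: a minimal Python model that evaluates the two rules from the last use case in both orders. It assumes that all conditions within a rule must hold (logical AND) and that the global setting applies when no rule matches; the rule structure, the function names and the main class com.example.shop.Main are constructed for illustration.

```python
# Added illustration: a minimal model of first-match rule evaluation.
# Not Dynatrace code; matcher names come from the page, the rest is assumed.

MATCHERS = {
    "equals": lambda actual, expected: actual == expected,
    "exists": lambda actual, expected: actual is not None,
    "ends with": lambda actual, expected: actual is not None and actual.endswith(expected),
    "contains": lambda actual, expected: actual is not None and expected in actual,
}

def rule_matches(rule, attributes):
    # Assumption: every condition of a rule must hold (logical AND).
    return all(
        MATCHERS[matcher](attributes.get(key), value)
        for key, matcher, value in rule["conditions"]
    )

def decide(rules, attributes, global_default):
    """Return the control of the first matching rule, else the global setting."""
    for rule in rules:
        if rule_matches(rule, attributes):
            return rule["control"]  # later rules are never consulted
    return global_default

# Constructed sample rules and processes based on the page's example values.
EXCLUDE_DEMO = {
    "control": "Do not monitor",
    "conditions": [
        ("host.name", "equals", "exchange.mycompany.local"),
        ("java.main.class", "equals", "com.example.my.DemoMain"),
    ],
}
MONITOR_JAVA = {
    "control": "Monitor",
    "conditions": [("java.main.class", "exists", None)],
}
DEMO_ON_DEV = {"host.name": "exchange.mycompany.local",
               "java.main.class": "com.example.my.DemoMain"}
OTHER_JAVA = {"host.name": "exchange.mycompany.local",
              "java.main.class": "com.example.shop.Main"}
NON_JAVA = {"host.name": "exchange.mycompany.local"}

def evaluate_all(rules):
    """Decisions for the demo process, another Java process, a non-Java process."""
    return [decide(rules, p, "Do not monitor") for p in (DEMO_ON_DEV, OTHER_JAVA, NON_JAVA)]

if __name__ == "__main__":
    print("specific first:", evaluate_all([EXCLUDE_DEMO, MONITOR_JAVA]))
    print("general first: ", evaluate_all([MONITOR_JAVA, EXCLUDE_DEMO]))
```

With the general rule first, the demo application process is matched by the "exists" condition and monitored, so the exclusion rule never takes effect.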