Threat Observability

Latest Dynatrace

In a world where security data is constantly increasing in scale, DevSecOps teams find themselves lost in siloed tooling, overwhelmed by the number of alerts. This leads to missed threats and increased security risks. A lot of manual effort is required to assemble all the puzzle pieces and act on the security findings.

Dynatrace Threat Observability offers a platform that unifies and enriches the security data with the runtime context. This helps to break the informational siloes between various tools and environments and contributes to efficient risk mitigation.

Leveraging Grail and DQL, you can uniformly consume Dynatrace-generated and third-party security findings, enabling multiple use cases that contribute to:

  • Findings prioritization with runtime context
  • Security data visualization and reporting
  • Automation of ticket creation and notifications
  • Security investigation and threat hunting
  • Threat detection and remediation

With a wide range of security integrations and OpenPipeline ingest, the Dynatrace observability and security platform interoperates with your ecosystem of products, providing more significant value from the generated data.

This section aims to give you a better understanding of data in the security context so you can easily accomplish various use cases with security-related data available on Grail. To learn how DQL can help in your daily tasks, see DQL examples for security data.

Data can be ingested in Grail from your monitored environment or from third-party sources.

Data from your monitored environment

Data that Dynatrace collects from your monitored environment and that can be currently queried in Grail consists of: logs, metrics, entities, Davis AI problems and events, system events, business events, and security events.

For information, see Data in Grail and Grail data model.

Data from third-party sources

Dynatrace consumes data from third-party sources, providing consolidated, unified analysis and automation.

For information, see Security events ingest.

Security-related data can be either generated by Dynatrace native capabilities and collected by OneAgent or ActiveGate, or ingested from third-party tools via log ingestion or OpenPipeline.

Security-related data on Grail can provide you answers with different granularity and from various perspectives. You can query, aggregate, visualize, and report data on multiple levels.

The Grail data lakehouse doesn't distinguish security-related data from observability information. You can use all your data in Dynatrace for your security use cases. For example, if you ingested your application authentication logs for business purposes, you can use the same logs to detect potential brute force attacks on your customer accounts. Below are some examples of how you can use data for security purposes:

Security events

Security events are a type of security-related data consisting of various generated events such as

Storage:

  • Security events generated by Dynatrace from your monitored environment are stored in the default_security_events bucket.
  • Security events ingested from third-party security events are stored in the default_security_custom_events bucket.

Vulnerability events

Vulnerability events can be classified by

  • Event levels (event.level)

    Event levels
    Description
    VULNERABILITY
    The vulnerability on the global level, including general information, global statuses, and changes. The unique identifier is vulnerability.id or vulnerability.display_id.
    ENTITY
    The vulnerable entity with vulnerability-related information scoped to the entity. The unique identifier is a tuple of (affected_entity.id, vulnerability.id).

  • Event groups (event.group_label)

    Event groups
    Description
    CHANGE_EVENT
    Change that occurs on a vulnerability or its affected entity.
    STATE_REPORT
    The full historical state of a vulnerability or its affected entity and is reported periodically over time: OPEN (muted and not muted) vulnerabilities are reported every 15 minutes; RESOLVED vulnerabilities are reported only once (when open vulnerabilities get resolved). To analyze resolved vulnerabilities, filter for the desired time range.

  • Event types (event.type)

    Event types
    Description
    VULNERABILITY_STATE_REPORT_EVENT
    Historical vulnerability states reported periodically.
    VULNERABILITY_COVERAGE_REPORT_EVENT
    Historical coverage events reported periodically.
    VULNERABILITY_STATUS_CHANGE_EVENT
    Vulnerability status changes reported on change. These include resolution and mute statuses.
    VULNERABILITY_ASSESSMENT_CHANGE_EVENT
    Vulnerability assessment changes reported on change. These include the Davis Security Score and Davis assessments.

For a list of vulnerability event fields mapped to Grail, see Dynatrace Semantic Dictionary.

Compliance events

A compliance event is a type of security event specific to Security Posture Management. It represents the assessment of a resource in the context of the rule specified in the compliance standard.

Event types
Description
COMPLIANCE_SCAN_COMPLETED
A compliance scan completed event is generated when a scan of a configuration dataset against compliance rules is completed.
COMPLIANCE_FINDING
A compliance finding event is generated when an object is evaluated against a compliance rule during a scan. The event contains the results of this evaluation and the compliance status of the given object.

For a list of compliance event fields mapped to Grail, see Dynatrace Semantic Dictionary.

With OpenPipeline, you can ingest external security events from multiple third-party products into Grail and operationalize your data on the Dynatrace platform.

Out-of-the-box integrations

Dynatrace provides seamless OpenPipeline integration options for specific technologies.

Ingested data is automatically stored in Grail and mapped to the Dynatrace Semantic Dictionary unified format. We provide sample dashboards and workflows to help you visualize data and automatize notifications.

Support for custom ingestion

You can use our built-in security events API endpoint or create a custom API endpoint to ingest any kind of security events from any third-party system into Grail.

You can configure a pipeline to manually map your data to the Semantic Dictionary conventions. This enables you to use our sample dashboard, Jira workflow, and Slack workflow.