Threat Observability concepts
- Latest Dynatrace
- Concept
This section aims to give you a better understanding of data in the security context so you can easily accomplish various use cases with security-related data available on Grail. To learn how DQL can help in your daily tasks, see DQL examples for security data.
Types of data available in Grail
Data can be ingested in Grail from your monitored environment or from third-party sources.
Data from your monitored environment
Data that Dynatrace collects from your monitored environment and that can be currently queried in Grail consists of: logs, metrics, entities, Davis AI problems and events, system events, business events, and security events.
For information, see Data in Grail and Grail data model.
Data from third-party sources
Dynatrace consumes data from third-party sources, providing consolidated, unified analysis and automation.
For information, see Security events ingest.
Security-related data
Security-related data can be either generated by Dynatrace native capabilities and collected by OneAgent or ActiveGate, or ingested from third-party tools via log ingestion or OpenPipeline.
Security-related data on Grail can provide you answers with different granularity and from various perspectives. You can query, aggregate, visualize, and report data on multiple levels.
The Grail data lakehouse doesn't distinguish security-related data from observability information. You can use all your data in Dynatrace for your security use cases. For example, if you ingested your application authentication logs for business purposes, you can use the same logs to detect potential brute force attacks on your customer accounts. Below are some examples of how you can use data for security purposes:
- Context-aware security incident response with Dynatrace Automations and Tetragon
- Overseeing SaaS security with AWS AppFabric and Dynatrace
- Detect VMware Aria Operations for Logs exploitation with Dynatrace and DQL
- TTP-based threat hunting with Dynatrace Security Analytics and Falco Alerts solves alert noise
- Log forensics: Finding malicious activity in multicloud environments with Dynatrace Grail
Security events
This section has been updated to align with the new Grail security events table. For the complete list of updates and actions needed to accomplish the migration, follow the steps in the Grail security table migration guide.
Security events are a type of security-related data consisting of various generated events such as
Storage:
- Security events generated by Dynatrace from your monitored environment are stored in the
default_securityevents_builtinbucket. - Security events ingested from third-party security events are stored in the
default_securityeventsbucket.
Necessary permissions:
- To query ingested security events:
storage:security.events:read. - To query ingested logs:
storage:logs:read.
Vulnerability events
Vulnerability events can be classified by
-
Event levels (
event.level)Event levels Description VULNERABILITYThe vulnerability on the global level, including general information, global statuses, and changes. The unique identifier is vulnerability.idorvulnerability.display_id.ENTITYThe vulnerable entity with vulnerability-related information scoped to the entity. The unique identifier is a tuple of ( affected_entity.id,vulnerability.id). -
Event groups (
event.group_label)Event groups Description CHANGE_EVENTChange that occurs on a vulnerability or its affected entity. STATE_REPORTThe full historical state of a vulnerability or its affected entity and is reported periodically over time: OPEN(muted and not muted) vulnerabilities are reported every 15 minutes;RESOLVEDvulnerabilities are reported only once (when open vulnerabilities get resolved). To analyze resolved vulnerabilities, filter for the desired time range. -
Event types (
event.type)Event types Description VULNERABILITY_STATE_REPORT_EVENTHistorical vulnerability states reported periodically. VULNERABILITY_COVERAGE_REPORT_EVENTHistorical coverage events reported periodically. VULNERABILITY_STATUS_CHANGE_EVENTVulnerability status changes reported on change. These include resolution and mute statuses. VULNERABILITY_ASSESSMENT_CHANGE_EVENTVulnerability assessment changes reported on change. These include the Davis Security Score and Davis assessments.
For a list of vulnerability event fields mapped to Grail, see Dynatrace Semantic Dictionary.
Compliance events
A compliance event is a type of security event specific to the Security Posture Management capability. It represents the assessment of a resource in the context of the rule specified in the compliance standard.
| Event types | Description |
|---|---|
COMPLIANCE_SCAN_COMPLETED | A compliance scan completed event is generated when a scan of a configuration dataset against compliance rules is completed. |
COMPLIANCE_FINDING | A compliance finding event is generated when an object is evaluated against a compliance rule during a scan. The event contains the results of this evaluation and the compliance status of the given object. |
For a list of compliance event fields mapped to Grail, see Dynatrace Semantic Dictionary.
Detection finding events
Use Threats & Exploits 
to evaluate, triage, and investigate detection findings.
A detection finding event is generated when suspicious activity is observed around an object. The event contains all information available and deemed useful at the moment of detection.
| Event types | Description |
|---|---|
DETECTION_FINDING | An alert or detection generated by security tools using correlation algorithms, detection rules, or other analytical methods. |
For a list of detection finding event fields mapped to Grail, see Dynatrace Semantic Dictionary.
OpenPipeline integration types for security events
With OpenPipeline, you can ingest external security events from multiple third-party products into Grail and operationalize your data on the Dynatrace platform.
Out-of-the-box integrations
Dynatrace provides seamless OpenPipeline integration options for specific technologies.
Ingested data is automatically stored in Grail and mapped to the Dynatrace Semantic Dictionary unified format. We provide sample dashboards and workflows to help you visualize data and automatize notifications.
Support for custom ingestion
You can use our built-in security events API endpoint or create a custom API endpoint to ingest any kind of security events from any third-party system into Grail.
You can configure a pipeline to manually map your data to the Semantic Dictionary conventions. This enables you to use our sample dashboard, Jira workflow, and Slack workflow.