This section aims to give you a better understanding of data in the security context so you can easily accomplish various use cases with security-related data available on Grail. To learn how DQL can help in your daily tasks, see DQL examples for security data.
Data can be ingested in Grail from your monitored environment or from third-party sources.
Data that Dynatrace collects from your monitored environment and that can be currently queried in Grail consists of: logs, metrics, entities, Davis AI problems and events, system events, business events, and security events.
For information, see Data in Grail and Grail data model.
Dynatrace consumes data from third-party sources, providing consolidated, unified analysis and automation.
For information, see Security events ingest.
Security-related data can be either generated by Dynatrace native capabilities and collected by OneAgent or ActiveGate, or ingested from third-party tools via log ingestion or OpenPipeline.
Security-related data on Grail can provide you answers with different granularity and from various perspectives. You can query, aggregate, visualize, and report data on multiple levels.
The Grail data lakehouse doesn't distinguish security-related data from observability information. You can use all your data in Dynatrace for your security use cases. For example, if you ingested your application authentication logs for business purposes, you can use the same logs to detect potential brute force attacks on your customer accounts. Below are some examples of how you can use data for security purposes:
This section has been updated to align with the new Grail security events table. For the complete list of updates and actions needed to accomplish the migration, follow the steps in the Grail security table migration guide.
Security events are a type of security-related data consisting of various generated events such as
Storage: default_securityevents_builtin bucket and default_securityevents bucket.
Necessary permissions: storage:security.events:read and storage:logs:read.
Vulnerability events can be classified by event level, event group, and event type.
Event levels (event.level)
Event levels | Description |
---|---|
VULNERABILITY | The vulnerability on the global level, including general information, global statuses, and changes. The unique identifier is vulnerability.id or vulnerability.display_id. |
ENTITY | The vulnerable entity with vulnerability-related information scoped to the entity. The unique identifier is the tuple (affected_entity.id, vulnerability.id). |
Event groups (event.group_label)
Event groups | Description |
---|---|
CHANGE_EVENT | A change that occurs on a vulnerability or its affected entity. |
STATE_REPORT | The full historical state of a vulnerability or its affected entity, reported periodically over time: OPEN (muted and not muted) vulnerabilities are reported every 15 minutes; RESOLVED vulnerabilities are reported only once (when an open vulnerability gets resolved). To analyze resolved vulnerabilities, filter for the desired time range. |
Event types (event.type)
Event types | Description |
---|---|
VULNERABILITY_STATE_REPORT_EVENT | Historical vulnerability states reported periodically. |
VULNERABILITY_COVERAGE_REPORT_EVENT | Historical coverage events reported periodically. |
VULNERABILITY_STATUS_CHANGE_EVENT | Vulnerability status changes reported on change. These include resolution and mute statuses. |
VULNERABILITY_ASSESSMENT_CHANGE_EVENT | Vulnerability assessment changes reported on change. These include the Davis Security Score and Davis assessments. |
For a list of vulnerability event fields mapped to Grail, see Dynatrace Semantic Dictionary.
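As an added example (not a query from the Dynatrace documentation), the following DQL reconstructs the current open-vulnerability state per affected entity from the periodic STATE_REPORT events described above: because OPEN states are re-reported every 15 minutes, a 30-minute window contains at least one report for every open (affected_entity.id, vulnerability.id) pair, and a dedup on that ENTITY-level key keeps only the newest one. It assumes the security.events table named in the permissions above, the standard timestamp field, and the Semantic Dictionary field vulnerability.resolution.status (not shown on this page) for excluding the one-off RESOLVED reports.

```dql
// Current open vulnerabilities per affected entity, rebuilt from periodic
// STATE_REPORT events. OPEN states are re-reported every 15 minutes, so a
// 30-minute window is guaranteed to hold at least one report per open pair.
fetch security.events, from: now() - 30m
| filter event.type == "VULNERABILITY_STATE_REPORT_EVENT"
    and event.group_label == "STATE_REPORT"
    and event.level == "ENTITY"
// Assumed Semantic Dictionary field: drops the single RESOLVED report that
// arrives when an open vulnerability is closed.
    and vulnerability.resolution.status == "OPEN"
// Keep only the newest report for each ENTITY-level key. At the
// VULNERABILITY level the key is vulnerability.id alone.
| dedup {affected_entity.id, vulnerability.id}, sort: {timestamp desc}
// Roll up to one row per vulnerability with the number of affected entities.
| summarize affected_entities = countDistinct(affected_entity.id),
            last_reported = max(timestamp),
            by: {vulnerability.display_id, vulnerability.id}
| sort affected_entities desc
```

Widen the from: window beyond 30 minutes if you also want to see vulnerabilities that were resolved in that period; their single RESOLVED report is then visible once the status filter is removed.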
A compliance event is a type of security event specific to the Security Posture Management capability. It represents the assessment of a resource in the context of the rule specified in the compliance standard.
Event types | Description |
---|---|
COMPLIANCE_SCAN_COMPLETED | A compliance scan completed event is generated when a scan of a configuration dataset against compliance rules is completed. |
COMPLIANCE_FINDING | A compliance finding event is generated when an object is evaluated against a compliance rule during a scan. The event contains the results of this evaluation and the compliance status of the given object. |
For a list of compliance event fields mapped to Grail, see Dynatrace Semantic Dictionary.
Use Threats & Exploits to evaluate, triage, and investigate detection findings.
A detection finding event is generated when suspicious activity is observed around an object. The event contains all information available and deemed useful at the moment of detection.
Event types | Description |
---|---|
DETECTION_FINDING | An alert or detection generated by security tools using correlation algorithms, detection rules, or other analytical methods. |
For a list of detection finding event fields mapped to Grail, see Dynatrace Semantic Dictionary.
With OpenPipeline, you can ingest external security events from multiple third-party products into Grail and operationalize your data on the Dynatrace platform.
Dynatrace provides seamless OpenPipeline integration options for specific technologies.
Ingested data is automatically stored in Grail and mapped to the Dynatrace Semantic Dictionary unified format. We provide sample dashboards and workflows to help you visualize data and automate notifications.
You can use our built-in security events API endpoint or create a custom API endpoint to ingest any kind of security events from any third-party system into Grail.
You can configure a pipeline to manually map your data to the Semantic Dictionary conventions. This enables you to use our sample dashboard, Jira workflow, and Slack workflow.