Ingest vulnerability findings in OCSF format

Latest Dynatrace
How-to guide
Page has not been published yet
Preview

This page has been updated to align with the new Grail security events table. For the complete list of updates and actions needed to accomplish the migration, follow the steps in the Grail security table migration guide.

In the following, you'll learn how to ingest vulnerability findings from any source or provider in a standard format (Open Cybersecurity Schema Framework (OCSF)) into Grail and analyze them on the Dynatrace platform.

Explore in Dynatrace Hub

Ingest security findings in Open Cybersecurity Schema Framework (OCSF) format.

Goal

Get Dynatrace insights for vulnerability findings from any source or provider.
Easily work with your data on the Dynatrace platform in a unified format.

How it works

1. You feed OCSF-formatted data into Grail

Details	You feed the OCSF-formatted data into Grail via our built-in security events OpenPipeline endpoint.
Action required	Follow the instructions in Get started.

2. Data is mapped

Details

The OpenPipe ingest endpoint receives the vulnerability findings and maps (formats) them according to the Semantic Dictionary.

These are stored in a bucket called default_securityevents (for details, see: Built-in Grail buckets).

Ingested data is mapped to Dynatrace Semantic Dictionary. Original vendor data is also preserved alongside the mapped data.

Action required

No action is required from your side.

3. Enjoy the data

After data is ingested into Grail, you can visualize, analyze, and automate data.

Prerequisites

Permissions:
- To query ingested data: storage:security.events:read.

Get started

In Dynatrace, open Dynatrace Hub.
Look for OCSF and select Install.
Select Set up, then select Configure new connection.
Follow the on-screen instructions to set up the ingestion.

Monitor data

Once you ingest your OCSF data into Grail, you can monitor your data in the app (in Dynatrace, go to Settings > OCSF).

You can view

A chart of ingested data from all existing connections over time
- Available actions: Query ingested data
A table with information about your connections
- Available actions: Delete connection

Visualize and analyze findings

You can create your own dashboards or use our templates to visualize and analyze container vulnerability findings.

To use a dashboard template

In Dynatrace, go to Settings > OCSF.
In the Try our templates section, select the desired dashboard template.

Automate and orchestrate findings

You can create your own workflows or use our templates to automate and orchestrate container vulnerability findings.

To use a workflow template

In Dynatrace, go to Settings > OCSF.
In the Try our templates section, select the desired workflow template.

Query ingested data

You can query ingested data in Notebooks or Security Investigator , using the data format in Semantic Dictionary.

To query ingested data

In Dynatrace, go to Settings > OCSF.
Select Open with .
Select Notebooks or Security Investigator.

Support

For OCSF, Dynatrace supports vulnerability findings (regardless of the source) following the OCSF v1.1.0 format.

Delete connections

To stop sending events to Dynatrace

In Dynatrace, go to Settings > OCSF.
For the connection you want to delete, select Delete.
Follow the on-screen instructions to delete the resources. If you used values different from those specified in the setup dialog, adjust them accordingly.

This removes the Dynatrace resources created for this integration.

Consumption

For billing information, see Events powered by Grail.

Use cases

With the ingested data, you can accomplish various use cases, such as