Ingest vulnerability findings in OCSF format

  • Latest Dynatrace
  • How-to guide
  • Preview

This page has been updated to align with the new Grail security events table. For the complete list of updates and actions needed to accomplish the migration, follow the steps in the Grail security table migration guide.

In the following, you'll learn how to ingest vulnerability findings from any source or provider in a standard format (Open Cybersecurity Schema Framework (OCSF)) into Grail and analyze them on the Dynatrace platform.

Hub

Explore in Dynatrace Hub

Ingest security findings in Open Cybersecurity Schema Framework (OCSF) format.

Goal

  • Get Dynatrace insights for vulnerability findings from any source or provider.
  • Easily work with your data on the Dynatrace platform in a unified format.

How it works

how-it-works

You feed the OCSF-formatted data into Grail via our built-in security events OpenPipeline endpoint.

For instructions, see Get started.

The OpenPipe ingest endpoint receives the vulnerability findings and maps them according to the Semantic Dictionary.
They are stored in the default_securityevents bucket (see Built-in Grail buckets).

Ingested data is mapped to Dynatrace Semantic Dictionary. Original vendor data is also preserved alongside the mapped data.

Once data is ingested into Grail, you can visualize, analyze, and automate data using dashboards, workflows, and queries.

Prerequisites

  • Permissions:
    • To query ingested data: storage:security.events:read.

Get started

  1. In Dynatrace, open Hub.
  2. Look for OCSF and select Install.
  3. Select Set up, then select Configure new connection.
  4. Follow the on-screen instructions to set up the ingestion.

Monitor data

Once you ingest your OCSF data into Grail, you can monitor your data in the app (in Dynatrace, go to Settings > OCSF).

You can view:

  • A chart of ingested data from all existing connections over time

  • A table with information about your connections

Visualize and analyze findings

You can create your own dashboards or use our templates to visualize and analyze container vulnerability findings.

To use a dashboard template:

  1. In Dynatrace, go to Settings > OCSF.
  2. In the Try our templates section, select the desired dashboard template.

Automate and orchestrate findings

You can create your own workflows or use our templates to automate and orchestrate container vulnerability findings.

To use a workflow template:

  1. In Dynatrace, go to Settings > OCSF.
  2. In the Try our templates section, select the desired workflow template.

Query ingested data

You can query ingested data in Notebooks Notebooks or Security Investigator Security Investigator, using the data format in Semantic Dictionary.

To query ingested data:

  1. In Dynatrace, go to Settings > OCSF.
  2. Select Open with .
  3. Select Notebooks or Security Investigator.

Support

For OCSF, Dynatrace supports vulnerability findings (regardless of the source) following the OCSF v1.1.0 format.

Delete connections

To stop sending events to Dynatrace:

  1. In Dynatrace, go to Settings > OCSF.
  2. For the connection you want to delete, select Delete.
  3. Follow the on-screen instructions to delete the resources. If you used values different from those specified in the setup dialog, adjust them accordingly.

This removes the Dynatrace resources created for this integration.

Consumption

For billing information, see Events powered by Grail.

Use cases

With the ingested data, you can accomplish various use cases, such as

Related tags
Threat Observability