Ingest vulnerability findings in OCSF format

Latest Dynatrace Preview

In the following, you'll learn how to ingest vulnerability findings from any source or provider in a standard format (Open Cybersecurity Schema Framework (OCSF)) into Grail and analyze them on the Dynatrace platform.

Goal

  • Get Dynatrace insights for vulnerability findings from any source or provider.
  • Easily work with your data on the Dynatrace platform in a unified format.

How it works

1. You feed OCSF-formatted data into Grail

Details

You feed the OCSF-formatted data into Grail via our built-in security events OpenPipeline endpoint.

Action required

Follow the instructions in Get started.

2. Data is mapped

Details

The OpenPipe ingest endpoint receives the vulnerability findings and maps (formats) them according to the Semantic Dictionary.

These are stored in a bucket called default_security_custom_events (for details, see: Built-in Grail buckets).

Ingested data is mapped to Dynatrace semantic conventions. Original vendor data is also preserved alongside the mapped data.

Action required

No action is required from your side.

3. Enjoy the data

After data is ingested into Grail, you can visualize, analyze, and automate data.

Get started

To ingest your data in OCSF format via API, use the information below.

Endpoint URL

https://{your-environment-id}.live.dynatrace.com/platform/ingest/v1/events.security

Method

POST

Authentication

Access token

Scope

openpipeline.events_security

Payload

application/json

For details on how to perform the API ingest, see Learn more.

Response codes

Code
Description
202
Accepted
400
Bad request (in case of missing body or wrong format)
401
Unauthorized (in case of missing or invalid token)

Examples

{
"activity_id": 2,
"activity_name": "Update",
"category_name": "Findings",
"category_uid": 2,
"class_name": "Vulnerability Finding",
"class_uid": 2002,
"cloud": {
"account": {
"uid": "111111111111"
},
"provider": "AWS",
"region": "us-east-2"
},
"finding_info": {
"created_time_dt": "2023-04-21T11:59:04.000-04:00",
"desc": "Issue summary: The AES-XTS cipher decryption implementation for 64 bit ARM\nplatform contains a bug that could cause it to read past the input buffer,\nleading to a crash.\n\nImpact summary: Applications that use the AES-XTS algorithm on the 64 bit ARM\nplatform can crash in rare circumstances. The AES-XTS algorithm is usually\nused for disk encryption.\n\nThe AES-XTS cipher decryption implementation for 64 bit ARM platform will read\npast the end of the ciphertext buffer if the ciphertext size is 4 mod 5 in 16\nbyte blocks, e.g. 144 bytes or 1024 bytes. If the memory after the ciphertext\nbuffer is unmapped, this will trigger a crash which results in a denial of\nservice.\n\nIf an attacker can control the size and location of the ciphertext buffer\nbeing decrypted by an application using AES-XTS on 64 bit ARM, the\napplication is affected. This is fairly unlikely making this issue\na Low severity one.",
"first_seen_time_dt": "2023-04-21T11:59:04.000-04:00",
"last_seen_time_dt": "2024-01-26T17:19:14.000-05:00",
"modified_time_dt": "2024-01-26T17:19:14.000-05:00",
"title": "CVE-2023-1255 - openssl",
"types": [
"Software and Configuration Checks/Vulnerabilities/CVE"
],
"uid": "arn:aws:inspector2:us-east-2:111111111111:finding/faa0d54609b94871badcc83ac7c2add5"
},
"metadata": {
"log_version": "2018-10-08",
"processed_time_dt": "2024-01-26T17:59:56.923-05:00",
"product": {
"feature": {
"uid": "AWSInspector"
},
"name": "Inspector",
"uid": "arn:aws:securityhub:us-east-2::product/aws/inspector",
"vendor_name": "Amazon",
"version": "2"
},
"profiles": [
"cloud",
"datetime"
],
"version": "1.1.0"
},
"observables": [
{
"name": "resource.uid",
"type": "Resource UID",
"type_id": 10,
"value": "arn:aws:ecr:us-east-2:111111111111:repository/browserhostingstack-EXAMPLE-btb1o54yh1jr/sha256:e9e2afad74f4e80511a5cff33d3d989b9797a718425f27e549f5b1f862c058a8"
}
],
"resource": {
"cloud_partition": "aws",
"data": "{\"AwsEcrContainerImage\":{\"Architecture\":\"amd64\",\"ImageDigest\":\"sha256:e9e2afad74f4e80511a5cff33d3d989b9797a718425f27e549f5b1f862c058a8\",\"ImagePublishedAt\":\"2023-04-11T21:07:55Z\",\"RegistryId\":\"111111111111\",\"RepositoryName\":\"browserhostingstack-EXAMPLE-btb1o54yh1jr\"}}",
"region": "us-east-2",
"type": "AwsEcrContainerImage",
"uid": "arn:aws:ecr:us-east-2:111111111111:repository/browserhostingstack-EXAMPLE-btb1o54yh1jr/sha256:e9e2afad74f4e80511a5cff33d3d989b9797a718425f27e549f5b1f862c058a8"
},
"severity": "Medium",
"severity_id": 3,
"status": "New",
"time": 1706307554000,
"time_dt": "2024-01-26T17:19:14.000-05:00",
"type_name": "Vulnerability Finding: Update",
"type_uid": 200202,
"unmapped": {
"FindingProviderFields.Severity.Label": "MEDIUM",
"FindingProviderFields.Types[]": "Software and Configuration Checks/Vulnerabilities/CVE",
"ProductFields.aws/inspector/FindingStatus": "ACTIVE",
"ProductFields.aws/inspector/inspectorScore": "5.9",
"ProductFields.aws/inspector/packageVulnerabilityDetails/vulnerablePackages/sourceLayerHashes": "sha256:f56be85fc22e46face30e2c3de3f7fe7c15f8fd7c4e5add29d7f64b87abdaa09",
"ProductFields.aws/inspector/resources/1/resourceDetails/awsEcrContainerImageDetails/platform": "ALPINE_LINUX_3_17",
"ProductFields.aws/securityhub/CompanyName": "Amazon",
"ProductFields.aws/securityhub/FindingId": "arn:aws:securityhub:us-east-2::product/aws/inspector/arn:aws:inspector2:us-east-2:111111111111:finding/faa0d54609b94871badcc83ac7c2add5",
"ProductFields.aws/securityhub/ProductName": "Inspector",
"RecordState": "ACTIVE",
"Severity.Normalized": "40",
"Vulnerabilities[].Cvss[].Source": "NVD,NVD",
"Vulnerabilities[].Vendor.VendorSeverity": "MEDIUM",
"Vulnerabilities[].VulnerablePackages[].SourceLayerHash": "sha256:f56be85fc22e46face30e2c3de3f7fe7c15f8fd7c4e5add29d7f64b87abdaa09",
"WorkflowState": "NEW"
},
"vulnerabilities": [
{
"affected_packages": [
{
"architecture": "X86_64",
"epoch": 0,
"fixed_in_version": "0:3.0.8-r4",
"name": "openssl",
"package_manager": "OS",
"release": "r3",
"remediation": {
"desc": "apk update && apk upgrade openssl"
},
"version": "3.0.8"
}
],
"cve": {
"created_time_dt": "2023-04-20T13:15:06.000-04:00",
"cvss": [
{
"base_score": 5.9,
"vector_string": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
{
"base_score": 5.9,
"vector_string": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
],
"epss": {
"score": "0.00066"
},
"modified_time_dt": "2023-09-08T13:15:15.000-04:00",
"references": [
"https://nvd.nist.gov/vuln/detail/CVE-2023-1255"
],
"uid": "CVE-2023-1255"
},
"is_exploit_available": true,
"is_fix_available": true,
"references": [
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=bc2f61ad70971869b242fc1cb445b98bad50074a",
"https://www.openssl.org/news/secadv/20230419.txt",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=02ac9c9420275868472f33b01def01218742b8bb"
],
"remediation": {
"desc": "Remediation is available. Please refer to the Fixed version in the vulnerability details section above.For detailed remediation guidance for each of the affected packages, refer to the vulnerabilities section of the detailed finding JSON."
},
"vendor_name": "NVD"
}
]
}
{
"timestamp": "2024-10-29T21:12:18.177000000+01:00",
"activity_id": "2",
"activity_name": "Update",
"aws.account.id": "111111111111",
"aws.region": "us-east-2",
"aws.resource.id": "arn:aws:ecr:us-east-2:111111111111:repository/browserhostingstack-EXAMPLE-btb1o54yh1jr/sha256:e9e2afad74f4e80511a5cff33d3d989b9797a718425f27e549f5b1f862c058a8",
"category_name": "Findings",
"category_uid": "2",
"class_name": "Vulnerability Finding",
"class_uid": "2002",
"cloud": "{\"account\":{\"uid\":\"111111111111\"},\"provider\":\"AWS\",\"region\":\"us-east-2\"}",
"component.name": "openssl",
"component.version": "3.0.8",
"dt.openpipeline.pipelines": [
"events.security:vulnerability_finding"
],
"dt.openpipeline.source": "/platform/ingest/v1/events.security/",
"dt.security.risk.level": "MEDIUM",
"dt.security.risk.score": 6.9,
"event.category": "VULNERABILITY_MANAGEMENT",
"event.description": "Issue summary: The AES-XTS cipher decryption implementation for 64 bit ARM\nplatform contains a bug that could cause it to read past the input buffer,\nleading to a crash.\n\nImpact summary: Applications that use the AES-XTS algorithm on the 64 bit ARM\nplatform can crash in rare circumstances. The AES-XTS algorithm is usually\nused for disk encryption.\n\nThe AES-XTS cipher decryption implementation for 64 bit ARM platform will read\npast the end of the ciphertext buffer if the ciphertext size is 4 mod 5 in 16\nbyte blocks, e.g. 144 bytes or 1024 bytes. If the memory after the ciphertext\nbuffer is unmapped, this will trigger a crash which results in a denial of\nservice.\n\nIf an attacker can control the size and location of the ciphertext buffer\nbeing decrypted by an application using AES-XTS on 64 bit ARM, the\napplication is affected. This is fairly unlikely making this issue\na Low severity one.",
"event.kind": "SECURITY_EVENT",
"event.name": "Vulnerability finding",
"event.provider": "Amazon Inspector",
"event.type": "VULNERABILITY_FINDING",
"event.version": "1.304",
"finding.description": "Issue summary: The AES-XTS cipher decryption implementation for 64 bit ARM\nplatform contains a bug that could cause it to read past the input buffer,\nleading to a crash.\n\nImpact summary: Applications that use the AES-XTS algorithm on the 64 bit ARM\nplatform can crash in rare circumstances. The AES-XTS algorithm is usually\nused for disk encryption.\n\nThe AES-XTS cipher decryption implementation for 64 bit ARM platform will read\npast the end of the ciphertext buffer if the ciphertext size is 4 mod 5 in 16\nbyte blocks, e.g. 144 bytes or 1024 bytes. If the memory after the ciphertext\nbuffer is unmapped, this will trigger a crash which results in a denial of\nservice.\n\nIf an attacker can control the size and location of the ciphertext buffer\nbeing decrypted by an application using AES-XTS on 64 bit ARM, the\napplication is affected. This is fairly unlikely making this issue\na Low severity one.",
"finding.id": "arn:aws:inspector2:us-east-2:111111111111:finding/faa0d54609b94871badcc83ac7c2add5",
"finding.time.created": "2024-01-26T23:19:14.000000000+01:00",
"finding.title": "CVE-2023-1255 - openssl",
"finding_info": "{\"created_time_dt\":\"2023-04-21T11:59:04.000-04:00\",\"desc\":\"Issue summary: The AES-XTS cipher decryption implementation for 64 bit ARM\\nplatform contains a bug that could cause it to read past the input buffer,\\nleading to a crash.\\n\\nImpact summary: Applications that use the AES-XTS algorithm on the 64 bit ARM\\nplatform can crash in rare circumstances. The AES-XTS algorithm is usually\\nused for disk encryption.\\n\\nThe AES-XTS cipher decryption implementation for 64 bit ARM platform will read\\npast the end of the ciphertext buffer if the ciphertext size is 4 mod 5 in 16\\nbyte blocks, e.g. 144 bytes or 1024 bytes. If the memory after the ciphertext\\nbuffer is unmapped, this will trigger a crash which results in a denial of\\nservice.\\n\\nIf an attacker can control the size and location of the ciphertext buffer\\nbeing decrypted by an application using AES-XTS on 64 bit ARM, the\\napplication is affected. This is fairly unlikely making this issue\\na Low severity one.\",\"first_seen_time_dt\":\"2023-04-21T11:59:04.000-04:00\",\"last_seen_time_dt\":\"2024-01-26T17:19:14.000-05:00\",\"modified_time_dt\":\"2024-01-26T17:19:14.000-05:00\",\"title\":\"CVE-2023-1255 - openssl\",\"types\":[\"Software and Configuration Checks/Vulnerabilities/CVE\"],\"uid\":\"arn:aws:inspector2:us-east-2:111111111111:finding/faa0d54609b94871badcc83ac7c2add5\"}",
"metadata": "{\"log_version\":\"2018-10-08\",\"processed_time_dt\":\"2024-01-26T17:59:56.923-05:00\",\"product\":{\"feature\":{\"uid\":\"AWSInspector\"},\"name\":\"Inspector\",\"uid\":\"arn:aws:securityhub:us-east-2::product/aws/inspector\",\"vendor_name\":\"Amazon\",\"version\":\"2\"},\"profiles\":[\"cloud\",\"datetime\"],\"version\":\"1.1.0\"}",
"object.id": "arn:aws:ecr:us-east-2:111111111111:repository/browserhostingstack-EXAMPLE-btb1o54yh1jr/sha256:e9e2afad74f4e80511a5cff33d3d989b9797a718425f27e549f5b1f862c058a8",
"observables": [
"{\"name\":\"resource.uid\",\"type\":\"Resource UID\",\"type_id\":10,\"value\":\"arn:aws:ecr:us-east-2:111111111111:repository/browserhostingstack-EXAMPLE-btb1o54yh1jr/sha256:e9e2afad74f4e80511a5cff33d3d989b9797a718425f27e549f5b1f862c058a8\"}"
],
"resource": "{\"cloud_partition\":\"aws\",\"data\":\"{\\\"AwsEcrContainerImage\\\":{\\\"Architecture\\\":\\\"amd64\\\",\\\"ImageDigest\\\":\\\"sha256:e9e2afad74f4e80511a5cff33d3d989b9797a718425f27e549f5b1f862c058a8\\\",\\\"ImagePublishedAt\\\":\\\"2023-04-11T21:07:55Z\\\",\\\"RegistryId\\\":\\\"111111111111\\\",\\\"RepositoryName\\\":\\\"browserhostingstack-EXAMPLE-btb1o54yh1jr\\\"}}\",\"region\":\"us-east-2\",\"type\":\"AwsEcrContainerImage\",\"uid\":\"arn:aws:ecr:us-east-2:111111111111:repository/browserhostingstack-EXAMPLE-btb1o54yh1jr/sha256:e9e2afad74f4e80511a5cff33d3d989b9797a718425f27e549f5b1f862c058a8\"}",
"severity": "Medium",
"severity_id": "3",
"status": "New",
"time": "1706307554000",
"time_dt": "2024-01-26T17:19:14.000-05:00",
"type_name": "Vulnerability Finding: Update",
"type_uid": "200202",
"unmapped": "{\"FindingProviderFields.Severity.Label\":\"MEDIUM\",\"FindingProviderFields.Types[]\":\"Software and Configuration Checks/Vulnerabilities/CVE\",\"ProductFields.aws/inspector/FindingStatus\":\"ACTIVE\",\"ProductFields.aws/inspector/inspectorScore\":\"5.9\",\"ProductFields.aws/inspector/packageVulnerabilityDetails/vulnerablePackages/sourceLayerHashes\":\"sha256:f56be85fc22e46face30e2c3de3f7fe7c15f8fd7c4e5add29d7f64b87abdaa09\",\"ProductFields.aws/inspector/resources/1/resourceDetails/awsEcrContainerImageDetails/platform\":\"ALPINE_LINUX_3_17\",\"ProductFields.aws/securityhub/CompanyName\":\"Amazon\",\"ProductFields.aws/securityhub/FindingId\":\"arn:aws:securityhub:us-east-2::product/aws/inspector/arn:aws:inspector2:us-east-2:111111111111:finding/faa0d54609b94871badcc83ac7c2add5\",\"ProductFields.aws/securityhub/ProductName\":\"Inspector\",\"RecordState\":\"ACTIVE\",\"Severity.Normalized\":\"40\",\"Vulnerabilities[].Cvss[].Source\":\"NVD,NVD\",\"Vulnerabilities[].Vendor.VendorSeverity\":\"MEDIUM\",\"Vulnerabilities[].VulnerablePackages[].SourceLayerHash\":\"sha256:f56be85fc22e46face30e2c3de3f7fe7c15f8fd7c4e5add29d7f64b87abdaa09\",\"WorkflowState\":\"NEW\"}",
"vulnerabilities": [
"{\"affected_packages\":[{\"architecture\":\"X86_64\",\"epoch\":0,\"fixed_in_version\":\"0:3.0.8-r4\",\"name\":\"openssl\",\"package_manager\":\"OS\",\"release\":\"r3\",\"remediation\":{\"desc\":\"apk update && apk upgrade openssl\"},\"version\":\"3.0.8\"}],\"cve\":{\"created_time_dt\":\"2023-04-20T13:15:06.000-04:00\",\"cvss\":[{\"base_score\":5.9,\"vector_string\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"version\":\"3.1\"},{\"base_score\":5.9,\"vector_string\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"version\":\"3.1\"}],\"epss\":{\"score\":\"0.00066\"},\"modified_time_dt\":\"2023-09-08T13:15:15.000-04:00\",\"references\":[\"https://nvd.nist.gov/vuln/detail/CVE-2023-1255\"],\"uid\":\"CVE-2023-1255\"},\"is_exploit_available\":true,\"is_fix_available\":true,\"references\":[\"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=bc2f61ad70971869b242fc1cb445b98bad50074a\",\"https://www.openssl.org/news/secadv/20230419.txt\",\"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=02ac9c9420275868472f33b01def01218742b8bb\"],\"remediation\":{\"desc\":\"Remediation is available. Please refer to the Fixed version in the vulnerability details section above.For detailed remediation guidance for each of the affected packages, refer to the vulnerabilities section of the detailed finding JSON.\"},\"vendor_name\":\"NVD\"}"
],
"vulnerability.description": null,
"vulnerability.id": "CVE-2023-1255",
"vulnerability.title": "CVE-2023-1255"
}

Visualize, analyze, and automate data

Once you ingest your data into Grail, you can

  • Create your own dashboards or use our sample dashboard to visualize and analyze container findings
  • Create your own workflows or use our sample workflows to automate and orchestrate container findings

For instructions, see

Consumption

For billing information, see Events powered by Grail.