Gain insights

Latest Dynatrace
How-to guide

Selecting a finding on the detection findings page opens a side window that enables you to

Review key information:
- Get finding details
- List source information
Initiate deeper analysis:
- Explain finding
- Trigger investigation

For findings from third-party sources, data displayed in this section is limited based on the external source information.

Get finding details

The Details section helps you understand the context and impact of a security finding.

For definitions and background on the items below, see Concepts.

Actor

Investigate who’s behind the suspicious activity. Use this view to trace the origin, assess reputation, and understand behavior of the IP address involved.

IP and location: Determine where the activity originated to spot anomalies, such as unexpected access from unfamiliar regions.
IP enrichment: Deepen your investigation with external threat intelligence.

To use enrichment, ensure your environment is connected to a supported threat intelligence source. For setup instructions and a list of supported providers, see Enrich data.
1. Select Enrich IP to retrieve reputation data from trusted sources like AbuseIPDB and VirusTotal.
2. Open the context menu and select View full report for detailed insights.
Prevalence: Assess how active the actor has been across your environment. A visual indicator shows how many related findings were detected in the past 24 hours.
- Select the findings count to view a filtered list of all events tied to that IP and determine whether it's an isolated incident or part of a broader campaign.

Affected object

Take action on the asset that was affected. This view helps you:

Pinpoint what was affected: Identify whether the object is a service, endpoint, or resource, and understand its role in your environment.
Investigate in context: Use the context menu to open the object in another compatible app and explore its relationships, metrics, and dependencies.
Evaluate risk and impact: Review vulnerabilities, detection findings, and active problems to assess the object's security posture and operational health.
Coordinate response: Use tagging and ownership information to identify responsible teams and streamline collaboration.

Tag and ownership details are shown when available and depend on the type of entity and your monitoring setup. They help you understand how the affected object fits into your environment and who's responsible for it.

Investigate components directly connected to the affected object to gain deeper insight into its context and potential impact. This view helps you:

Identify entity details: Understand how each component is connected to the affected object, what type of entity it is, and its name. For example, see which Kubernetes cluster the object belongs to, which namespace it operates within, which node it runs on, or which job it's part of. These relationships help clarify the object's placement and dependencies within your environment.

Relationship details are only available for Smartscape entities.
Assess security posture: Review vulnerabilities and detection findings associated with each entity.
Check operational health: View active problems across related entities.

Use this view to prioritize investigation and trace root causes. If multiple related entities show problems or vulnerabilities, it may indicate a broader issue affecting your environment.

Action taken

See how Runtime Application Protection responded to the threat based on your monitoring rules and whether further intervention is needed. Potential values are:

Blocked: Incoming requests are detected and blocked.
Audited: Incoming requests are detected but no action is taken.
Allowedlisted: Incoming requests are ignored.

Attack vector

Identify how the attacker reached your application. This helps you trace the method or path used, such as injection, exploitation of a vulnerable endpoint, or abuse of a misconfigured service.

Entry point

Understand where the attacker gained access. This helps you assess exposure and decide whether additional hardening or monitoring is needed at that location.

Vulnerability

Learn which weakness was exploited. This helps you prioritize remediation, whether it’s patching, configuration changes, or broader architectural improvements.

Identified request

Review the specific request that triggered the finding. This helps you validate whether the activity was malicious, part of a known pattern, or potentially benign but misconfigured.

List source information

In Source, you can see a list of all the available information from the ingested finding.

Long values may be clipped. You can copy the full values via the context menu on their right.

For further analysis, you can open any of the listed values in another app.

Explain finding

To use this Davis CoPilot functionality, ensure the following:

Davis CoPilot has been enabled on the environment level. For details, see Enable Davis CoPilot on your environment.
You have permissions to access the conversational recommender skill. For details, see User permissions.

Davis CoPilot can provide contextual, plain-language explanations of detection findings to accelerate understanding and response.

To access the functionality

In Threats & Exploits, select a finding.
Select Explain finding in the upper-right corner of the finding details pane.

When selected, Davis CoPilot analyzes the technical details of a detection finding and generates a structured summary that may include:

What the finding means: Interprets technical terms and describes the nature of the detected behavior (for example, a process modification, SQL injection attempt, or unexpected kernel code change).
Why it matters: Highlights severity levels (such as CRITICAL) and potential implications for application performance, system stability, or data security.
What to investigate: Suggests next steps such as reviewing affected components, analyzing logs and metrics, and assessing operational impact.
How to respond: Recommends remediation actions and links to relevant tools.

The structure and depth of CoPilot's explanation may vary depending on the nature of the detection and available context. While CoPilot aims to provide detailed insights, not all findings will include every element listed above.

CoPilot explanations are tailored to the nature of each detection—whether it's a code-level exploit, behavioral anomaly, or infrastructure-level threat—providing relevant, actionable insights that accelerate triage and support informed decision-making, even for users without deep security expertise.

Trigger investigation

To start an investigation, go to Investigation guidance and select one of the predefined investigation paths. This opens a query tailored to your selected finding in the Dynatrace Security Investigator app . You can run the query as-is or modify it to refine your analysis.

For details on how to use the Security Investigator app, see Security Investigator.

To view the query without leaving the Threats & Exploits app, select View query from the context menu . This lets you inspect and copy the query directly, then return to your previous view.