Gain insights

Latest Dynatrace
How-to guide

Selecting a finding on the detection findings page opens a side window that enables you to

Get finding details
List source information
Explain with AI
Analyze related logs

For findings from third-party sources, data displayed in this section is limited based on the external source information.

Get finding details

The Details section helps you understand the context and impact of a security finding.

Action taken: See how Runtime Application Protection responded to the threat based on your monitoring rules and whether further intervention is needed. Potential values are:
- Blocked: Incoming requests are detected and blocked.
- Audited: Incoming requests are detected but no action is taken.
- Allowedlisted: Incoming requests are ignored.
Attack vector: Identify how the attacker reached your application. Use this to trace the method or path used, such as injection, exploitation of a vulnerable endpoint, or abuse of a misconfigured service.
Affected object: Determine what was targeted. This could be a service, endpoint, or resource. To analyze the object in its native context, select Open with from the context menu .
Actor: Investigate who’s behind the suspicious activity. The actor view helps you trace the origin, assess reputation, and understand behavior of the IP address involved.
- IP and location: Determine where the activity originated. This can help you spot anomalies, like unexpected access from unfamiliar regions.
- IP enrichment: Deepen your investigation with external threat intelligence.
  - Select Enrich IP to retrieve reputation data from trusted sources like AbuseIPDB and VirusTotal.
  - Open the context menu and select View full report for detailed insights.
  To use enrichment, ensure your environment is connected to a supported threat intelligence source. For setup instructions and a list of supported providers, see Enrich data.
- Prevalence: Assess how active the actor has been across your environment. A visual indicator shows how many related findings were detected in the past 24 hours.
  - Select the findings count to view a filtered list of all events tied to that IP, helping you determine whether this is an isolated incident or part of a broader campaign.
Entry point: Understand where the attacker gained access. Use this to assess exposure and decide whether additional hardening or monitoring is needed at that location.
Vulnerability: Learn which weakness was exploited. This insight helps you prioritize remediation, whether it’s patching, configuration changes, or broader architectural improvements.
Identified request: Review the specific request that triggered the finding. This helps you validate whether the activity was malicious, part of a known pattern, or potentially benign but misconfigured.

For details about these items, see Concepts.

List source information

In Source, you can see a list of all the available information from the ingested finding.

Long values may be clipped. You can copy the full values via the context menu on their right.

For further analysis, you can open any of the listed values in another app.

Explain with AI

To use this Davis CoPilot functionality, ensure the following:

Davis CoPilot has been enabled on the environment level. For details, see Enable Davis CoPilot on your environment.
You have permissions to access the conversational recommender skill. For details, see User permissions.

Davis CoPilot can provide contextual, plain-language explanations of detection findings to accelerate understanding and response.

To access the functionality:

In Threats & Exploits, select a finding.
Select Explain with AI in the upper-right corner of the finding details pane.

When selected, Davis CoPilot analyzes the technical details of a detection finding and generates a structured summary that may include:

What the finding means: Interprets technical terms and describes the nature of the detected behavior (for example, a process modification, SQL injection attempt, or unexpected kernel code change).
Why it matters: Highlights severity levels (such as CRITICAL) and potential implications for application performance, system stability, or data security.
What to investigate: Suggests next steps such as reviewing affected components, analyzing logs and metrics, and assessing operational impact.
How to respond: Recommends remediation actions and links to relevant tools.

The structure and depth of CoPilot's explanation may vary depending on the nature of the detection and available context. While CoPilot aims to provide detailed insights, not all findings will include every element listed above.

CoPilot explanations are tailored to the nature of each detection—whether it's a code-level exploit, behavioral anomaly, or infrastructure-level threat—providing relevant, actionable insights that accelerate triage and support informed decision-making, even for users without deep security expertise.

Analyze logs

In Log analysis, you can

Have a quick overview of logs related to a particular finding and their severity within the selected timeframe.
Run recommended DQL queries for a quick analysis of logs related to a selected finding. This enables you to carry out fast investigations and root-cause analysis based on the relevant data.

Select Run query to execute a query.

See below for details on how to manage query results.

Display results

Results displayed in the results table are formatted and the most critical information is highlighted.

Expand rows for details. (1)
Select Open Logs to open results in the Logs app for deeper insights. (2)
Use Column settings to add or remove table columns. (3)
Use the column title menu to sort, hide, or move columns. (4)
Use Enable line wrap to view longer log lines without horizontal scrolling. (5)
Select the records tab to display metadata information about the executed query. (6)
Select > Download as CSV > All to download results in a CSV file. (7)

Search in results

After your query has returned records in the result table, you can search for keywords in this data. Use the Search results field to filter the table by your keyword. This filtering won't execute a new query, but will only show the already returned and loaded results in your browser.

Show surrounding logs

See the related logs for every record to understand the data context better.

Find a relevant log line in the result table and expand it for details.
Select Show surrounding logs.

The surrounding logs are displayed for the context provided by the log record. For example, if the trace_id parameter is present, you'll see other records with the same trace ID; otherwise, you can see surrounding logs for the same topology entity.

Navigate logs

You can quickly navigate between log details and related hosts, Kubernetes clusters, traces, or other entities. This helps you understand the impact of a single record in the context of related metrics and traces.

Select Run query for 15 logs before to navigate the logs.
Select to close Surrounding logs and return to the previous record.