Gain insights

Latest Dynatrace
How-to guide

Selecting a finding on the detection findings page opens a side window that enables you to

Review key information:
- Get finding details
- List source information
Initiate deeper analysis:
- Explain finding
- Trigger investigation

For findings from third-party sources, data displayed in this section is limited based on the external source information.

Get finding details

The Details tab helps you understand the context and impact of a security finding. The following sections are displayed.

For definitions and background on the items below, see Concepts.

Actor

Investigate who’s behind the suspicious activity. Use this view to trace the origin, assess reputation, and understand behavior of the IP address involved.

IP and location: Determine where the activity originated to spot anomalies, such as unexpected access from unfamiliar regions.
IP enrichment: Deepen your investigation with external threat intelligence.

To use enrichment, ensure your environment is connected to a supported threat intelligence source. For setup instructions and a list of supported providers, see Enrich data.
1. Select Enrich IP to retrieve reputation data from trusted sources like AbuseIPDB and VirusTotal.
2. Open the context menu and select View full report for detailed insights.
Prevalence: Assess how active the actor has been across your environment. A visual indicator shows how many related findings were detected in the past 24 hours.
- Select the findings count to view a filtered list of all events tied to that IP and determine whether it's an isolated incident or part of a broader campaign.

Affected object

Take action on the asset that was affected. This view helps you:

Pinpoint what was affected: Identify whether the object is a service, endpoint, or resource, and understand its role in your environment.
Investigate in context: Use the context menu to open the object in another compatible app and explore its relationships, metrics, and dependencies.
Evaluate risk and impact: Review vulnerabilities, detection findings, and active problems to assess the object's security posture and operational health.
Coordinate response: Use tagging information to identify responsible teams and streamline collaboration.

Tag details are shown when available and depend on the type of entity and your monitoring setup. They help you understand how the affected object fits into your environment.

Investigate components directly connected to the affected object to gain deeper insight into its context and potential impact. This view helps you:

Identify entity details: Understand how each component is connected to the affected object, what type of entity it is, and its name. For example, see which Kubernetes cluster the object belongs to, which namespace it operates within, which node it runs on, or which job it's part of. These relationships help clarify the object's placement and dependencies within your environment.

Relationship details are only available for Smartscape entities.
Assess security posture: Review vulnerabilities and detection findings associated with each entity.
Check operational health: View active problems across related entities.

Use this view to prioritize investigation and trace root causes. If multiple related entities show problems or vulnerabilities, it may indicate a broader issue affecting your environment.

Action taken

See how Runtime Application Protection responded to the threat based on your monitoring rules and whether further intervention is needed. Potential values are:

Blocked: Incoming requests are detected and blocked.
Audited: Incoming requests are detected but no action is taken.
Allowedlisted: Incoming requests are ignored.

Attack vector

Identify how the attacker reached your application. This helps you trace the method or path used, such as injection, exploitation of a vulnerable endpoint, or abuse of a misconfigured service.

Entry point

Understand where the attacker gained access. This helps you assess exposure and decide whether additional hardening or monitoring is needed at that location.

Vulnerability

Learn which weakness was exploited. This helps you prioritize remediation, whether it’s patching, configuration changes, or broader architectural improvements.

Identified request

Review the specific request that triggered the finding. This helps you validate whether the activity was malicious, part of a known pattern, or potentially benign but misconfigured.

List source information

In the Source tab, you can see a list of all the available information from the ingested finding.

Long values may be clipped. You can copy the full values via the context menu on their right.

For further analysis, you can open any of the listed values in another app.

Explain finding

To use this generative AI functionality, ensure the following:

Dynatrace Intelligence generative AI has been enabled on the environment level. For details, see Enable Dynatrace Intelligence generative AI on your environment.
You have permissions to access it. For details, see User permissions.

Dynatrace Intelligence generative AI can provide contextual, plain-language explanations of detection findings to accelerate understanding and response.

To access the functionality

In Threats & Exploits, select a finding.
In the upper-right corner of the finding details pane, select Explain finding.

When selected, Dynatrace Intelligence generative AI analyzes the technical details of a detection finding and provides a structured summary that may include:

What the finding means: Interprets technical terms and describes the nature of the detected behavior (for example, a process modification, SQL injection attempt, or unexpected kernel code change).
Why it matters: Highlights severity levels (such as CRITICAL) and potential implications for application performance, system stability, or data security.
What to investigate: Suggests next steps such as reviewing affected components, analyzing logs and metrics, and assessing operational impact.
How to respond: Recommends remediation actions and links to relevant tools.

The structure and depth of generative AI's explanation may vary depending on the nature of the detection and available context. While Dynatrace Intelligence generative AI aims to provide detailed insights, not all findings will include every element listed above.

Dynatrace Intelligence generative AI explanations are tailored to the nature of each detection—whether it's a code-level exploit, behavioral anomaly, or infrastructure-level threat—providing relevant, actionable insights that accelerate triage and support informed decision-making, even for users without deep security expertise.

Trigger investigation

You can analyze a finding in depth by opening a tailored query for a selected finding in Investigations Investigations.

To start an investigation

In Threats & Exploits, select a finding.
In the Details tab, go to Investigation guidance and select one of the predefined investigation paths.

You can run the query in Investigations Investigations as is or modify it to refine your analysis.

For details on how to use Investigations Investigations, see Investigations.

To view the query without leaving the Threats & Exploits app, select View query from the context menu . This lets you inspect and copy the query directly, then return to your previous view.