Gain insights

  • Latest Dynatrace
  • How-to guide

Selecting a finding on the detection findings page opens a side window that enables you to

For findings from third-party sources, data displayed in this section is limited based on the external source information.

Get finding details

The Details tab helps you understand the context and impact of a security finding. The following sections are displayed.

For definitions and background on the items below, see Concepts.

Actor

Investigate who’s behind the suspicious activity. Use this view to trace the origin, assess reputation, and understand behavior of the IP address involved.

  • IP and location: Determine where the activity originated to spot anomalies, such as unexpected access from unfamiliar regions.

  • IP enrichment: Deepen your investigation with external threat intelligence.

    To use enrichment, ensure your environment is connected to a supported threat intelligence source. For setup instructions and a list of supported providers, see Enrich data.

    1. Select Enrich IP to retrieve reputation data from trusted sources like AbuseIPDB and VirusTotal.
    2. Open the context menu and select View full report for detailed insights.
  • Prevalence: Assess how active the actor has been across your environment. A visual indicator shows how many related findings were detected in the past 24 hours.

    • Select the findings count to view a filtered list of all events tied to that IP and determine whether it's an isolated incident or part of a broader campaign.

Affected object

Take action on the asset that was affected. This view helps you:

  • Pinpoint what was affected: Identify whether the object is a service, endpoint, or resource, and understand its role in your environment.

  • Investigate in context: Use the context menu to open the object in another compatible app and explore its relationships, metrics, and dependencies.

  • Evaluate risk and impact: Review vulnerabilities, detection findings, and active problems to assess the object's security posture and operational health.

  • Coordinate response: Use tagging information to identify responsible teams and streamline collaboration.

    Tag details are shown when available and depend on the type of entity and your monitoring setup. They help you understand how the affected object fits into your environment.

Related entities

Investigate components directly connected to the affected object to gain deeper insight into its context and potential impact. This view helps you:

  • Identify entity details: Understand how each component is connected to the affected object, what type of entity it is, and its name. For example, see which Kubernetes cluster the object belongs to, which namespace it operates within, which node it runs on, or which job it's part of. These relationships help clarify the object's placement and dependencies within your environment.

    Relationship details are only available for Smartscape entities.

  • Assess security posture: Review vulnerabilities and detection findings associated with each entity.

  • Check operational health: View active problems across related entities.

Use this view to prioritize investigation and trace root causes. If multiple related entities show problems or vulnerabilities, it may indicate a broader issue affecting your environment.

Related findings

Understand the broader context of a finding by exploring other findings that occurred around the same time and may be connected. A clear count of all related findings and their severity gives you an immediate sense of how much correlated activity exists. Expand the card for additional insights.

This view helps you:

  • Identify correlated activity: See findings triggered by the same actor IP, or findings on the same or related entities that share the same finding type.

  • Analyze timing and distribution: Use the interactive chart to understand when related findings occurred. Selecting a time range filters the table, allowing you to focus on specific activity clusters or suspicious time windows.

  • Assess similarity: Review each related finding’s severity, relative detection time, and a visual indicator of field overlap to understand how closely it matches the original finding. Dynatrace also highlights core identical fields shared with the original finding to clarify why each item is considered related.

Use this view to accelerate investigation, uncover connections between findings, and determine whether you’re dealing with isolated events or part of a broader pattern of activity.

Action taken

See how Runtime Application Protection responded to the threat based on your monitoring rules and whether further intervention is needed. Potential values are:

  • Blocked: Incoming requests are detected and blocked.
  • Audited: Incoming requests are detected but no action is taken.
  • Allowlisted: Incoming requests are ignored.

Attack vector

Identify how the attacker reached your application. This helps you trace the method or path used, such as injection, exploitation of a vulnerable endpoint, or abuse of a misconfigured service.

Entry point

Understand where the attacker gained access. This helps you assess exposure and decide whether additional hardening or monitoring is needed at that location.

Vulnerability

Learn which weakness was exploited. This helps you prioritize remediation, whether it’s patching, configuration changes, or broader architectural improvements.

Identified request

Review the specific request that triggered the finding. This helps you validate whether the activity was malicious, part of a known pattern, or potentially benign but misconfigured.

List source information

In the Source tab, you can see a list of all the available information from the ingested finding.

Long values may be clipped. You can copy the full values via the context menu on their right.

For further analysis, you can open any of the listed values in another app.

Explain finding

To use this generative AI functionality, ensure the following:

Dynatrace Intelligence generative AI can provide contextual, plain-language explanations of detection findings to accelerate understanding and response.

To access the functionality

  1. In Threats & Exploits, select a finding.
  2. In the upper-right corner of the finding details pane, select Explain finding.

When selected, Dynatrace Intelligence generative AI analyzes the technical details of a detection finding and provides a structured summary that may include:

  • What the finding means: Interprets technical terms and describes the nature of the detected behavior (for example, a process modification, SQL injection attempt, or unexpected kernel code change).

  • Why it matters: Highlights severity levels (such as CRITICAL) and potential implications for application performance, system stability, or data security.

  • What to investigate: Suggests next steps such as reviewing affected components, analyzing logs and metrics, and assessing operational impact.

  • How to respond: Recommends remediation actions and links to relevant tools.

The structure and depth of generative AI's explanation may vary depending on the nature of the detection and available context. While Dynatrace Intelligence generative AI aims to provide detailed insights, not all findings will include every element listed above.

Dynatrace Intelligence generative AI explanations are tailored to the nature of each detection—whether it's a code-level exploit, behavioral anomaly, or infrastructure-level threat—providing relevant, actionable insights that accelerate triage and support informed decision-making, even for users without deep security expertise.

Trigger investigation

You can analyze a finding in depth by opening a tailored query for a selected finding in Investigations.

To start an investigation

  1. In Threats & Exploits, select a finding.

  2. In the Details tab, go to Investigation guidance and select one of the predefined investigation paths.

You can run the query in Investigations as is or modify it to refine your analysis.

For details on how to use Investigations, see Investigations.

To view the query without leaving the Threats & Exploits app, select View query from the context menu. This lets you inspect and copy the query directly, then return to your previous view.

View topology

You can view the topology of an affected object to understand how it connects to other components in your environment. This gives you immediate context about upstream and downstream dependencies and helps you see which services or processes interact with the affected object.

To view topology

  1. In Threats & Exploits, select a finding.

  2. In the Details tab, go to Affected object and select View topology.

This opens Smartscape, where you can explore how the affected object relates to other services, processes, and infrastructure components. For details, see View topology.

Related tags
Application Security