To kick off new investigations faster and save yourself repetitive manual work, you can use templates in Security Investigator. A template provides a boilerplate for an investigation: it creates initial DQL queries that are ready to be executed and makes the required artifacts about your environment available as evidence lists. This saves the time you would otherwise spend writing queries by hand or copying them from incident response playbooks.
In the following, you'll learn how to speed up log-related endeavors in Security Investigator using templates.
This article is intended for security engineers, site reliability engineers, DevOps engineers, and others who regularly perform investigations and log analysis on Grail data using Security Investigator.
When Dynatrace notifies you of an issue in a production environment, you typically start an investigation with the same basic queries. For example, in a Kubernetes environment, you want to determine:
The queries you create to answer such questions are often scattered across previous cases, DQL query repositories, and incident response playbooks.
To streamline your process, you want to create a template to prepare these queries in advance for future incidents. Fortunately, you have already conducted an investigation that includes these queries, allowing you to create a template from an existing case.
In Security Investigator, select one of the three ways to start a template:
Create it from a case: You can make a template from an existing case, for example, if you want to use the queries from a previous investigation. For instructions, see Save cases as templates.
Upload it: You can upload a template downloaded from a blog post or provided by the community. For instructions, see Download and upload templates.
Duplicate it: You can copy a template that you own or clone and edit a template that has been shared with you. For instructions, see Duplicate templates.
Once you have created a template, the following options are available.
You can modify your template if, for example, you want to remove some queries and add production cluster names to the evidence list in the template for faster access. For instructions, see Edit templates.
You can start a new investigation based on the initial input from your template. For instructions, see Create cases from templates.
You can create another similar template for yourself based on your template. For instructions, see Duplicate templates.