Resolve incidents faster with Security Investigator templates

Latest Dynatrace

To kick off new investigations faster and save yourself from repetitive manual work, you can use templates in Security Investigator. Templates provide a boilerplate for investigations: initial DQL queries that are ready to execute and the artifacts about your environment that you need, available as evidence lists. This saves time otherwise spent writing queries by hand or copying them from incident response playbooks.

In the following, you'll learn how to speed up log-related investigations in Security Investigator using templates.

Target audience

This article is intended for security engineers, site reliability engineers, DevOps engineers, and others who regularly perform investigations and log analysis on Grail data using Security Investigator.

Scenario

When Dynatrace notifies you of an issue in a production environment, you typically start an investigation with the same basic queries. For example, in a Kubernetes environment, you want to determine:

  • Is the error present in only one cluster or across all of them?
  • Does the error appear in only one cluster node or several?
  • Which pods and containers are currently running in your environment?
  • What was logged in the specific Kubernetes log?
  • What was logged by the pod?
  • What was logged by the container?
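
The kind of boilerplate DQL a template would hold for the first three questions above, as an added example rather than a query from the original page. It assumes Dynatrace's default Kubernetes log attributes (`k8s.cluster.name`, `k8s.node.name`, `k8s.namespace.name`, `k8s.pod.name`, `k8s.container.name`, `loglevel`); adjust the field names to your environment.

```dql
// Added example (not from the original page): error spread per cluster.
// Answers "one cluster or all?" and "one node or several?" in one pass.
fetch logs, from:now()-2h
| filter loglevel == "ERROR"
| summarize errors = count(),
            affectedNodes = countDistinct(k8s.node.name),
            by:{k8s.cluster.name}
| sort errors desc

// Added example (not from the original page): pods and containers that
// have logged recently, i.e. are currently active in the environment.
// Field names assume Dynatrace's default Kubernetes log attributes.
fetch logs, from:now()-30m
| filter isNotNull(k8s.pod.name)
| summarize lastSeen = max(timestamp),
            by:{k8s.cluster.name, k8s.namespace.name, k8s.pod.name, k8s.container.name}
| sort lastSeen desc
```

Each query is a separate node in the template; the cluster and node names you care about belong in the template's evidence list so they can be pasted into the `filter` clauses during an incident.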

The queries you create to answer such questions are often scattered across previous cases, DQL query repositories, and incident response playbooks.

To streamline your process, you want to create a template to prepare these queries in advance for future incidents. Fortunately, you have already conducted an investigation that includes these queries, allowing you to create a template from an existing case.

Start a template

In Security Investigator, select one of the three ways to start a template:

  • Create it from a case: You can make a template from an existing case, for example, if you want to use the queries from a previous investigation. For instructions, see Save cases as templates.

  • Upload it: You can upload a template downloaded from a blog post or provided by the community. For instructions, see Download and upload templates.

  • Duplicate it: You can copy a template that you own or clone and edit a template that has been shared with you. For instructions, see Duplicate templates.

Work with your template

Once you have created a template, the following options are available.

You can modify your template if, for example, you want to remove some queries and add production cluster names to the evidence list in the template for faster access. For instructions, see Edit templates.

You can start a new investigation based on the initial input from your template. For instructions, see Create cases from templates.

You can create another similar template for yourself based on your template. For instructions, see Duplicate templates.

You can share your template with others to increase productivity and foster collaboration within your team and your organization. This lets your team members save time when kicking off an investigation. Templates are shared in the same way as cases. For instructions, see Duplicate templates.