Security events

Latest Dynatrace
Reference

Security events are a special type of data representing security-relevant data generated by Dynatrace, but also third-party vendors.

The data contains information on vulnerability findings, compliance findings, detection findings, and their corresponding scan events summarizing the scan results.

In the security.events table, the data is separated in different buckets, depending on the origin of the data. For Dynatrace generated data, data is stored in the default_securityevents_builtin bucket, data ingested through the ingest APIs is stored in the default_securityevents bucket, unless rerouted to another bucket in OpenPipeline.

Compliance finding events

A compliance finding event is generated when an object is evaluated against a compliance rule during a scan. The event contains the results of this evaluation and the compliance status of the given object.

Compliance finding events event data fields

General event information.

Attribute	Type	Description	Examples
`event.kind`	string	stableGives high-level information about what kind of information the event contains without being specific about the contents of the event. It helps to determine the record type of a raw event.Tags: `permission`	`SECURITY_EVENT`
`event.type`	string	stableThe unique type identifier of a given event.Tags: `permission`	`COMPLIANCE_FINDING`
`timestamp`	timestamp	stableThe time (UNIX Epoch time in nanoseconds) when the event was ingested.	`1649822520123123123`

Compliance finding events finding data fields

Information about the finding.

Attribute	Type	Description	Examples
`aws.account.id`	string	resource stableThe 12-digit number, such as 123456789012, that uniquely identifies an AWS account.Tags: `permission` `primary-field`	`123456789012`
`aws.account.name`	string	resource experimentalName associated with the AWS account.	`example.com`
`azure.tenant.id`	string	resource experimentalUnique, immutable identifier assigned to the Azure tenant.	`37c4add3-612a-483d-8b24-cccbb35d3306`
`azure.tenant.name`	string	resource experimentalName assigned to the Azure tenant.	`MyAzureTenant`
`cloud.provider`	string	resource stableName of the cloud provider.	`alibaba_cloud`
`dt.entity.cloud_application`	string	resource stableAn entity ID of an entity of type CLOUD_APPLICATION.Tags: `entity-id`	`CLOUD_APPLICATION-3AB5BBF3E09A7942`
`dt.entity.cloud_application_instance`	string	resource stableAn entity ID of an entity of type CLOUD_APPLICATION_INSTANCE.Tags: `entity-id`	`CLOUD_APPLICATION_INSTANCE-E0D8F94D9065F24F`
`dt.entity.cloud_application_namespace`	string	resource stableAn entity ID of an entity of type CLOUD_APPLICATION_NAMESPACE. A CLOUD_APPLICATION_NAMESPACE is a Kubernetes namespace.Tags: `entity-id`	`CLOUD_APPLICATION_NAMESPACE-C61324AA70F57BCB`
`dt.entity.kubernetes_cluster`	string	resource stableAn entity ID of an entity of type KUBERNETES_CLUSTER.Tags: `entity-id`	`KUBERNETES_CLUSTER-E0D8F94D9065F24F`
`dt.entity.kubernetes_node`	string	resource stableAn entity ID of an entity of type KUBERNETES_NODE.Tags: `entity-id`	`KUBERNETES_NODE-874C66B68CE15070`
`finding.id`	string	stableUnique identifier string of a finding.	`F-2GJ3LSUM`
`finding.time.created`	timestamp	stableTime when the finding was created.	`2024-06-24T04:47:21.154000000+02:00`
`gcp.organization.id`	string	resource experimentalUnique, immutable identifier assigned to an organization resource.	`123456789012`
`gcp.organization.name`	string	resource experimentalName assigned to the GCP organization.	`dynatrace.com`
`hypervisor.type`	string	resource experimentalVirtualization hypervisor identified. For physical machines, this value is empty.	`KVM`; `VMWARE`
`k8s.cluster.name`	string	resource stableThe user-defined name of the cluster in Dynatrace. Doesn't need to be unique or immutable.Tags: `permission` `primary-field`	`unguard-dev`; `acme-prod10`
`k8s.cluster.uid`	string	resource stableA pseudo-ID for the cluster, by default set to the UID of the kube-system namespace.	`1c7a24c7-ff51-46e0-bcc9-c52637ceec57`
`k8s.namespace.name`	string	resource stableThe name of the namespace that the pod is running in.Tags: `permission` `primary-field`	`default`; `kube-system`
`k8s.namespace.uid`	string	resource experimentalThe UID of the namespace.	`bfb1ba44-3bcb-467d-a2dc-188fd74d1db5`
`k8s.node.name`	string	resource stableName of the node.	`cluster-pool-1-c3c7423d-azth`
`k8s.pod.name`	string	resource stableThe name of the pod.	`checkoutservice-7895755b94-mzs5m`
`k8s.pod.uid`	string	resource stableThe UID of the pod.	`275ecb36-5aa8-4c2a-9c47-d8bb681b9aff`
`k8s.workload.name`	string	resource stableThe name of the workload.	`checkoutservice`
`k8s.workload.uid`	string	resource experimentalThe UID of the workload.	`786a41e4-e673-44bb-bb30-18888f797a2b`
`vmware.vcenter.name`	string	resource experimentalName of the VMware vCenter server managing the multi-hypervisor environment.	`my-vcenter.lab.dynatrace.org`

Compliance finding events scan data fields

Information about the scan that generated the finding.

Attribute	Type	Description	Examples
`product.name`	string	resource experimentalProduct name.	`Tenable`; `Snyk`
`scan.id`	string	resource experimentalUnique identifier of the scan.	`00000000-0000-0000-0000-000000000000`

Compliance finding events rule data fields

Information about the compliance rule and the compliance standard it belongs to.

Attribute	Type	Description	Examples
`compliance.rule.id`	string	experimentalUnique identifier of a compliance rule.	`CIS-66577`
`compliance.rule.metadata_json`	string	experimentalAny additional metadata associated with the compliance rule.	`{\"Section\":\"Kubernetes - v1.9.0\",\"Recommendation ID\":\"1.2.16\",\"Recommendation section\":\"1.2 - Control Plane Components - API Server\", \"Level\":\"L1\"}`
`compliance.rule.severity.level`	string	experimentalOriginal severity of a compliance rule reported by the vendor.	`CRITICAL`; `HIGH`; `MEDIUM`; `LOW`
`compliance.rule.severity.score`	double	experimentalNumber assigned to the respective severity. For example, 10 corresponds to 'CRITICAL', 7 to 'HIGH', 4 to 'MEDIUM', and 1 to 'LOW'.	`10.0`; `7.0`; `4.0`; `1.0`
`compliance.rule.title`	string	experimentalShort description of a compliance rule.	`The Kubernetes Controller Manager must use TLS 1.2, at a minimum, to protect the confidentiality of sensitive data during electronic dissemination`

Compliance finding events standard data fields

Attribute	Type	Description	Examples
`compliance.standard.name`	string	experimentalName of a compliance standard.	`CIS Elastic Kubernetes Service (EKS) - v1.7.0`; `NIST SP 800-53 Revision 5.1.1 - Kubernetes`
`compliance.standard.short_name`	string	experimentalShort name of a compliance standard.	`DISA STIG`; `NIST`
`compliance.standard.url`	string	experimentalLink to the official documentation source about the compliance standard.	`DISA STIG`; `NIST`

Compliance finding events result fields

Information about the result of the compliance scan.

Attribute	Type	Description	Examples
`aws.resource.name`	string	resource stableName of the resource for named resources, value of the "Name" tag in AWS for non-named resources (if unavailable, same as aws.resource.id).	`my-ec2-instance`
`azure.resource.id`	string	resource experimentalA unique, immutable identifier assigned to each Azure cloud resource.	`/subscriptions/27e9b03f-04d2-2b69-b327-32f433f7ed21/resourceGroups/demo-backend-rg/providers/Microsoft.ContainerService/managedClusters/demo-aks`
`azure.resource.name`	string	resource experimentalUser-provided name of the Azure cloud resource.	`demo-aks`
`compliance.result.description`	string	experimentalDetails about the compliance result status.	`Object not matching standard inclusion criteria`
`compliance.result.object.evidence_json`	string	experimentalReasoning or evidence for the compliance status of this object.	`[{\"type\":\"AUTOMATIC\",\"description\":\"Controller Manager version\",\"value\":\"1.28.0\"},{\"type\":\"AUTOMATIC\",\"description\":\"Property tls-min-version status\",\"value\":\"Not set\"}]`
`compliance.result.object.name`	string	deprecatedName of the object evaluated for compliance.	`kube-controller-manager-k8s-mst01-t12`; `daemonset-25qlv`
`compliance.result.object.type`	string	experimentalType of the object evaluated for compliance.	`k8scluster`; `k8spod`; `k8sservice`
`compliance.result.status.level`	string	experimentalResult status of the given resource object as evaluated by a scan.	`FAILED`; `PASSED`; `MANUAL`; `NOT_RELEVANT`
`compliance.result.status.score`	double	experimentalNumber assigned to the respective result status. For example, 10 corresponds to 'FAILED', 7 to 'MANUAL', 4 to 'PASSED', and 1 to 'NOT_RELEVANT'.	`10.0`; `7.0`; `4.0`; `1.0`
`dt.source_entity`	string	resource stableThe ID of the entity considered the source of the signal. The string represents an entity ID of an entity that is stored in the classic entity storage. ¹Tags: `entity-id`	`HOST-E0D8F94D9065F24F`; `PROCESS_GROUP_INSTANCE-E0D8F94D9065F24F`
`object.id`	string	resource experimentalIdentifier of the affected object.	`HOST-E0D8F94D9065F24F`; `i-06becf87d5326157a`; `arn:aws:ecr:eu-central-1:124567890123:repository/unguard-frontend/sha256:054e1d39fb20a52f2c78caeb83574035462d3d2e627978d89a2834ce8cb69fe1`
`object.name`	string	resource experimentalName of the affected object.	`kube-controller-manager-k8s-mst01-t12`; `daemonset-25qlv`
`object.type`	string	resource experimentalType of the affected object.	`host`; `ec2_instance`; `container_image`; `process`; `HOST`; `EC2_INSTANCE`; `CONTAINER_IMAGE`

The value of this field will be based on the value of one of the dt.entity.<type> fields. This means that the dt.source_entity and dt.entity.<type> fields will both be set to the same ID.

Compliance scan completed events

A compliance scan completed event is generated when a scan of a configuration dataset against compliance rules is completed.

Compliance scan completed events metadata fields

General event information.

Attribute	Type	Description	Examples
`event.kind`	string	stableGives high-level information about what kind of information the event contains without being specific about the contents of the event. It helps to determine the record type of a raw event.Tags: `permission`	`SECURITY_EVENT`
`event.type`	string	stableThe unique type identifier of a given event.Tags: `permission`	`COMPLIANCE_SCAN_COMPLETED`
`timestamp`	timestamp	stableThe time (UNIX Epoch time in nanoseconds) when the event was ingested.	`1649822520123123123`

Compliance scan completed events scan info fields

Details about the performed compliance scan.

Attribute	Type	Description	Examples
`aws.account.id`	string	resource stableThe 12-digit number, such as 123456789012, that uniquely identifies an AWS account.Tags: `permission` `primary-field`	`123456789012`
`aws.account.name`	string	resource experimentalName associated with the AWS account.	`example.com`
`azure.tenant.id`	string	resource experimentalUnique, immutable identifier assigned to the Azure tenant.	`37c4add3-612a-483d-8b24-cccbb35d3306`
`azure.tenant.name`	string	resource experimentalName assigned to the Azure tenant.	`MyAzureTenant`
`cloud.provider`	string	resource stableName of the cloud provider.	`alibaba_cloud`
`dt.entity.kubernetes_cluster`	string	resource stableAn entity ID of an entity of type KUBERNETES_CLUSTER.Tags: `entity-id`	`KUBERNETES_CLUSTER-E0D8F94D9065F24F`
`gcp.organization.id`	string	resource experimentalUnique, immutable identifier assigned to an organization resource.	`123456789012`
`gcp.organization.name`	string	resource experimentalName assigned to the GCP organization.	`dynatrace.com`
`hypervisor.type`	string	resource experimentalVirtualization hypervisor identified. For physical machines, this value is empty.	`KVM`; `VMWARE`
`k8s.cluster.name`	string	resource stableThe user-defined name of the cluster in Dynatrace. Doesn't need to be unique or immutable.Tags: `permission` `primary-field`	`unguard-dev`; `acme-prod10`
`k8s.cluster.uid`	string	resource stableA pseudo-ID for the cluster, by default set to the UID of the kube-system namespace.	`1c7a24c7-ff51-46e0-bcc9-c52637ceec57`
`object.id`	string	resource experimentalIdentifier of the affected object.	`HOST-E0D8F94D9065F24F`; `i-06becf87d5326157a`; `arn:aws:ecr:eu-central-1:124567890123:repository/unguard-frontend/sha256:054e1d39fb20a52f2c78caeb83574035462d3d2e627978d89a2834ce8cb69fe1`
`object.name`	string	resource experimentalName of the affected object.	`kube-controller-manager-k8s-mst01-t12`; `daemonset-25qlv`
`object.type`	string	resource experimentalType of the affected object.	`host`; `ec2_instance`; `container_image`; `process`; `HOST`; `EC2_INSTANCE`; `CONTAINER_IMAGE`
`product.name`	string	resource experimentalProduct name.	`Tenable`; `Snyk`
`product.vendor`	string	resource experimentalProduct vendor.	`Tenable`; `Snyk`
`product.version`	string	resource experimentalVersion of the product that performed the scan.	`6.9.2.0`
`scan.id`	string	resource experimentalUnique identifier of the scan.	`00000000-0000-0000-0000-000000000000`
`scan.result.summary_json`	string	resource experimentalSummary of the scan results.	`{"standardResultSummaries":[{"profileCode":"CIS","compliancePercentage":85}]}`
`scan.time.completed`	timestamp	resource experimentalTime when the scan was completed.	`2024-06-24T04:47:21.154000000+02:00`
`vmware.vcenter.name`	string	resource experimentalName of the VMware vCenter server managing the multi-hypervisor environment.	`my-vcenter.lab.dynatrace.org`

Detection finding events

A detection finding refers to alerts or detections generated by security tools using correlation algorithms, detection rules, or other analytical methods. They're primarily consumed in the Threats & Exploits app.

Detection finding event fields

Required fields for detection findings to be displayed in the Threats & Exploits app.

Attribute	Type	Description	Examples
`dt.security.risk.level`	string	stableRisk score level, mapped and normalized by Dynatrace.	`LOW`; `MEDIUM`; `HIGH`; `CRITICAL`; `NONE`; `NOT_AVAILABLE`
`event.provider`	string	stableSource of the event, for example, the name of the component or system that generated the event.Tags: `permission`	`OneAgent`; `AWS Security Hub`; `Amazon GuardDuty`
`event.type`	string	stableThe unique type identifier of a given event.Tags: `permission`	`DETECTION_FINDING`
`finding.id`	string	stableUnique identifier string of a finding.	`A-2GJ3LSUM`; `arn:aws:guardduty:us-east-1:124381674733:detector/14c0550905ccbe6e5d5455071c73c1e5/finding/5c3665bd5af0488e94f482fc549a37c1`
`finding.time.created`	timestamp	stableTime when the finding was created.	`2024-06-24T04:47:21.154000000+02:00`
`finding.title`	string	stableTitle or summary of the finding.	`Title of finding`
`finding.type`	string	stableOriginal type of the finding reported by the vendor.	`SQL injection`; `Command injection`; `JNDI injection`; `SSRF`; `TTPs/Execution/Execution:Runtime-SuspiciousShellCreated`
`object.id`	string	resource experimentalIdentifier of the affected object. Either this or `object.name` has to be set.	`HOST-E0D8F94D9065F24F`; `i-06becf87d5326157a`; `arn:aws:ecr:eu-central-1:124567890123:repository/unguard-frontend/sha256:054e1d39fb20a52f2c78caeb83574035462d3d2e627978d89a2834ce8cb69fe1`
`object.name`	string	resource experimentalName of the affected object. Either this or `object.id` has to be set.	`kube-controller-manager-k8s-mst01-t12`; `daemonset-25qlv`
`object.type`	string	resource experimentalType of the affected object.	`host`; `ec2_instance`; `container_image`; `process`; `HOST`; `EC2_INSTANCE`; `CONTAINER_IMAGE`
`product.name`	string	resource experimentalProduct name.	`Runtime Application Protection`; `GuardDuty`
`product.vendor`	string	resource experimentalProduct vendor.	`Dynatrace`; `Amazon`

Optional detection finding event fields

Optional fields for detection findings (their existence in an event does not influence if they're displayed in T&E or not).

Attribute	Type	Description	Examples
`event.end`	string	stableTimestamp of latest activity associated with this finding in UTC (given in Grail preferred Linux timestamp nano precision format).	`1757405399`
`event.start`	string	stableTimestamp of earliest activity associated with this finding in UTC (given in Grail preferred Linux timestamp nano precision format).	`1757405398`
`threat.attack.subtechnique.ids`	string[]	experimentalMITRE ATT&CK sub-technique identifiers for this detection, in T{parent}.{sub} dotted format. Independent of threat.attack.technique.ids—no positional alignment is assumed or required. The parent technique is encoded in the sub-technique ID itself, for example, T1059.003 belongs to technique T1059). Omit when no sub-technique information is available; don't use empty string placeholders. Sub-technique names are derivable from IDs via the ATT&CK knowledge base. DQL filter example: array.contains(threat.attack.subtechnique.ids, "T1059.003")	`['T1059.003']`; `['T1059.003', 'T1078.002']`
`threat.attack.subtechnique.names`	string[]	experimentalHuman-readable names of the MITRE ATT&CK sub-techniques for this detection. Optional companion to threat.attack.subtechnique.ids. When populated, elements must correspond positionally to threat.attack.subtechnique.ids: names[i] is the display name for ids[i]. No specific ordering of the array is required. Omit when the producing source does not provide sub-technique names; don't use placeholder values. Names can be derived from IDs using the ATT&CK knowledge base.	`['Windows Command Shell']`; `['Windows Command Shell', 'Domain Accounts']`
`threat.attack.tactic.ids`	string[]	experimentalMITRE ATT&CK tactic identifiers for this detection, in TA-prefixed format. A detection may map to zero or more tactics. Omit or set to an empty array when tactic information is unavailable from the producing source. Tactic names can be derived from IDs using the ATT&CK knowledge base. DQL filter example: array.contains(threat.attack.tactic.ids, "TA0002")	`['TA0002']`; `['TA0002', 'TA0004']`
`threat.attack.tactic.names`	string[]	experimentalHuman-readable names of the MITRE ATT&CK tactics for this detection. Optional companion to threat.attack.tactic.ids. When populated, elements must correspond positionally to threat.attack.tactic.ids: names[i] is the display name for ids[i]. No specific ordering of the array is required. Omit when the producing source does not provide tactic names; don't use placeholder values. Names can be derived from IDs using the ATT&CK knowledge base.	`['Execution']`; `['Execution', 'Privilege Escalation']`
`threat.attack.technique.ids`	string[]	experimentalMITRE ATT&CK technique identifiers for this detection, in T-prefixed format. A detection may map to zero or more techniques. The primary pivot field for ATT&CK heat maps and technique coverage dashboards. Technique names can be derived from IDs using the ATT&CK knowledge base. DQL filter example: array.contains(threat.attack.technique.ids, "T1059")	`['T1059']`; `['T1059', 'T1078']`
`threat.attack.technique.names`	string[]	experimentalHuman-readable names of the MITRE ATT&CK techniques for this detection. Optional companion to threat.attack.technique.ids. When populated, elements must correspond positionally to threat.attack.technique.ids: names[i] is the display name for ids[i]. No specific ordering of the array is required. Omit when the producing source does not provide technique names; don't use placeholder values. Names can be derived from IDs using the ATT&CK knowledge base.	`['Command and Scripting Interpreter']`; `['Command and Scripting Interpreter', 'Valid Accounts']`
`threat.attack.version`	string	experimentalVersion of the MITRE ATT&CK framework used to classify this detection. Useful for audit and reproducibility, since tactic and technique IDs can be added or renumbered across major ATT&CK versions. Some producers don't embed the framework version in their event payloads; omit when version provenance can't be reliably determined. Use bare version numbers without a "v" prefix.	`14.1`; `15.1`; `16.0`

Detection finding events technical fields

Required fields for detection findings; should be automatically added during ingest via OpenPipeline.

Attribute	Type	Description	Examples
`event.id`	string	stableIn combination with `timestamp`, this field uniquely identifies a specific event.	`1669863368163_07755297913417681159`
`event.kind`	string	stableDescribes the general nature of the event, without detailing the event's specific contents. It helps to determine the record type of a raw event.Tags: `permission`	`SECURITY_EVENT`
`timestamp`	timestamp	stableTime (UNIX Epoch time in nanoseconds) when the event was ingested.	`1649822520123123123`

Entity change events

Entity change events are change events at the entity level. An event is generated whenever a vulnerability's affected entity undergoes a status or assessment change.

Query

Query entity status change events.

fetch security.events
| filter event.category == "VULNERABILITY_MANAGEMENT"
| filter event.type == "VULNERABILITY_STATUS_CHANGE_EVENT"
| filter event.level == "ENTITY"

Entity change events event data

General event information.

Attribute	Type	Description	Examples
`event.category`	string	stableCategorization based on the product and data generating this event.	`VULNERABILITY_MANAGEMENT`
`event.change_list`	array	resource stableList of attributes updated as part of the change event. Values in the list match a `previous` field.	`vulnerability.risk.score`; `affected_entities.count`; `related_entities.databases.count`
`event.description`	string	stableHuman-readable description of an event.	`Status of S-49 Remote Code Execution for prod_process_group_1 has changed to OPEN.`; `Assessment of S-49 Remote Code Execution for prod_process_group_1 has changed.`; `Environment impact of S-49 Remote Code Execution for prod_process_group_1 has changed.`
`event.group_label`	string	experimentalGroup label of an event.	`CHANGE_EVENT`
`event.kind`	string	stableGives high-level information about what kind of information the event contains without being specific about the contents of the event. It helps to determine the record type of a raw event.Tags: `permission`	`SECURITY_EVENT`
`event.level`	string	resource stableMain reference point to which the event or data is related. Possible values are `Vulnerability` (shows the global aggregation across the entire environment and comprises all entities and management zones) and `Entity` (shows the assessment based on the entity itself).	`ENTITY`
`event.name`	string	stableThe human readable display name of an event type.	`Vulnerable entity status change event`; `Vulnerable entity assessment change event`
`event.provider`	string	stableSource of the event, for example, the name of the component or system that generated the event.Tags: `permission`	`Dynatrace`
`event.provider_product`	string	resource stableName of the product providing this event.	`Runtime Vulnerability Analytics`; `Snyk Container`
`event.status`	string	stableStatus of an event as being either Active or Closed.	`OPEN`; `RESOLVED`; `MUTED`
`event.status_transition`	string	experimentalAn enum that shows the transition of the above event state.	`NEW_OPEN`; `REOPEN`; `CLOSE`; `MUTE`; `UNMUTE`
`event.trigger.type`	string	resource stableType of event trigger (for example, whether it was generated by the system, ingested via API, or triggered by the user).	`DT_PLATFORM`; `USER_ACTION`
`event.trigger.user`	string	resource stableID of the user who triggered the event. If generated by Dynatrace, the value is `SYSTEM`.	`SYSTEM`; `<user_id>`
`event.type`	string	stableThe unique type identifier of a given event.Tags: `permission`	`VULNERABILITY_STATUS_CHANGE_EVENT`; `VULNERABILITY_ASSESSMENT_CHANGE_EVENT`
`timestamp`	timestamp	stableThe time (UNIX Epoch time in nanoseconds) when the event originated, typically when it was created by the source.	`1649822520123123123`

Entity change events vulnerability data

Information about the vulnerability at the entity level and its global parent, as well as its previous values.

Attribute	Type	Description	Examples
`entry_points.entry_point_jsons`	string[]	resource deprecatedUse `entry_points` instead.JSON representation of entry points of a vulnerability.	`['{ "entry_point.url.path": "/user/2/bio", "entry_point.payload": "UPDATE bio SET bio_text = \'\' WHERE 1 = 0; TRUNCATE TABLE bio; --\' WHERE user_id = 2", "entry_point.user_controlled_inputs_json": [{ "user_controlled_input.type": "HTTP_PARAMETER_VALUE", "user_controlled_input.key": "username", "user_controlled_input.value": "\' OR 100=100 -- 0\'", "user_controlled_input.payload.start": "56", "user_controlled_input.payload.end": "73", "user_controlled_input.is_malicious": true}]}']`
`vulnerability.code_location.name`	string	stableName of the code location where the code-level vulnerability was detected.	`org.dynatrace.profileservice.BioController.markdownToHtml(String):80`
`vulnerability.cvss.base_score`	double	stableVulnerability's CVSS base score provided by NVD.	`8.1`
`vulnerability.cvss.vector`	string	experimentalVulnerability's CVSS vector defined by the provider.	`CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:L/SI:L/SA:L`; `CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:L/A:H/E:P/RL:T/RC:U/CR:L/IR:M/AR:H`
`vulnerability.cvss.version`	string	stableVulnerability's CVSS score version.	`3.1`; `4.0`
`vulnerability.davis_assessment.assessment_mode`	string	stableAvailability of the information based on which the assessment of the vulnerability at the entity level has been done.	`FULL`; `NOT_AVAILABLE`; `REDUCED`
`vulnerability.davis_assessment.assessment_mode_reasons`	string[]	experimentalReasons for the assessment mode at the entity level.	`['LIMITED_BY_CONFIGURATION', 'LIMITED_AGENT_SUPPORT']`
`vulnerability.davis_assessment.data_assets_status`	string	stableAffected entity's reachability by a database.	`NOT_AVAILABLE`; `NOT_DETECTED`; `REACHABLE`
`vulnerability.davis_assessment.exploit_status`	string	stablePublic exploits status of the vulnerability at the entity level.	`AVAILABLE`; `NOT_AVAILABLE`
`vulnerability.davis_assessment.exposure_status`	string	stableInternet exposure status of the vulnerability at the entity level.	`NOT_AVAILABLE`; `NOT_DETECTED`; `PUBLIC_NETWORK`; `ADJACENT_NETWORK`
`vulnerability.davis_assessment.level`	string	stableRisk level, based on Davis Security Score, of the vulnerability at the entity level.	`LOW`; `MEDIUM`; `HIGH`; `CRITICAL`; `NONE`
`vulnerability.davis_assessment.score`	double	stableDavis Security Score (1-10) calculated by Dynatrace for the vulnerability at the entity level.	`8.1`
`vulnerability.davis_assessment.vulnerable_function_status`	string	stableUsage status of the vulnerable functions causing the vulnerability at the entity level.	`IN_USE`; `NOT_AVAILABLE`; `NOT_IN_USE`
`vulnerability.description`	string	stableDescription of the vulnerability.	`More detailed description about improper input validation vulnerability.`
`vulnerability.display_id`	string	stableDynatrace user-readable identifier for the vulnerability.	`S-1234`
`vulnerability.external_id`	string	stableExternal provider's unique identifier for the vulnerability.	`SNYK-JAVA-ORGAPACHEHTTPCOMPONENTS-30646`
`vulnerability.external_url`	string	stableExternal provider's URL to the details page of the vulnerability.	`https://example.com`
`vulnerability.first_seen`	timestamp	stableTimestamp of when the vulnerability at the entity level was first detected.	`2023-03-22T13:19:36.945Z`
`vulnerability.id`	string	stableDynatrace unique identifier for the vulnerability.	`2039861408676243188`
`vulnerability.is_fix_available`	boolean	experimentalIndicates if a vulnerability fix is available.
`vulnerability.mute.change_date`	timestamp	stableTimestamp of the last muted or unmuted action of the vulnerability at the entity level.	`2023-03-22T13:19:36.945Z`
`vulnerability.mute.comment`	string	experimentalComment for muting or unmuting the vulnerability at entity level.	`Muted because it's a false positive.`
`vulnerability.mute.reason`	string	stableReason for muting or unmuting the vulnerability at the entity level.	`FALSE_POSITIVE`; `IGNORE`; `AFFECTED`; `CONFIGURATION_NOT_AFFECTED`; `OTHER`
`vulnerability.mute.status`	string	stableMute status of the vulnerability at the entity level.	`MUTED`; `NOT_MUTED`
`vulnerability.mute.user`	string	stableUser who last changed the mute status of the vulnerability at the entity level.	`user@example.com`
`vulnerability.parent.davis_assessment.assessment_mode`	string	stableAvailability of the information based on which the vulnerability assessment has been done.	`FULL`; `NOT_AVAILABLE`; `REDUCED`
`vulnerability.parent.davis_assessment.data_assets_status`	string	stableVulnerability's reachability of related data assets by affected entities.	`NOT_AVAILABLE`; `NOT_DETECTED`; `REACHABLE`
`vulnerability.parent.davis_assessment.exposure_status`	string	stableVulnerability's internet exposure status.	`NOT_AVAILABLE`; `NOT_DETECTED`; `PUBLIC_NETWORK`; `ADJACENT_NETWORK`
`vulnerability.parent.davis_assessment.level`	string	stableVulnerability's Davis Security Score level.	`LOW`; `MEDIUM`; `HIGH`; `CRITICAL`; `NONE`
`vulnerability.parent.davis_assessment.score`	double	stableVulnerability's Davis Security Score (1-10) calculated by Dynatrace.	`8.1`
`vulnerability.parent.davis_assessment.vulnerable_function_status`	string	stableUsage status of vulnerable functions causing the vulnerability. Status is `IN_USE` when there's at least one vulnerable function in use by an application.	`IN_USE`; `NOT_AVAILABLE`; `NOT_IN_USE`
`vulnerability.parent.first_seen`	string	stableTimestamp of when the vulnerability was first detected.	`2023-03-22T13:19:36.945Z`
`vulnerability.parent.mute.change_date`	timestamp	stableTimestamp of the last mute or unmute action of the vulnerability.	`2023-03-22T13:19:36.945Z`
`vulnerability.parent.mute.reason`	string	stableReason for muting or unmuting the vulnerability.	`FALSE_POSITIVE`; `IGNORE`; `AFFECTED`; `CONFIGURATION_NOT_AFFECTED`; `OTHER`
`vulnerability.parent.mute.status`	string	stableVulnerability's mute status.	`MUTED`; `NOT_MUTED`
`vulnerability.parent.mute.user`	string	stableUser who last changed the vulnerability's mute status.	`user@example.com`
`vulnerability.parent.resolution.change_date`	string	stableTimestamp of the vulnerability's last resolution status change.	`2023-03-22T13:19:37.466Z`
`vulnerability.parent.resolution.status`	string	stableCurrent status of the vulnerability.	`OPEN`; `RESOLVED`
`vulnerability.parent.risk.level`	string	stableVulnerability's risk score level defined by the provider. For Dynatrace, the Davis Security Score level.	`LOW`; `MEDIUM`; `HIGH`; `CRITICAL`; `NONE`
`vulnerability.parent.risk.score`	double	stableVulnerability's risk score defined by the provider. For Dynatrace, Davis Security Score.	`8.1`
`vulnerability.previous.cvss.base_score`	double	stableVulnerability's previous CVSS base score (in case the CVSS base score has changed).	`8.1`
`vulnerability.previous.davis_assessment.data_assets_status`	string	stableVulnerability's previous reachability of related data assets by affected entities (in case the reachability has changed).	`NOT_AVAILABLE`; `NOT_DETECTED`; `REACHABLE`
`vulnerability.previous.davis_assessment.exploit_status`	string	stableVulnerability's previous public exploit status (in case the public exploit status has changed).	`AVAILABLE`; `NOT_AVAILABLE`
`vulnerability.previous.davis_assessment.exposure_status`	string	stableVulnerability's previous internet exposure status (in case the internet exposure status has changed).	`NOT_AVAILABLE`; `NOT_DETECTED`; `PUBLIC_NETWORK`; `ADJACENT_NETWORK`
`vulnerability.previous.davis_assessment.level`	string	stableVulnerability's previous risk level (in case the risk level has changed).	`LOW`; `MEDIUM`; `HIGH`; `CRITICAL`; `NONE`
`vulnerability.previous.davis_assessment.score`	double	stableVulnerability's previous Davis Security Score (in case Davis Security Score has changed).	`8.1`
`vulnerability.previous.davis_assessment.vulnerable_function_status`	string	stableVulnerability's previous vulnerable function status (in case the vulnerable function status has changed).	`IN_USE`; `NOT_AVAILABLE`; `NOT_IN_USE`
`vulnerability.previous.external_id`	string	experimentalVulnerability’s unique identifier from the previous external provider.	`SNYK-JAVA-ORGAPACHEHTTPCOMPONENTS-30646`
`vulnerability.previous.mute.change_date`	string	stableTimestamp of the vulnerability's previous mute status (in case the mute status has changed).	`2023-03-22T13:19:36.945Z`
`vulnerability.previous.mute.comment`	string	experimentalComment of the vulnerability's previous mute status.	`Muted because it's a false positive.`
`vulnerability.previous.mute.reason`	string	stableReason for last muting or unmuting the vulnerability (in case the reason for muting or unmuting the vulnerability has changed).	`Muted: False positive`
`vulnerability.previous.mute.status`	string	stableVulnerability's previous mute status (in case the mute status has changed).	`MUTED`; `NOT_MUTED`
`vulnerability.previous.mute.user`	string	stableUser who last changed the vulnerability's mute status (in case the mute status was last changed by a different user).	`user@example.com`
`vulnerability.previous.resolution.status`	string	stableVulnerability's previous resolution status (in case the resolution status has changed).	`OPEN`; `RESOLVED`
`vulnerability.previous.risk.level`	string	stableVulnerability's previous risk score level (in case the risk score level has changed).	`LOW`; `MEDIUM`; `HIGH`; `CRITICAL`
`vulnerability.previous.risk.score`	double	stableVulnerability's previous risk score (in case the risk score has changed).	`8.1`
`vulnerability.previous.tracking_link.text`	string	experimentalDisplay text of the previous tracking link that was set by the user.	`P-1000 Vulnerability CVE-2024-0001`
`vulnerability.previous.tracking_link.url`	string	experimentalURL of the previous tracking link that was set by the user.	`https://example.com/Project1/P-1000`
`vulnerability.references.cve`	string[]	stableList of the vulnerability's CVE IDs.	`['CVE-2021-41079']`
`vulnerability.references.cwe`	string[]	stableList of the vulnerability's CWE IDs.	`['CWE-20']`
`vulnerability.references.owasp`	string[]	stableList of vulnerability's OWASP IDs.	`['2021:A3']`
`vulnerability.remediation.description`	string	experimentalDescription of the vulnerability's remediation advice.	`Upgrade component to version 1.2.3 or higher`
`vulnerability.resolution.change_date`	timestamp	stableTimestamp of the last resolution status change of the vulnerability at the entity level.	`2023-03-22T13:19:37.466Z`
`vulnerability.resolution.status`	string	stableResolution status of the vulnerability at the entity level.	`OPEN`; `RESOLVED`
`vulnerability.risk.level`	string	stableVulnerability's risk score level defined by the provider at the entity level. For Dynatrace, the Davis Security Score level.	`LOW`; `MEDIUM`; `HIGH`; `CRITICAL`; `NONE`
`vulnerability.risk.scale`	string	stableScale by which the risk score and risk score level defined by the provider for the vulnerability at the entity level are measured.	`Davis Security Score`
`vulnerability.risk.score`	double	stableRisk score defined by the provider for the vulnerability at the entity level. For Dynatrace, Davis Security Score.	`8.1`
`vulnerability.stack`	string	experimentalLevel of the vulnerable component in the technological stack.	`CODE`; `CODE_LIBRARY`; `SOFTWARE`; `CONTAINER_ORCHESTRATION`
`vulnerability.technology`	string	stableTechnology of the vulnerable component.	`JAVA`; `DOTNET`; `GO`; `PHP`; `NODE_JS`
`vulnerability.title`	string	stableTitle of the vulnerability.	`Improper Input Validation`
`vulnerability.tracking_link.text`	string	experimentalDisplay text of the tracking link that was set by the user.	`P-1000 Vulnerability CVE-2024-0001`
`vulnerability.tracking_link.url`	string	experimentalURL of the tracking link that was set by the user.	`https://example.com/Project1/P-1000`
`vulnerability.type`	string	stableClassification of the vulnerability based on commonly accepted enums, such as CWE.	`Improper Input Validation`
`vulnerability.url`	string	stableDynatrace URL to the details page of the vulnerability. \|	`https://example.com`

Entity change events: environmental data

Affected entity

Information about the vulnerability's affected entity and related entities.

Attribute	Type	Description	Examples
`affected_entity.affected_processes.ids`	array	resource stableIDs of the processes that are currently affected by the vulnerability.	`PROCESS_GROUP_INSTANCE-1`
`affected_entity.affected_processes.names`	array	resource stableNames of the processes that are currently affected by the vulnerability.	`prod_process_group_instance_1`
`affected_entity.id`	string	resource stableID of the affected entity.	`PROCESS_GROUP-1`; `HOST-1`
`affected_entity.management_zones.ids`	array	resource stableIDs of the management zones to which the affected entity belongs.	`mzid1`
`affected_entity.management_zones.names`	array	resource stableNames of the management zones to which the affected entity belongs.	`mz1`
`affected_entity.name`	string	resource stableName of the affected entity.	`prod_process_group_1`; `prod_host`
`affected_entity.reachable_data_assets.count`	long	resource experimentalNumber of reachable data assets.	`1`
`affected_entity.reachable_data_assets.ids`	array	resource experimentalIDs of the data assets that can be reached by the affected entities of the vulnerability.	`DATABASE-1`
`affected_entity.reachable_data_assets.names`	array	resource experimentalNames of the data assets that can be reached by the affected entities of the vulnerability.	`prod_database_1`
`affected_entity.type`	string	resource stableType of affected entity.	`PROCESS_GROUP`; `HOST`; `KUBERNETES_NODE`
`affected_entity.vulnerable_component.id`	string	resource stableID of the vulnerable component causing the vulnerability.	`SOFTWARE_COMPONENT-D8FCFFB4FDF7A3FF`
`affected_entity.vulnerable_component.name`	string	resource stableName of the vulnerable component causing the vulnerability.	`log4j-core-2.6.2.jar`
`affected_entity.vulnerable_component.package_name`	string	resource experimentalPackage name of the vulnerable component causing the vulnerability.	`k8s.io/kubernetes`; `github.com/kubernetes/kubernetes/pkg/kubelet/kuberuntime`
`affected_entity.vulnerable_component.short_name`	string	resource stableShort name of the vulnerable component causing the vulnerability.	`log4j`
`affected_entity.vulnerable_functions`	array	resource stableVulnerable functions detected, containing or causing the vulnerability.	`org.springframework.beans.CachedIntrospectionResults:init`; `java.lang.ProcessBuilder.<init>(String[])`; `(*DB).queryDC() (/usr/local/go/src/database/sql/sql.go)`
`affected_entity.vulnerable_functions_not_available`	array	resource experimentalVulnerable functions detected which Dynatrace can't tell if they're in use due to limited insights.	`org.springframework.beans.CachedIntrospectionResults:init`; `java.lang.ProcessBuilder.<init>(String[])`; `(*DB).queryDC() (/usr/local/go/src/database/sql/sql.go)`
`affected_entity.vulnerable_functions_not_in_use`	array	resource experimentalVulnerable functions detected which are not actively used.	`org.springframework.beans.CachedIntrospectionResults:init`; `java.lang.ProcessBuilder.<init>(String[])`; `(*DB).queryDC() (/usr/local/go/src/database/sql/sql.go)`

Attribute	Type	Description	Examples
`related_entities.applications.count`	long	resource stableNumber of related applications.	`1`
`related_entities.applications.ids`	array	resource stableIDs of the applications related to the vulnerability's affected entities.	`APPLICATION-1`
`related_entities.databases.count`	long	resource stableNumber of related databases.	`1`
`related_entities.databases.ids`	array	resource stableIDs of the databases related to the vulnerability's affected entities.	`DATABASE-1`
`related_entities.hosts.count`	long	resource stableNumber of related hosts.	`1`
`related_entities.hosts.ids`	array	resource stableIDs of the hosts related to the vulnerability's affected entities.	`HOST-1`
`related_entities.kubernetes_clusters.count`	long	resource stableNumber of related Kubernetes clusters.	`1`
`related_entities.kubernetes_clusters.ids`	array	resource stableIDs of the Kubernetes clusters related to the vulnerability's affected entities.	`KUBERNETES_CLUSTER-1`
`related_entities.kubernetes_workloads.count`	long	resource stableNumber of related Kubernetes workloads.	`1`
`related_entities.kubernetes_workloads.ids`	array	resource stableIDs of the Kubernetes workloads related to the vulnerability's affected entities.	`KUBERNETES_WORKLOAD-1`
`related_entities.services.count`	long	resource stableNumber of related services.	`1`
`related_entities.services.ids`	array	resource stableIDs of the services related to the vulnerability's affected entities.	`SERVICE-1`

Entity state events

Entity state events are historical vulnerability states reported at the entity level. The current vulnerability state per entity is exported to Grail regularly.

Query

Query entity state events.

fetch security.events
| filter event.category == "VULNERABILITY_MANAGEMENT"
| filter event.type == "VULNERABILITY_STATE_REPORT_EVENT"
| filter event.level == "ENTITY"

Entity state event data

General event information.

Attribute	Type	Description	Examples
`event.category`	string	stableCategorization based on the product and data generating this event.	`VULNERABILITY_MANAGEMENT`
`event.description`	string	stableHuman-readable description of an event.	`S-49 Remote Code Execution state event reported`
`event.group_label`	string	experimentalGroup label of an event.	`STATE_REPORT`
`event.kind`	string	stableGives high-level information about what kind of information the event contains without being specific about the contents of the event. It helps to determine the record type of a raw event.Tags: `permission`	`SECURITY_EVENT`
`event.level`	string	resource stableMain reference point to which the event or data is related. Possible values are `Vulnerability` (shows the global aggregation across the entire environment and comprises all entities and management zones) and `Entity` (shows the assessment based on the entity itself).	`ENTITY`
`event.name`	string	stableThe human readable display name of an event type.	`Vulnerability historical state report event`
`event.provider`	string	stableSource of the event, for example, the name of the component or system that generated the event.Tags: `permission`	`OneAgent`; `K8S`; `Davis`; `VMWare`; `GCP`; `AWS`; `LIMA_USAGE_STREAM`
`event.provider_product`	string	resource stableName of the product providing this event.	`Runtime Vulnerability Analytics`; `Snyk Container`
`event.status`	string	stableStatus of an event as being either Active or Closed.	`OPEN`; `RESOLVED`; `MUTED`
`event.type`	string	stableThe unique type identifier of a given event.Tags: `permission`	`VULNERABILITY_STATE_REPORT_EVENT`
`timestamp`	timestamp	stableThe time (UNIX Epoch time in nanoseconds) when the event originated, typically when it was created by the source.	`1649822520123123123`

Entity state vulnerability data

Information about the vulnerability at the entity level and its global vulnerability, with a focus on the affected entities

Attribute	Type	Description	Examples
`entry_points.entry_point_jsons`	string[]	resource deprecatedUse `entry_points` instead.JSON representation of entry points of a vulnerability.	`['{ "entry_point.url.path": "/user/2/bio", "entry_point.payload": "UPDATE bio SET bio_text = \'\' WHERE 1 = 0; TRUNCATE TABLE bio; --\' WHERE user_id = 2", "entry_point.user_controlled_inputs_json": [{ "user_controlled_input.type": "HTTP_PARAMETER_VALUE", "user_controlled_input.key": "username", "user_controlled_input.value": "\' OR 100=100 -- 0\'", "user_controlled_input.payload.start": "56", "user_controlled_input.payload.end": "73", "user_controlled_input.is_malicious": true}]}']`
`vulnerability.code_location.name`	string	stableName of the code location where the code-level vulnerability was detected.	`org.dynatrace.profileservice.BioController.markdownToHtml(String):80`
`vulnerability.cvss.base_score`	double	stableVulnerability's CVSS base score provided by NVD.	`8.1`
`vulnerability.cvss.vector`	string	experimentalVulnerability's CVSS vector defined by the provider.	`CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:L/SI:L/SA:L`; `CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:L/A:H/E:P/RL:T/RC:U/CR:L/IR:M/AR:H`
`vulnerability.cvss.version`	string	stableVulnerability's CVSS score version.	`3.1`; `4.0`
`vulnerability.davis_assessment.assessment_mode`	string	stableAvailability of the information based on which the assessment of the vulnerability at the entity level has been done.	`FULL`; `NOT_AVAILABLE`; `REDUCED`
`vulnerability.davis_assessment.assessment_mode_reasons`	string[]	experimentalReasons for the assessment mode at the entity level.	`['LIMITED_BY_CONFIGURATION', 'LIMITED_AGENT_SUPPORT']`
`vulnerability.davis_assessment.data_assets_status`	string	stableAffected entity's reachability by a database.	`NOT_AVAILABLE`; `NOT_DETECTED`; `REACHABLE`
`vulnerability.davis_assessment.exploit_status`	string	stablePublic exploits status of the vulnerability at the entity level.	`AVAILABLE`; `NOT_AVAILABLE`
`vulnerability.davis_assessment.exposure_status`	string	stableInternet exposure status of the vulnerability at the entity level.	`NOT_AVAILABLE`; `NOT_DETECTED`; `PUBLIC_NETWORK`; `ADJACENT_NETWORK`
`vulnerability.davis_assessment.level`	string	stableRisk level, based on Davis Security Score, of the vulnerability at the entity level.	`LOW`; `MEDIUM`; `HIGH`; `CRITICAL`; `NONE`
`vulnerability.davis_assessment.score`	double	stableDavis Security Score (1-10) calculated by Dynatrace for the vulnerability at the entity level.	`8.1`
`vulnerability.davis_assessment.vector`	string	experimentalVulnerability's CVSS vector, adjusted with observability data; this vector is calculated by Dynatrace.	`CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:L/SI:L/SA:L`; `CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:L/A:H/E:P/RL:T/RC:U/CR:L/IR:M/AR:H`
`vulnerability.davis_assessment.vulnerable_function_status`	string	stableUsage status of the vulnerable functions causing the vulnerability at the entity level.	`IN_USE`; `NOT_AVAILABLE`; `NOT_IN_USE`
`vulnerability.description`	string	stableDescription of the vulnerability.	`More detailed description about improper input validation vulnerability.`
`vulnerability.display_id`	string	stableDynatrace user-readable identifier for the vulnerability.	`S-1234`
`vulnerability.external_id`	string	stableExternal provider's unique identifier for the vulnerability.	`SNYK-JAVA-ORGAPACHEHTTPCOMPONENTS-30646`
`vulnerability.external_url`	string	stableExternal provider's URL to the details page of the vulnerability.	`https://example.com`
`vulnerability.id`	string	stableDynatrace unique identifier for the vulnerability.	`2039861408676243188`
`vulnerability.is_fix_available`	boolean	experimentalIndicates if a vulnerability fix is available.
`vulnerability.mute.change_date`	timestamp	stableTimestamp of the last muted or unmuted action of the vulnerability at the entity level.	`2023-03-22T13:19:36.945Z`
`vulnerability.mute.comment`	string	experimentalComment for muting or unmuting the vulnerability at entity level.	`Muted because it's a false positive.`
`vulnerability.mute.reason`	string	stableReason for muting or unmuting the vulnerability at the entity level.	`FALSE_POSITIVE`; `IGNORE`; `AFFECTED`; `CONFIGURATION_NOT_AFFECTED`; `OTHER`
`vulnerability.mute.status`	string	stableMute status of the vulnerability at the entity level.	`MUTED`; `NOT_MUTED`
`vulnerability.mute.user`	string	stableUser who last changed the mute status of the vulnerability at the entity level.	`user@example.com`
`vulnerability.parent.davis_assessment.assessment_mode`	string	stableAvailability of the information based on which the vulnerability assessment has been done.	`FULL`; `NOT_AVAILABLE`; `REDUCED`
`vulnerability.parent.davis_assessment.data_assets_status`	string	stableVulnerability's reachability of related data assets by affected entities.	`NOT_AVAILABLE`; `NOT_DETECTED`; `REACHABLE`
`vulnerability.parent.davis_assessment.exposure_status`	string	stableVulnerability's internet exposure status.	`NOT_AVAILABLE`; `NOT_DETECTED`; `PUBLIC_NETWORK`; `ADJACENT_NETWORK`
`vulnerability.parent.davis_assessment.level`	string	stableVulnerability's Davis Security Score level.	`LOW`; `MEDIUM`; `HIGH`; `CRITICAL`; `NONE`
`vulnerability.parent.davis_assessment.score`	double	stableVulnerability's Davis Security Score (1-10) calculated by Dynatrace.	`8.1`
`vulnerability.parent.davis_assessment.vulnerable_function_status`	string	stableUsage status of vulnerable functions causing the vulnerability. Status is `IN_USE` when there's at least one vulnerable function in use by an application.	`IN_USE`; `NOT_AVAILABLE`; `NOT_IN_USE`
`vulnerability.parent.first_seen`	string	stableTimestamp of when the vulnerability was first detected.	`2023-03-22T13:19:36.945Z`
`vulnerability.parent.mute.change_date`	timestamp	stableTimestamp of the last mute or unmute action of the vulnerability.	`2023-03-22T13:19:36.945Z`
`vulnerability.parent.mute.reason`	string	stableReason for muting or unmuting the vulnerability.	`FALSE_POSITIVE`; `IGNORE`; `AFFECTED`; `CONFIGURATION_NOT_AFFECTED`; `OTHER`
`vulnerability.parent.mute.status`	string	stableVulnerability's mute status.	`MUTED`; `NOT_MUTED`
`vulnerability.parent.mute.user`	string	stableUser who last changed the vulnerability's mute status.	`user@example.com`
`vulnerability.parent.resolution.change_date`	string	stableTimestamp of the vulnerability's last resolution status change.	`2023-03-22T13:19:37.466Z`
`vulnerability.parent.resolution.status`	string	stableCurrent status of the vulnerability.	`OPEN`; `RESOLVED`
`vulnerability.parent.risk.level`	string	stableVulnerability's risk score level defined by the provider. For Dynatrace, the Davis Security Score level.	`LOW`; `MEDIUM`; `HIGH`; `CRITICAL`; `NONE`
`vulnerability.parent.risk.score`	double	stableVulnerability's risk score defined by the provider. For Dynatrace, Davis Security Score.	`8.1`
`vulnerability.references.cve`	string[]	stableList of the vulnerability's CVE IDs.	`['CVE-2021-41079']`
`vulnerability.references.cwe`	string[]	stableList of the vulnerability's CWE IDs.	`['CWE-20']`
`vulnerability.references.owasp`	string[]	stableList of vulnerability's OWASP IDs.	`['2021:A3']`
`vulnerability.remediation.description`	string	experimentalDescription of the vulnerability's remediation advice.	`Upgrade component to version 1.2.3 or higher`
`vulnerability.resolution.change_date`	timestamp	stableTimestamp of the last status change of the vulnerability at the entity level.	`2023-03-22T13:19:37.466Z`
`vulnerability.resolution.status`	string	stableResolution status of the vulnerability at the entity level.	`OPEN`; `RESOLVED`
`vulnerability.risk.level`	string	stableVulnerability's risk score level defined by the provider at the entity level. For Dynatrace, the Davis Security Score level.	`LOW`; `MEDIUM`; `HIGH`; `CRITICAL`; `NONE`
`vulnerability.risk.scale`	string	stableScale by which the risk score and risk score level defined by the provider for the vulnerability at the entity level are measured.	`Davis Security Score`
`vulnerability.risk.score`	double	stableRisk score defined by the provider for the vulnerability at the entity level. For Dynatrace, Davis Security Score.	`8.1`
`vulnerability.stack`	string	experimentalLevel of the vulnerable component in the technological stack.	`CODE`; `CODE_LIBRARY`; `SOFTWARE`; `CONTAINER_ORCHESTRATION`
`vulnerability.technology`	string	stableTechnology of the vulnerable component.	`JAVA`; `DOTNET`; `GO`; `PHP`; `NODE_JS`
`vulnerability.title`	string	stableTitle of the vulnerability.	`Improper Input Validation`
`vulnerability.tracking_link.text`	string	experimentalDisplay text of the tracking link that was set by the user.	`P-1000 Vulnerability CVE-2024-0001`
`vulnerability.tracking_link.url`	string	experimentalURL of the tracking link that was set by the user.	`https://example.com/Project1/P-1000`
`vulnerability.type`	string	stableClassification of the vulnerability based on commonly accepted enums, such as CWE.	`Improper Input Validation`
`vulnerability.url`	string	stableDynatrace URL to the details page of the vulnerability. \|	`https://example.com`

Entity state: environmental data

This section contains information about the vulnerability's affected and related entities.

Entity state affected entity fields

Attribute	Type	Description	Examples
`affected_entity.affected_processes.ids`	array	resource stableIDs of the processes that are currently affected by the vulnerability.	`PROCESS_GROUP_INSTANCE-1`
`affected_entity.affected_processes.names`	array	resource stableNames of the processes that are currently affected by the vulnerability.	`prod_process_group_instance_1`
`affected_entity.id`	string	resource stableID of the affected entity.	`PROCESS_GROUP-1`; `HOST-1`
`affected_entity.management_zones.ids`	array	resource stableIDs of the management zones to which the affected entity belongs.	`mzid1`
`affected_entity.management_zones.names`	array	resource stableNames of the management zones to which the affected entity belongs.	`mz1`
`affected_entity.name`	string	resource stableName of the affected entity.	`prod_process_group_1`; `prod_host`
`affected_entity.reachable_data_assets.count`	long	resource experimentalNumber of reachable data assets.	`1`
`affected_entity.reachable_data_assets.ids`	array	resource experimentalIDs of the data assets that can be reached by the affected entities of the vulnerability.	`DATABASE-1`
`affected_entity.reachable_data_assets.names`	array	resource experimentalNames of the data assets that can be reached by the affected entities of the vulnerability.	`prod_database_1`
`affected_entity.type`	string	resource stableType of affected entity.	`PROCESS_GROUP`; `HOST`; `KUBERNETES_NODE`
`affected_entity.vulnerable_component.id`	string	resource stableID of the vulnerable component causing the vulnerability.	`SOFTWARE_COMPONENT-D8FCFFB4FDF7A3FF`
`affected_entity.vulnerable_component.name`	string	resource stableName of the vulnerable component causing the vulnerability.	`log4j-core-2.6.2.jar`
`affected_entity.vulnerable_component.package_name`	string	resource experimentalPackage name of the vulnerable component causing the vulnerability.	`k8s.io/kubernetes`; `github.com/kubernetes/kubernetes/pkg/kubelet/kuberuntime`
`affected_entity.vulnerable_component.short_name`	string	resource stableShort name of the vulnerable component causing the vulnerability.	`log4j`
`affected_entity.vulnerable_functions`	array	resource stableVulnerable functions detected, containing or causing the vulnerability.	`org.springframework.beans.CachedIntrospectionResults:init`; `java.lang.ProcessBuilder.<init>(String[])`; `(*DB).queryDC() (/usr/local/go/src/database/sql/sql.go)`
`affected_entity.vulnerable_functions_not_available`	array	resource experimentalVulnerable functions detected which Dynatrace can't tell if they're in use due to limited insights.	`org.springframework.beans.CachedIntrospectionResults:init`; `java.lang.ProcessBuilder.<init>(String[])`; `(*DB).queryDC() (/usr/local/go/src/database/sql/sql.go)`
`affected_entity.vulnerable_functions_not_in_use`	array	resource experimentalVulnerable functions detected which are not actively used.	`org.springframework.beans.CachedIntrospectionResults:init`; `java.lang.ProcessBuilder.<init>(String[])`; `(*DB).queryDC() (/usr/local/go/src/database/sql/sql.go)`

Attribute	Type	Description	Examples
`related_entities.applications.count`	long	resource stableNumber of related applications.	`1`
`related_entities.applications.ids`	array	resource stableIDs of the applications related to the vulnerability's affected entities.	`APPLICATION-1`
`related_entities.applications.names`	array	resource stableNames of the applications related to the vulnerability's affected entities.	`prod_application_1`
`related_entities.databases.count`	long	resource stableNumber of related databases.	`1`
`related_entities.databases.ids`	array	resource stableIDs of the databases related to the vulnerability's affected entities.	`DATABASE-1`
`related_entities.databases.names`	array	resource stableNames of the databases related to the vulnerability's affected entities.	`prod_database_1`
`related_entities.hosts.count`	long	resource stableNumber of related hosts.	`1`
`related_entities.hosts.ids`	array	resource stableIDs of the hosts related to the vulnerability's affected entities.	`HOST-1`
`related_entities.hosts.names`	array	resource stableNames of the hosts related to the vulnerability's affected entities.	`prod_host_1`
`related_entities.kubernetes_clusters.count`	long	resource stableNumber of related Kubernetes clusters.	`1`
`related_entities.kubernetes_clusters.ids`	array	resource stableIDs of the Kubernetes clusters related to the vulnerability's affected entities.	`KUBERNETES_CLUSTER-1`
`related_entities.kubernetes_clusters.names`	array	resource stableNames of the Kubernetes clusters related to the vulnerability's affected entities.	`prod_kubernetes_cluster_1`
`related_entities.kubernetes_workloads.count`	long	resource stableNumber of related Kubernetes workloads.	`1`
`related_entities.kubernetes_workloads.ids`	array	resource stableIDs of the Kubernetes workloads related to the vulnerability's affected entities.	`KUBERNETES_WORKLOAD-1`
`related_entities.kubernetes_workloads.names`	array	resource stableNames of the Kubernetes workloads related to the vulnerability's affected entities.	`prod_kubernetes_workload_1`
`related_entities.services.count`	long	resource stableNumber of related services.	`1`
`related_entities.services.ids`	array	resource stableIDs of the services related to the vulnerability's affected entities.	`SERVICE-1`
`related_entities.services.names`	array	resource stableNames of the services related to the vulnerability's affected entities.	`prod_service_1`

Vulnerability change events

Vulnerability change events are change events at the vulnerability level. An event is generated whenever a vulnerability undergoes a status or assessment change.

Query

Query vulnerability status change events.

fetch security.events
| filter event.category == "VULNERABILITY_MANAGEMENT"
| filter event.type == "VULNERABILITY_STATUS_CHANGE_EVENT"

Query vulnerability assessment change events.

fetch security.events
| filter event.category == "VULNERABILITY_MANAGEMENT"
| filter event.type == "VULNERABILITY_ASSESSMENT_CHANGE_EVENT"

Vulnerability state event data fields

General event information.

Attribute	Type	Description	Examples
`event.category`	string	stableStandard categorization based on the significance of an event according to the ITIL event management standard (previously known as `severity level`).	`VULNERABILITY_MANAGEMENT`
`event.change_list`	array	resource stableList of attributes updated as part of the change event. Values in the list match a `previous` field.	`vulnerability.risk.score`; `affected_entities.count`; `related_entities.databases.count`
`event.description`	string	stableHuman-readable description of an event.	`S-49 Remote Code Execution status has changed to OPEN.`; `S-49 Remote Code Execution assessment has changed.`
`event.group_label`	string	experimentalGroup label of an event.	`CHANGE_EVENT`
`event.kind`	string	stableGives high-level information about what kind of information the event contains without being specific about the contents of the event. It helps to determine the record type of a raw event.Tags: `permission`	`SECURITY_EVENT`
`event.level`	string	resource stableMain reference point to which the event or data is related. Possible values are `Vulnerability` (shows the global aggregation across the entire environment and comprises all entities and management zones) and `Entity` (shows the assessment based on the entity itself).	`VULNERABILITY`
`event.name`	string	stableThe human readable display name of an event type.	`Vulnerability status change event`; `Vulnerability assessment change event`; `Vulnerability external ID change event`
`event.provider`	string	stableSource of the event, for example, the name of the component or system that generated the event.Tags: `permission`	`Dynatrace`
`event.provider_product`	string	resource stableName of the product providing this event.	`Runtime Vulnerability Analytics`; `Snyk Container`
`event.status`	string	stableStatus of an event as being either Active or Closed.	`OPEN`; `RESOLVED`; `MUTED`
`event.status_transition`	string	experimentalAn enum that shows the transition of the above event state.	`NEW_OPEN`; `REOPEN`; `CLOSE`; `MUTE`; `UNMUTE`
`event.trigger.type`	string	resource stableType of event trigger (for example, whether it was generated by the system, ingested via API, or triggered by the user).	`DT_PLATFORM`; `USER_ACTION`
`event.trigger.user`	string	resource stableID of the user who triggered the event. If generated by Dynatrace, the value is `SYSTEM`.	`SYSTEM`; `<user_id>`
`event.type`	string	stableThe unique type identifier of a given event.Tags: `permission`	`VULNERABILITY_STATUS_CHANGE_EVENT`; `VULNERABILITY_ASSESSMENT_CHANGE_EVENT`; `VULNERABILITY_EXTERNAL_ID_CHANGE_EVENT`
`timestamp`	timestamp	stableThe time (UNIX Epoch time in nanoseconds) when the event originated, typically when it was created by the source.	`1649822520123123123`

Vulnerability state vulnerability data fields

Information about the vulnerability and its status and assessment changes.

Attribute	Type	Description	Examples
`vulnerability.cvss.base_score`	double	stableVulnerability's CVSS base score provided by NVD.	`8.1`
`vulnerability.cvss.vector`	string	experimentalVulnerability's CVSS vector defined by the provider.	`CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:L/SI:L/SA:L`; `CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:L/A:H/E:P/RL:T/RC:U/CR:L/IR:M/AR:H`
`vulnerability.cvss.version`	string	stableVulnerability's CVSS score version.	`3.1`; `4.0`
`vulnerability.davis_assessment.assessment_mode`	string	stableAvailability of the information based on which the vulnerability assessment has been done.	`FULL`; `NOT_AVAILABLE`; `REDUCED`
`vulnerability.davis_assessment.assessment_mode_reasons`	string[]	experimentalReasons for the assessment mode.	`['LIMITED_BY_CONFIGURATION', 'LIMITED_AGENT_SUPPORT']`
`vulnerability.davis_assessment.data_assets_status`	string	stableVulnerability's reachability of related data assets by affected entities.	`NOT_AVAILABLE`; `NOT_DETECTED`; `REACHABLE`
`vulnerability.davis_assessment.exploit_status`	string	stableVulnerability's public exploits status.	`AVAILABLE`; `NOT_AVAILABLE`
`vulnerability.davis_assessment.exposure_status`	string	stableVulnerability's internet exposure status.	`NOT_AVAILABLE`; `NOT_DETECTED`; `PUBLIC_NETWORK`; `ADJACENT_NETWORK`
`vulnerability.davis_assessment.level`	string	stableVulnerability's risk level based on Davis Security Score.	`LOW`; `MEDIUM`; `HIGH`; `CRITICAL`; `NONE`
`vulnerability.davis_assessment.score`	double	stableVulnerability's Davis Security Score (1-10) calculated by Dynatrace.	`8.1`
`vulnerability.davis_assessment.vulnerable_function_status`	string	stableUsage status of the vulnerable functions causing the vulnerability.	`IN_USE`; `NOT_AVAILABLE`; `NOT_IN_USE`
`vulnerability.description`	string	stableDescription of the vulnerability.	`More detailed description about improper input validation vulnerability.`
`vulnerability.display_id`	string	stableDynatrace user-readable identifier for the vulnerability.	`S-1234`
`vulnerability.external_id`	string	stableExternal provider's unique identifier for the vulnerability.	`SNYK-JAVA-ORGAPACHEHTTPCOMPONENTS-30646`
`vulnerability.external_url`	string	stableExternal provider's URL to the details page of the vulnerability.	`https://example.com`
`vulnerability.first_seen`	timestamp	stableTimestamp of when the vulnerability was first detected.	`2023-03-22T13:19:36.945Z`
`vulnerability.id`	string	stableDynatrace unique identifier for the vulnerability.	`2039861408676243188`
`vulnerability.is_fix_available`	boolean	experimentalIndicates if a vulnerability fix is available.
`vulnerability.mute.change_date`	timestamp	stableTimestamp of the vulnerability's last muted or unmuted action.	`2023-03-22T13:19:36.945Z`
`vulnerability.mute.reason`	string	stableReason for muting or unmuting the vulnerability.	`FALSE_POSITIVE`; `IGNORE`; `AFFECTED`; `CONFIGURATION_NOT_AFFECTED`; `OTHER`
`vulnerability.mute.status`	string	stableVulnerability's mute status.	`MUTED`; `NOT_MUTED`
`vulnerability.mute.user`	string	stableUser who last changed the vulnerability's mute status.	`user@example.com`
`vulnerability.previous.cvss.base_score`	double	stableVulnerability's previous CVSS base score (in case the CVSS base score has changed).	`8.1`
`vulnerability.previous.cvss.vector`	string	experimentalVulnerability's previous CVSS vector defined by the provider (in case the CVSS vector has changed).	`CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:L/SI:L/SA:L`; `CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:L/A:H/E:P/RL:T/RC:U/CR:L/IR:M/AR:H`
`vulnerability.previous.davis_assessment.data_assets_status`	string	stableVulnerability's previous reachability of related data assets by affected entities (in case the reachability has changed).	`NOT_AVAILABLE`; `NOT_DETECTED`; `REACHABLE`
`vulnerability.previous.davis_assessment.exploit_status`	string	stableVulnerability's previous public exploit status (in case the public exploit status has changed).	`AVAILABLE`; `NOT_AVAILABLE`
`vulnerability.previous.davis_assessment.exposure_status`	string	stableVulnerability's previous internet exposure status (in case the internet exposure status has changed).	`NOT_AVAILABLE`; `NOT_DETECTED`; `PUBLIC_NETWORK`; `ADJACENT_NETWORK`
`vulnerability.previous.davis_assessment.level`	string	stableVulnerability's previous risk level (in case the risk level has changed).	`LOW`; `MEDIUM`; `HIGH`; `CRITICAL`; `NONE`
`vulnerability.previous.davis_assessment.score`	double	stableVulnerability's previous Davis Security Score (in case Davis Security Score has changed).	`8.1`
`vulnerability.previous.davis_assessment.vulnerable_function_status`	string	stableVulnerability's previous vulnerable function status (in case the vulnerable function status has changed).	`IN_USE`; `NOT_AVAILABLE`; `NOT_IN_USE`
`vulnerability.previous.mute.change_date`	string	stableTimestamp of the vulnerability's previous mute status (in case the mute status has changed).	`2023-03-22T13:19:36.945Z`
`vulnerability.previous.mute.reason`	string	stableReason for last muting or unmuting the vulnerability (in case the reason for muting or unmuting the vulnerability has changed).	`Muted: False positive`
`vulnerability.previous.mute.status`	string	stableVulnerability's previous mute status (in case the mute status has changed).	`MUTED`; `NOT_MUTED`
`vulnerability.previous.mute.user`	string	stableUser who last changed the vulnerability's mute status (in case the mute status was last changed by a different user).	`user@example.com`
`vulnerability.previous.resolution.status`	string	stableVulnerability's previous resolution status (in case the resolution status has changed).	`OPEN`; `RESOLVED`
`vulnerability.previous.risk.level`	string	stableVulnerability's previous risk score level (in case the risk score level has changed).	`LOW`; `MEDIUM`; `HIGH`; `CRITICAL`
`vulnerability.previous.risk.score`	double	stableVulnerability's previous risk score (in case the risk score has changed).	`8.1`
`vulnerability.references.cve`	string[]	stableList of the vulnerability's CVE IDs.	`['CVE-2021-41079']`
`vulnerability.references.cwe`	string[]	stableList of the vulnerability's CWE IDs.	`['CWE-20']`
`vulnerability.references.owasp`	string[]	stableList of vulnerability's OWASP IDs.	`['2021:A3']`
`vulnerability.remediation.description`	string	experimentalDescription of the vulnerability's remediation advice.	`Upgrade component to version 1.2.3 or higher`
`vulnerability.resolution.change_date`	timestamp	stableTimestamp of the vulnerability's last resolution status change.	`2023-03-22T13:19:37.466Z`
`vulnerability.resolution.status`	string	stableVulnerability's resolution status.	`OPEN`; `RESOLVED`
`vulnerability.risk.level`	string	stableVulnerability's risk score level defined by the provider. For Dynatrace, the Davis Security Score level.	`LOW`; `MEDIUM`; `HIGH`; `CRITICAL`; `NONE`
`vulnerability.risk.scale`	string	stableScale by which the vulnerability's risk score and risk score level defined by the provider are measured.	`Davis Security Score`
`vulnerability.risk.score`	double	stableVulnerability's risk score defined by the provider. For Dynatrace, Davis Security Score.	`8.1`
`vulnerability.stack`	string	experimentalLevel of the vulnerable component in the technological stack.	`CODE`; `CODE_LIBRARY`; `SOFTWARE`; `CONTAINER_ORCHESTRATION`
`vulnerability.technology`	string	stableTechnology of the vulnerable component.	`JAVA`; `DOTNET`; `GO`; `PHP`; `NODE_JS`
`vulnerability.title`	string	stableTitle of the vulnerability.	`Improper Input Validation`
`vulnerability.type`	string	stableClassification of the vulnerability based on commonly accepted enums, such as CWE.	`Improper Input Validation`
`vulnerability.url`	string	stableDynatrace URL to the details page of the vulnerability. \|	`https://example.com`

Vulnerability change: Environmental data

Vulnerability change affected entity fields

Information on changes regarding vulnerability's affected entities.

Attribute	Type	Description	Examples
`affected_entities.count`	long	resource stableNumber of affected entities.	`1`
`affected_entities.hosts.count`	long	resource stableNumber of affected hosts.	`2`
`affected_entities.kubernetes_nodes.count`	long	resource stableNumber of affected nodes.	`2`
`affected_entities.previous.count`	long	resource deprecatedNumber of affected entities before the last change event.	`1`
`affected_entities.previous.hosts.count`	long	resource deprecatedNumber of affected hosts before the last change event.	`5`
`affected_entities.previous.kubernetes_nodes.count`	long	resource deprecatedNumber of affected Kubernetes nodes before the last change event.	`5`
`affected_entities.previous.process_groups.count`	long	resource deprecatedNumber of affected process groups before the last change event.	`2`
`affected_entities.process_groups.count`	long	resource stableNumber of affected process groups.	`2`
`affected_entities.types`	array	resource stableTypes of affected entities.	`PROCESS_GROUP`; `HOST`; `KUBERNETES_NODE`

Information on changes regarding vulnerability's related entities.

Attribute	Type	Description	Examples
`related_entities.applications.count`	long	resource stableNumber of related applications.	`1`
`related_entities.databases.count`	long	resource stableNumber of related databases.	`1`
`related_entities.hosts.count`	long	resource stableNumber of related hosts.	`1`
`related_entities.kubernetes_clusters.count`	long	resource stableNumber of related Kubernetes clusters.	`1`
`related_entities.kubernetes_workloads.count`	long	resource stableNumber of related Kubernetes workloads.	`1`
`related_entities.previous.databases.count`	long	resource deprecatedNumber of related databases before the last change event.	`1`
`related_entities.services.count`	long	resource stableNumber of related services.	`1`

Vulnerability state events

Vulnerability state events are historical states at the vulnerability level. The current vulnerability state is exported to Grail regularly.

Query

Query vulnerability state events.

fetch security.events
| filter event.category == "VULNERABILITY_MANAGEMENT"
| filter event.type == "VULNERABILITY_STATE_REPORT_EVENT"
| filter event.level == "VULNERABILITY"

Vulnerability state event data fields

General event information.

Attribute	Type	Description	Examples
`event.category`	string	stableCategorization based on the product and data generating this event.	`VULNERABILITY_MANAGEMENT`
`event.description`	string	stableHuman-readable description of an event.	`S-49 Remote Code Execution state event reported`
`event.group_label`	string	experimentalGroup label of an event.	`STATE_REPORT`
`event.kind`	string	stableGives high-level information about what kind of information the event contains without being specific about the contents of the event. It helps to determine the record type of a raw event.Tags: `permission`	`SECURITY_EVENT`
`event.level`	string	resource stableMain reference point to which the event or data is related. Possible values are `Vulnerability` (shows the global aggregation across the entire environment and comprises all entities and management zones) and `Entity` (shows the assessment based on the entity itself).	`VULNERABILITY`
`event.name`	string	stableThe human readable display name of an event type.	`Vulnerability historical state report event`
`event.provider`	string	stableSource of the event, for example, the name of the component or system that generated the event.Tags: `permission`	`Dynatrace`; `Snyk`
`event.provider_product`	string	resource stableName of the product providing this event.	`Runtime Vulnerability Analytics`; `Snyk Container`
`event.status`	string	stableStatus of an event as being either Active or Closed.	`OPEN`; `RESOLVED`; `MUTED`
`event.type`	string	stableThe unique type identifier of a given event.Tags: `permission`	`VULNERABILITY_STATE_REPORT_EVENT`
`timestamp`	timestamp	stableThe time (UNIX Epoch time in nanoseconds) when the event originated, typically when it was created by the source.	`1649822520123123123`

Vulnerability state vulnerability data fields

Information about the vulnerability.

Attribute	Type	Description	Examples
`vulnerability.code_location.name`	string	stableName of the code location where the code-level vulnerability was detected.	`org.dynatrace.profileservice.BioController.markdownToHtml(String):80`
`vulnerability.cvss.base_score`	double	stableVulnerability's CVSS base score provided by NVD.	`8.1`
`vulnerability.cvss.vector`	string	experimentalVulnerability's CVSS vector defined by the provider.	`CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:L/SI:L/SA:L`; `CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:L/A:H/E:P/RL:T/RC:U/CR:L/IR:M/AR:H`
`vulnerability.cvss.version`	string	stableVulnerability's CVSS score version.	`3.1`; `4.0`
`vulnerability.davis_assessment.assessment_mode`	string	stableAvailability of the information based on which the vulnerability assessment has been done.	`FULL`; `NOT_AVAILABLE`; `REDUCED`
`vulnerability.davis_assessment.assessment_mode_reasons`	string[]	experimentalReasons for the assessment mode.	`['LIMITED_BY_CONFIGURATION', 'LIMITED_AGENT_SUPPORT']`
`vulnerability.davis_assessment.data_assets_status`	string	stableVulnerability's reachability of related data assets by affected entities.	`NOT_AVAILABLE`; `NOT_DETECTED`; `REACHABLE`
`vulnerability.davis_assessment.exploit_status`	string	stableVulnerability's public exploits status.	`AVAILABLE`; `NOT_AVAILABLE`
`vulnerability.davis_assessment.exposure_status`	string	stableVulnerability's internet exposure status.	`NOT_AVAILABLE`; `NOT_DETECTED`; `PUBLIC_NETWORK`; `ADJACENT_NETWORK`
`vulnerability.davis_assessment.level`	string	stableVulnerability's risk level based on Davis Security Score.	`LOW`; `MEDIUM`; `HIGH`; `CRITICAL`; `NONE`
`vulnerability.davis_assessment.score`	double	stableVulnerability's Davis Security Score (1-10) calculated by Dynatrace.	`8.1`
`vulnerability.davis_assessment.vector`	string	experimentalVulnerability's CVSS vector, adjusted with observability data; this vector is calculated by Dynatrace.	`CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:L/SI:L/SA:L`; `CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:L/A:H/E:P/RL:T/RC:U/CR:L/IR:M/AR:H`
`vulnerability.davis_assessment.vulnerable_function_status`	string	stableUsage status of the vulnerable functions causing the vulnerability.	`IN_USE`; `NOT_AVAILABLE`; `NOT_IN_USE`
`vulnerability.description`	string	stableDescription of the vulnerability.	`More detailed description about improper input validation vulnerability.`
`vulnerability.display_id`	string	stableDynatrace user-readable identifier for the vulnerability.	`S-1234`
`vulnerability.external_id`	string	stableExternal provider's unique identifier for the vulnerability.	`SNYK-JAVA-ORGAPACHEHTTPCOMPONENTS-30646`
`vulnerability.external_url`	string	stableExternal provider's URL to the details page of the vulnerability.	`https://example.com`
`vulnerability.first_seen`	timestamp	stableTimestamp of when the vulnerability was first detected.	`2023-03-22T13:19:36.945Z`
`vulnerability.id`	string	stableDynatrace unique identifier for the vulnerability.	`2039861408676243188`
`vulnerability.is_fix_available`	boolean	experimentalIndicates if a vulnerability fix is available.
`vulnerability.mute.change_date`	timestamp	stableTimestamp of the vulnerability's last muted or unmuted action.	`2023-03-22T13:19:36.945Z`
`vulnerability.mute.reason`	string	stableReason for muting or unmuting the vulnerability.	`FALSE_POSITIVE`; `IGNORE`; `AFFECTED`; `CONFIGURATION_NOT_AFFECTED`; `OTHER`
`vulnerability.mute.status`	string	stableVulnerability's mute status.	`MUTED`; `NOT_MUTED`
`vulnerability.mute.user`	string	stableUser who last changed the vulnerability's mute status.	`user@example.com`
`vulnerability.references.cve`	string[]	stableList of the vulnerability's CVE IDs.	`['CVE-2021-41079']`
`vulnerability.references.cwe`	string[]	stableList of the vulnerability's CWE IDs.	`['CWE-20']`
`vulnerability.references.owasp`	string[]	stableList of vulnerability's OWASP IDs.	`['2021:A3']`
`vulnerability.remediation.description`	string	experimentalDescription of the vulnerability's remediation advice.	`Upgrade component to version 1.2.3 or higher`
`vulnerability.resolution.change_date`	timestamp	stableTimestamp of the vulnerability's last resolution status change.	`2023-03-22T13:19:37.466Z`
`vulnerability.resolution.status`	string	stableVulnerability's resolution status.	`OPEN`; `RESOLVED`
`vulnerability.risk.level`	string	stableVulnerability's risk score level defined by the provider. For Dynatrace, the Davis Security Score level.	`LOW`; `MEDIUM`; `HIGH`; `CRITICAL`; `NONE`
`vulnerability.risk.scale`	string	stableScale by which the vulnerability's risk score and risk score level defined by the provider are measured.	`Davis Security Score`
`vulnerability.risk.score`	double	stableVulnerability's risk score defined by the provider. For Dynatrace, Davis Security Score.	`8.1`
`vulnerability.stack`	string	experimentalLevel of the vulnerable component in the technological stack.	`CODE`; `CODE_LIBRARY`; `SOFTWARE`; `CONTAINER_ORCHESTRATION`
`vulnerability.technology`	string	stableTechnology of the vulnerable component.	`JAVA`; `DOTNET`; `GO`; `PHP`; `NODE_JS`
`vulnerability.title`	string	stableTitle of the vulnerability.	`Improper Input Validation`
`vulnerability.type`	string	stableClassification of the vulnerability based on commonly accepted enums, such as CWE.	`Improper Input Validation`
`vulnerability.url`	string	stableDynatrace URL to the details page of the vulnerability. \|	`https://example.com`

Vulnerability state: environmental data

This section contains information on the vulnerability's affected and related entities.

Vulnerability state affected entity fields

Attribute	Type	Description	Examples
`affected_entities.affected_processes.count`	long	resource stableNumber of affected processes.	`50`
`affected_entities.count`	long	resource stableNumber of affected entities.	`1`
`affected_entities.hosts.count`	long	resource stableNumber of affected hosts.	`2`
`affected_entities.kubernetes_nodes.count`	long	resource stableNumber of affected nodes.	`2`
`affected_entities.management_zones.ids`	array	resource stableIDs of the management zones to which the affected entities belong.	`mzid1`
`affected_entities.management_zones.names`	array	resource stableNames of the management zones to which the affected entities belong.	`mz1`
`affected_entities.monitored_processes.count`	long	resource stableNumber of processes of the process group.	`100`
`affected_entities.process_groups.count`	long	resource stableNumber of affected process groups.	`2`
`affected_entities.types`	array	resource stableTypes of affected entities.	`PROCESS_GROUP`; `HOST`; `KUBERNETES_NODE`
`affected_entities.vulnerable_components.ids`	array	resource stableDynatrace IDs of the vulnerable components causing the vulnerability.	`SOFTWARE_COMPONENT-0000000000000001`; `SOFTWARE_COMPONENT-0000000000000002`; `SOFTWARE_COMPONENT-0000000000000003`
`affected_entities.vulnerable_components.names`	array	resource stableNames of the vulnerable components causing the vulnerability. \|	`com.fasterxml.jackson.core:jackson-databind:2.10.0`; `node-sass:4.14.1`
`affected_entities.vulnerable_functions`	array	resource stableVulnerable functions detected, containing or causing the vulnerability.	`org.springframework.beans.CachedIntrospectionResults:init`; `java.lang.ProcessBuilder.<init>(String[])`; `(*DB).queryDC() (/usr/local/go/src/database/sql/sql.go)`

Attribute	Type	Description	Examples
`related_entities.applications.count`	long	resource stableNumber of related applications.	`1`
`related_entities.databases.count`	long	resource stableNumber of related databases.	`1`
`related_entities.hosts.count`	long	resource stableNumber of related hosts.	`1`
`related_entities.kubernetes_clusters.count`	long	resource stableNumber of related Kubernetes clusters.	`1`
`related_entities.kubernetes_workloads.count`	long	resource stableNumber of related Kubernetes workloads.	`1`
`related_entities.services.count`	long	resource stableNumber of related services.	`1`

Security events

Compliance finding events

Compliance finding events event data fields

Compliance finding events finding data fields

Compliance finding events scan data fields

Compliance finding events rule data fields

Compliance finding events standard data fields

Compliance finding events result fields

Compliance scan completed events

Compliance scan completed events metadata fields

Compliance scan completed events scan info fields

Detection finding events

Detection finding event fields

Optional detection finding event fields

Detection finding events technical fields

Entity change events

Query

Entity change events event data

Entity change events vulnerability data

Entity change events: environmental data

Affected entity

Related entities fields

Entity state events

Query

Entity state event data

Entity state vulnerability data

Entity state: environmental data

Entity state affected entity fields

Entity state related entity fields

Vulnerability change events

Query

Vulnerability state event data fields

Vulnerability state vulnerability data fields

Vulnerability change: Environmental data

Vulnerability change affected entity fields

Vulnerability change related entity fields

Vulnerability state events

Query

Vulnerability state event data fields

Vulnerability state vulnerability data fields

Vulnerability state: environmental data

Vulnerability state affected entity fields

Vulnerability state related entity fields