https://community.dynatrace.com/t5/DQL/DQL-behind-the-ThirdParty-Vulnerability-app/m-p/263170#M1461 <P>Hello&nbsp;<a href="https://community.dynatrace.com/t5/user/viewprofilepage/user-id/63301">@ANLTH</a>,<BR /><BR />Here is an answer I got from the Application Security team:</P> <DIV class="p-rich_text_section">"Unfortunately we are not writing ownership info to vulnerability state reports, the underlying data for Vulnerability dashboards in 3rd gen. The workaround is to 1) query affected entities 2) add a lookup query to fetch ownership info for the affected PGs. Here’s an example:"</DIV> <DIV class="p-rich_text_block--no-overflow"><BR /><LI-CODE lang="javascript">fetch events | filter dt.system.bucket=="default_security_events" | filter event.provider=="Dynatrace" | filter event.type=="VULNERABILITY_STATE_REPORT_EVENT" | filter event.level=="ENTITY" | sort timestamp, direction:"descending" | summarize { vulnerability.resolution.status = takeFirst(vulnerability.resolution.status), affected_entity.management_zones.names = takeFirst(affected_entity.management_zones.names), affected_entity.vulnerable_component.name = takeFirst(affected_entity.vulnerable_component.name), affected_entity.name = takeFirst(affected_entity.name), vulnerability.parent.mute.status = takeFirst(vulnerability.parent.mute.status), vulnerability.parent.resolution.status = takeFirst(vulnerability.parent.resolution.status), vulnerability.stack = takeFirst(vulnerability.stack), vulnerability.parent.risk.level = takeFirst(vulnerability.parent.risk.level) }, by: { vulnerability.id, affected_entity.id } | filter vulnerability.parent.resolution.status == "OPEN" AND vulnerability.parent.mute.status == "NOT_MUTED" | filter in(vulnerability.stack,{"CODE","CODE_LIBRARY","SOFTWARE","CONTAINER_ORCHESTRATION"}) | filter in(vulnerability.parent.risk.level,{"CRITICAL","HIGH","MEDIUM","LOW","NONE"}) | filter vulnerability.resolution.status=="OPEN" //add ownership information | lookup [ fetch dt.entity.process_group | fieldsAdd tags | parse toString(tags), "LD ('owner:'|'owner\\\\:') (SPACE)? LD:Team ('\"')" | fieldsRemove tags ], sourceField:affected_entity.id, lookupField:id, fields:{Team} // end of adding ownership info​</LI-CODE></DIV> <P>&nbsp;</P> Thu, 21 Nov 2024 10:43:16 GMT MaciejNeumann 2024-11-21T10:43:16Z https://community.dynatrace.com/t5/DQL/DQL-behind-the-ThirdParty-Vulnerability-app/m-p/248317#M982 <P>I am woriking on understanding how we shall use ownership in Dynatrace in relation to Applicaiton Security.</P> <P>I have added the Owner tag to some processes that has vulnerabilites, and I am able to filter by the tag and get the relevant vulnerabilites - the app is not able to derive the DQL behind the request and open it with a Notebook or Dashboard.</P> <P>How does the DQL behind the request look like?</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ANLTH_0-1718355215364.png" style="width: 400px;"><img src="https://community.dynatrace.com/t5/image/serverpage/image-id/20545i4EE4DB34BD578AD8/image-size/medium?v=v2&amp;px=400" role="button" title="ANLTH_0-1718355215364.png" alt="ANLTH_0-1718355215364.png" /></span></P> <P>&nbsp;</P> Mon, 17 Jun 2024 06:31:33 GMT https://community.dynatrace.com/t5/DQL/DQL-behind-the-ThirdParty-Vulnerability-app/m-p/248317#M982 ANLTH 2024-06-17T06:31:33Z https://community.dynatrace.com/t5/DQL/DQL-behind-the-ThirdParty-Vulnerability-app/m-p/263170#M1461 <P>Hello&nbsp;<a href="https://community.dynatrace.com/t5/user/viewprofilepage/user-id/63301">@ANLTH</a>,<BR /><BR />Here is an answer I got from the Application Security team:</P> <DIV class="p-rich_text_section">"Unfortunately we are not writing ownership info to vulnerability state reports, the underlying data for Vulnerability dashboards in 3rd gen. The workaround is to 1) query affected entities 2) add a lookup query to fetch ownership info for the affected PGs. Here’s an example:"</DIV> <DIV class="p-rich_text_block--no-overflow"><BR /><LI-CODE lang="javascript">fetch events | filter dt.system.bucket=="default_security_events" | filter event.provider=="Dynatrace" | filter event.type=="VULNERABILITY_STATE_REPORT_EVENT" | filter event.level=="ENTITY" | sort timestamp, direction:"descending" | summarize { vulnerability.resolution.status = takeFirst(vulnerability.resolution.status), affected_entity.management_zones.names = takeFirst(affected_entity.management_zones.names), affected_entity.vulnerable_component.name = takeFirst(affected_entity.vulnerable_component.name), affected_entity.name = takeFirst(affected_entity.name), vulnerability.parent.mute.status = takeFirst(vulnerability.parent.mute.status), vulnerability.parent.resolution.status = takeFirst(vulnerability.parent.resolution.status), vulnerability.stack = takeFirst(vulnerability.stack), vulnerability.parent.risk.level = takeFirst(vulnerability.parent.risk.level) }, by: { vulnerability.id, affected_entity.id } | filter vulnerability.parent.resolution.status == "OPEN" AND vulnerability.parent.mute.status == "NOT_MUTED" | filter in(vulnerability.stack,{"CODE","CODE_LIBRARY","SOFTWARE","CONTAINER_ORCHESTRATION"}) | filter in(vulnerability.parent.risk.level,{"CRITICAL","HIGH","MEDIUM","LOW","NONE"}) | filter vulnerability.resolution.status=="OPEN" //add ownership information | lookup [ fetch dt.entity.process_group | fieldsAdd tags | parse toString(tags), "LD ('owner:'|'owner\\\\:') (SPACE)? LD:Team ('\"')" | fieldsRemove tags ], sourceField:affected_entity.id, lookupField:id, fields:{Team} // end of adding ownership info​</LI-CODE></DIV> <P>&nbsp;</P> Thu, 21 Nov 2024 10:43:16 GMT https://community.dynatrace.com/t5/DQL/DQL-behind-the-ThirdParty-Vulnerability-app/m-p/263170#M1461 MaciejNeumann 2024-11-21T10:43:16Z