https://community.dynatrace.com/t5/DQL/DQL-to-pull-vulnerabilities-for-each-host/m-p/239726#M723 <P><a href="https://community.dynatrace.com/t5/user/viewprofilepage/user-id/40713">@PacoPorro</a>&nbsp;my bad.. i got it. Thanks a lot for providing dql.</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="tijust1_1-1710318881890.png" style="width: 999px;"><img src="https://community.dynatrace.com/t5/image/serverpage/image-id/18250i36FFEAA83E9ED746/image-size/large?v=v2&amp;px=999" role="button" title="tijust1_1-1710318881890.png" alt="tijust1_1-1710318881890.png" /></span></P><P>&nbsp;</P> Wed, 13 Mar 2024 08:33:21 GMT sujit_k_singh 2024-03-13T08:33:21Z https://community.dynatrace.com/t5/DQL/DQL-to-pull-vulnerabilities-for-each-host/m-p/239697#M720 <P>Hi,</P><P><SPAN>Do we have DQL functionality available to pull vulnerabilities for each host?</SPAN></P><P><SPAN>Let me know if anyone has done it. I am looking for a DQL query to fetch vulnerabilities for each host along with other details.</SPAN></P><P><SPAN>Thanks,</SPAN></P><P><SPAN>Tijust1</SPAN></P> Wed, 13 Mar 2024 05:15:24 GMT https://community.dynatrace.com/t5/DQL/DQL-to-pull-vulnerabilities-for-each-host/m-p/239697#M720 sujit_k_singh 2024-03-13T05:15:24Z https://community.dynatrace.com/t5/DQL/DQL-to-pull-vulnerabilities-for-each-host/m-p/239702#M721 <LI-CODE lang="php">fetch events | filter event.kind == "SECURITY_EVENT" | filter event.category == "VULNERABILITY_MANAGEMENT" | filter event.type == "VULNERABILITY_STATE_REPORT_EVENT" | filter event.level == "ENTITY" | fieldsAdd vulnerability.id, vulnerability.external_url, vulnerability.external_id, vulnerability.references.owasp, vulnerability.url, vulnerability.display_id, vulnerability.description, vulnerability.references.cve, vulnerability.title, related_entities.services.ids, vulnerability.parent.davis_assessment.exposure_status, vulnerability.davis_assessment.exploit_status, vulnerability.davis_assessment.exposure_status, affected_entities.vulnerable_components.ids, vulnerability.stack, related_entities.databases.ids, vulnerability.parent.davis_assessment.score, vulnerability.technology, vulnerability.references.cwe, related_entities.hosts.ids | expand related_entities.hosts.ids | lookup [ fetch dt.entity.host | fieldsAdd entity.name ], sourceField:related_entities.hosts.ids, lookupField:id, prefix:"host."</LI-CODE> Wed, 13 Mar 2024 07:26:46 GMT https://community.dynatrace.com/t5/DQL/DQL-to-pull-vulnerabilities-for-each-host/m-p/239702#M721 PacoPorro 2024-03-13T07:26:46Z https://community.dynatrace.com/t5/DQL/DQL-to-pull-vulnerabilities-for-each-host/m-p/239723#M722 <P><a href="https://community.dynatrace.com/t5/user/viewprofilepage/user-id/40713">@PacoPorro</a>&nbsp;Thanks for quick response. is there way to get in table format as I am getting result like belo</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="tijust1_0-1710318561693.png" style="width: 999px;"><img src="https://community.dynatrace.com/t5/image/serverpage/image-id/18249i1B1C11817BC2FA53/image-size/large?v=v2&amp;px=999" role="button" title="tijust1_0-1710318561693.png" alt="tijust1_0-1710318561693.png" /></span></P><P>&nbsp;</P> Wed, 13 Mar 2024 08:28:14 GMT https://community.dynatrace.com/t5/DQL/DQL-to-pull-vulnerabilities-for-each-host/m-p/239723#M722 sujit_k_singh 2024-03-13T08:28:14Z https://community.dynatrace.com/t5/DQL/DQL-to-pull-vulnerabilities-for-each-host/m-p/239726#M723 <P><a href="https://community.dynatrace.com/t5/user/viewprofilepage/user-id/40713">@PacoPorro</a>&nbsp;my bad.. i got it. Thanks a lot for providing dql.</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="tijust1_1-1710318881890.png" style="width: 999px;"><img src="https://community.dynatrace.com/t5/image/serverpage/image-id/18250i36FFEAA83E9ED746/image-size/large?v=v2&amp;px=999" role="button" title="tijust1_1-1710318881890.png" alt="tijust1_1-1710318881890.png" /></span></P><P>&nbsp;</P> Wed, 13 Mar 2024 08:33:21 GMT https://community.dynatrace.com/t5/DQL/DQL-to-pull-vulnerabilities-for-each-host/m-p/239726#M723 sujit_k_singh 2024-03-13T08:33:21Z https://community.dynatrace.com/t5/DQL/DQL-to-pull-vulnerabilities-for-each-host/m-p/239730#M724 <P><a href="https://community.dynatrace.com/t5/user/viewprofilepage/user-id/40713">@PacoPorro</a>&nbsp;is there way to get details for only one MZ. I mean if there is any filter option to choose certain MZ.</P> Wed, 13 Mar 2024 08:54:39 GMT https://community.dynatrace.com/t5/DQL/DQL-to-pull-vulnerabilities-for-each-host/m-p/239730#M724 sujit_k_singh 2024-03-13T08:54:39Z https://community.dynatrace.com/t5/DQL/DQL-to-pull-vulnerabilities-for-each-host/m-p/239734#M725 <P><a href="https://community.dynatrace.com/t5/user/viewprofilepage/user-id/67382">@sujit_k_singh</a>&nbsp;</P><P>the above mentioned query will show you a lot of duplicates, as it shows you all the events from all snapshots, whereas you probably only want the most recent information.</P><P>for that you'd need a query similar to the one explained here: <A href="https://docs.dynatrace.com/docs/platform-modules/application-security/security-data-on-grail/examples#vulnerabilities-per-host" target="_blank" rel="noopener">https://docs.dynatrace.com/docs/platform-modules/application-security/security-data-on-grail/examples#vulnerabilities-per-host</A></P><P>slightly adjusted and adding the host information in the final table could e.g. look like this (changes in <STRONG>bold</STRONG>) :<STRONG><BR /></STRONG></P><PRE>fetch events<BR />| filter dt.system.bucket=="default_security_events"<BR />| filter event.provider=="Dynatrace"<BR />| filter event.type=="VULNERABILITY_STATE_REPORT_EVENT"<BR />| filter event.level=="ENTITY"<BR />// get latest snapshot<BR />| sort timestamp, direction:"descending"<BR />| summarize {<BR />vulnerability.parent.first_seen=takeFirst(vulnerability.parent.first_seen),<BR />vulnerability.resolution.status=takeFirst(vulnerability.resolution.status),<BR />vulnerability.mute.status=takeFirst(vulnerability.mute.status),<BR />vulnerability.parent.resolution.status=takeFirst(vulnerability.parent.resolution.status),<BR />vulnerability.parent.resolution.change_date=takeFirst(vulnerability.parent.resolution.change_date),<BR />vulnerability.parent.mute.status=takeFirst(vulnerability.parent.mute.status),<BR />vulnerability.parent.risk.score=takeFirst(vulnerability.parent.risk.score),<BR />vulnerability.risk.score=takeFirst(vulnerability.risk.score),<BR />vulnerability.parent.risk.level=takeFirst(vulnerability.parent.risk.level),<BR />vulnerability.risk.level=takeFirst(vulnerability.risk.level),<BR />vulnerability.stack=takeFirst(vulnerability.stack),<BR />vulnerability.type=takeFirst(vulnerability.type),<BR />vulnerability.external_id=takeFirst(vulnerability.external_id),<BR />vulnerability.references.cve=takeFirst(vulnerability.references.cve),<BR />vulnerability.technology=takeFirst(vulnerability.technology),<BR />vulnerability.resolution.change_date=takeFirst(vulnerability.resolution.change_date),<BR />vulnerability.mute.change_date=takeFirst(vulnerability.mute.change_date),<BR />vulnerability.title=takeFirst(vulnerability.title),<BR />vulnerability.davis_assessment.exposure_status=takeFirst(vulnerability.davis_assessment.exposure_status),<BR />vulnerability.davis_assessment.exploit_status=takeFirst(vulnerability.davis_assessment.exploit_status),<BR />vulnerability.davis_assessment.vulnerable_function_status=takeFirst(vulnerability.davis_assessment.vulnerable_function_status),<BR />vulnerability.davis_assessment.data_assets_status=takeFirst(vulnerability.davis_assessment.data_assets_status),<BR />affected_entity.vulnerable_component.name=takeFirst(affected_entity.vulnerable_component.name),<BR />affected_entity.management_zones.names=takeFirst(affected_entity.management_zones.names),<BR />affected_entity.name=takeFirst(affected_entity.name),<BR />related_entities.hosts.names=takeFirst(related_entities.hosts.names),<BR />related_entities.kubernetes_workloads.names=takeFirst(related_entities.kubernetes_workloads.names),<BR />related_entities.kubernetes_clusters.names=takeFirst(related_entities.kubernetes_clusters.names),<BR />related_entities.databases.count=takeFirst(related_entities.databases.count),<BR />timestamp=takeFirst(timestamp)<BR />}, by: {vulnerability.display_id, affected_entity.id}<BR />// end of get latest snapshot<BR /><STRONG>//| filter iAny(in("i-05f1305a50721e04d",related_entities.hosts.names[])) OR affected_entity.name=="i-05f1305a50721e04d" // filter by name of the related/affected host</STRONG><BR />// now summarize on the vulnerability level<BR />| summarize{<BR />vulnerability.parent.first_seen=takeFirst(vulnerability.parent.first_seen),<BR />vulnerability.parent.resolution.status=takeFirst(vulnerability.parent.resolution.status),<BR />vulnerability.parent.resolution.change_date=takeFirst(vulnerability.parent.resolution.change_date),<BR />vulnerability.parent.mute.status=takeFirst(vulnerability.parent.mute.status),<BR />vulnerability.title=takeFirst(vulnerability.title),<BR />vulnerability.references.cve=takeFirst(vulnerability.references.cve),<BR /><STRONG>related_entities.hosts.names=takeFirst(related_entities.hosts.names),</STRONG><BR />affected_entity.vulnerable_component.names=collectDistinct(affected_entity.vulnerable_component.name),<BR />Critical=countIf(vulnerability.risk.level=="CRITICAL"),<BR />High=countIf(vulnerability.risk.level=="HIGH"),<BR />Medium=countIf(vulnerability.risk.level=="MEDIUM"),<BR />Low=countIf(vulnerability.risk.level=="LOW"),<BR />vulnerability.risk.score=round(takeMax(vulnerability.risk.score),decimals:1),<BR />`Affected entities`=arraySize(collectDistinct(affected_entity.id)),<BR />`# Non-muted entities`=countIf(vulnerability.mute.status=="NOT_MUTED"),<BR />`# Afftected entities`=countIf(vulnerability.resolution.status=="OPEN"),<BR />`# Function in use`=countIf(vulnerability.davis_assessment.vulnerable_function_status=="IN_USE"),<BR />`# Exposure to internet`=countIf(vulnerability.davis_assessment.exposure_status=="PUBLIC_NETWORK"),<BR />`# Exploit published`=countIf(vulnerability.davis_assessment.exploit_status=="AVAILABLE"),<BR />`# Reachable databases`=countIf(vulnerability.davis_assessment.data_assets_status=="REACHABLE")<BR />}, by: {vulnerability.display_id}<BR />| fieldsAdd vulnerability.risk.level=if(Critical&gt;0,"CRITICAL",<BR />else:if(High&gt;0,"HIGH",<BR />else:if(Medium&gt;0,"MEDIUM",<BR />else:"LOW")))<BR />| fields<BR />vulnerability.display_id,<BR /><STRONG>related_entities.hosts.names,</STRONG><BR />vulnerability.risk.level,<BR />vulnerability.risk.score,<BR />vulnerability.title,<BR />vulnerability.references.cve,<BR />vulnerability.parent.resolution.status,<BR />vulnerability.parent.mute.status,<BR />vulnerability.parent.first_seen,<BR />status_sort=if(vulnerability.parent.resolution.status=="RESOLVED",3,else:if( vulnerability.parent.mute.status=="MUTED" OR `# Non-muted entities`==0,2,else:1)),<BR />`# Function in use`,<BR />`# Afftected entities`,<BR />`# Exposure to internet`,<BR />`# Exploit published`,<BR />`# Reachable databases`<BR />| sort status_sort, {vulnerability.risk.score, direction:"descending"}, {`# Function in use`, direction:"descending"},<BR />{`# Exposure to internet`, direction:"descending"}, {`# Exploit published`, direction:"descending"},<BR />{`# Reachable databases`, direction:"descending"}, {`# Afftected entities`,direction:"descending"}, {vulnerability.parent.first_seen,direction:"descending"}<BR />| fieldsRemove status_sort</PRE><P>&nbsp;</P><P>HTH,<BR />Chris</P> Wed, 13 Mar 2024 09:42:17 GMT https://community.dynatrace.com/t5/DQL/DQL-to-pull-vulnerabilities-for-each-host/m-p/239734#M725 c_schwarzbauer 2024-03-13T09:42:17Z https://community.dynatrace.com/t5/DQL/DQL-to-pull-vulnerabilities-for-each-host/m-p/240326#M740 <P>Do we have the option to get the same infomation (vulnerabilities per host) in Dynatrace Managed without DQL?</P><P>&nbsp;</P><P>Thank you.</P> Mon, 18 Mar 2024 17:19:58 GMT https://community.dynatrace.com/t5/DQL/DQL-to-pull-vulnerabilities-for-each-host/m-p/240326#M740 DamianG 2024-03-18T17:19:58Z https://community.dynatrace.com/t5/DQL/DQL-to-pull-vulnerabilities-for-each-host/m-p/240958#M764 <P>hi <a href="https://community.dynatrace.com/t5/user/viewprofilepage/user-id/52344">@DamianG</a>,</P><P>did you try using the Environment API v2, as described here: <A href="https://docs.dynatrace.com/docs/dynatrace-api/environment-api/application-security/vulnerabilities/get-vulnerabilities" target="_blank">https://docs.dynatrace.com/docs/dynatrace-api/environment-api/application-security/vulnerabilities/get-vulnerabilities</A> ?</P><P>using the 'relatedHostNames' (or similar) for filtering via the 'securityProblemSelector' should be able to address your use case, I think.</P><P>HTH, Chris</P> Mon, 25 Mar 2024 12:52:41 GMT https://community.dynatrace.com/t5/DQL/DQL-to-pull-vulnerabilities-for-each-host/m-p/240958#M764 c_schwarzbauer 2024-03-25T12:52:41Z