DQL behind the ThirdParty Vulnerability app

ANLTH
Observer

I am working on understanding how we shall use ownership in Dynatrace in relation to Application Security.

I have added the Owner tag to some processes that have vulnerabilities, and I am able to filter by the tag and get the relevant vulnerabilities, but the app is not able to derive the DQL behind the request and open it in a Notebook or Dashboard.

What does the DQL behind the request look like?

[Attached screenshot: ANLTH_0-1718355215364.png]


MaciejNeumann
Community Team

Hello @ANLTH,

Here is an answer I got from the Application Security team:

"Unfortunately we are not writing ownership info to vulnerability state reports, the underlying data for Vulnerability dashboards in 3rd gen. The workaround is to 1) query affected entities 2) add a lookup query to fetch ownership info for the affected PGs. Here’s an example:"

fetch events
| filter dt.system.bucket=="default_security_events"
| filter event.provider=="Dynatrace"
| filter event.type=="VULNERABILITY_STATE_REPORT_EVENT"
| filter event.level=="ENTITY"
| sort timestamp, direction:"descending"
// keep the most recent state report per vulnerability/affected-entity pair
| summarize {
	vulnerability.resolution.status = takeFirst(vulnerability.resolution.status),
	affected_entity.management_zones.names = takeFirst(affected_entity.management_zones.names),
	affected_entity.vulnerable_component.name = takeFirst(affected_entity.vulnerable_component.name),
	affected_entity.name = takeFirst(affected_entity.name),
	vulnerability.parent.mute.status = takeFirst(vulnerability.parent.mute.status),
	vulnerability.parent.resolution.status = takeFirst(vulnerability.parent.resolution.status),
	vulnerability.stack = takeFirst(vulnerability.stack),
	vulnerability.parent.risk.level = takeFirst(vulnerability.parent.risk.level)
},
 by: {
	vulnerability.id,
	affected_entity.id
}
// only open, unmuted vulnerabilities of the selected stacks and risk levels
| filter vulnerability.parent.resolution.status == "OPEN" AND vulnerability.parent.mute.status == "NOT_MUTED"
| filter in(vulnerability.stack,{"CODE","CODE_LIBRARY","SOFTWARE","CONTAINER_ORCHESTRATION"})
| filter in(vulnerability.parent.risk.level,{"CRITICAL","HIGH","MEDIUM","LOW","NONE"})
| filter vulnerability.resolution.status=="OPEN"
// add ownership information: extract the "owner:<Team>" tag of the affected process group
| lookup [
fetch dt.entity.process_group
| fieldsAdd tags
| parse toString(tags), "LD ('owner:'|'owner\\\\:') (SPACE)? LD:Team ('\"')"
| fieldsRemove tags
], sourceField:affected_entity.id, lookupField:id, fields:{Team}
// end of adding ownership info


If you have any questions about the Community, you can contact me at maciej.neumann@dynatrace.com
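Building on the workaround above, here is an added example (not part of the original reply or of Dynatrace's own code) that turns the per-entity list into an ownership coverage view: open, unmuted vulnerabilities counted per owning team and risk level, with process groups that carry no "owner:" tag surfaced as an explicit "unassigned" bucket. It assumes the same tag convention and the same event fields as the query in the reply.

```dql
// Added example, not from the original post. Assumes process groups are tagged
// "owner:<Team>" exactly as in the query above.
fetch events
| filter dt.system.bucket == "default_security_events"
| filter event.provider == "Dynatrace"
| filter event.type == "VULNERABILITY_STATE_REPORT_EVENT"
| filter event.level == "ENTITY"
| sort timestamp, direction:"descending"
// keep only the latest report per (vulnerability, affected entity) pair
| summarize {
    vulnerability.resolution.status = takeFirst(vulnerability.resolution.status),
    vulnerability.parent.resolution.status = takeFirst(vulnerability.parent.resolution.status),
    vulnerability.parent.mute.status = takeFirst(vulnerability.parent.mute.status),
    vulnerability.parent.risk.level = takeFirst(vulnerability.parent.risk.level)
  }, by: { vulnerability.id, affected_entity.id }
| filter vulnerability.parent.resolution.status == "OPEN" AND vulnerability.parent.mute.status == "NOT_MUTED"
| filter vulnerability.resolution.status == "OPEN"
// attach the owner tag of the affected process group (same lookup as the reply)
| lookup [
    fetch dt.entity.process_group
    | fieldsAdd tags
    | parse toString(tags), "LD ('owner:'|'owner\\\\:') (SPACE)? LD:Team ('\"')"
    | fieldsRemove tags
  ], sourceField:affected_entity.id, lookupField:id, fields:{Team}
// entities without an owner tag get an explicit bucket instead of a null Team
| fieldsAdd Team = coalesce(Team, "unassigned")
// one row per team and risk level; distinct counts avoid double-counting
// a vulnerability that affects several process groups of the same team
| summarize {
    open_vulnerabilities = countDistinct(vulnerability.id),
    affected_entities = countDistinct(affected_entity.id)
  }, by: { Team, vulnerability.parent.risk.level }
| sort open_vulnerabilities, direction:"descending"
```

A large "unassigned" row is the signal to look at: those process groups have open findings that no team will see when filtering by the Owner tag.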
