14 Jun 2024
		09:56 AM
 - last edited on 
		17 Jun 2024
		07:31 AM
 by 
		 MaciejNeumann
I am working on understanding how we should use ownership in Dynatrace in relation to Application Security.
I have added the Owner tag to some processes that have vulnerabilities, and I am able to filter by the tag and get the relevant vulnerabilities - but the app is not able to derive the DQL behind the request and open it in a Notebook or Dashboard.
What does the DQL behind the request look like?
21 Nov 2024 10:43 AM
Hello @ANLTH,
Here is an answer I got from the Application Security team:
// Open, un-muted vulnerabilities per affected entity, enriched with the owning team
// parsed from the process group's "owner:" tag.
fetch events
// restrict to Dynatrace-generated vulnerability state reports in the security events bucket
| filter dt.system.bucket=="default_security_events"
| filter event.provider=="Dynatrace"
| filter event.type=="VULNERABILITY_STATE_REPORT_EVENT"
// entity-level reports (one per vulnerability / affected entity), not the aggregated ones
| filter event.level=="ENTITY"
// newest report first, so takeFirst() below yields the latest known state per group
| sort timestamp, direction:"descending"
| summarize {
	vulnerability.resolution.status = takeFirst(vulnerability.resolution.status),
	affected_entity.management_zones.names = takeFirst(affected_entity.management_zones.names),
	affected_entity.vulnerable_component.name = takeFirst(affected_entity.vulnerable_component.name),
	affected_entity.name = takeFirst(affected_entity.name),
	vulnerability.parent.mute.status = takeFirst(vulnerability.parent.mute.status),
	vulnerability.parent.resolution.status = takeFirst(vulnerability.parent.resolution.status),
	vulnerability.stack = takeFirst(vulnerability.stack),
	vulnerability.parent.risk.level = takeFirst(vulnerability.parent.risk.level)
},
 by: {
	vulnerability.id,
	affected_entity.id
}
// keep only vulnerabilities that are still open and not muted, both at the parent
// (vulnerability) level and at the affected-entity level
| filter vulnerability.parent.resolution.status == "OPEN" AND vulnerability.parent.mute.status == "NOT_MUTED"
// stacks and risk levels to include; note "NONE" keeps unscored vulnerabilities in the result
| filter in(vulnerability.stack,{"CODE","CODE_LIBRARY","SOFTWARE","CONTAINER_ORCHESTRATION"})
| filter in(vulnerability.parent.risk.level,{"CRITICAL","HIGH","MEDIUM","LOW","NONE"})
| filter vulnerability.resolution.status=="OPEN"
//add ownership information
// Join on affected_entity.id == process group id, so Team is only populated when the
// affected entity is a process group; other entity types keep an empty Team.
// The parse pattern captures the tag value after an "owner:" (or "owner\:") prefix,
// with an optional space, up to the closing quote of the stringified tag list.
// To restrict the result to one team, append e.g. `| filter Team == "<team-name>"`.
| lookup [
fetch dt.entity.process_group
| fieldsAdd tags
| parse toString(tags), "LD ('owner:'|'owner\\\\:') (SPACE)? LD:Team ('\"')"
| fieldsRemove tags
], sourceField:affected_entity.id, lookupField:id, fields:{Team}
// end of adding ownership info
