14 Jun 2024 09:56 AM - last edited on 17 Jun 2024 07:31 AM by MaciejNeumann
I am working on understanding how we shall use ownership in Dynatrace in relation to Application Security.
I have added the Owner tag to some processes that have vulnerabilities, and I am able to filter by the tag and get the relevant vulnerabilities - the app is not able to derive the DQL behind the request and open it with a Notebook or Dashboard.
What does the DQL behind the request look like?
21 Nov 2024 10:43 AM
Hello @ANLTH,
Here is an answer I got from the Application Security team:
fetch events
| filter dt.system.bucket=="default_security_events"
| filter event.provider=="Dynatrace"
| filter event.type=="VULNERABILITY_STATE_REPORT_EVENT"
| filter event.level=="ENTITY"
| sort timestamp, direction:"descending"
| summarize {
    vulnerability.resolution.status = takeFirst(vulnerability.resolution.status),
    affected_entity.management_zones.names = takeFirst(affected_entity.management_zones.names),
    affected_entity.vulnerable_component.name = takeFirst(affected_entity.vulnerable_component.name),
    affected_entity.name = takeFirst(affected_entity.name),
    vulnerability.parent.mute.status = takeFirst(vulnerability.parent.mute.status),
    vulnerability.parent.resolution.status = takeFirst(vulnerability.parent.resolution.status),
    vulnerability.stack = takeFirst(vulnerability.stack),
    vulnerability.parent.risk.level = takeFirst(vulnerability.parent.risk.level)
  },
  by: {
    vulnerability.id,
    affected_entity.id
  }
| filter vulnerability.parent.resolution.status == "OPEN" AND vulnerability.parent.mute.status == "NOT_MUTED"
| filter in(vulnerability.stack,{"CODE","CODE_LIBRARY","SOFTWARE","CONTAINER_ORCHESTRATION"})
| filter in(vulnerability.parent.risk.level,{"CRITICAL","HIGH","MEDIUM","LOW","NONE"})
| filter vulnerability.resolution.status=="OPEN"
// add ownership information
| lookup [
    fetch dt.entity.process_group
    | fieldsAdd tags
    | parse toString(tags), "LD ('owner:'|'owner\\\\:') (SPACE)? LD:Team ('\"')"
    | fieldsRemove tags
  ], sourceField:affected_entity.id, lookupField:id, fields:{Team}
// end of adding ownership info
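As an added example that is not part of the answer above and not Dynatrace's own code, here is a small Python model of what the query does, run on constructed records: the descending sort plus takeFirst keeps only the newest state report per (vulnerability.id, affected_entity.id), the filters keep open, unmuted findings, and the lookup joins the team parsed from the process group's owner tag. The field names follow the query; the sample events, the tag strings and the OWNER_TAG regular expression (a Python approximation of the DPL pattern in the lookup) are assumptions made for the example.

```python
import re

# Constructed VULNERABILITY_STATE_REPORT_EVENT records (entity level).
# Field names follow the query; all values are invented for illustration.
EVENTS = [
    {"timestamp": 100, "vulnerability.id": "V-1", "affected_entity.id": "PG-A",
     "affected_entity.name": "orders-api", "vulnerability.stack": "CODE_LIBRARY",
     "vulnerability.resolution.status": "OPEN",
     "vulnerability.parent.resolution.status": "OPEN",
     "vulnerability.parent.mute.status": "NOT_MUTED",
     "vulnerability.parent.risk.level": "HIGH"},
    # Newer report for the same pair: the finding was resolved, so it must drop out.
    {"timestamp": 200, "vulnerability.id": "V-1", "affected_entity.id": "PG-A",
     "affected_entity.name": "orders-api", "vulnerability.stack": "CODE_LIBRARY",
     "vulnerability.resolution.status": "RESOLVED",
     "vulnerability.parent.resolution.status": "RESOLVED",
     "vulnerability.parent.mute.status": "NOT_MUTED",
     "vulnerability.parent.risk.level": "HIGH"},
    {"timestamp": 150, "vulnerability.id": "V-2", "affected_entity.id": "PG-B",
     "affected_entity.name": "payments-svc", "vulnerability.stack": "CODE",
     "vulnerability.resolution.status": "OPEN",
     "vulnerability.parent.resolution.status": "OPEN",
     "vulnerability.parent.mute.status": "NOT_MUTED",
     "vulnerability.parent.risk.level": "CRITICAL"},
    # Open but muted at the parent level: filtered out like in the query.
    {"timestamp": 160, "vulnerability.id": "V-3", "affected_entity.id": "PG-C",
     "affected_entity.name": "batch-worker", "vulnerability.stack": "SOFTWARE",
     "vulnerability.resolution.status": "OPEN",
     "vulnerability.parent.resolution.status": "OPEN",
     "vulnerability.parent.mute.status": "MUTED",
     "vulnerability.parent.risk.level": "LOW"},
    # Open on a process group that carries no owner tag at all.
    {"timestamp": 170, "vulnerability.id": "V-4", "affected_entity.id": "PG-C",
     "affected_entity.name": "batch-worker", "vulnerability.stack": "SOFTWARE",
     "vulnerability.resolution.status": "OPEN",
     "vulnerability.parent.resolution.status": "OPEN",
     "vulnerability.parent.mute.status": "NOT_MUTED",
     "vulnerability.parent.risk.level": "MEDIUM"},
]

# Constructed process groups; "tags" stands in for toString(tags) in the query.
PROCESS_GROUPS = [
    {"id": "PG-A", "tags": '["owner:platform-team", "env:prod"]'},
    {"id": "PG-B", "tags": '["owner: payments-team"]'},   # optional space after the colon
    {"id": "PG-C", "tags": '["env:prod"]'},               # no owner tag
]

# Assumed Python approximation of the DPL pattern
# "LD ('owner:'|'owner\\:') (SPACE)? LD:Team ('\"')":
# 'owner:' or 'owner\:', an optional space, then the team up to the closing quote.
OWNER_TAG = re.compile(r'owner\\?:\s?([^"]*)"')

STACKS = {"CODE", "CODE_LIBRARY", "SOFTWARE", "CONTAINER_ORCHESTRATION"}
RISKS = {"CRITICAL", "HIGH", "MEDIUM", "LOW", "NONE"}


def latest_state_per_pair(events):
    """Model of 'sort timestamp desc' + 'summarize takeFirst(...) by
    {vulnerability.id, affected_entity.id}': keep the newest report per pair."""
    latest = {}
    for ev in sorted(events, key=lambda e: e["timestamp"], reverse=True):
        key = (ev["vulnerability.id"], ev["affected_entity.id"])
        latest.setdefault(key, ev)  # first seen after descending sort == takeFirst
    return list(latest.values())


def is_actionable(ev):
    """The four filter stages after summarize, combined."""
    return (ev["vulnerability.parent.resolution.status"] == "OPEN"
            and ev["vulnerability.parent.mute.status"] == "NOT_MUTED"
            and ev["vulnerability.stack"] in STACKS
            and ev["vulnerability.parent.risk.level"] in RISKS
            and ev["vulnerability.resolution.status"] == "OPEN")


def owner_of(tags_str):
    """Model of the parse step: team from the owner tag, or None if absent."""
    m = OWNER_TAG.search(tags_str)
    return m.group(1) if m else None


def open_vulnerabilities_with_owner(events=EVENTS, process_groups=PROCESS_GROUPS):
    """Model of the lookup: join Team onto each open finding by affected_entity.id."""
    team_by_pg = {pg["id"]: owner_of(pg["tags"]) for pg in process_groups}
    rows = []
    for ev in latest_state_per_pair(events):
        if not is_actionable(ev):
            continue
        rows.append({
            "vulnerability.id": ev["vulnerability.id"],
            "affected_entity.id": ev["affected_entity.id"],
            "affected_entity.name": ev["affected_entity.name"],
            "vulnerability.parent.risk.level": ev["vulnerability.parent.risk.level"],
            # None models an empty Team field when no owner tag matched.
            "Team": team_by_pg.get(ev["affected_entity.id"]),
        })
    return rows


if __name__ == "__main__":
    for row in open_vulnerabilities_with_owner():
        print(row)
```

Run on the constructed data, V-1 disappears because its newest report is RESOLVED, V-3 is dropped as muted, and V-4 survives with an empty Team: that last case is the one to watch for when using the owner tag for routing, since a finding without an owner is the one nobody gets paged for.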