Solved: API - get alerts for a process group third-party vul

Sami · ‎20 Dec 2022

Hi,

In an effort to pull the alerts for a process including the environmental specific factors (exposed, first seen for this process, data ) we have to do the following:

Pull all the alerts with the query parameter affectedPgNameContains using "GET all problems"
iterate over all the results to get the specifics for a process - using multiple other calls to "GET problem events"

A process that is not practical to scale !!

Is there a single API call that returns the alerts for a specific process ?

Ex. Get security alerts for affectedPgNameContains='something '

Thanks,

Sami

AurelienGravier · ‎21 Dec 2022

Hello @Sami,

I recommend checking the Dynatrace Api explorer "Environment API V2" in the endpoint "/securityProblems".

You could use the parameter "securityProblemSelector" to filter on the entity of your choice, for example :

Curl command generated :

curl -X GET "https://{environmentid}.live.dynatrace.com/api/v2/securityProblems?securityProblemSelector=affectedPgNameContains%28%22something%22%29&from=-3d" -H "accept: application/json; charset=utf-8"

Regards Aurélien.

Observability consultant - Dynatrace Associate/Pro/Services certified

AurelienGravier · ‎21 Dec 2022

Dynatrace API Explorer is accessible here for SaaS Environment :

https://{environmentid}.live.dynatrace.com/rest-api-doc/index.jsp

Observability consultant - Dynatrace Associate/Pro/Services certified

Sami · ‎21 Dec 2022

Hi Aurélien,

Unfortunately this is not what I am hoping for.

For this endpoint

input: process group name

output: all security alerts where this process is affected (no specifics if the process is exposed or the first detected timestamp for this process)

what I am looking for

input: process group name

output: list of security problems and the specifics for this process (exposure, when each security alert was first detected for this process, )

error: if the process searched for is not running or never ran return an error accordingly

AurelienGravier · ‎22 Dec 2022

Hi @Sami

Have you try to add addditionnal fields like +riskAssessment,+codeLevelVulnerabilityDetails :

curl -X GET "https://{environmentid}.live.dynatrace.com/api/v2/securityProblems?securityProblemSelector=affectedP..." -H "accept: application/json; charset=utf-8"

If you don't have information expected with these additional fields, you will need to iterate GET problem events with each Problem ID.

Regards

Observability consultant - Dynatrace Associate/Pro/Services certified

Sami · ‎23 Dec 2022

Hi @AurelienGravier ,

Unfortunately this does not help, codeanalysis is not of concern. and riskAssessment: A risk assessment of the security problem not specific to the process.

The only workaround is the iteration, but it is very api calls intensive to be used for automation, we need a new endpoint that directly provide the result.

+ @susanst00

Regards,

susanst00 · ‎28 Dec 2022

@Sami - As mentioned below, I don't think this is possible today, but I've created a product idea on your behalf.

-susan

Sami · ‎09 Jan 2023

Much appreciated @susanst00 you rock 🚀

AurelienGravier · ‎23 Dec 2022

OK I understand.
Personnaly, I often iterate easily a lot of entities on more than 1500 Hosts with ansible jobs for a client environment to automatically switch hosts from full stack monitoring to infra-only based on process group technologies detected on hosts. And it works like a charm.

Regards.

Observability consultant - Dynatrace Associate/Pro/Services certified

Sami · ‎23 Dec 2022

Could you please help suggest this as a product idea ?

AurelienGravier · ‎26 Dec 2022

Sure, you can submit it yourself here : https://community.dynatrace.com/t5/forums/postpage/board-id/DynatraceProductIdeas

Observability consultant - Dynatrace Associate/Pro/Services certified