05 Jun 2023 08:07 PM
Common Event Format (CEF) is an open logging and auditing format that is quite widely used in the SIEM market. Being able to send events and logs from the Dynatrace AppSec monitoring to SIEM platforms seems quite an important use case to me. It isn't supported by Dynatrace, but before putting in a Product Idea, I would like to know whether someone eventually went the extensions route to be able to get these events to a SIEM?
22 Jun 2023 02:07 PM
great question and great future RFE 🙂
22 Jun 2023 08:23 PM
I am using FluentD to ingest Syslog and output it into Dynatrace: https://www.dynatrace.com/support/help/observe-and-explore/logs/log-monitoring/acquire-log-data/send...
Maybe you can use the CEF input plugin in the same way: https://github.com/lunardial/fluent-plugin-parser_cef
23 Jun 2023 06:33 AM
I took a CEF example from this page then used logpusher to send it to Dynatrace via an OpenTelemetry collector. (see this video for how to use logpusher).
I then used DQL to filter my incoming log lines:
fetch logs, scanLimitGBytes: 1
| filter matchesPhrase(content, "act=blocked")
| sort timestamp desc
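As an added illustration that is not part of the thread, here is a small CEF parser in Python that splits the pipe-delimited header (honouring the `\|` and `\\` escapes) and the `key=value` extension (honouring `\=`, `\\`, `\n`, `\r`, and values that contain spaces), then applies the same `act=blocked` selection as the DQL filter above on the client side. The sample lines, vendor and product names are constructed for the example.

```python
import re

# Constructed sample lines (not real events): a WAF-style block and an allow.
SAMPLE_LINES = [
    r"CEF:0|ExampleVendor|Example WAF|1.0|100|Request blocked \| SQLi|7|"
    r"src=10.0.0.5 dst=10.0.0.9 spt=51234 dpt=443 act=blocked "
    r"request=/login?user\=admin msg=Blocked SQLi attempt\\ in param",
    r"CEF:0|ExampleVendor|Example WAF|1.0|101|Request allowed|2|"
    r"src=10.0.0.6 dst=10.0.0.9 dpt=443 act=allowed request=/healthz",
]
HEADER_FIELDS = ("version", "device_vendor", "device_product",
                 "device_version", "signature_id", "name", "severity")
_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")  # "key=" at a token boundary

def _split_header(line):
    """Return the 7 header fields and the raw extension; '\\|' and '\\\\' are escapes."""
    i = line.index("CEF:") + 4  # tolerate a syslog prefix; ValueError if absent
    fields, buf, n = [], [], len(line)
    while i < n and len(fields) < 7:
        ch = line[i]
        if ch == "\\" and i + 1 < n and line[i + 1] in "|\\":
            buf.append(line[i + 1]); i += 2  # escaped pipe or backslash
        elif ch == "|":
            fields.append("".join(buf)); buf = []; i += 1
        else:
            buf.append(ch); i += 1
    if len(fields) != 7:
        raise ValueError("malformed CEF header")
    return fields, line[i:]

def _unescape(value):
    """Extension escapes: '\\=' and '\\\\' plus the '\\n' / '\\r' newline forms."""
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m[1], m[1]), value)

def _parse_extension(ext):
    """Values may contain spaces, so cut at the next 'key=' boundary, not on spaces."""
    keys = list(_KEY_RE.finditer(ext))
    ends = [m.start() for m in keys[1:]] + [len(ext)]
    return {m[1]: _unescape(ext[m.end():end]) for m, end in zip(keys, ends)}

def parse_cef(line):
    fields, ext = _split_header(line.rstrip("\r\n"))
    event = dict(zip(HEADER_FIELDS, fields))
    event["extension"] = _parse_extension(ext)
    return event

def blocked_events(lines):
    """Client-side equivalent of the DQL filter on act=blocked shown above."""
    return [e for e in map(parse_cef, lines) if e["extension"].get("act") == "blocked"]
```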
23 Jun 2023 10:11 AM
It's the other way around: I want to get the Dynatrace AppSec events to a SIEM platform.
26 Jun 2023 01:47 AM
Ahh OK. I misread the initial post. In which case, this seems like a very sensible thing to build as an app / workflow.
26 Jun 2023 08:35 AM
Yes, this is a good direction for the development of AppSec in DT. I have a similar case at my client and it would be nice to send this information to another tool.
26 Jun 2023 09:15 AM
Yes, @adam_gardner gave a good solution for SaaS environments. In this case, it's a Managed environment though...