Dynatrace Hub

Security Investigator
Fast and precise forensics for security and logs on Grail data with DQL queries.

App
You can see your whole investigation flow as you go along, with the ability to always jump back to the previous step of the investigation.

The detailed view of a record shows all record fields at once, with the possibility to drill down to the details of a field or move between records without closing the details.

You can use the data in results with character precision. Creating new evidence or DQL filters can be done by simply selecting the interesting portion of the field.

Evidence and filter manipulations can also be done with multiple values at once: just select the range of IPs and create a DQL filter based on the values!

Security Investigator enables you to view your data in both wrapped and multi-line modes. Viewing stack traces in their original form has never been easier. With the Inspector view you can see the non-printable characters visualized in their original position.

Overview

Dynatrace Security Investigator is one of the built-in apps shipped with Dynatrace. It's designed for evidence-driven security use cases based on the logs, metrics, and traces ingested into Grail.

Security Investigator enables you to

  • Keep your whole investigation flow in context
  • Perform complex security investigations on the data stored in Grail
  • Build DQL queries based on your findings in a fast and usable way
  • Save and use found evidence to build your DQL queries and find answers to your questions
  • Navigate with ease to any point in your investigation history and review queries and results
  • Fetch detailed results in the original format to quickly understand the information

Use cases

  • Threat hunting and hunting for the unknown
  • Forensic analysis, where keeping track of the investigation is a must
  • Incident root cause analysis, where evidence-driven queries bring clarity to the incidents

Learn how to perform threat hunting and forensics

Are you looking for additional use cases and functionality? Let us know in the Dynatrace Community Forum!

Get started

Security Investigator comes preinstalled on Dynatrace SaaS environments. Launch the app and create your first investigation scenario.

By Dynatrace
Related to Security Investigator

Grail

Dynatrace's data lakehouse providing unified storage for any type of data.

Full version history

1.324.0

With this release you can now:

  • Create reference time and query filters directly from Performance Metrics charts
  • Upload files from your computer and store them as Lookup tables in Grail
  • Create lookup tables from your query results

1.323.0

Minor changes:

  • Performance metrics
  • Results table

1.320.1

Minor changes:

  • Performance metrics

1.319

With this release you can now:

  • View performance metrics of the system from query results
  • Set reference time from record details
  • Enrich IP addresses in your DQL query results

1.317.2

With this release you can now:

  • Enrich IP addresses for additional context from external sources
  • Download cases as templates and vice versa
  • Get more data by fetching data from Grail up to 300 MB at once

1.316.1

With this release you can now:

  • Quickly shift your investigations based on metadata fields using Query Pivoting. Read more in the Dynatrace documentation.
  • Download cases as templates and vice versa
  • Copy your results in CSV format to operationalize your query results
  • Access filtering and copying functions from the Record Details view
  • Fetch data from Grail up to 300 MB at once

1.313.1

With this release you can now:

  • Share cases with all environment users in read-only mode at once
  • Upload cases as templates and vice versa
  • Select all values in a column at once from the column header menu
  • Search results table by a keyword and jump to the next occurrence of your search keywords
  • See the in-place filters count above the results table
  • Define query editor settings - toggle between condensed and normal code view and enable/disable line wrap

1.312.0

With this version you can now:

  • use chart visualization automatically when fetching timeseries data
  • use reference time as additional context when conducting investigations.
  • enable the line wrap option from settings for DQL query window

1.310

With this release you can now:

  • Save multi-line evidence to evidence list
  • Use automated charts for data visualization
  • Access security events in Grail

1.308.0

With improved case management features, you can now:

  • duplicate existing cases to create snapshots or continue cases that are shared with you
  • download and upload the cases to move them between environments
  • create use case templates as boilerplates for your investigations

To streamline investigations, you can work with your findings more efficiently by clicking on evidence to copy it directly from your Evidence list. You can then use the copied evidence in DQL queries or case reports directly and quickly.

To speed up investigations and grasp results faster, you can now visualise your results as charts.

Minor changes:

You can now:

  • access query tree color labels and their titles from the query tree legend
  • view complex data elements (like arrays and records) in a multiline mode in the response table
  • share your cases from the main page without opening the case
  • share templates with everyone on your environment with one click
  • filter your cases and templates on the main page by their type: either view All the cases accessible by you, see only My cases or only cases that have been Shared with you.

1.305.0

With this version of Security Investigator it is now possible to:

  • Create a custom timeframe by clicking on the analysis timeframe in result statistics.
  • Add time range filters for timestamp data type.

1.304.3

With this version of Security Investigator it is now possible to:

  • Download selected nodes as a Notebooks document
  • Upload evidence to an evidence list from a text file

1.302.1

Patch Changes

  • Minor bug fixes.

1.302

With this version of Security Investigator it is now possible to:

  • execute a query without creating a new node
  • add IP addresses from string-type fields to IP evidence lists
  • create new cases from every page of the Security Investigator
  • access Distributed Traces when analyzing your logs by right-clicking on the record in the results table
  • see Duration datatype in the results table in a human-readable format

1.298.8

Patch Changes

  • Fixed bugs related to sharing in Safari.

Major Changes

  • Introducing Case Sharing: It is now possible to share your investigations with peers and stakeholders!
    • You can share your cases with either a link or share cases to a person or a group.
    • Cases can be shared in either a read-only mode or with edit privileges.
    • Read more at https://www.dynatrace.com/news/blog/collaborate-with-peers-in-hunting-security-threats/.

1.295

  • A search field has been added to highlight keywords in the result table.
  • Users can set record limits for DQL queries in the App settings.
  • Added color legend with customizable color labels in query tree.

1.291

You can now:

  • View the query tree legend to see the explanations of different query node statuses.
  • Rename your cases on the main page in the Cards' menu.
  • Open the Security Investigator from other Dynatrace applications.

1.290.0

Minor Changes

  • Updated result statistics and notifications.
  • Added a new result status indicator to the query tree.
  • Added a context menu to the field details window.

1.289.0

Minor Changes

  • 138f865: Added filtering to the context menu in the record details window.
  • 29ce2db: Added an 'Add field' command for nested objects in the record details window.

Patch Changes

  • 5f84f0a: Added the selected record number to the record details window.
  • 9fa665a: Updated the result table context menu.
  • f05b039: Added a 'Copy field' option to the context menu in the results table.

1.288.0

Patch Changes

  • 4574b72: Close inspect and complex view if DPL Architect is opened. Remove back button if inspect view is opened directly from result table.
  • f2c946e: Added possibility to cancel queries in multiple nodes that are running at the same time
  • 50573cb: Close DPL Architect if case is switched. Close toasts after 5 seconds.
  • 662d89d: Modify query tree deletion portion. Strip trailing newlines and scroll editor to bottom when DQL is added to query.
  • 542c37e: Cosmetic improvements
  • cda16d3: Update adding new evidence collections
  • 834049a: Add help menu
  • eb8a6cd: Add view-query intent

1.0.0

Patch Changes

  • c6d0b00: Update record count on poll response
  • 51b21a8: Remove milliseconds in timeframe selector
  • 241ef0e: Add multiline and line wrap support
  • c92a971: Different nodes can be polled separately and result is updated only for selected node
  • b6d7178: Add case heading menu
  • a971214: Add filter out option
  • 62b4e45: Update result statistics timeframes
  • ce7d7fa: UI improvements
  • 8305454: Update complex view and timeframes
  • 787ada3: Fix submit forms with enter
  • f7c31f4: Add header filter and timeframe rename
  • 3cd4e5e: Multiple samples now can be passed to DPL Architect when clicking "Extract fields"
  • a35f624: Add metrics, bizevents and spans scopes
  • 11d1490: Add filter and delete for selection in collection details
  • 59e45c0: Analytics walk-through e2e tests
  • c1a9045: Ask the user if he wants to cancel polling queries
  • 58e79cd: Fix filterOut statements
  • 7f3d38b: Add new collection creation in context menu
  • 1fb2569: Update zooming in query tree
  • f3249db: Rework details panel
  • 6923e54: Add JSON formatting into detailed content viewer
  • 59b0f6b: Add evidences from collections list menu