Security problems API - GET all problems

Lists all security problems detected in your applications.

The request produces an application/json payload.

Early Adopter

This request is an Early Adopter release and may be changed in a non-compatible way.

GET
  • Managed https://{your-domain}/e/{your-environment-id}/api/v2/securityProblems
  • SaaS https://{your-environment-id}.live.dynatrace.com/api/v2/securityProblems

Authentication

To execute this request, you need the Read security problems (securityProblems.read) permission assigned to your API token. To learn how to obtain and use it, see Tokens and authentication.

Parameters

Parameter Type Description In Required
nextPageKey string

The cursor for the next page of results. You can find it in the nextPageKey field of the previous response.

The first page is always returned if you don't specify the nextPageKey query parameter.

When the nextPageKey is set to obtain subsequent pages, you must omit all other query parameters.

query optional
pageSize integer

The number of security problems in a single response payload.

The maximum allowed page size is 500.

If not set, 100 is used.

query optional
securityProblemSelector string

Defines the scope of the query. Only security problems matching the specified criteria are included in the response.

You can add one or more of the following criteria. Values are not case-sensitive and the EQUALS operator is used unless otherwise specified.

  • Status: status("value"). Find the possible values in the description of the status field of the response. If not set, only open security problems are returned.
  • Muted: muted("value"). Possible values are TRUE or FALSE.
  • Risk level: riskLevel("value"). The Davis Risk Level. Find the possible values in the description of the riskLevel field of the response.
  • Minimum risk score: minRiskScore("5.5"). The Davis minimum Risk Score. The GREATER THAN OR EQUAL TO operator is used. Specify a number between 1.0 and 10.0.
  • Maximum risk score: maxRiskScore("5.5"). The Davis maximum Risk Score. The LESS THAN operator is used. Specify a number between 1.0 and 10.0.
  • Base risk level: baseRiskLevel("value"). The Base Risk Level from the CVSS. Find the possible values in the description of the riskLevel field of the response.
  • Minimum base risk score: minBaseRiskScore("5.5"). The Base minimum Risk Score from the CVSS. The GREATER THAN OR EQUAL TO operator is used. Specify a number between 1.0 and 10.0.
  • Maximum base risk score: maxBaseRiskScore("5.5"). The Base maximum Risk Score from the CVSS. The LESS THAN operator is used. Specify a number between 1.0 and 10.0.
  • Vulnerability ID contains: vulnerabilityIdContains("id-1"). The CONTAINS operator is used.
  • Vulnerability ID: vulnerabilityId("id-1","id-2"). Case insensitive EQUALS operator is used.
  • CVE ID: cveId("id").
  • Risk assessment: riskAssessment("value-1","value-2"). Possible values are EXPOSED, SENSITIVE, and EXPLOIT.
  • Affected host ID: affectedHostIds("value-1", "value-2"). Specify Dynatrace entity IDs here.
  • Affected host name: affectedHostNames("value-1", "value-2"). Values are case-sensitive.
  • Affected host name contains: affectedHostNameContains("value-1"). The CONTAINS operator is used.
  • Affected Kubernetes cluster ID: affectedKubernetesClusterIds("value-1", "value-2"). Specify Dynatrace entity IDs here.
  • Affected Kubernetes cluster name: affectedKubernetesClusterNames("value-1", "value-2"). Values are case-sensitive.
  • Affected Kubernetes cluster name contains: affectedKubernetesClusterNameContains("value-1"). The CONTAINS operator is used.
  • Affected Kubernetes workload ID: affectedKubernetesWorkloadIds("value-1", "value-2"). Specify Dynatrace entity IDs here.
  • Affected Kubernetes workload name: affectedKubernetesWorkloadNames("value-1", "value-2"). Values are case-sensitive.
  • Affected Kubernetes workload name contains: affectedKubernetesWorkloadNameContains("value-1"). The CONTAINS operator is used.
  • Management zone ID: managementZoneIds("mzId-1","mzId-2").
  • Management zone name: managementZones("name-1","name-2"). Values are case-sensitive.
  • Vulnerable process group ID: vulnerablePgIds("pgId-1", "pgId-2"). Specify Dynatrace entity IDs here.
  • Vulnerable process group name: vulnerablePgNames("name-1", "name-2"). Values are case-sensitive.
  • Vulnerable process group name contains: vulnerablePgNameContains("name-1"). The CONTAINS operator is used.
  • Host tags: hostTags("hostTag-1"). The CONTAINS operator is used.
  • Process group tags: pgTags("pgTag-1"). The CONTAINS operator is used.
  • Process group instance tags: pgiTags("pgiTag-1"). The CONTAINS operator is used.
  • Tags: tags("tag-1"). The CONTAINS operator is used. This selector picks hosts, process groups, and process group instances at the same time.
  • Display ID: displayIds("S-1234","S-5678"). The EQUALS operator is used.
  • Technology: technology("technology-1","technology-2"). Find the possible values in the description of the technology field of the response. The EQUALS operator is used.

Risk score criteria (minRiskScore, maxRiskScore) and the risk level criterion (riskLevel) are mutually exclusive (cannot be used at the same time).

To set several criteria, separate them with a comma (,). Only results matching all criteria are included in the response.

Specify the value of a criterion as a quoted string. The following special characters must be escaped with a tilde (~) inside quotes:

  • Tilde ~
  • Quote "
query optional
sort string

Specifies a field for sorting the security problem list.

You can sort by the following properties with a sign prefix for the sorting order.

  • status: The security problem status (+ open first or - resolved first)
  • muted: The security problem mute state (+ muted first or - unmuted first)
  • technology: The security problem technology (+ ascending or - descending)
  • firstSeenTimestamp: The timestamp of the first occurrence of the security problem (+ new problems first or - old problems first)
  • securityProblemId: The auto-generated ID of the security problem (+ lower number first or - higher number first)
  • vulnerabilityId: The ID of the vulnerability (+ lower number first or - higher number first)
  • displayId: The display ID (+ lower number first or - higher number first)
  • riskAssessment.riskScore: The Davis security score (+ lower score first or - higher score first)
  • riskAssessment.riskLevel: The Davis security level (+ lower level first or - higher level first)
  • riskAssessment.exposed: Whether the problem is exposed to the internet (+ unexposed first or - exposed first)
  • riskAssessment.sensitiveDataAffected: Whether sensitive data is affected (+ unaffected first or - affected first)

If no prefix is set, + is used.

query optional
fields string

Defines the list of problem properties to be removed from the response.

securityProblemId is always included in the result. The fields that are added by default and can be removed are listed below. To remove several fields, join them with a comma (for example -status,-firstSeenTimestamp).

  • status: The current status of the security problem.
  • muted: The current mute state of the security problem.
  • vulnerabilityId: The ID of the vulnerability.
  • vulnerabilityType: The type of the vulnerability.
  • technology: The technology of the security problem.
  • firstSeenTimestamp: The timestamp of the first occurrence of the security problem.
  • lastUpdatedTimestamp: The timestamp of the most recent security problem change.
  • riskAssessment: A risk assessment of the security problem.
  • riskAssessment.riskLevel: The Davis risk level of the security problem.
  • riskAssessment.riskScore: The Davis risk score of the security problem.
  • riskAssessment.riskVector: The Davis vector string of the security problem.
  • riskAssessment.baseRiskLevel: The risk level based on the CVSS of the security problem.
  • riskAssessment.baseRiskScore: The risk score based on the CVSS of the security problem.
  • riskAssessment.baseRiskVector: The vector string based on the CVSS of the security problem.
  • managementZones: The management zone where the security problem occurred.
query optional
from string

The start of the requested timeframe.

You can use one of the following formats:

  • Timestamp in UTC milliseconds.
  • Human-readable format of 2021-01-25T05:57:01.123+01:00. If no time zone is specified, UTC is used. You can use a space character instead of the T. Seconds and fractions of a second are optional.
  • Relative timeframe, back from now. The format is now-NU/A, where N is the amount of time, U is the unit of time, and A is an alignment. The alignment rounds all the smaller values to the nearest zero in the past. For example, now-1y/w is one year back, aligned by a week. You can also specify a relative timeframe without an alignment: now-NU. Supported time units for the relative timeframe are:
    • m: minutes
    • h: hours
    • d: days
    • w: weeks
    • M: months
    • y: years

If not set, the relative timeframe of thirty days is used (now-30d).

query optional
to string

The end of the requested timeframe.

You can use one of the following formats:

  • Timestamp in UTC milliseconds.
  • Human-readable format of 2021-01-25T05:57:01.123+01:00. If no time zone is specified, UTC is used. You can use a space character instead of the T. Seconds and fractions of a second are optional.
  • Relative timeframe, back from now. The format is now-NU/A, where N is the amount of time, U is the unit of time, and A is an alignment. The alignment rounds all the smaller values to the nearest zero in the past. For example, now-1y/w is one year back, aligned by a week. You can also specify a relative timeframe without an alignment: now-NU. Supported time units for the relative timeframe are:
    • m: minutes
    • h: hours
    • d: days
    • w: weeks
    • M: months
    • y: years

If not set, the current timestamp is used.

query optional
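
The following is an added example, not Dynatrace's own client code: it builds a securityProblemSelector with the tilde escaping described above, then walks every page of this request, honouring the rule that a nextPageKey request carries no other query parameter. The environment URL, the API token and the two pages it reads are constructed placeholders; the real fetcher (http_get_json) uses the Authorization: Api-Token header documented under Tokens and authentication.

```python
"""Added example (not Dynatrace client code): selector building with escaping,
first-page and next-page URL construction, and cursor pagination for
GET /api/v2/securityProblems. Environment, token and page data are placeholders."""
import json
import urllib.parse
import urllib.request
from typing import Callable, Dict, Iterator, List, Optional, Sequence, Union

JSON = Dict[str, object]
Fetch = Callable[[str], JSON]


def escape_selector_value(value: str) -> str:
    """Inside a quoted value only ~ and " are special; escape ~ first so the
    escapes we add for " are not re-escaped."""
    return value.replace("~", "~~").replace('"', '~"')


def build_selector(**criteria: Union[str, Sequence[str]]) -> str:
    """status="OPEN", displayIds=["S-1", "S-2"] -> 'status("OPEN"),displayIds("S-1","S-2")'.
    Criteria are joined with commas; the API ANDs them."""
    parts: List[str] = []
    for name, raw in criteria.items():
        values = [raw] if isinstance(raw, str) else list(raw)
        quoted = ",".join('"' + escape_selector_value(str(v)) + '"' for v in values)
        parts.append(f"{name}({quoted})")
    return ",".join(parts)


def first_page_url(base: str, selector: Optional[str] = None, page_size: int = 100,
                   sort: Optional[str] = None, fields: Optional[str] = None,
                   from_: Optional[str] = None, to: Optional[str] = None) -> str:
    if not 1 <= page_size <= 500:          # documented maximum is 500
        raise ValueError("pageSize must be between 1 and 500")
    params: Dict[str, str] = {"pageSize": str(page_size)}
    for key, val in (("securityProblemSelector", selector), ("sort", sort),
                     ("fields", fields), ("from", from_), ("to", to)):
        if val:
            params[key] = val
    return f"{base}/api/v2/securityProblems?{urllib.parse.urlencode(params)}"


def next_page_url(base: str, next_page_key: str) -> str:
    """Subsequent pages: nextPageKey and nothing else."""
    return f"{base}/api/v2/securityProblems?{urllib.parse.urlencode({'nextPageKey': next_page_key})}"


def http_get_json(token: str, timeout: float = 30.0) -> Fetch:
    """Real fetcher; Dynatrace API tokens are sent as 'Authorization: Api-Token <token>'."""
    def fetch(url: str) -> JSON:
        req = urllib.request.Request(url, headers={"Authorization": f"Api-Token {token}",
                                                   "Accept": "application/json"})
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return json.load(resp)
    return fetch


def iter_security_problems(base: str, fetch: Fetch, **first_page_kwargs) -> Iterator[JSON]:
    url = first_page_url(base, **first_page_kwargs)
    while True:
        page = fetch(url)
        yield from page.get("securityProblems", [])
        key = page.get("nextPageKey")
        if not key:                        # null on the last page
            return
        url = next_page_url(base, str(key))


# ---- constructed data so the example runs offline (placeholder environment) ----
BASE = "https://abc12345.live.dynatrace.com"
CONSTRUCTED_PAGES: Dict[Optional[str], JSON] = {
    None: {"totalCount": 3, "pageSize": 2, "nextPageKey": "AQAAABQBAAAAFA==",
           "securityProblems": [{"securityProblemId": "1"}, {"securityProblemId": "2"}]},
    "AQAAABQBAAAAFA==": {"totalCount": 3, "pageSize": 2, "nextPageKey": None,
                         "securityProblems": [{"securityProblemId": "3"}]},
}


def make_fake_fetch(seen_urls: List[str]) -> Fetch:
    """Stand-in for http_get_json that also enforces the 'only nextPageKey' rule."""
    def fetch(url: str) -> JSON:
        seen_urls.append(url)
        qs = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
        key = qs.get("nextPageKey", [None])[0]
        if key is not None:
            assert list(qs) == ["nextPageKey"], "page requests must carry only nextPageKey"
        return CONSTRUCTED_PAGES[key]
    return fetch


def collect_ids(base: str = BASE, seen_urls: Optional[List[str]] = None) -> List[str]:
    selector = build_selector(status="OPEN", minRiskScore="7.0",
                              affectedHostNameContains='acme "prod"')
    fetch = make_fake_fetch(seen_urls if seen_urls is not None else [])
    return [str(p["securityProblemId"]) for p in iter_security_problems(
        base, fetch, selector=selector, page_size=2, sort="-riskAssessment.riskScore")]


if __name__ == "__main__":
    urls: List[str] = []
    print(collect_ids(seen_urls=urls))
    print("\n".join(urls))
```

Swap make_fake_fetch for http_get_json(token) to run it against an environment; everything else, including the selector escaping and the bare nextPageKey follow-up request, stays the same.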

Response

Response codes

Code Description
200

Success

Response body

The SecurityProblemList object

A list of security problems.

Element Type Description
totalCount integer

The total number of entries in the result.

pageSize integer

The number of entries per page.

nextPageKey string

The cursor for the next page of results. Has the value of null on the last page.

Use it in the nextPageKey query parameter to obtain subsequent pages of the result.

securityProblems SecurityProblem[]

A list of security problems.

The SecurityProblem object

Parameters of a security problem

Element Type Description
securityProblemId string

The ID of the security problem.

displayId string

The displayId of the security problem.

status string

The status of the security problem.

muted boolean

Indicates if a security problem is muted.

vulnerabilityId string

The vulnerability ID of the security problem.

vulnerabilityType string

The type of the vulnerability.

technology string

The technology of the security problem.

firstSeenTimestamp integer

The timestamp of the first occurrence of the security problem.

lastUpdatedTimestamp integer

The timestamp of the most recent security problem change.

riskAssessment RiskAssessment

The risk assessment of the security problem.

managementZones ManagementZone[]

Management zones to which the affected entities belong.

cveIds string[]

CVE IDs of the security problem.

The ManagementZone object

A short representation of a management zone.

Element Type Description
name string

The name of the management zone.

id string

The ID of the management zone.

The RiskAssessment object

Risk assessment of a security problem.

Element Type Description
riskLevel string

The Davis risk level.

It is calculated by Dynatrace on the basis of the CVSS score.

riskScore number

The Davis risk score (1-10).

It is calculated by Dynatrace on the basis of the CVSS score.

riskVector string

The attack vector calculated by Dynatrace based on the CVSS attack vector.

baseRiskLevel string

The risk level from the CVSS score.

baseRiskScore number

The risk score (1-10) from the CVSS score.

baseRiskVector string

The original attack vector of the CVSS assessment.

exposed boolean

The entity is (true) or isn't (false) exposed to the internet.

sensitiveDataAffected boolean

The sensitive data is (true) or isn't (false) affected.

publicExploitAvailable boolean

A public exploit is (true) or isn't (false) available.
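
The following is an added example, not Dynatrace code: it turns one SecurityProblemList page of the shape described above into a triage queue. It skips resolved and muted problems, ranks open ones by whether a public exploit exists for an internet-exposed entity and then by the Davis riskScore, reports how far the Davis score moved from the CVSS baseRiskScore, and parks problems whose riskAssessment was stripped with the fields parameter at the end rather than silently ranking them as zero risk. SAMPLE_PAGE is constructed; the display IDs and management zone name are placeholders and no real CVE identifiers are used.

```python
"""Added example (not Dynatrace code): rank a SecurityProblemList page into a
triage queue. SAMPLE_PAGE is constructed to the documented shape; display IDs
and the management zone are placeholders."""
import json
from typing import Dict, List, Optional, Tuple

SAMPLE_PAGE: Dict = json.loads("""
{
  "totalCount": 6, "pageSize": 100, "nextPageKey": null,
  "securityProblems": [
    {"securityProblemId": "1", "displayId": "S-1001", "status": "OPEN", "muted": false,
     "riskAssessment": {"riskScore": 9.8, "baseRiskScore": 9.8, "exposed": true,
                        "sensitiveDataAffected": true, "publicExploitAvailable": true},
     "managementZones": [{"id": "-1", "name": "placeholder-zone"}], "cveIds": []},
    {"securityProblemId": "2", "displayId": "S-1002", "status": "OPEN", "muted": false,
     "riskAssessment": {"riskScore": 5.4, "baseRiskScore": 9.8, "exposed": false,
                        "sensitiveDataAffected": false, "publicExploitAvailable": true},
     "managementZones": [], "cveIds": []},
    {"securityProblemId": "3", "displayId": "S-1003", "status": "OPEN", "muted": false,
     "riskAssessment": {"riskScore": 7.9, "baseRiskScore": 5.3, "exposed": true,
                        "sensitiveDataAffected": true, "publicExploitAvailable": false},
     "managementZones": [], "cveIds": []},
    {"securityProblemId": "4", "displayId": "S-1004", "status": "OPEN", "muted": true,
     "riskAssessment": {"riskScore": 9.1, "baseRiskScore": 9.1, "exposed": true,
                        "sensitiveDataAffected": false, "publicExploitAvailable": true},
     "managementZones": [], "cveIds": []},
    {"securityProblemId": "5", "displayId": "S-1005", "status": "RESOLVED", "muted": false,
     "riskAssessment": {"riskScore": 8.0, "baseRiskScore": 8.0, "exposed": true,
                        "sensitiveDataAffected": true, "publicExploitAvailable": true},
     "managementZones": [], "cveIds": []},
    {"securityProblemId": "6", "displayId": "S-1006", "status": "OPEN", "muted": false,
     "managementZones": [], "cveIds": []}
  ]
}
""")


def page_is_complete(page: Dict) -> bool:
    """True when this page is the whole result: last page and every entry present."""
    return page.get("nextPageKey") is None and \
        page.get("totalCount") == len(page.get("securityProblems", []))


def is_actionable(problem: Dict) -> bool:
    """Muted problems are deliberately parked; only OPEN ones need work."""
    return problem.get("status") == "OPEN" and not problem.get("muted", False)


def priority_key(problem: Dict) -> Tuple[int, float]:
    """(urgent, riskScore): urgent when a public exploit exists for an
    internet-exposed entity; the Davis score orders everything else."""
    ra = problem.get("riskAssessment") or {}
    urgent = bool(ra.get("publicExploitAvailable")) and bool(ra.get("exposed"))
    return (1 if urgent else 0, float(ra.get("riskScore", 0.0)))


def davis_adjustment(problem: Dict) -> Optional[float]:
    """riskScore minus baseRiskScore: negative means environment context
    lowered the CVSS base priority, positive means it raised it."""
    ra = problem.get("riskAssessment")
    if not ra or "riskScore" not in ra or "baseRiskScore" not in ra:
        return None
    return round(float(ra["riskScore"]) - float(ra["baseRiskScore"]), 1)


def build_queue(page: Dict) -> List[Tuple[str, str]]:
    """Ordered (displayId, reason) work list for one page."""
    ranked: List[Tuple[int, float, str, str]] = []
    unscored: List[Tuple[str, str]] = []
    for p in page.get("securityProblems", []):
        if not is_actionable(p):
            continue
        ra = p.get("riskAssessment")
        if ra is None:   # removed via fields=-riskAssessment, or not yet assessed
            unscored.append((p["displayId"],
                             "no riskAssessment in payload; re-query without -riskAssessment"))
            continue
        urgent, score = priority_key(p)
        flags = [label for label, key in (("public exploit", "publicExploitAvailable"),
                                          ("internet-exposed", "exposed"),
                                          ("sensitive data", "sensitiveDataAffected"))
                 if ra.get(key)]
        reason = f"Davis score {score:.1f}; " + (", ".join(flags) or "no exposure flags")
        adj = davis_adjustment(p)
        if adj:
            reason += f"; Davis moved CVSS base by {adj:+.1f}"
        ranked.append((urgent, score, p["displayId"], reason))
    ranked.sort(key=lambda r: (r[0], r[1]), reverse=True)
    return [(d, r) for _, _, d, r in ranked] + unscored


if __name__ == "__main__":
    print("complete page:", page_is_complete(SAMPLE_PAGE))
    for display_id, reason in build_queue(SAMPLE_PAGE):
        print(display_id, "-", reason)
```

The ordering puts S-1003 (no public exploit, but exposed and touching sensitive data, Davis 7.9) ahead of S-1002 (public exploit, but Davis lowered the 9.8 CVSS base to 5.4 for an unexposed entity); trusting the Davis score over the raw CVSS base is the point of the riskScore/baseRiskScore split, and the reason string shows the adjustment so a reviewer can disagree with it.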