Security-monitoring rules

Security-monitoring rules allow you to set up fine-grained monitoring rules for processes, based on properties such as process tag, host tag, and management zone.

Define custom security-monitoring rules

You can define custom security-monitoring rules through the Dynatrace web UI or the Settings API.

In DynatraceVia Settings API

To add a new rule
1. In the Dynatrace menu, go to Settings > Application Security > Security-monitoring rules.
2. Select Add new rule to add a new rule.
3. Enter the requested information (mode, property, condition operator, and condition value).
4. Select Save changes to save your configuration.
To modify an existing rule
1. In the Dynatrace menu, go to Settings > Application Security > Security-monitoring rules.
2. Select the rule you want to modify.
3. Enter your changes.
4. Select Save changes to save your configuration.
To delete an existing rule
1. In the Dynatrace menu, go to Settings > Application Security > Security-monitoring rules.
2. Select the rule you want to delete.
3. Select Delete.
4. Select Save changes to save your configuration.

You can read or modify the rules using the Settings API.

To view a monitoring rule, use the GET an object request. Set the following parameters:

schemaIds=builtin:appsec.rule-settings
scopes=tenant

Example JSON response

JSON
{
  "items": [
    {
      "objectId": "vu9U3hXa3q0AAAABABxidWlsdGluOmFwcHNlYy5ydWxlLXNldHRpbmdzAAZ0ZW5hbnQABnRlbmFudAAkYTc4NjY0NGItZmVjNC0zNzliLWI0MWItNThmYzgzOWZmYWY5vu9U3hXa3q0",
      "value": {
        "enabled": true,
        "mode": "MONITORING_OFF",
        "property": "PROCESS_TAG",
        "operator": "EQUALS",
        "value": "super secret process"
      }
    },
    {
      "objectId": "vu9U3hXa3q0AAAABABxidWlsdGluOmFwcHNlYy5ydWxlLXNldHRpbmdzAAZ0ZW5hbnQABnRlbmFudAAkNDhkZGYxNDMtYzc2Mi0zYzIwLWI1ODAtNTNhODEwOGZlMDBivu9U3hXa3q0",
      "value": {
        "enabled": true,
        "mode": "MONITORING_ON",
        "property": "HOST_TAG",
        "operator": "NOT_EQUALS",
        "value": "Test"
      }
    },
    {
      "objectId": "vu9U3hXa3q0AAAABABxidWlsdGluOmFwcHNlYy5ydWxlLXNldHRpbmdzAAZ0ZW5hbnQABnRlbmFudAAkNmY1NjZkNmItYWMyNy0zOTg2LWE1OGItNTU2ZTI1NTE5NTcyvu9U3hXa3q0",
      "value": {
        "enabled": false,
        "mode": "MONITORING_ON",
        "property": "MANAGEMENT_ZONE",
        "operator": "EQUALS",
        "value": "Monitorme"
      }
    }
  ],
  "totalCount": 3,
  "pageSize": 100
}

To modify a monitoring rule, use the POST an object request.

Example JSON body

JSON
[
  {
      "value": {
        "enabled": true,
        "mode": "MONITORING_ON",
        "property": "HOST_TAG",
        "operator": "EQUALS",
        "value": "REST"
      },
    "scope": "tenant",
    "schemaId": "builtin:appsec.rule-settings"
  },
    {
      "value": {
        "enabled": true,
        "mode": "MONITORING_OFF",
        "property": "PROCESS_TAG",
        "operator": "NOT_EQUALS",
        "value": "Test-Process"
      },
    "scope": "tenant",
    "schemaId": "builtin:appsec.rule-settings"
  }
]

Notes:

Each rule must be unique.
The rules are processed in order until the first match.
You can delete, modify, or reorder the rules.
It can take up to 15 minutes for changes to take effect throughout the system.
For Kubernetes environments, tags must be added both on the host and on the Kubernetes node.

FAQ

What happens if I change the order of the rules?
- The first matching rule will apply.
What happens if a Do not monitor rule that applies gets added?
- New security problems for the processes that match the rule won't be created.
- Existing security problems that only relate to matching processes are resolved.
What happens if a Do not monitor rule is deleted or doesn't apply anymore?
- New security problems for the processes that match the rule will be created.
- Related resolved security problems are reopened.

Limitations

It's currently not possible to define custom monitoring rules based on process tag property for Kubernetes environments.