Data structure
Latest Dynatrace
Early Adopter
The Dynatrace semantic dictionary defines conventions for storing data in a normalized manner, regardless of the origin of the data. This is important for creating stable and robust applications and automations.
Security events are a special type of data representing various events generated by Dynatrace.
In the events data store, security events are stored in a dedicated bucket (`default_security_events`) and come as an additional event kind (`event.kind=="SECURITY_EVENT"`) for better access control, data separation, and data retention period control.
Schematics
Data categories
The following is a schematic representation of the different data categories that can be ingested and stored in Grail for later analysis and reporting use cases. The common fields of the schema allow dashboards, notebooks, and other apps to access and process the data uniformly.
- Common fields differ between the data categories.
- There are optional vendor-specific fields and Dynatrace-enriched fields.
Logical sections of security events schema
The following shows the logical sections of the security events schema.
Security event types
The following shows different types of security events, with a focus on vulnerability management.
Security event groups
All security events can be categorized into two basic groups (`event.group_label`): change events and state reports.
Change events
Change events (`CHANGE_EVENT`) are changes that occur to vulnerabilities or their affected entities.
In the example below, note the `event.status_transition` and `change_list` fields containing the context of the change.
State reports
State reports (`STATE_REPORT`) represent the full historical state (of a vulnerability, for example) and are reported periodically over time.
In the example below, note the environmental context and related fields, including the information about the directly affected entities and the wider impact on the related entities of the environment.
Security event types
The vulnerability management category includes the following event types (`event.type`):
- `VULNERABILITY_STATE_REPORT_EVENT`: Historical vulnerability states reported periodically.
- `VULNERABILITY_COVERAGE_REPORT_EVENT`: Historical coverage events reported periodically.
- `VULNERABILITY_STATUS_CHANGE_EVENT`: Vulnerability status changes reported on change. These include resolution and mute statuses.
- `VULNERABILITY_ASSESSMENT_CHANGE_EVENT`: Vulnerability assessment changes reported on change. These include the Davis Security Score and Davis assessments.
- `VULNERABILITY_IMPACT_CHANGE_EVENT`: Vulnerability environmental impact changes reported on change. These include changes in the counts of affected/related entities.
Security event levels
Vulnerability-related events can be reported on two different levels (`event.level`):
- `VULNERABILITY`: The vulnerability on the global level, including, for example, general information, global statuses, and changes. The unique identifier is `vulnerability.id` or `vulnerability.display_id`.
- `ENTITY`: The vulnerable entity with vulnerability-related information scoped to the entity. The unique identifier is a tuple of (`affected_entity.id`, `vulnerability.id`).
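The following added example (not Dynatrace code) shows how a consumer would apply the conventions above: it filters by `event.kind`, derives the unique identifier from `event.level`, keeps the newest `STATE_REPORT` per identifier, and collects `CHANGE_EVENT`s in time order. It assumes events arrive as flat dicts keyed by the dotted field names on this page plus a `timestamp` field in ISO-8601 UTC; all ids, timestamps, and the non-security record are constructed.

```python
from collections import defaultdict

def sec(group, etype, level, ts, fields):
    """Build a constructed SECURITY_EVENT record using the page's field names."""
    rec = {"event.kind": "SECURITY_EVENT", "event.group_label": group,
           "event.type": etype, "event.level": level, "timestamp": ts}
    return {**rec, **fields}

V = {"vulnerability.id": "VULN-1", "vulnerability.display_id": "S-1"}  # constructed ids
E = {"vulnerability.id": "VULN-1", "affected_entity.id": "PGI-A"}      # constructed ids
SAMPLE_EVENTS = [  # constructed data; timestamps and the OTHER_KIND record are made up
    sec("STATE_REPORT", "VULNERABILITY_STATE_REPORT_EVENT", "VULNERABILITY", "2024-05-01T00:00:00Z", V),
    sec("STATE_REPORT", "VULNERABILITY_STATE_REPORT_EVENT", "VULNERABILITY", "2024-05-02T00:00:00Z", V),
    sec("STATE_REPORT", "VULNERABILITY_STATE_REPORT_EVENT", "ENTITY", "2024-05-01T00:00:00Z", E),
    sec("CHANGE_EVENT", "VULNERABILITY_STATUS_CHANGE_EVENT", "VULNERABILITY", "2024-05-03T00:00:00Z", V),
    {"event.kind": "OTHER_KIND", "timestamp": "2024-05-03T00:00:00Z"},  # not a security event
]

def event_key(ev):
    """Identity of what an event describes, chosen by event.level as the page defines."""
    level = ev["event.level"]
    if level == "VULNERABILITY":      # global vulnerability: vulnerability.id alone
        return ev["vulnerability.id"]
    if level == "ENTITY":             # entity-scoped: (affected_entity.id, vulnerability.id)
        return (ev["affected_entity.id"], ev["vulnerability.id"])
    raise ValueError(f"unknown event.level: {level!r}")

def latest_state_reports(events):
    """Newest STATE_REPORT per key; a periodic full-state report supersedes older ones.
    Timestamps are compared as ISO-8601 UTC strings (an assumption of this example)."""
    latest = {}
    for ev in events:
        if ev.get("event.kind") != "SECURITY_EVENT" or ev["event.group_label"] != "STATE_REPORT":
            continue
        key = event_key(ev)
        if key not in latest or ev["timestamp"] > latest[key]["timestamp"]:
            latest[key] = ev
    return latest

def change_history(events):
    """event.type of every CHANGE_EVENT per key, in time order (each carries its own context)."""
    history = defaultdict(list)
    secs = [ev for ev in events if ev.get("event.kind") == "SECURITY_EVENT"]
    for ev in sorted(secs, key=lambda e: e["timestamp"]):
        if ev["event.group_label"] == "CHANGE_EVENT":
            history[event_key(ev)].append(ev["event.type"])
    return dict(history)
```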