Dynatrace semantic dictionary
Latest Dynatrace
Early Adopter
The Dynatrace semantic dictionary defines conventions for storing data in a normalized manner, regardless of the origin of the data. See below for a list of conventions defined for security events, which are a special type of data coming from either internal or external data sources. For more information, see Data structure.
Entity state events
Entity state events record the historical vulnerability state at the entity level.
The current vulnerability state per entity is exported to Grail regularly.
```
fetch events
| filter event.kind == "SECURITY_EVENT"
| filter event.category == "VULNERABILITY_MANAGEMENT"
| filter event.type == "VULNERABILITY_STATE_REPORT_EVENT"
| filter event.level == "ENTITY"
```
Entity state: Event data
This section contains general event information.
Attribute | Type | Description | Examples | Requirement Level |
---|---|---|---|---|
event.category | string | Categorization based on the product and data generating this event. | VULNERABILITY_MANAGEMENT | Recommended |
event.description | string | The human-readable description text of an event. | S-49 Remote Code Execution state event reported | Recommended |
event.group_label | string | Group label of an event. | STATE_REPORT | Recommended |
event.kind | string | Gives high-level information about the kind of information the event contains, without being specific about the contents of the event. Helps to determine the record type of a raw event. Tags: permission | SECURITY_EVENT | Recommended |
event.level | string | Main reference point to which the event or data is related. Possible values are Vulnerability (shows the global aggregation across the entire environment and comprises all entities and management zones) and Entity (shows the assessment based on the entity itself). | ENTITY | Recommended |
event.name | string | The human-readable display name of an event type. | Vulnerability historical state report event | Recommended |
event.provider | string | Source of the event (for example, the name of the component or system that generated the event). Tags: permission | OneAgent ; K8S ; Davis ; VMWare ; GCP ; AWS ; LIMA_USAGE_STREAM | Recommended |
event.provider_product | string | Name of the product providing this event. | Runtime Vulnerability Analytics ; Snyk Container | Recommended |
event.status | string | Status of an event as being either Active or Closed. | OPEN ; RESOLVED ; MUTED | Recommended |
event.type | string | The unique type identifier of a given event. Tags: permission | VULNERABILITY_STATE_REPORT_EVENT | Recommended |
timestamp | timestamp | The time (UNIX Epoch time in nanoseconds) when the event originated, typically when it was created by the source. If no original timestamp is available, it is populated at ingest time. Required for all events. In case of a correlated event (for example, ITIL events), this time could be different from the event.start time, as this time represents the actual timestamp when the "update" for the event was created. | 1649822520123123123 | Recommended |
Entity state: Vulnerability data
This section contains information about the vulnerability and its global parent, with a focus on the affected entities.
Attribute | Type | Description | Examples | Requirement Level | |
---|---|---|---|---|---|
vulnerability.cvss.base_score | double | Vulnerability's CVSS base score provided by NVD. | 8.1 | Recommended | |
vulnerability.cvss.version | string | Vulnerability's CVSS score version. | 3.1 | Recommended | |
vulnerability.davis_assessment.assessment_mode | string | Availability of the information based on which the vulnerability assessment has been done. | FULL ; NOT_AVAILABLE ; REDUCED | Recommended | |
vulnerability.davis_assessment.data_assets_status | string | Vulnerability's reachability of related data assets by affected entities. | NOT_AVAILABLE ; NOT_DETECTED ; REACHABLE | Recommended | |
vulnerability.davis_assessment.exploit_status | string | Vulnerability's public exploits status. | AVAILABLE ; NOT_AVAILABLE | Recommended | |
vulnerability.davis_assessment.exposure_status | string | Vulnerability's internet exposure status. | NOT_AVAILABLE ; NOT_DETECTED ; PUBLIC_NETWORK | Recommended | |
vulnerability.davis_assessment.level | string | Vulnerability's risk level based on Davis Security Score. | LOW ; MEDIUM ; HIGH ; CRITICAL | Recommended | |
vulnerability.davis_assessment.score | double | Vulnerability's Davis Security Score (1-10) calculated by Dynatrace. | 8.1 | Recommended | |
vulnerability.davis_assessment.vulnerable_function_status | string | Usage status of the vulnerable functions causing the vulnerability. | IN_USE ; NOT_AVAILABLE ; NOT_IN_USE | Recommended | |
vulnerability.description | string | Description of the vulnerability. | More detailed description about improper input validation vulnerability. | Recommended | |
vulnerability.display_id | string | Dynatrace user-readable identifier for the vulnerability. | S-1234 | Recommended | |
vulnerability.external_id | string | External provider's unique identifier for the vulnerability. | SNYK-JAVA-ORGAPACHEHTTPCOMPONENTS-30646 | Recommended | |
vulnerability.external_url | string | External provider's URL to the details page of the vulnerability. | https://example.com | Recommended | |
vulnerability.first_seen | timestamp | Timestamp of when the vulnerability was first detected. | 2023-03-22T13:19:36.945Z | Recommended | |
vulnerability.id | string | Dynatrace unique identifier for the vulnerability. | 2039861408676243188 | Recommended | |
vulnerability.mute.change_date | timestamp | Timestamp of the vulnerability's last muted or unmuted action. | 2023-03-22T13:19:36.945Z | Recommended | |
vulnerability.mute.reason | string | Reason for muting or unmuting the vulnerability. | Muted: False positive | Recommended | |
vulnerability.mute.status | string | Vulnerability's mute status. | MUTED ; NOT_MUTED | Recommended | |
vulnerability.mute.user | string | User who last changed the vulnerability's mute status. | user@example.com | Recommended | |
vulnerability.parent.davis_assessment.assessment_mode | string | Availability of the information based on which the parent vulnerability assessment has been done. | FULL ; NOT_AVAILABLE ; REDUCED | Recommended | |
vulnerability.parent.davis_assessment.data_assets_status | string | Parent vulnerability's reachability of related data assets by affected entities. | NOT_AVAILABLE ; NOT_DETECTED ; REACHABLE | Recommended | |
vulnerability.parent.davis_assessment.exposure_status | string | Parent vulnerability's internet exposure status. | NOT_AVAILABLE ; NOT_DETECTED ; PUBLIC_NETWORK | Recommended | |
vulnerability.parent.davis_assessment.level | string | Parent vulnerability's Davis Security Score level. | LOW ; MEDIUM ; HIGH ; CRITICAL | Recommended | |
vulnerability.parent.davis_assessment.score | double | Parent vulnerability's Davis Security Score (1-10) calculated by Dynatrace. | 8.1 | Recommended | |
vulnerability.parent.davis_assessment.vulnerable_function_status | string | Usage status of vulnerable functions causing the parent vulnerability. Status is IN_USE when there's at least one vulnerable function in use by an application. | IN_USE ; NOT_AVAILABLE ; NOT_IN_USE | Recommended | |
vulnerability.parent.first_seen | string | Timestamp of when the parent vulnerability was first detected. | 2023-03-22T13:19:36.945Z | Recommended | |
vulnerability.parent.mute.change_date | timestamp | Timestamp of the last mute or unmute action of the parent vulnerability. | 2023-03-22T13:19:36.945Z | Recommended | |
vulnerability.parent.mute.reason | string | The reason for muting or unmuting the parent vulnerability. | Muted: False positive | Recommended | |
vulnerability.parent.mute.status | string | Parent vulnerability's mute status. | MUTED ; NOT_MUTED | Recommended | |
vulnerability.parent.mute.user | string | User who last changed the parent vulnerability's mute status. | user@example.com | Recommended | |
vulnerability.parent.resolution.change_date | string | Timestamp of the parent vulnerability's last status change. | 2023-03-22T13:19:37.466Z | Recommended | |
vulnerability.parent.resolution.status | string | Current status of the parent vulnerability. | OPEN ; RESOLVED | Recommended | |
vulnerability.parent.risk.level | string | Parent vulnerability's risk score level defined by the provider. For Dynatrace, the Davis Security Score level. | LOW ; MEDIUM ; HIGH ; CRITICAL | Recommended | |
vulnerability.parent.risk.score | double | Parent vulnerability's risk score defined by the provider. For Dynatrace, the Davis Security Score. | 8.1 | Recommended | |
vulnerability.references.cve | string[] | List of the vulnerability's CVE IDs. | [CVE-2021-41079] | Recommended | |
vulnerability.references.cwe | string[] | List of the vulnerability's CWE IDs. | [CWE-20] | Recommended | |
vulnerability.references.owasp | string[] | List of vulnerability's OWASP IDs. | [2021:A3] | Recommended | |
vulnerability.resolution.change_date | timestamp | Timestamp of the vulnerability's last status change. | 2023-03-22T13:19:37.466Z | Recommended | |
vulnerability.resolution.status | string | Vulnerability's resolution status. | OPEN ; RESOLVED | Recommended | |
vulnerability.risk.level | string | Vulnerability's risk score level defined by the provider. For Dynatrace, the Davis Security Score level. | LOW ; MEDIUM ; HIGH ; CRITICAL | Recommended | |
vulnerability.risk.scale | string | Scale by which the vulnerability's risk score and risk score level defined by the provider are measured. | Dynatrace security score | Recommended | |
vulnerability.risk.score | double | Vulnerability's risk score defined by the provider. For Dynatrace, the Davis Security Score. | 8.1 | Recommended | |
vulnerability.stack | string | Level of the vulnerable component in the technological stack. | CODE ; CODE_LIBRARY ; SOFTWARE ; CONTAINER_ORCHESTRATION | Recommended | |
vulnerability.technology | string | Technology of the vulnerable component. | JAVA ; DOT_NET ; GO ; PHP ; NODE_JS ; KUBERNETES | Recommended | |
vulnerability.title | string | Title of the vulnerability. | Improper Input Validation | Recommended | |
vulnerability.type | string | Classification of the vulnerability based on commonly accepted enums, such as CWE. | Improper Input Validation | Recommended | |
vulnerability.url | string | Dynatrace URL to the details page of the vulnerability. | https://example.com | Recommended |
Entity state: Environmental data
This section contains information about the vulnerability's affected and related entities.
Affected entities
Attribute | Type | Description | Examples | Requirement Level |
---|---|---|---|---|
affected_entity.affected_processes.ids | array | IDs of the processes that are currently affected by the vulnerability. | PROCESS_GROUP_INSTANCE-1 | Recommended |
affected_entity.affected_processes.names | array | Names of the processes that are currently affected by the vulnerability. | PROCESS_GROUP_INSTANCE-1 | Recommended |
affected_entity.id | string | ID of the affected entity. | PROCESS_GROUP-1 ; HOST-1 | Recommended |
affected_entity.management_zones.ids | array | IDs of the management zones to which the affected entity belongs. | mzid1 | Recommended |
affected_entity.management_zones.names | array | Names of the management zones to which the affected entity belongs. | mz1 | Recommended |
affected_entity.monitored_processes.count | long | Number of affected processes. | 100 | Recommended |
affected_entity.type | string | Type of affected entity. | PROCESS_GROUP ; HOST | Recommended |
affected_entity.vulnerable_component.id | string | ID of the vulnerable component causing the vulnerability. | SOFTWARE_COMPONENT-D8FCFFB4FDF7A3FF | Recommended |
affected_entity.vulnerable_component.name | string | Name of the vulnerable component causing the vulnerability. | log4j-core-2.6.2.jar | Recommended |
affected_entity.vulnerable_component.short_name | string | Short name of the vulnerable component causing the vulnerability. | log4j | Recommended |
affected_entity.vulnerable_functions | array | List of vulnerable functions detected to contain the vulnerability within the library. | org.springframework.beans.CachedIntrospectionResults:init | Recommended |
Related entities
Attribute | Type | Description | Examples | Requirement Level |
---|---|---|---|---|
related_entities.applications.count | long | Number of related applications. | 1 | Recommended |
related_entities.applications.ids | array | IDs of the applications related to the vulnerability's affected entities. | APPLICATION-1 | Recommended |
related_entities.databases.count | long | Number of related databases. | 1 | Recommended |
related_entities.databases.ids | array | IDs of the databases related to the vulnerability's affected entities. | DATABASE-1 | Recommended |
related_entities.hosts.count | long | Number of related hosts. | 1 | Recommended |
related_entities.hosts.ids | array | IDs of the hosts related to the vulnerability's affected entities. | HOST-1 | Recommended |
related_entities.kubernetes_clusters.count | long | Number of related Kubernetes clusters. | 1 | Recommended |
related_entities.kubernetes_clusters.ids | array | IDs of the Kubernetes clusters related to the vulnerability's affected entities. | KUBERNETES_CLUSTER-1 | Recommended |
related_entities.kubernetes_workloads.count | long | Number of related Kubernetes workloads. | 1 | Recommended |
related_entities.kubernetes_workloads.ids | array | IDs of the Kubernetes workloads related to the vulnerability's affected entities. | KUBERNETES_WORKLOAD-1 | Recommended |
related_entities.services.count | long | Number of related services. | 1 | Recommended |
related_entities.services.ids | array | IDs of the services related to the vulnerability's affected entities. | SERVICE-1 | Recommended |
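
Because entity state events are snapshots exported regularly, a consumer has to reduce them to the newest report per vulnerability and entity before counting or triaging. The following is an added example, not Dynatrace code: it assumes events exported as flat records keyed by the attribute names above with `timestamp` as integer nanoseconds; the helper names, the sample records and the triage ordering are this example's own.

```python
from __future__ import annotations

from typing import Iterable

STATE_REPORT = "VULNERABILITY_STATE_REPORT_EVENT"
DAVIS = "vulnerability.davis_assessment."


def latest_snapshots(events: Iterable[dict]) -> list[dict]:
    """Keep the newest entity-level state report per (vulnerability, entity)."""
    newest: dict[tuple, dict] = {}
    for ev in events:
        if ev.get("event.type") != STATE_REPORT or ev.get("event.level") != "ENTITY":
            continue
        key = (ev.get("vulnerability.id"), ev.get("affected_entity.id"))
        if None in key:
            continue  # attributes are only "Recommended", so tolerate gaps
        ts = int(ev.get("timestamp") or 0)
        if key not in newest or ts > int(newest[key].get("timestamp") or 0):
            newest[key] = ev
    return list(newest.values())


def is_actionable(ev: dict) -> bool:
    """Open, and muted neither on the entity nor on the parent vulnerability."""
    return (
        ev.get("vulnerability.resolution.status") == "OPEN"
        and ev.get("vulnerability.mute.status") != "MUTED"
        and ev.get("vulnerability.parent.mute.status") != "MUTED"
    )


def triage_key(ev: dict) -> tuple:
    """Ordering chosen for this example: exposure, exploit, function use, score."""
    return (
        ev.get(DAVIS + "exposure_status") == "PUBLIC_NETWORK",
        ev.get(DAVIS + "exploit_status") == "AVAILABLE",
        ev.get(DAVIS + "vulnerable_function_status") == "IN_USE",
        float(ev.get("vulnerability.risk.score") or 0.0),
    )


def current_findings(events: Iterable[dict]) -> list[dict]:
    """Latest snapshots that still need attention, most urgent first."""
    open_now = [ev for ev in latest_snapshots(events) if is_actionable(ev)]
    return sorted(open_now, key=triage_key, reverse=True)


# ---- constructed sample data (not real events) ----
T0 = 1649822520000000000  # nanoseconds since the UNIX epoch


def _report(vuln: str, entity: str | None, minutes: int, extra: dict) -> dict:
    """Build one constructed state report; 'extra' overrides the defaults."""
    record = {
        "event.kind": "SECURITY_EVENT",
        "event.type": STATE_REPORT,
        "event.level": "ENTITY",
        "timestamp": T0 + minutes * 60 * 10**9,
        "vulnerability.id": vuln,
        "affected_entity.id": entity,
        "vulnerability.resolution.status": "OPEN",
        "vulnerability.mute.status": "NOT_MUTED",
        "vulnerability.parent.mute.status": "NOT_MUTED",
    }
    record.update(extra)
    return record


SAMPLE_EVENTS = [
    # Older snapshot says OPEN ...
    _report("1001", "PROCESS_GROUP-1", 0, {
        DAVIS + "exposure_status": "PUBLIC_NETWORK",
        DAVIS + "exploit_status": "AVAILABLE",
        "vulnerability.risk.score": 9.1}),
    # ... but the newer snapshot for the same pair says RESOLVED.
    _report("1001", "PROCESS_GROUP-1", 15, {
        "vulnerability.resolution.status": "RESOLVED"}),
    _report("1001", "PROCESS_GROUP-2", 15, {
        DAVIS + "exploit_status": "AVAILABLE",
        "vulnerability.risk.score": 9.1}),
    # Entity itself is not muted, but the parent vulnerability is.
    _report("1002", "HOST-1", 15, {
        "vulnerability.parent.mute.status": "MUTED",
        "vulnerability.risk.score": 8.1}),
    _report("1003", "PROCESS_GROUP-1", 10, {
        DAVIS + "exposure_status": "PUBLIC_NETWORK",
        "vulnerability.risk.score": 7.5}),
    # Vulnerability-level report: a different record type, ignored here.
    _report("1003", None, 15, {"event.level": "VULNERABILITY"}),
]

if __name__ == "__main__":
    for ev in current_findings(SAMPLE_EVENTS):
        print(ev["vulnerability.id"], ev["affected_entity.id"], triage_key(ev))
```

Counting every state report instead of the latest one per pair would list vulnerability 1001 on PROCESS_GROUP-1 as open even though its newest snapshot is RESOLVED.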
Vulnerability state events
Vulnerability state events record the overall historical vulnerability state at the vulnerability level.
The current vulnerability state is exported to Grail regularly.
```
fetch events
| filter event.kind == "SECURITY_EVENT"
| filter event.category == "VULNERABILITY_MANAGEMENT"
| filter event.type == "VULNERABILITY_STATE_REPORT_EVENT"
| filter event.level == "VULNERABILITY"
```
Vulnerability state: Event data
This section contains general event information.
Attribute | Type | Description | Examples | Requirement Level |
---|---|---|---|---|
event.category | string | Categorization based on the product and data generating this event. | VULNERABILITY_MANAGEMENT | Recommended |
event.description | string | The human-readable description text of an event. | S-49 Remote Code Execution state event reported | Recommended |
event.group_label | string | Group label of an event. | STATE_REPORT | Recommended |
event.kind | string | Gives high-level information about what kind of information the event contains, without being specific about the contents of the event. Helps to determine the record type of a raw event. Tags: permission | SECURITY_EVENT | Recommended |
event.level | string | Main reference point to which the event or data is related. Possible values are Vulnerability (shows the global aggregation across the entire environment and comprises all entities and management zones) and Entity (shows the assessment based on the entity itself). | VULNERABILITY | Recommended |
event.name | string | The human-readable display name of an event type. | Vulnerability historical state report event | Recommended |
event.provider | string | Source of the event, for example the name of the component or system that generated the event. Tags: permission | Dynatrace ; Snyk | Recommended |
event.provider_product | string | Name of the product providing this event. | Runtime Vulnerability Analytics ; Snyk Container | Recommended |
event.status | string | Status of an event as being either Active or Closed. | OPEN ; RESOLVED ; MUTED | Recommended |
event.type | string | The unique type identifier of a given event. Tags: permission | VULNERABILITY_STATE_REPORT_EVENT | Recommended |
timestamp | timestamp | The time (UNIX Epoch time in nanoseconds) when the event originated, typically when it was created by the source. If no original timestamp is available, it will be populated at ingest time. Required for all events. In case of a correlated event (for example, ITIL events) this time could be different from the event.start time, as this time represents the actual timestamp when the "update" for the event was created. | 1649822520123123123 | Recommended |
Vulnerability state: Vulnerability data
This section contains information about the vulnerability.
Attribute | Type | Description | Examples | Requirement Level | |
---|---|---|---|---|---|
vulnerability.cvss.base_score | double | Vulnerability's CVSS base score provided by NVD. | 8.1 | Recommended | |
vulnerability.cvss.version | string | Vulnerability's CVSS score version. | 3.1 | Recommended | |
vulnerability.davis_assessment.assessment_mode | string | Availability of the information based on which the vulnerability assessment has been done. | FULL ; NOT_AVAILABLE ; REDUCED | Recommended | |
vulnerability.davis_assessment.data_assets_status | string | Vulnerability's reachability of related data assets by affected entities. | NOT_AVAILABLE ; NOT_DETECTED ; REACHABLE | Recommended | |
vulnerability.davis_assessment.exploit_status | string | Vulnerability's public exploits status. | AVAILABLE ; NOT_AVAILABLE | Recommended | |
vulnerability.davis_assessment.exposure_status | string | Vulnerability's internet exposure status. | NOT_AVAILABLE ; NOT_DETECTED ; PUBLIC_NETWORK | Recommended | |
vulnerability.davis_assessment.level | string | Vulnerability's risk level based on Davis Security Score. | LOW ; MEDIUM ; HIGH ; CRITICAL | Recommended | |
vulnerability.davis_assessment.score | double | Vulnerability's Davis Security Score (1-10) calculated by Dynatrace. | 8.1 | Recommended | |
vulnerability.davis_assessment.vulnerable_function_status | string | Usage status of the vulnerable functions causing the vulnerability. | IN_USE ; NOT_AVAILABLE ; NOT_IN_USE | Recommended | |
vulnerability.description | string | Description of the vulnerability. | More detailed description about improper input validation vulnerability. | Recommended | |
vulnerability.display_id | string | Dynatrace user-readable identifier for the vulnerability. | S-1234 | Recommended | |
vulnerability.external_id | string | External provider's unique identifier for the vulnerability. | SNYK-JAVA-ORGAPACHEHTTPCOMPONENTS-30646 | Recommended | |
vulnerability.external_url | string | External provider's URL to the details page of the vulnerability. | https://example.com | Recommended | |
vulnerability.first_seen | timestamp | Timestamp of when the vulnerability was first detected. | 2023-03-22T13:19:36.945Z | Recommended | |
vulnerability.id | string | Dynatrace unique identifier for the vulnerability. | 2039861408676243188 | Recommended | |
vulnerability.mute.change_date | timestamp | Timestamp of the vulnerability's last muted or unmuted action. | 2023-03-22T13:19:36.945Z | Recommended | |
vulnerability.mute.reason | string | Reason for muting or unmuting the vulnerability. | Muted: False positive | Recommended | |
vulnerability.mute.status | string | Vulnerability's mute status. | MUTED ; NOT_MUTED | Recommended | |
vulnerability.mute.user | string | User who last changed the vulnerability's mute status. | user@example.com | Recommended | |
vulnerability.references.cve | string[] | List of the vulnerability's CVE IDs. | [CVE-2021-41079] | Recommended | |
vulnerability.references.cwe | string[] | List of the vulnerability's CWE IDs. | [CWE-20] | Recommended | |
vulnerability.references.owasp | string[] | List of vulnerability's OWASP IDs. | [2021:A3] | Recommended | |
vulnerability.resolution.change_date | timestamp | Timestamp of the vulnerability's last status change. | 2023-03-22T13:19:37.466Z | Recommended | |
vulnerability.resolution.status | string | Vulnerability's resolution status. | OPEN ; RESOLVED | Recommended | |
vulnerability.risk.level | string | Vulnerability's risk score level defined by the provider. For Dynatrace, the Davis Security Score level. | LOW ; MEDIUM ; HIGH ; CRITICAL | Recommended | |
vulnerability.risk.scale | string | Scale by which the vulnerability's risk score and risk score level defined by the provider are measured. | Dynatrace security score | Recommended | |
vulnerability.risk.score | double | Vulnerability's risk score defined by the provider. For Dynatrace, the Davis Security Score. | 8.1 | Recommended | |
vulnerability.stack | string | Level of the vulnerable component in the technological stack. | CODE ; CODE_LIBRARY ; SOFTWARE ; CONTAINER_ORCHESTRATION | Recommended | |
vulnerability.technology | string | Technology of the vulnerable component. | JAVA ; DOT_NET ; GO ; PHP ; NODE_JS ; KUBERNETES | Recommended | |
vulnerability.title | string | Title of the vulnerability. | Improper Input Validation | Recommended | |
vulnerability.type | string | Classification of the vulnerability based on commonly accepted enums, such as CWE. | Improper Input Validation | Recommended | |
vulnerability.url | string | Dynatrace URL to the details page of the vulnerability. | https://example.com | Recommended |
Vulnerability state: Environmental data
This section contains information on the vulnerability's affected and related entities.
Affected entities
Attribute | Type | Description | Examples | Requirement Level | |
---|---|---|---|---|---|
affected_entities.affected_processes.count | long | Number of affected processes. | 50 | Recommended | |
affected_entities.count | long | Number of affected entities. | 1 | Recommended | |
affected_entities.hosts.count | long | Number of affected hosts. | 2 | Recommended | |
affected_entities.kubernetes_nodes.count | long | Number of affected nodes. | 2 | Recommended | |
affected_entities.management_zones.ids | array | IDs of the management zones to which the affected entities belong. | mzid1 | Recommended | |
affected_entities.management_zones.names | array | Names of the management zones to which the affected entities belong. | mz1 | Recommended | |
affected_entities.monitored_processes.count | long | Number of processes of the process group. | 100 | Recommended | |
affected_entities.process_groups.count | long | Number of affected process groups. | 2 | Recommended | |
affected_entities.types | array | Types of affected entities. | PROCESS_GROUP ; HOST | Recommended | |
affected_entities.vulnerable_components.ids | array | Dynatrace IDs of the vulnerable components causing the vulnerability. | SOFTWARE_COMPONENT-0000000000000001 ; SOFTWARE_COMPONENT-0000000000000002 ; SOFTWARE_COMPONENT-0000000000000003 | Recommended | |
affected_entities.vulnerable_components.names | array | Names of the vulnerable components causing the vulnerability. | com.fasterxml.jackson.core:jackson-databind:2.10.0 ; node-sass:4.14.1 | Recommended | |
affected_entities.vulnerable_functions | array | Vulnerable functions detected to contain the vulnerability within the library. | org.example.class.ApiImplementation:initMethod | Recommended |
Related entities
Attribute | Type | Description | Examples | Requirement Level |
---|---|---|---|---|
related_entities.applications.count | long | Number of related applications. | 1 | Recommended |
related_entities.databases.count | long | Number of related databases. | 1 | Recommended |
related_entities.hosts.count | long | Number of related hosts. | 1 | Recommended |
related_entities.kubernetes_clusters.count | long | Number of related Kubernetes clusters. | 1 | Recommended |
related_entities.kubernetes_workloads.count | long | Number of related Kubernetes workloads. | 1 | Recommended |
related_entities.services.count | long | Number of related services. | 1 | Recommended |
Vulnerability change events
Vulnerability change events are overall change events at the vulnerability level.
An event is generated whenever a vulnerability undergoes a status or assessment change.
```
fetch events
| filter event.kind == "SECURITY_EVENT"
| filter event.category == "VULNERABILITY_MANAGEMENT"
| filter event.type == "VULNERABILITY_STATUS_CHANGE_EVENT"
```

```
fetch events
| filter event.kind == "SECURITY_EVENT"
| filter event.category == "VULNERABILITY_MANAGEMENT"
| filter event.type == "VULNERABILITY_ASSESSMENT_CHANGE_EVENT"
```
Vulnerability change: Event data
This section contains general event information.
Attribute | Type | Description | Examples | Requirement Level |
---|---|---|---|---|
event.category | string | Standard categorization based on the significance of an event according to the ITIL event management standard (previously known as severity level). | VULNERABILITY_MANAGEMENT | Recommended |
event.description | string | The human-readable description text of an event. | S-49 Remote Code Execution status has changed to OPEN. ; S-49 Remote Code Execution assessment has changed. | Recommended |
event.group_label | string | Group label of an event. | CHANGE_EVENT | Recommended |
event.kind | string | High-level information about what kind of information the event contains, without being specific about the contents of the event. Helps to determine the record type of a raw event. Tags: permission | SECURITY_EVENT | Recommended |
event.level | string | Main reference point to which the event or data is related. Possible values are Vulnerability (shows the global aggregation across the entire environment and comprises all entities and management zones) and Entity (shows the assessment based on the entity itself). | VULNERABILITY | Recommended |
event.name | string | The human-readable display name of an event type. | Vulnerability status change event ; Vulnerability assessment change event | Recommended |
event.provider | string | Source of the event, for example the name of the component or system that generated the event. Tags: permission | Dynatrace | Recommended |
event.provider_product | string | Name of the product providing this event. | Runtime Vulnerability Analytics ; Snyk Container | Recommended |
event.status | string | Status of an event as being either Active or Closed. | OPEN ; RESOLVED ; MUTED | Recommended |
event.status_transition | string | An enum that shows the transition of the above event state. | NEW_OPEN ; REOPEN ; CLOSE ; MUTE ; UNMUTE | Recommended |
event.trigger.type | string | Type of event trigger (for example, whether it was generated by the system, ingested via API, or triggered by the user). | DT_PLATFORM ; USER_ACTION | Recommended |
event.trigger.user | string | ID of the user who triggered the event. If generated by Dynatrace, the value is SYSTEM. | SYSTEM ; <user_id> | Recommended |
event.type | string | The unique type identifier of a given event. Tags: permission | VULNERABILITY_STATUS_CHANGE_EVENT ; VULNERABILITY_ASSESSMENT_CHANGE_EVENT | Recommended |
timestamp | timestamp | The time (UNIX Epoch time in nanoseconds) when the event originated, typically when it was created by the source. If no original timestamp is available, it will be populated at ingest time. Required for all events. In case of a correlated event (for example, ITIL events) this time could be different from the event.start time, as this time represents the actual timestamp when the "update" for the event was created. | 1649822520123123123 | Recommended |
Vulnerability change: Vulnerability data
This section contains information about the vulnerability and its status and assessment changes.
Attribute | Type | Description | Examples | Requirement Level | |
---|---|---|---|---|---|
vulnerability.cvss.base_score | double | Vulnerability's CVSS base score provided by NVD. | 8.1 | Recommended | |
vulnerability.cvss.version | string | Vulnerability's CVSS score version. | 3.1 | Recommended | |
vulnerability.davis_assessment.assessment_mode | string | Availability of the information based on which the vulnerability assessment has been done. | FULL ; NOT_AVAILABLE ; REDUCED | Recommended | |
vulnerability.davis_assessment.data_assets_status | string | Vulnerability's reachability of related data assets by affected entities. | NOT_AVAILABLE ; NOT_DETECTED ; REACHABLE | Recommended | |
vulnerability.davis_assessment.exploit_status | string | Vulnerability's public exploits status. | AVAILABLE ; NOT_AVAILABLE | Recommended | |
vulnerability.davis_assessment.exposure_status | string | Vulnerability's internet exposure status. | NOT_AVAILABLE ; NOT_DETECTED ; PUBLIC_NETWORK | Recommended | |
vulnerability.davis_assessment.level | string | Vulnerability's risk level based on Davis Security Score. | LOW ; MEDIUM ; HIGH ; CRITICAL | Recommended | |
vulnerability.davis_assessment.score | double | Vulnerability's Davis Security Score (1-10) calculated by Dynatrace. | 8.1 | Recommended | |
vulnerability.davis_assessment.vulnerable_function_status | string | Usage status of the vulnerable functions causing the vulnerability. | IN_USE ; NOT_AVAILABLE ; NOT_IN_USE | Recommended | |
vulnerability.description | string | Description of the vulnerability. | More detailed description about improper input validation vulnerability. | Recommended | |
vulnerability.display_id | string | Dynatrace user-readable identifier for the vulnerability. | S-1234 | Recommended | |
vulnerability.event_change_list | array | List of vulnerability attributes updated as part of the change event. Values in the list match a previous field. | vulnerability.risk.score ; vulnerability.davis_assessment.score ; vulnerability.davis_assessment.data_assets_status ; vulnerability.davis_assessment.exploit_status ; vulnerability.davis_assessment.exposure_status | Recommended | |
vulnerability.external_id | string | External provider's unique identifier for the vulnerability. | SNYK-JAVA-ORGAPACHEHTTPCOMPONENTS-30646 | Recommended | |
vulnerability.external_url | string | External provider's URL to the details page of the vulnerability. | https://example.com | Recommended | |
vulnerability.first_seen | timestamp | Timestamp of when the vulnerability was first detected. | 2023-03-22T13:19:36.945Z | Recommended | |
vulnerability.id | string | Dynatrace unique identifier for the vulnerability. | 2039861408676243188 | Recommended | |
vulnerability.mute.change_date | timestamp | Timestamp of the vulnerability's last muted or unmuted action. | 2023-03-22T13:19:36.945Z | Recommended | |
vulnerability.mute.reason | string | Reason for muting or unmuting the vulnerability. | Muted: False positive | Recommended | |
vulnerability.mute.status | string | Vulnerability's mute status. | MUTED ; NOT_MUTED | Recommended | |
vulnerability.mute.user | string | User who last changed the vulnerability's mute status. | user@example.com | Recommended | |
vulnerability.previous.cvss.base | double | Vulnerability's previous CVSS base score (in case the CVSS base score has changed). | 8.1 | Recommended | |
vulnerability.previous.davis_assessment.data_assets_status | string | Vulnerability's previous reachability of related data assets by affected entities (in case the reachability has changed). | NOT_AVAILABLE ; NOT_DETECTED ; REACHABLE | Recommended | |
vulnerability.previous.davis_assessment.exploit_status | string | Vulnerability's previous public exploit status (in case the public exploit status has changed). | AVAILABLE ; NOT_AVAILABLE | Recommended | |
vulnerability.previous.davis_assessment.exposure_status | string | Vulnerability's previous internet exposure status (in case the internet exposure status has changed). | NOT_AVAILABLE ; NOT_DETECTED ; PUBLIC_NETWORK | Recommended | |
vulnerability.previous.davis_assessment.level | string | Vulnerability's previous risk level (in case the risk level has changed). | LOW ; MEDIUM ; HIGH ; CRITICAL | Recommended | |
vulnerability.previous.davis_assessment.score | double | Vulnerability's previous Davis Security Score (in case Davis Security Score has changed). | 8.1 | Recommended | |
vulnerability.previous.davis_assessment.vulnerable_function_status | string | Vulnerability's previous vulnerable function status (in case the vulnerable function status has changed). | IN_USE ; NOT_AVAILABLE ; NOT_IN_USE | Recommended | |
vulnerability.previous.mute.change_date | string | Timestamp of the vulnerability's previous mute status (in case the mute status has changed). | 2023-03-22T13:19:36.945Z | Recommended | |
vulnerability.previous.mute.reason | string | Reason for last muting or unmuting the vulnerability (in case the reason for muting or unmuting the vulnerability has changed). | Muted: False positive | Recommended | |
vulnerability.previous.mute.status | string | Vulnerability's previous mute status (in case the mute status has changed). | MUTED ; NOT_MUTED | Recommended | |
vulnerability.previous.mute.user | string | User who last changed the vulnerability's mute status (in case the mute status was last changed by a different user). | user@example.com | Recommended | |
vulnerability.previous.resolution.status | string | Vulnerability's previous resolution status (in case the resolution status has changed). | OPEN ; RESOLVED | Recommended | |
vulnerability.previous.risk.level | string | Vulnerability's previous risk score level (in case the risk score level has changed). | LOW ; MEDIUM ; HIGH ; CRITICAL | Recommended | |
vulnerability.previous.risk.score | double | Vulnerability's previous risk score (in case the risk score has changed). | 8.1 | Recommended | |
vulnerability.references.cve | string[] | List of the vulnerability's CVE IDs. | [CVE-2021-41079] | Recommended | |
vulnerability.references.cwe | string[] | List of the vulnerability's CWE IDs. | [CWE-20] | Recommended | |
vulnerability.references.owasp | string[] | List of the vulnerability's OWASP IDs. | [2021:A3] | Recommended | |
vulnerability.resolution.change_date | timestamp | Timestamp of the vulnerability's last status change. | 2023-03-22T13:19:37.466Z | Recommended | |
vulnerability.resolution.status | string | Vulnerability's resolution status. | OPEN ; RESOLVED | Recommended | |
vulnerability.risk.level | string | Vulnerability's risk score level defined by the provider. For Dynatrace, the Davis Security Score level. | LOW ; MEDIUM ; HIGH ; CRITICAL | Recommended | |
vulnerability.risk.scale | string | Scale by which the vulnerability's risk score and risk score level defined by the provider are measured. | Dynatrace security score | Recommended | |
vulnerability.risk.score | double | Vulnerability's risk score defined by the provider. For Dynatrace, the Davis Security Score. | 8.1 | Recommended | |
vulnerability.stack | string | Level of the vulnerable component in the technological stack. | CODE ; CODE_LIBRARY ; SOFTWARE ; CONTAINER_ORCHESTRATION | Recommended | |
vulnerability.technology | string | Technology of the vulnerable component. | JAVA ; DOT_NET ; GO ; PHP ; NODE_JS ; KUBERNETES | Recommended | |
vulnerability.title | string | Title of the vulnerability. | Improper Input Validation | Recommended | |
vulnerability.type | string | Classification of the vulnerability based on commonly accepted enums, such as CWE. | Improper Input Validation | Recommended | |
vulnerability.url | string | Dynatrace URL to the details page of the vulnerability. | https://example.com | Recommended |
Vulnerability change: Environmental data
This section contains information on changes to the vulnerability's affected and related entities.
Affected entities
Attribute | Type | Description | Examples | Requirement Level |
---|---|---|---|---|
affected_entities.count | long | Number of affected entities. | 1 | Recommended |
affected_entities.event_change_list | array | List of affected entity attributes updated as part of the change event. Values in the list match a previous field. | affected_entities.count ; affected_entities.process_groups.count ; affected_entities.kubernetes_nodes.count | Recommended |
affected_entities.hosts.count | long | Number of affected hosts. | 2 | Recommended |
affected_entities.kubernetes_nodes.count | long | Number of affected nodes. | 2 | Recommended |
affected_entities.previous.count | long | Number of affected entities before the last change event. | 1 | Recommended |
affected_entities.previous.hosts.count | long | Number of affected hosts before the last change event. | 5 | Recommended |
affected_entities.previous.kubernetes_nodes.count | long | Number of affected Kubernetes nodes before the last change event. | 5 | Recommended |
affected_entities.previous.process_groups.count | long | Number of affected process groups before the last change event. | 2 | Recommended |
affected_entities.process_groups.count | long | Number of affected process groups. | 2 | Recommended |
affected_entities.types | array | Types of affected entities. | PROCESS_GROUP ; HOST | Recommended |
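The `previous` attributes and `affected_entities.event_change_list` make it possible to reconstruct what a change event altered. The following added example (not Dynatrace code) triages one exported record. It assumes the record is a flat dictionary keyed by the dotted attribute names and that the previous value of `<namespace>.<rest>` lives at `<namespace>.previous.<rest>`, as the attribute names in these tables suggest. The sample record and the function names are constructed for illustration.

```python
RISK_ORDER = ["LOW", "MEDIUM", "HIGH", "CRITICAL"]

# Constructed record; flat dotted keys are an assumption about the export format.
SAMPLE_EVENT = {
    "vulnerability.id": "2039861408676243188",
    "vulnerability.risk.level": "CRITICAL",
    "vulnerability.previous.risk.level": "HIGH",
    "vulnerability.resolution.status": "OPEN",
    "vulnerability.previous.resolution.status": "RESOLVED",
    "vulnerability.mute.status": "NOT_MUTED",
    "vulnerability.previous.mute.status": "NOT_MUTED",
    "affected_entities.hosts.count": 5,
    "affected_entities.previous.hosts.count": 2,
    "affected_entities.event_change_list": ["affected_entities.hosts.count"],
}

def previous_key(attribute):
    """affected_entities.hosts.count -> affected_entities.previous.hosts.count"""
    namespace, _, rest = attribute.partition(".")
    return f"{namespace}.previous.{rest}"

def transition(record, attribute):
    """Return (old, new) if the attribute has a differing previous value, else None."""
    old, new = record.get(previous_key(attribute)), record.get(attribute)
    if old is None or new is None or old == new:
        return None
    return (old, new)

def triage(record):
    """List the transitions in one change event that usually need a human review."""
    findings = []
    level = transition(record, "vulnerability.risk.level")
    if (level and all(v in RISK_ORDER for v in level)
            and RISK_ORDER.index(level[1]) > RISK_ORDER.index(level[0])):
        findings.append(f"risk level raised {level[0]} -> {level[1]}")
    if transition(record, "vulnerability.resolution.status") == ("RESOLVED", "OPEN"):
        findings.append("vulnerability reopened")
    if transition(record, "vulnerability.mute.status") == ("NOT_MUTED", "MUTED"):
        user = record.get("vulnerability.mute.user", "unknown user")
        findings.append(f"muted by {user}")
    # Entity counts: only look at the attributes the event says it updated.
    for attribute in record.get("affected_entities.event_change_list", []):
        change = transition(record, attribute)
        if change and attribute.endswith(".count") and change[1] > change[0]:
            findings.append(f"{attribute} grew {change[0]} -> {change[1]}")
    return findings

if __name__ == "__main__":
    print(triage(SAMPLE_EVENT))
```
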
Related entities
Attribute | Type | Description | Examples | Requirement Level |
---|---|---|---|---|
related_entities.databases.count | long | Number of related databases. | 1 | Recommended |
related_entities.event_change_list | array | List of related entity attributes updated as part of the change event. Values in the list match a previous field. | related_entities.databases.count | Recommended |
related_entities.previous.databases.count | long | Number of related databases before the last change event. | 1 | Recommended |