Monitoring rules - Third-party Vulnerability Analytics

To include or exclude specific processes from being monitored by Application Security, you can set up fine-grained monitoring rules for Third-party Vulnerability Analytics, based on properties such as process tag, host tag, and management zone.

Define custom monitoring rules

You can define custom monitoring rules through the Dynatrace web UI or the Settings API.

To add a new rule

  1. In the Dynatrace menu, go to Settings > Application Security > Vulnerability Analytics > Monitoring rules: Third-party.
  2. Select Add new rule.
  3. Enter the requested information (mode, property, condition operator, and condition value).
  4. Select Save changes.

You can edit, disable, enable, or remove rules at any time.

You can read or modify the rules using the Settings API.

  • To view a monitoring rule, use the GET an object request. Set the following parameters:

    • schemaIds=builtin:appsec.rule-settings
    • scopes=tenant
    Example JSON response

    {
      "items": [
        {
          "objectId": "vu9U3hXa3q0AAAABABxidWlsdGluOmFwcHNlYy5ydWxlLXNldHRpbmdzAAZ0ZW5hbnQABnRlbmFudAAkYTc4NjY0NGItZmVjNC0zNzliLWI0MWItNThmYzgzOWZmYWY5vu9U3hXa3q0",
          "value": {
            "enabled": true,
            "mode": "MONITORING_OFF",
            "property": "PROCESS_TAG",
            "operator": "EQUALS",
            "value": "super secret process"
          }
        },
        {
          "objectId": "vu9U3hXa3q0AAAABABxidWlsdGluOmFwcHNlYy5ydWxlLXNldHRpbmdzAAZ0ZW5hbnQABnRlbmFudAAkNDhkZGYxNDMtYzc2Mi0zYzIwLWI1ODAtNTNhODEwOGZlMDBivu9U3hXa3q0",
          "value": {
            "enabled": true,
            "mode": "MONITORING_ON",
            "property": "HOST_TAG",
            "operator": "NOT_EQUALS",
            "value": "Test"
          }
        },
        {
          "objectId": "vu9U3hXa3q0AAAABABxidWlsdGluOmFwcHNlYy5ydWxlLXNldHRpbmdzAAZ0ZW5hbnQABnRlbmFudAAkNmY1NjZkNmItYWMyNy0zOTg2LWE1OGItNTU2ZTI1NTE5NTcyvu9U3hXa3q0",
          "value": {
            "enabled": false,
            "mode": "MONITORING_ON",
            "property": "MANAGEMENT_ZONE",
            "operator": "EQUALS",
            "value": "Monitorme"
          }
        }
      ],
      "totalCount": 3,
      "pageSize": 100
    }

  • To modify a monitoring rule, use the POST an object request.

    Example JSON body

    [
      {
        "value": {
          "enabled": true,
          "mode": "MONITORING_ON",
          "property": "HOST_TAG",
          "operator": "EQUALS",
          "value": "REST"
        },
        "scope": "tenant",
        "schemaId": "builtin:appsec.rule-settings"
      },
      {
        "value": {
          "enabled": true,
          "mode": "MONITORING_OFF",
          "property": "PROCESS_TAG",
          "operator": "NOT_EQUALS",
          "value": "Test-Process"
        },
        "scope": "tenant",
        "schemaId": "builtin:appsec.rule-settings"
      }
    ]

Note: For Kubernetes environments, you need to add tags both on the host and on the Kubernetes node.

Monitoring rules evaluation

After you add, edit, or remove a rule, it can take up to 15 minutes for changes to take effect throughout the system.

The configured monitoring rules are evaluated periodically (on internal worker runs) and on demand (through calls to the REST API). Regardless of the calling context, the rule evaluation stays the same: given a set of entities, the algorithm decides whether a specific entity should be monitored or not. The rules are processed in order until the first match. Note that each rule must be unique.

  • If a rule matches a specific entity, the configured mode (Monitor, Do not monitor) is used, and subsequent rules are not evaluated for this particular entity.
  • If no rule matches a specific entity, the default mode (Monitor) is used.
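
The first-match evaluation described above can be replayed offline to see which entities a rule set excludes from monitoring. The following Python is an added example, not Dynatrace's implementation; the entity dictionaries, the set-membership reading of EQUALS and NOT_EQUALS, the skipping of disabled rules, and treating the response's item order as rule order are assumptions.

```python
import json

# Constructed sample in the shape of the GET response above (objectId omitted).
SAMPLE = json.loads("""{"items": [
 {"value": {"enabled": true, "mode": "MONITORING_OFF", "property": "PROCESS_TAG",
            "operator": "EQUALS", "value": "super secret process"}},
 {"value": {"enabled": true, "mode": "MONITORING_ON", "property": "HOST_TAG",
            "operator": "NOT_EQUALS", "value": "Test"}},
 {"value": {"enabled": false, "mode": "MONITORING_ON", "property": "MANAGEMENT_ZONE",
            "operator": "EQUALS", "value": "Monitorme"}}]}""")
# Assumption: the order of "items" is the order in which rules are processed.
RULES = [item["value"] for item in SAMPLE["items"]]
DEFAULT_MODE = "MONITORING_ON"  # no rule matches -> default mode (Monitor)

# Constructed entities: property name -> set of values carried by the entity.
ENTITIES = {
    "payments": {"HOST_TAG": {"Prod"}, "PROCESS_TAG": {"super secret process"}},
    "web-01": {"HOST_TAG": {"Prod"}},
    "ci-runner": {"HOST_TAG": {"Test"}, "MANAGEMENT_ZONE": {"Monitorme"}},
}

def rule_matches(rule, entity):
    # Assumption: EQUALS matches when the rule value is among the entity's
    # values for that property; NOT_EQUALS matches when it is absent.
    present = rule["value"] in entity.get(rule["property"], set())
    if rule["operator"] == "EQUALS":
        return present
    if rule["operator"] == "NOT_EQUALS":
        return not present
    raise ValueError(f"unknown operator: {rule['operator']}")

def effective_mode(rules, entity):
    """Return (mode, index of the deciding rule, or None for the default)."""
    for index, rule in enumerate(rules):
        if not rule.get("enabled", True):  # assumption: disabled rules are skipped
            continue
        if rule_matches(rule, entity):
            return rule["mode"], index      # first match wins; stop evaluating
    return DEFAULT_MODE, None

def coverage_gaps(rules, entities):
    """Map each entity excluded from monitoring to the rule index that excluded it."""
    gaps = {}
    for name, entity in entities.items():
        mode, index = effective_mode(rules, entity)
        if mode == "MONITORING_OFF":
            gaps[name] = index
    return gaps
```

With the rules in the order shown, only the constructed payments entity is excluded; with the order reversed, the HOST_TAG rule matches first and nothing is excluded.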

FAQ

  • What happens if I change the order of the rules?
    • The first matching rule will apply.
  • What happens if a Do not monitor rule that applies gets added?
    • New vulnerabilities for the processes that match the rule won't be created.
    • Existing vulnerabilities that only relate to matching processes are resolved.
  • What happens if a Do not monitor rule is deleted or doesn't apply anymore?
    • New vulnerabilities for the processes that match the rule will be created.
    • Related resolved vulnerabilities are reopened.

Limitations

It's currently not possible to define custom monitoring rules based on the process tag property for Kubernetes environments.