Dynatrace Application Security - Code-Level runtime vulnerability detection
| Id | 305093b4-0fa2-57bc-bced-caea782a6e9c |
| Rulename | Dynatrace Application Security - Code-Level runtime vulnerability detection |
| Description | Detect Code-level runtime vulnerabilities in your environment |
| Severity | Medium |
| Tactics | DefenseEvasion Execution Impact InitialAccess LateralMovement Persistence PrivilegeEscalation |
| Required data connectors | DynatraceRuntimeVulnerabilities |
| Kind | Scheduled |
| Query frequency | 1d |
| Query period | 1d |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Dynatrace/Analytic Rules/DynatraceApplicationSecurity_CodeLevelVulnerabilityDetection.yaml |
| Version | 1.0.3 |
| Arm template | 305093b4-0fa2-57bc-bced-caea782a6e9c.json |
DynatraceSecurityProblems
| where VulnerabilityType == "CODE_LEVEL" and DAVISRiskLevel == "CRITICAL" and Muted == false
| summarize arg_max(LastUpdatedTimeStamp, *) by SecurityProblemId
queryFrequency: 1d
customDetails:
DAVISRiskVector: DAVISRiskVector
DisplayIdentifier: DisplayId
PackageName: PackageName
CVEIds: CVEIds
DAVISVulnFuncUsage: DAVISVulnerableFunctionUsage
Technology: Technology
VulnerabilityType: VulnerabilityType
SecProbIdentifier: SecurityProblemId
DAVISRiskLevel: DAVISRiskLevel
DAVISDataAssets: DAVISDataAssets
ExternVulnIdentifier: ExternalVulnerabilityId
DAVISRiskScore: DAVISRiskScore
DAVISPublicExploit: DAVISPublicExploit
SecurityProblemUrl: Url
DAVISExposure: DAVISExposure
tactics:
- DefenseEvasion
- Execution
- Impact
- InitialAccess
- LateralMovement
- Persistence
- PrivilegeEscalation
id: 305093b4-0fa2-57bc-bced-caea782a6e9c
triggerOperator: gt
triggerThreshold: 0
query: |
DynatraceSecurityProblems
| where VulnerabilityType == "CODE_LEVEL" and DAVISRiskLevel == "CRITICAL" and Muted == false
| summarize arg_max(LastUpdatedTimeStamp, *) by SecurityProblemId
severity: Medium
kind: Scheduled
eventGroupingSettings:
aggregationKind: AlertPerResult
incidentConfiguration:
groupingConfiguration:
matchingMethod: AllEntities
lookbackDuration: PT5H
enabled: false
reopenClosedIncident: false
createIncident: false
requiredDataConnectors:
- connectorId: DynatraceRuntimeVulnerabilities
dataTypes:
- DynatraceSecurityProblems
entityMappings:
- entityType: URL
fieldMappings:
- identifier: Url
columnName: Url
version: 1.0.3
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Dynatrace/Analytic Rules/DynatraceApplicationSecurity_CodeLevelVulnerabilityDetection.yaml
requiredTechniques:
- T1140
- T1059
- T1565
- T1659
- T1210
- T1554
- T1548
name: Dynatrace Application Security - Code-Level runtime vulnerability detection
description: Detect Code-level runtime vulnerabilities in your environment
alertDetailsOverride:
alertSeverityColumnName: Severity
alertDescriptionFormat: |
Code-Level runtime vulnerability ({{ExternalVulnerabilityId}}) detected in package ({{PackageName}}), more details available from Dynatrace at {{Url}}.
alertDisplayNameFormat: 'Dynatrace Code-Level runtime vulnerability detected - {{DisplayId}} : {{Title}}'
status: Available
queryPeriod: 1d