Dynatrace Application Security - Third-Party runtime vulnerability detection
| Id | af99b078-124b-543a-9a50-66ef87c09f6a |
| Rulename | Dynatrace Application Security - Third-Party runtime vulnerability detection |
| Description | Detect Third-Party runtime vulnerabilities in your environment insights by snyk |
| Severity | Medium |
| Tactics | DefenseEvasion Execution Impact InitialAccess LateralMovement Persistence PrivilegeEscalation |
| Required data connectors | DynatraceRuntimeVulnerabilities |
| Kind | Scheduled |
| Query frequency | 1d |
| Query period | 1d |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Dynatrace/Analytic Rules/DynatraceApplicationSecurity_ThirdPartyVulnerabilityDetection.yaml |
| Version | 1.0.2 |
| Arm template | af99b078-124b-543a-9a50-66ef87c09f6a.json |
DynatraceSecurityProblems
| where VulnerabilityType != "CODE_LEVEL" and DAVISRiskLevel == "CRITICAL" and Muted == false
| summarize arg_max(LastUpdatedTimeStamp, *) by SecurityProblemId
description: |
'Detect Third-Party runtime vulnerabilities in your environment insights by snyk'
requiredTechniques:
- T1140
- T1059
- T1565
- T1659
- T1210
- T1554
- T1548
triggerThreshold: 0
tactics:
- DefenseEvasion
- Execution
- Impact
- InitialAccess
- LateralMovement
- Persistence
- PrivilegeEscalation
version: 1.0.2
incidentConfiguration:
createIncident: false
groupingConfiguration:
reopenClosedIncident: false
lookbackDuration: PT5H
enabled: false
matchingMethod: AllEntities
queryPeriod: 1d
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Dynatrace/Analytic Rules/DynatraceApplicationSecurity_ThirdPartyVulnerabilityDetection.yaml
triggerOperator: gt
status: Available
alertDetailsOverride:
alertDisplayNameFormat: 'Dynatrace Third-party runtime vulnerability detected - {{DisplayId}} : {{Title}}'
alertDescriptionFormat: |
Third-party runtime vulnerability ({{ExternalVulnerabilityId}}) detected in package ({{PackageName}}), more details available from Dynatrace at {{Url}}.
alertSeverityColumnName: Severity
eventGroupingSettings:
aggregationKind: AlertPerResult
id: af99b078-124b-543a-9a50-66ef87c09f6a
name: Dynatrace Application Security - Third-Party runtime vulnerability detection
queryFrequency: 1d
severity: Medium
customDetails:
CVEIds: CVEIds
DAVISRiskScore: DAVISRiskScore
PackageName: PackageName
DisplayIdentifier: DisplayId
SecProbIdentifier: SecurityProblemId
DAVISPublicExploit: DAVISPublicExploit
Technology: Technology
DAVISVulnFuncUsage: DAVISVulnerableFunctionUsage
SecurityProblemUrl: Url
VulnerabilityType: VulnerabilityType
ExternVulnIdentifier: ExternalVulnerabilityId
DAVISRiskVector: DAVISRiskVector
DAVISDataAssets: DAVISDataAssets
DAVISRiskLevel: DAVISRiskLevel
DAVISExposure: DAVISExposure
kind: Scheduled
entityMappings:
- fieldMappings:
- columnName: Url
identifier: Url
entityType: URL
query: |
DynatraceSecurityProblems
| where VulnerabilityType != "CODE_LEVEL" and DAVISRiskLevel == "CRITICAL" and Muted == false
| summarize arg_max(LastUpdatedTimeStamp, *) by SecurityProblemId
requiredDataConnectors:
- dataTypes:
- DynatraceSecurityProblems
connectorId: DynatraceRuntimeVulnerabilities