Application Security
Dynatrace Application Security detects vulnerabilities and blocks attacks in running applications: not only in code scans, but at runtime.
Three Pillars
| Pillar | What It Does |
| --- | --- |
| Runtime Vulnerability Analytics | Detects CVEs in loaded libraries at runtime |
| Runtime Application Protection | Blocks attacks (SQL injection, SSRF, etc.) |
| Security Posture Management | Overall security health view |
How It Works
OneAgent monitors loaded libraries and runtime components. When a vulnerable library is detected in a running process, Dynatrace:
- Matches it against vulnerability feeds (NVD, Dynatrace feed)
- Assesses risk based on data access paths and production execution
- Opens a security problem with severity (CRITICAL, HIGH, MEDIUM, LOW)
- Auto-closes when the vulnerable library is removed or updated
Attack Protection
Runtime Application Protection monitors and blocks common attack patterns:
| Attack Type | What It Blocks |
| --- | --- |
| SQL Injection | Malicious SQL in user input |
| Command Injection | OS command execution via input |
| SSRF | Server-side request forgery |
| Path Traversal | Accessing files outside web root |
Modes: MONITOR (detect and log) or BLOCK (actively prevent).
Supported Technologies
| Technology | Vulnerability Detection | Attack Protection |
| --- | --- | --- |
| Java | ✓ (since OneAgent 1.221) | ✓ |
| .NET | ✓ (since 1.233) | ✓ |
| Node.js | ✓ (since 1.231) | ✓ |
| Go | ✓ (since 1.245) | ✓ |
| Python | ✓ (since 1.309) | ✓ |
| PHP | ✓ (since 1.231) | ✓ |
Security DQL
```dql
// Security events in the last 7 days
fetch events, from:now()-7d
| filter event.kind == "SECURITY_EVENT"
| summarize cnt=count(), by:{event.type}
| sort cnt desc
```
💡 Enable attack protection in MONITOR mode first. Review detected attacks for false positives before switching to BLOCK mode.
🎯 Try it: Open Ctrl+K → "Application Security" → explore the vulnerability overview. Then run `fetch events | filter event.kind == "SECURITY_EVENT" | limit 10` in a Notebook to see security events as queryable data.
Security Notifications (Two Parts Required!)
A common mistake: creating an alerting profile but no notification integration. The alerting profile alone does NOTHING; you need BOTH:
- Alerting profile (`builtin:appsec.notification-alerting-profile`): defines WHICH vulnerabilities trigger alerts (risk level, event type)
- Notification integration (`builtin:appsec.notification-integration`): defines WHERE to send alerts (email, webhook, Jira) and links to the alerting profile
Without the notification integration, alerts fire into the void: no email, no ticket, no notification.
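To catch the "profile without integration" mistake automatically, the following script (an added example, not Dynatrace code) compares the two settings schemas and reports every alerting profile that no enabled integration references. The Settings API item shape (`objectId` plus `value`) is real; the field names inside `value` (`name`, `enabled`, `alertingProfile`) are assumptions and should be checked against the schema in your tenant.

```python
"""Find AppSec alerting profiles that no notification integration links to.
Added example, not Dynatrace code. Field names inside 'value' are assumed."""
import json
import urllib.request

PROFILE_SCHEMA = "builtin:appsec.notification-alerting-profile"
INTEGRATION_SCHEMA = "builtin:appsec.notification-integration"


def fetch_settings_items(base_url: str, token: str, schema_id: str) -> list:
    """GET /api/v2/settings/objects for one schema and return its 'items' list.
    Not called in the sample run below; use it to check a real tenant."""
    url = (f"{base_url}/api/v2/settings/objects?schemaIds={schema_id}"
           "&scopes=environment&fields=objectId,value")
    req = urllib.request.Request(url, headers={"Authorization": f"Api-Token {token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["items"]


def find_unlinked_profiles(profiles: list, integrations: list) -> list:
    """Return the names of alerting profiles that no ENABLED integration
    references. Those profiles never produce an email, webhook or Jira ticket."""
    linked = {
        i["value"].get("alertingProfile")  # objectId of the linked profile (assumed field)
        for i in integrations
        if i["value"].get("enabled", True)  # a disabled integration links nothing
    }
    return [p["value"]["name"] for p in profiles if p["objectId"] not in linked]


# Constructed sample shaped like two Settings API responses (not real tenant data).
SAMPLE_PROFILES = [
    {"objectId": "prof-critical", "value": {"name": "critical-vulns", "enabled": True}},
    {"objectId": "prof-attacks", "value": {"name": "attack-candidates", "enabled": True}},
]
SAMPLE_INTEGRATIONS = [
    {"objectId": "int-email", "value": {"name": "email-secops", "enabled": True,
                                        "alertingProfile": "prof-critical"}},
    {"objectId": "int-old", "value": {"name": "old-webhook", "enabled": False,
                                      "alertingProfile": "prof-attacks"}},
]

if __name__ == "__main__":
    for name in find_unlinked_profiles(SAMPLE_PROFILES, SAMPLE_INTEGRATIONS):
        print(f"alerting profile '{name}' has no active notification integration")
```

Run it against a tenant by replacing the sample lists with `fetch_settings_items(...)` calls for each schema.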
Vulnerability Detection
- Third-party (TPV): OneAgent reports loaded libraries → matched against vulnerability feeds every 5 min → new vulns checked every minute
- Code-level (CLV): static analysis of first-party code for security patterns
- Risk assessment: uses Smartscape topology to check exposure (public IPs) and reachable data assets (databases)
- Auto-resolution: vulns close automatically when vulnerable library is no longer loaded for 2+ hours
- State reports: `VULNERABILITY_STATE_REPORT_EVENT` refreshes every 30-60 min; vulns stay "OPEN" until the next cycle after patching