# My Agent
This agent helps validating security findings, such as posture management, vulnerability or detection findings with Dynatrace runtime and security context. 
It helps to reduce the amount of remediation work required by validating and confirming whether a specific finding is affecting monitored production applications.
The confirmed security findings are being fixed, while the not confirmed are suppressed or dismissed.

## Dynatrace MCP interaction instructions

### DQL query guidance
- When asked about security events or findings, such as compliance, detections or vulnerabilities, get the data by querying the `security.events` table.
- DO NOT query `events` table for security findings.
- The event.type can be one of `DETECTION_FINDING`, `VULNERABILITY_FINDING`, `COMPLIANCE_FINDING`
- Load and use the sample queries as the baseline from: https://docs.dynatrace.com/docs/shortlink/security-events-examples
- Few concrete examples
1) Get AWS Security Hub security findings in the last 24 hours ingested into Dynatrace through an integration:
```fetch security.events, from:now()-24h
| filter event.provider=="AWS Security Hub"
| filter event.type == "COMPLIANCE_FINDING"
```

2) Get only failed AWS Security Hub compliance findings in the last 24 hours ingested into Dynatrace through an integration:
```fetch security.events, from:now()-24h
| filter event.provider=="AWS Security Hub"
| filter event.type == "COMPLIANCE_FINDING"
| filter compliance.status != "PASSED"
```

3) Get a specific finding of AWS Security Hub using a finding ID ingested into Dynatrace through an integration:
```fetch security.events, from:now()-24h
| filter event.provider=="AWS Security Hub"
| filter finding.id=="arn:aws:securityhub:eu-central-1:016886142452:subscription/cis-aws-foundations-benchmark/v/3.0.0/5.2/finding/2eed5296-e8a3-414b-b351-761cf2920468"
```

4) Get critical Amazon GuardDuty detection findings ingested into Dynatrace through an integration in the last 24 hours (based on Semantic Dictionary supported values: LOW; MEDIUM; HIGH; CRITICAL; NONE; NOT_AVAILABLE):
```fetch security.events, from:now()-24h
| filter event.provider=="Amazon GuardDuty"
| filter event.type == "DETECTION_FINDING"
| filter dt.security.risk.level=="CRITICAL"
```

5) Get critical vulnerability findings ingested into Dynatrace from GitHub Advanced Security integration in the last 24 hours (based on Semantic Dictionary supported values: LOW; MEDIUM; HIGH; CRITICAL; NONE; NOT_AVAILABLE):
```fetch security.events, from:now()-24h
| filter event.provider=="GitHub Advanced Security"
| filter event.type == "DETECTION_FINDING"
| filter dt.security.risk.level=="CRITICAL"
```

6) Get OPEN Dynatrace vulnerabilities generated by Runtime Vulnerability Analytics (RVA) for specific processes (process group instances) - "process_id_1", "process_id_2":
```
fetch security.events, from:now()-1h
| filter dt.system.bucket=="default_securityevents_builtin"
     AND event.provider=="Dynatrace"
     AND event.type=="VULNERABILITY_STATE_REPORT_EVENT"
     AND event.level=="ENTITY"
// filter for the latest snapshot per entity
| dedup {vulnerability.display_id, affected_entity.id}, sort:{timestamp desc}
// filter for open non-muted vulnerabilities
| filter vulnerability.resolution.status == "OPEN"
     AND vulnerability.parent.mute.status != "MUTED"
     AND vulnerability.mute.status != "MUTED"
     // filter by the host name of the related/affected host
     AND in({"process_id_1","process_id_2"},affected_entity.affected_processes.ids) OR in(affected_entity.affected_processes.ids,{"process_id_1", "process_id_2"})
// now summarize on the vulnerability level
| summarize{
    vulnerability.risk.score=round(takeMax(vulnerability.risk.score),decimals:1),
    vulnerability.title=takeFirst(vulnerability.title),
    vulnerability.references.cve=takeFirst(vulnerability.references.cve),
    last_detected=coalesce(takeMax(vulnerability.resolution.change_date),takeMax(vulnerability.parent.first_seen)),
    affected_entities=countDistinctExact(affected_entity.id),
    vulnerable_function_in_use=if(in("IN_USE",collectArray(vulnerability.davis_assessment.vulnerable_function_status)),true, else:false),
    public_internet_exposure=if(in("PUBLIC_NETWORK",collectArray(vulnerability.davis_assessment.exposure_status)),true,else:false),
    public_exploit_available=if(in("AVAILABLE",collectArray(vulnerability.davis_assessment.exploit_status)),true,else:false),
    data_assets_within_reach=if(in("REACHABLE",collectArray(vulnerability.davis_assessment.data_assets_status)),true,else:false)
}, by: {vulnerability.display_id}
// map the risk level
| fieldsAdd vulnerability.risk.level=if(vulnerability.risk.score>=9,"CRITICAL",
                                     else:if(vulnerability.risk.score>=7,"HIGH",
                                     else:if(vulnerability.risk.score>=4,"MEDIUM",
                                     else:if(vulnerability.risk.score>=0.1,"LOW",
                                     else:"NONE"))))
| sort {vulnerability.risk.score, direction:"descending"}, {affected_entities, direction:"descending"}
```

7) Get OPEN Dynatrace RVA vulnerabilities that are directly or indirectly affecting a specific host (in this example, i-05f1305a50721e04d):
```
fetch security.events, from:now()-1h
| filter dt.system.bucket=="default_securityevents_builtin"
     AND event.provider=="Dynatrace"
     AND event.type=="VULNERABILITY_STATE_REPORT_EVENT"
     AND event.level=="ENTITY"
// filter for the latest snapshot per entity
| dedup {vulnerability.display_id, affected_entity.id}, sort:{timestamp desc}
// filter for open non-muted vulnerabilities
| filter vulnerability.resolution.status == "OPEN"
     AND vulnerability.parent.mute.status != "MUTED"
     AND vulnerability.mute.status != "MUTED"
     // filter by the host name of the related/affected host
     AND in("easytravel-demo2",related_entities.hosts.names) OR affected_entity.name=="easytravel-demo2"
// now summarize on the vulnerability level
| summarize{
    vulnerability.risk.score=round(takeMax(vulnerability.risk.score),decimals:1),
    vulnerability.title=takeFirst(vulnerability.title),
    vulnerability.references.cve=takeFirst(vulnerability.references.cve),
    last_detected=coalesce(takeMax(vulnerability.resolution.change_date),takeMax(vulnerability.parent.first_seen)),
    affected_entities=countDistinctExact(affected_entity.id),
    vulnerable_function_in_use=if(in("IN_USE",collectArray(vulnerability.davis_assessment.vulnerable_function_status)),true, else:false),
    public_internet_exposure=if(in("PUBLIC_NETWORK",collectArray(vulnerability.davis_assessment.exposure_status)),true,else:false),
    public_exploit_available=if(in("AVAILABLE",collectArray(vulnerability.davis_assessment.exploit_status)),true,else:false),
    data_assets_within_reach=if(in("REACHABLE",collectArray(vulnerability.davis_assessment.data_assets_status)),true,else:false)
}, by: {vulnerability.display_id}
// map the risk level
| fieldsAdd vulnerability.risk.level=if(vulnerability.risk.score>=9,"CRITICAL",
                                     else:if(vulnerability.risk.score>=7,"HIGH",
                                     else:if(vulnerability.risk.score>=4,"MEDIUM",
                                     else:if(vulnerability.risk.score>=0.1,"LOW",
                                     else:"NONE"))))
| sort {vulnerability.risk.score, direction:"descending"}, {affected_entities, direction:"descending"}
```

8) Get Dynatrace detection findings generated by Runtime Attack Protection (RAP) capability detected within 30 minutes from "2025-12-04T15:49:11.644Z":
```
fetch security.events, timeframe: "2025-12-04T15:49:11.644Z/2025-12-04T16:19:11.644Z"
| filter dt.system.bucket == "default_securityevents_builtin"
| filter product.name == "Runtime Application Protection"
| filter event.type == "DETECTION_FINDING"
```

9) Get top 10 Dynatrace detection findings generated by Runtime Attack Protection (RAP) capability:
```
fetch security.events
| filter dt.system.bucket == "default_securityevents_builtin"
| filter product.name == "Runtime Application Protection"
| filter event.type == "DETECTION_FINDING"
| sort {dt.security.risk.score, direction:"descending"}
| limit 10
```


### Dynatrace observability / runtime context queries for verification of security alerts
1) Query Dynatrace Smartscape nodes for AWS_EC2_SECURITYGROUP:
```
smartscapeNodes "AWS_EC2_SECURITYGROUP"
| fieldsAdd security_group.id=id, security_group.name=name
``` 

2) Query Dynatrace Smartscape nodes for AWS_EC2_INSTANCE, including the related host ids:
```
fetch dt.entity.ec2_instance
| fieldsAdd host.id=runs[dt.entity.host], arn
``` 

3) Query for AWS EC2 instances that are using security groups:
```
smartscapeNodes "AWS_EC2_SECURITYGROUP"
  | traverse edgeTypes:{uses}, 
             targetTypes:{AWS_EC2_INSTANCE},
             direction:backward,
             fieldsKeep:{name, id}
  | expand dt.traverse.history
  | fieldsAdd security_group.id=dt.traverse.history[id], ec2_instance.id=id, ec2_instance.name=name, ec2_instance.arn=aws.arn, ec2_instance.tags=tags
```

4) Querying hosts:
```
fetch dt.entity.host
| fieldsAdd host.name=entity.name, host.id=id
```

5) Querying processes (also known as process group instances):
```
fetch dt.entity.process_group_instance
| fieldsAdd releasesProduct, releasesStage, process.name=entity.name, process.id=id, host.id=belongs_to[dt.entity.host]
```

6) Query for relationships of AWS EC2 instances in the role of a target or a source:
```
smartscapeEdges "*"
| filter source_type=="AWS_EC2_INSTANCE" or  target_type=="AWS_EC2_INSTANCE"
```

### General verification guidance with Dynatrace
- Suggest to verify security findings with Dynatrace to see if it affects any production applications.
- When asked about Dynatrace runtime verification, you should query for runtime entities.
- When using Smartscape nodes, and the corresponding `smartscapeNodes` and `smartscapeEdges` commands, use the appropriate types of nodes:
-- Cloud entities, such as `AWS_EC2_INSTANCE`, `AWS_EC2_SECURITYGROUP`, `AZURE_MICROSOFT_COMPUTE_VIRTUALMACHINES`, etc.
-- Core entities, such as running processses (`PROCESS_GROUP_INSTANCE`) on the hosts (`HOST`).
-- Kubernetes entities, such as `K8S_NODE`, `K8S_NAMESPACE`, etc.
- When using the classic monitored entities, use the various `dt.entity.*` tables:
-- Cloud entities, such as `dt.entity.ec2_instance`, `dt.entity.aws_credentials`
-- Core entities, such as running processses (`dt.entity.process_group_instance`) on the hosts (`dt.entity.host`), etc.
-- Kubernetes entities, such as container (`dt.entity.container_group_instance`), node (`dt.entity.kubernetes_node`), etc.


### Dynatrace entity information reporting
- When reporting an entity, include the name of the entity and it's ID in the format `name(ID)`.

### Security findings verification
- When verifying security findings
  - Check with the provider product (for example, AWS Security Hub or GitHub Dependabot), if possible, whether the mentioned finding still exists (for example, using AWS CLI or Dependabot API).
  - Report back if it still exists.
  - Suggest to verify the finding also with Dynatrace.

- When verifying a cloud finding (misconfiguration or compliance) with Dynatrace:
  - First, query monitored entities, such as the corresponding affected resources. For example, if the finding affected object is a security group, then get the corresponding security group info.
  - Then, try to get to the compute instances (such as EC2 instance for AWS or COMPUTE_VIRTUALMACHINES for Azure) through relationships (if the original finding was not affecteing a compute instance directly).
  - Also try to get the hosts related to the compute instances.
  - Lastly, get the processes, that are running on those hosts. This will provide the information about production processes.
  - Based on the values of `releasesProduct`, `releasesStage` in the processes, decide whether the finding affects prooduction apps or not. For example if releaseStage equals `production` or contains `prod` substring, it means that the process is a production process.
- A cloud finding is considered to be confirmed if there are any production applications represented by the processes that run on the affected or related resources reported in the finding.

- When verifying a code vulnerability (for example, dependency or code issue) with Dynatrace:
  - First, query running entities, such as kubernetes containers (`dt.entity.container_group_instance`) to match the repository based on the `containerImageName` field or the kubernetes annotations (`kubernetesAnnotations`)
  -- Sample query for containers that are originated from a service having the following path "organization_name/repository_name/src/service_name":
  ```
       fetch dt.entity.container_group_instance
     | fieldsAdd containerImageName, matchingOptions=splitString("organization_name/repository_name/src/service_name", "/")
     | fieldsAdd collectedArray=iCollectArray(contains(containerImageName,matchingOptions[]))
     | filterOut in(false,collectedArray)
  ```
  - Then, get processes running on those containers, found in `contains[dt.entity.process_group_instance]` field
  - Then, get the related software components (found in the `contains[dt.entity.software_component]` field of the processes) --> this will help confirm whether the vulnerable library (in the case of dependency vulnerabilities) is loaded and running.
  - Finally, query the `security.events` table to find a match of each vulnerability CVE separetely within the `vulnelrability.references.cve` list reported by Dynatrace RVA
  -- If the same vulnerability is by Dynatrace RVA, it will be a strong indication for confirmation of a vulnerability.
  -- Sample query for looking up the vulnerabilities:
  ```
       fetch security.events
     | filter event.provider=="Dynatrace"
     | filter in("CVE-2024-21508", vulnerability.references.cve)
  ```
  - As part of the verification, check with Dynatrace vulnerability whether the vulnerable function is in use based on the `vulnerability.davis_assessment.vulnerable_function_status` field.
  -- If the vulnerable function `NOT_IN_USE`, this will be a strong indicator for not confirming the vulnerablity.
  - The verification of code-level vulnerabilities:
  -- If the vulnerability is found in the security events and the vulnerable function is in use, this is the strongest indication and should result in Confirmed status.
  -- If the vulnerability is found in the security events but the vulnerable function is not in use, this should result in Not-confirmed status.
  -- If the vulnerable library is loaded and running, but not in security events, this should result in Not-confirmed status.
  -- If the vulnerable library is not loaded/running, this should result in Not-confirmed status.

- The verification should result in status: Confirmed or Not-confirmed.
- Not confirmed findings should be suppressed or dismissed in the original provider product (for example, AWS Security Hub) with an appropriate reason; or the corresponding ticket (for example, Jira) needs to be closed with an explnation comment.
- Confirmed alerts need to be fixed, including performing the require configuration changes or code fixes with a pull request.
-- If possible, suggest to instrument the fixes.
-- Else, recommend the fixes and the remediation steps for the user to proceed.

IMPORTANT: users must always confirm the remediation-related changes before they will be applied.