Dynatrace introduces a new way to think about timestamps in your Security Investigator cases: reference time, which uses relative timestamps to shorten incident response time.
Time is critical
Imagine an engineer performing root cause analysis by analyzing your application logs using Security Investigator. They discover the event in the logs that caused an incident, and as the next step, they want to analyze network flow logs from your Cloud Service Provider (CSP). Since network flow logs don’t contain any meaningful data about the request content or its response, it’s relatively difficult to understand which events in the network flow logs occurred before the incident and which ones followed it.

Dynatrace Security Investigator is one of the built-in apps shipped with Dynatrace. It’s designed for evidence-driven security use cases based on the logs, metrics, and traces ingested into Grail.
Security Investigator allows you to:
- Keep your whole investigation flow in context.
- Perform complex security investigations on the data stored in Grail.
- Build DQL queries based on your findings in a fast and usable way.
- Save and use found evidence to build your DQL queries and find answers to your questions.
- Navigate with ease to any point in your investigation history and review queries and results.
- Fetch detailed results in the original format to quickly understand the information.
Thanks to reference time, it's now possible to add a time perspective to your case and keep track of the relative time between the events you're analyzing and the moment the incident occurred.
You can choose Set as reference time by right-clicking any timestamp field in Security Investigator, typically the timestamp of the event that caused the incident.

A new virtual column called timestamp_diff is then added to all the query nodes of the query tree. The virtual column contains the time difference between the set reference time and the timestamp of each event in the results table. So, even if you open another query node, you'll still see the reference time offset in the results table, showing the time distance between each event and the set reference time.

The virtual offset column is created automatically for the first timestamp field in the results table (usually called timestamp), but it can be turned on for any timestamp field. You can do this from the column header menu or from the reference time menu.
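To make the idea of an offset column concrete, here is an added example (my own code, not Dynatrace's or Security Investigator's implementation) that computes a timestamp_diff-style column over two constructed log sources: application log lines carrying ISO 8601 timestamps with a UTC offset, and flow-log lines in the AWS VPC flow log default layout, where start and end are Unix epoch seconds. The log lines, field names and window sizes are constructed for illustration. The example goes slightly beyond the page by also showing the pitfall of mixing naive and timezone-aware timestamps, which silently skews offsets when logs come from different systems, and by letting the offset be computed for a secondary timestamp field (the flow's start or end) rather than only the first one.

```python
"""Compute a reference-time offset column over heterogeneous log records.

Added example (not Dynatrace code): mimics a timestamp_diff virtual column
for two constructed log sources with different timestamp representations.
"""
from __future__ import annotations

from datetime import datetime, timezone

# Constructed sample application log lines (ISO 8601 with explicit UTC offset).
APP_LOGS = [
    "2024-05-03T10:14:30+02:00 INFO  payment-api POST /checkout 200",
    "2024-05-03T10:15:00+02:00 ERROR payment-api unhandled exception in /checkout",
    "2024-05-03T10:16:10+02:00 WARN  payment-api circuit breaker open",
]

# Constructed AWS-VPC-style flow log lines (default format; start/end are epoch seconds).
FLOW_LOGS = [
    "2 123456789012 eni-0a1b2c3d 203.0.113.7 10.0.1.12 51234 443 6 12 3400 1714723200 1714723260 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d 198.51.100.9 10.0.1.12 44121 443 6 120 98000 1714724040 1714724099 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d 10.0.1.12 192.0.2.25 39876 443 6 9 1200 1714724100 1714724160 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d 203.0.113.7 10.0.1.12 51240 22 6 1 60 1714724400 1714724400 REJECT OK",
]

# Field order of the VPC flow log default format (assumed layout for the sample above).
FLOW_FIELDS = (
    "version", "account_id", "interface_id", "srcaddr", "dstaddr", "srcport",
    "dstport", "protocol", "packets", "bytes", "start", "end", "action", "log_status",
)


def parse_iso(ts: str) -> datetime:
    """Parse an ISO 8601 timestamp and insist that it carries a timezone.

    A naive timestamp would be interpreted relative to whatever the local
    clock is, which makes cross-source offsets wrong by the UTC offset.
    """
    if ts.endswith("Z"):  # older Pythons do not accept a trailing Z
        ts = ts[:-1] + "+00:00"
    dt = datetime.fromisoformat(ts)
    if dt.tzinfo is None:
        raise ValueError(f"timestamp without timezone cannot be correlated: {ts}")
    return dt


def parse_app_log(line: str) -> dict:
    """Split '<iso-ts> <level> <service> <message>' into a record."""
    ts, level, service, message = line.split(maxsplit=3)
    return {"source": "app", "timestamp": parse_iso(ts),
            "level": level, "service": service, "message": message}


def parse_flow_log(line: str) -> dict:
    """Map a space-separated flow log line onto FLOW_FIELDS; epoch -> aware UTC."""
    rec = dict(zip(FLOW_FIELDS, line.split()))
    rec["source"] = "flow"
    for key in ("start", "end"):
        rec[key] = datetime.fromtimestamp(int(rec[key]), tz=timezone.utc)
    return rec


def add_timestamp_diff(records: list[dict], reference: datetime,
                       field: str = "timestamp") -> list[dict]:
    """Return copies of the records with a timestamp_diff column in seconds.

    Negative values are before the reference event, positive after it.
    Records lacking the chosen field get None instead of a bogus offset.
    """
    if reference.tzinfo is None:
        raise ValueError("reference time must be timezone-aware")
    out = []
    for rec in records:
        ts = rec.get(field)
        diff = (ts - reference).total_seconds() if isinstance(ts, datetime) else None
        out.append({**rec, "timestamp_diff": diff})
    return out


def around_reference(records: list[dict], reference: datetime,
                     window_seconds: float, field: str = "timestamp") -> list[dict]:
    """Keep records within +/- window_seconds of the reference, ordered by offset."""
    diffed = add_timestamp_diff(records, reference, field)
    hits = [r for r in diffed
            if r["timestamp_diff"] is not None and abs(r["timestamp_diff"]) <= window_seconds]
    return sorted(hits, key=lambda r: r["timestamp_diff"])


# The ERROR line is the event we "right-click" and set as reference time.
REFERENCE_TIME = parse_app_log(APP_LOGS[1])["timestamp"]


if __name__ == "__main__":
    flows = [parse_flow_log(line) for line in FLOW_LOGS]
    for rec in around_reference(flows, REFERENCE_TIME, 120, field="start"):
        print(f"{rec['timestamp_diff']:+7.0f}s {rec['srcaddr']} -> {rec['dstaddr']}:{rec['dstport']} {rec['action']}")
```

Running the script lists only the two flows whose start lies within two minutes of the reference event, ordered from earliest to latest offset; switching the field to "end" or widening the window answers the "which flows were still open when the incident happened" question that raw epoch seconds make hard to eyeball.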

This small yet powerful feature lets engineers speed up investigations by anchoring every result to a single event timestamp, making it easier to navigate across query results.
With reference time, you can efficiently navigate logs while maintaining an incident's time context. It keeps track of the time offset between the events you're analyzing and the moment the incident occurred, which helps you uncover relevant threads and evidence even in logs and events that might initially seem unrelated.
Because the offset is computed for every query node in the case, reference time ties together data from different sources and keeps a consistent incident context across all of them.
For a more detailed example of how reference time speeds up threat hunting, please see the reference time use case in Dynatrace Documentation.
Get started
Visit Dynatrace Playground to see the reference time in action, or read more about how reference time speeds up threat hunting in Dynatrace Documentation.
___
© 2005 Dynatrace LLC
Dynatrace and the Dynatrace logo, are trademarks of the Dynatrace, Inc. group of companies. All other trademarks are the property of their respective owners.