Datadog dashboard made publicly accessible

Goal

Detects when a Datadog dashboard is made publicly accessible via a share link, which can expose internal metrics, logs, or business data to unauthenticated users.

Strategy

This rule monitors Datadog Dashboard audit events where @asset.type is dashboard_share_link and @action is created or modified. Public dashboard share links allow anyone with the URL to view the dashboard without authentication. Dashboards frequently contain sensitive operational data, infrastructure topology, service metrics, or business KPIs. Creating a public share link — intentionally or accidentally — can result in unintended data disclosure. Modification events are included to catch cases where an existing share link is reconfigured (for example, re-enabled after being disabled).
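
The match condition above, applied offline to exported audit events. This is an added example, not code from the Datadog rule or product; the one-JSON-object-per-line layout, the nesting of the @asset.type, @action, @usr.email and @asset.id attributes, the sample values, and the function names are assumptions for illustration.

```python
import json

# Constructed sample audit events (not real Datadog output). The nested layout
# for @asset.type, @action, @usr.email and @asset.id is assumed for this example.
SAMPLE_EVENTS = """
{"timestamp": "2024-05-01T10:00:00Z", "action": "created", "asset": {"type": "dashboard_share_link", "id": "abc-123-xyz"}, "usr": {"email": "alice@example.com"}}
{"timestamp": "2024-05-01T10:05:00Z", "action": "modified", "asset": {"type": "dashboard", "id": "abc-123-xyz"}, "usr": {"email": "alice@example.com"}}
{"timestamp": "2024-05-01T11:00:00Z", "action": "deleted", "asset": {"type": "dashboard_share_link", "id": "def-456-uvw"}, "usr": {"email": "bob@example.com"}}
{"timestamp": "2024-05-01T12:00:00Z", "action": "modified", "asset": {"type": "dashboard_share_link", "id": "def-456-uvw"}, "usr": {"email": "bob@example.com"}}
{"timestamp": "2024-05-01T12:30:00Z", "action": "created", "asset": {"type": "dashboard_share_link"}}
not-json
"""

RULE_ACTIONS = {"created", "modified"}  # both actions named in the Strategy text

def get_path(event, dotted, default=None):
    """Walk a dotted attribute path such as 'asset.type'; return default if absent."""
    cur = event
    for key in dotted.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return default
        cur = cur[key]
    return cur

def matches_rule(event):
    """True when the event is a share-link creation or modification."""
    return (get_path(event, "asset.type") == "dashboard_share_link"
            and get_path(event, "action") in RULE_ACTIONS)

def find_public_share_events(lines):
    """Return one triage record per matching event; skip blank or malformed lines."""
    signals = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if not isinstance(event, dict) or not matches_rule(event):
            continue
        signals.append({
            "timestamp": event.get("timestamp"), "action": event["action"],
            "user": get_path(event, "usr.email", "<unknown>"),
            "asset_id": get_path(event, "asset.id", "<unknown>"),
        })
    return signals

if __name__ == "__main__":
    for s in find_public_share_events(SAMPLE_EVENTS.splitlines()):
        print(f'{s["timestamp"]} {s["action"]:<8} user={s["user"]} asset={s["asset_id"]}')
```

Events that match but lack a user or asset ID are still reported with a placeholder, so a gap in the export does not hide a share-link change from triage.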

Triage and response

  • Verify whether {{@usr.email}} intended to make dashboard {{@asset.id}} publicly accessible.
  • Review the dashboard content for sensitive data including proprietary metrics, PII, infrastructure details, or internal business information.
  • Check whether the public URL has already been accessed by reviewing any associated access logs.
  • If the sharing was unintended or the content is sensitive, ask the user to disable the public share link immediately and confirm no unauthorized access occurred.
  • If public sharing is legitimately required, confirm that the dashboard content has been reviewed and approved for external viewing.