APM (Tracing) Security

This article is part of a series on data security.

The APM product supports multiple libraries and includes extensible tooling that allows customers the flexibility to submit nearly any data point they choose. This article describes the main filtering controls available for customers to control what APM data they submit to Datadog.

Filtering Baseline

Several filtering mechanisms are enforced as a baseline in an effort to provide sound defaults. In particular:

Environment variables are not collected by the Agent

SQL variables are obfuscated by default, even when not using prepared statements

For example, the following sql.query attribute: SELECT data FROM table WHERE key=123 LIMIT 10 would have its variables obfuscated, to become the following Resource name: SELECT data FROM table WHERE key = ? LIMIT ?

Numbers in Resource names (e.g. in request URLs) are obfuscated by default

For example, the following Elasticsearch attribute:

Elasticsearch : {
    method : GET,
    url : /user.0123456789/friends/_count
}

would have the number in its URL obfuscated, to become the following Resource name: GET /user.?/friends/_count
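The two baseline obfuscations above can be reproduced with a handful of regular expressions. The following is an added example written for this article, not the Datadog Agent's own implementation: the patterns are assumptions chosen to yield the two Resource names shown above, so they are illustrative of the rule rather than byte-for-byte equivalent to the Agent's obfuscator.

```python
"""Added example (not the Datadog Agent's implementation): the two default
Resource-name obfuscations described above, SQL literals and digit runs in
URLs both replaced with '?'. The regular expressions are assumptions chosen
to reproduce the documented examples."""
import re

# Quoted string literals, then bare numeric literals not glued to an identifier
# (so 'users2' stays intact while 'key=123' loses its value).
_SQL_STRING = re.compile(r"'(?:[^'\\]|\\.)*'|\"(?:[^\"\\]|\\.)*\"")
_SQL_NUMBER = re.compile(r"(?<![\w.])\d+(?:\.\d+)?(?![\w.])")
# Comparison operators get single spaces around them, so 'key=123' becomes 'key = ?'.
_SQL_OPERATOR = re.compile(r"\s*(<>|!=|<=|>=|=|<|>)\s*")
_WHITESPACE = re.compile(r"\s+")
# Every run of digits anywhere in a URL (path, query string, version segments).
_URL_DIGITS = re.compile(r"\d+")


def obfuscate_sql(query: str) -> str:
    """Resource name for a SQL query: literals replaced by '?', whitespace normalised."""
    resource = _SQL_STRING.sub("?", query)
    resource = _SQL_NUMBER.sub("?", resource)
    resource = _SQL_OPERATOR.sub(r" \1 ", resource)
    return _WHITESPACE.sub(" ", resource).strip()


def obfuscate_url(url: str) -> str:
    """URL fragment of a Resource name: every run of digits replaced by '?'."""
    return _URL_DIGITS.sub("?", url)


def elasticsearch_resource(method: str, url: str) -> str:
    """Resource name built from an Elasticsearch span's method and obfuscated URL."""
    return f"{method} {obfuscate_url(url)}"


if __name__ == "__main__":
    # The two examples from the article.
    print(obfuscate_sql("SELECT data FROM table WHERE key=123 LIMIT 10"))
    print(elasticsearch_resource("GET", "/user.0123456789/friends/_count"))
```

Because the URL rule replaces every digit run, a version segment such as /v2/ becomes /v?/ as well; that is the documented behaviour (all numbers in Resource names are obfuscated), and it is one reason to review what your Resource names look like after obfuscation rather than assume only identifiers were touched.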

In addition to this baseline, customers need to review and configure their APM deployment, including all integrations and frameworks provided by supported tracers, to appropriately control what data they submit to Datadog.

Tag Filtering

For customers using release 6, the Agent can be configured to obfuscate Tags associated with Spans, matching on the Tag's name and a pattern within its value and replacing the matched portion with a user-defined string. To prevent the submission of specific Tag values, use the replace_tags setting. This setting takes a list of one or more regular expressions, which instructs the Agent to redact sensitive data within your Tags.

Resource Filtering

For customers using release 6, the Agent can be configured to exclude specific Resources from the Traces it sends to the Datadog application. To prevent the submission of specific Resources, use the ignore_resources setting. This setting takes a list of one or more regular expressions, which instructs the Agent to filter out Traces whose Resource name matches.

Extending Tracers

The tracing libraries are designed to be extensible. Customers may consider writing a custom post-processor to intercept Spans, then adjust or discard them accordingly (e.g. based on regular expressions). For example, this could be achieved with the following constructs:
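The Agent-side replace_tags and ignore_resources settings described in the two previous sections both reduce to regular expressions over Tag values and Resource names, and a tracer-side post-processor of the kind this section describes can apply the same two rules before Spans ever leave the process. The following is an added example, not code from Datadog's tracers or Agent: Spans are modelled as plain dicts, the process_trace hook name, the rule keys name/pattern/repl and the sample Spans are assumptions, and dropping a Trace when its root Span's Resource matches is a modelling choice made here.

```python
"""Added example (not Datadog's tracer or Agent code): an in-process Span
post-processor that applies replace_tags-style redaction to Tag values and
ignore_resources-style dropping of whole Traces, both driven by regular
expressions. Spans are modelled as plain dicts; the process_trace hook, the
rule keys name/pattern/repl and the sample data are assumptions."""
import re
from typing import Dict, List, Optional

Span = Dict[str, object]   # {"name": str, "resource": str, "meta": {tag: value}}
Trace = List[Span]         # trace[0] is taken to be the root Span

# Constructed rules in the shape of the Agent settings discussed above.
# name is an exact Tag name, or "*" to apply the rule to every Tag.
REPLACE_TAGS = [
    {"name": "http.url", "pattern": r"token=[^&]*", "repl": "token=?"},
    {"name": "*", "pattern": r"[\w.+-]+@[\w-]+\.[\w.]+", "repl": "?@?"},
]
# Traces whose root Resource matches any pattern are discarded entirely.
IGNORE_RESOURCES = [r"^GET /healthcheck$", r"^GET /metrics$"]


class RedactingPostProcessor:
    """Intercepts finished Traces, redacts matching Tag values, drops ignored Traces."""

    def __init__(self, replace_tags, ignore_resources):
        self._replace_rules = [
            (rule["name"], re.compile(rule["pattern"]), rule["repl"])
            for rule in replace_tags
        ]
        self._ignore_rules = [re.compile(p) for p in ignore_resources]

    def process_trace(self, trace: Trace) -> Optional[Trace]:
        """Return the (mutated) Trace to submit, or None to discard it."""
        if not trace:
            return None
        root_resource = str(trace[0].get("resource", ""))
        if any(rule.search(root_resource) for rule in self._ignore_rules):
            return None
        for span in trace:
            meta = span.setdefault("meta", {})
            for tag in list(meta):
                value = str(meta[tag])
                for name, pattern, repl in self._replace_rules:
                    if name == "*" or name == tag:
                        value = pattern.sub(repl, value)
                meta[tag] = value
        return trace


def sample_traces() -> List[Trace]:
    """Constructed Traces: one carrying a session token and an e-mail, one health check."""
    return [
        [
            {"name": "http.request", "resource": "GET /users/?",
             "meta": {"http.url": "https://shop.example/users/42?token=abc123&page=2"}},
            {"name": "sql.query", "resource": "SELECT id FROM users WHERE email = ?",
             "meta": {"sql.query": "SELECT id FROM users WHERE email='a.user@example.com'"}},
        ],
        [
            {"name": "http.request", "resource": "GET /healthcheck", "meta": {}},
        ],
    ]


def process_all(processor: RedactingPostProcessor, traces: List[Trace]) -> List[Trace]:
    """Run every Trace through the post-processor and keep those not discarded."""
    kept = []
    for trace in traces:
        result = processor.process_trace(trace)
        if result is not None:
            kept.append(result)
    return kept


if __name__ == "__main__":
    processor = RedactingPostProcessor(REPLACE_TAGS, IGNORE_RESOURCES)
    for trace in process_all(processor, sample_traces()):
        for span in trace:
            print(span["name"], span["resource"], span["meta"])
```

Redacting in the tracer rather than only in the Agent means the sensitive value never crosses the host's local socket or appears in Agent debug logs; the trade-off is that every instrumented service must ship the same rules, so the Agent-side settings remain the backstop for integrations you did not anticipate.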

Tailored Instrumentation

If a customer requires tailored instrumentation for a specific application, they should consider relying on the Agent-side tracing API to select individual Spans to include in Traces submitted to Datadog. See the API documentation for additional information.
