Overview
Sensitive data, such as credit card numbers, bank routing numbers, and API keys are often exposed unintentionally in application logs, APM spans, and RUM events, which can expose your organization to financial and privacy risks.
Sensitive Data Scanner is a stream-based, pattern matching service used to identify, tag, and optionally redact or hash sensitive data. Security and compliance teams can implement Sensitive Data Scanner as a new line of defense, helping prevent against sensitive data leaks and limiting non-compliance risks.
To use Sensitive Data Scanner, set up a scanning group to define what data to scan and then set up scanning rules to determine what sensitive information to match within the data.
If you want to redact your sensitive data in your environment before shipping to your downstream destinations, see how to redact sensitive data with Observability Pipelines.
This document walks you through the following:
Note: See PCI DSS Compliance for information on setting up a PCI-compliant Datadog organization.
Permissions
By default, users with the Datadog Admin role have access to view and set up scanning rules. To allow other users access, grant the data_scanner_read or data_scanner_write permissions under Compliance to a custom role. See Access Control for details on how to set up roles and permissions.
Set up Sensitive Data Scanner
This section walks you through the following to set up Sensitive Data Scanner:
You can also redact sensitive data in tags.
Add a scanning group
A scanning group determines what data to scan. It consists of a query filter and a set of toggles to enable scanning for logs, APM, RUM, and events. See the Log Search Syntax documentation to learn more about query filters.
For Terraform, see the Datadog Sensitive Data Scanner group resource.
To set up a scanning group:
- Navigate to the Sensitive Data Scanner configuration page. Alternatively, go to Organization Settings > Manage Sensitive Data and click the Configuration tab.
- Click Add scanning group. Alternatively, click the Add dropdown menu on the top right corner of the page and select Add Scanning Group.
- Enter a query filter for the data you want to scan. At the top, click APM Spans to preview the filtered spans. Click Logs to see the filtered logs.
- Enter a name and description for the group.
- Click the toggle buttons to enable Sensitive Data Scanner for the products you want (for example, logs, APM spans, RUM events, and Datadog events).
- Click Create.
Add scanning rules
A scanning rule determines what sensitive information to match within the data defined by a scanning group. You can add predefined scanning rules from Datadog’s Scanning Rule Library or create your own rules using regex patterns. The data is scanned at ingestion time during processing. For logs, this means the scan is done before indexing and other routing decisions.
For Terraform, see the Datadog Sensitive Data Scanner rule resource.
To add scanning rules:
- Navigate to the Sensitive Data Scanner configuration page.
- Click the scanning group where you want to add the scanning rules.
- Click Add Scanning Rule. Alternatively, click the Add dropdown menu on the top right corner of the page and select Add Scanning Rule.
- Select whether you want to add a library rule or create a custom scanning rule.
The Scanning Rule Library contains predefined rules for detecting common patterns such as email addresses, credit card numbers, API keys, authorization tokens, and more.
- In the Add library rules to the scanning group section, select the library rules you want to use.
- In the Define rule target and action section, select if you want to scan the Entire Event or Specific Attributes.
- If you are scanning the entire event, you can optionally exclude specific attributes from getting scanned.
- If you are scanning specific attributes, specify which attributes you want to scan.
- For Create keyword dictionary, add keywords to refine detection accuracy when matching regex conditions. For example, if you are scanning for a sixteen-digit Visa credit card number, you can add keywords like
visa, credit, and card. You can also require that these keywords must be within a specified number of characters of a match. By default, keywords must be within 30 characters before a matched value. - For Define actions on match, select the action you want to take for the matched information. Note: Redaction, partial redaction, and hashing are all irreversible actions.
- Redact: Replaces all matching values with the text you specify in the Replacement text field.
- Partially Redact: Replaces a specified portion of all matched data. In the Redact section, specify the number of characters you want to redact and which part of the matched data to redact.
- Hash: Replaces all matched data with a unique identifier. The UTF-8 bytes of the match is hashed with the 64-bit fingerprint of FarmHash.
- Optionally, add tags you want to associate with events where the values match the specified regex pattern. Datadog recommends using
sensitive_data and sensitive_data_category tags. These tags can then be used in searches, dashboards, and monitors. See Control access to logs with sensitive data for information on how to use tags to determine who can access logs containing sensitive information. - For Set priority level, select the priority level for the rule based on your business needs.
- In the Name and describe the scanning rule section, enter a name for the rule. Optionally, add a description.
- Click Add Rules.
You can create custom scanning rules using regex patterns to scan for sensitive data.
- In the Define match conditions section, specify the regex pattern to use for matching against events in the Define regex field. Enter sample data in the Regex tester field to verify that your regex pattern is valid.
Sensitive Data Scanner supports Perl Compatible Regular Expressions (PCRE), but the following patterns are not supported:- Backreferences and capturing sub-expressions (lookarounds)
- Arbitrary zero-width assertions
- Subroutine references and recursive patterns
- Conditional patterns
- Backtracking control verbs
- The
\C “single-byte” directive (which breaks UTF-8 sequences) - The
\R newline match - The
\K start of match reset directive - Callouts and embedded code
- Atomic grouping and possessive quantifiers
- For Create keyword dictionary, add keywords to refine detection accuracy when matching regex conditions. For example, if you are scanning for a sixteen-digit Visa credit card number, you can add keywords like
visa, credit, and card. You can also require that these keywords must be within a specified number of characters of a match. By default, keywords must be within 30 characters before a matched value. - For Define actions on match, select the action you want to take for the matched information. Note: Redaction, partial redaction, and hashing are all irreversible actions.
- Redact: Replaces all matching values with the text you specify in the Replacement text field.
- Partially Redact: Replaces a specified portion of all matched data. In the Redact section, specify the number of characters you want to redact and which part of the matched data to redact.
- Hash: Replaces all matched data with a unique identifier. The UTF-8 bytes of the match is hashed with the 64-bit fingerprint of FarmHash.
- Optionally, add tags you want to associate with events where the values match the specified regex pattern. Datadog recommends using
sensitive_data and sensitive_data_category tags. These tags can then be used in searches, dashboards, and monitors. See Control access to logs with sensitive data for information on how to use tags to determine who can access logs containing sensitive information. - For Set priority level, select the priority level for the rule based on your business needs.
- In the Name and describe the scanning rule section, enter a name for the rule. Optionally, add a description.
- Click Add Rule.
Notes:
- Any rules that you add or update only affect data coming into Datadog after the rule was defined.
- Sensitive Data Scanner does not affect any rules you define on the Datadog Agent directly.
- To turn off Sensitive Data Scanner entirely, set the toggle to off for each Scanning Group and Scanning Rule so that they are disabled.
See Investigate Sensitive Data Issues for details on how to use the Summary page to triage your sensitive data issues.
Control access to logs with sensitive data
To control who can access logs containing sensitive data, use tags added by the Sensitive Data Scanner to build queries with role-based access control (RBAC). You can restrict access to specific individuals or teams until the data ages out after the retention period. See How to Set Up RBAC for Logs for more information.
To redact sensitive data contained in tags, you must remap the tag to an attribute and then redact the attribute. Uncheck Preserve source attribute in the remapper processor so that the tag is not preserved during the remapping.
To remap the tag to an attribute:
- Navigate to your log pipeline.
- Click Add Processor.
- Select Remapper in the processor type dropdown menu.
- Name the processor.
- Select Tag key(s).
- Enter the tag key.
- Enter a name for the attribute the tag key is remapped to.
- Disable Preserve source attribute.
- Click Create.
To redact the attribute:
- Navigate to your scanning group.
- Click Add Scanning Rule.
- Check the library rules you want to use.
- Select Specific Attributes for Scan entire event or portion of it.
- Enter the name of the attribute you created earlier to specify that you want it scanned.
- Select the action you want when there’s a match.
- Optionally, add tags.
- Click Add Rules.
Out-of-the-box dashboard
When Sensitive Data Scanner is enabled, an out-of-the-box dashboard summarizing sensitive data findings is automatically installed in your account. To access this dashboard, go to Dashboards > Dashboards List and search for Sensitive Data Scanner Overview.
Further Reading
Additional helpful documentation, links, and articles:
