updates for account takeover (ATO) protection (#25246)
* updates for account takeover (ATO) protection

ASM collecting User Data by default for account takeover (ATO) protection

* incorp feedback

* Apply suggestions from code review

incorp EM's review

Co-authored-by: Julio Guerra <[email protected]>

* added link to User Monitoring and Protection

---------

Co-authored-by: Julio Guerra <[email protected]>
michaelcretzman and Julio-Guerra authored Sep 18, 2024
1 parent 936ceaa commit aa73e17
Showing 3 changed files with 21 additions and 4 deletions.
Expand Up @@ -34,7 +34,7 @@ Datadog Application Security [Threat Management][1] uses the information APM is

Services exposed to application attacks are highlighted directly in the security views embedded in APM ([Service Catalog][2], [Service Page][3], [Traces][4]).

Datadog Threat Monitoring and Detection identifies bad actors by collecting client IP addresses and manually-added user tags on all requests.
Datadog Threat Monitoring and Detection identifies bad actors by collecting client IP addresses, login account info (for example, user account/ID), and manually-added user tags on all requests.

<div class="alert alert-info"><strong>1-Click Enablement</strong><br>
If your service is running with <a href="/agent/remote_config/#enabling-remote-configuration">an Agent with Remote Configuration enabled and a tracing library version that supports it</a>, you can <a href="https://app.datadoghq.com/security/configuration/asm/setup">enable Application Security</a> from the Datadog UI without additional configuration of the Agent or tracing libraries.</div>
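Review bot: the new clause in the replacement line, "login account info (for example, user account/ID)", does not say that this collection is configurable. Since this same commit documents `DD_APPSEC_AUTO_USER_INSTRUMENTATION_MODE` with its `ident|anon|disabled` modes in another file, consider pointing readers to that setting from this intro sentence; otherwise they are left to assume user IDs are always captured. "user account/ID" is also ambiguous (account name or account ID?); "user account name or ID" would be clearer.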
Expand Up @@ -53,13 +53,15 @@ To add a passlist entry, do one of the following:

The data that you collect with Datadog can contain sensitive information that you want to filter out, obfuscate, scrub, filter, modify, or just not collect. Additionally, the data may contain synthetic traffic that might cause your threat detection be inaccurate, or cause Datadog to not accurately indicate the security of your services.

By default, ASM collects information from security traces to help you understand why the request was flagged as suspicious. Before sending the data, ASM scans it for patterns and keywords that indicate that the data is sensitive. If the data is deemed sensitive, it is replaced with a `<redacted>` flag. This enables you to observe that although the request was suspicious, the request data was not collected because of data security concerns.
By default, ASM collects information from security traces to help you understand why the request was flagged as suspicious. Before sending the data, ASM scans it for patterns and keywords that indicate that the data is sensitive. If the data is deemed sensitive, it is replaced with a `<redacted>` flag. This enables you to observe that although the request was suspicious, the request data was not collected because of data security concerns. User-related data, such user IDs of authenticated requests, are not part of the data being redacted.

To protect users' data, sensitive data scanning is activated by default in ASM. You can customize the configuration by using the following environment variables. The scanning is based on the [RE2 syntax][2]. To customize scanning, set the value of these environment variables to a valid RE2 pattern:
To protect users data, **sensitive data scanning is activated by default in ASM**. You can customize the configuration by using the following environment variables. The scanning is based on the [RE2 syntax][2]. To customize scanning, set the value of these environment variables to a valid [RE2][9] pattern:

* `DD_APPSEC_OBFUSCATION_PARAMETER_KEY_REGEXP` - Pattern for scanning for keys whose values commonly contain sensitive data. If found, the values and any child nodes associated with the key are redacted.
* `DD_APPSEC_OBFUSCATION_PARAMETER_VALUE_REGEXP` - Pattern for scanning for values that could indicate sensitive data. If found, the value and all its child nodes are redacted.



<div class="alert alert-info"><strong>For Ruby only, starting in <code>ddtrace</code> version 1.1.0</strong>

<p>You can also configure scanning patterns in code:</p>
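Review bot: the sentence appended to the redaction paragraph has a missing word and a number-agreement problem: "User-related data, such user IDs of authenticated requests, are not part of the data being redacted" should read "User-related data, such as user IDs of authenticated requests, is not redacted". This is the most security-relevant line in the change (login identifiers bypass the sensitive-data scanner), so it deserves precise wording; it would also help to state whether the `DD_APPSEC_OBFUSCATION_PARAMETER_KEY_REGEXP` and `DD_APPSEC_OBFUSCATION_PARAMETER_VALUE_REGEXP` patterns listed just below can be extended to cover user fields, or whether user data is exempt from them entirely. Two smaller points: the rewrite of "To protect users' data" drops the apostrophe ("users data"), and three consecutive blank lines are introduced before the `<div class="alert alert-info">` block where one blank line is the convention in this file.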
Expand Down Expand Up @@ -92,6 +94,9 @@ The following are examples of data that are flagged as sensitive by default:

See [APM Data Security][3] for information about other mechanisms in the Datadog Agent and libraries that can also be used to remove sensitive data.

See [Automatic user activity event tracking modes][10] for information on automatic user activity tracking modes and how to configure them. See how Datadog libraries allow you to configure auto-instrumentation by using the `DD_APPSEC_AUTO_USER_INSTRUMENTATION_MODE` environment variable with the short name for the mode: `ident|anon|disabled`.


## Configure a custom blocking page or payload

{{% asm-protection-page-configuration %}}
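Review bot: the added paragraph repeats itself ("See [Automatic user activity event tracking modes][10] for information on automatic user activity tracking modes") and its second sentence ("See how Datadog libraries allow you to configure auto-instrumentation by using ...") reads as an instruction rather than a statement. Suggested rewording: "See [Automatic user activity event tracking modes][10] to learn how to configure automatic user tracking. The mode is selected with the `DD_APPSEC_AUTO_USER_INSTRUMENTATION_MODE` environment variable, whose value is one of `ident`, `anon`, or `disabled`." Because this paragraph is the only place the change tells readers how to stop collecting login IDs, consider placing it directly after the redaction paragraph that states user data is not redacted, rather than after the APM Data Security cross-reference. Also, two blank lines are added before the `## Configure a custom blocking page or payload` heading; one is enough.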
Expand All @@ -110,5 +115,6 @@ See [APM Data Security][3] for information about other mechanisms in the Datadog
[6]: /help/
[7]: /security/application_security/threats/add-user-info/?tab=set_user#disabling-automatic-user-activity-event-tracking
[8]: https://app.datadoghq.com/security/configuration/asm/services-config

[9]: https://github.com/google/re2/wiki/Syntax
[10]: /security/application_security/threats/add-user-info/?tab=set_user#automatic-user-activity-event-tracking-modes
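Review bot: a stray blank line is inserted between `[8]` and `[9]` in the link reference list; the other entries are contiguous, so drop it. The new `[9]` and `[10]` targets do match the references introduced earlier in this file (`[RE2][9]` and `[Automatic user activity event tracking modes][10]`). Note that the edited sentence now links "[RE2 syntax][2]" and "[RE2][9]" side by side; if `[2]` already resolves to the RE2 syntax wiki, one reference would suffice.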

11 changes: 11 additions & 0 deletions content/en/tracing/configure_data_security/_index.md
Expand Up @@ -35,6 +35,7 @@ The table below describes the personal data categories collected by the automati
| Geographic location | Longitude and latitude coordinates that can be used to identify an individual or household. |
| URI parameters | The parameter values in the variable part of the URI path or the URI query. |
| URI userinfo | The userinfo subcomponent of the URI that may contain the user name. |
| Login ID | Can include an account/user ID, name, or email address. |

The table below describes the default behavior of each language tracing library with regard to whether a data category is collected and whether it is obfuscated by default.
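Review bot: the other rows in this table say where the value comes from ("the userinfo subcomponent of the URI", "the parameter values in the variable part of the URI path"), whereas the new "Login ID" row only lists what it can contain. State the source as well, for example that it is the identifier captured from login or authentication events, so readers can tell it apart from the existing "URI userinfo" row, which can also carry a user name.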

Expand All @@ -51,6 +52,7 @@ The table below describes the default behavior of each language tracing library
| Geographic location | | |
| URI parameters | <i class="icon-check-bold"></i> | |
| URI userinfo | | |
| Login ID | <i class="icon-check-bold"></i> | |

{{% /tab %}}
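Review bot: the new row marks Login ID as collected by default but leaves the "obfuscated by default" column empty, which is consistent with the statement added elsewhere in this commit that user-related data is not redacted; that is worth making explicit in the prose above these tables, because a reader scanning the table may otherwise expect an obfuscation option to exist. The tab labels fall outside the hunk context, so the diff alone cannot confirm that every language library really collects login IDs by default; check each tracer before merging, since the identical row is added to all ten tabs.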

Expand All @@ -67,6 +69,7 @@ The table below describes the default behavior of each language tracing library
| Geographic location | | |
| URI parameters | <i class="icon-check-bold"></i> | <i class="icon-check-bold"></i> |
| URI userinfo | | |
| Login ID | <i class="icon-check-bold"></i> | |

{{% /tab %}}

Expand All @@ -83,6 +86,7 @@ The table below describes the default behavior of each language tracing library
| Geographic location | | |
| URI parameters | <i class="icon-check-bold"></i> | <i class="icon-check-bold"></i> |
| URI userinfo | | |
| Login ID | <i class="icon-check-bold"></i> | |

{{% /tab %}}

Expand All @@ -99,6 +103,7 @@ The table below describes the default behavior of each language tracing library
| Geographic location | | |
| URI parameters | <i class="icon-check-bold"></i> | <i class="icon-check-bold"></i> |
| URI userinfo | <i class="icon-check-bold"></i> | <i class="icon-check-bold"></i> |
| Login ID | <i class="icon-check-bold"></i> | |

{{% /tab %}}
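Review bot: this tab is the only one in the diff that obfuscates "URI userinfo" by default, yet the new "Login ID" row is collected and not obfuscated. Both categories can carry a user name, so confirm that treating them differently is intended for this library and, if so, say why in the text above the table.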

Expand All @@ -115,6 +120,7 @@ The table below describes the default behavior of each language tracing library
| Geographic location | <i class="icon-check-bold"></i> | |
| URI parameters | <i class="icon-check-bold"></i> | <i class="icon-check-bold"></i> |
| URI userinfo | | |
| Login ID | <i class="icon-check-bold"></i> | |

[1]: /tracing/trace_collection/compatibility/python/#datastore-compatibility
{{% /tab %}}
Expand All @@ -132,6 +138,7 @@ The table below describes the default behavior of each language tracing library
| Geographic location | | |
| URI parameters | <i class="icon-check-bold"></i> | <i class="icon-check-bold"></i> |
| URI userinfo | | |
| Login ID | <i class="icon-check-bold"></i> | |

{{% /tab %}}

Expand All @@ -153,6 +160,7 @@ The table below describes the default behavior of each language tracing library
| HTTP body | <i class="icon-check-bold"></i> | <i class="icon-check-bold"></i> |
| HTTP cookies | <i class="icon-check-bold"></i> | <i class="icon-check-bold"></i> |
| HTTP headers | <i class="icon-check-bold"></i> | <i class="icon-check-bold"></i> |
| Login ID | <i class="icon-check-bold"></i> | |

{{% /tab %}}

Expand All @@ -172,6 +180,7 @@ The table below describes the default behavior of each language tracing library
| HTTP body | | |
| HTTP cookies | | |
| HTTP headers | | |
| Login ID | <i class="icon-check-bold"></i> | |

{{% /tab %}}
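Review bot: in this tab and the two that follow, the existing rows show HTTP body, cookies, and headers as not collected by default, while the new "Login ID" row is marked as collected by default. A library that collects none of the HTTP categories but does collect login identifiers is a notable exception; double-check the default for these tracers and, if the row is correct, consider a short note explaining that login IDs are collected independently of HTTP payload collection.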

Expand All @@ -191,6 +200,7 @@ The table below describes the default behavior of each language tracing library
| HTTP body | | |
| HTTP cookies | | |
| HTTP headers | | |
| Login ID | <i class="icon-check-bold"></i> | |

{{% /tab %}}

Expand All @@ -210,6 +220,7 @@ The table below describes the default behavior of each language tracing library
| HTTP body | | |
| HTTP cookies | | |
| HTTP headers | | |
| Login ID | <i class="icon-check-bold"></i> | |

{{% /tab %}}

