[DOCS-9921] Add attacker clustering & attacker fingerprint public doc #27194
+167
−1
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Preview links (active after the
|
obordeau
reviewed
Jan 22, 2025
content/en/security/application_security/threats/attacker-clustering.md
Outdated
Show resolved
Hide resolved
obordeau
approved these changes
Jan 22, 2025
jkirsteins
reviewed
Jan 22, 2025
There was a problem hiding this comment.
For the screenshots provided:
- It's not obvious what the screenshots are illustrating, without context imho. I'd suggest adding some guidance on where to look. E.g. we show a screenshot for detection rule editor -> should be a red box showing that focus should be on the tag part.
- Or if we show the signal sidepanel, a red box should show that the interesting bit is the attacker section at the bottom.
- All of the IPs should be blurred out. IIRC that's the policy for screeenshots showing any kind of IP/user/email information, even if randomly generated.
content/en/security/application_security/threats/attacker-fingerprint.md
Outdated
Show resolved
Hide resolved
content/en/security/application_security/threats/attacker-fingerprint.md
Outdated
Show resolved
Hide resolved
|
|
||
| ## Overview | ||
|
|
||
| Datadog Attacker fingerprints are a threat hunting tool. They are automatically computed and added to your traces on attack or login attempts when Application Security Management (ASM) is enabled on your service. |
There was a problem hiding this comment.
are a threat hunting tool.
Are they useful for anything outside of attacker clustering?
My intuitive understanding is no - the data is fragmented across many attributes, and those are not very clear how to use manually.
Unless we can share some use cases that don't involve relying on Attacker Clustering, I'd suggest framing this as a feature mainly intended to power attacker clustering.
I'd go even further - if they don't have standalone use cases we can demonstrate, I think this content should be on the Attacker Clustering doc page and not separate.
There was a problem hiding this comment.
We might be able to use it for blocking or more advanced threat hunting (probably requires good example from @Taiki-San) so I would keep it on it's own page. However it's true that at the moment it's only used for clustering so I'll focus the explanation on that
content/en/security/application_security/threats/attacker-clustering.md
Outdated
Show resolved
Hide resolved
content/en/security/application_security/threats/attacker-clustering.md
Outdated
Show resolved
Hide resolved
content/en/security/application_security/threats/attacker-clustering.md
Outdated
Show resolved
Hide resolved
content/en/security/application_security/threats/attacker-clustering.md
Outdated
Show resolved
Hide resolved
content/en/security/application_security/threats/attacker-clustering.md
Outdated
Show resolved
Hide resolved
…tering.md Co-authored-by: Jānis Kiršteins <[email protected]>
…tering.md Co-authored-by: Jānis Kiršteins <[email protected]>
…tering.md Co-authored-by: Jānis Kiršteins <[email protected]>
…tering.md Co-authored-by: Jānis Kiršteins <[email protected]>
…erprint.md Co-authored-by: Jānis Kiršteins <[email protected]>
…erprint.md Co-authored-by: Jānis Kiršteins <[email protected]>
…of github.com:DataDog/documentation into emmanuelle.lejeail/attacker-clustering-fingerprinting
buraizu
changed the title
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
What does this PR do? What is the motivation?
Merge instructions
Merge readiness:
Merge queue is enabled in this repo. To have it automatically merged after it receives the required reviews, create the PR (from a branch that follows the
<yourname>/descriptionnaming convention) and then add the following PR comment:Additional notes