From a1caf678a14dd1a5da2accae08bb8898d7520130 Mon Sep 17 00:00:00 2001 From: DeForest Richards Date: Mon, 15 Jun 2026 16:57:58 -0600 Subject: [PATCH] [DOCS-14731] Add SDS supported actions table and Agent Observability scanning details --- .../llm_observability/data_security_and_rbac.md | 10 ++++++++++ .../sensitive_data_scanner/setup/_index.md | 3 ++- .../setup/telemetry_data.md | 16 +++++++++++++++- 3 files changed, 27 insertions(+), 2 deletions(-) diff --git a/content/en/llm_observability/data_security_and_rbac.md b/content/en/llm_observability/data_security_and_rbac.md index 9e2cd30fc14..e39696fd9ab 100644 --- a/content/en/llm_observability/data_security_and_rbac.md +++ b/content/en/llm_observability/data_security_and_rbac.md @@ -33,6 +33,14 @@ Agent Observability integrates with [Sensitive Data Scanner][3], which helps pre By proactively scanning for sensitive data, Agent Observability ensures that conversations remain secure and compliant with data protection regulations. This additional layer of security reinforces Datadog's commitment to maintaining the confidentiality and integration of user interactions with LLMs. +Sensitive Data Scanner scanning for Agent Observability uses a managed scanning group that Datadog creates automatically when you first open the [Agent Observability Settings page][4]. You cannot create additional scanning groups or delete the managed group. + +You can customize the rules in the managed group: + +- Add predefined rules from the [Scanning Rule Library][5]. +- Disable rules you do not need. +- Add custom rules to detect additional sensitive data patterns. + ## Further reading {{< partial name="whats-next/whats-next.html" >}} 
@@ -40,4 +48,6 @@ By proactively scanning for sensitive data, Agent Observability ensures that con [1]: /account_management/rbac/data_access [2]: /llm_observability/instrumentation/sdk/#span-processing [3]: /security/sensitive_data_scanner/ +[4]: https://app.datadoghq.com/sensitive-data-scanner/configuration/llm-spans +[5]: /security/sensitive_data_scanner/scanning_rules/library_rules/ diff --git a/content/en/security/sensitive_data_scanner/setup/_index.md b/content/en/security/sensitive_data_scanner/setup/_index.md index 6e549086f74..6638423a614 100644 --- a/content/en/security/sensitive_data_scanner/setup/_index.md +++ b/content/en/security/sensitive_data_scanner/setup/_index.md @@ -15,7 +15,7 @@ further_reading: Set up Sensitive Data Scanner to scan your: - Telemetry data, so you can identify sensitive data in your logs, APM spans, RUM events, and events from Event Management. See [Set Up for Telemetry Data][1] for instructions. -- Agent Observability data, so you can identify sensitive data in LLM traces, prompts, and completions. Navigate to the [Agent Observability Settings page][3] to configure scanning. +- Agent Observability data, so you can identify sensitive data in LLM traces, prompts, and completions. Configure scanning on the [Agent Observability Settings page][3]. See [Agent Observability Data Security and RBAC][5] for details. - Cloud storage data, so you can identify sensitive data in your Amazon S3 buckets. See [Set Up for Cloud Storage][2] for instructions. - Code repositories, so you can detect exposed secrets in source code. See [Secret Scanning][4] for instructions. @@ -27,3 +27,4 @@ Set up Sensitive Data Scanner to scan your: [2]: /security/sensitive_data_scanner/setup/cloud_storage/ [3]: https://app.datadoghq.com/sensitive-data-scanner/configuration/llm-spans [4]: /security/code_security/secret_scanning/ +[5]: /llm_observability/data_security_and_rbac/ 
diff --git a/content/en/security/sensitive_data_scanner/setup/telemetry_data.md b/content/en/security/sensitive_data_scanner/setup/telemetry_data.md index e6b282f80d3..25e476c39f4 100644 --- a/content/en/security/sensitive_data_scanner/setup/telemetry_data.md +++ b/content/en/security/sensitive_data_scanner/setup/telemetry_data.md @@ -53,6 +53,19 @@ This document goes through the following: - [How to control access to logs wth sensitive data](#control-access-to-logs-with-sensitive-data) - [How to redact sensitive data in tags](#redact-sensitive-data-in-tags) +## Supported actions by data source + +The action you can apply to matched sensitive data depends on the data source. The following table shows which actions Sensitive Data Scanner supports for each telemetry data source: + +| Action | Logs | APM | RUM | Events | +|------------------|------|-----|-----|--------| +| Redact | Yes | Yes | Yes | Yes | +| Partially redact | Yes | Yes | Yes | Yes | +| Hash | Yes | Yes | Yes | Yes | +| Mask | Yes | No | No | No | + +**Note**: Sensitive Data Scanner does not redact sensitive data in cloud storage resources. For cloud storage, Sensitive Data Scanner performs detection only. See [Set Up Sensitive Data Scanner for Cloud Storage][17] for more information. + ## Setup ### Permissions @@ -375,4 +388,5 @@ To turn off Sensitive Data Scanner entirely, set the toggle to **off** for each [13]: /observability_pipelines/processors/sensitive_data_scanner/ [14]: /observability_pipelines/configuration/set_up_pipelines/ [15]: /security/sensitive_data_scanner/scanning_rules/library_rules/ -[16]: /logs/log_configuration/archives/?tab=awss3#datadog-tags \ No newline at end of file +[16]: /logs/log_configuration/archives/?tab=awss3#datadog-tags +[17]: /security/sensitive_data_scanner/setup/cloud_storage/ \ No newline at end of file
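Review bot: In content/en/llm_observability/data_security_and_rbac.md (hunk at -33,6 +33,14), the added paragraphs say how to customize rules in the managed scanning group but not which action is applied when a rule matches in an LLM span. The table this patch adds to telemetry_data.md lists only Logs, APM, RUM and Events, so a reader cannot tell from either page whether matched prompt or completion text is redacted, hashed, or only flagged. Add a sentence naming the supported actions for Agent Observability, or link to where they are documented. The opening "Sensitive Data Scanner scanning for Agent Observability uses" also repeats itself; "Sensitive Data Scanner for Agent Observability uses" reads better. In the unchanged context line above the addition, "confidentiality and integration of user interactions" was probably meant to be "integrity" and could be fixed in the same pass.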
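Review bot: In content/en/security/sensitive_data_scanner/setup/telemetry_data.md (hunk at -53,6 +53,19), the new table lists "Mask" as a Logs-only action next to "Redact" and "Partially redact" without defining any of them or linking to a definition. The difference matters for anyone choosing an action: the reader needs to know whether the original value is removed or kept and hidden, and the row "| Mask | Yes | No | No | No |" gives no way to tell. Add one line per action under the table, or link the action names to the section that describes them. The new section is also not added to the "This document goes through the following" list directly above it, and that list's context line still carries the typo "logs wth sensitive data".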
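Review bot: In content/en/security/sensitive_data_scanner/setup/telemetry_data.md (hunk at -375,4 +388,5), the file still ends without a trailing newline: the "\ No newline at end of file" marker has moved from the [16] line to the new [17] line. Add a newline after "[17]: /security/sensitive_data_scanner/setup/cloud_storage/" so the next reference appended here does not produce another spurious change to the previous line, as this patch did to [16].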