Sensitive Data

App and API Protection matches known patterns for sensitive data in API requests and responses. If it finds a match, the endpoint is tagged with the category and type of sensitive data processed and displayed in API Endpoints.

The matching occurs within your application, and none of the sensitive data is sent to Datadog.

Supported data types

To see the supported data types (for example, payment:card), use the Schema Sensitive Data facet. You can also see the data type used in the Sensitive Data column.

Create API data scanners

By default, App and API Protection scans for PII, credentials, and payment types. Sensitive Data Detection provides API data scanners to define custom scanner data patterns beyond the defaults. These scanners improve visibility into the sensitive data of your API traffic.

In an API data scanner, you define a scanner category and type to classify API endpoints processing sensitive data (for example, health_info:patient_id). Next, you define the JSON key or value conditions that trigger the scanner.

When the scanner detects sensitive data, it tags the API endpoint with the category and type and displays it in API Endpoints.

To create an API data scanner and view its results, do the following:

1. In App and API Protection Policies, go to Sensitive Data Detection.
2. Click New Scanner.
3. In Select your scanner tags, define the category and type to classify the sensitive data. The scanner tags API endpoints with the format category:type.
4. In Define conditions on JSON keys and values, define the JSON key or value conditions to trigger the scanner.
5. Click Save Scanner. The scanner is enabled by default.
6. To view the results of the scanner, go to App and API Protection API Endpoints.
7. In the Schema Sensitive Data facet, the category and type of your custom scanner is listed in the format category:type. Custom scanner category:type tags are also visible in the Sensitive Data column of the explorer.

Request a personalized demo