[DOCS-11464] doc for new Users explorer #30842
📝 Documentation Team Review Required: This pull request requires approval from the @DataDog/documentation team before it can be merged. Please ensure your changes follow our documentation guidelines and wait for a team member to review and approve your changes.
## Overview | ||
|
||
Datadog App and API Protection identifies users as risks when one or more signals is associated with a user ID, email, or name. |
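Review bot: Subject-verb agreement in the Overview sentence: "one or more signals is associated" should read "one or more signals are associated". The same sentence also ties a user's appearance in the explorer to signals, while the suggestion further down in this review replaces "signals" with "traces" for the Users explorer bullet; pick one record type here so the Overview and the bullet list agree.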
The Users explorer includes all users that are associated with security traces, not signals. There are multiple ways customers can associate a user to a trace: https://docs.datadoghq.com/security/application_security/how-it-works/add-user-info/?tab=java#adding-authenticated-user-information-to-traces-and-enabling-user-blocking-capability
Users are identified by the @usr.id. When they are available, we also display the user name and e-mail.
Users aren't a risk in themselves, or at least not generally. Some risks are about the user being under attack (for instance, attempts to compromise them) where they're the victim
Also, if we're tracking traces, then any login attempt will cause a user to show up in there. In this case, the explorer becomes a user inventory (we then want to discourage a heavy-handed approach to block any user in the explorer)
- **Signal explorer**: Provides a list of actionable alerts such as Credential Stuffing Attack or Command Injection. Signals have workflow capabilities, a description, severity, and correlated Traces. Interactions include user assignment workflows, automated protection, analytics, search, and pivoting to Trace Explorer. | ||
- **Trace explorer**: List of evidence for business logic events, such as logins, or attack payloads. Interactions include analytics and search. | ||
- **Attackers explorer**: Identifies attackers as suspicious (IP addresses that have attacked in the last 24 hours up to a threshold) and flagged (IP addresses that have exceeded that threshold). | ||
- **Users explorer**: List of authenticated users associated with one or more signals. Interactions include: |
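Review bot: The explorer names in this list are inconsistent: "Signal explorer" and "Trace explorer" are singular while "Attackers explorer" and "Users explorer" are plural, and "Trace Explorer" is capitalized inside the Signal explorer bullet but not in its own bullet. Settle on one form (the capitalization question is also raised on the front matter title in this review). The Attackers explorer bullet states the 24-hour window but not the threshold that separates suspicious from flagged; either state it or link to the page that defines it.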
- **Users explorer**: List of authenticated users associated with one or more signals. Interactions include: | |
- **Users explorer**: List of authenticated users associated with one or more traces. Interactions include: |
content/en/security/application_security/security_signals/users_explorer.md
### Threat Intel Category | ||
|
||
**Benefit:** Shows the associated [Threat Intelligence Category][5]. | ||
|
||
Comparing helps you: | ||
* Understand the vector of compromise. | ||
* Prioritize responses (for example, `hosting_proxy` might require different mitigation than `malware`). | ||
|
||
### Threat Intel Intention | ||
|
||
**Benefit:** Clarifies **why the attacker stole the credentials** (fraud, espionage, resale, lateral movement, etc.). | ||
|
||
Matching intentions reveal: | ||
* Common attacker **goals**. | ||
* Whether your users were part of a **targeted vs opportunistic** campaign. | ||
* Whether you should expect **further action**, like BEC (business email compromise) or internal movement. |
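Review bot: The Threat Intel Intention benefit states as fact that "the attacker stole the credentials", but nothing in this hunk establishes a credential theft; the category and intention values are reputation attributes of the source IP, so a user can appear here as a target rather than a compromised account. Suggest "why an attacker targeting these users might be acting (fraud, espionage, resale, lateral movement, etc.)" or similar. Both "Comparing helps you:" and "Matching intentions reveal:" also leave implicit what is being compared (the users in the explorer, their associated IPs?); name the subject once at the top of the section.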
All the threat intel information provides insights about the attacker IPs' reputation.
Aligned, flagged IPs aren't necessarily bad, they're just known to sometimes be misused (often without the user knowing in the case of residential_proxy) and worth paying closer attention to
The Users explorer assigns one or more of the following risk categories to a user identified as a risk: | ||
|
||
- **New Geolocation:** User activity from an unfamiliar location might signal unauthorized access or legitimate travel requiring verification. | ||
- **Impossible Travel:** Occurs when a user logs in from two distant locations in an unrealistically short time, indicating possible credential compromise. |
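Review bot: The lead sentence is circular: a user "identified as a risk" is assigned risk categories, but the categories are what identify the user. Suggest "A user is listed with one or more of the following risk categories:". For Impossible Travel, the bullet should mention the false-positive case already raised in this review thread (VPN or proxy egress points that place consecutive logins in distant locations), since the current wording presents it as a reliable indicator of credential compromise.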
Worth highlighting that this sometimes misfires in case users are leveraging VPNs
|
||
Comparing helps you: | ||
* Understand the vector of compromise. | ||
* Prioritize responses (for example, `hosting_proxy` might require different mitigation than `malware`). |
Not really, maybe a better example would be corp_vpn (which are IPs used by businesses) and hosting_proxy which is almost exclusively malicious
Looks good! Just left a few minor suggestions. 🚀
@@ -0,0 +1,178 @@ | |||
--- | |||
title: Users Explorer |
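Review bot: The front matter title "Users Explorer" uses title case while the body text in this file writes "Users explorer" (the bullet list and the risk-categories paragraph shown above). Once the capitalization decision in this thread is settled, apply it to the body as well as the title so the page and its cross-references match.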
Just a general note that there is inconsistent capitalization for these explorers. For example, Attackers Explorer is all uppercase on its dedicated page.
I checked and they should all be titlecase: https://datadoghq.atlassian.net/wiki/spaces/WRITING/pages/5369593857/Datadog+products+and+features#T
incorp peer edit Co-authored-by: Brett Blue <[email protected]>
DOCS-11464
New topic covering the new Users explorer for App and API Protection.