Security Inbox

Available for:

Cloud Security Management | Application Security Management

Security Inbox provides a consolidated, actionable list of your most important security findings. It automatically contextualizes and correlates insights from Datadog security products across vulnerabilities, signals, misconfigurations, and identity risks into a unified, prioritized view of actions to take to strengthen your environment.

The Security Inbox shows prioritized security issues for remediation

Types of findings in Security Inbox

The findings that appear in Security Inbox are generated from Application Security Management (ASM) and Cloud Security Management (CSM). By default, these include the following types of findings:

  • A curated set of misconfigurations for CSM Misconfigurations, compiled by Datadog Security Research.
  • A curated set of identity risks for CSM Identity Risks, compiled by Datadog Security Research.
  • Application library vulnerabilities for Software Composition Analysis (SCA). All high and critical application library vulnerabilities on production services under attack appear in the inbox.
  • Application code vulnerabilities for Code Security vulnerabilities. All high and critical application code vulnerabilities appear in the inbox.
  • Attack Paths. An attack path outlines a series of interconnected misconfigurations, container image, host, and application vulnerabilities that malicious actors could leverage to gain unauthorized access, escalate privileges, or compromise sensitive data in your cloud environment. All attack paths are listed in Security Inbox by default.

Security Inbox also takes the following detected risks into consideration when determining which findings appear in the inbox:

  • Public accessibility: Publicly exposed resources carry elevated risk, especially if they contain vulnerabilities or misconfigurations. To learn more, see How Datadog Determines if Resources are Publicly Accessible.
  • Privileged access: Resources with privileged access carry elevated risk as they grant elevated permissions that can expand the attack surface.
  • Under attack: Resources that are seeing suspicious security activity carry elevated risks. Resources are flagged as “Under Attack” if a security signal has been detected on the resource in the last 15 days.
  • Exploit available: Vulnerabilities with public exploits available carry elevated risks. The availability of a public exploit is verified with different exploit databases, such as cisa.gov, exploit-db.com, and nvd.nist.gov.
  • In production: Vulnerabilities in production environments carry elevated risks. The environment is computed from the env and environment tags.

How Security Inbox prioritization works

Security Inbox ranks issues by considering the severity of a finding first, followed by the number of correlated risks, and then the number of impacted resources and services.

  • Severity (Critical, High, Medium, and Low): Severity is determined by the Datadog Security Scoring Framework for cloud misconfigurations and identity risks, and by CVSS 3.1 for vulnerabilities.
  • Number of detected risks: When two findings have the same severity, the one with a greater number of detected risks is given higher priority.
  • Number of impacted resources and services: If two findings share both the same severity and the same number of detected risks, the finding that impacts a greater number of resources and services is prioritized higher.

Note: The type of finding, detected risk, or impacted resource does not influence prioritization.
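The ranking rule above, together with the detected-risk definitions from the previous section (the 15-day "under attack" window and the env/environment tags), as an added worked example; this is not Datadog's code, and the Finding model and sample findings are constructed for illustration:

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}
UNDER_ATTACK_WINDOW = timedelta(days=15)  # signal on the resource in the last 15 days

@dataclass
class Finding:  # minimal model of an inbox finding (constructed for this example)
    title: str
    severity: str
    resources: frozenset            # impacted resources and services
    tags: dict = field(default_factory=dict)
    public: bool = False
    privileged: bool = False
    exploit_available: bool = False
    last_signal_at: Optional[datetime] = None  # most recent security signal, if any

def detected_risks(f: Finding, now: datetime) -> set:
    """Derive the five detected risks listed on the page for one finding."""
    risks = set()
    if f.public:
        risks.add("public_accessibility")
    if f.privileged:
        risks.add("privileged_access")
    if f.last_signal_at is not None and now - f.last_signal_at <= UNDER_ATTACK_WINDOW:
        risks.add("under_attack")
    if f.exploit_available:
        risks.add("exploit_available")
    # environment is computed from the env and environment tags
    if f.tags.get("env", f.tags.get("environment")) in ("prod", "production"):
        risks.add("in_production")
    return risks

def inbox_order(findings, now):
    """Severity first, then number of detected risks, then impacted resources/services."""
    def key(f):
        return (SEVERITY_RANK[f.severity.lower()], len(detected_risks(f, now)), len(f.resources))
    return sorted(findings, key=key, reverse=True)

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE = [  # constructed sample findings
    Finding("High SCA vuln in prod", "high", frozenset({"svc-a", "svc-b", "svc-c"}), {"env": "prod"}, exploit_available=True, last_signal_at=NOW - timedelta(days=40)),
    Finding("Public EC2 under attack", "critical", frozenset({"i-1"}), public=True, last_signal_at=NOW - timedelta(days=7)),
    Finding("Critical code vuln in staging", "critical", frozenset({"svc-x", "svc-y", "svc-z"}), {"env": "staging"}),
    Finding("Public privileged role", "critical", frozenset({"role-%d" % i for i in range(5)}), public=True, privileged=True),
    Finding("Exploitable lib vuln in prod, under attack", "critical", frozenset({"svc-x"}), {"environment": "production"}, exploit_available=True, last_signal_at=NOW - timedelta(days=2)),
]
def ranked_titles(findings=SAMPLE, now=NOW):
    return [f.title for f in inbox_order(findings, now)]
```

Note that the 40-day-old signal on the first sample finding falls outside the 15-day window, so it does not count as "under attack", and that the staging finding ranks above the high-severity one purely on severity.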

Using the security context map to identify and mitigate vulnerabilities

The security context map for Attack Paths provides a comprehensive view to help identify and address potential breach points. It effectively maps interconnected misconfigurations, permission gaps, and vulnerabilities that attackers might exploit.

Key features include:

  • Risk assessment: The map enables security teams to assess the broader impact of vulnerabilities and misconfigurations. This includes evaluating whether security policies—such as access paths and permissions—need updating, and understanding the compliance implications of exposure, particularly when sensitive data is at risk within the blast radius.
  • Actionable context for immediate response: The map includes service ownership information and other relevant context, allowing teams to make informed, real-time decisions. Teams can take action directly from the map by running integrated workflows, sharing security issue links, and accessing the AWS console view of resources for efficient remediation, all without switching tools.

The security context map showing a publicly accessible AWS EC2 instance with a critical misconfiguration
