1 change: 0 additions & 1 deletion content/en/security/guide/_index.md
Expand Up @@ -50,6 +50,5 @@ disable_toc: true

{{< whatsnext desc="Sensitive Data Scanner Guides:" >}}
{{< nextlink href="security/sensitive_data_scanner/guide/investigate_sensitive_data_findings" >}}Investigate Sensitive Data Findings{{< /nextlink >}}
{{< nextlink href="security/sensitive_data_scanner/guide/best_practices_for_creating_custom_rules" >}}Best Practices for Creating Custom Rules{{< /nextlink >}}
{{< /whatsnext >}}

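Review bot: Removing this nextlink is consistent with the guide being deleted and its URL being aliased to the Telemetry Data page in this same change, so no dangling link is left behind; with only the investigate_sensitive_data_findings entry remaining, the "Sensitive Data Scanner Guides:" block is still well-formed.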
3 changes: 0 additions & 3 deletions content/en/security/sensitive_data_scanner/_index.md
Expand Up @@ -14,9 +14,6 @@ further_reading:
- link: "coterm"
tag: "Documentation"
text: "CoTerm: Monitor terminal sessions and sensitive activities on local and remote systems"
- link: "/security/sensitive_data_scanner/guide/best_practices_for_creating_custom_rules"
tag: "Documentation"
text: "Best practices for creating custom rules"
- link: "/data_security/"
tag: "Documentation"
text: "Reducing data related risks"
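Review bot: Fine as is; the removed item is the only reference to the deleted guide on this page, and the surrounding `further_reading` list stays valid YAML (each remaining `- link:` keeps its `tag` and `text`).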
Original file line number Diff line number Diff line change
Expand Up @@ -7,5 +7,4 @@ aliases:

{{< whatsnext desc="Guides:" >}}
{{< nextlink href="security/sensitive_data_scanner/guide/investigate_sensitive_data_findings" >}}Investigate Sensitive Data Findings{{< /nextlink >}}
{{< nextlink href="security/sensitive_data_scanner/guide/best_practices_for_creating_custom_rules" >}}Best Practices for Creating Custom Rules{{< /nextlink >}}
{{< /whatsnext >}}

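Review bot: This hunk's file path is not shown above it, but the `whatsnext desc="Guides:"` block identifies it as the guide index; after the removal the block carries a single nextlink, so consider whether a one-entry guides list still earns its own page or whether that entry belongs in the parent `whatsnext` in security/guide/_index.md.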
This file was deleted.

Expand Up @@ -4,9 +4,6 @@ disable_toc: false
aliases:
- /sensitive_data_scanner/scanning_rules
further_reading:
- link: "/security/sensitive_data_scanner/guide/best_practices_for_creating_custom_rules/"
tag: "Documentation"
text: "Best practices for creating custom scanning rules"
- link: https://www.datadoghq.com/blog/cloudcraft-security/
tag: Blog
text: Visually identify and prioritize security risks using Cloudcraft
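Review bot: The removed link used a trailing slash (`.../best_practices_for_creating_custom_rules/`) while the same link elsewhere in this diff has none; both forms are covered by the aliases added to the Telemetry Data page, so no follow-up is needed. Minor style point: the remaining Cloudcraft entry leaves `link`, `tag` and `text` unquoted while the Documentation entries quote them; consider quoting for consistency.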
Expand Up @@ -9,9 +9,6 @@ further_reading:
- link: "/security/sensitive_data_scanner/"
tag: "Documentation"
text: "Set up Sensitive Data Scanner"
- link: "/security/sensitive_data_scanner/guide/best_practices_for_creating_custom_rules"
tag: "Documentation"
text: "Best practices for creating custom rules"
---

## Overview
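Review bot: Straightforward removal; the `---` terminator and `## Overview` context confirm the front matter block stays closed and the `/security/sensitive_data_scanner/` entry remains the page's only further_reading link.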
Expand Up @@ -3,16 +3,15 @@ title: Telemetry Data
disable_toc: false
aliases:
- /sensitive_data_scanner/setup/telemetry_data
- /security/sensitive_data_scanner/guide/best_practices_for_creating_custom_rules
- /sensitive_data_scanner/guide/best_practices_for_creating_custom_rules
further_reading:
- link: "/security/sensitive_data_scanner/scanning_rules/library_rules"
tag: "Documentation"
text: "Learn more about out-of-the-box library rules"
- link: "/security/sensitive_data_scanner/scanning_rules/custom_rules"
tag: "Documentation"
text: "Learn more about creating custom rules"
- link: "/security/sensitive_data_scanner/guide/best_practices_for_creating_custom_rules/"
tag: "Documentation"
text: "Best practices for creating custom scanning rules"
---

## Overview
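Review bot: The two new aliases cover both the `/security/sensitive_data_scanner/guide/...` and the legacy `/sensitive_data_scanner/guide/...` paths of the deleted guide, which matches the path forms removed from `further_reading` entries across this diff. One caveat: a Hugo alias redirects to the top of this page, so readers following an old bookmark land on the Overview rather than on the best-practice guidance folded in further down; consider adding a pointer to those sections near the top of the page.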
Expand Down Expand Up @@ -79,10 +78,14 @@ By default, a newly-created scanning group is disabled. To enable a scanning gro

### Add scanning rules

A scanning rule determines what sensitive information to match within the data defined by a scanning group. You can add predefined scanning rules from Datadog's Scanning Rule Library or create your own rules using regex patterns. The data is scanned at ingestion time during processing. For logs, this means the scan is done before indexing and other routing decisions.
A scanning rule determines what sensitive information to match within the data defined by a scanning group. You can add predefined scanning rules from Datadog's Scanning Rule Library or create your own rules using regular expression (regex) patterns. The data is scanned at ingestion time during processing. For logs, this means the scan is done before indexing and other routing decisions.

Whenever possible, use Datadog's out-of-the-box library rules. These rules are predefined rules that detect common patterns such as email addresses, credit card numbers, API keys, authorization tokens, network and device information, and more. Each rule has recommended keywords for the keyword dictionary to refine matching accuracy. You can also [add your own keywords](#add-custom-keywords).

For Terraform, see the [Datadog Sensitive Data Scanner rule][6] resource.

#### Create a scanning rule

To add scanning rules, perform the following steps:

1. Navigate to the [Sensitive Data Scanner][5] settings page.
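Review bot: The new Terraform sentence uses a reference-style link `[6]`, but no `[6]:` definition appears in this hunk; confirm the reference exists in the link list at the bottom of the file (the `[5]` reference used by the next step evidently does), otherwise the text renders literally as `[6]`. The added `#### Create a scanning rule` heading introduces a new anchor; fine, but check nothing links into the steps at their old position.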
Expand All @@ -102,7 +105,7 @@ The Scanning Rule Library contains predefined rules for detecting common pattern

#### Add custom keywords

The [recommended keywords][15] are used by default when library rules are added. After adding library rules, you can edit each rule separately and add keywords to or remove keywords from the keyword dictionary.
The [recommended keywords][15] are used by default when library rules are added. After adding library rules, you can edit each rule separately and add keywords to or remove keywords from the keyword dictionary. For example, if you are scanning for a sixteen-digit Visa credit card number, you can add keywords like `visa`, `credit`, and `card`.

1. Navigate to the [Sensitive Data Scanner][5] settings page.
1. Click the scanning group with the rule you want to edit.
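Review bot: The Visa example is a useful addition; it would be clearer if the sentence also said whether keyword matching is case-insensitive (the examples are all lowercase, but a log line may carry `VISA` or `Card`) and how close to the match a keyword must appear, since that determines whether a broad keyword like `card` narrows the hit or lets unrelated card numbers through.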
Expand All @@ -127,7 +130,7 @@ You can create custom scanning rules using regex patterns to scan for sensitive
1. Enter a name for the rule.
1. In the **Priority** dropdown menu, select the priority level for the rule based on your business needs.
1. (Optional) Enter a description for the rule.
1. In the **Match conditions** section, specify the regex pattern to use for matching against events in the **Regex pattern** field.<br>
1. In the **Match conditions** section, specify the regex pattern to use for matching against events in the **Regex pattern** field. Define regex patterns that are as precise as possible because generic patterns result in more false positives.<br>
Sensitive Data Scanner supports Perl Compatible Regular Expressions (PCRE), but the following patterns are not supported:
- Backreferences and capturing sub-expressions (lookarounds)
- Arbitrary zero-width assertions
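Review bot: The added guidance on precise regex patterns is right, but a concrete contrast would help readers act on it, for example showing a card-number pattern bounded by word boundaries or separators next to a bare `\d{16}` that also matches order IDs and epoch timestamps. Separately, the unchanged context bullet "Backreferences and capturing sub-expressions (lookarounds)" conflates distinct constructs: lookarounds are zero-width assertions, not backreferences or capturing groups; if this list is being touched, split them into separate bullets.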
Expand Down Expand Up @@ -272,6 +275,13 @@ Use suppressions to ignore sensitive data matches you consider operationally saf
- Suppressed matches are excluded from the Findings page, dashboards, alerts, and other reporting workflows.
- Suppressions are defined per rule within a scanning group.

#### Scan or exclude specific attributes

To make matches more precise, you can also do one of the following:

- Scan the entire event but exclude certain attributes from getting scanned. For example, if you are scanning for personally identifiable information (PII) like names, you might want to exclude attributes such as `resource_name` and `namespace`.
- Scan for specific attributes to narrow the scope of the data that is scanned. For example, if you are scanning for names, you can choose specific attributes such as `first_name` and `last_name`.

### Edit scanning rules

To edit scanning rules:
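Review bot: The new `#### Scan or exclude specific attributes` section lands inside the suppressions content (the hunk context starts at "Use suppressions to ignore..."), but attribute scoping is a match-condition choice made when creating a rule, not a suppression; consider moving it under `### Add scanning rules` beside the regex guidance or promoting it to `###`, since an H4 here reads as a suppressions sub-feature. Note that the `#scan-or-exclude-specific-attributes` anchor is what the shortcode change in this PR links to, so the heading text must stay exactly as written wherever it ends up.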
2 changes: 1 addition & 1 deletion layouts/shortcodes/sds-scanning-rule.en.md
@@ -1,4 +1,4 @@
1. In the **Action on Match** section, select if you want to scan the **Entire Event** or **Specific Attributes**.
1. In the **Action on Match** section, select if you want to scan the **Entire Event** or **Specific Attributes**. See [Scan or exclude specific-attributes](#scan-or-exclude-specific-attributes) on how to make pattern matching more precise.
- If you are scanning the entire event, you can optionally exclude specific attributes from getting scanned.
- If you are scanning specific attributes, specify which attributes you want to scan.
1. For **Define actions on match**, select the action you want to take for the matched information. **Note**: Redaction, partial redaction, and hashing are all irreversible actions.
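Review bot: This shortcode lives in `layouts/shortcodes/`, so it is rendered on every page that includes it, but the `#scan-or-exclude-specific-attributes` fragment only resolves on the Telemetry Data page where that heading is added in this PR; on any other page that includes the shortcode the link is dead. Either use an absolute link to the Telemetry Data page's section or guard the sentence so it only appears there. Also, the link text `specific-attributes` carries a stray hyphen; it should read `specific attributes` to match the heading.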