Audit Trail Events

Docs > Account Management > Datadog Audit Trail > Audit Trail Events

Overview

Datadog Audit Trail records more than 100 types of audit events from across the Datadog platform. These audit events are categorized into different product categories as event names.

Platform Events

Access management
Agent
API request
Authentication
Dashboard
Integration
Monitor
Notebook
OAuth
Organization management
Security Notifications
Teams management

See the Audit Trail documentation for more information on setting up and configuring Audit Trail.

Audit Events

Access management events

Name	Description of audit event	Query in audit explorer
Application key (Service account user)	A user created, modified, or deleted an application key for a service account user.	`@evt.name:"Access Management" @asset.type:application_key`
Authentication methods (Org)	A user modified the allowed authentication methods for an org and what the previous and new values are.	`@evt.name:"Access Management" @asset.type:identity_provider`
Email	An email is added, disabled, or verified on the Datadog account as a user in the account.	`@evt.name:"Access Management" @asset.type:user`
Role modified	A role is modified and what the previous and new permissions are.	`@evt.name:"Access Management" @asset.type:role @action:modified`
Role created or deleted	A role is created or deleted in the org.	`@evt.name:"Access Management" @asset.type:role @action:(created OR deleted)`
Role access request	A user created, responded to, or deleted an access request for a role, and the value of the access request.	`@evt.name:"Access Management" @asset.type:role_request`
User’s role	A user is added or deleted from a role in the org.	`@evt.name:"Access Management" @asset.type:role @action:modified`
Password	A user modified their password in the org.	`@evt.name:"Access Management" @asset.type:password @action:modified`
Restriction policy	A restriction policy is modified for a resource.	`@evt.name:"Access Management" @asset.type:restriction_policy @action:(modified OR deleted)`
Email update (Support)	A user’s email was updated by Datadog Support.	`@evt.name:"Access Management" @evt.actor.type:SUPPORT_USER @asset.type:user @action:modified`
User invite (Support)	A user was invited to the org by Datadog Support.	`@evt.name:"Access Management" @evt.actor.type:SUPPORT_USER @asset.type:user @action:created`
User’s role (Support)	A user was added or deleted from a role in the org by Datadog Support.	`@evt.name:"Access Management" @evt.actor.type:SUPPORT_USER @asset.type:role @action:modified`
Role modified (Support)	A role was modified by Datadog Support, and what the previous and new permissions are.	`@evt.name:"Access Management" @evt.actor.type:SUPPORT_USER @asset.type:role @action:modified`

Agent

Name	Description of audit event	Query in audit explorer
Agent enabled	A new Datadog Agent was enabled.	`@evt.name:"Datadog Agent" @action:created`
Agent flare created	Datadog Agent flare is created for support tickets.	`@evt.name:"Datadog Agent" @action:created @asset.type:agent_flare`
Agent configuration updated	A Datadog Agent configuration was updated.	`@evt.name:"Datadog Agent" @action:modified`

API request events

Name	Description of audit event	Query in audit explorer
API Request	An API Request is made across the Datadog platform.	`@evt.name:Request @action:accessed`

Application Performance Monitoring (APM) events

Name	Description of audit event	Query in audit explorer
Retention filter	A user created, modified, or deleted a retention filter and the previous and/or new values for the retention filter configuration.	`@evt.name:APM @asset.type:retention_filter`
Span-based metric	A user created, modified, or deleted a span-based metric and the previous and/or new values for the metric configuration.	`@evt.name:APM @asset.type:custom_metrics`
Facet	A user created, modified, or deleted a facet and the previous and/or new values for the facet configuration.	`@evt.name:APM @asset.type:facet`
Primary operation name	A user created, modified, or deleted the primary operation name of a service and the previous and/or new values for the configuration.	`@evt.name:APM @asset.type:service_operation_name`
Second Primary tag	A user added, modified, or deleted the second primary tag and the previous and/or new values for the configuration.	`@evt.name:APM @asset.type:second_primary_tag`
Sampling rates remotely configured	A user remotely configured the APM sampling rates.	`@evt.name:APM @asset.type:samplerconfig`

Application Security Management

Name	Description of audit event	Query in audit explorer
One-click Activation	A user activated or de-activated ASM on a service.	`@evt.name:"Application Security" @asset.type:compatible_services`
Protection	A user enabled or disabled the ASM protection.	`@evt.name:"Application Security" @asset.type:blocking_configuration`
Denylist	A user blocked, unblocked, or extended the blocking duration of an IP address or a user ID.	`@evt.name:"Application Security" @asset.type:ip_user_denylist`
Passlist	A user added, modified, or deleted an entry to the passlist.	`@evt.name:"Application Security" @asset.type:passlist_entry`
In-App WAF Policy	A user created, modified, or deleted an In-App WAF policy.	`@evt.name:"Application Security" @asset.type:policy_entry`
In-App WAF Custom Rule	A user validated, created, modified, or deleted an In-App WAF custom rule.	`@evt.name:"Application Security" @asset.type:waf_custom_rule`

Audit Trail events

Name	Description of audit event	Query in audit explorer
Download as CSV	A user exports list of Audit Events as CSV	`@evt.name:Audit Trail @asset.type:audit_events_csv`

Authentication events

Name	Description of audit event	Query in audit explorer
API key (Org settings)	An API key is accessed, listed, created, or deleted in the Organization Settings page.	`@evt.name:Authentication @asset.type:api_key`
Application key (Org settings)	An application key is accessed, listed, created, or deleted in the Organization Settings page.	`@evt.name:Authentication @asset.type:application_key`
Public API key (Org settings)	A public API key is accessed, listed, created, or deleted in the Organization Settings page.	`@evt.name:Authentication @asset.type:public_api_key`
User login	A user logs into Datadog and the authentication method used.	`@evt.name:Authentication @action:login`

CI Visibility events

Name	Description of audit event	Query in audit explorer
Repository default branch	A user modified the default branch of a repository.	`@evt.name:"CI Visibility" @asset.type:ci_app_repository @action:modified`
Test service settings	A user created or modified the settings of a test service.	`@evt.name:"CI Visibility" @asset.type:ci_app_test_service_settings (@action:created OR @action:modified)`
GitHub account settings	A user has modified the GitHub account settings.	`@evt.name:"CI Visibility" @asset.type:github_opt_ins (@action:modified OR @action:deleted)`
Exclusion filters	The exclusion filters have been modified.	`@evt.name:"CI Visibility" @asset.type:ci_app_exclusion_filters @action:modified`
Quality gates rule	A user has created, modified or deleted a quality gate rule.	`@evt.name:"CI Visibility" @asset.type:ci_app_quality_gates (@action:created OR @action:modified OR @action:deleted)`

Cloud Security Platform events

Name	Description of audit event	Query in audit explorer
CWS agent rule	A user accessed (fetched) a CWS agent rule in the Cloud Security Platform.	`@evt.name:"Cloud Security Platform" @asset.type:cws_agent_rule @action:accessed`
Notification profile	A user created, updated, or deleted a notification profile in the Cloud Security Platform.	`@evt.name:"Cloud Security Platform" @asset.type:notification_profile`
Security rule	A user validated, updated, deleted, or created a security rule and the previous and new values for the rule.	`@evt.name:"Cloud Security Platform" @asset.type:security_rule`
Security signal	A user modified the state of a signal or assigned the signal to a user, and the previous and new values for the signal.	`@evt.name:"Cloud Security Platform" @asset.type:security_signal @action:modified`
Report subscription	A user subscribed or unsubscribed from a K9 email report.	`@evt.name:"Cloud Security Platform" @asset.type:report_subscription`

Dashboard events

Name	Description of audit event	Query in audit explorer
Dashboard created	A dashboard is created and the new JSON value for the dashboard.	`@evt.name:Dashboard @asset.type:dashboard @action:created`
Dashboard deleted	A dashboard is deleted and the previous JSON value for the dashboard.	`@evt.name:Dashboard @asset.type:dashboard @action:deleted`
Dashboard embedded (Roadie)	A Datadog dashboard is embedded into a third party and a user views the dashboard.	`@evt.name:Dashboard @asset.type:embed @action:accessed`
Dashboard modified	A dashboard is modified and the previous and new JSON values for the dashboard.	`@evt.name:Dashboard @asset.type:dashboard @action:modified`
Dashboard user(s) added	A user added user ID(s) that can access a dashboard and the list of new user IDs.	`@evt.name:Dashboard @asset.type:dashboard_share_acl @action:created`
Dashboard user(s) deleted	A user deleted user ID(s) that can access a dashboard and the list of the deleted user ID(s).	`@evt.name:Dashboard @asset.type:dashboard_share_acl @action:deleted`
Public URL accessed	A public dashboard URL is accessed.	`@evt.name:Dashboard @asset.type:dashboard @action:accessed`
Public URL generated or deleted	A public URL to view a dashboard is generated or deleted.	`@evt.name:Dashboard @asset.type:dashboard_share_link`

Dynamic Instrumentation events

Name	Description of audit event	Query in audit explorer
Logs Probe	A user has successfully created, modified or deleted a logs probe with Dynamic Instrumentation.	`@evt.name:"Dynamic Instrumentation" @action:(created OR modified OR deleted) @asset.type:log_probe`
Metrics Probe	A user has successfully created, modified or deleted a metrics probe with Dynamic Instrumentation.	`@evt.name:"Dynamic Instrumentation" @action:(created OR modified OR deleted) @asset.type:span_probe`
Spans Probe	A user has successfully created, modified or deleted a spans probe with Dynamic Instrumentation.	`@evt.name:"Dynamic Instrumentation" @action:(created OR modified OR deleted) @asset.type:metric_probe`

Error Tracking events

Name	Description of audit event	Query in audit explorer
Error Tracking for Logs activation	A user has enabled or disabled Error Tracking for Logs product.	`@evt.name:"Error Tracking" @action:(created OR deleted) @asset.type:error_tracking_logs`
Create or Modify inclusion filter	A user has added or modified an inclusion filter.	`@evt.name:"Error Tracking" @asset.type:error_tracking_inclusion_filter`

Integration events

Name	Description of audit event	Query in audit explorer
Resource	Anytime a resource (channel, service, webhook, account, instance, and so on) is added, modified, or deleted from an integration, and the previous and new values for the configuration.	`@evt.name:Integration @asset.type:integration`

Log Management events

Name	Description of audit event	Query in audit explorer
Archive configuration	A user created, modified, or deleted the configuration of an archive and the previous and new values for the configuration.	`@evt.name:"Log Management" @asset.type:archive`
Custom metric	A user created, modified, or deleted a custom metric for logs and the previous and new values for the custom metric configuration.	`@evt.name:"Log Management" @asset.type:"custom metric"`
Exclusion filter configuration	A user created, modified, or deleted the configuration of an exclusion filter and the previous and new values for the configuration.	`@evt.name:"Log Management" @asset.type:"exclusion filter"`
Facet	A user created, modified, or deleted a facet in the log explorer and the previous and new values for the facet configuration.	`@evt.name:"Log Management" @asset.type:facet`
Historical view	A user created, modified, aborted, or deleted a historical view for logs and the previous and new values for the historical view configuration.	`@evt.name:"Log Management" @asset.type:historical_view`
Index configuration	A user created, modified, or deleted the configuration of an index and the previous and new values for the configuration.	`@evt.name:"Log Management" @asset.type:index`
Log pipeline	A user created, modified, or deleted a log pipeline or nested pipeline and the previous and new values for the configuration.	`@evt.name:"Log Management" @asset.type:pipeline`
Processor	A user created, modified, or deleted a processor within a pipeline and the previous and new values for the configuration.	`@evt.name:"Log Management" @asset.type:pipeline_processor`
Query (Public Beta)	A user ran a Log Management List query either in log explorer, Dashboards or through the Public API.	`@evt.name:"Log Management" @asset.type:logs_query`
Restriction query configuration	A user created, modified, or deleted the configuration of a restriction query in logs and the previous and new values for the configuration.	`@evt.name:"Log Management" @asset.type:restriction_query`
Standard attribute configuration	A user created, modified, or deleted the configuration of a standard attribute in logs and the previous and new values for the configuration.	`@evt.name:"Log Management" @asset.type:standard_attribute`
Download as CSV	A user exports list of logs as CSV	`@evt.name:"Log Management" @asset.type:logs_csv`

Metrics events

Name	Description of audit event	Query in audit explorer
Custom metric created	A user created a custom metric and the new value for the custom metric configuration.	`@evt.name:Metrics @asset.type:metric @action:created`
Custom metric deleted	A user deleted a custom metric and the previous value for the custom metric configuration.	`@evt.name:Metrics @asset.type:metric @action:deleted`
Custom metric modified	A user modified a custom metric and the previous and new values for the custom metric configuration.	`@evt.name:Metrics @asset.type:metric @action:modified`

Monitor events

Name	Description of audit event	Query in audit explorer
Monitor created	A monitor is created and the new JSON value for the monitor.	`@evt.name:Monitor @asset.type:monitor @action:created`
Monitor deleted	A monitor is deleted and the previous JSON value for the monitor.	`@evt.name:Monitor @asset.type:monitor @action:deleted`
Monitor modified	A monitor is modified and the previous and new JSON values for the monitor.	`@evt.name:Monitor @asset.type:monitor @action:modified`
Monitor resolved	A monitor is resolved.	`@evt.name:Monitor @asset.type:monitor @action:resolved`

Notebook events

Name	Description of audit event	Query in audit explorer
Notebook created	A notebook is created and the new JSON value for the notebook.	`@evt.name:Notebook @asset.type:notebook @action:created`
Notebook deleted	A notebook is deleted and the previous JSON value for the notebook.	`@evt.name:Notebook @asset.type:notebook @action:deleted`
Notebook modified	A notebook is modified and the previous and new JSON values for the notebook.	`@evt.name:Notebook @asset.type:notebook @action:modified`

OAuth events

Name	Description of audit event	Query in audit explorer
OAuth client	A user created, modified, or deleted an OAuth client and the previous and new values for the OAuth client.	`@evt.name:OAuth @asset.type:oauth_client`

Organization management events

Name	Description of audit event	Query in audit explorer
Audit Trail settings	A user modified Audit Trail settings and what the previous and new settings are.	`@evt.name:"Organization Management" @asset.type:audit_logs_settings`
Child org created	A user created a new child organization for an existing Datadog organization.	`@evt.name:"Organization Management" @asset.type:organization @action:created`

Real User Monitoring events

Name	Description of audit event	Query in audit explorer
RUM application created	A user created or deleted an application in RUM and the type of the application (Browser, Flutter, iOS, React Native, Android).	`@evt.name:"Real User Monitoring" @asset.type:real_user_monitoring_application @action:(created OR deleted)`
RUM application modified	A user modified an application in RUM, the new value of the application, and the type of the application (Browser, Flutter, iOS, React Native, Android).	`@evt.name:"Real User Monitoring" @asset.type:real_user_monitoring_application @action:modified`
Session replay viewed	A user viewed a session replay.	`@evt.name:"Real User Monitoring" @asset.type:session_replay @action:accessed`

Security Notification events

Name	Description of audit event	Query in audit explorer
Token leaked	Datadog has detected leaked Datadog API or Application Key that should be revoked.	`@evt.name:"Security Notification" @asset.type:(api_key OR application_key) @action:notification`
Login method override	Datadog has detected a user login method override that is different from the default login methods set for the organization.	`@evt.name:"Security Notification" @asset.type:user @action:notification`
Unusual login	Datadog has detected a unusual login event.	`@evt.name:"Security Notification" @asset.type:unusual_login @action:notification`
User invited with throwaway email	Datadog has detected that a user with an email from a free or disposable email provider was invited to the organization.	`@evt.name:"Security Notification" @asset.type:user_invite @action:notification`

Sensitive Data Scanner events

Name	Description of audit event	Query in audit explorer
Scanning group	A user created, modified, or deleted a scanning group in Sensitive Data Scanner and the previous and new values for the configuration.	`@evt.name:"Sensitive Data Scanner" @asset.type:sensitive_data_scanner_scanning_group`
Scanning rule	A user created, modified, or deleted a scanning rule within a scanning group in Sensitive Data Scanner and the previous and new values for the configuration.	`@evt.name:"Sensitive Data Scanner" @asset.type:sensitive_data_scanner_scanning_rule`

Service Level Objectives (SLO) events

Name	Description of audit event	Query in audit explorer
SLO	A user creates, modifies, or deletes an SLO and the previous and new values for the SLO.	`@evt.name:SLO @asset.type:slo`
SLO correction	A user creates, modifies, or deletes an SLO correction and the previous and new values for the SLO correction.	`@evt.name:SLO @asset.type:slo_correction`

Synthetic Monitoring events

Name	Description of audit event	Query in audit explorer
Private location	A user created or deleted a private location for Synthetic tests.	`@evt.name:"Synthetics Monitoring" @asset.type:synthetics_private_location`
Synthetic test created or deleted	A user created or deleted a Synthetic test.	`@evt.name:"Synthetics Monitoring" @asset.type:synthetics_test @action:(created OR deleted)`
Synthetic test modified	A user modified a Synthetic test and the previous and new values for the configuration.	`@evt.name:"Synthetics Monitoring" @asset.type:synthetics_test @action:modified`
Synthetic variable	A user created, modified, or deleted a Synthetic variable.	`@evt.name:"Synthetics Monitoring" @asset.type:synthetics_variable`
Synthetic settings	A user modified Synthetic settings (quotas, PL access) and the previous and new setting values.	`@evt.name:"Synthetics Monitoring" @asset.type:synthetics_settings @action:modified`

Reference Table events

Name	Description of audit event	Query in audit explorer
Reference Table	A user created, deleted, or modified a reference table.	`@evt.name:"Reference Tables" @asset.type:reference_table @action:(created OR deleted OR modified)`
Reference Table File	A user uploaded a file or imported a file with a cloud provider for a reference table.	`@evt.name:"Reference Tables" @asset.type:reference_table_file @action:(uploaded OR imported)`

Teams Management events

Name	Description of audit event	Query in audit explorer
Teams Management	A user created, deleted, or modified a team or team association.	`@evt.name:"Teams Management" @action:(created OR deleted OR modified)`

Workflow events

Name	Description of audit event	Query in audit explorer
Workflow	A user created, deleted, or modified a workflow, or a workflow executed.	`@evt.name:"Workflows" @asset.type:workflow @action:(created OR deleted OR modified OR executed)`
Workflow Schedule	A user created, deleted, or modified a schedule for a workflow.	`@evt.name:"Workflows" @asset.type:workflow_schedule @action:(created OR deleted OR modified)`
Workflow Action	A user responded to a Slack prompt during the execution of a workflow.	`@evt.name:"Workflows" @asset.type:workflow_action @action:(responded)`
Custom Connection	A user created, deleted, or modified a connection.	`@evt.name:"Custom Connections" @asset.type:custom_connection @action:(created OR deleted OR modified)`