--- title: Audit Trail Events description: >- Comprehensive reference of over 100 audit event types across Datadog platform products with detailed categorization and examples. breadcrumbs: Docs > Account Management > Datadog Audit Trail > Audit Trail Events --- # Audit Trail Events ## Overview{% #overview %} [Datadog Audit Trail](https://app.datadoghq.com/audit-trail) records more than 100 types of audit events from across the Datadog platform. These audit events are categorized into different product categories as event names. See the [Audit Trail documentation](https://docs.datadoghq.com/account_management/audit_trail/) for more information on setting up and configuring Audit Trail. ## Audit Events ### AI Guard{% #ai-guard %} | Name | Description of Audit Event | Query In Audit Explorer | | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------- | | [AI Guard Service Configuration](https://app.datadoghq.com/audit-trail?query=%40evt.name%3A%22AI%20Guard%22%20%40asset.type%3A%22AI%20Guard%20Service%20Configuration%22%20%40action%3A%28modified%20OR%20deleted%29) | A user created or modified the AI Guard service configuration, including blocking enablement and Sensitive Data Scanner settings. | `@evt.name:"AI Guard" @asset.type:"AI Guard Service Configuration" @action:(modified OR deleted)` | | [AI Guard Evaluation Sensitivity](https://app.datadoghq.com/audit-trail?query=%40evt.name%3A%22AI%20Guard%22%20%40asset.type%3A%22AI%20Guard%20Evaluation%20Sensitivity%22%20%40action%3A%28modified%20OR%20deleted%29) | A user modified or deleted the evaluation sensitivity thresholds in AI Guard. | `@evt.name:"AI Guard" @asset.type:"AI Guard Evaluation Sensitivity" @action:(modified OR deleted)` | | [AI Guard Tool Allowlist](https://app.datadoghq.com/audit-trail?query=%40evt.name%3A%22AI%20Guard%22%20%40asset.type%3A%22AI%20Guard%20Tool%20Allowlist%22%20%40action%3A%28modified%20OR%20deleted%29) | A user created or deleted a tool allowlist entry in AI Guard. | `@evt.name:"AI Guard" @asset.type:"AI Guard Tool Allowlist" @action:(modified OR deleted)` | | [AI Guard Tool Blocking](https://app.datadoghq.com/audit-trail?query=%40evt.name%3A%22AI%20Guard%22%20%40asset.type%3A%22AI%20Guard%20Tool%20Blocking%22%20%40action%3A%28modified%20OR%20deleted%29) | A user created or deleted a tool blocking rule in AI Guard. | `@evt.name:"AI Guard" @asset.type:"AI Guard Tool Blocking" @action:(modified OR deleted)` | ### API Request{% #api-request %} | Name | Description of Audit Event | Query In Audit Explorer | | ------------------------------------------------------------------------------------------------------- | --------------------------------------------------- | ------------------------------------ | | [API Request](https://app.datadoghq.com/audit-trail?query=%40evt.name%3ARequest%20%40action%3Aaccessed) | An API Request is made across the Datadog platform. | `@evt.name:Request @action:accessed` | ### Access Management{% #access-management %} | Name | Description of Audit Event | Query In Audit Explorer | | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------ | | [User invite (Support)](https://app.datadoghq.com/audit-trail?query=%40evt.name%3A%22Access%20Management%22%20%40evt.actor.type%3ASUPPORT_USER%20%40asset.type%3Auser%20%40action%3Acreated) | A user was invited to the org by Datadog Support. | `@evt.name:"Access Management" @evt.actor.type:SUPPORT_USER @asset.type:user @action:created` | | [Application Key (Service Account User)](https://app.datadoghq.com/audit-trail?query=%40evt.name%3A%22Access%20Management%22%20%40asset.type%3Aapplication_key) | A user created, modified, or deleted an application key for a service account user. | `@evt.name:"Access Management" @asset.type:application_key` | | [Email update (Support)](https://app.datadoghq.com/audit-trail?query=%40evt.name%3A%22Access%20Management%22%20%40evt.actor.type%3ASUPPORT_USER%20%40asset.type%3Auser%20%40action%3Amodified) | A user's email was updated by Datadog Support. | `@evt.name:"Access Management" @evt.actor.type:SUPPORT_USER @asset.type:user @action:modified` | | [Email](https://app.datadoghq.com/audit-trail?query=%40evt.name%3A%22Access%20Management%22%20%40asset.type%3Auser) | An email is added, disabled, or verified on the Datadog account as a user in the account. | `@evt.name:"Access Management" @asset.type:user` | | [User's role (Support)](https://app.datadoghq.com/audit-trail?query=%40evt.name%3A%22Access%20Management%22%20%40evt.actor.type%3ASUPPORT_USER%20%40asset.type%3Arole%20%40action%3Amodified) | A user was added or deleted from a role in the org by Datadog Support. | `@evt.name:"Access Management" @evt.actor.type:SUPPORT_USER @asset.type:role @action:modified` | | [Role modified (Support)](https://app.datadoghq.com/audit-trail?query=%40evt.name%3A%22Access%20Management%22%20%40evt.actor.type%3ASUPPORT_USER%20%40asset.type%3Arole%20%40action%3Amodified) | A role was modified by Datadog Support, and what the previous and new permissions are. | `@evt.name:"Access Management" @evt.actor.type:SUPPORT_USER @asset.type:role @action:modified` | | [IP Allowlist Modified (Support)](https://app.datadoghq.com/audit-trail?query=%40evt.name%3A%22Access%20Management%22%20%40evt.actor.type%3ASUPPORT_USER%20%40asset.type%3Aip_allowlist%20%40action%3Amodified) | A new IP was added to the org's IP allowlist by Datadog Support. | `@evt.name:"Access Management" @evt.actor.type:SUPPORT_USER @asset.type:ip_allowlist @action:modified` | | [Restriction policy](https://app.datadoghq.com/audit-trail?query=%40evt.name%3A%22Access%20Management%22%20%40asset.type%3Arestriction_policy%20%40action%3A%28modified%20OR%20deleted%29) | A restriction policy is modified for a resource. | `@evt.name:"Access Management" @asset.type:restriction_policy @action:(modified OR deleted)` | | [Authentication Methods (Org)](https://app.datadoghq.com/audit-trail?query=%40evt.name%3A%22Access%20Management%22%20%40asset.type%3Aidentity_provider) | A user modified the allowed authentication methods for an org and what the previous and new values are. | `@evt.name:"Access Management" @asset.type:identity_provider` | | [User's role](https://app.datadoghq.com/audit-trail?query=%40evt.name%3A%22Access%20Management%22%20%40asset.type%3Arole%20%40action%3Amodified) | A user is added or deleted from a role in the org. | `@evt.name:"Access Management" @asset.type:role @action:modified` | | [Role access request](https://app.datadoghq.com/audit-trail?query=%40evt.name%3A%22Access%20Management%22%20%40asset.type%3Arole_request) | A user created, responded to, or deleted an access request for a role, and the value of the access request. | `@evt.name:"Access Management" @asset.type:role_request` | | [Role created or deleted](https://app.datadoghq.com/audit-trail?query=%40evt.name%3A%22Access%20Management%22%20%40asset.type%3Arole%20%40action%3A%28created%20OR%20deleted%29) | A role is created or deleted in the org. | `@evt.name:"Access Management" @asset.type:role @action:(created OR deleted)` | | [Role modified](https://app.datadoghq.com/audit-trail?query=%40evt.name%3A%22Access%20Management%22%20%40asset.type%3Arole%20%40action%3Amodified) | A role is modified and what the previous and new permissions are. | `@evt.name:"Access Management" @asset.type:role @action:modified` | | [Password](https://app.datadoghq.com/audit-trail?query=%40evt.name%3A%22Access%20Management%22%20%40asset.type%3Apassword%20%40action%3Amodified) | A user modified their password in the org. Password update events are delivered to all orgs that user is active in, even if the org does not have password authentication configured. | `@evt.name:"Access Management" @asset.type:password @action:modified` | ### Actions Datastore{% #actions-datastore %} | Name | Description of Audit Event | Query In Audit Explorer | | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------- | | [Datastore item](https://app.datadoghq.com/audit-trail?query=%40evt.name%3A%22Apps%20Datastore%22%20%40asset.type%3A%28item%20OR%20item_query%29%20%40action%3A%28created%20OR%20deleted%20OR%20modified%20OR%20queried%29) | A user created, modified, deleted, or queried datastore items. | `@evt.name:"Apps Datastore" @asset.type:(item OR item_query) @action:(created OR deleted OR modified OR queried)` | | [Datastore](https://app.datadoghq.com/audit-trail?query=%40evt.name%3A%22Apps%20Datastore%22%20%40asset.type%3A%28datastore%20OR%20datastore_list%29%20%40action%3A%28queried%20OR%20created%20OR%20deleted%29) | A user created, deleted, queried, or listed datastores. | `@evt.name:"Apps Datastore" @asset.type:(datastore OR datastore_list) @action:(queried OR created OR deleted)` | ### App Builder{% #app-builder %} | Name | Description of Audit Event | Query In Audit Explorer | | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------- | | [Query started](https://app.datadoghq.com/audit-trail?query=%40evt.name%3A%22App%20Builder%22%20%40asset.type%3Aquery%20%40action%3Astarted) | A user started a query. | `@evt.name:"App Builder" @asset.type:query @action:started` | | [Query executed](https://app.datadoghq.com/audit-trail?query=%40evt.name%3A%22App%20Builder%22%20%40asset.type%3Aquery%20%40action%3Aexecuted) | A user executed a query. | `@evt.name:"App Builder" @asset.type:query @action:executed` | | [App](https://app.datadoghq.com/audit-trail?query=%40evt.name%3A%22App%20Builder%22%20%40asset.type%3Aapp%20%40action%3A%28accessed%20OR%20created%20OR%20modified%20OR%20published%20OR%20deleted%20OR%20reverted%20OR%20unpublished%29) | A user accessed, created, modified, deleted, reverted, or unpublished an app. | `@evt.name:"App Builder" @asset.type:app @action:(accessed OR created OR modified OR published OR deleted OR reverted OR unpublished)` | | [API Request](https://app.datadoghq.com/audit-trail?query=%40evt.name%3ARequest%20%40action%3Aaccessed) | An API Request is made across the Datadog platform. | `@evt.name:Request @action:accessed` | ### App and API Protection (AAP){% #app-and-api-protection-aap %} | Name | Description of Audit Event | Query In Audit Explorer | | ---------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------- | --------------------------------------------------------------------- | | [Protection](https://app.datadoghq.com/audit-trail?query=%40evt.name%3A%22Application%20Security%22%20%40asset.type%3Ablocking_configuration) | A user enabled or disabled the AAP protection. | `@evt.name:"Application Security" @asset.type:blocking_configuration` | | [One-click Activation](https://app.datadoghq.com/audit-trail?query=%40evt.name%3A%22Application%20Security%22%20%40asset.type%3Acompatible_services) | A user activated or de-activated AAP on a service. | `@evt.name:"Application Security" @asset.type:compatible_services` | | [Denylist](https://app.datadoghq.com/audit-trail?query=%40evt.name%3A%22Application%20Security%22%20%40asset.type%3Aip_user_denylist) | A user blocked, unblocked, or extended the blocking duration of an IP address or a user ID. | `@evt.name:"Application Security" @asset.type:ip_user_denylist` | | [In-App WAF Custom Rule](https://app.datadoghq.com/audit-trail?query=%40evt.name%3A%22Application%20Security%22%20%40asset.type%3Awaf_custom_rule) | A user validated, created, modified, or deleted an In-App WAF custom rule. | `@evt.name:"Application Security" @asset.type:waf_custom_rule` | | [In-App WAF Policy](https://app.datadoghq.com/audit-trail?query=%40evt.name%3A%22Application%20Security%22%20%40asset.type%3Apolicy_entry) | A user created, modified, or deleted an In-App WAF policy. | `@evt.name:"Application Security" @asset.type:policy_entry` | | [Passlist](https://app.datadoghq.com/audit-trail?query=%40evt.name%3A%22Application%20Security%22%20%40asset.type%3Aip_user_denylist) | A user added, modified, or deleted an entry to the passlist. | `@evt.name:"Application Security" @asset.type:ip_user_denylist` | ### Application Performance Monitoring (APM){% #application-performance-monitoring-apm %} | Name | Description of Audit Event | Query In Audit Explorer | | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ----------------------------------------------------------------------------------- | | [Retention filter](https://app.datadoghq.com/audit-trail?query=%40evt.name%3AAPM%20%40asset.type%3Aretention_filter) | A user created, modified, or deleted a [retention filter](https://docs.datadoghq.com/account_management/audit_trail/) and the previous and/or new values for the retention filter configuration. | `@evt.name:APM @asset.type:retention_filter` | | [Primary operation name](https://app.datadoghq.com/audit-trail?query=%40evt.name%3AAPM%20%40asset.type%3Aservice_operation_name) | A user created, modified, or deleted the [primary operation name](https://docs.datadoghq.com/tracing/guide/configuring-primary-operation/) of a service and the previous and/or new values for the configuration. | `@evt.name:APM @asset.type:service_operation_name` | | [Span-based metric](https://app.datadoghq.com/audit-trail?query=%40evt.name%3AAPM%20%40asset.type%3Acustom_metrics) | A user created, modified, or deleted a [span-based metric](https://docs.datadoghq.com/tracing/trace_pipeline/generate_metrics/) and the previous and/or new values for the metric configuration. | `@evt.name:APM @asset.type:custom_metrics` | | [Custom metrics](https://app.datadoghq.com/audit-trail?query=%40evt.name%3AAPM%20%40action%3A%28created%20OR%20modified%20OR%20deleted%29%20%40asset.type%3Acustom_metrics) | A user created, modified, or deleted a custom metric | `@evt.name:APM @action:(created OR modified OR deleted) @asset.type:custom_metrics` | | [Facet](https://app.datadoghq.com/audit-trail?query=%40evt.name%3AAPM%20%40asset.type%3Afacet) | A user created, modified, or deleted a [facet](https://docs.datadoghq.com/tracing/trace_explorer/facets/) and the previous and/or new values for the facet configuration. | `@evt.name:APM @asset.type:facet` | | [Second primary tag](https://app.datadoghq.com/audit-trail?query=%40evt.name%3AAPM%20%40asset.type%3Asecond_primary_tag) | A user added, modified, or deleted the [second primary tag](https://docs.datadoghq.com/tracing/guide/setting_primary_tags_to_scope/#add-a-second-primary-tag-in-datadog) and the previous or new values for the configuration. | `@evt.name:APM @asset.type:second_primary_tag` | | [Sampling rates remotely configured](https://app.datadoghq.com/audit-trail?query=%40evt.name%3AAPM%20%40asset.type%3Asamplerconfig) | A user remotely configured the APM sampling rates. | `@evt.name:APM @asset.type:samplerconfig` | | [Saved view](https://app.datadoghq.com/audit-trail?query=%40evt.name%3AAPM%20%40action%3A%28created%20OR%20modified%20OR%20deleted%29%20%40asset.type%3Asaved_view) | A user created, modified, or deleted a saved view. | `@evt.name:APM @action:(created OR modified OR deleted) @asset.type:saved_view` | ### Audit Trail{% #audit-trail %} | Name | Description of Audit Event | Query In Audit Explorer | | ------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------- | --------------------------------------------------------------------- | | [Audit Trail settings](https://app.datadoghq.com/audit-trail?query=%40evt.name%3A%22Organization%20Management%22%20%40asset.type%3Aaudit_logs_settings) | A user modified Audit Trail settings and what the previous and new settings are. | `@evt.name:"Organization Management" @asset.type:audit_logs_settings` | | [Download as CSV](https://app.datadoghq.com/audit-trail?query=%40evt.name%3A%22Audit%20Trail%22%20%40asset.type%3Aaudit_events_csv) | A user exports list of Audit Events as CSV | `@evt.name:"Audit Trail" @asset.type:audit_events_csv` | ### Authentication{% #authentication %} | Name | Description of Audit Event | Query In Audit Explorer | | -------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------- | ------------------------------------------------------ | | [API key (Org settings)](https://app.datadoghq.com/audit-trail?query=%40evt.name%3AAuthentication%20%40asset.type%3Aapi_key) | An API key is accessed, listed, created, or deleted in the Organization Settings page. | `@evt.name:Authentication @asset.type:api_key` | | [User login](https://app.datadoghq.com/audit-trail?query=%40evt.name%3AAuthentication%20%40action%3Alogin) | A user logs into Datadog and the authentication method used. | `@evt.name:Authentication @action:login` | | [Public API key (Org settings)](https://app.datadoghq.com/audit-trail?query=%40evt.name%3AAuthentication%20%40asset.type%3Apublic_api_key) | A public API key is accessed, listed, created, or deleted in the Organization Settings page. | `@evt.name:Authentication @asset.type:public_api_key` | | [Application key (Org settings)](https://app.datadoghq.com/audit-trail?query=%40evt.name%3AAuthentication%20%40asset.type%3Aapplication_key) | An application key is accessed, listed, created, or deleted in the Organization Settings page. | `@evt.name:Authentication @asset.type:application_key` | ### Bits AI SRE{% #bits-ai-sre %} | Name | Description of Audit Event | Query In Audit Explorer | | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------- | | [Manual Investigation](https://app.datadoghq.com/audit-trail?query=%40evt.name%3A%22Bits%20AI%20SRE%22%20%40asset.type%3Ainvestigation%20%40action%3A%28started%20OR%20completed%29) | A user started or completed a manual investigation. | `@evt.name:"Bits AI SRE" @asset.type:investigation @action:(started OR completed)` | | [Tool Call](https://app.datadoghq.com/audit-trail?query=%40evt.name%3A%22Bits%20AI%20SRE%22%20%40asset.type%3Atool_call%20%40action%3Acreated) | A tool call was executed in a manual investigation. | `@evt.name:"Bits AI SRE" @asset.type:tool_call @action:created` | | [Monitor Rate Limit](https://app.datadoghq.com/audit-trail?query=%40evt.name%3A%22Bits%20AI%20SRE%22%20%40asset.type%3Amonitor_rate_limit%20%40action%3A%28modified%29) | A user modified the monitor rate limit for automatic investigations. | `@evt.name:"Bits AI SRE" @asset.type:monitor_rate_limit @action:(modified)` | | [Automatic Investigations Monitor Toggle](https://app.datadoghq.com/audit-trail?query=%40evt.name%3A%22Bits%20AI%20SRE%22%20%40asset.type%3Aautomatic_investigations_monitor_toggle%20%40action%3A%28enabled%20OR%20disabled%29) | A user enabled or disabled automatic investigations for a monitor. | `@evt.name:"Bits AI SRE" @asset.type:automatic_investigations_monitor_toggle @action:(enabled OR disabled)` | ### Bits Dev{% #bits-dev %} | Name | Description of Audit Event | Query In Audit Explorer | | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------- | | [Code Session](https://app.datadoghq.com/audit-trail?query=%40evt.name%3A%22Bits%20Dev%22%20%40asset.type%3A%28code_session%20OR%20session%20OR%20chat%29%20%40action%3A%28created%20OR%20modified%20OR%20enabled%20OR%20disabled%20OR%20messaged%20OR%20linked%20OR%20unlinked%29) | A user started or modified a Bits Dev code session. | `@evt.name:"Bits Dev" @asset.type:(code_session OR session OR chat) @action:(created OR modified OR enabled OR disabled OR messaged OR linked OR unlinked)` | ### CI Visibility{% #ci-visibility %} | Name | Description of Audit Event | Query In Audit Explorer | | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------- | | [GitHub account settings](https://app.datadoghq.com/audit-trail?query=%40evt.name%3A%22CI%20Visibility%22%20%40asset.type%3Agithub_opt_ins%20%28%40action%3Amodified%20OR%20%40action%3Adeleted%29) | A user has modified the GitHub account settings. | `@evt.name:"CI Visibility" @asset.type:github_opt_ins (@action:modified OR @action:deleted)` | | [Test service settings](https://app.datadoghq.com/audit-trail?query=%40evt.name%3A%22CI%20Visibility%22%20%40asset.type%3Aci_app_test_service_settings%20%28%40action%3Acreated%20OR%20%40action%3Amodified%29) | A user created or modified the settings of a test service. | `@evt.name:"CI Visibility" @asset.type:ci_app_test_service_settings (@action:created OR @action:modified)` | | [Repository default branch](https://app.datadoghq.com/audit-trail?query=%40evt.name%3A%22CI%20Visibility%22%20%40asset.type%3Aci_app_repository%20%40action%3Amodified) | A user modified the default branch of a repository. | `@evt.name:"CI Visibility" @asset.type:ci_app_repository @action:modified` | | [Exclusion filters](https://app.datadoghq.com/audit-trail?query=%40evt.name%3A%22CI%20Visibility%22%20%40asset.type%3Aci_app_exclusion_filters%20%40action%3Amodified) | The exclusion filters have been modified. | `@evt.name:"CI Visibility" @asset.type:ci_app_exclusion_filters @action:modified` | ### Case Management{% #case-management %} | Name | Description of Audit Event | Query In Audit Explorer | | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------- | ---------------------------------------------------------------------------- | | [Automation rule modified](https://app.datadoghq.com/audit-trail?query=%40evt.name%3A%22Case%20Management%22%20%40asset.type%3Aautomation_rule%20%40action%3Amodified) | A user modified a case management automation rule. | `@evt.name:"Case Management" @asset.type:automation_rule @action:modified` | | [Project created](https://app.datadoghq.com/audit-trail?query=%40evt.name%3A%22Case%20Management%22%20%40asset.type%3Aproject%20%40action%3Acreated) | A user created a case management project. | `@evt.name:"Case Management" @asset.type:project @action:created` | | [Project modified](https://app.datadoghq.com/audit-trail?query=%40evt.name%3A%22Case%20Management%22%20%40asset.type%3Aproject%20%40action%3Amodified) | A user modified a case management project. | `@evt.name:"Case Management" @asset.type:project @action:modified` | | [Project deleted](https://app.datadoghq.com/audit-trail?query=%40evt.name%3A%22Case%20Management%22%20%40asset.type%3Aproject%20%40action%3Adeleted) | A user deleted a case management project. | `@evt.name:"Case Management" @asset.type:project @action:deleted` | | [Automation rule created](https://app.datadoghq.com/audit-trail?query=%40evt.name%3A%22Case%20Management%22%20%40asset.type%3Aautomation_rule%20%40action%3Acreated) | A user created a case management automation rule. | `@evt.name:"Case Management" @asset.type:automation_rule @action:created` | | [Notification rule deleted](https://app.datadoghq.com/audit-trail?query=%40evt.name%3A%22Case%20Management%22%20%40asset.type%3Anotification_rule%20%40action%3Adeleted) | A user deleted a case management notification rule. | `@evt.name:"Case Management" @asset.type:notification_rule @action:deleted` | | [Notification rule modified](https://app.datadoghq.com/audit-trail?query=%40evt.name%3A%22Case%20Management%22%20%40asset.type%3Anotification_rule%20%40action%3Amodified) | A user modified a case management notification rule. | `@evt.name:"Case Management" @asset.type:notification_rule @action:modified` | | [Notification rule created](https://app.datadoghq.com/audit-trail?query=%40evt.name%3A%22Case%20Management%22%20%40asset.type%3Anotification_rule%20%40action%3Acreated) | A user created a case management notification rule. | `@evt.name:"Case Management" @asset.type:notification_rule @action:created` | | [Automation rule deleted](https://app.datadoghq.com/audit-trail?query=%40evt.name%3A%22Case%20Management%22%20%40asset.type%3Aautomation_rule%20%40action%3Adeleted) | A user deleted a case management automation rule. | `@evt.name:"Case Management" @asset.type:automation_rule @action:deleted` | ### Cloud Security Platform{% #cloud-security-platform %} | Name | Description of Audit Event | Query In Audit Explorer | | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------- | | [Report Subscription](https://app.datadoghq.com/audit-trail?query=%40evt.name%3A%22Cloud%20Security%20Platform%22%20%40asset.type%3Areport_subscription) | A user subscribed or unsubscribed from a K9 email report. | `@evt.name:"Cloud Security Platform" @asset.type:report_subscription` | | [CWS Agent Rule](https://app.datadoghq.com/audit-trail?query=%40evt.name%3A%22Cloud%20Security%20Platform%22%20%40asset.type%3Acws_agent_rule%20%40action%3Aaccessed) | A user accessed (fetched) a CWS agent rule in the Cloud Security Platform. | `@evt.name:"Cloud Security Platform" @asset.type:cws_agent_rule @action:accessed` | | [Risk Insights Notification Rule](https://app.datadoghq.com/audit-trail?query=%40evt.name%3A%22Cloud%20Security%20Platform%22%20%40asset.type%3Arisk_insights_notification_rule) | A user created, updated, or deleted a Risk Insights notification rule. | `@evt.name:"Cloud Security Platform" @asset.type:risk_insights_notification_rule` | | [Security Signal](https://app.datadoghq.com/audit-trail?query=%40evt.name%3A%22Cloud%20Security%20Platform%22%20%40asset.type%3Asecurity_signal%20%40action%3Amodified) | A user modified the state of a signal or assigned the signal to a user, and the previous and new values for the signal. | `@evt.name:"Cloud Security Platform" @asset.type:security_signal @action:modified` | | [Security Rule](https://app.datadoghq.com/audit-trail?query=%40evt.name%3A%22Cloud%20Security%20Platform%22%20%40asset.type%3Asecurity_rule) | A user validated, updated, deleted, or created a security rule and the previous and new values for the rule. | `@evt.name:"Cloud Security Platform" @asset.type:security_rule` | | [Notification Profile](https://app.datadoghq.com/audit-trail?query=%40evt.name%3A%22Cloud%20Security%20Platform%22%20%40asset.type%3Anotification_profile) | A user created, updated, or deleted a notification profile in the Cloud Security Platform. | `@evt.name:"Cloud Security Platform" @asset.type:notification_profile` | ### Dashboard{% #dashboard %} | Name | Description of Audit Event | Query In Audit Explorer | | ------------------------------------------------------------------------------------------------------------------------------------------------------------ | --------------------------------------------------------------------------------------------- | --------------------------------------------------------------------- | | [Dashboard deleted](https://app.datadoghq.com/audit-trail?query=%40evt.name%3ADashboard%20%40asset.type%3Adashboard%20%40action%3Adeleted) | A dashboard is deleted. Also provides the previous JSON value for the dashboard. | `@evt.name:Dashboard @asset.type:dashboard @action:deleted` | | [Public URL accessed](https://app.datadoghq.com/audit-trail?query=%40evt.name%3ADashboard%20%40asset.type%3Adashboard%20%40action%3Aaccessed) | A public dashboard URL is accessed. | `@evt.name:Dashboard @asset.type:dashboard @action:accessed` | | [Dashboard user(s) added](https://app.datadoghq.com/audit-trail?query=%40evt.name%3ADashboard%20%40asset.type%3Adashboard_share_acl%20%40action%3Acreated) | A user added user ID(s) that can access a dashboard and the list of new user IDs. | `@evt.name:Dashboard @asset.type:dashboard_share_acl @action:created` | | [Dashboard modified](https://app.datadoghq.com/audit-trail?query=%40evt.name%3ADashboard%20%40asset.type%3Adashboard%20%40action%3Amodified) | A dashboard is modified. Also provides the previous and new JSON values for the dashboard. | `@evt.name:Dashboard @asset.type:dashboard @action:modified` | | [Dashboard user(s) deleted](https://app.datadoghq.com/audit-trail?query=%40evt.name%3ADashboard%20%40asset.type%3Adashboard_share_acl%20%40action%3Adeleted) | A user deleted user ID(s) that can access a dashboard and the list of the deleted user ID(s). | `@evt.name:Dashboard @asset.type:dashboard_share_acl @action:deleted` | | [Dashboard embedded (Roadie)](https://app.datadoghq.com/audit-trail?query=%40evt.name%3ADashboard%20%40asset.type%3Aembed%20%40action%3Aaccessed) | A Datadog dashboard is embedded into a third party. | `@evt.name:Dashboard @asset.type:embed @action:accessed` | | [Dashboard created](https://app.datadoghq.com/audit-trail?query=%40evt.name%3ADashboard%20%40asset.type%3Adashboard%20%40action%3Acreated) | A dashboard is created and the new JSON value for the dashboard. | `@evt.name:Dashboard @asset.type:dashboard @action:created` | | [Public URL generated or deleted](https://app.datadoghq.com/audit-trail?query=%40evt.name%3ADashboard%20%40asset.type%3Adashboard_share_link) | A public URL to view a dashboard is generated or deleted. | `@evt.name:Dashboard @asset.type:dashboard_share_link` | ### Data Streams Monitoring{% #data-streams-monitoring %} | Name | Description of Audit Event | Query In Audit Explorer | | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------ | ------------------------------------------------------------------------------------ | | [DSM Kafka messages read](https://app.datadoghq.com/audit-trail?query=%40evt.name%3A%22Data%20Streams%20Monitoring%22%20%40asset.type%3Adsm_kafka_message%20%40action%3Aaccessed) | A user read Kafka messages via Data Streams Monitoring. | `@evt.name:"Data Streams Monitoring" @asset.type:dsm_kafka_message @action:accessed` | | [DSM Kafka message produced](https://app.datadoghq.com/audit-trail?query=%40evt.name%3A%22Data%20Streams%20Monitoring%22%20%40asset.type%3Adsm_kafka_message%20%40action%3Acreated) | A user produced a Kafka message via Data Streams Monitoring. | `@evt.name:"Data Streams Monitoring" @asset.type:dsm_kafka_message @action:created` | | [DSM Kafka topic created](https://app.datadoghq.com/audit-trail?query=%40evt.name%3A%22Data%20Streams%20Monitoring%22%20%40asset.type%3Adsm_kafka_topic%20%40action%3Acreated) | A user created a Kafka topic via Data Streams Monitoring. | `@evt.name:"Data Streams Monitoring" @asset.type:dsm_kafka_topic @action:created` | ### Datadog Agent{% #datadog-agent %} | Name | Description of Audit Event | Query In Audit Explorer | | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------- | -------------------------------------------------------------------------- | | [Agent flare created](https://app.datadoghq.com/audit-trail?query=%40evt.name%3A%22Datadog%20Agent%22%20%40action%3Acreated%20%40asset.type%3Aagent_flare) | Datadog Agent flare is created for support tickets. | `@evt.name:"Datadog Agent" @action:created @asset.type:agent_flare` | | [Agent enabled](https://app.datadoghq.com/audit-trail?query=%40evt.name%3A%22Datadog%20Agent%22%20%40action%3Acreated) | A new Datadog Agent was enabled. | `@evt.name:"Datadog Agent" @action:created` | | [Agent API key updated](https://app.datadoghq.com/audit-trail?query=%40evt.name%3A%22Datadog%20Agent%22%20%40metadata.event_name%3A%22Agent%20API%20Key%20Updated%22) | A Datadog Agent API key was changed. | `@evt.name:"Datadog Agent" @metadata.event_name:"Agent API Key Updated"` | | [Agent upgrade succeeded](https://app.datadoghq.com/audit-trail?query=%40evt.name%3A%22Datadog%20Agent%22%20%40metadata.event_name%3A%22Agent%20Upgrade%20Succeeded%22) | A Datadog Agent was successfully upgraded. | `@evt.name:"Datadog Agent" @metadata.event_name:"Agent Upgrade Succeeded"` | | [Agent upgrade failed](https://app.datadoghq.com/audit-trail?query=%40evt.name%3A%22Datadog%20Agent%22%20%40metadata.event_name%3A%22Agent%20Upgrade%20Failed%22) | A Datadog Agent remote upgrade attempt failed. | `@evt.name:"Datadog Agent" @metadata.event_name:"Agent Upgrade Failed"` | | [Agent configuration updated](https://app.datadoghq.com/audit-trail?query=%40evt.name%3A%22Datadog%20Agent%22%20%40action%3Amodified) | A Datadog Agent configuration was updated. | `@evt.name:"Datadog Agent" @action:modified` | ### Dynamic Instrumentation{% #dynamic-instrumentation %} | Name | Description of Audit Event | Query In Audit Explorer | | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------- | | [Logs Probe](https://app.datadoghq.com/audit-trail?query=%40evt.name%3A%22Dynamic%20Instrumentation%22%20%40action%3A%28created%20OR%20modified%20OR%20deleted%29%20%40asset.type%3Alog_probe) | A user has successfully created, modified or deleted a logs probe with Dynamic Instrumentation. | `@evt.name:"Dynamic Instrumentation" @action:(created OR modified OR deleted) @asset.type:log_probe` | | [Metrics Probe](https://app.datadoghq.com/audit-trail?query=%40evt.name%3A%22Dynamic%20Instrumentation%22%20%40action%3A%28created%20OR%20modified%20OR%20deleted%29%20%40asset.type%3Aspan_probe) | A user has successfully created, modified or deleted a metrics probe with Dynamic Instrumentation. | `@evt.name:"Dynamic Instrumentation" @action:(created OR modified OR deleted) @asset.type:span_probe` | | [Spans Probe](https://app.datadoghq.com/audit-trail?query=%40evt.name%3A%22Dynamic%20Instrumentation%22%20%40action%3A%28created%20OR%20modified%20OR%20deleted%29%20%40asset.type%3Ametric_probe) | A user has successfully created, modified or deleted a spans probe with Dynamic Instrumentation. | `@evt.name:"Dynamic Instrumentation" @action:(created OR modified OR deleted) @asset.type:metric_probe` | ### Error Tracking{% #error-tracking %} | Name | Description of Audit Event | Query In Audit Explorer | | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------- | ----------------------------------------------------------------------------------------- | | [Create or modify inclusion filter](https://app.datadoghq.com/audit-trail?query=%40evt.name%3A%22Error%20Tracking%22%20%40asset.type%3Aerror_tracking_inclusion_filter) | A user has added or modified an inclusion filter. | `@evt.name:"Error Tracking" @asset.type:error_tracking_inclusion_filter` | | [Error Tracking for Logs activation](https://app.datadoghq.com/audit-trail?query=%40evt.name%3A%22Error%20Tracking%22%20%40action%3A%28created%20OR%20deleted%29%20%40asset.type%3Aerror_tracking_logs) | A user has enabled or disabled Error Tracking for the Logs product. | `@evt.name:"Error Tracking" @action:(created OR deleted) @asset.type:error_tracking_logs` | ### Event Management{% #event-management %} | Name | Description of Audit Event | Query In Audit Explorer | | --------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------- | ------------------------------------------------------------ | | [Custom metrics](https://app.datadoghq.com/audit-trail?query=%40evt.name%3A%22Event%20Management%22%20%40asset.type%3Acustom_metrics) | A user created, modified, or deleted a custom metric | `@evt.name:"Event Management" @asset.type:custom_metrics` | | [Correlation pattern](https://app.datadoghq.com/audit-trail?query=%40evt.name%3A%22Event%20Management%22%20%40asset.type%3Aevent_correlation) | A user created a correlation pattern. | `@evt.name:"Event Management" @asset.type:event_correlation` | ### Exception Replay{% #exception-replay %} | Name | Description of Audit Event | Query In Audit Explorer | | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------ | | [Exception Replay Redaction Settings](https://app.datadoghq.com/audit-trail?query=%40evt.name%3A%22Exception%20Replay%22%20%40action%3A%28created%20OR%20modified%20OR%20deleted%29%20%40asset.type%3Aredaction_settings) | A user has created, modified or deleted a redaction setting for Exception Replay. | `@evt.name:"Exception Replay" @action:(created OR modified OR deleted) @asset.type:redaction_settings` | ### Infrastructure Monitoring{% #infrastructure-monitoring %} | Name | Description of Audit Event | Query In Audit Explorer | | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------- | ----------------------------------------------------------------------------------------------------- | | [Enable Container Image Trends](https://app.datadoghq.com/audit-trail?query=%40evt.name%3A%22Infrastructure%20Monitoring%22%20%40asset.type%3Aconfigure_container_image_trends%20%40action%3Aenabled) | A user enabled Container Image Trends. | `@evt.name:"Infrastructure Monitoring" @asset.type:configure_container_image_trends @action:enabled` | | [Disable Container Image Trends](https://app.datadoghq.com/audit-trail?query=%40evt.name%3A%22Infrastructure%20Monitoring%22%20%40asset.type%3Aconfigure_container_image_trends%20%40action%3Adisabled) | A user disabled Container Image Trends. | `@evt.name:"Infrastructure Monitoring" @asset.type:configure_container_image_trends @action:disabled` | ### Integration{% #integration %} | Name | Description of Audit Event | Query In Audit Explorer | | --------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------- | | [Resource](https://app.datadoghq.com/audit-trail?query=%40evt.name%3AIntegration%20%40asset.type%3Aintegration) | Anytime a resource (channel, service, webhook, account, instance, and so on) is added, modified, or deleted from an integration, and the previous and new values for the configuration. | `@evt.name:Integration @asset.type:integration` | ### LLM Observability{% #llm-observability %} | Name | Description of Audit Event | Query In Audit Explorer | | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------- | | [Evaluation Metrics](https://app.datadoghq.com/audit-trail?query=%40evt.name%3A%22LLM%20Observability%22%20%40action%3A%28enabled%20OR%20modified%20OR%20disabled%29%20%40asset.type%3Aevaluations) | A user has enabled, disabled, or modified the configuration (for example, set sample rate) of an [out-of-the-box evaluation][165](https://docs.datadoghq.com/llm_observability/evaluations/ootb_evaluations) metric for an application. | `@evt.name:"LLM Observability" @action:(enabled OR modified OR disabled) @asset.type:evaluations` | ### Live Debugger{% #live-debugger %} | Name | Description of Audit Event | Query In Audit Explorer | | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------ | --------------------------------------------------------------------------------------------------- | | [Live Debugger Redaction Settings](https://app.datadoghq.com/audit-trail?query=%40evt.name%3A%22Live%20Debugger%22%20%40action%3A%28created%20OR%20modified%20OR%20deleted%29%20%40asset.type%3Aredaction_settings) | A user has created, modified or deleted a redaction setting for Live Debugger. | `@evt.name:"Live Debugger" @action:(created OR modified OR deleted) @asset.type:redaction_settings` | ### Log Management{% #log-management %} | Name | Description of Audit Event | Query In Audit Explorer | | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------ | | [Archive configuration](https://app.datadoghq.com/audit-trail?query=%40evt.name%3A%22Log%20Management%22%20%40asset.type%3Aarchive) | A user created, modified, or deleted the configuration of an archive and the previous and new values for the configuration. | `@evt.name:"Log Management" @asset.type:archive` | | [Archiving order modified](https://app.datadoghq.com/audit-trail?query=%40evt.name%3A%22Log%20Management%22%20%40action%3Amodified%20%40asset.type%3Aarchive_list) | A user modified the order of archives. | `@evt.name:"Log Management" @action:modified @asset.type:archive_list` | | [Custom metric](https://app.datadoghq.com/audit-trail?query=%40evt.name%3A%22Log%20Management%22%20%40asset.type%3A%22custom%20metric%22) | A user created, modified, or deleted a custom metric for logs and the previous and new values for the custom metric configuration. | `@evt.name:"Log Management" @asset.type:"custom metric"` | | [Exclusion filter configuration](https://app.datadoghq.com/audit-trail?query=%40evt.name%3A%22Log%20Management%22%20%40asset.type%3A%22exclusion%20filter%22) | A user created, modified, or deleted the configuration of an exclusion filter and the previous and new values for the configuration. | `@evt.name:"Log Management" @asset.type:"exclusion filter"` | | [Index configuration](https://app.datadoghq.com/audit-trail?query=%40evt.name%3A%22Log%20Management%22%20%40asset.type%3Aindex) | A user created, modified, or deleted the configuration of an index and the previous and new values for the configuration. | `@evt.name:"Log Management" @asset.type:index` | | [Index order modified](https://app.datadoghq.com/audit-trail?query=%40evt.name%3A%22Log%20Management%22%20%40action%3Amodified%20%40asset.type%3Aindex_list) | A user modified the order of indexes. | `@evt.name:"Log Management" @action:modified @asset.type:index_list` | | [Log pipeline](https://app.datadoghq.com/audit-trail?query=%40evt.name%3A%22Log%20Management%22%20%40asset.type%3Apipeline) | A user created, modified, or deleted a log pipeline or nested pipeline and the previous and new values for the configuration. | `@evt.name:"Log Management" @asset.type:pipeline` | | [Processor](https://app.datadoghq.com/audit-trail?query=%40evt.name%3A%22Log%20Management%22%20%40asset.type%3Apipeline_processor) | A user created, modified, or deleted a processor within a pipeline and the previous and new values for the configuration. | `@evt.name:"Log Management" @asset.type:pipeline_processor` | | [Facet](https://app.datadoghq.com/audit-trail?query=%40evt.name%3A%22Log%20Management%22%20%40asset.type%3Afacet) | A user created, modified, or deleted a facet in the Log Explorer and the previous and new values for the facet configuration. | `@evt.name:"Log Management" @asset.type:facet` | | [Standard attribute configuration](https://app.datadoghq.com/audit-trail?query=%40evt.name%3A%22Log%20Management%22%20%40asset.type%3Astandard_attribute) | A user created, modified, or deleted the configuration of a standard attribute in logs and the previous and new values for the configuration. | `@evt.name:"Log Management" @asset.type:standard_attribute` | | [Query (Public Beta)](https://app.datadoghq.com/audit-trail?query=%40evt.name%3A%22Log%20Management%22%20%40asset.type%3Alogs_query) | A user ran a Log Management List query either in Log Explorer, Dashboards or through the Public API. | `@evt.name:"Log Management" @asset.type:logs_query` | | [Restriction query configuration](https://app.datadoghq.com/audit-trail?query=%40evt.name%3A%22Log%20Management%22%20%40asset.type%3Arestriction_query) | A user created, modified, or deleted the configuration of a restriction query in logs and the previous and new values for the configuration. | `@evt.name:"Log Management" @asset.type:restriction_query` | | [Download as CSV](https://app.datadoghq.com/audit-trail?query=%40evt.name%3A%22Log%20Management%22%20%40asset.type%3Alogs_csv) | A user exports list of logs as CSV. | `@evt.name:"Log Management" @asset.type:logs_csv` | | [Historical view](https://app.datadoghq.com/audit-trail?query=%40evt.name%3A%22Log%20Management%22%20%40asset.type%3Ahistorical_view) | A user created, modified, aborted, or deleted a historical view for logs and the previous and new values for the historical view configuration. | `@evt.name:"Log Management" @asset.type:historical_view` | | [Saved view](https://app.datadoghq.com/audit-trail?query=%40evt.name%3A%22Log%20Management%22%20%40action%3A%28created%20OR%20modified%20OR%20deleted%29%20%40asset.type%3Asaved_view) | A user created, modified, or deleted a saved view in the Log Explorer. | `@evt.name:"Log Management" @action:(created OR modified OR deleted) @asset.type:saved_view` | | [Log forwarding](https://app.datadoghq.com/audit-trail?query=%40evt.name%3A%22Log%20Management%22%20%40action%3A%28created%20OR%20modified%20OR%20deleted%29%20%40asset.type%3Alog_forwarding) | A user created, modified, or deleted a custom destination. | `@evt.name:"Log Management" @action:(created OR modified OR deleted) @asset.type:log_forwarding` | | [Rehydration Settings](https://app.datadoghq.com/audit-trail?query=%40evt.name%3A%22Log%20Management%22%20%40asset.type%3Arehydration_settings%20%40action%3A%28modified%29) | A user modified the logs rehydration settings. | `@evt.name:"Log Management" @asset.type:rehydration_settings @action:(modified)` | ### Metrics{% #metrics %} | Name | Description of Audit Event | Query In Audit Explorer | | ------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------- | ------------------------------------------------------- | | [Custom metric modified](https://app.datadoghq.com/audit-trail?query=%40evt.name%3AMetrics%20%40asset.type%3Ametric%20%40action%3Amodified) | A user modified a custom metric and the previous and new values for the custom metric configuration. | `@evt.name:Metrics @asset.type:metric @action:modified` | | [Custom metric created](https://app.datadoghq.com/audit-trail?query=%40evt.name%3AMetrics%20%40asset.type%3Ametric%20%40action%3Acreated) | A user created a custom metric and the new value for the custom metric configuration. | `@evt.name:Metrics @asset.type:metric @action:created` | | [Custom metric deleted](https://app.datadoghq.com/audit-trail?query=%40evt.name%3AMetrics%20%40asset.type%3Ametric%20%40action%3Adeleted) | A user deleted a custom metric. Also provides the previous value for the custom metric configuration. | `@evt.name:Metrics @asset.type:metric @action:deleted` | ### Monitor{% #monitor %} | Name | Description of Audit Event | Query In Audit Explorer | | -------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------- | -------------------------------------------------------- | | [Monitor created](https://app.datadoghq.com/audit-trail?query=%40evt.name%3AMonitor%20%40asset.type%3Amonitor%20%40action%3Acreated) | A monitor is created and the new JSON value for the monitor. | `@evt.name:Monitor @asset.type:monitor @action:created` | | [Monitor modified](https://app.datadoghq.com/audit-trail?query=%40evt.name%3AMonitor%20%40asset.type%3Amonitor%20%40action%3Amodified) | A monitor is modified and the previous and new JSON values for the monitor. | `@evt.name:Monitor @asset.type:monitor @action:modified` | | [Monitor deleted](https://app.datadoghq.com/audit-trail?query=%40evt.name%3AMonitor%20%40asset.type%3Amonitor%20%40action%3Adeleted) | A monitor is deleted. Also provides the previous JSON value for the monitor. | `@evt.name:Monitor @asset.type:monitor @action:deleted` | | [Monitor resolved](https://app.datadoghq.com/audit-trail?query=%40evt.name%3AMonitor%20%40asset.type%3Amonitor%20%40action%3Aresolved) | A monitor is resolved. | `@evt.name:Monitor @asset.type:monitor @action:resolved` | ### Network Device Monitoring{% #network-device-monitoring %} | Name | Description of Audit Event | Query In Audit Explorer | | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------- | ------------------------------------------------------------------------------------------ | | [Access network device tags](https://app.datadoghq.com/audit-trail?query=%40evt.name%3A%22Network%20Device%20Monitoring%22%20%40asset.type%3Anetwork_device_tags%20%40action%3Aaccessed) | A user accessed network device tags. | `@evt.name:"Network Device Monitoring" @asset.type:network_device_tags @action:accessed` | | [Access network device groups](https://app.datadoghq.com/audit-trail?query=%40evt.name%3A%22Network%20Device%20Monitoring%22%20%40asset.type%3Anetwork_device%20%40action%3Aaccessed) | A user accessed network device groups. | `@evt.name:"Network Device Monitoring" @asset.type:network_device @action:accessed` | | [Access network device facets](https://app.datadoghq.com/audit-trail?query=%40evt.name%3A%22Network%20Device%20Monitoring%22%20%40asset.type%3Anetwork_device%20%40action%3Aaccessed) | A user accessed network device facets. | `@evt.name:"Network Device Monitoring" @asset.type:network_device @action:accessed` | | [Access network devices list](https://app.datadoghq.com/audit-trail?query=%40evt.name%3A%22Network%20Device%20Monitoring%22%20%40asset.type%3Anetwork_device%20%40action%3Aaccessed) | A user accessed the network devices list. | `@evt.name:"Network Device Monitoring" @asset.type:network_device @action:accessed` | | [Access network interfaces](https://app.datadoghq.com/audit-trail?query=%40evt.name%3A%22Network%20Device%20Monitoring%22%20%40asset.type%3Anetwork_device%20%40action%3Aaccessed) | A user accessed network interfaces. | `@evt.name:"Network Device Monitoring" @asset.type:network_device @action:accessed` | | [Access network MIB leaves](https://app.datadoghq.com/audit-trail?query=%40evt.name%3A%22Network%20Device%20Monitoring%22%20%40asset.type%3Anetwork_device%20%40action%3Aaccessed) | A user accessed network MIB leaves. | `@evt.name:"Network Device Monitoring" @asset.type:network_device @action:accessed` | | [Modify network interface tags](https://app.datadoghq.com/audit-trail?query=%40evt.name%3A%22Network%20Device%20Monitoring%22%20%40asset.type%3Anetwork_device_tags%20%40action%3Amodified) | A user modified network interface tags. | `@evt.name:"Network Device Monitoring" @asset.type:network_device_tags @action:modified` | | [Modify network device tags](https://app.datadoghq.com/audit-trail?query=%40evt.name%3A%22Network%20Device%20Monitoring%22%20%40asset.type%3Anetwork_device_tags%20%40action%3Amodified) | A user modified network device tags. | `@evt.name:"Network Device Monitoring" @asset.type:network_device_tags @action:modified` | | [Access network interface tags](https://app.datadoghq.com/audit-trail?query=%40evt.name%3A%22Network%20Device%20Monitoring%22%20%40asset.type%3Anetwork_device_tags%20%40action%3Aaccessed) | A user accessed network interface tags. | `@evt.name:"Network Device Monitoring" @asset.type:network_device_tags @action:accessed` | | [Access network device details](https://app.datadoghq.com/audit-trail?query=%40evt.name%3A%22Network%20Device%20Monitoring%22%20%40asset.type%3Anetwork_device%20%40action%3Aaccessed) | A user accessed network device details. | `@evt.name:"Network Device Monitoring" @asset.type:network_device @action:accessed` | | [Modify Netflow port mappings](https://app.datadoghq.com/audit-trail?query=%40evt.name%3A%22Network%20Device%20Monitoring%22%20%40asset.type%3Anetflow_port_mappings%20%40action%3Amodified) | A user modified Netflow port mappings. | `@evt.name:"Network Device Monitoring" @asset.type:netflow_port_mappings @action:modified` | | [Delete Netflow port mappings](https://app.datadoghq.com/audit-trail?query=%40evt.name%3A%22Network%20Device%20Monitoring%22%20%40asset.type%3Anetflow_port_mappings%20%40action%3Adeleted) | A user deleted Netflow port mappings. | `@evt.name:"Network Device Monitoring" @asset.type:netflow_port_mappings @action:deleted` | | [Access network device profiles](https://app.datadoghq.com/audit-trail?query=%40evt.name%3A%22Network%20Device%20Monitoring%22%20%40asset.type%3Anetwork_device%20%40action%3Aaccessed) | A user accessed network device profiles. | `@evt.name:"Network Device Monitoring" @asset.type:network_device @action:accessed` | ### Notebook{% #notebook %} | Name | Description of Audit Event | Query In Audit Explorer | | ----------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------- | ---------------------------------------------------------- | | [Notebook created](https://app.datadoghq.com/audit-trail?query=%40evt.name%3ANotebook%20%40asset.type%3Anotebook%20%40action%3Acreated) | A notebook is created and the new JSON value for the notebook. | `@evt.name:Notebook @asset.type:notebook @action:created` | | [Notebook deleted](https://app.datadoghq.com/audit-trail?query=%40evt.name%3ANotebook%20%40asset.type%3Anotebook%20%40action%3Adeleted) | A notebook is deleted and the previous JSON value for the notebook. | `@evt.name:Notebook @asset.type:notebook @action:deleted` | | [Notebook modified](https://app.datadoghq.com/audit-trail?query=%40evt.name%3ANotebook%20%40asset.type%3Anotebook%20%40action%3Amodified) | A notebook is modified and the previous and new JSON values for the notebook. | `@evt.name:Notebook @asset.type:notebook @action:modified` | ### OAuth{% #oauth %} | Name | Description of Audit Event | Query In Audit Explorer | | -------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------- | ------------------------------------------ | | [OAuth client](https://app.datadoghq.com/audit-trail?query=%40evt.name%3AOAuth%20%40asset.type%3Aoauth_client) | A user created, modified, or deleted an OAuth client and the previous and new values for the OAuth client. | `@evt.name:OAuth @asset.type:oauth_client` | ### Observability Pipelines{% #observability-pipelines %} | Name | Description of Audit Event | Query In Audit Explorer | | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------ | | [Access worker version list](https://app.datadoghq.com/audit-trail?query=%40evt.name%3A%22Observability%20Pipelines%22%20%40asset.type%3Apipeline%20%40action%3Aaccessed%20%40asset.name%3A%22worker%20versions%20list%22) | A user accessed the worker versions list. | `@evt.name:"Observability Pipelines" @asset.type:pipeline @action:accessed @asset.name:"worker versions list"` | | [Access configuration count](https://app.datadoghq.com/audit-trail?query=%40evt.name%3A%22Observability%20Pipelines%22%20%40asset.type%3Apipeline%20%40action%3Aaccessed%20%40asset.name%3A%22configuration%20count%22) | A user accessed the configuration count for a pipeline. | `@evt.name:"Observability Pipelines" @asset.type:pipeline @action:accessed @asset.name:"configuration count"` | | [Access deployment list](https://app.datadoghq.com/audit-trail?query=%40evt.name%3A%22Observability%20Pipelines%22%20%40asset.type%3Adeployment) | A user accessed the deployment list for a pipeline. | `@evt.name:"Observability Pipelines" @asset.type:deployment` | | [Access worker component list](https://app.datadoghq.com/audit-trail?query=%40evt.name%3A%22Observability%20Pipelines%22%20%40asset.type%3Apipeline%20%40action%3Aaccessed%20%40asset.name%3A%22worker%20component%20list%22) | A user accessed the worker component list for a pipeline. | `@evt.name:"Observability Pipelines" @asset.type:pipeline @action:accessed @asset.name:"worker component list"` | | [Access version hash list](https://app.datadoghq.com/audit-trail?query=%40evt.name%3A%22Observability%20Pipelines%22%20%40asset.type%3Apipeline%20%40action%3Aaccessed%20%40asset.name%3A%22version%20hash%20list%22) | A user accessed the version hash list for a pipeline. | `@evt.name:"Observability Pipelines" @asset.type:pipeline @action:accessed @asset.name:"version hash list"` | | [Validate worker configuration component](https://app.datadoghq.com/audit-trail?query=%40evt.name%3A%22Observability%20Pipelines%22%20%40asset.type%3Apipeline%20%40action%3Aaccessed%20%40asset.name%3A%22worker%20configuration%20component%22) | A user successfully validated the worker configuration component. | `@evt.name:"Observability Pipelines" @asset.type:pipeline @action:accessed @asset.name:"worker configuration component"` | | [Access pipeline draft](https://app.datadoghq.com/audit-trail?query=%40evt.name%3A%22Observability%20Pipelines%22%20%40asset.type%3Adraft) | A user accessed the pipeline draft. | `@evt.name:"Observability Pipelines" @asset.type:draft` | | [Create draft pipeline](https://app.datadoghq.com/audit-trail?query=%40evt.name%3A%22Observability%20Pipelines%22%20%40asset.type%3Apipelines_draft%20%40action%3Acreated) | A user created a draft pipeline. | `@evt.name:"Observability Pipelines" @asset.type:pipelines_draft @action:created` | | [Modify draft pipeline](https://app.datadoghq.com/audit-trail?query=%40evt.name%3A%22Observability%20Pipelines%22%20%40asset.type%3Apipelines_draft%20%40action%3Amodified) | A user modified a draft pipeline. | `@evt.name:"Observability Pipelines" @asset.type:pipelines_draft @action:modified` | | [Access Pipeline configuration](https://app.datadoghq.com/audit-trail?query=%40evt.name%3A%22Observability%20Pipelines%22%20%40asset.type%3Apipelines_configuration%20%40action%3Aaccessed) | A user accessed the pipeline configuration for a specific pipeline by ID. | `@evt.name:"Observability Pipelines" @asset.type:pipelines_configuration @action:accessed` | | [Modify pipeline](https://app.datadoghq.com/audit-trail?query=%40evt.name%3A%22Observability%20Pipelines%22%20%40asset.type%3Apipelines_configuration%20%40action%3Amodified) | A user modified an existing pipeline configuration. | `@evt.name:"Observability Pipelines" @asset.type:pipelines_configuration @action:modified` | | [Create pipeline](https://app.datadoghq.com/audit-trail?query=%40evt.name%3A%22Observability%20Pipelines%22%20%40asset.type%3Apipelines_configuration%20%40action%3Acreated) | A user created a pipeline. | `@evt.name:"Observability Pipelines" @asset.type:pipelines_configuration @action:created` | | [Delete pipeline](https://app.datadoghq.com/audit-trail?query=%40evt.name%3A%22Observability%20Pipelines%22%20%40asset.type%3Apipelines_configuration%20%40action%3Adeleted) | A user deleted a pipeline. | `@evt.name:"Observability Pipelines" @asset.type:pipelines_configuration @action:deleted` | | [Access Pipeline configuration list](https://app.datadoghq.com/audit-trail?query=%40evt.name%3A%22Observability%20Pipelines%22%20%40asset.type%3Apipelines_configuration_list%20%40action%3Aaccessed) | A user accessed the pipeline configuration list. | `@evt.name:"Observability Pipelines" @asset.type:pipelines_configuration_list @action:accessed` | | [Access Pipeline](https://app.datadoghq.com/audit-trail?query=%40evt.name%3A%22Observability%20Pipelines%22%20%40asset.type%3Aobs_pipelines%20%40action%3Aaccessed) | A user accessed a pipeline. | `@evt.name:"Observability Pipelines" @asset.type:obs_pipelines @action:accessed` | | [Access pipeline list](https://app.datadoghq.com/audit-trail?query=%40evt.name%3A%22Observability%20Pipelines%22%20%40asset.type%3Apipeline%20%40action%3Aaccessed%20%40asset.name%3A%22pipeline%20list%22) | A user accessed the pipeline list. | `@evt.name:"Observability Pipelines" @asset.type:pipeline @action:accessed @asset.name:"pipeline list"` | | [Access pipeline by ID](https://app.datadoghq.com/audit-trail?query=%40evt.name%3A%22Observability%20Pipelines%22%20%40asset.type%3Apipeline%20%40action%3Aaccessed%20%40asset.name%3A%22pipeline%22) | A user accessed a specific pipeline by ID. | `@evt.name:"Observability Pipelines" @asset.type:pipeline @action:accessed @asset.name:"pipeline"` | ### On-Call{% #on-call %} | Name | Description of Audit Event | Query In Audit Explorer | | ----------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------- | -------------------------------------------------------------------- | | [Create a schedule](https://app.datadoghq.com/audit-trail?query=%40evt.name%3A%22On-Call%22%20%40asset.type%3Aschedule%20%40action%3Acreated) | A user created a schedule. | `@evt.name:"On-Call" @asset.type:schedule @action:created` | | [Modify a schedule override](https://app.datadoghq.com/audit-trail?query=%40evt.name%3A%22On-Call%22%20%40asset.type%3Aoverride%20%40action%3Amodified) | A user modified a schedule override. | `@evt.name:"On-Call" @asset.type:override @action:modified` | | [Delete a schedule override](https://app.datadoghq.com/audit-trail?query=%40evt.name%3A%22On-Call%22%20%40asset.type%3Aoverride%20%40action%3Adeleted) | A user deleted a schedule override. | `@evt.name:"On-Call" @asset.type:override @action:deleted` | | [Modify team rules](https://app.datadoghq.com/audit-trail?query=%40evt.name%3A%22On-Call%22%20%40asset.type%3Ateam_rules%20%40action%3Amodified) | A user modified team rules. | `@evt.name:"On-Call" @asset.type:team_rules @action:modified` | | [Create a schedule override](https://app.datadoghq.com/audit-trail?query=%40evt.name%3A%22On-Call%22%20%40asset.type%3Aoverride%20%40action%3Acreated) | A user created a schedule override. | `@evt.name:"On-Call" @asset.type:override @action:created` | | [Modify a schedule](https://app.datadoghq.com/audit-trail?query=%40evt.name%3A%22On-Call%22%20%40asset.type%3Aschedule%20%40action%3Amodified) | A user modified a schedule. | `@evt.name:"On-Call" @asset.type:schedule @action:modified` | | [Delete a schedule](https://app.datadoghq.com/audit-trail?query=%40evt.name%3A%22On-Call%22%20%40asset.type%3Aschedule%20%40action%3Adeleted) | A user deleted a schedule. | `@evt.name:"On-Call" @asset.type:schedule @action:deleted` | | [Create an escalation policy](https://app.datadoghq.com/audit-trail?query=%40evt.name%3A%22On-Call%22%20%40asset.type%3Aescalation_policy%20%40action%3Acreated) | A user created an escalation policy. | `@evt.name:"On-Call" @asset.type:escalation_policy @action:created` | | [Modify an escalation policy](https://app.datadoghq.com/audit-trail?query=%40evt.name%3A%22On-Call%22%20%40asset.type%3Aescalation_policy%20%40action%3Amodified) | A user modified an escalation policy. | `@evt.name:"On-Call" @asset.type:escalation_policy @action:modified` | | [Delete an escalation policy](https://app.datadoghq.com/audit-trail?query=%40evt.name%3A%22On-Call%22%20%40asset.type%3Aescalation_policy%20%40action%3Adeleted) | A user deleted an escalation policy. | `@evt.name:"On-Call" @asset.type:escalation_policy @action:deleted` | | [Create team rules](https://app.datadoghq.com/audit-trail?query=%40evt.name%3A%22On-Call%22%20%40asset.type%3Ateam_rules%20%40action%3Acreated) | A user created team rules. | `@evt.name:"On-Call" @asset.type:team_rules @action:created` | ### Organization Management{% #organization-management %} | Name | Description of Audit Event | Query In Audit Explorer | | ------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------- | ------------------------------------------------------------------------------ | | [Child org created](https://app.datadoghq.com/audit-trail?query=%40evt.name%3A%22Organization%20Management%22%20%40asset.type%3Aorganization%20%40action%3Acreated) | A user created a new child organization for an existing Datadog organization. | `@evt.name:"Organization Management" @asset.type:organization @action:created` | | [Audit Trail settings](https://app.datadoghq.com/audit-trail?query=%40evt.name%3A%22Organization%20Management%22%20%40asset.type%3Aaudit_logs_settings) | A user modified Audit Trail settings and what the previous and new settings are. | `@evt.name:"Organization Management" @asset.type:audit_logs_settings` | ### Private Action Runners{% #private-action-runners %} | Name | Description of Audit Event | Query In Audit Explorer | | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------ | --------------------------------------------------------------------------------------------------------------------------------------- | | [Query intent](https://app.datadoghq.com/audit-trail?query=%40evt.name%3A%22Private%20Action%20Runners%22%20%40asset.type%3Aquery_intent%20%40action%3A%28validated%20OR%20created%29) | A user successfully created a query intent, or a runner successfully validated a query intent. | `@evt.name:"Private Action Runners" @asset.type:query_intent @action:(validated OR created)` | | [Private action runner](https://app.datadoghq.com/audit-trail?query=%40evt.name%3A%22Private%20Action%20Runners%22%20%40asset.type%3Aprivate_action_runner%20%40action%3A%28accessed%20OR%20created%20OR%20deleted%20OR%20modified%20OR%20attached%29) | A user successfully accessed, created, deleted, or modified a runner, or a user attached a runner to a connection. | `@evt.name:"Private Action Runners" @asset.type:private_action_runner @action:(accessed OR created OR deleted OR modified OR attached)` | | [Runner enrollment token](https://app.datadoghq.com/audit-trail?query=%40evt.name%3A%22Private%20Action%20Runners%22%20%40asset.type%3Arunner_enrollment%20%40action%3A%28completed%20OR%20created%29) | A user successfully created a runner enrollment token, or a runner successfully completed enrollment. | `@evt.name:"Private Action Runners" @asset.type:runner_enrollment @action:(completed OR created)` | ### Quality Gates{% #quality-gates %} | Name | Description of Audit Event | Query In Audit Explorer | | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------- | | [Quality gates rule](https://app.datadoghq.com/audit-trail?query=%40evt.name%3A%22CI%20Visibility%22%20%40asset.type%3Aci_app_quality_gates%20%28%40action%3Acreated%20OR%20%40action%3Amodified%20OR%20%40action%3Adeleted%29) | A user has created, modified, or deleted a quality gate rule. | `@evt.name:"CI Visibility" @asset.type:ci_app_quality_gates (@action:created OR @action:modified OR @action:deleted)` | ### Real User Monitoring{% #real-user-monitoring %} | Name | Description of Audit Event | Query In Audit Explorer | | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------ | | [RUM application created](https://app.datadoghq.com/audit-trail?query=%40evt.name%3A%22Real%20User%20Monitoring%22%20%40asset.type%3Areal_user_monitoring_application%20%40action%3A%28created%20OR%20deleted%29) | A user created or deleted an application in RUM and the type of the application (Browser, Flutter, iOS, React Native, Android). | `@evt.name:"Real User Monitoring" @asset.type:real_user_monitoring_application @action:(created OR deleted)` | | [RUM application modified](https://app.datadoghq.com/audit-trail?query=%40evt.name%3A%22Real%20User%20Monitoring%22%20%40asset.type%3Areal_user_monitoring_application%20%40action%3Amodified) | A user modified an application in RUM, the new value of the application, and the type of the application (Browser, Flutter, iOS, React Native, Android). | `@evt.name:"Real User Monitoring" @asset.type:real_user_monitoring_application @action:modified` | | [Session replay viewed](https://app.datadoghq.com/audit-trail?query=%40evt.name%3A%22Real%20User%20Monitoring%22%20%40asset.type%3Asession_replay%20%40action%3Aaccessed) | A user viewed a session replay. | `@evt.name:"Real User Monitoring" @asset.type:session_replay @action:accessed` | ### Reference Tables{% #reference-tables %} | Name | Description of Audit Event | Query In Audit Explorer | | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------- | | [Reference Table](https://app.datadoghq.com/audit-trail?query=%40evt.name%3A%22Reference%20Tables%22%20%40asset.type%3Areference_table%20%40action%3A%28created%20OR%20deleted%20OR%20modified%29) | A user created, deleted, or modified a reference table. | `@evt.name:"Reference Tables" @asset.type:reference_table @action:(created OR deleted OR modified)` | | [Reference Table File](https://app.datadoghq.com/audit-trail?query=%40evt.name%3A%22Reference%20Tables%22%20%40asset.type%3Areference_table_file%20%40action%3A%28uploaded%20OR%20imported%29) | A user uploaded a file or imported a file with a cloud provider for a reference table. | `@evt.name:"Reference Tables" @asset.type:reference_table_file @action:(uploaded OR imported)` | ### Security Notification{% #security-notification %} | Name | Description of Audit Event | Query In Audit Explorer | | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------- | | [Automatic password reset](https://app.datadoghq.com/audit-trail?query=%40evt.name%3A%22Security%20Notification%22%20%40asset.type%3Apassword%20%40action%3Anotification%20%40metadata.automatic_password_reset_reason%3A*) | Datadog has automatically reset a user password because it was found in a known credentials leak. | `@evt.name:"Security Notification" @asset.type:password @action:notification @metadata.automatic_password_reset_reason:*` | | [Token leaked](https://app.datadoghq.com/audit-trail?query=%40evt.name%3A%22Security%20Notification%22%20%40asset.type%3A%28api_key%20OR%20application_key%29%20%40action%3Anotification) | Datadog has detected a leaked Datadog API or Application Key that should be revoked. | `@evt.name:"Security Notification" @asset.type:(api_key OR application_key) @action:notification` | | [Login method override](https://app.datadoghq.com/audit-trail?query=%40evt.name%3A%22Security%20Notification%22%20%40asset.type%3Auser%20%40action%3Anotification) | Datadog has detected a user login method override that is different from the default login methods set for the organization. | `@evt.name:"Security Notification" @asset.type:user @action:notification` | | [Unusual login](https://app.datadoghq.com/audit-trail?query=%40evt.name%3A%22Security%20Notification%22%20%40asset.type%3Aunusual_login%20%40action%3Anotification) | Datadog has detected a unusual login event. | `@evt.name:"Security Notification" @asset.type:unusual_login @action:notification` | | [User invited with throwaway email](https://app.datadoghq.com/audit-trail?query=%40evt.name%3A%22Security%20Notification%22%20%40asset.type%3Auser_invite%20%40action%3Anotification) | Datadog has detected that a user with an email from a free or disposable email provider was invited to the organization. | `@evt.name:"Security Notification" @asset.type:user_invite @action:notification` | ### Sensitive Data Scanner{% #sensitive-data-scanner %} | Name | Description of Audit Event | Query In Audit Explorer | | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------- | | [Scanning rule](https://app.datadoghq.com/audit-trail?query=%40evt.name%3A%22Sensitive%20Data%20Scanner%22%20%40asset.type%3Asensitive_data_scanner_scanning_rule) | A user created, modified, or deleted a scanning rule within a scanning group in Sensitive Data Scanner and the previous and new values for the configuration. | `@evt.name:"Sensitive Data Scanner" @asset.type:sensitive_data_scanner_scanning_rule` | | [Scanning group](https://app.datadoghq.com/audit-trail?query=%40evt.name%3A%22Sensitive%20Data%20Scanner%22%20%40asset.type%3Asensitive_data_scanner_scanning_group) | A user created, modified, or deleted a scanning group in Sensitive Data Scanner and the previous and new values for the configuration. | `@evt.name:"Sensitive Data Scanner" @asset.type:sensitive_data_scanner_scanning_group` | | [Scanning group order modified](https://app.datadoghq.com/audit-trail?query=%40evt.name%3A%22Sensitive%20Data%20Scanner%22%20%40asset.type%3Asensitive_data_scanner_scanning_group_list) | A user modified the order of scanning groups. | `@evt.name:"Sensitive Data Scanner" @asset.type:sensitive_data_scanner_scanning_group_list` | ### Service Level Objectives{% #service-level-objectives %} | Name | Description of Audit Event | Query In Audit Explorer | | ---------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------- | ------------------------------------------ | | [SLO](https://app.datadoghq.com/audit-trail?query=%40evt.name%3ASLO%20%40asset.type%3Aslo) | A user creates, modifies, or deletes an SLO and the previous and new values for the SLO. | `@evt.name:SLO @asset.type:slo` | | [SLO correction](https://app.datadoghq.com/audit-trail?query=%40evt.name%3ASLO%20%40asset.type%3Aslo_correction) | A user creates, modifies, or deletes an SLO correction and the previous and new values for the SLO correction. | `@evt.name:SLO @asset.type:slo_correction` | ### Sheets{% #sheets %} | Name | Description of Audit Event | Query In Audit Explorer | | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------ | ----------------------------------------------------------------------------------------------- | | [Spreadsheet](https://app.datadoghq.com/audit-trail?query=%40evt.name%3ASheets%20%40asset.type%3Aspreadsheet%20%40action%3A%28created%20OR%20modified%20OR%20deleted%20OR%20accessed%29) | A user creates, modifies, deletes, or accesses a spreadsheet. | `@evt.name:Sheets @asset.type:spreadsheet @action:(created OR modified OR deleted OR accessed)` | | [Table](https://app.datadoghq.com/audit-trail?query=%40evt.name%3ASheets%20%40asset.type%3Atable%20%40action%3A%28created%20OR%20modified%20OR%20deleted%29) | A user creates, modifies, or deletes a table within a spreadsheet. | `@evt.name:Sheets @asset.type:table @action:(created OR modified OR deleted)` | | [Pivot](https://app.datadoghq.com/audit-trail?query=%40evt.name%3ASheets%20%40asset.type%3Apivot%20%40action%3A%28created%20OR%20modified%20OR%20deleted%29) | A user creates, modifies, or deletes a pivot within a spreadsheet. | `@evt.name:Sheets @asset.type:pivot @action:(created OR modified OR deleted)` | ### Synthetic Monitoring{% #synthetic-monitoring %} | Name | Description of Audit Event | Query In Audit Explorer | | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------- | | [Synthetic test created or deleted](https://app.datadoghq.com/audit-trail?query=%40evt.name%3A%22Synthetics%20Monitoring%22%20%40asset.type%3Asynthetics_test%20%40action%3A%28created%20OR%20deleted%29) | A user created or deleted a Synthetic test. | `@evt.name:"Synthetics Monitoring" @asset.type:synthetics_test @action:(created OR deleted)` | | [Synthetic settings](https://app.datadoghq.com/audit-trail?query=%40evt.name%3A%22Synthetics%20Monitoring%22%20%40asset.type%3Asynthetics_settings%20%40action%3Amodified) | A user modified Synthetic settings (quotas, PL access) and the previous and new setting values. | `@evt.name:"Synthetics Monitoring" @asset.type:synthetics_settings @action:modified` | | [Synthetic variable](https://app.datadoghq.com/audit-trail?query=%40evt.name%3A%22Synthetics%20Monitoring%22%20%40asset.type%3Asynthetics_variable) | A user created, modified, or deleted a Synthetic variable. | `@evt.name:"Synthetics Monitoring" @asset.type:synthetics_variable` | | [Synthetic test modified](https://app.datadoghq.com/audit-trail?query=%40evt.name%3A%22Synthetics%20Monitoring%22%20%40asset.type%3Asynthetics_test%20%40action%3Amodified) | A user modified a Synthetic test and the previous and new values for the configuration. | `@evt.name:"Synthetics Monitoring" @asset.type:synthetics_test @action:modified` | | [Private location](https://app.datadoghq.com/audit-trail?query=%40evt.name%3A%22Synthetics%20Monitoring%22%20%40asset.type%3Asynthetics_private_location) | A user created or deleted a private location for Synthetic tests. | `@evt.name:"Synthetics Monitoring" @asset.type:synthetics_private_location` | ### Teams Management{% #teams-management %} | Name | Description of Audit Event | Query In Audit Explorer | | ----------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------- | ----------------------------------------------------------------------- | | [Teams Management](https://app.datadoghq.com/audit-trail?query=%40evt.name%3A%22Teams%20Management%22%20%40action%3A%28created%20OR%20deleted%20OR%20modified%29) | A user created, deleted, or modified a team or team association. | `@evt.name:"Teams Management" @action:(created OR deleted OR modified)` | ### Test Optimization{% #test-optimization %} | Name | Description of Audit Event | Query In Audit Explorer | | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------- | | [Test Optimization settings](https://app.datadoghq.com/audit-trail?query=%40evt.name%3A%22Test%20Optimization%22%20%40asset.type%3Atest_optimization_settings%20%28%40action%3Amodified%20OR%20%40action%3Adeleted%29) | A user modified or deleted the settings of a repository or a service. | `@evt.name:"Test Optimization" @asset.type:test_optimization_settings (@action:modified OR @action:deleted)` | | [Flaky test status](https://app.datadoghq.com/audit-trail?query=%40evt.name%3A%22Test%20Optimization%22%20%40asset.type%3A%22test_optimization_management%22%20%40action%3Amodified) | A user modified the status of a flaky test. | `@evt.name:"Test Optimization" @asset.type:"test_optimization_management" @action:modified` | | [Test optimization default settings](https://app.datadoghq.com/audit-trail?query=%40evt.name%3A%22Test%20Optimization%22%20%40asset.type%3Atest_optimization_default_settings%20%28%40action%3Amodified%20OR%20%40action%3Adeleted%29) | A user modified or deleted the default settings. | `@evt.name:"Test Optimization" @asset.type:test_optimization_default_settings (@action:modified OR @action:deleted)` | ### Workflows{% #workflows %} | Name | Description of Audit Event | Query In Audit Explorer | | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------- | | [Custom Connection](https://app.datadoghq.com/audit-trail?query=%40evt.name%3A%22Custom%20Connections%22%20%40asset.type%3Acustom_connection%20%40action%3A%28created%20OR%20deleted%20OR%20modified%29) | A user created, deleted, or modified a connection. | `@evt.name:"Custom Connections" @asset.type:custom_connection @action:(created OR deleted OR modified)` | | [Workflow](https://app.datadoghq.com/audit-trail?query=%40evt.name%3A%22Workflows%22%20%40asset.type%3Aworkflow%20%40action%3A%28created%20OR%20deleted%20OR%20modified%20OR%20executed%29) | A user created, deleted, or modified a workflow, or a workflow executed. | `@evt.name:"Workflows" @asset.type:workflow @action:(created OR deleted OR modified OR executed)` | | [Workflow Schedule](https://app.datadoghq.com/audit-trail?query=%40evt.name%3A%22Workflows%22%20%40asset.type%3Aworkflow_schedule%20%40action%3A%28created%20OR%20deleted%20OR%20modified%29) | A user created, deleted, or modified a schedule for a workflow. | `@evt.name:"Workflows" @asset.type:workflow_schedule @action:(created OR deleted OR modified)` | | [Workflow Action](https://app.datadoghq.com/audit-trail?query=%40evt.name%3A%22Workflows%22%20%40asset.type%3Aworkflow_action%20%40action%3A%28responded%29) | A user responded to a Slack prompt during the execution of a workflow. | `@evt.name:"Workflows" @asset.type:workflow_action @action:(responded)` | | [Notifications](https://app.datadoghq.com/audit-trail?query=%40evt.name%3AWorkflows%20%40action%3A%28created%20OR%20modified%20OR%20deleted%29%20%40asset.type%3Aworkflow_notifications) | A notification configuration was created, modified, or deleted for a workflow. | `@evt.name:Workflows @action:(created OR modified OR deleted) @asset.type:workflow_notifications` | | [Step completed](https://app.datadoghq.com/audit-trail?query=%40evt.name%3AWorkflows%20%40action%3Acompleted%20%40asset.type%3Astep) | A step was completed. | `@evt.name:Workflows @action:completed @asset.type:step` | #### Platform Events - Access Management - Actions Datastore - API Request - Authentication - Dashboard - Datadog Agent - Integration - Monitor - Notebook - OAuth - Organization Management - Private Action Runners - Teams Management - Test Optimization #### Product-Specific Events - AI Guard - App and API Protection (AAP) - App Builder - Application Performance Monitoring (APM) - Audit Trail - Bits AI SRE - Bits Dev - Case Management - CI Visibility - Cloud Security Platform - Data Streams Monitoring - Dynamic Instrumentation - Error Tracking - Event Management - Exception Replay - Infrastructure Monitoring - Live Debugger - LLM Observability - Log Management - Metrics - Network Device Monitoring - Observability Pipelines - On-Call - Quality Gates - Real User Monitoring - Reference Tables - Security Notification - Sensitive Data Scanner - Service Level Objectives - Sheets - Synthetic Monitoring - Workflows ## Further Reading{% #further-reading %} - [Learn more about Audit Trail](https://docs.datadoghq.com/account_management/audit_trail/)