Audit Trail Events

Overview

Datadog Audit Trail records more than 100 types of audit events from across the Datadog platform. These audit events are categorized into different product categories as event names.

Platform Events

Product-Specific Events

See the Audit Trail documentation for more information on setting up and configuring Audit Trail.

Audit Events

Access management events

NameDescription of audit eventQuery in audit explorer
Application key (Service account user)A user created, modified, or deleted an application key for a service account user.@evt.name:"Access Management" @asset.type:application_key
Authentication methods (Org)A user modified the allowed authentication methods for an org and what the previous and new values are.@evt.name:"Access Management" @asset.type:identity_provider
EmailAn email is added, disabled, or verified on the Datadog account as a user in the account.@evt.name:"Access Management" @asset.type:user
Role modifiedA role is modified and what the previous and new permissions are.@evt.name:"Access Management" @asset.type:role @action:modified
Role created or deletedA role is created or deleted in the org.@evt.name:"Access Management" @asset.type:role @action:(created OR deleted)
Role access requestA user created, responded to, or deleted an access request for a role, and the value of the access request.@evt.name:"Access Management" @asset.type:role_request
User’s roleA user is added or deleted from a role in the org.@evt.name:"Access Management" @asset.type:role @action:modified

API request events

NameDescription of audit eventQuery in audit explorer
API RequestAn API Request is made across the Datadog platform.@evt.name:Request @action:accessed

Authentication events

NameDescription of audit eventQuery in audit explorer
API key (Org settings)An API key is accessed, listed, created, or deleted in the Organization Settings page.@evt.name:Authentication @asset.type:api_key
Application key (Org settings)An application key is accessed, listed, created, or deleted in the Organization Settings page.@evt.name:Authentication @asset.type:application_key
Public API key (Org settings)A public API key is accessed, listed, created, or deleted in the Organization Settings page.@evt.name:Authentication @asset.type:public_api_key
User loginA user logs into Datadog and the authentication method used.@evt.name:Authentication @action:login

Cloud Security Platform events

NameDescription of audit eventQuery in audit explorer
CWS agent ruleA user accessed (fetched) a CWS agent rule in the Cloud Security Platform.@evt.name:“Cloud Security Platform” @asset.type:cws_agent_rule @action:accessed
Notification profileA user created, updated, or deleted a notification profile in the Cloud Security Platform.@evt.name:"Cloud Security Platform" @asset.type:notification_profile
Security ruleA user updated, deleted, or created a security rule and the previous and new values for the rule.@evt.name:"Cloud Security Platform" @asset.type:security_rule
Security signalA user modified the state of a signal or assigned the signal to a user, and the previous and new values for the signal.@evt.name:"Cloud Security Platform" @asset.type:security_signal @action:modified

Dashboard events

NameDescription of audit eventQuery in audit explorer
Dashboard createdA dashboard is created and the new JSON value for the dashboard.@evt.name:Dashboard @asset.type:dashboard @action:created
Dashboard deletedA dashboard is deleted and the previous JSON value for the dashboard.@evt.name:Dashboard @asset.type:dashboard @action:deleted
Dashboard embedded (Roadie)A Datadog dashboard is embedded into a third party and a user views the dashboard.@evt.name:Dashboard @asset.type:embed @action:accessed
Dashboard modifiedA dashboard is modified and the previous and new JSON values for the dashboard.@evt.name:Dashboard @asset.type:dashboard @action:modified
Dashboard user(s) addedA user added user ID(s) that can access a dashboard and the list of new user IDs.@evt.name:Dashboard @asset.type:dashboard_share_acl @action:created
Dashboard user(s) deletedA user deleted user ID(s) that can access a dashboard and the list of the deleted user ID(s).@evt.name:Dashboard @asset.type:dashboard_share_acl @action:deleted
Public URL accessedA public dashboard URL is accessed.@evt.name:Dashboard @asset.type:dashboard @action:accessed
Public URL generated or deletedA public URL to view a dashboard is generated or deleted.@evt.name:Dashboard @asset.type:dashboard_share_link

Integration events

NameDescription of audit eventQuery in audit explorer
ResourceAnytime a resource (channel, service, webhook, account, instance, and so on) is added, modified, or deleted from an integration, and the previous and new values for the configuration.@evt.name:Integration @asset.type:integration

Log Management events

NameDescription of audit eventQuery in audit explorer
Archive configurationA user created, modified, or deleted the configuration of an archive and the previous and new values for the configuration.@evt.name:"Log Management" @asset.type:archive
Custom metricA user created, modified, or deleted a custom metric for logs and the previous and new values for the custom metric configuration.@evt.name:"Log Management" @asset.type:"custom metric"
Exclusion filter configurationA user created, modified, or deleted the configuration of an exclusion filter and the previous and new values for the configuration.@evt.name:"Log Management" @asset.type:"exclusion filter"
FacetA user created, modified, or deleted a facet in the log explorer and the previous and new values for the facet configuration.@evt.name:"Log Management" @asset.type:facet
Historical viewA user created, modified, aborted, or deleted a historical view for logs and the previous and new values for the historical view configuration.@evt.name:"Log Management" @asset.type:historical_view
Index configurationA user created, modified, or deleted the configuration of an index and the previous and new values for the configuration.@evt.name:"Log Management" @asset.type:index
Log pipelineA user created, modified, or deleted a log pipeline or nested pipeline and the previous and new values for the configuration.@evt.name:"Log Management" @asset.type:pipeline
ProcessorA user created, modified, or deleted a processor within a pipeline and the previous and new values for the configuration.@evt.name:"Log Management" @asset.type:pipeline_processor
Restriction query configurationA user created, modified, or deleted the configuration of a restriction query in logs and the previous and new values for the configuration.@evt.name:"Log Management" @asset.type:restriction_query
Standard attribute configurationA user created, modified, or deleted the configuration of a standard attribute in logs and the previous and new values for the configuration.@evt.name:"Log Management" @asset.type:standard_attribute

APM events

NameDescription of audit eventQuery in audit explorer
Retention filterA user created, modified, or deleted a retention filter and the previous and/or new values for the retention filter configuration.@evt.name:APM @asset.type:retention_filter
Span-based metricA user created, modified, or deleted a span-based metric and the previous and/or new values for the metric configuration.@evt.name:APM @asset.type:custom_metrics
FacetA user created, modified, or deleted a facet and the previous and/or new values for the facet configuration.@evt.name:APM @asset.type:facet
Primary operation nameA user created, modified, or deleted the primary operation name of a service and the previous and/or new values for the configuration.@evt.name:APM @asset.type:service_operation_name
Second Primary tagA user added, modified, or deleted the second primary tag and the previous and/or new values for the configuration.@evt.name:APM @asset.type:second_primary_tag

Metrics events

NameDescription of audit eventQuery in audit explorer
Custom metric createdA user created a custom metric and the new value for the custom metric configuration.@evt.name:Metrics @asset.type:metric @action:created
Custom metric deletedA user deleted a custom metric and the previous value for the custom metric configuration.@evt.name:Metrics @asset.type:metric @action:deleted
Custom metric modifiedA user modified a custom metric and the previous and new values for the custom metric configuration.@evt.name:Metrics @asset.type:metric @action:modified

Monitor events

NameDescription of audit eventQuery in audit explorer
Monitor createdA monitor is created and the new JSON value for the monitor.@evt.name:Monitor @asset.type:monitor @action:created
Monitor deletedA monitor is deleted and the previous JSON value for the monitor.@evt.name:Monitor @asset.type:monitor @action:deleted
Monitor modifiedA monitor is modified and the previous and new JSON values for the monitor.@evt.name:Monitor @asset.type:monitor @action:modified
Monitor resolvedA monitor is resolved.@evt.name:Monitor @asset.type:monitor @action:resolved

Notebook events

NameDescription of audit eventQuery in audit explorer
Notebook createdA notebook is created and the new JSON value for the notebook.@evt.name:Notebook @asset.type:notebook @action:created
Notebook deletedA notebook is deleted and the previous JSON value for the notebook.@evt.name:Notebook @asset.type:notebook @action:deleted
Notebook modifiedA notebook is modified and the previous and new JSON values for the notebook.@evt.name:Notebook @asset.type:notebook @action:modified

OAuth events

NameDescription of audit eventQuery in audit explorer
OAuth clientA user created, modified, or deleted an OAuth client and the previous and new values for the OAuth client.@evt.name:OAuth @asset.type:oauth_client

Organization management events

NameDescription of audit eventQuery in audit explorer
Audit Trail settingsA user modified Audit Trail settings and what the previous and new settings are.@evt.name:"Organization Management" @asset.type:audit_logs_settings

Real User Monitoring events

NameDescription of audit eventQuery in audit explorer
RUM application createdA user created or deleted an application in RUM and the type of the application (Browser, Flutter, IOS, React Native, Android).@evt.name:"Real User Monitoring" @asset.type:real_user_monitoring_application @action:(created OR deleted)
RUM application modifiedA user modified an application in RUM, the new value of the application, and the type of the application (Browser, Flutter, IOS, React Native, Android).@evt.name:“Real User Monitoring” @asset.type:real_user_monitoring_application @action:modified

Sensitive Data Scanner events

NameDescription of audit eventQuery in audit explorer
Scanning groupA user created, modified, or deleted a scanning group in Sensitive Data Scanner and the previous and new values for the configuration.@evt.name:"Sensitive Data Scanner" @asset.type:sensitive_data_scanner_scanning_group
Scanning ruleA user created, modified, or deleted a scanning rule within a scanning group in Sensitive Data Scanner and the previous and new values for the configuration.@evt.name:"Sensitive Data Scanner" @asset.type:sensitive_data_scanner_scanning_rule

Service Level Objectives (SLO) events

NameDescription of audit eventQuery in audit explorer
SLOA user creates, modifies, or deletes an SLO and the previous and new values for the SLO.@evt.name:SLO @asset.type:slo
SLO correctionA user creates, modifies, or deletes an SLO correction and the previous and new values for the SLO correction.@evt.name:SLO @asset.type:slo_correction

Support administration events

NameDescription of audit eventQuery in audit explorer
Support admin accessA Datadog support admin accesses the account and the reason for it.@evt.name:"Support Administration" @action:login

Synthetic Monitoring events

NameDescription of audit eventQuery in audit explorer
Private locationA user created or deleted a private location for Synthetic tests.@evt.name:"Synthetics Monitoring" @asset.type:synthetics_private_location
Synthetic test created or deletedA user created or deleted a Synthetic test.@evt.name:"Synthetics Monitoring" @asset.type:synthetics_test @action:(created OR deleted)
Synthetic test modifiedA user modified a Synthetic test and the previous and new values for the configuration.@evt.name:"Synthetics Monitoring" @asset.type:synthetics_test @action:modified
Synthetic variableA user created, modified, or deleted a Synthetic variable.@evt.name:"Synthetics Monitoring" @asset.type:synthetics_variable
Synthetic settingsA user modified Synthetic settings (quotas, PL access) and the previous and new setting values.@evt.name:"Synthetics Monitoring" @asset.type:synthetics_settings @action:modified

Reference Table events

NameDescription of audit eventQuery in audit explorer
Reference TableA user created, deleted, or modified a reference table.@evt.name:"Reference Tables" @asset.type:reference_table @action:(created OR deleted OR modified)
Reference Table FileA user uploaded a file or imported a file with a cloud provider for a reference table.@evt.name:"Reference Tables" @asset.type:reference_table_file @action:(uploaded OR imported)

CI Visibility events

NameDescription of audit eventQuery in audit explorer
Repository Default BranchA user modified the default branch of a repository, and the previous and new values for the default branch.@evt.name:"CI Visibility" @asset.type:ci_app_repository

Further Reading

Additional helpful documentation, links, and articles: