Datadog Audit Trail records more than 100 types of audit events from across the Datadog platform. These audit events are categorized into different product categories as event names.
See the Audit Trail documentation for more information on setting up and configuring Audit Trail.
| Name | Description of audit event | Query in audit explorer |
|---|---|---|
| Application key (Service account user) | A user created, modified, or deleted an application key for a service account user. | @evt.name:"Access Management" @asset.type:application_key |
| Authentication methods (Org) | A user modified the allowed authentication methods for an org and what the previous and new values are. | @evt.name:"Access Management" @asset.type:identity_provider |
| An email is added, disabled, or verified on the Datadog account as a user in the account. | @evt.name:"Access Management" @asset.type:user | |
| Role modified | A role is modified and what the previous and new permissions are. | @evt.name:"Access Management" @asset.type:role @action:modified |
| Role created or deleted | A role is created or deleted in the org. | @evt.name:"Access Management" @asset.type:role @action:(created OR deleted) |
| Role access request | A user created, responded to, or deleted an access request for a role, and the value of the access request. | @evt.name:"Access Management" @asset.type:role_request |
| User’s role | A user is added or deleted from a role in the org. | @evt.name:"Access Management" @asset.type:role @action:modified |
| Password | A user modified their password in the org. | @evt.name:"Access Management" @asset.type:password @action:modified |
| Name | Description of audit event | Query in audit explorer |
|---|---|---|
| API Request | An API Request is made across the Datadog platform. | @evt.name:Request @action:accessed |
| Name | Description of audit event | Query in audit explorer |
|---|---|---|
| Retention filter | A user created, modified, or deleted a retention filter and the previous and/or new values for the retention filter configuration. | @evt.name:APM @asset.type:retention_filter |
| Span-based metric | A user created, modified, or deleted a span-based metric and the previous and/or new values for the metric configuration. | @evt.name:APM @asset.type:custom_metrics |
| Facet | A user created, modified, or deleted a facet and the previous and/or new values for the facet configuration. | @evt.name:APM @asset.type:facet |
| Primary operation name | A user created, modified, or deleted the primary operation name of a service and the previous and/or new values for the configuration. | @evt.name:APM @asset.type:service_operation_name |
| Second Primary tag | A user added, modified, or deleted the second primary tag and the previous and/or new values for the configuration. | @evt.name:APM @asset.type:second_primary_tag |
| Sampling rates remotely configured | A user remotely configured the APM sampling rates. | @evt.name:APM @asset.type:samplerconfig |
| Name | Description of audit event | Query in audit explorer |
|---|---|---|
| Denylist | A user blocked, unblocked, or extended the blocking duration of an IP address. | @evt.name:"Application Security" @asset.type:ip_denylist |
| Event Rules | A user enabled or disabled an ASM event rule. | @evt.name:"Application Security" @asset.type:event_rules |
| One-click Activation | A user activated or de-activated ASM on a service. | @evt.name:"Application Security" @asset.type:compatible_services |
| Name | Description of audit event | Query in audit explorer |
|---|---|---|
| Download as CSV | A user exports list of Audit Events as CSV | @evt.name:Audit Trail @asset.type:audit_events_csv |
| Name | Description of audit event | Query in audit explorer |
|---|---|---|
| API key (Org settings) | An API key is accessed, listed, created, or deleted in the Organization Settings page. | @evt.name:Authentication @asset.type:api_key |
| Application key (Org settings) | An application key is accessed, listed, created, or deleted in the Organization Settings page. | @evt.name:Authentication @asset.type:application_key |
| Public API key (Org settings) | A public API key is accessed, listed, created, or deleted in the Organization Settings page. | @evt.name:Authentication @asset.type:public_api_key |
| User login | A user logs into Datadog and the authentication method used. | @evt.name:Authentication @action:login |
| Name | Description of audit event | Query in audit explorer |
|---|---|---|
| Repository Default Branch | A user modified the default branch of a repository, and the previous and new values for the default branch. | @evt.name:"CI Visibility" @asset.type:ci_app_repository |
| Name | Description of audit event | Query in audit explorer |
|---|---|---|
| CWS agent rule | A user accessed (fetched) a CWS agent rule in the Cloud Security Platform. | @evt.name:"Cloud Security Platform" @asset.type:cws_agent_rule @action:accessed |
| Notification profile | A user created, updated, or deleted a notification profile in the Cloud Security Platform. | @evt.name:"Cloud Security Platform" @asset.type:notification_profile |
| Security rule | A user updated, deleted, or created a security rule and the previous and new values for the rule. | @evt.name:"Cloud Security Platform" @asset.type:security_rule |
| Security signal | A user modified the state of a signal or assigned the signal to a user, and the previous and new values for the signal. | @evt.name:"Cloud Security Platform" @asset.type:security_signal @action:modified |
| Name | Description of audit event | Query in audit explorer |
|---|---|---|
| Dashboard created | A dashboard is created and the new JSON value for the dashboard. | @evt.name:Dashboard @asset.type:dashboard @action:created |
| Dashboard deleted | A dashboard is deleted and the previous JSON value for the dashboard. | @evt.name:Dashboard @asset.type:dashboard @action:deleted |
| Dashboard embedded (Roadie) | A Datadog dashboard is embedded into a third party and a user views the dashboard. | @evt.name:Dashboard @asset.type:embed @action:accessed |
| Dashboard modified | A dashboard is modified and the previous and new JSON values for the dashboard. | @evt.name:Dashboard @asset.type:dashboard @action:modified |
| Dashboard user(s) added | A user added user ID(s) that can access a dashboard and the list of new user IDs. | @evt.name:Dashboard @asset.type:dashboard_share_acl @action:created |
| Dashboard user(s) deleted | A user deleted user ID(s) that can access a dashboard and the list of the deleted user ID(s). | @evt.name:Dashboard @asset.type:dashboard_share_acl @action:deleted |
| Public URL accessed | A public dashboard URL is accessed. | @evt.name:Dashboard @asset.type:dashboard @action:accessed |
| Public URL generated or deleted | A public URL to view a dashboard is generated or deleted. | @evt.name:Dashboard @asset.type:dashboard_share_link |
| Name | Description of audit event | Query in audit explorer |
|---|---|---|
| Resource | Anytime a resource (channel, service, webhook, account, instance, and so on) is added, modified, or deleted from an integration, and the previous and new values for the configuration. | @evt.name:Integration @asset.type:integration |
| Name | Description of audit event | Query in audit explorer |
|---|---|---|
| Archive configuration | A user created, modified, or deleted the configuration of an archive and the previous and new values for the configuration. | @evt.name:"Log Management" @asset.type:archive |
| Custom metric | A user created, modified, or deleted a custom metric for logs and the previous and new values for the custom metric configuration. | @evt.name:"Log Management" @asset.type:"custom metric" |
| Exclusion filter configuration | A user created, modified, or deleted the configuration of an exclusion filter and the previous and new values for the configuration. | @evt.name:"Log Management" @asset.type:"exclusion filter" |
| Facet | A user created, modified, or deleted a facet in the log explorer and the previous and new values for the facet configuration. | @evt.name:"Log Management" @asset.type:facet |
| Historical view | A user created, modified, aborted, or deleted a historical view for logs and the previous and new values for the historical view configuration. | @evt.name:"Log Management" @asset.type:historical_view |
| Index configuration | A user created, modified, or deleted the configuration of an index and the previous and new values for the configuration. | @evt.name:"Log Management" @asset.type:index |
| Log pipeline | A user created, modified, or deleted a log pipeline or nested pipeline and the previous and new values for the configuration. | @evt.name:"Log Management" @asset.type:pipeline |
| Processor | A user created, modified, or deleted a processor within a pipeline and the previous and new values for the configuration. | @evt.name:"Log Management" @asset.type:pipeline_processor |
| Restriction query configuration | A user created, modified, or deleted the configuration of a restriction query in logs and the previous and new values for the configuration. | @evt.name:"Log Management" @asset.type:restriction_query |
| Standard attribute configuration | A user created, modified, or deleted the configuration of a standard attribute in logs and the previous and new values for the configuration. | @evt.name:"Log Management" @asset.type:standard_attribute |
| Download as CSV | A user exports list of logs as CSV | @evt.name:"Log Management" @asset.type:logs_csv |
| Name | Description of audit event | Query in audit explorer |
|---|---|---|
| Custom metric created | A user created a custom metric and the new value for the custom metric configuration. | @evt.name:Metrics @asset.type:metric @action:created |
| Custom metric deleted | A user deleted a custom metric and the previous value for the custom metric configuration. | @evt.name:Metrics @asset.type:metric @action:deleted |
| Custom metric modified | A user modified a custom metric and the previous and new values for the custom metric configuration. | @evt.name:Metrics @asset.type:metric @action:modified |
| Name | Description of audit event | Query in audit explorer |
|---|---|---|
| Monitor created | A monitor is created and the new JSON value for the monitor. | @evt.name:Monitor @asset.type:monitor @action:created |
| Monitor deleted | A monitor is deleted and the previous JSON value for the monitor. | @evt.name:Monitor @asset.type:monitor @action:deleted |
| Monitor modified | A monitor is modified and the previous and new JSON values for the monitor. | @evt.name:Monitor @asset.type:monitor @action:modified |
| Monitor resolved | A monitor is resolved. | @evt.name:Monitor @asset.type:monitor @action:resolved |
| Name | Description of audit event | Query in audit explorer |
|---|---|---|
| Notebook created | A notebook is created and the new JSON value for the notebook. | @evt.name:Notebook @asset.type:notebook @action:created |
| Notebook deleted | A notebook is deleted and the previous JSON value for the notebook. | @evt.name:Notebook @asset.type:notebook @action:deleted |
| Notebook modified | A notebook is modified and the previous and new JSON values for the notebook. | @evt.name:Notebook @asset.type:notebook @action:modified |
| Name | Description of audit event | Query in audit explorer |
|---|---|---|
| OAuth client | A user created, modified, or deleted an OAuth client and the previous and new values for the OAuth client. | @evt.name:OAuth @asset.type:oauth_client |
| Name | Description of audit event | Query in audit explorer |
|---|---|---|
| Audit Trail settings | A user modified Audit Trail settings and what the previous and new settings are. | @evt.name:"Organization Management" @asset.type:audit_logs_settings |
| Name | Description of audit event | Query in audit explorer |
|---|---|---|
| RUM application created | A user created or deleted an application in RUM and the type of the application (Browser, Flutter, IOS, React Native, Android). | @evt.name:"Real User Monitoring" @asset.type:real_user_monitoring_application @action:(created OR deleted) |
| RUM application modified | A user modified an application in RUM, the new value of the application, and the type of the application (Browser, Flutter, IOS, React Native, Android). | @evt.name:"Real User Monitoring" @asset.type:real_user_monitoring_application @action:modified |
| Name | Description of audit event | Query in audit explorer |
|---|---|---|
| Token leaked | Datadog has detected leaked Datadog API or Application Key that should be revoked. | @evt.name:"Security Notification" @asset.type:(api_key OR application_key) @action:notification |
| Name | Description of audit event | Query in audit explorer |
|---|---|---|
| Scanning group | A user created, modified, or deleted a scanning group in Sensitive Data Scanner and the previous and new values for the configuration. | @evt.name:"Sensitive Data Scanner" @asset.type:sensitive_data_scanner_scanning_group |
| Scanning rule | A user created, modified, or deleted a scanning rule within a scanning group in Sensitive Data Scanner and the previous and new values for the configuration. | @evt.name:"Sensitive Data Scanner" @asset.type:sensitive_data_scanner_scanning_rule |
| Name | Description of audit event | Query in audit explorer |
|---|---|---|
| SLO | A user creates, modifies, or deletes an SLO and the previous and new values for the SLO. | @evt.name:SLO @asset.type:slo |
| SLO correction | A user creates, modifies, or deletes an SLO correction and the previous and new values for the SLO correction. | @evt.name:SLO @asset.type:slo_correction |
| Name | Description of audit event | Query in audit explorer |
|---|---|---|
| Private location | A user created or deleted a private location for Synthetic tests. | @evt.name:"Synthetics Monitoring" @asset.type:synthetics_private_location |
| Synthetic test created or deleted | A user created or deleted a Synthetic test. | @evt.name:"Synthetics Monitoring" @asset.type:synthetics_test @action:(created OR deleted) |
| Synthetic test modified | A user modified a Synthetic test and the previous and new values for the configuration. | @evt.name:"Synthetics Monitoring" @asset.type:synthetics_test @action:modified |
| Synthetic variable | A user created, modified, or deleted a Synthetic variable. | @evt.name:"Synthetics Monitoring" @asset.type:synthetics_variable |
| Synthetic settings | A user modified Synthetic settings (quotas, PL access) and the previous and new setting values. | @evt.name:"Synthetics Monitoring" @asset.type:synthetics_settings @action:modified |
| Name | Description of audit event | Query in audit explorer |
|---|---|---|
| Reference Table | A user created, deleted, or modified a reference table. | @evt.name:"Reference Tables" @asset.type:reference_table @action:(created OR deleted OR modified) |
| Reference Table File | A user uploaded a file or imported a file with a cloud provider for a reference table. | @evt.name:"Reference Tables" @asset.type:reference_table_file @action:(uploaded OR imported) |
Additional helpful documentation, links, and articles:
