Audit Trail Events

Docs > Account Management > Datadog Audit Trail > Audit Trail Events

Overview

Datadog Audit Trail records more than 100 types of audit events from across the Datadog platform. These audit events are categorized into different product categories as event names.

Platform Events

Access management
Agent
API request
Authentication
Dashboard
Integration
Monitor
Notebook
OAuth
Organization management
Security Notifications
Teams management

Product-Specific Events

App Builder
Application Performance Monitoring (APM)
App and API Protection (AAP)
Audit Trail
CI Visibility
Quality Gates
Cloud Security Platform
Dynamic Instrumentation
Error Tracking
Infrastructure Monitoring
Log Management
LLM Observability
Metrics
Real User Monitoring
Security Notification events
Sensitive Data Scanner
Service Level Objectives
Sheets
Synthetic Monitoring
Reference Tables
Workflows
App Datastore
Event Management
Private Action Runners
Observability Pipelines
On-Call
Network Device Monitoring

See the Audit Trail documentation for more information on setting up and configuring Audit Trail.

Audit Events

Access management events

Name	Description of audit event	Query in audit explorer
Application key (Service account user)	A user created, modified, or deleted an application key for a service account user.	`@evt.name:"Access Management" @asset.type:application_key`
Authentication methods (Org)	A user modified the allowed authentication methods for an org and what the previous and new values are.	`@evt.name:"Access Management" @asset.type:identity_provider`
Email	An email is added, disabled, or verified on the Datadog account as a user in the account.	`@evt.name:"Access Management" @asset.type:user`
Password	A user modified their password in the org. Password update events are delivered to all orgs that user is active in, even if the org does not have password authentication configured.	`@evt.name:"Access Management" @asset.type:password @action:modified`
Role modified	A role is modified and what the previous and new permissions are.	`@evt.name:"Access Management" @asset.type:role @action:modified`
Role created or deleted	A role is created or deleted in the org.	`@evt.name:"Access Management" @asset.type:role @action:(created OR deleted)`
Role access request	A user created, responded to, or deleted an access request for a role, and the value of the access request.	`@evt.name:"Access Management" @asset.type:role_request`
User’s role	A user is added or deleted from a role in the org.	`@evt.name:"Access Management" @asset.type:role @action:modified`
Restriction policy	A restriction policy is modified for a resource.	`@evt.name:"Access Management" @asset.type:restriction_policy @action:(modified OR deleted)`
Email update (Support)	A user’s email was updated by Datadog Support.	`@evt.name:"Access Management" @evt.actor.type:SUPPORT_USER @asset.type:user @action:modified`
User invite (Support)	A user was invited to the org by Datadog Support.	`@evt.name:"Access Management" @evt.actor.type:SUPPORT_USER @asset.type:user @action:created`
User’s role (Support)	A user was added or deleted from a role in the org by Datadog Support.	`@evt.name:"Access Management" @evt.actor.type:SUPPORT_USER @asset.type:role @action:modified`
Role modified (Support)	A role was modified by Datadog Support, and what the previous and new permissions are.	`@evt.name:"Access Management" @evt.actor.type:SUPPORT_USER @asset.type:role @action:modified`
IP Allowlist Modified (Support)	A new IP was added to the org’s IP allowlist by Datadog Support.	`@evt.name:"Access Management" @evt.actor.type:SUPPORT_USER @asset.type:ip_allowlist @action:modified`

Agent

Name	Description of audit event	Query in audit explorer
Agent configuration updated	A Datadog Agent configuration was updated.	`@evt.name:"Datadog Agent" @action:modified`
Agent enabled	A new Datadog Agent was enabled.	`@evt.name:"Datadog Agent" @action:created`
Agent flare created	Datadog Agent flare is created for support tickets.	`@evt.name:"Datadog Agent" @action:created @asset.type:agent_flare`
Agent API key updated	A Datadog Agent API key was changed.	`@evt.name:"Datadog Agent" @metadata.event_name:"Agent API Key Updated"`
Agent upgrade succeeded	A Datadog Agent was successfully upgraded.	`@evt.name:"Datadog Agent" @metadata.event_name:"Agent Upgrade Succeeded"`
Agent upgrade failed	A Datadog Agent remote upgrade attempt failed.	`@evt.name:"Datadog Agent" @metadata.event_name:"Agent Upgrade Failed"`

API request events

Name	Description of audit event	Query in audit explorer
API Request	An API Request is made across the Datadog platform.	`@evt.name:Request @action:accessed`

App Builder events

Name	Description of audit event	Query in audit explorer
App	A user accessed, created, modified, deleted, reverted, or unpublished an app.	`@evt.name:"App Builder" @asset.type:app @action:(accessed OR created OR modified OR published OR deleted OR reverted OR unpublished)`
Query started	A user started a query.	`@evt.name:"App Builder" @asset.type:query @action:started`
Query executed	A user executed a query.	`@evt.name:"App Builder" @asset.type:query @action:executed`

Application Performance Monitoring (APM) events

Name	Description of audit event	Query in audit explorer
Retention filter	A user created, modified, or deleted a retention filter and the previous and/or new values for the retention filter configuration.	`@evt.name:APM @asset.type:retention_filter`
Span-based metric	A user created, modified, or deleted a span-based metric and the previous and/or new values for the metric configuration.	`@evt.name:APM @asset.type:custom_metrics`
Custom metrics	A user created, modified, or deleted a custom metric	`@evt.name:APM @action:(created OR modified OR deleted) @asset.type:custom_metrics`
Facet	A user created, modified, or deleted a facet and the previous and/or new values for the facet configuration.	`@evt.name:APM @asset.type:facet`
Primary operation name	A user created, modified, or deleted the primary operation name of a service and the previous and/or new values for the configuration.	`@evt.name:APM @asset.type:service_operation_name`
Second primary tag	A user added, modified, or deleted the second primary tag and the previous or new values for the configuration.	`@evt.name:APM @asset.type:second_primary_tag`
Sampling rates remotely configured	A user remotely configured the APM sampling rates.	`@evt.name:APM @asset.type:samplerconfig`
Saved view	A user created, modified, or deleted a saved view.	`@evt.name:APM @action:(created OR modified OR deleted) @asset.type:saved_view`

App and API Protection

Name	Description of audit event	Query in audit explorer
One-click Activation	A user activated or de-activated AAP on a service.	`@evt.name:"Application Security" @asset.type:compatible_services`
Protection	A user enabled or disabled the AAP protection.	`@evt.name:"Application Security" @asset.type:blocking_configuration`
Denylist	A user blocked, unblocked, or extended the blocking duration of an IP address or a user ID.	`@evt.name:"Application Security" @asset.type:ip_user_denylist`
Passlist	A user added, modified, or deleted an entry to the passlist.	`@evt.name:"Application Security" @asset.type:passlist_entry`
In-App WAF Policy	A user created, modified, or deleted an In-App WAF policy.	`@evt.name:"Application Security" @asset.type:policy_entry`
In-App WAF Custom Rule	A user validated, created, modified, or deleted an In-App WAF custom rule.	`@evt.name:"Application Security" @asset.type:waf_custom_rule`

Audit Trail events

Name	Description of audit event	Query in audit explorer
Audit Trail settings	A user modified Audit Trail settings and what the previous and new settings are.	`@evt.name:"Organization Management" @asset.type:audit_logs_settings`
Download as CSV	A user exports list of Audit Events as CSV	`@evt.name:Audit Trail @asset.type:audit_events_csv`

Authentication events

Name	Description of audit event	Query in audit explorer
API key (Org settings)	An API key is accessed, listed, created, or deleted in the Organization Settings page.	`@evt.name:Authentication @asset.type:api_key`
Application key (Org settings)	An application key is accessed, listed, created, or deleted in the Organization Settings page.	`@evt.name:Authentication @asset.type:application_key`
Public API key (Org settings)	A public API key is accessed, listed, created, or deleted in the Organization Settings page.	`@evt.name:Authentication @asset.type:public_api_key`
User login	A user logs into Datadog and the authentication method used.	`@evt.name:Authentication @action:login`

CI Visibility events

Name	Description of audit event	Query in audit explorer
Exclusion filters	The exclusion filters have been modified.	`@evt.name:"CI Visibility" @asset.type:ci_app_exclusion_filters @action:modified`
Repository default branch	A user modified the default branch of a repository.	`@evt.name:"CI Visibility" @asset.type:ci_app_repository @action:modified`
GitHub account settings	A user has modified the GitHub account settings.	`@evt.name:"CI Visibility" @asset.type:github_opt_ins (@action:modified OR @action:deleted)`

Quality Gates events

Name	Description of audit event	Query in audit explorer
Quality gates rule	A user has created, modified, or deleted a quality gate rule.	`@evt.name:"Quality Gates" @asset.type:ci_app_quality_gates (@action:created OR @action:modified OR @action:deleted)`

Cloud Security Platform events

Name	Description of audit event	Query in audit explorer
CWS agent rule	A user accessed (fetched) a CWS agent rule in the Cloud Security Platform.	`@evt.name:"Cloud Security Platform" @asset.type:cws_agent_rule @action:accessed`
Notification profile	A user created, updated, or deleted a notification profile in the Cloud Security Platform.	`@evt.name:"Cloud Security Platform" @asset.type:notification_profile`
Security rule	A user validated, updated, deleted, or created a security rule and the previous and new values for the rule.	`@evt.name:"Cloud Security Platform" @asset.type:security_rule`
Security signal	A user modified the state of a signal or assigned the signal to a user, and the previous and new values for the signal.	`@evt.name:"Cloud Security Platform" @asset.type:security_signal @action:modified`
Report subscription	A user subscribed or unsubscribed from a K9 email report.	`@evt.name:"Cloud Security Platform" @asset.type:report_subscription`

Dashboard events

Name	Description of audit event	Query in audit explorer
Dashboard created	A dashboard is created and the new JSON value for the dashboard.	`@evt.name:Dashboard @asset.type:dashboard @action:created`
Dashboard embedded (Roadie)	A Datadog dashboard is embedded into a third party (Roadie) and a user views the dashboard.	`@evt.name:Dashboard @asset.type:embed @action:accessed`
Dashboard modified	A dashboard is modified. Also provides the previous and new JSON values for the dashboard.	`@evt.name:Dashboard @asset.type:dashboard @action:modified`
Dashboard deleted	A dashboard is deleted. Also provides the previous JSON value for the dashboard.	`@evt.name:Dashboard @asset.type:dashboard @action:deleted`
Dashboard user(s) added	A user added user ID(s) that can access a dashboard and the list of new user IDs.	`@evt.name:Dashboard @asset.type:dashboard_share_acl @action:created`
Dashboard user(s) deleted	A user deleted user ID(s) that can access a dashboard and the list of the deleted user ID(s).	`@evt.name:Dashboard @asset.type:dashboard_share_acl @action:deleted`
Public URL accessed	A public dashboard URL is accessed.	`@evt.name:Dashboard @asset.type:dashboard @action:accessed`
Public URL generated or deleted	A public URL to view a dashboard is generated or deleted.	`@evt.name:Dashboard @asset.type:dashboard_share_link`

Dynamic Instrumentation events

Name	Description of audit event	Query in audit explorer
Logs Probe	A user has successfully created, modified or deleted a logs probe with Dynamic Instrumentation.	`@evt.name:"Dynamic Instrumentation" @action:(created OR modified OR deleted) @asset.type:log_probe`
Metrics Probe	A user has successfully created, modified or deleted a metrics probe with Dynamic Instrumentation.	`@evt.name:"Dynamic Instrumentation" @action:(created OR modified OR deleted) @asset.type:span_probe`
Spans Probe	A user has successfully created, modified or deleted a spans probe with Dynamic Instrumentation.	`@evt.name:"Dynamic Instrumentation" @action:(created OR modified OR deleted) @asset.type:metric_probe`

Error Tracking events

Name	Description of audit event	Query in audit explorer
Create or Modify inclusion filter	A user has added or modified an inclusion filter.	`@evt.name:"Error Tracking" @asset.type:error_tracking_inclusion_filter`
Error Tracking for Logs activation	A user has enabled or disabled Error Tracking for the Logs product.	`@evt.name:"Error Tracking" @action:(created OR deleted) @asset.type:error_tracking_logs`

Integration events

Name	Description of audit event	Query in audit explorer
Resource	Anytime a resource (channel, service, webhook, account, instance, and so on) is added, modified, or deleted from an integration, and the previous and new values for the configuration.	`@evt.name:Integration @asset.type:integration`

Log Management events

Name	Description of audit event	Query in audit explorer
Archive configuration	A user created, modified, or deleted the configuration of an archive and the previous and new values for the configuration.	`@evt.name:"Log Management" @asset.type:archive`
Archiving order modified	A user modified the order of archives.	`@evt.name:"Log Management" @action:modified @asset.type:archive_list`
Custom metric	A user created, modified, or deleted a custom metric for logs and the previous and new values for the custom metric configuration.	`@evt.name:"Log Management" @asset.type:"custom metric"`
Exclusion filter configuration	A user created, modified, or deleted the configuration of an exclusion filter and the previous and new values for the configuration.	`@evt.name:"Log Management" @asset.type:"exclusion filter"`
Index configuration	A user created, modified, or deleted the configuration of an index and the previous and new values for the configuration.	`@evt.name:"Log Management" @asset.type:index`
Index order modified	A user modified the order of indexes.	`@evt.name:"Log Management" @action:modified @asset.type:index_list`
Log pipeline	A user created, modified, or deleted a log pipeline or nested pipeline and the previous and new values for the configuration.	`@evt.name:"Log Management" @asset.type:pipeline`
Processor	A user created, modified, or deleted a processor within a pipeline and the previous and new values for the configuration.	`@evt.name:"Log Management" @asset.type:pipeline_processor`
Facet	A user created, modified, or deleted a facet in the Log Explorer and the previous and new values for the facet configuration.	`@evt.name:"Log Management" @asset.type:facet`
Standard attribute configuration	A user created, modified, or deleted the configuration of a standard attribute in logs and the previous and new values for the configuration.	`@evt.name:"Log Management" @asset.type:standard_attribute`
Query (Public Beta)	A user ran a Log Management List query either in Log Explorer, Dashboards or through the Public API.	`@evt.name:"Log Management" @asset.type:logs_query`
Restriction query configuration	A user created, modified, or deleted the configuration of a restriction query in logs and the previous and new values for the configuration.	`@evt.name:"Log Management" @asset.type:restriction_query`
Download as CSV	A user exports list of logs as CSV	`@evt.name:"Log Management" @asset.type:logs_csv`
Historical view	A user created, modified, aborted, or deleted a historical view for logs and the previous and new values for the historical view configuration.	`@evt.name:"Log Management" @asset.type:historical_view`
Saved view	A user created, modified, or deleted a saved view.	`@evt.name:"Log Management" @action:(created OR modified OR deleted) @asset.type:saved_view`
Log forwarding	A user created, modified, or deleted a custom destination.	`@evt.name:"Log Management" @action:(created OR modified OR deleted) @asset.type:log_forwarding`

LLM Observability

Name	Description of audit event	Query in audit explorer
Evaluation Metrics	A user has enabled, disabled, or modified the configuration (for example, set sample rate) of an out-of-the-box evaluation metric for an application.	`@evt.name:"LLM Observability" @action:(enabled OR modified OR disabled) @asset.type:evaluations`

Metrics events

Name	Description of audit event	Query in audit explorer
Custom metric created	A user created a custom metric and the new value for the custom metric configuration.	`@evt.name:Metrics @asset.type:metric @action:created`
Custom metric modified	A user modified a custom metric and the previous and new values for the custom metric configuration.	`@evt.name:Metrics @asset.type:metric @action:modified`
Custom metric deleted	A user deleted a custom metric. Also provides the previous value for the custom metric configuration.	`@evt.name:Metrics @asset.type:metric @action:deleted`

Monitor events

Name	Description of audit event	Query in audit explorer
Monitor created	A monitor is created and the new JSON value for the monitor.	`@evt.name:Monitor @asset.type:monitor @action:created`
Monitor modified	A monitor is modified and the previous and new JSON values for the monitor.	`@evt.name:Monitor @asset.type:monitor @action:modified`
Monitor deleted	A monitor is deleted. Also provides the previous JSON value for the monitor.	`@evt.name:Monitor @asset.type:monitor @action:deleted`
Monitor resolved	A monitor is resolved.	`@evt.name:Monitor @asset.type:monitor @action:resolved`

Notebook events

Name	Description of audit event	Query in audit explorer
Notebook created	A notebook is created and the new JSON value for the notebook.	`@evt.name:Notebook @asset.type:notebook @action:created`
Notebook modified	A notebook is modified and the previous and new JSON values for the notebook.	`@evt.name:Notebook @asset.type:notebook @action:modified`
Notebook deleted	A notebook is deleted and the previous JSON value for the notebook.	`@evt.name:Notebook @asset.type:notebook @action:deleted`

OAuth events

Name	Description of audit event	Query in audit explorer
OAuth client	A user created, modified, or deleted an OAuth client and the previous and new values for the OAuth client.	`@evt.name:OAuth @asset.type:oauth_client`

Organization management events

Name	Description of audit event	Query in audit explorer
Audit Trail settings	A user modified Audit Trail settings and what the previous and new settings are.	`@evt.name:"Organization Management" @asset.type:audit_logs_settings`
Child org created	A user created a new child organization for an existing Datadog organization.	`@evt.name:"Organization Management" @asset.type:organization @action:created`

Real User Monitoring events

Name	Description of audit event	Query in audit explorer
RUM application created	A user created or deleted an application in RUM and the type of the application (Browser, Flutter, iOS, React Native, Android).	`@evt.name:"Real User Monitoring" @asset.type:real_user_monitoring_application @action:(created OR deleted)`
RUM application modified	A user modified an application in RUM, the new value of the application, and the type of the application (Browser, Flutter, iOS, React Native, Android).	`@evt.name:"Real User Monitoring" @asset.type:real_user_monitoring_application @action:modified`
Session replay viewed	A user viewed a session replay.	`@evt.name:"Real User Monitoring" @asset.type:session_replay @action:accessed`

Security Notification events

Name	Description of audit event	Query in audit explorer
Login method override	Datadog has detected a user login method override that is different from the default login methods set for the organization.	`@evt.name:"Security Notification" @asset.type:user @action:notification`
Token leaked	Datadog has detected a leaked Datadog API or Application Key that should be revoked.	`@evt.name:"Security Notification" @asset.type:(api_key OR application_key) @action:notification`
Unusual login	Datadog has detected a unusual login event.	`@evt.name:"Security Notification" @asset.type:unusual_login @action:notification`
User invited with throwaway email	Datadog has detected that a user with an email from a free or disposable email provider was invited to the organization.	`@evt.name:"Security Notification" @asset.type:user_invite @action:notification`

Sensitive Data Scanner events

Name	Description of audit event	Query in audit explorer
Scanning group	A user created, modified, or deleted a scanning group in Sensitive Data Scanner and the previous and new values for the configuration.	`@evt.name:"Sensitive Data Scanner" @asset.type:sensitive_data_scanner_scanning_group`
Scanning group order modified	A user modified the order of scanning groups.	`@evt.name:"Sensitive Data Scanner" @asset.type:sensitive_data_scanner_scanning_group_list`
Scanning rule	A user created, modified, or deleted a scanning rule within a scanning group in Sensitive Data Scanner and the previous and new values for the configuration.	`@evt.name:"Sensitive Data Scanner" @asset.type:sensitive_data_scanner_scanning_rule`

Service Level Objectives (SLO) events

Name	Description of audit event	Query in audit explorer
SLO	A user creates, modifies, or deletes an SLO and the previous and new values for the SLO.	`@evt.name:SLO @asset.type:slo`
SLO correction	A user creates, modifies, or deletes an SLO correction and the previous and new values for the SLO correction.	`@evt.name:SLO @asset.type:slo_correction`

Sheets events

Name	Description of audit event	Query in audit explorer
Spreadsheet	A user creates, modifies, deletes, or accesses a spreadsheet.	`@evt.name:Sheets @asset.type:spreadsheet @action:(created OR modified OR deleted OR accessed)`
Table	A user creates, modifies, or deletes a table within a spreadsheet.	`@evt.name:Sheets @asset.type:table @action:(created OR modified OR deleted)`
Pivot	A user creates, modifies, or deletes a pivot within a spreadsheet.	`@evt.name:Sheets @asset.type:pivot @action:(created OR modified OR deleted)`

Synthetic Monitoring events

Name	Description of audit event	Query in audit explorer
Private location	A user created or deleted a private location for Synthetic tests.	`@evt.name:"Synthetics Monitoring" @asset.type:synthetics_private_location`
Synthetic settings	A user modified Synthetic settings (quotas, PL access) and the previous and new setting values.	`@evt.name:"Synthetics Monitoring" @asset.type:synthetics_settings @action:modified`
Synthetic test created or deleted	A user created or deleted a Synthetic test.	`@evt.name:"Synthetics Monitoring" @asset.type:synthetics_test @action:(created OR deleted)`
Synthetic test modified	A user modified a Synthetic test and the previous and new values for the configuration.	`@evt.name:"Synthetics Monitoring" @asset.type:synthetics_test @action:modified`
Synthetic variable	A user created, modified, or deleted a Synthetic variable.	`@evt.name:"Synthetics Monitoring" @asset.type:synthetics_variable`

Reference Table events

Name	Description of audit event	Query in audit explorer
Reference Table	A user created, deleted, or modified a reference table.	`@evt.name:"Reference Tables" @asset.type:reference_table @action:(created OR deleted OR modified)`
Reference Table File	A user uploaded a file or imported a file with a cloud provider for a reference table.	`@evt.name:"Reference Tables" @asset.type:reference_table_file @action:(uploaded OR imported)`

Teams Management events

Name	Description of audit event	Query in audit explorer
Teams Management	A user created, deleted, or modified a team or team association.	`@evt.name:"Teams Management" @action:(created OR deleted OR modified)`

Test Optimization events

Name	Description of audit event	Query in audit explorer
Test Optimization settings	A user modified or deleted the settings of a repository.	`@evt.name:"Test Optimization" @asset.type:test_optimization_settings (@action:modified OR @action:deleted)`

Workflow events

Name	Description of audit event	Query in audit explorer
Workflow	A user created, deleted, or modified a workflow, or a workflow executed.	`@evt.name:"Workflows" @asset.type:workflow @action:(created OR deleted OR modified OR executed)`
Workflow Schedule	A user created, deleted, or modified a schedule for a workflow.	`@evt.name:"Workflows" @asset.type:workflow_schedule @action:(created OR deleted OR modified)`
Workflow Action	A user responded to a Slack prompt during the execution of a workflow.	`@evt.name:"Workflows" @asset.type:workflow_action @action:(responded)`
Notifications	A notification configuration was created, modified, or deleted for a workflow.	`@evt.name:Workflows @action:(created OR modified OR deleted) @asset.type:workflow_notifications`
Custom Connection	A user created, deleted, or modified a connection.	`@evt.name:"Custom Connections" @asset.type:custom_connection @action:(created OR deleted OR modified)`
Step completed	A step was completed.	`@evt.name:Workflows @action:completed @asset.type:step`

App Datastore

Name	Description of audit event	Query in audit explorer
Datastore	A user created, deleted, queried, or listed datastores.	`@evt.name:"Apps Datastore" @asset.type:(datastore OR datastore_list) @action:(queried OR created OR deleted)`
Datastore item	A user created, modified, deleted, or queried datastore items.	`@evt.name:"Apps Datastore" @asset.type:(item OR item_query) @action:(created OR deleted OR modified OR queried)`

Event Management

Name	Description of audit event	Query in audit explorer
Correlation pattern	A user created a correlation pattern.	`@evt.name:"Event Management" @asset.type:event_correlation`
Custom metrics	A user created modified or deleted a custom metric.	`@evt.name:"Event Management" @asset.type:custom_metrics`

Private Action Runners

Name	Description of audit event	Query in audit explorer
Private action runner	A user successfully accessed, created, deleted, or modified a runner, or a user attached a runner to a connection.	`@evt.name:"Private Action Runners" @asset.type:private_action_runner @action:(accessed OR created OR deleted OR modified OR attached)`
Query intent	A user successfully created a query intent, or a runner successfully validated a query intent.	`@evt.name:"Private Action Runners" @asset.type:query_intent @action:(validated OR created)`
Runner enrollment token	A user successfully created a runner enrollment token, or a runner successfully completed enrollment.	`@evt.name:"Private Action Runners" @asset.type:runner_enrollment @action:(completed OR created)`

Observability Pipelines

Name	Description of audit event	Query in audit explorer
Create draft pipeline	A user created a draft pipeline.	`@evt.name:"Observability Pipelines" @asset.type:pipelines_draft @action:created`
Modify draft pipeline	A user modified a draft pipeline.	`@evt.name:"Observability Pipelines" @asset.type:pipelines_draft @action:modified`
Access Pipeline configuration	A user accessed the pipeline configuration for a specific pipeline by ID.	`@evt.name:"Observability Pipelines" @asset.type:pipelines_configuration @action:accessed`
Modify Pipeline	A user modified an existing pipeline configuration.	`@evt.name:"Observability Pipelines" @asset.type:pipelines_configuration @action:modified`
Create pipeline	A user created a pipeline.	`@evt.name:"Observability Pipelines" @asset.type:pipelines_configuration @action:created`
Delete pipeline	A user deleted a pipeline.	`@evt.name:"Observability Pipelines" @asset.type:pipelines_configuration @action:deleted`
Access pipeline configuration list	A user accessed the pipeline configuration list.	`@evt.name:"Observability Pipelines" @asset.type:pipelines_configuration_list @action:accessed`
Access pipeline	A user accessed a pipeline.	`@evt.name:"Observability Pipelines" @asset.type:obs_pipelines @action:accessed`
Access worker version list	A user accessed the worker versions list.	`@evt.name:"Observability Pipelines" @asset.type:pipeline @action:accessed @asset.name:"worker versions list"`
Access configuration count	A user accessed the configuration count for a pipeline.	`@evt.name:"Observability Pipelines" @asset.type:pipeline @action:accessed @asset.name:"configuration count"`
Access pipeline list	A user accessed the pipeline list.	`evt.name:"Observability Pipelines" @asset.type:pipeline @action:accessed @asset.name:"pipeline list"`
Access pipeline by ID	A user accessed a specific pipeline by ID.	`@evt.name:"Observability Pipelines" @asset.type:pipeline @action:accessed @asset.name:"pipeline"`
Validate worker configuration component	A user successfully validated the worker configuration component.	`@evt.name:"Observability Pipelines" @asset.type:pipeline @action:accessed @asset.name:"worker configuration component"`
Access version hash list	A user accessed the version hash list for a pipeline.	`@evt.name:"Observability Pipelines" @asset.type:pipeline @action:accessed @asset.name:"version hash list"`
Access worker component list	A user accessed the worker component list for a pipeline.	`@evt.name:"Observability Pipelines" @asset.type:pipeline @action:accessed @asset.name:"worker component list"`
Access deployment list	A user accessed the deployment list for a pipeline.	`@evt.name:"Observability Pipelines" @asset.type:deployment`
Access pipeline draft	A user accessed a draft pipeline.	`@evt.name:"Observability Pipelines" @asset.type:draft`

On-Call

Name	Description of audit event	Query in audit explorer
Create a schedule	A user created a schedule.	`@evt.name:"On-Call" @asset.type:schedule @action:created`
Modify a schedule	A user modified a schedule.	`@evt.name:"On-Call" @asset.type:schedule @action:modified`
Delete a schedule	A user deleted a schedule.	`@evt.name:"On-Call" @asset.type:schedule @action:deleted`
Create an escalation policy	A user created an escalation policy.	`@evt.name:"On-Call" @asset.type:escalation_policy @action:created`
Modify an escalation policy	A user modified an escalation policy.	`@evt.name:"On-Call" @asset.type:escalation_policy @action:modified`
Delete an escalation policy	A user deleted an escalation policy.	`@evt.name:"On-Call" @asset.type:escalation_policy @action:deleted`
Create team rules	A user created team rules.	`@evt.name:"On-Call" @asset.type:team_rules @action:created`
Modify team rules	A user modified team rules.	`@evt.name:"On-Call" @asset.type:team_rules @action:modified`
Create a schedule override	A user created a schedule override.	`@evt.name:"On-Call" @asset.type:override @action:created`
Modify a schedule override	A user modified a schedule override.	`@evt.name:"On-Call" @asset.type:override @action:modified`
Delete a schedule override	A user deleted a schedule override.	`@evt.name:"On-Call" @asset.type:override @action:deleted`

Infrastructure Monitoring

Name	Description of audit event	Query in audit explorer
Enable Container Image Trends	A user enabled Container Image Trends.	`@evt.name:"Infrastructure Monitoring" @asset.type:configure_container_image_trends @action:enabled`
Disable Container Image Trends	A user disabled Container Image Trends.	`@evt.name:"Infrastructure Monitoring" @asset.type:configure_container_image_trends @action:disabled`

Network Device Monitoring

Name	Description of audit event	Query in audit explorer
Modify NetFlow port mappings	A user modified NetFlow port mappings.	`@evt.name:"Network Device Monitoring" @asset.type:netflow_port_mappings @action:modified`
Delete NetFlow port mappings	A user deleted NetFlow port mappings.	`@evt.name:"Network Device Monitoring" @asset.type:netflow_port_mappings @action:deleted`
Access network device profiles	A user accessed network device profiles.	`@evt.name:"Network Device Monitoring" @asset.type:network_device @action:accessed`
Access network device details	A user accessed network device details.	`@evt.name:"Network Device Monitoring" @asset.type:network_device @action:accessed`
Access network interfaces	A user accessed network interfaces.	`@evt.name:"Network Device Monitoring" @asset.type:network_device @action:accessed`
Access network devices list	A user accessed the network devices list.	`@evt.name:"Network Device Monitoring" @asset.type:network_device @action:accessed`
Access network device facets	A user accessed network device facets.	`@evt.name:"Network Device Monitoring" @asset.type:network_device @action:accessed`
Access network device groups	A user accessed network device groups.	`@evt.name:"Network Device Monitoring" @asset.type:network_device @action:accessed`
Access network device tags	A user accessed network device tags.	`@evt.name:"Network Device Monitoring" @asset.type:network_device_tags @action:accessed`
Modify network device tags	A user modified network device tags."	`@evt.name:"Network Device Monitoring" @asset.type:network_device_tags @action:modified`
Access network MIB leaves	A user accessed network MIB leaves.	`@evt.name:"Network Device Monitoring" @asset.type:network_device @action:accessed`