Audit Trail Events

Docs > Account Management > Datadog Audit Trail > Audit Trail Events

Overview

Datadog Audit Trail records more than 100 types of audit events from across the Datadog platform. These audit events are categorized into different product categories as event names.

See the Audit Trail documentation for more information on setting up and configuring Audit Trail.

Audit Events

API Request

Name	Description of Audit Event	Query In Audit Explorer
API Request	An API Request is made across the Datadog platform.	`@evt.name:Request @action:accessed`

Access Management

Name	Description of Audit Event	Query In Audit Explorer
User invite (Support)	A user was invited to the org by Datadog Support.	`@evt.name:"Access Management" @evt.actor.type:SUPPORT_USER @asset.type:user @action:created`
Role modified (Support)	A role was modified by Datadog Support, and what the previous and new permissions are.	`@evt.name:"Access Management" @evt.actor.type:SUPPORT_USER @asset.type:role @action:modified`
Role created or deleted	A role is created or deleted in the org.	`@evt.name:"Access Management" @asset.type:role @action:(created OR deleted)`
Role access request	A user created, responded to, or deleted an access request for a role, and the value of the access request.	`@evt.name:"Access Management" @asset.type:role_request`
User's role	A user is added or deleted from a role in the org.	`@evt.name:"Access Management" @asset.type:role @action:modified`
Restriction policy	A restriction policy is modified for a resource.	`@evt.name:"Access Management" @asset.type:restriction_policy @action:(modified OR deleted)`
Role modified	A role is modified and what the previous and new permissions are.	`@evt.name:"Access Management" @asset.type:role @action:modified`
Email update (Support)	A user's email was updated by Datadog Support.	`@evt.name:"Access Management" @evt.actor.type:SUPPORT_USER @asset.type:user @action:modified`
User's role (Support)	A user was added or deleted from a role in the org by Datadog Support.	`@evt.name:"Access Management" @evt.actor.type:SUPPORT_USER @asset.type:role @action:modified`
Password	A user modified their password in the org. Password update events are delivered to all orgs that user is active in, even if the org does not have password authentication configured.	`@evt.name:"Access Management" @asset.type:password @action:modified`
IP Allowlist Modified (Support)	A new IP was added to the org's IP allowlist by Datadog Support.	`@evt.name:"Access Management" @evt.actor.type:SUPPORT_USER @asset.type:ip_allowlist @action:modified`
Application Key (Service Account User)	A user created, modified, or deleted an application key for a service account user.	`@evt.name:"Access Management" @asset.type:application_key`
Authentication Methods (Org)	A user modified the allowed authentication methods for an org and what the previous and new values are.	`@evt.name:"Access Management" @asset.type:identity_provider`
Email	An email is added, disabled, or verified on the Datadog account as a user in the account.	`@evt.name:"Access Management" @asset.type:user`

Actions Datastore

Name	Description of Audit Event	Query In Audit Explorer
Datastore	A user created, deleted, queried, or listed datastores.	`@evt.name:"Apps Datastore" @asset.type:(datastore OR datastore_list) @action:(queried OR created OR deleted)`
Datastore item	A user created, modified, deleted, or queried datastore items.	`@evt.name:"Apps Datastore" @asset.type:(item OR item_query) @action:(created OR deleted OR modified OR queried)`

Agent

Name	Description of Audit Event	Query In Audit Explorer
Agent flare created	Datadog Agent flare is created for support tickets.	`@evt.name:"Datadog Agent" @action:created @asset.type:agent_flare`
Agent upgrade failed	A Datadog Agent remote upgrade attempt failed.	`@evt.name:"Datadog Agent" @metadata.event_name:"Agent Upgrade Failed"`
Agent configuration updated	A Datadog Agent configuration was updated.	`@evt.name:"Datadog Agent" @action:modified`
Agent API key updated	A Datadog Agent API key was changed.	`@evt.name:"Datadog Agent" @metadata.event_name:"Agent API Key Updated"`
Agent upgrade succeeded	A Datadog Agent was successfully upgraded.	`@evt.name:"Datadog Agent" @metadata.event_name:"Agent Upgrade Succeeded"`
Agent enabled	A new Datadog Agent was enabled.	`@evt.name:"Datadog Agent" @action:created`

App Builder

Name	Description of Audit Event	Query In Audit Explorer
Query executed	A user executed a query.	`@evt.name:"App Builder" @asset.type:query @action:executed`
API Request	An API Request is made across the Datadog platform.	`@evt.name:Request @action:accessed`
Query started	A user started a query.	`@evt.name:"App Builder" @asset.type:query @action:started`
App	A user accessed, created, modified, deleted, reverted, or unpublished an app.	`@evt.name:"App Builder" @asset.type:app @action:(accessed OR created OR modified OR published OR deleted OR reverted OR unpublished)`

App and API Protection (AAP)

Name	Description of Audit Event	Query In Audit Explorer
In-App WAF Custom Rule	A user validated, created, modified, or deleted an In-App WAF custom rule.	`@evt.name:"Application Security" @asset.type:waf_custom_rule`
In-App WAF Policy	A user created, modified, or deleted an In-App WAF policy.	`@evt.name:"Application Security" @asset.type:policy_entry`
Passlist	A user added, modified, or deleted an entry to the passlist.	`@evt.name:"Application Security" @asset.type:ip_user_denylist`
Denylist	A user blocked, unblocked, or extended the blocking duration of an IP address or a user ID.	`@evt.name:"Application Security" @asset.type:ip_user_denylist`
Protection	A user enabled or disabled the AAP protection.	`@evt.name:"Application Security" @asset.type:blocking_configuration`
One-click Activation	A user activated or de-activated AAP on a service.	`@evt.name:"Application Security" @asset.type:compatible_services`

Application Performance Monitoring (APM)

Name	Description of Audit Event	Query In Audit Explorer
Retention filter	A user created, modified, or deleted a retention filter and the previous and/or new values for the retention filter configuration.	`@evt.name:APM @asset.type:retention_filter`
Primary operation name	A user created, modified, or deleted the primary operation name of a service and the previous and/or new values for the configuration.	`@evt.name:APM @asset.type:service_operation_name`
Span-based metric	A user created, modified, or deleted a span-based metric and the previous and/or new values for the metric configuration.	`@evt.name:APM @asset.type:custom_metrics`
Custom metrics	A user created, modified, or deleted a custom metric	`@evt.name:APM @action:(created OR modified OR deleted) @asset.type:custom_metrics`
Facet	A user created, modified, or deleted a facet and the previous and/or new values for the facet configuration.	`@evt.name:APM @asset.type:facet`
Second primary tag	A user added, modified, or deleted the second primary tag and the previous or new values for the configuration.	`@evt.name:APM @asset.type:second_primary_tag`
Sampling rates remotely configured	A user remotely configured the APM sampling rates.	`@evt.name:APM @asset.type:samplerconfig`
Saved view	A user created, modified, or deleted a saved view.	`@evt.name:APM @action:(created OR modified OR deleted) @asset.type:saved_view`

Audit Trail

Name	Description of Audit Event	Query In Audit Explorer
Audit Trail settings	A user modified Audit Trail settings and what the previous and new settings are.	`@evt.name:"Organization Management" @asset.type:audit_logs_settings`
Download as CSV	A user exports list of Audit Events as CSV	`@evt.name:Audit Trail @asset.type:audit_events_csv`

Authentication

Name	Description of Audit Event	Query In Audit Explorer
Public API key (Org settings)	A public API key is accessed, listed, created, or deleted in the Organization Settings page.	`@evt.name:Authentication @asset.type:public_api_key`
API key (Org settings)	An API key is accessed, listed, created, or deleted in the Organization Settings page.	`@evt.name:Authentication @asset.type:api_key`
Application key (Org settings)	An application key is accessed, listed, created, or deleted in the Organization Settings page.	`@evt.name:Authentication @asset.type:application_key`
User login	A user logs into Datadog and the authentication method used.	`@evt.name:Authentication @action:login`

Bits AI SRE

Name	Description of Audit Event	Query In Audit Explorer
Tool Call	A tool call was executed in a manual investigation.	`@evt.name:"Bits AI SRE" @asset.type:tool_call @action:created`
Manual Investigation	A user started or completed a manual investigation.	`@evt.name:"Bits AI SRE" @asset.type:investigation @action:(started OR completed)`
Automatic Investigations Monitor Toggle	A user enabled or disabled automatic investigations for a monitor.	`@evt.name:"Bits AI SRE" @asset.type:automatic_investigations_monitor_toggle @action:(enabled OR disabled)`
Monitor Rate Limit	A user modified the monitor rate limit for automatic investigations.	`@evt.name:"Bits AI SRE" @asset.type:monitor_rate_limit @action:(modified)`

CI Visibility

Name	Description of Audit Event	Query In Audit Explorer
Exclusion filters	The exclusion filters have been modified.	`@evt.name:"CI Visibility" @asset.type:ci_app_exclusion_filters @action:modified`
Repository default branch	A user modified the default branch of a repository.	`@evt.name:"CI Visibility" @asset.type:ci_app_repository @action:modified`
Test service settings	A user created or modified the settings of a test service.	`@evt.name:"CI Visibility" @asset.type:ci_app_test_service_settings (@action:created OR @action:modified)`
GitHub account settings	A user has modified the GitHub account settings.	`@evt.name:"CI Visibility" @asset.type:github_opt_ins (@action:modified OR @action:deleted)`

Cloud Security Platform

Name	Description of Audit Event	Query In Audit Explorer
CWS Agent Rule	A user accessed (fetched) a CWS agent rule in the Cloud Security Platform.	`@evt.name:"Cloud Security Platform" @asset.type:cws_agent_rule @action:accessed`
Report Subscription	A user subscribed or unsubscribed from a K9 email report.	`@evt.name:"Cloud Security Platform" @asset.type:report_subscription`
Security Signal	A user modified the state of a signal or assigned the signal to a user, and the previous and new values for the signal.	`@evt.name:"Cloud Security Platform" @asset.type:security_signal @action:modified`
Security Rule	A user validated, updated, deleted, or created a security rule and the previous and new values for the rule.	`@evt.name:"Cloud Security Platform" @asset.type:security_rule`
Notification Profile	A user created, updated, or deleted a notification profile in the Cloud Security Platform.	`@evt.name:"Cloud Security Platform" @asset.type:notification_profile`

Dashboard

Name	Description of Audit Event	Query In Audit Explorer
Dashboard modified	A dashboard is modified. Also provides the previous and new JSON values for the dashboard.	`@evt.name:Dashboard @asset.type:dashboard @action:modified`
Dashboard deleted	A dashboard is deleted. Also provides the previous JSON value for the dashboard.	`@evt.name:Dashboard @asset.type:dashboard @action:deleted`
Dashboard user(s) added	A user added user ID(s) that can access a dashboard and the list of new user IDs.	`@evt.name:Dashboard @asset.type:dashboard_share_acl @action:created`
Dashboard embedded (Roadie)	A Datadog dashboard is embedded into a third party.	`@evt.name:Dashboard @asset.type:embed @action:accessed`
Dashboard created	A dashboard is created and the new JSON value for the dashboard.	`@evt.name:Dashboard @asset.type:dashboard @action:created`
Public URL generated or deleted	A public URL to view a dashboard is generated or deleted.	`@evt.name:Dashboard @asset.type:dashboard_share_link`
Dashboard user(s) deleted	A user deleted user ID(s) that can access a dashboard and the list of the deleted user ID(s).	`@evt.name:Dashboard @asset.type:dashboard_share_acl @action:deleted`
Public URL accessed	A public dashboard URL is accessed.	`@evt.name:Dashboard @asset.type:dashboard @action:accessed`

Dynamic Instrumentation

Name	Description of Audit Event	Query In Audit Explorer
Logs Probe	A user has successfully created, modified or deleted a logs probe with Dynamic Instrumentation.	`@evt.name:"Dynamic Instrumentation" @action:(created OR modified OR deleted) @asset.type:log_probe`
Metrics Probe	A user has successfully created, modified or deleted a metrics probe with Dynamic Instrumentation.	`@evt.name:"Dynamic Instrumentation" @action:(created OR modified OR deleted) @asset.type:span_probe`
Spans Probe	A user has successfully created, modified or deleted a spans probe with Dynamic Instrumentation.	`@evt.name:"Dynamic Instrumentation" @action:(created OR modified OR deleted) @asset.type:metric_probe`

Error Tracking

Name	Description of Audit Event	Query In Audit Explorer
Create or modify inclusion filter	A user has added or modified an inclusion filter.	`@evt.name:"Error Tracking" @asset.type:error_tracking_inclusion_filter`
Error Tracking for Logs activation	A user has enabled or disabled Error Tracking for the Logs product.	`@evt.name:"Error Tracking" @action:(created OR deleted) @asset.type:error_tracking_logs`

Event Management

Name	Description of Audit Event	Query In Audit Explorer
Custom metrics	A user created, modified, or deleted a custom metric	`@evt.name:"Event Management" @asset.type:custom_metrics`
Correlation pattern	A user created a correlation pattern.	`@evt.name:"Event Management" @asset.type:event_correlation`

Infrastructure Monitoring

Name	Description of Audit Event	Query In Audit Explorer
Disable Container Image Trends	A user disabled Container Image Trends.	`@evt.name:"Infrastructure Monitoring" @asset.type:configure_container_image_trends @action:disabled`
Enable Container Image Trends	A user enabled Container Image Trends.	`@evt.name:"Infrastructure Monitoring" @asset.type:configure_container_image_trends @action:enabled`

Integration

Name	Description of Audit Event	Query In Audit Explorer
Resource	Anytime a resource (channel, service, webhook, account, instance, and so on) is added, modified, or deleted from an integration, and the previous and new values for the configuration.	`@evt.name:Integration @asset.type:integration`

LLM Observability

Name	Description of Audit Event	Query In Audit Explorer
Evaluation Metrics	A user has enabled, disabled, or modified the configuration (for example, set sample rate) of an out-of-the-box evaluation][165 metric for an application.	`@evt.name:"LLM Observability" @action:(enabled OR modified OR disabled) @asset.type:evaluations`

Log Management

Name	Description of Audit Event	Query In Audit Explorer
Standard attribute configuration	A user created, modified, or deleted the configuration of a standard attribute in logs and the previous and new values for the configuration.	`@evt.name:"Log Management" @asset.type:standard_attribute`
Log pipeline	A user created, modified, or deleted a log pipeline or nested pipeline and the previous and new values for the configuration.	`@evt.name:"Log Management" @asset.type:pipeline`
Archive configuration	A user created, modified, or deleted the configuration of an archive and the previous and new values for the configuration.	`@evt.name:"Log Management" @asset.type:archive`
Archiving order modified	A user modified the order of archives.	`@evt.name:"Log Management" @action:modified @asset.type:archive_list`
Custom metric	A user created, modified, or deleted a custom metric for logs and the previous and new values for the custom metric configuration.	`@evt.name:"Log Management" @asset.type:"custom metric"`
Exclusion filter configuration	A user created, modified, or deleted the configuration of an exclusion filter and the previous and new values for the configuration.	`@evt.name:"Log Management" @asset.type:"exclusion filter"`
Index configuration	A user created, modified, or deleted the configuration of an index and the previous and new values for the configuration.	`@evt.name:"Log Management" @asset.type:index`
Index order modified	A user modified the order of indexes.	`@evt.name:"Log Management" @action:modified @asset.type:index_list`
Log forwarding	A user created, modified, or deleted a custom destination.	`@evt.name:"Log Management" @action:(created OR modified OR deleted) @asset.type:log_forwarding`
Saved view	A user created, modified, or deleted a saved view in the Log Explorer.	`@evt.name:"Log Management" @action:(created OR modified OR deleted) @asset.type:saved_view`
Historical view	A user created, modified, aborted, or deleted a historical view for logs and the previous and new values for the historical view configuration.	`@evt.name:"Log Management" @asset.type:historical_view`
Download as CSV	A user exports list of logs as CSV.	`@evt.name:"Log Management" @asset.type:logs_csv`
Restriction query configuration	A user created, modified, or deleted the configuration of a restriction query in logs and the previous and new values for the configuration.	`@evt.name:"Log Management" @asset.type:restriction_query`
Query (Public Beta)	A user ran a Log Management List query either in Log Explorer, Dashboards or through the Public API.	`@evt.name:"Log Management" @asset.type:logs_query`
Facet	A user created, modified, or deleted a facet in the Log Explorer and the previous and new values for the facet configuration.	`@evt.name:"Log Management" @asset.type:facet`
Processor	A user created, modified, or deleted a processor within a pipeline and the previous and new values for the configuration.	`@evt.name:"Log Management" @asset.type:pipeline_processor`

Metrics

Name	Description of Audit Event	Query In Audit Explorer
Custom metric created	A user created a custom metric and the new value for the custom metric configuration.	`@evt.name:Metrics @asset.type:metric @action:created`
Custom metric modified	A user modified a custom metric and the previous and new values for the custom metric configuration.	`@evt.name:Metrics @asset.type:metric @action:modified`
Custom metric deleted	A user deleted a custom metric. Also provides the previous value for the custom metric configuration.	`@evt.name:Metrics @asset.type:metric @action:deleted`

Monitor

Name	Description of Audit Event	Query In Audit Explorer
Monitor resolved	A monitor is resolved.	`@evt.name:Monitor @asset.type:monitor @action:resolved`
Monitor created	A monitor is created and the new JSON value for the monitor.	`@evt.name:Monitor @asset.type:monitor @action:created`
Monitor modified	A monitor is modified and the previous and new JSON values for the monitor.	`@evt.name:Monitor @asset.type:monitor @action:modified`
Monitor deleted	A monitor is deleted. Also provides the previous JSON value for the monitor.	`@evt.name:Monitor @asset.type:monitor @action:deleted`

Network Device Monitoring

Name	Description of Audit Event	Query In Audit Explorer
Access network devices list	A user accessed the network devices list.	`@evt.name:"Network Device Monitoring" @asset.type:network_device @action:accessed`
Access network interfaces	A user accessed network interfaces.	`@evt.name:"Network Device Monitoring" @asset.type:network_device @action:accessed`
Delete Netflow port mappings	A user deleted Netflow port mappings.	`@evt.name:"Network Device Monitoring" @asset.type:netflow_port_mappings @action:deleted`
Access network device profiles	A user accessed network device profiles.	`@evt.name:"Network Device Monitoring" @asset.type:network_device @action:accessed`
Access network device details	A user accessed network device details.	`@evt.name:"Network Device Monitoring" @asset.type:network_device @action:accessed`
Modify Netflow port mappings	A user modified Netflow port mappings.	`@evt.name:"Network Device Monitoring" @asset.type:netflow_port_mappings @action:modified`
Access network MIB leaves	A user accessed network MIB leaves.	`@evt.name:"Network Device Monitoring" @asset.type:network_device @action:accessed`
Modify network interface tags	A user modified network interface tags.	`@evt.name:"Network Device Monitoring" @asset.type:network_device_tags @action:modified`
Modify network device tags	A user modified network device tags.	`@evt.name:"Network Device Monitoring" @asset.type:network_device_tags @action:modified`
Access network interface tags	A user accessed network interface tags.	`@evt.name:"Network Device Monitoring" @asset.type:network_device_tags @action:accessed`
Access network device tags	A user accessed network device tags.	`@evt.name:"Network Device Monitoring" @asset.type:network_device_tags @action:accessed`
Access network device groups	A user accessed network device groups.	`@evt.name:"Network Device Monitoring" @asset.type:network_device @action:accessed`
Access network device facets	A user accessed network device facets.	`@evt.name:"Network Device Monitoring" @asset.type:network_device @action:accessed`

Notebook

Name	Description of Audit Event	Query In Audit Explorer
Notebook deleted	A notebook is deleted and the previous JSON value for the notebook.	`@evt.name:Notebook @asset.type:notebook @action:deleted`
Notebook modified	A notebook is modified and the previous and new JSON values for the notebook.	`@evt.name:Notebook @asset.type:notebook @action:modified`
Notebook created	A notebook is created and the new JSON value for the notebook.	`@evt.name:Notebook @asset.type:notebook @action:created`

OAuth

Name	Description of Audit Event	Query In Audit Explorer
OAuth client	A user created, modified, or deleted an OAuth client and the previous and new values for the OAuth client.	`@evt.name:OAuth @asset.type:oauth_client`

Observability Pipelines

Name	Description of Audit Event	Query In Audit Explorer
Access Pipeline	A user accessed a pipeline.	`@evt.name:"Observability Pipelines" @asset.type:obs_pipelines @action:accessed`
Create draft pipeline	A user created a draft pipeline.	`@evt.name:"Observability Pipelines" @asset.type:pipelines_draft @action:created`
Delete pipeline	A user deleted a pipeline.	`@evt.name:"Observability Pipelines" @asset.type:pipelines_configuration @action:deleted`
Access Pipeline configuration list	A user accessed the pipeline configuration list.	`@evt.name:"Observability Pipelines" @asset.type:pipelines_configuration_list @action:accessed`
Create pipeline	A user created a pipeline.	`@evt.name:"Observability Pipelines" @asset.type:pipelines_configuration @action:created`
Access worker version list	A user accessed the worker versions list.	`@evt.name:"Observability Pipelines" @asset.type:pipeline @action:accessed @asset.name:"worker versions list"`
Access configuration count	A user accessed the configuration count for a pipeline.	`@evt.name:"Observability Pipelines" @asset.type:pipeline @action:accessed @asset.name:"configuration count"`
Access pipeline list	A user accessed the pipeline list.	`@evt.name:"Observability Pipelines" @asset.type:pipeline @action:accessed @asset.name:"pipeline list"`
Access pipeline by ID	A user accessed a specific pipeline by ID.	`@evt.name:"Observability Pipelines" @asset.type:pipeline @action:accessed @asset.name:"pipeline"`
Validate worker configuration component	A user successfully validated the worker configuration component.	`@evt.name:"Observability Pipelines" @asset.type:pipeline @action:accessed @asset.name:"worker configuration component"`
Access version hash list	A user accessed the version hash list for a pipeline.	`@evt.name:"Observability Pipelines" @asset.type:pipeline @action:accessed @asset.name:"version hash list"`
Access worker component list	A user accessed the worker component list for a pipeline.	`@evt.name:"Observability Pipelines" @asset.type:pipeline @action:accessed @asset.name:"worker component list"`
Access deployment list	A user accessed the deployment list for a pipeline.	`@evt.name:"Observability Pipelines" @asset.type:deployment`
Access pipeline draft	A user accessed the pipeline draft.	`@evt.name:"Observability Pipelines" @asset.type:draft`
Modify pipeline	A user modified an existing pipeline configuration.	`@evt.name:"Observability Pipelines" @asset.type:pipelines_configuration @action:modified`
Access Pipeline configuration	A user accessed the pipeline configuration for a specific pipeline by ID.	`@evt.name:"Observability Pipelines" @asset.type:pipelines_configuration @action:accessed`
Modify draft pipeline	A user modified a draft pipeline.	`@evt.name:"Observability Pipelines" @asset.type:pipelines_draft @action:modified`

On-Call

Name	Description of Audit Event	Query In Audit Explorer
Create team rules	A user created team rules.	`@evt.name:"On-Call" @asset.type:team_rules @action:created`
Modify an escalation policy	A user modified an escalation policy.	`@evt.name:"On-Call" @asset.type:escalation_policy @action:modified`
Modify a schedule	A user modified a schedule.	`@evt.name:"On-Call" @asset.type:schedule @action:modified`
Delete a schedule	A user deleted a schedule.	`@evt.name:"On-Call" @asset.type:schedule @action:deleted`
Create an escalation policy	A user created an escalation policy.	`@evt.name:"On-Call" @asset.type:escalation_policy @action:created`
Create a schedule	A user created a schedule.	`@evt.name:"On-Call" @asset.type:schedule @action:created`
Delete an escalation policy	A user deleted an escalation policy.	`@evt.name:"On-Call" @asset.type:escalation_policy @action:deleted`
Modify team rules	A user modified team rules.	`@evt.name:"On-Call" @asset.type:team_rules @action:modified`
Delete a schedule override	A user deleted a schedule override.	`@evt.name:"On-Call" @asset.type:override @action:deleted`
Modify a schedule override	A user modified a schedule override.	`@evt.name:"On-Call" @asset.type:override @action:modified`
Create a schedule override	A user created a schedule override.	`@evt.name:"On-Call" @asset.type:override @action:created`

Organization Management

Name	Description of Audit Event	Query In Audit Explorer
Child org created	A user created a new child organization for an existing Datadog organization.	`@evt.name:"Organization Management" @asset.type:organization @action:created`
Audit Trail settings	A user modified Audit Trail settings and what the previous and new settings are.	`@evt.name:"Organization Management" @asset.type:audit_logs_settings`

Private Action Runners

Name	Description of Audit Event	Query In Audit Explorer
Runner enrollment token	A user successfully created a runner enrollment token, or a runner successfully completed enrollment.	`@evt.name:"Private Action Runners" @asset.type:runner_enrollment @action:(completed OR created)`
Private action runner	A user successfully accessed, created, deleted, or modified a runner, or a user attached a runner to a connection.	`@evt.name:"Private Action Runners" @asset.type:private_action_runner @action:(accessed OR created OR deleted OR modified OR attached)`
Query intent	A user successfully created a query intent, or a runner successfully validated a query intent.	`@evt.name:"Private Action Runners" @asset.type:query_intent @action:(validated OR created)`

Quality Gates

Name	Description of Audit Event	Query In Audit Explorer
Quality gates rule	A user has created, modified, or deleted a quality gate rule.	`@evt.name:"CI Visibility" @asset.type:ci_app_quality_gates (@action:created OR @action:modified OR @action:deleted)`

Real User Monitoring

Name	Description of Audit Event	Query In Audit Explorer
RUM application created	A user created or deleted an application in RUM and the type of the application (Browser, Flutter, iOS, React Native, Android).	`@evt.name:"Real User Monitoring" @asset.type:real_user_monitoring_application @action:(created OR deleted)`
Session replay viewed	A user viewed a session replay.	`@evt.name:"Real User Monitoring" @asset.type:session_replay @action:accessed`
RUM application modified	A user modified an application in RUM, the new value of the application, and the type of the application (Browser, Flutter, iOS, React Native, Android).	`@evt.name:"Real User Monitoring" @asset.type:real_user_monitoring_application @action:modified`

Reference Tables

Name	Description of Audit Event	Query In Audit Explorer
Reference Table File	A user uploaded a file or imported a file with a cloud provider for a reference table.	`@evt.name:"Reference Tables" @asset.type:reference_table_file @action:(uploaded OR imported)`
Reference Table	A user created, deleted, or modified a reference table.	`@evt.name:"Reference Tables" @asset.type:reference_table @action:(created OR deleted OR modified)`

Security Notification

Name	Description of Audit Event	Query In Audit Explorer
User invited with throwaway email	Datadog has detected that a user with an email from a free or disposable email provider was invited to the organization.	`@evt.name:"Security Notification" @asset.type:user_invite @action:notification`
Unusual login	Datadog has detected a unusual login event.	`@evt.name:"Security Notification" @asset.type:unusual_login @action:notification`
Token leaked	Datadog has detected a leaked Datadog API or Application Key that should be revoked.	`@evt.name:"Security Notification" @asset.type:(api_key OR application_key) @action:notification`
Automatic password reset	Datadog has automatically reset a user password because it was found in a known credentials leak.	`@evt.name:"Security Notification" @asset.type:password @action:notification @metadata.automatic_password_reset_reason:*`
Login method override	Datadog has detected a user login method override that is different from the default login methods set for the organization.	`@evt.name:"Security Notification" @asset.type:user @action:notification`

Sensitive Data Scanner

Name	Description of Audit Event	Query In Audit Explorer
Scanning group order modified	A user modified the order of scanning groups.	`@evt.name:"Sensitive Data Scanner" @asset.type:sensitive_data_scanner_scanning_group_list`
Scanning group	A user created, modified, or deleted a scanning group in Sensitive Data Scanner and the previous and new values for the configuration.	`@evt.name:"Sensitive Data Scanner" @asset.type:sensitive_data_scanner_scanning_group`
Scanning rule	A user created, modified, or deleted a scanning rule within a scanning group in Sensitive Data Scanner and the previous and new values for the configuration.	`@evt.name:"Sensitive Data Scanner" @asset.type:sensitive_data_scanner_scanning_rule`

Service Level Objectives

Name	Description of Audit Event	Query In Audit Explorer
SLO correction	A user creates, modifies, or deletes an SLO correction and the previous and new values for the SLO correction.	`@evt.name:SLO @asset.type:slo_correction`
SLO	A user creates, modifies, or deletes an SLO and the previous and new values for the SLO.	`@evt.name:SLO @asset.type:slo`

Sheets

Name	Description of Audit Event	Query In Audit Explorer
Spreadsheet	A user creates, modifies, deletes, or accesses a spreadsheet.	`@evt.name:Sheets @asset.type:spreadsheet @action:(created OR modified OR deleted OR accessed)`
Pivot	A user creates, modifies, or deletes a pivot within a spreadsheet.	`@evt.name:Sheets @asset.type:pivot @action:(created OR modified OR deleted)`
Table	A user creates, modifies, or deletes a table within a spreadsheet.	`@evt.name:Sheets @asset.type:table @action:(created OR modified OR deleted)`

Synthetic Monitoring

Name	Description of Audit Event	Query In Audit Explorer
Synthetic test created or deleted	A user created or deleted a Synthetic test.	`@evt.name:"Synthetics Monitoring" @asset.type:synthetics_test @action:(created OR deleted)`
Private location	A user created or deleted a private location for Synthetic tests.	`@evt.name:"Synthetics Monitoring" @asset.type:synthetics_private_location`
Synthetic variable	A user created, modified, or deleted a Synthetic variable.	`@evt.name:"Synthetics Monitoring" @asset.type:synthetics_variable`
Synthetic settings	A user modified Synthetic settings (quotas, PL access) and the previous and new setting values.	`@evt.name:"Synthetics Monitoring" @asset.type:synthetics_settings @action:modified`
Synthetic test modified	A user modified a Synthetic test and the previous and new values for the configuration.	`@evt.name:"Synthetics Monitoring" @asset.type:synthetics_test @action:modified`

Teams Management

Name	Description of Audit Event	Query In Audit Explorer
Teams Management	A user created, deleted, or modified a team or team association.	`@evt.name:"Teams Management" @action:(created OR deleted OR modified)`

Test Optimization

Name	Description of Audit Event	Query In Audit Explorer
Test Optimization settings	A user modified or deleted the settings of a repository or a service.	`@evt.name:"Test Optimization" @asset.type:test_optimization_settings (@action:modified OR @action:deleted)`
Test optimization default settings	A user modified or deleted the default settings.	`@evt.name:"Test Optimization" @asset.type:test_optimization_default_settings (@action:modified OR @action:deleted)`
Flaky test status	A user modified the status of a flaky test.	`@evt.name:"Test Optimization" @asset.type:"test_optimization_management" @action:modified`

Workflows

Name	Description of Audit Event	Query In Audit Explorer
Workflow	A user created, deleted, or modified a workflow, or a workflow executed.	`@evt.name:"Workflows" @asset.type:workflow @action:(created OR deleted OR modified OR executed)`
Step completed	A step was completed.	`@evt.name:Workflows @action:completed @asset.type:step`
Custom Connection	A user created, deleted, or modified a connection.	`@evt.name:"Custom Connections" @asset.type:custom_connection @action:(created OR deleted OR modified)`
Notifications	A notification configuration was created, modified, or deleted for a workflow.	`@evt.name:Workflows @action:(created OR modified OR deleted) @asset.type:workflow_notifications`
Workflow Action	A user responded to a Slack prompt during the execution of a workflow.	`@evt.name:"Workflows" @asset.type:workflow_action @action:(responded)`
Workflow Schedule	A user created, deleted, or modified a schedule for a workflow.	`@evt.name:"Workflows" @asset.type:workflow_schedule @action:(created OR deleted OR modified)`