Cette page n'est pas encore disponible en français, sa traduction est en cours.
Si vous avez des questions ou des retours sur notre projet de traduction actuel, n'hésitez pas à nous contacter.

Overview

Datadog Audit Trail records more than 100 types of audit events from across the Datadog platform. These audit events are categorized into different product categories as event names.

Platform Events

Product-Specific Events

See the Audit Trail documentation for more information on setting up and configuring Audit Trail.

Audit Events

Access management events

NameDescription of audit eventQuery in audit explorer
Application key (Service account user)A user created, modified, or deleted an application key for a service account user.@evt.name:"Access Management" @asset.type:application_key
Authentication methods (Org)A user modified the allowed authentication methods for an org and what the previous and new values are.@evt.name:"Access Management" @asset.type:identity_provider
EmailAn email is added, disabled, or verified on the Datadog account as a user in the account.@evt.name:"Access Management" @asset.type:user
PasswordA user modified their password in the org. Password update events are delivered to all orgs that user is active in, even if the org does not have password authentication configured.@evt.name:"Access Management" @asset.type:password @action:modified
Role modifiedA role is modified and what the previous and new permissions are.@evt.name:"Access Management" @asset.type:role @action:modified
Role created or deletedA role is created or deleted in the org.@evt.name:"Access Management" @asset.type:role @action:(created OR deleted)
Role access requestA user created, responded to, or deleted an access request for a role, and the value of the access request.@evt.name:"Access Management" @asset.type:role_request
User’s roleA user is added or deleted from a role in the org.@evt.name:"Access Management" @asset.type:role @action:modified
Restriction policyA restriction policy is modified for a resource.@evt.name:"Access Management" @asset.type:restriction_policy @action:(modified OR deleted)
Email update (Support)A user’s email was updated by Datadog Support.@evt.name:"Access Management" @evt.actor.type:SUPPORT_USER @asset.type:user @action:modified
User invite (Support)A user was invited to the org by Datadog Support.@evt.name:"Access Management" @evt.actor.type:SUPPORT_USER @asset.type:user @action:created
User’s role (Support)A user was added or deleted from a role in the org by Datadog Support.@evt.name:"Access Management" @evt.actor.type:SUPPORT_USER @asset.type:role @action:modified
Role modified (Support)A role was modified by Datadog Support, and what the previous and new permissions are.@evt.name:"Access Management" @evt.actor.type:SUPPORT_USER @asset.type:role @action:modified
IP Allowlist Modified (Support)A new IP was added to the org’s IP allowlist by Datadog Support.@evt.name:"Access Management" @evt.actor.type:SUPPORT_USER @asset.type:ip_allowlist @action:modified

Agent

NameDescription of audit eventQuery in audit explorer
Agent configuration updatedA Datadog Agent configuration was updated.@evt.name:"Datadog Agent" @action:modified
Agent enabledA new Datadog Agent was enabled.@evt.name:"Datadog Agent" @action:created
Agent flare createdDatadog Agent flare is created for support tickets.@evt.name:"Datadog Agent" @action:created @asset.type:agent_flare

API request events

NameDescription of audit eventQuery in audit explorer
API RequestAn API Request is made across the Datadog platform.@evt.name:Request @action:accessed

App Builder events

NameDescription of audit eventQuery in audit explorer
AppA user accessed, created, modified, deleted, reverted, or unpublished an app.@evt.name:"App Builder" @asset.type:app @action:(accessed OR created OR modified OR published OR deleted OR reverted OR unpublished)
Query startedA user started a query.@evt.name:"App Builder" @asset.type:query @action:started
Query executedA user executed a query.@evt.name:"App Builder" @asset.type:query @action:executed

Application Performance Monitoring (APM) events

NameDescription of audit eventQuery in audit explorer
Retention filterA user created, modified, or deleted a retention filter and the previous and/or new values for the retention filter configuration.@evt.name:APM @asset.type:retention_filter
Span-based metricA user created, modified, or deleted a span-based metric and the previous and/or new values for the metric configuration.@evt.name:APM @asset.type:custom_metrics
Custom metricsA user created, modified, or deleted a custom metric@evt.name:APM @action:(created OR modified OR deleted) @asset.type:custom_metrics
FacetA user created, modified, or deleted a facet and the previous and/or new values for the facet configuration.@evt.name:APM @asset.type:facet
Primary operation nameA user created, modified, or deleted the primary operation name of a service and the previous and/or new values for the configuration.@evt.name:APM @asset.type:service_operation_name
Second primary tagA user added, modified, or deleted the second primary tag and the previous or new values for the configuration.@evt.name:APM @asset.type:second_primary_tag
Sampling rates remotely configuredA user remotely configured the APM sampling rates.@evt.name:APM @asset.type:samplerconfig
Saved viewA user created, modified, or deleted a saved view.@evt.name:APM @action:(created OR modified OR deleted) @asset.type:saved_view

Application Security Management

NameDescription of audit eventQuery in audit explorer
One-click ActivationA user activated or de-activated ASM on a service.@evt.name:"Application Security" @asset.type:compatible_services
ProtectionA user enabled or disabled the ASM protection.@evt.name:"Application Security" @asset.type:blocking_configuration
DenylistA user blocked, unblocked, or extended the blocking duration of an IP address or a user ID.@evt.name:"Application Security" @asset.type:ip_user_denylist
PasslistA user added, modified, or deleted an entry to the passlist.@evt.name:"Application Security" @asset.type:passlist_entry
In-App WAF PolicyA user created, modified, or deleted an In-App WAF policy.@evt.name:"Application Security" @asset.type:policy_entry
In-App WAF Custom RuleA user validated, created, modified, or deleted an In-App WAF custom rule.@evt.name:"Application Security" @asset.type:waf_custom_rule

Audit Trail events

NameDescription of audit eventQuery in audit explorer
Audit Trail settingsA user modified Audit Trail settings and what the previous and new settings are.@evt.name:"Organization Management" @asset.type:audit_logs_settings
Download as CSVA user exports list of Audit Events as CSV@evt.name:Audit Trail @asset.type:audit_events_csv

Authentication events

NameDescription of audit eventQuery in audit explorer
API key (Org settings)An API key is accessed, listed, created, or deleted in the Organization Settings page.@evt.name:Authentication @asset.type:api_key
Application key (Org settings)An application key is accessed, listed, created, or deleted in the Organization Settings page.@evt.name:Authentication @asset.type:application_key
Public API key (Org settings)A public API key is accessed, listed, created, or deleted in the Organization Settings page.@evt.name:Authentication @asset.type:public_api_key
User loginA user logs into Datadog and the authentication method used.@evt.name:Authentication @action:login

CI Visibility events

NameDescription of audit eventQuery in audit explorer
Exclusion filtersThe exclusion filters have been modified.@evt.name:"CI Visibility" @asset.type:ci_app_exclusion_filters @action:modified
Quality gates ruleA user has created, modified, or deleted a quality gate rule.@evt.name:"CI Visibility" @asset.type:ci_app_quality_gates (@action:created OR @action:modified OR @action:deleted)
Repository default branchA user modified the default branch of a repository.@evt.name:"CI Visibility" @asset.type:ci_app_repository @action:modified
Test service settingsA user created or modified the settings of a test service.@evt.name:"CI Visibility" @asset.type:ci_app_test_service_settings (@action:created OR @action:modified)
GitHub account settingsA user has modified the GitHub account settings.@evt.name:"CI Visibility" @asset.type:github_opt_ins (@action:modified OR @action:deleted)

Cloud Security Platform events

NameDescription of audit eventQuery in audit explorer
CWS agent ruleA user accessed (fetched) a CWS agent rule in the Cloud Security Platform.@evt.name:"Cloud Security Platform" @asset.type:cws_agent_rule @action:accessed
Notification profileA user created, updated, or deleted a notification profile in the Cloud Security Platform.@evt.name:"Cloud Security Platform" @asset.type:notification_profile
Security ruleA user validated, updated, deleted, or created a security rule and the previous and new values for the rule.@evt.name:"Cloud Security Platform" @asset.type:security_rule
Security signalA user modified the state of a signal or assigned the signal to a user, and the previous and new values for the signal.@evt.name:"Cloud Security Platform" @asset.type:security_signal @action:modified
Report subscriptionA user subscribed or unsubscribed from a K9 email report.@evt.name:"Cloud Security Platform" @asset.type:report_subscription

Dashboard events

NameDescription of audit eventQuery in audit explorer
Dashboard createdA dashboard is created and the new JSON value for the dashboard.@evt.name:Dashboard @asset.type:dashboard @action:created
Dashboard embedded (Roadie)A Datadog dashboard is embedded into a third party (Roadie) and a user views the dashboard.@evt.name:Dashboard @asset.type:embed @action:accessed
Dashboard modifiedA dashboard is modified. Also provides the previous and new JSON values for the dashboard.@evt.name:Dashboard @asset.type:dashboard @action:modified
Dashboard deletedA dashboard is deleted. Also provides the previous JSON value for the dashboard.@evt.name:Dashboard @asset.type:dashboard @action:deleted
Dashboard user(s) addedA user added user ID(s) that can access a dashboard and the list of new user IDs.@evt.name:Dashboard @asset.type:dashboard_share_acl @action:created
Dashboard user(s) deletedA user deleted user ID(s) that can access a dashboard and the list of the deleted user ID(s).@evt.name:Dashboard @asset.type:dashboard_share_acl @action:deleted
Public URL accessedA public dashboard URL is accessed.@evt.name:Dashboard @asset.type:dashboard @action:accessed
Public URL generated or deletedA public URL to view a dashboard is generated or deleted.@evt.name:Dashboard @asset.type:dashboard_share_link

Dynamic Instrumentation events

NameDescription of audit eventQuery in audit explorer
Logs ProbeA user has successfully created, modified or deleted a logs probe with Dynamic Instrumentation.@evt.name:"Dynamic Instrumentation" @action:(created OR modified OR deleted) @asset.type:log_probe
Metrics ProbeA user has successfully created, modified or deleted a metrics probe with Dynamic Instrumentation.@evt.name:"Dynamic Instrumentation" @action:(created OR modified OR deleted) @asset.type:span_probe
Spans ProbeA user has successfully created, modified or deleted a spans probe with Dynamic Instrumentation.@evt.name:"Dynamic Instrumentation" @action:(created OR modified OR deleted) @asset.type:metric_probe

Error Tracking events

NameDescription of audit eventQuery in audit explorer
Create or Modify inclusion filterA user has added or modified an inclusion filter.@evt.name:"Error Tracking" @asset.type:error_tracking_inclusion_filter
Error Tracking for Logs activationA user has enabled or disabled Error Tracking for the Logs product.@evt.name:"Error Tracking" @action:(created OR deleted) @asset.type:error_tracking_logs

Integration events

NameDescription of audit eventQuery in audit explorer
ResourceAnytime a resource (channel, service, webhook, account, instance, and so on) is added, modified, or deleted from an integration, and the previous and new values for the configuration.@evt.name:Integration @asset.type:integration

Log Management events

NameDescription of audit eventQuery in audit explorer
Archive configurationA user created, modified, or deleted the configuration of an archive and the previous and new values for the configuration.@evt.name:"Log Management" @asset.type:archive
Archiving order modifiedA user modified the order of archives.@evt.name:"Log Management" @action:modified @asset.type:archive_list
Custom metricA user created, modified, or deleted a custom metric for logs and the previous and new values for the custom metric configuration.@evt.name:"Log Management" @asset.type:"custom metric"
Exclusion filter configurationA user created, modified, or deleted the configuration of an exclusion filter and the previous and new values for the configuration.@evt.name:"Log Management" @asset.type:"exclusion filter"
Index configurationA user created, modified, or deleted the configuration of an index and the previous and new values for the configuration.@evt.name:"Log Management" @asset.type:index
Index order modifiedA user modified the order of indexes.@evt.name:"Log Management" @action:modified @asset.type:index_list
Log pipelineA user created, modified, or deleted a log pipeline or nested pipeline and the previous and new values for the configuration.@evt.name:"Log Management" @asset.type:pipeline
ProcessorA user created, modified, or deleted a processor within a pipeline and the previous and new values for the configuration.@evt.name:"Log Management" @asset.type:pipeline_processor
FacetA user created, modified, or deleted a facet in the Log Explorer and the previous and new values for the facet configuration.@evt.name:"Log Management" @asset.type:facet
Standard attribute configurationA user created, modified, or deleted the configuration of a standard attribute in logs and the previous and new values for the configuration.@evt.name:"Log Management" @asset.type:standard_attribute
Query (Public Beta)A user ran a Log Management List query either in Log Explorer, Dashboards or through the Public API.@evt.name:"Log Management" @asset.type:logs_query
Restriction query configurationA user created, modified, or deleted the configuration of a restriction query in logs and the previous and new values for the configuration.@evt.name:"Log Management" @asset.type:restriction_query
Download as CSVA user exports list of logs as CSV@evt.name:"Log Management" @asset.type:logs_csv
Historical viewA user created, modified, aborted, or deleted a historical view for logs and the previous and new values for the historical view configuration.@evt.name:"Log Management" @asset.type:historical_view
Saved viewA user created, modified, or deleted a saved view.@evt.name:"Log Management" @action:(created OR modified OR deleted) @asset.type:saved_view
Log forwardingA user created, modified, or deleted a custom destination.@evt.name:"Log Management" @action:(created OR modified OR deleted) @asset.type:log_forwarding

Metrics events

NameDescription of audit eventQuery in audit explorer
Custom metric createdA user created a custom metric and the new value for the custom metric configuration.@evt.name:Metrics @asset.type:metric @action:created
Custom metric modifiedA user modified a custom metric and the previous and new values for the custom metric configuration.@evt.name:Metrics @asset.type:metric @action:modified
Custom metric deletedA user deleted a custom metric. Also provides the previous value for the custom metric configuration.@evt.name:Metrics @asset.type:metric @action:deleted

Monitor events

NameDescription of audit eventQuery in audit explorer
Monitor createdA monitor is created and the new JSON value for the monitor.@evt.name:Monitor @asset.type:monitor @action:created
Monitor modifiedA monitor is modified and the previous and new JSON values for the monitor.@evt.name:Monitor @asset.type:monitor @action:modified
Monitor deletedA monitor is deleted. Also provides the previous JSON value for the monitor.@evt.name:Monitor @asset.type:monitor @action:deleted
Monitor resolvedA monitor is resolved.@evt.name:Monitor @asset.type:monitor @action:resolved

Notebook events

NameDescription of audit eventQuery in audit explorer
Notebook createdA notebook is created and the new JSON value for the notebook.@evt.name:Notebook @asset.type:notebook @action:created
Notebook modifiedA notebook is modified and the previous and new JSON values for the notebook.@evt.name:Notebook @asset.type:notebook @action:modified
Notebook deletedA notebook is deleted and the previous JSON value for the notebook.@evt.name:Notebook @asset.type:notebook @action:deleted

OAuth events

NameDescription of audit eventQuery in audit explorer
OAuth clientA user created, modified, or deleted an OAuth client and the previous and new values for the OAuth client.@evt.name:OAuth @asset.type:oauth_client

Organization management events

NameDescription of audit eventQuery in audit explorer
Audit Trail settingsA user modified Audit Trail settings and what the previous and new settings are.@evt.name:"Organization Management" @asset.type:audit_logs_settings
Child org createdA user created a new child organization for an existing Datadog organization.@evt.name:"Organization Management" @asset.type:organization @action:created

Real User Monitoring events

NameDescription of audit eventQuery in audit explorer
RUM application createdA user created or deleted an application in RUM and the type of the application (Browser, Flutter, iOS, React Native, Android).@evt.name:"Real User Monitoring" @asset.type:real_user_monitoring_application @action:(created OR deleted)
RUM application modifiedA user modified an application in RUM, the new value of the application, and the type of the application (Browser, Flutter, iOS, React Native, Android).@evt.name:"Real User Monitoring" @asset.type:real_user_monitoring_application @action:modified
Session replay viewedA user viewed a session replay.@evt.name:"Real User Monitoring" @asset.type:session_replay @action:accessed

Security Notification events

NameDescription of audit eventQuery in audit explorer
Login method overrideDatadog has detected a user login method override that is different from the default login methods set for the organization.@evt.name:"Security Notification" @asset.type:user @action:notification
Token leakedDatadog has detected a leaked Datadog API or Application Key that should be revoked.@evt.name:"Security Notification" @asset.type:(api_key OR application_key) @action:notification
Unusual loginDatadog has detected a unusual login event.@evt.name:"Security Notification" @asset.type:unusual_login @action:notification
User invited with throwaway emailDatadog has detected that a user with an email from a free or disposable email provider was invited to the organization.@evt.name:"Security Notification" @asset.type:user_invite @action:notification

Sensitive Data Scanner events

NameDescription of audit eventQuery in audit explorer
Scanning groupA user created, modified, or deleted a scanning group in Sensitive Data Scanner and the previous and new values for the configuration.@evt.name:"Sensitive Data Scanner" @asset.type:sensitive_data_scanner_scanning_group
Scanning group order modifiedA user modified the order of scanning groups.@evt.name:"Sensitive Data Scanner" @asset.type:sensitive_data_scanner_scanning_group_list
Scanning ruleA user created, modified, or deleted a scanning rule within a scanning group in Sensitive Data Scanner and the previous and new values for the configuration.@evt.name:"Sensitive Data Scanner" @asset.type:sensitive_data_scanner_scanning_rule

Service Level Objectives (SLO) events

NameDescription of audit eventQuery in audit explorer
SLOA user creates, modifies, or deletes an SLO and the previous and new values for the SLO.@evt.name:SLO @asset.type:slo
SLO correctionA user creates, modifies, or deletes an SLO correction and the previous and new values for the SLO correction.@evt.name:SLO @asset.type:slo_correction

Synthetic Monitoring events

NameDescription of audit eventQuery in audit explorer
Private locationA user created or deleted a private location for Synthetic tests.@evt.name:"Synthetics Monitoring" @asset.type:synthetics_private_location
Synthetic settingsA user modified Synthetic settings (quotas, PL access) and the previous and new setting values.@evt.name:"Synthetics Monitoring" @asset.type:synthetics_settings @action:modified
Synthetic test created or deletedA user created or deleted a Synthetic test.@evt.name:"Synthetics Monitoring" @asset.type:synthetics_test @action:(created OR deleted)
Synthetic test modifiedA user modified a Synthetic test and the previous and new values for the configuration.@evt.name:"Synthetics Monitoring" @asset.type:synthetics_test @action:modified
Synthetic variableA user created, modified, or deleted a Synthetic variable.@evt.name:"Synthetics Monitoring" @asset.type:synthetics_variable

Reference Table events

NameDescription of audit eventQuery in audit explorer
Reference TableA user created, deleted, or modified a reference table.@evt.name:"Reference Tables" @asset.type:reference_table @action:(created OR deleted OR modified)
Reference Table FileA user uploaded a file or imported a file with a cloud provider for a reference table.@evt.name:"Reference Tables" @asset.type:reference_table_file @action:(uploaded OR imported)

Teams Management events

NameDescription of audit eventQuery in audit explorer
Teams ManagementA user created, deleted, or modified a team or team association.@evt.name:"Teams Management" @action:(created OR deleted OR modified)

Workflow events

NameDescription of audit eventQuery in audit explorer
WorkflowA user created, deleted, or modified a workflow, or a workflow executed.@evt.name:"Workflows" @asset.type:workflow @action:(created OR deleted OR modified OR executed)
Workflow ScheduleA user created, deleted, or modified a schedule for a workflow.@evt.name:"Workflows" @asset.type:workflow_schedule @action:(created OR deleted OR modified)
Workflow ActionA user responded to a Slack prompt during the execution of a workflow.@evt.name:"Workflows" @asset.type:workflow_action @action:(responded)
NotificationsA notification configuration was created, modified, or deleted for a workflow.@evt.name:Workflows @action:(created OR modified OR deleted) @asset.type:workflow_notifications
Custom ConnectionA user created, deleted, or modified a connection.@evt.name:"Custom Connections" @asset.type:custom_connection @action:(created OR deleted OR modified)
Step completedA step was completed.@evt.name:Workflows @action:completed @asset.type:step

Further Reading

Documentation, liens et articles supplémentaires utiles: