---
title: Audit Trail Monitor
description: >-
  Alert when a specified type of audit trail event is detected or exceeds a
  threshold.
---

# Audit Trail Monitor

## Overview{% #overview %}

Audit Trail monitors alert you when a specified type of audit event exceeds a user-defined threshold over a given period of time.

## Monitor creation{% #monitor-creation %}

To create an [Audit Trail monitor](https://app.datadoghq.com/monitors/create/audit) in Datadog, use the main navigation: *Monitors --> New Monitor --> Audit Trail*.

{% alert level="info" %}
There is a default limit of 1000 monitors per account. If you encounter this limit, consider using [multi alerts](https://docs.datadoghq.com/monitors/configuration/?tab=thresholdalert#multi-alert), or [contact Support](https://docs.datadoghq.com/help/).
{% /alert %}

### Define the search query{% #define-the-search-query %}

Define a search query for your Audit Events. Search queries follow the same [search syntax](https://docs.datadoghq.com/logs/explorer/search_syntax/) as in the Log Explorer.

For example, if you want to be alerted when a specific API key is making a certain number of requests, set `count by` to that API key ID, `@metadata.api_key.id`. You can then group by a specific user ID, `@usr.id`, or user email, `@usr.email`, to receive a notification specifying which user is making the request.

### Set alert conditions{% #set-alert-conditions %}

Set an alert threshold for the value you want to be alerted on. For example, if you want to be alerted when the number of API requests reaches 15 or above, set the alert threshold for number of API requests to `Alert threshold > 15`. Set the warning threshold to any number below 15 to receive a warning before the alert threshold is met.

You can also choose to never resolve, or to automatically resolve, an event from a triggered state. Set a value between `[Never]` (default) and `After 24 Hours`.
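The grouping and thresholds described above, modeled locally in Python as an added example (this is not Datadog's code or API, only an illustration of the evaluation logic). The event fields `timestamp`, `api_key_id` and `usr_id`, the 5-minute window, and the warning threshold of 10 are assumptions; the sample events are constructed.

```python
from collections import Counter
from datetime import datetime, timedelta

ALERT_THRESHOLD = 15           # page example: `Alert threshold > 15`
WARNING_THRESHOLD = 10         # assumed value; the page only says it sits below 15
WINDOW = timedelta(minutes=5)  # assumed evaluation window


def evaluate(events, now):
    """Return {(api_key_id, usr_id): (count, state)} for events inside the window."""
    # Count per API key, split per user, so each result names the user responsible.
    counts = Counter(
        (e["api_key_id"], e["usr_id"])
        for e in events
        if now - WINDOW < e["timestamp"] <= now
    )
    results = {}
    for group, count in counts.items():
        if count > ALERT_THRESHOLD:
            state = "ALERT"
        elif count > WARNING_THRESHOLD:
            state = "WARN"
        else:
            state = "OK"
        results[group] = (count, state)
    return results


def build_sample(now):
    """Constructed audit events: three users sharing two API keys."""
    def burst(key, user, n, age_minutes=1):
        ts = now - timedelta(minutes=age_minutes)
        return [{"timestamp": ts, "api_key_id": key, "usr_id": user} for _ in range(n)]
    return (
        burst("key-aaa", "alice", 16)        # above the alert threshold
        + burst("key-aaa", "bob", 12)        # inside the warning band only
        + burst("key-bbb", "carol", 3)       # quiet
        + burst("key-aaa", "alice", 40, 30)  # older than the window, ignored
    )


if __name__ == "__main__":
    now = datetime(2024, 1, 1, 12, 0, 0)
    for (key, user), (count, state) in sorted(evaluate(build_sample(now), now).items()):
        print(f"{state:5} api_key={key} usr={user} count={count}")
```

Because the comparison is a strict `>`, a group with exactly 15 events in the window stays in the warning state in this model.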

### Say what's happening{% #say-whats-happening %}

Create a notification name. For example, `API requests threshold met for {{[@usr.id].name}}`. You can use [variables](https://docs.datadoghq.com/monitors/notify/variables/) to automatically populate a username, email, etc. in the title to quickly gain insight into which account or user is triggering an alert.

Create a monitor message. This can include the steps required for team members to resolve an incident if one is occurring.

You can then select a value from `[Never]` to `Every 24 Hours` to renotify you if the monitor has not been resolved. You can also set tags and priority to better correlate data in the event of an incident.

### Configure notifications and automations{% #configure-notifications-and-automations %}

Select services and team members to notify. For example, you can alert your on-call compliance team with PagerDuty, or alert your team by Slack or email to begin assessment of the alert.

You can also use the `Do Not Notify` dropdown option to choose whether a service or team is notified when an alert is modified.

## Further Reading{% #further-reading %}

- [Learn more about Audit Trail](https://docs.datadoghq.com/account_management/audit_trail/)
- [Configure your monitor notifications](https://docs.datadoghq.com/monitors/notifications/)
- [Schedule a downtime to mute a monitor](https://docs.datadoghq.com/monitors/downtimes/)
