Audit Datadog Security Events
Available for:
Cloud SIEM
|
Cloud Security Management
|
Application Security Management
As an administrator or security team member, you can use Audit Trail to see what actions your team is taking in Datadog Security. As an individual, you can see a stream of your own actions. For security admins or InfoSec teams, audit trail events help with compliance checks and maintaining audit trails of who did what, and when, for your Datadog resources.
To view audit logs generated by actions taken in Datadog Security, navigate to the Audit Trail page in Datadog. The following product-specific events are available for Datadog Security:
| Name | Description of audit event | Query in audit explorer |
|---|
| CWS agent rule | A user accessed (fetched) a CWS agent rule in the Cloud Security Platform. | @evt.name:"Cloud Security Platform" @asset.type:cws_agent_rule @action:accessed |
| Notification profile | A user created, updated, or deleted a notification profile in the Cloud Security Platform. | @evt.name:"Cloud Security Platform" @asset.type:notification_profile |
| Security rule | A user validated, updated, deleted, or created a security rule and the previous and new values for the rule. | @evt.name:"Cloud Security Platform" @asset.type:security_rule |
| Security signal | A user modified the state of a signal or assigned the signal to a user, and the previous and new values for the signal. | @evt.name:"Cloud Security Platform" @asset.type:security_signal @action:modified |
| Report subscription | A user subscribed or unsubscribed from a K9 email report. | @evt.name:"Cloud Security Platform" @asset.type:report_subscription |
Application Security Management
| Name | Description of audit event | Query in audit explorer |
|---|
| One-click Activation | A user activated or de-activated ASM on a service. | @evt.name:"Application Security" @asset.type:compatible_services |
| Protection | A user enabled or disabled the ASM protection. | @evt.name:"Application Security" @asset.type:blocking_configuration |
| Denylist | A user blocked, unblocked, or extended the blocking duration of an IP address or a user ID. | @evt.name:"Application Security" @asset.type:ip_user_denylist |
| Passlist | A user added, modified, or deleted an entry to the passlist. | @evt.name:"Application Security" @asset.type:passlist_entry |
| In-App WAF Policy | A user created, modified, or deleted an In-App WAF policy. | @evt.name:"Application Security" @asset.type:policy_entry |
| In-App WAF Custom Rule | A user validated, created, modified, or deleted an In-App WAF custom rule. | @evt.name:"Application Security" @asset.type:waf_custom_rule |
Further Reading
Additional helpful documentation, links, and articles:
