Audit Datadog Security Events

Available for:

Cloud SIEM | Cloud Security Management | Application Security Management

As an administrator or security team member, you can use Audit Trail to see what actions your team is taking in Datadog Security. As an individual, you can see a stream of your own actions. For security admins or InfoSec teams, audit trail events help with compliance checks and maintaining audit trails of who did what, and when, for your Datadog resources.

To view audit logs generated by actions taken in Datadog Security, navigate to the Audit Trail page in Datadog. The following product-specific events are available for Datadog Security:

Cloud Security Platform

NameDescription of audit eventQuery in audit explorer
CWS agent ruleA user accessed (fetched) a CWS agent rule in the Cloud Security Platform.@evt.name:"Cloud Security Platform" @asset.type:cws_agent_rule @action:accessed
Notification profileA user created, updated, or deleted a notification profile in the Cloud Security Platform.@evt.name:"Cloud Security Platform" @asset.type:notification_profile
Security ruleA user validated, updated, deleted, or created a security rule and the previous and new values for the rule.@evt.name:"Cloud Security Platform" @asset.type:security_rule
Security signalA user modified the state of a signal or assigned the signal to a user, and the previous and new values for the signal.@evt.name:"Cloud Security Platform" @asset.type:security_signal @action:modified
Report subscriptionA user subscribed or unsubscribed from a K9 email report.@evt.name:"Cloud Security Platform" @asset.type:report_subscription

Application Security Management

NameDescription of audit eventQuery in audit explorer
One-click ActivationA user activated or de-activated ASM on a service.@evt.name:"Application Security" @asset.type:compatible_services
ProtectionA user enabled or disabled the ASM protection.@evt.name:"Application Security" @asset.type:blocking_configuration
DenylistA user blocked, unblocked, or extended the blocking duration of an IP address or a user ID.@evt.name:"Application Security" @asset.type:ip_user_denylist
PasslistA user added, modified, or deleted an entry to the passlist.@evt.name:"Application Security" @asset.type:passlist_entry
In-App WAF PolicyA user created, modified, or deleted an In-App WAF policy.@evt.name:"Application Security" @asset.type:policy_entry
In-App WAF Custom RuleA user validated, created, modified, or deleted an In-App WAF custom rule.@evt.name:"Application Security" @asset.type:waf_custom_rule

Further Reading

PREVIEWING: may/unit-testing