Labsco
datadog-labs logo

dd-audit

β˜… 138

by datadog-labs Β· part of datadog-labs/agent-skills

Audit Trail investigations - who changed what, key compromise, cost spike root cause, compliance evidence (SOC 2/PCI), and AI activity auditing.

πŸ”₯πŸ”₯πŸ”₯βœ“ VerifiedFreeQuick setup
🧩 One of 7 skills in the datadog-labs/agent-skills package β€” works on its own, and pairs well with its siblings.

This is the playbook your agent receives when the skill activates β€” you don't need to read it to use the skill, but it's here to audit before installing.


name: dd-audit description: Audit Trail investigations - who changed what, key compromise, cost spike root cause, compliance evidence (SOC 2/PCI), and AI activity auditing. metadata: version: "0.1.0" author: datadog-labs repository: https://github.com/datadog-labs/agent-skills tags: datadog,audit,audit-trail,security,compliance,dd-audit alwaysApply: "false"

Datadog Audit Trail

Investigate user activity, configuration changes, access patterns, and compliance evidence using pup audit-logs.

Sub-Skills

Sub-skillUse when
security-investigation"Who changed X?", "What did this user do?", "Show me deletions in the last 24h"
key-compromise"Was this API key compromised?", "What did key XYZ do?", "Investigate suspicious key activity"
cost-spike-investigation"Why did my bill go up?", "What caused this usage spike?", "Investigate LLM cost increase"
compliance-report"Generate SOC 2 evidence", "PCI audit log", "User provisioning report for auditor"
ai-activity-audit"What did the AI assistant do?", "Audit MCP tool calls", "AI governance report"

Commands

# List recent events
pup audit-logs list --from 1h --limit 100

# Search with a query
pup audit-logs search --query "@action:deleted" --from 24h

# JSON output for piping to jq
pup audit-logs search --query "@usr.email:alice@example.com" --from 7d -o json | jq '.data[].attributes'

Event Schema Quick Reference

FieldDescriptionExample values
@usr.emailActor emailalice@example.com
@evt.actor.typeHow action was takenUSER, API_KEY, SUPPORT_USER
@actionVerbcreated, modified, deleted, accessed, login
@evt.nameEvent categoryDashboard, Monitor, Authentication, Access Management
@asset.typeResource typedashboard, monitor, api_key, role, user
@asset.idResource identifierabc-123
@metadata.api_key.idAPI key used (if applicable)key_abc123
@metadata.app_key.idApp key used (if applicable)app_abc123
@network.client.ipClient IP address1.2.3.4
@network.client.geoip.country.nameCountryUnited States
@network.client.geoip.as.nameASN nameAmazon.com
@http.url_details.pathAPI endpoint path/api/v1/dashboard/xyz

Search Syntax

Same Lucene-style syntax as Log Explorer:

QueryMeaning
@evt.name:DashboardExact field match
@action:deletedAction filter
@usr.email:alice@example.comSpecific user
@evt.name:Monitor AND @action:modifiedCompound
-@action:deletedNegation
@usr.email:*Field exists
@network.client.ip:1.2.3.4IP filter

Retention

Default retention is 90 days. If querying beyond 90 days, archive to S3/GCS/Azure Blob must be configured. Always check whether the requested time window falls within retention before running a query.

References