Datadog Audit Trail
Datadog Audit Trail captures a record of every action taken by users and administrators in your Datadog organization — including dashboard and monitor changes, authentication events, API key management, user administration, and configuration updates across all Datadog products.
RunReveal polls the Datadog Audit Logs API every 60 seconds and will backfill up to 30 days of events on first connect.
Ingest Methods
API Polling
Setup
- Go to Sources in RunReveal
- Click the Datadog Audit Trail source tile
- Give it a name
- Select your Datadog Site (the regional endpoint your organization uses)
- Enter your API Key and Application Key, then click Connect Source
Datadog Site
Datadog operates multiple regional sites. Select the one that matches your organization's Datadog account:
| Site | URL |
|---|---|
| US1 (default) | datadoghq.com |
| US3 | us3.datadoghq.com |
| US5 | us5.datadoghq.com |
| EU1 | datadoghq.eu |
| AP1 | ap1.datadoghq.com |
| AP2 | ap2.datadoghq.com |
| US1-FED | ddog-gov.com |
If you're unsure which site your organization uses, check the URL you use to log in to Datadog — it will contain the site domain.
API Key
- In Datadog, navigate to Organization Settings → API Keys
- Click New Key, give it a descriptive name (e.g., RunReveal), and copy the key value
Application Key
The Application Key authorizes RunReveal to read audit events. The key inherits the permissions of the user or service account it belongs to, so that account must have the Audit Logs Read permission.
- In Datadog, navigate to Organization Settings → Application Keys
- Click New Key, give it a descriptive name (e.g., RunReveal Audit), and copy the key value
Permission Required: The Application Key's owner must have the audit_logs_read permission. If you see authorization errors after connecting, verify the key owner has this permission under Organization Settings → Roles.
Least Privilege: For security, create a dedicated service account with only the audit_logs_read permission and generate the Application Key from that account rather than a personal account.
Verify It's Working
Once added, logs should begin flowing within a minute. Validate with:
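One way to run this check, as an added example that is not taken from the RunReveal documentation: the query uses the datadog_audit_logs table and columns listed under Schema and assumes a ClickHouse-style SQL dialect (inferred from the column types). It shows how far back the backfill reached and how recently the poller delivered events.

```sql
-- Added example, not RunReveal's own query.
-- Assumption: ClickHouse-style SQL (count(), uniqExact(), dateDiff()).
-- Table and column names come from the Schema section of this page.
SELECT
    ddEvtCategory,
    ddEvtOutcome,
    count()                                    AS events,
    uniqExact(ddUsrEmail)                      AS distinct_users,
    -- Oldest event per group: after first connect this can reach up to 30 days back.
    min(eventTime)                             AS oldest_event,
    max(eventTime)                             AS newest_event,
    -- Seconds since RunReveal last received an event in this group.
    -- With 60-second polling, active categories should stay low.
    dateDiff('second', max(receivedAt), now()) AS seconds_since_last_ingest
FROM datadog_audit_logs
WHERE eventTime >= now() - INTERVAL 30 DAY
GROUP BY ddEvtCategory, ddEvtOutcome
ORDER BY events DESC;
```

The smallest seconds_since_last_ingest across the rows is the freshness of the source as a whole; categories that occur rarely will show larger values even when polling is healthy.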
Event Types Collected
Datadog Audit Trail covers a broad range of organizational activity:
- Authentication — User logins, API key usage, session events
- Dashboards — Create, update, and delete actions
- Monitors — Alert configuration changes
- API & Application Keys — Key creation, rotation, and deletion
- User Management — Invitations, role changes, team membership updates
- Notebooks & Logs — Configuration and pipeline changes
- Integrations — Third-party integration changes
- Settings — Organization-wide configuration updates
Schema
The following columns are exposed for this source. RunReveal applies schema normalization across all sources, ensuring uniform field names and data types for cross-source queries and reusable detection logic.
Table: datadog_audit_logs (51 columns)
| Column | Type |
|---|---|
| workspaceID | String |
| sourceID | String |
| sourceType | String |
| sourceTTL | UInt32 |
| receivedAt | DateTime |
| id | String |
| eventTime | DateTime |
| eventName | String |
| eventID | String |
| srcIP | String |
| srcASCountryCode | String |
| srcASNumber | UInt32 |
| srcASOrganization | String |
| srcCity | String |
| srcConnectionType | String |
| srcISP | String |
| srcLatitude | Float64 |
| srcLongitude | Float64 |
| srcUserType | String |
| dstIP | String |
| dstASCountryCode | String |
| dstASNumber | UInt32 |
| dstASOrganization | String |
| dstCity | String |
| dstConnectionType | String |
| dstISP | String |
| dstLatitude | Float64 |
| dstLongitude | Float64 |
| dstUserType | String |
| actor | Map(String, String) |
| tags | Map(String, String) |
| resources | Array(String) |
| serviceName | String |
| enrichments | Array(Tuple(data Map(String, String), name String, provider String, type String, value String)) |
| readOnly | Bool |
| rawLog | String |
| ddEventID | String |
| ddService | String |
| ddMessage | String |
| ddEvtName | String |
| ddEvtCategory | String |
| ddEvtOutcome | String |
| ddUsrEmail | String |
| ddUsrID | String |
| ddUsrName | String |
| ddClientIP | String |
| ddHTTPMethod | String |
| ddHTTPStatusCode | String |
Helpful Links
- Datadog Audit Trail Overview - Official documentation for the Audit Trail feature
- Datadog Audit Logs API - API reference for the endpoint RunReveal polls
- Datadog API and Application Keys - Guide to creating and managing API and Application keys
- Datadog Role-Based Access Control - How to configure the Audit Logs Read permission