dd-audit
# Datadog Audit Trail
Investigate user activity, configuration changes, access patterns, and compliance evidence using `pup audit-logs`.

## Sub-Skills
| Sub-skill | Use when |
|---|---|
| security-investigation | "Who changed X?", "What did this user do?", "Show me deletions in the last 24h" |
| key-compromise | "Was this API key compromised?", "What did key XYZ do?", "Investigate suspicious key activity" |
| cost-spike-investigation | "Why did my bill go up?", "What caused this usage spike?", "Investigate LLM cost increase" |
| compliance-report | "Generate SOC 2 evidence", "PCI audit log", "User provisioning report for auditor" |
| ai-activity-audit | "What did the AI assistant do?", "Audit MCP tool calls", "AI governance report" |
## Prerequisites

```bash
pup auth login   # OAuth2 (recommended)
# or set DD_API_KEY + DD_APP_KEY with the audit_logs_read scope
```
## Commands

```bash
# List recent events
pup audit-logs list --from 1h --limit 100

# Search with a query
pup audit-logs search --query "@action:deleted" --from 24h

# JSON output for piping to jq
pup audit-logs search --query "@usr.email:alice@example.com" --from 7d -o json | jq '.data[].attributes'
```
## Event Schema Quick Reference
| Field | Description | Example values |
|---|---|---|
| | Actor email | |
| | How action was taken | |
| | Verb | |
| | Event category | |
| | Resource type | |
| | Resource identifier | |
| | API key used (if applicable) | |
| | App key used (if applicable) | |
| | Client IP address | |
| | Country | |
| | ASN name | |
| | API endpoint path | |
## Search Syntax

Same Lucene-style syntax as Log Explorer:

| Query | Meaning |
|---|---|
| | Exact field match |
| | Action filter |
| | Specific user |
| | Compound |
| | Negation |
| | Field exists |
| | IP filter |
## Retention

Default retention is 90 days. Queries reaching further back than 90 days are only possible if an archive to S3, GCS or Azure Blob was configured beforehand. Always check that the requested time window falls within retention before running a query.
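As an added example that is not part of pup or this skill, the following Python helper applies the retention check above before a query is issued and then triages the `-o json` output of a deletions search by actor. The `--from` unit grammar (`m`, `h`, `d`), the nested event keys (`usr.email`, `action`, `asset.type`, `asset.id`) and the sample payload are assumptions constructed for the example.

```python
"""Retention gate and deletion triage for `pup audit-logs search -o json` output."""
import json
import re
from collections import defaultdict

RETENTION_DAYS = 90  # default Audit Trail retention stated on this page
_DAYS_PER_UNIT = {"m": 1 / 1440, "h": 1 / 24, "d": 1.0}  # assumed --from units

# Constructed sample in the `.data[].attributes` shape the page pipes into jq;
# the nested keys are an assumption, not a documented schema.
SAMPLE_JSON = json.dumps({"data": [
    {"attributes": {"timestamp": "2024-05-01T10:00:00Z", "attributes": {
        "usr": {"email": "alice@example.com"}, "action": "deleted",
        "asset": {"type": "dashboard", "id": "abc-123"}}}},
    {"attributes": {"timestamp": "2024-05-01T10:05:00Z", "attributes": {
        "usr": {"email": "alice@example.com"}, "action": "deleted",
        "asset": {"type": "monitor", "id": "456"}}}},
    {"attributes": {"timestamp": "2024-05-01T11:00:00Z", "attributes": {
        "usr": {"email": "bob@example.com"}, "action": "modified",
        "asset": {"type": "monitor", "id": "456"}}}},
]})


def window_days(from_arg: str) -> float:
    """Convert a --from value such as '1h', '24h' or '7d' into days."""
    m = re.fullmatch(r"(\d+)([mhd])", from_arg)
    if not m:
        raise ValueError(f"unsupported --from value: {from_arg!r}")
    return int(m.group(1)) * _DAYS_PER_UNIT[m.group(2)]


def within_retention(from_arg: str, retention_days: int = RETENTION_DAYS) -> bool:
    """Run before querying: False means an archive (S3/GCS/Azure Blob) is required."""
    return window_days(from_arg) <= retention_days


def deletions_by_actor(payload: str) -> dict:
    """Map actor email -> sorted 'type:id' list of resources that actor deleted."""
    deleted = defaultdict(set)
    for event in json.loads(payload)["data"]:
        attrs = event["attributes"]["attributes"]
        if attrs.get("action") != "deleted":
            continue
        asset = attrs.get("asset", {})
        deleted[attrs["usr"]["email"]].add(f"{asset.get('type')}:{asset.get('id')}")
    return {actor: sorted(items) for actor, items in deleted.items()}


if __name__ == "__main__":
    for arg in ("24h", "7d", "120d"):
        print(arg, "within retention:", within_retention(arg))
    print(deletions_by_actor(SAMPLE_JSON))
```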
## Troubleshooting

| Problem | Cause | Fix |
|---|---|---|
| 403 Forbidden | Missing `audit_logs_read` scope | Add the `audit_logs_read` scope to the app key in the Datadog UI |
| Empty results | Time window outside retention | Check archive config; default max is 90 days |
| Timeout | Query too broad | Narrow the time window or add more filters |
| No IP data | Internal action or pre-enrichment event | Not all events have geo data |