dd-audit-key-compromise
Audit Trail: API Key Compromise Investigation
Reconstruct what a Datadog API key did, where requests originated, and which resources were affected.
Prerequisites
pup auth login # OAuth2 (recommended)
# or set DD_API_KEY + DD_APP_KEY with audit_logs_read scope
You need the key ID of the suspect key (not the key value). Find it in Datadog UI under Organization Settings > API Keys, or from context showing @metadata.api_key.id.
Investigation Workflow
Step 1 — Establish timeline
pup audit-logs search --query "@metadata.api_key.id:KEY_ID" --from 90d --limit 200 -o json \
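Once the Step 1 results are saved as JSON, they can be grouped by origin to see when each source IP first used the key and what it called. This is an added example, not part of the original skill or of pup itself: the event nesting, the field names other than metadata.api_key.id, and the sample events are assumptions constructed for illustration.

```python
import json
from datetime import datetime

# Constructed events; the nesting (attributes.timestamp, attributes.attributes.*)
# is an assumed export shape, so adjust the paths to match your real output.
SAMPLE_EVENTS = json.loads("""
[
 {"attributes": {"timestamp": "2024-05-03T02:14:09Z", "attributes": {
   "metadata": {"api_key": {"id": "example-key-id"}},
   "network": {"client": {"ip": "198.51.100.7"}},
   "http": {"method": "POST", "url_details": {"path": "/api/v1/series"}}}}},
 {"attributes": {"timestamp": "2024-05-01T10:00:00Z", "attributes": {
   "metadata": {"api_key": {"id": "example-key-id"}},
   "network": {"client": {"ip": "192.0.2.10"}},
   "http": {"method": "POST", "url_details": {"path": "/api/v1/series"}}}}},
 {"attributes": {"timestamp": "2024-05-03T02:15:40Z", "attributes": {
   "metadata": {"api_key": {"id": "example-key-id"}},
   "network": {"client": {"ip": "198.51.100.7"}},
   "http": {"method": "POST", "url_details": {"path": "/api/v2/logs"}}}}},
 {"attributes": {"timestamp": "2024-05-02T08:00:00Z", "attributes": {
   "metadata": {"api_key": {"id": "other-key-id"}},
   "network": {"client": {"ip": "203.0.113.5"}}}}}
]
""")

def dig(obj, dotted):
    """Walk a dotted path through nested dicts; None if any hop is missing."""
    for part in dotted.split("."):
        obj = obj.get(part) if isinstance(obj, dict) else None
    return obj

def key_timeline(events, key_id):
    """Per source IP: first/last seen, request count, distinct method+path pairs."""
    by_ip = {}
    for ev in events:
        inner = dig(ev, "attributes.attributes") or {}
        raw_ts = dig(ev, "attributes.timestamp")
        if dig(inner, "metadata.api_key.id") != key_id or not raw_ts:
            continue  # other keys, or events with no usable timestamp
        ts = datetime.fromisoformat(raw_ts.replace("Z", "+00:00"))
        ip = dig(inner, "network.client.ip") or "unknown"
        call = f'{dig(inner, "http.method") or "?"} {dig(inner, "http.url_details.path") or "?"}'
        rec = by_ip.setdefault(ip, {"first": ts, "last": ts, "count": 0, "calls": set()})
        rec["first"], rec["last"] = min(rec["first"], ts), max(rec["last"], ts)
        rec["count"] += 1
        rec["calls"].add(call)
    # Oldest origin first, so a late-appearing IP stands out at the bottom.
    return sorted(by_ip.items(), key=lambda kv: kv[1]["first"])

if __name__ == "__main__":
    for ip, rec in key_timeline(SAMPLE_EVENTS, "example-key-id"):
        print(ip, rec["first"].isoformat(), rec["last"].isoformat(), rec["count"], sorted(rec["calls"]))
```

An IP whose first-seen time is well after the key's creation, or that calls endpoints the legitimate client never used, marks the start of the window to investigate.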