By name: dd-audit-compliance-report description: Generate auditor-ready compliance evidence from Datadog Audit Trail for SOC 2 and PCI DSS. Maps framework controls to specific query patterns and produces formatted output. metadata: version: "0.1.0" author: datadog-labs repository: https://github.com/datadog-labs/agent-skills tags: datadog,audit,compliance,soc2,pci,dd-audit alwaysApply: "false"
Audit Trail: Compliance Evidence Report
Generate auditor-ready evidence from Datadog Audit Trail for SOC 2 and PCI DSS control requirements.
Prerequisites
pup auth login # OAuth2 (recommended)
# or set DD_API_KEY + DD_APP_KEY with audit_logs_read scope
Read First
See references/control-mapping.md for the full control → query mapping table and retention requirements by framework.
Retention Check (Run First)
PCI requires 12 months. Datadog default retention is 90 days. Check whether archive is configured:
pup audit-logs search --query "@evt.name:\"Audit Trail\" @action:modified" --from 90d -o json \
| jq '[.data[] | {
timestamp: .attributes.timestamp,
user: .attributes.attributes.usr.email,
action: .attributes.attributes.action,
resource: .attributes.attributes.asset.type
}]'
If the requested time window exceeds 90 days and no archive is confirmed, surface this gap in the report header.
Workflow
- Confirm: framework (SOC 2 / PCI DSS), time window, org scope
- Run retention check
- Run each relevant control query
- Format output using the Evidence Report template
SOC 2 Queries
CC6.2 — User Provisioning / Deprovisioning
pup audit-logs search \
--query "@evt.name:\"Access Management\" @asset.type:user @action:(created OR deleted OR modified)" \
--from PERIOD_START --to PERIOD_END --limit 500 -o json \
| jq '[.data[] | {
timestamp: .attributes.timestamp,
actor: .attributes.attributes.usr.email,
action: .attributes.attributes.action,
affected_user: .attributes.attributes.asset.id
}]'
CC6.3 — Role and Permission Changes
pup audit-logs search \
--query "@evt.name:\"Access Management\" @asset.type:role" \
--from PERIOD_START --to PERIOD_END --limit 500 -o json \
| jq '[.data[] | {
timestamp: .attributes.timestamp,
actor: .attributes.attributes.usr.email,
action: .attributes.attributes.action,
role_id: .attributes.attributes.asset.id
}]'
CC6.6 — Failed Logins and Suspicious Access
pup audit-logs search \
--query "@evt.name:Authentication @action:login @status:error" \
--from PERIOD_START --to PERIOD_END --limit 500 -o json \
| jq '[.data[] | {
timestamp: .attributes.timestamp,
user: .attributes.attributes.usr.email,
ip: .attributes.attributes.network.client.ip,
country: .attributes.attributes.network.client.geoip.country.name
}]'
CC7.2 — Privileged / Support User Actions
pup audit-logs search \
--query "@evt.actor.type:SUPPORT_USER" \
--from PERIOD_START --to PERIOD_END --limit 500 -o json \
| jq '[.data[] | {
timestamp: .attributes.timestamp,
support_actor: .attributes.attributes.usr.email,
action: .attributes.attributes.action,
resource_type: .attributes.attributes.asset.type,
resource_id: .attributes.attributes.asset.id
}]'
PCI DSS Queries
PCI 10.2.2 — Actions by Privileged Users
Same as CC7.2 above. Also include org-level admin actions:
pup audit-logs search \
--query "@evt.name:\"Organization Management\"" \
--from PERIOD_START --to PERIOD_END --limit 200 -o json \
| jq '[.data[] | {
timestamp: .attributes.timestamp,
actor: .attributes.attributes.usr.email,
action: .attributes.attributes.action,
resource_type: .attributes.attributes.asset.type
}]'
PCI 10.2.3 — Access to Audit Trail Itself
pup audit-logs search \
--query "@evt.name:\"Audit Trail\"" \
--from PERIOD_START --to PERIOD_END --limit 200 -o json \
| jq '[.data[] | {
timestamp: .attributes.timestamp,
actor: .attributes.attributes.usr.email,
action: .attributes.attributes.action,
resource_type: .attributes.attributes.asset.type
}]'
PCI 10.2.4 — Invalid Access Attempts
Same as CC6.6 failed logins above.
PCI 10.2.5 — All Authentication Events
pup audit-logs search \
--query "@evt.name:Authentication @action:login" \
--from PERIOD_START --to PERIOD_END --limit 1000 -o json \
| jq '[.data[] | {
timestamp: .attributes.timestamp,
user: .attributes.attributes.usr.email,
auth_method: .attributes.attributes.auth_method,
result: .attributes.attributes.status,
ip: .attributes.attributes.network.client.ip,
country: .attributes.attributes.network.client.geoip.country.name
}]'
PCI 10.2.7 — Object Creation and Deletion
pup audit-logs search \
--query "@action:(created OR deleted)" \
--from PERIOD_START --to PERIOD_END --limit 1000 -o json \
| jq '[.data[] | {
timestamp: .attributes.timestamp,
user: .attributes.attributes.usr.email,
action: .attributes.attributes.action,
resource_type: .attributes.attributes.asset.type,
resource_id: .attributes.attributes.asset.id,
ip: .attributes.attributes.network.client.ip
}]'
Evidence Report Template
# Datadog Audit Trail — Compliance Evidence Report
Framework: [SOC 2 / PCI DSS]
Organization: [org name]
Period: [start] to [end]
Generated: [date]
## Scope Boundary
This report covers administrative actions within the Datadog platform.
It does not cover actions taken within systems that Datadog monitors.
## Retention Status
[✓ Full period covered by Audit Trail retention]
[⚠ Requested period exceeds 90-day default. Archive config required for complete coverage.]
---
## [Control ID] — [Control Name]
Events found: [N]
| Timestamp | Actor | Action | Resource Type | Resource ID | IP | Country |
|-----------|-------|--------|---------------|-------------|-----|---------|
| ... | ... | ... | ... | ... | ... | ... |
[Repeat per control]
---
## Gaps
[List any controls where data was unavailable or incomplete, and why]
Scope Caveat
Datadog Audit Trail covers the Datadog platform as the system being audited. For PCI purposes, this is evidence that the monitoring platform's access controls are functioning — not direct evidence about the cardholder data environment (CDE) itself. Auditors should understand this scope boundary.