dd-audit-security-investigation
Installation
SKILL.md
Audit Trail: Security Investigation
Answer common security investigation questions using pup audit-logs.
Prerequisites
pup auth login # OAuth2 (recommended)
# or set DD_API_KEY + DD_APP_KEY with audit_logs_read scope
Command Execution Order
- Clarify the investigation scope: who, what resource type, what time window.
- Run the most specific query first; broaden only if results are empty.
- If results are large, pipe to
jqto group or summarize. - Highlight anomalies: bulk operations, unusual geo, off-hours activity, support user actions.
Common Investigation Queries
Related skills
More from datadog-labs/agent-skills
dd-pup
Datadog CLI (Rust). OAuth2 auth with token refresh.
664dd-apm
APM - install, onboard, instrument, enable, set up, configure, traces, services, dependencies, performance analysis. Use for any request involving Datadog APM setup, instrumentation (SSI, ddtrace, agent install), or analysis.
576dd-logs
Log management - search, archives, metrics, and cost control.
575dd-monitors
Monitor management - list, search, file-based create, and alerting best practices.
558agent-skills
Datadog skills for AI agents. Essential monitoring, logging, tracing and observability.
554dd-docs
Datadog docs lookup using docs.datadoghq.com/llms.txt and linked Markdown pages.
546