Dynatrace has a built-in audit logging based on Grail.
Regular DQL queries can be used to retrieve configuration changes and each single read/write operation to a Dynatrace resource. These events are stored for one year.
Grail-based audit logging is enabled by default and can't be turned off.
The following table describes the required permissions to access the audit logs.
ALLOW storage:system:read WHERE storage:event.kind="AUDIT_EVENT""AUDIT_EVENT".ALLOW storage:buckets:read WHERE storage:bucket-name="dt_system_events""dt_system_events".For more details, refer to IAM policy reference.
To filter for events that are related to changes or actions performed within the settings of the system, use the following query:
fetch dt.system.events| filter event.kind == "AUDIT_EVENT"| filter event.provider == "SETTINGS"
To filter system events to provide details about audit events specifically from changes to Dynatrace Notebooks, use the following query:
fetch dt.system.events| filter event.kind == "AUDIT_EVENT"| filter event.provider == "API_GATEWAY"| filter contains(resource, "documents")| filter app.id == "dynatrace.notebooks"| filter event.type == "PATCH"
Grail-based audit logs store the user ID instead of an email address to comply with data privacy regulations.
The following permission is required to access the user information.
ALLOW iam:users:read;You can use a platform API to retrieve user details by providing the environment or account ID and the user ID. For example:
GET /platform/iam/v1/organizational-levels/{level-type}/{level-id}/users/{uuid}
For more details, refer to Identity and access management (IAM).
export default async function () {var environmentID = "<environment-id>";var userID = "<user-id>";var myUrl = '/platform/iam/v1/organizational-levels/environment/'+environmentID+'/users/'+userID;var myResponse= fetch(myUrl).then((response) => response.json()).then((data) => data.email);return myResponse;}