Audit Trail: API Key Compromise Investigation Reconstruct what a Datadog API key did, where requests originated, and which resources were affected. Prerequisites You need the key ID of the suspect key (not the key value). Find it in Datadog UI under Organization Settings API Keys, or from context showing . Investigation Workflow Step 1 — Establish timeline Step 2 — Geo/IP breakdown Step 3 — Endpoint breakdown Step 4 — Destructive action check Step 5 — When was the key created and by whom? Anomaly Flags | Signal | Why it matters | |--------|----------------| | Country not in org's normal basel…