
Goal

Detects when Datadog audit trail logging is disabled. Audit trail provides visibility into configuration changes and user activity.

Strategy

This rule monitors Datadog audit trail events where @asset.type is audit_trail_state and @asset.new_value.enabled changes to false. Audit trail logging captures all configuration changes, authentication events, and administrative actions within the Datadog platform. Disabling audit trail eliminates security visibility and prevents detection of malicious activity. Attackers commonly disable logging systems after gaining unauthorized access to hide their actions and maintain persistence without detection.

Triage and response

  • Verify if {{@usr.email}} has authorization to disable audit trail by confirming with platform administrators and checking change management records.
  • Determine the duration audit trail was disabled by identifying when it was re-enabled or if it remains disabled.
  • Review all administrative actions and configuration changes made by {{@usr.email}} immediately before and during the time audit trail was disabled.
  • Check for suspicious authentication activity from {{@usr.email}} such as unusual login locations or times that might indicate account compromise.
  • Investigate if other security controls were modified during the same timeframe including detection rules, notification profiles, or log forwarding configurations.
  • Examine user and role modifications to identify if unauthorized access was granted while audit logging was disabled.
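The match condition from the Strategy section (@asset.type is audit_trail_state and @asset.new_value.enabled becomes false), together with the triage steps that ask how long the audit trail stayed disabled and what the same user did in that window, as an added worked example in Python. It is not code from the Datadog rule or platform: the nested JSON event shape, the sample events, and the helper names (get_path, find_disable_events, disabled_windows, actions_during_window) are assumptions made for this illustration.

```python
"""Detect 'audit trail disabled' events and reconstruct the disabled window.

Added illustration only. The event layout below is a constructed approximation
of the Datadog audit trail attributes named in the rule (@asset.type,
@asset.new_value.enabled, @usr.email); it is not the platform's own schema.
"""
import json
from datetime import datetime, timezone

# Constructed sample events (not real Datadog data), deliberately out of order
# and with one boolean encoded as a string to exercise the normalisation.
SAMPLE_EVENTS = [
    '{"timestamp": "2024-05-01T10:42:00Z", "asset": {"type": "audit_trail_state", "new_value": {"enabled": true}}, "usr": {"email": "alice@example.com"}}',
    '{"timestamp": "2024-05-01T09:55:00Z", "asset": {"type": "detection_rule", "new_value": {"enabled": false}}, "usr": {"email": "bob@example.com"}}',
    '{"timestamp": "2024-05-01T10:00:00Z", "asset": {"type": "audit_trail_state", "new_value": {"enabled": false}}, "usr": {"email": "alice@example.com"}}',
    '{"timestamp": "2024-05-01T10:05:00Z", "asset": {"type": "role", "new_value": {"name": "extra-admin"}}, "usr": {"email": "alice@example.com"}}',
    '{"timestamp": "2024-05-02T08:00:00Z", "asset": {"type": "audit_trail_state", "new_value": {"enabled": "false"}}, "usr": {"email": "mallory@example.com"}}',
]

# Tolerate boolean, string and integer encodings of the enabled flag.
FALSE_VALUES = (False, "false", "False", 0)
TRUE_VALUES = (True, "true", "True", 1)


def get_path(event, dotted):
    """Resolve a dotted attribute path such as 'asset.new_value.enabled'; None if absent."""
    node = event
    for key in dotted.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def parse_ts(value):
    """Parse the ISO 8601 'Z' timestamps used in the sample events as UTC."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def load_events(raw_lines):
    """Parse JSON lines and sort chronologically so windows can be paired in order."""
    events = [json.loads(line) for line in raw_lines]
    return sorted(events, key=lambda e: parse_ts(e["timestamp"]))


def is_audit_trail_state(event):
    return get_path(event, "asset.type") == "audit_trail_state"


def audit_trail_disabled(event):
    """The rule's match condition: audit_trail_state whose new enabled value is false."""
    if not is_audit_trail_state(event):
        return False
    return get_path(event, "asset.new_value.enabled") in FALSE_VALUES


def find_disable_events(events):
    """Every event the rule would alert on."""
    return [e for e in events if audit_trail_disabled(e)]


def disabled_windows(events):
    """Pair each disable with the next re-enable; duration None means still disabled."""
    windows, current = [], None
    for e in events:
        if not is_audit_trail_state(e):
            continue
        enabled = get_path(e, "asset.new_value.enabled")
        if enabled in FALSE_VALUES and current is None:
            current = {"user": get_path(e, "usr.email"), "disabled_at": e["timestamp"],
                       "re_enabled_at": None, "duration_seconds": None}
        elif enabled in TRUE_VALUES and current is not None:
            delta = parse_ts(e["timestamp"]) - parse_ts(current["disabled_at"])
            current["re_enabled_at"] = e["timestamp"]
            current["duration_seconds"] = int(delta.total_seconds())
            windows.append(current)
            current = None
    if current is not None:  # never re-enabled within the data
        windows.append(current)
    return windows


def actions_during_window(events, window):
    """Triage helper: other actions by the same user between disable and re-enable.

    Events in this interval must come from a source that was still recording;
    the audit trail itself was off, which is exactly why the rule exists.
    """
    start = parse_ts(window["disabled_at"])
    end = parse_ts(window["re_enabled_at"]) if window["re_enabled_at"] else None
    found = []
    for e in events:
        t = parse_ts(e["timestamp"])
        if t < start or (end is not None and t > end):
            continue
        if is_audit_trail_state(e) or get_path(e, "usr.email") != window["user"]:
            continue
        found.append(e)
    return found


if __name__ == "__main__":
    evs = load_events(SAMPLE_EVENTS)
    for w in disabled_windows(evs):
        print(w, "->", [get_path(a, "asset.type") for a in actions_during_window(evs, w)])
```

The detection_rule event with enabled false is ignored because the asset type is not audit_trail_state, while the string "false" in mallory's event still matches; the second window has no re-enable and is reported with a None duration, which is the "remains disabled" case in the triage list.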