Datadog security notification rule modified or deleted


Goal

Detects modifications or deletions of security notification rules in Datadog Cloud SIEM. Notification rules control alert routing to security responders.

Strategy

This rule monitors Datadog audit trail events for changes to notification profiles through @action:modified or @action:deleted events where @asset.type is notification_profile. Notification profiles determine how security signals are routed to incident response teams. Modifications could reduce alert coverage or change recipient lists, while deletions eliminate alerting channels entirely. These changes may indicate attempts to suppress security alerts or operate undetected within the environment.

Triage and response

  • Verify if {{@usr.email}} has authorization to modify notification rules by checking with the security team or change management records.
  • Review the affected notification rule {{@asset.name}} to understand which security signals were impacted by this change.
  • Examine @asset.prev_value and @asset.new_value attributes to identify specific modifications made to recipients, channels, or filtering conditions.
  • Check if critical security signals are still being delivered to appropriate incident response teams after this change.
  • Investigate other audit trail activity from {{@usr.email}} during the same timeframe for additional suspicious modifications to security controls.
  • Determine if any security rule deletions or modifications occurred shortly before or after this notification rule change.
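The matching logic described under Strategy, together with the prev_value/new_value comparison from the triage steps, as an added offline example in Python. This is illustrative code, not Datadog's rule implementation: the attribute names (@action, @asset.type, @asset.name, @asset.prev_value, @asset.new_value, @usr.email) are the ones named on this page, while the nested-dictionary layout of each event, the `recipients` list inside prev_value/new_value, and all sample events are constructed assumptions.

```python
"""Added example: matches audit-trail events against the detection logic
described above and summarises what changed for a responder.

Assumptions (not from the page): events are plain dicts with the '@' prefix
stripped, e.g. event["asset"]["type"], and notification-profile values carry a
"recipients" list. All sample events below are constructed."""

from typing import Dict, Iterable, List

# The page describes the detection as @action:modified or @action:deleted
# events where @asset.type is notification_profile.
WATCHED_ACTIONS = {"modified", "deleted"}
WATCHED_ASSET_TYPE = "notification_profile"


def matches_rule(event: Dict) -> bool:
    """True when the event is a modification or deletion of a notification profile."""
    asset = event.get("asset") or {}
    return event.get("action") in WATCHED_ACTIONS and asset.get("type") == WATCHED_ASSET_TYPE


def recipient_diff(event: Dict) -> Dict[str, List[str]]:
    """Compare recipients in @asset.prev_value and @asset.new_value (assumed layout)."""
    asset = event.get("asset") or {}
    prev = set((asset.get("prev_value") or {}).get("recipients") or [])
    new = set((asset.get("new_value") or {}).get("recipients") or [])
    return {"removed": sorted(prev - new), "added": sorted(new - prev)}


def build_signals(events: Iterable[Dict]) -> List[Dict]:
    """Turn matching events into triage summaries: who, which rule, what changed,
    and whether alert coverage was lost (deleted, or recipients removed with none added)."""
    signals = []
    for event in events:
        if not matches_rule(event):
            continue
        asset = event.get("asset") or {}
        diff = recipient_diff(event)
        coverage_lost = event["action"] == "deleted" or (bool(diff["removed"]) and not diff["added"])
        signals.append({
            "user": (event.get("usr") or {}).get("email"),
            "action": event["action"],
            "rule": asset.get("name"),
            "removed_recipients": diff["removed"],
            "added_recipients": diff["added"],
            "coverage_lost": coverage_lost,
        })
    return signals


# Constructed sample audit-trail events (not real Datadog data).
SAMPLE_EVENTS = [
    {   # notification profile edited: pager recipient removed, nothing added
        "action": "modified",
        "usr": {"email": "analyst@example.com"},
        "asset": {
            "type": "notification_profile",
            "name": "High severity signals to SOC",
            "prev_value": {"recipients": ["soc-pager@example.com", "soc-chat@example.com"]},
            "new_value": {"recipients": ["soc-chat@example.com"]},
        },
    },
    {   # notification profile deleted outright
        "action": "deleted",
        "usr": {"email": "analyst@example.com"},
        "asset": {"type": "notification_profile", "name": "Identity alerts to IR team",
                  "prev_value": {"recipients": ["ir-team@example.com"]}, "new_value": None},
    },
    {   # a detection rule change: different asset type, so not matched by this rule
        "action": "modified",
        "usr": {"email": "analyst@example.com"},
        "asset": {"type": "security_rule", "name": "Brute force login"},
    },
    {   # a newly created notification profile: action not in scope
        "action": "created",
        "usr": {"email": "admin@example.com"},
        "asset": {"type": "notification_profile", "name": "New channel",
                  "new_value": {"recipients": ["ops@example.com"]}},
    },
]


def main() -> None:
    for signal in build_signals(SAMPLE_EVENTS):
        print(signal)


if __name__ == "__main__":
    main()
```

Running the block prints two signals: the first flags the removed pager recipient as a coverage loss for the responder to confirm, the second records the deletion; the security-rule change and the profile creation are left to other rules. In a real triage the same user's other audit events in the window would be pulled alongside these, as the last two steps above describe.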