Datadog organization login method changed


Goal

Detects when the login method or identity provider configuration is modified at the organization level in Datadog.

Strategy

This rule monitors Datadog Access Management audit events where @asset.type is identity_provider and @action is modified. The organization-level identity provider configuration controls how every user authenticates into the org (for example, SAML, Google OIDC, or password). Modifying this setting can weaken authentication controls, enable an alternative login path, or remove SSO enforcement, all of which an attacker can use to establish persistence or to open a route for unauthorized access. Because the setting affects all users in the org, legitimate changes to the identity provider configuration should be rare and planned.

Triage and response

  • Confirm whether {{@usr.email}} had a business justification for modifying the identity provider configuration.
  • Review the previous and new values in the audit log to understand exactly what changed (for example, SSO enforcement disabled, new SAML provider added).
  • Verify the timing aligns with a planned change or change management process.
  • If the change is unauthorized, revert the identity provider configuration to its previous state and investigate how the actor gained access to make org-level settings changes.
  • Check for other account or security configuration changes made by the same user around the same time.
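The following is an added example, not Datadog's own rule code, that evaluates the rule condition from the Strategy section over a handful of constructed audit events and then assembles the triage context listed above (actor, what changed, and other changes by the same actor around the same time). The attribute paths @asset.type, @action and @usr.email come from the rule description; the sample events, the `changes` old/new diff layout and the 30-minute correlation window are assumptions made for illustration.

```python
"""Added example: run the 'identity_provider modified' rule over sample audit
events and build triage context. Sample data and the diff layout are assumed."""
import json
from datetime import datetime, timedelta

# Constructed sample audit events (not real Datadog data). The nested keys map to
# the Datadog attribute paths @asset.type, @action and @usr.email; the "changes"
# old/new layout is an assumption for illustrating the "previous and new values" step.
SAMPLE_EVENTS = [
    {"timestamp": "2024-05-01T10:00:00+00:00", "action": "modified",
     "asset": {"type": "identity_provider", "name": "org-saml"},
     "usr": {"email": "alice@example.com"},
     "changes": {"sso_enforced": {"old": True, "new": False}}},
    {"timestamp": "2024-05-01T10:06:00+00:00", "action": "created",
     "asset": {"type": "api_key", "name": "ci-key"},
     "usr": {"email": "alice@example.com"}},
    {"timestamp": "2024-05-01T13:00:00+00:00", "action": "modified",
     "asset": {"type": "dashboard", "name": "latency"},
     "usr": {"email": "alice@example.com"}},
    {"timestamp": "2024-05-01T10:02:00+00:00", "action": "accessed",
     "asset": {"type": "identity_provider", "name": "org-saml"},
     "usr": {"email": "carol@example.com"}},
]


def get_attr(event, path):
    """Resolve a Datadog-style attribute path such as "@asset.type" in a nested event."""
    node = event
    for key in path.lstrip("@").split("."):
        if not isinstance(node, dict):
            return None
        node = node.get(key)
    return node


def matches_rule(event):
    """The rule condition: @asset.type is identity_provider and @action is modified."""
    return (get_attr(event, "@asset.type") == "identity_provider"
            and get_attr(event, "@action") == "modified")


def rule_hits(events):
    """Return every event that would trigger the rule."""
    return [e for e in events if matches_rule(e)]


def changed_fields(event):
    """Flatten the assumed old/new diff into readable 'field: old -> new' strings."""
    changes = get_attr(event, "@changes") or {}
    return [f"{field}: {vals['old']!r} -> {vals['new']!r}" for field, vals in changes.items()]


def related_events(events, hit, window=timedelta(minutes=30)):
    """Other audit events by the same actor within +/- window of the hit (triage step 5)."""
    actor = get_attr(hit, "@usr.email")
    t0 = datetime.fromisoformat(hit["timestamp"])
    related = [
        e for e in events
        if e is not hit
        and get_attr(e, "@usr.email") == actor
        and abs(datetime.fromisoformat(e["timestamp"]) - t0) <= window
    ]
    return sorted(related, key=lambda e: e["timestamp"])


def triage(events, hit):
    """Assemble the context a responder needs for the triage steps above."""
    return {
        "actor": get_attr(hit, "@usr.email"),
        "asset": get_attr(hit, "@asset.name"),
        "timestamp": hit["timestamp"],
        "changes": changed_fields(hit),
        "related": [
            f"{e['timestamp']} {get_attr(e, '@action')} "
            f"{get_attr(e, '@asset.type')}:{get_attr(e, '@asset.name')}"
            for e in related_events(events, hit)
        ],
    }


if __name__ == "__main__":
    for hit in rule_hits(SAMPLE_EVENTS):
        print(json.dumps(triage(SAMPLE_EVENTS, hit), indent=2))
```

On the sample data only alice's change to org-saml fires (carol only accessed the provider, and the dashboard edit is outside the window), and the triage output shows SSO enforcement going from True to False followed six minutes later by a new API key from the same actor, which is exactly the pattern the last triage step asks you to look for.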