Datadog audit trail disabled
Goal
Detects when Datadog audit trail logging is disabled. The audit trail is the record of configuration changes and user activity in a Datadog organization, so turning it off removes the evidence other detections depend on.
Strategy
This rule monitors Datadog audit trail events where @asset.type is audit_trail_state and @asset.new_value.enabled changes to false. Because it keys on the state-change event rather than on the steady state, it fires once per disable action, not continuously while the trail is off. The audit trail records configuration changes, authentication events, and administrative actions within the Datadog platform. Disabling it removes that visibility and prevents detection of subsequent malicious activity. Attackers commonly disable logging after gaining unauthorized access in order to hide their actions and maintain persistence without detection.
Triage and response
- Verify whether {{@usr.email}} was authorized to disable the audit trail by confirming with platform administrators and checking change management records.
- Determine how long the audit trail was disabled by identifying when it was re-enabled, or whether it remains disabled.
- Review all administrative actions and configuration changes made by {{@usr.email}} immediately before and during the time the audit trail was disabled. Actions taken while the trail was off may be missing from the audit trail itself, so corroborate them against any other logs that were still being collected.
- Check for suspicious authentication activity from {{@usr.email}}, such as unusual login locations or times, that might indicate account compromise.
- Investigate whether other security controls were modified during the same timeframe, including detection rules, notification profiles, or log forwarding configurations.
- Examine user and role modifications to identify whether unauthorized access was granted while audit logging was disabled.