---
title: Datadog audit trail disabled
description: Datadog, the leading service for cloud-scale monitoring.
---

# Datadog audit trail disabled
Classification: Attack tactic [TA0005 - Defense Evasion](https://attack.mitre.org/tactics/TA0005), Technique [T1562 - Impair Defenses](https://attack.mitre.org/techniques/T1562)
## Goal{% #goal %}

Detects when Datadog audit trail logging is disabled. The audit trail provides visibility into configuration changes and user activity.

## Strategy{% #strategy %}

This rule monitors Datadog audit trail events where `@asset.type` is `audit_trail_state` and `@asset.new_value.enabled` changes to `false`. Audit trail logging captures all configuration changes, authentication events, and administrative actions within the Datadog platform. Disabling the audit trail eliminates that security visibility and prevents detection of malicious activity. Attackers commonly disable logging systems after gaining unauthorized access, to hide their actions and maintain persistence without detection.

## Triage and response{% #triage-and-response %}

- Verify whether `{{@usr.email}}` was authorized to disable the audit trail by confirming with platform administrators and checking change management records.
- Determine how long the audit trail was disabled by identifying when it was re-enabled, or whether it remains disabled.
- Review all administrative actions and configuration changes made by `{{@usr.email}}` immediately before and during the time the audit trail was disabled.
- Check for suspicious authentication activity from `{{@usr.email}}`, such as unusual login locations or times, that might indicate account compromise.
- Investigate whether other security controls were modified during the same timeframe, including detection rules, notification profiles, or log forwarding configurations.
- Examine user and role modifications to identify whether unauthorized access was granted while audit logging was disabled.
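As an added example (not Datadog's own implementation of this rule), the detection condition from the Strategy section applied to constructed audit trail events in Python, paired with the re-enable lookup needed for the second triage step. The nesting of the search attributes `@asset.type`, `@asset.new_value.enabled` and `@usr.email` inside each JSON event is an assumption.

```python
import json
from datetime import datetime

# Constructed sample audit trail events, one JSON object per line (not real Datadog data).
# Assumption: the search attribute @asset.type maps to event["asset"]["type"], and so on.
SAMPLE_EVENTS = [json.loads(line) for line in """
{"timestamp": "2024-05-01T10:00:00Z", "asset": {"type": "audit_trail_state", "new_value": {"enabled": true}}, "usr": {"email": "admin@example.com"}}
{"timestamp": "2024-05-01T10:05:00Z", "asset": {"type": "security_monitoring_rule", "new_value": {"enabled": false}}, "usr": {"email": "admin@example.com"}}
{"timestamp": "2024-05-01T10:10:00Z", "asset": {"type": "audit_trail_state", "new_value": {"enabled": false}}, "usr": {"email": "alice@example.com"}}
{"timestamp": "2024-05-01T11:40:00Z", "asset": {"type": "audit_trail_state", "new_value": {"enabled": true}}, "usr": {"email": "bob@example.com"}}
""".strip().splitlines()]


def attr(event, path):
    """Resolve a dotted search attribute such as 'asset.new_value.enabled'; None if absent."""
    node = event
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def audit_trail_state(event):
    """True/False when the event sets the audit trail state, otherwise None."""
    if attr(event, "asset.type") != "audit_trail_state":
        return None
    return attr(event, "asset.new_value.enabled")


def matches_rule(event):
    """The rule's condition: @asset.type is audit_trail_state and enabled became false."""
    return audit_trail_state(event) is False


def parse_ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def detect(events):
    """One alert per disable event, with the next re-enable (if any) for triage step 2."""
    ordered = sorted(events, key=lambda e: parse_ts(e["timestamp"]))
    alerts = []
    for i, event in enumerate(ordered):
        if not matches_rule(event):
            continue
        re_enabled = next((e for e in ordered[i + 1:] if audit_trail_state(e) is True), None)
        gap = (parse_ts(re_enabled["timestamp"]) - parse_ts(event["timestamp"])) if re_enabled else None
        alerts.append({
            "disabled_at": event["timestamp"],
            "disabled_by": attr(event, "usr.email"),
            "re_enabled_at": re_enabled["timestamp"] if re_enabled else None,
            # None here means the audit trail is still disabled: escalate, do not close.
            "disabled_for_seconds": gap.total_seconds() if gap is not None else None,
        })
    return alerts
```

Events that disable other asset types (the `security_monitoring_rule` line) are deliberately ignored here; they belong to the separate triage step on other security controls.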
