--- title: Datadog security notification rule modified or deleted description: Datadog, the leading service for cloud-scale monitoring. breadcrumbs: >- Docs > Datadog Security > OOTB Rules > Datadog security notification rule modified or deleted --- # Datadog security notification rule modified or deleted Classification:attackTactic:[TA0005-defense-evasion](https://attack.mitre.org/tactics/TA0005)Technique:[T1562-impair-defenses](https://attack.mitre.org/techniques/T1562) ## Goal{% #goal %} Detects modifications or deletions of security notification rules in Datadog Cloud SIEM. Notification rules control alert routing to security responders. ## Strategy{% #strategy %} This rule monitors Datadog audit trail events for changes to notification profiles through `@action:modified` or `@action:deleted` events where `@asset.type` is `notification_profile`. Notification profiles determine how security signals are routed to incident response teams. Modifications could reduce alert coverage or change recipient lists, while deletions eliminate alerting channels entirely. These changes may indicate attempts to suppress security alerts or operate undetected within the environment. ## Triage and response{% #triage-and-response %} - Verify if `{{@usr.email}}` has authorization to modify notification rules by checking with the security team or change management records. - Review the affected notification rule `{{@asset.name}}` to understand which security signals were impacted by this change. - Examine `@asset.prev_value` and `@asset.new_value` attributes to identify specific modifications made to recipients, channels, or filtering conditions. - Check if critical security signals are still being delivered to appropriate incident response teams after this change. - Investigate other audit trail activity from `{{@usr.email}}` during the same timeframe for additional suspicious modifications to security controls. - Determine if any security rule deletions or modifications occurred shortly before or after this notification rule change.