
Anthropic Compliance audit-log forwarding disabled

This rule is part of a beta feature. To learn more, contact Support.

Goal

Detects when Compliance API logging or the Compliance API itself is disabled for an Anthropic organization, suspending the audit feed.

Strategy

This rule monitors Anthropic Compliance activities for org_compliance_api_settings_updated with @compliance_api_logging_enabled:false or @compliance_api_enabled:false. Disabling Compliance API logging, or disabling the Compliance API itself, means future activity is not recorded for export, effectively turning off the audit feed downstream consumers rely on (this SIEM integration included). Because nothing after the change is recorded, the disablement event may be the last one the feed delivers until the setting is restored, so this alert is the signal to act on rather than one to correlate with later events. This is the highest-severity event surface for the integration. Treat any non-emergency disablement as suspected audit-log tampering.

Triage and response

  • Immediately confirm {{@usr.email}} is a Primary Owner with documented authority to change Compliance API settings.
  • Verify whether there is an active incident, planned outage, or contractual reason for the change.
  • Examine the actor’s recent activity for compromise indicators (suspicious login, MFA bypass, recent privilege escalation).
  • If the action was unauthorized, re-enable Compliance API logging or the Compliance API immediately and treat all activity between the disablement and the re-enable as un-audited.
  • Once logging resumes, audit downstream activity for indicators of what the actor did during the gap: bound the gap with the disablement event and the first event after re-enable, and compare against the last-seen IDs in your ingestion pipeline.
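The following is an added example (not Datadog's rule implementation and not Anthropic code) that applies the match condition from the Strategy section to a handful of raw audit-log lines and then does the bookkeeping the last two triage steps ask for: it pairs each disablement with the first later update that turns the affected flag back on and reports the resulting un-audited window, the actor, and whether the window is still open. Only the event type org_compliance_api_settings_updated, the two flags @compliance_api_logging_enabled / @compliance_api_enabled, and the @usr.email attribute come from the page; the record layout (id, timestamp, usr.email, flags as top-level keys) and the sample lines are constructed assumptions.

```python
from __future__ import annotations

import json
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Event type and flag names come from the rule text; the remaining record
# layout (id, timestamp, usr.email) is a constructed assumption.
EVENT_TYPE = "org_compliance_api_settings_updated"
FLAGS = ("compliance_api_logging_enabled", "compliance_api_enabled")

# Constructed sample audit feed (not real Anthropic data): a benign settings
# update, an unrelated event, a logging disablement by a non-owner, its
# re-enable 3.5 h later, then the Compliance API itself disabled with no
# re-enable yet.
SAMPLE_LOG_LINES = [
    '{"id": "evt-0001", "timestamp": "2025-03-01T09:00:00Z", "event_type": "org_compliance_api_settings_updated", "usr": {"email": "owner@example.com"}, "compliance_api_logging_enabled": true, "compliance_api_enabled": true}',
    '{"id": "evt-0002", "timestamp": "2025-03-01T09:05:00Z", "event_type": "api_key_created", "usr": {"email": "dev@example.com"}}',
    '{"id": "evt-0003", "timestamp": "2025-03-01T10:00:00Z", "event_type": "org_compliance_api_settings_updated", "usr": {"email": "contractor@example.com"}, "compliance_api_logging_enabled": false, "compliance_api_enabled": true}',
    '{"id": "evt-0004", "timestamp": "2025-03-01T13:30:00Z", "event_type": "org_compliance_api_settings_updated", "usr": {"email": "owner@example.com"}, "compliance_api_logging_enabled": true, "compliance_api_enabled": true}',
    '{"id": "evt-0005", "timestamp": "2025-03-02T08:00:00Z", "event_type": "org_compliance_api_settings_updated", "usr": {"email": "owner@example.com"}, "compliance_api_logging_enabled": true, "compliance_api_enabled": false}',
]


def parse_ts(value: str) -> datetime:
    # ISO-8601 with a trailing Z; fromisoformat needs the +00:00 spelling.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def disabled_flags(event: dict) -> tuple[str, ...]:
    """Return which audit flags this event explicitly sets to false.

    This is the rule's match condition: the settings-updated event with
    @compliance_api_logging_enabled:false or @compliance_api_enabled:false.
    An absent flag is not treated as false, so an update that touches
    neither flag does not match.
    """
    if event.get("event_type") != EVENT_TYPE:
        return ()
    return tuple(name for name in FLAGS if event.get(name) is False)


def is_disablement(event: dict) -> bool:
    return bool(disabled_flags(event))


@dataclass
class Finding:
    event_id: str                      # last-seen ID to compare with your pipeline's high-water mark
    actor: str                         # the @usr.email to vet against the Primary Owner list
    disabled_flags: tuple[str, ...]
    disabled_at: datetime
    restored_at: Optional[datetime]    # None while the window is still open
    restored_by: Optional[str]
    window_seconds: Optional[float]


def evaluate(lines: list[str]) -> list[Finding]:
    """Run the detection over raw JSON log lines and pair each disablement
    with the first later update that turns every affected flag back on,
    which bounds the un-audited window triage has to reconstruct."""
    events = sorted((json.loads(line) for line in lines),
                    key=lambda e: parse_ts(e["timestamp"]))
    findings: list[Finding] = []
    for index, event in enumerate(events):
        flags = disabled_flags(event)
        if not flags:
            continue
        restore = next(
            (later for later in events[index + 1:]
             if later.get("event_type") == EVENT_TYPE
             and all(later.get(name) is True for name in flags)),
            None,
        )
        disabled_at = parse_ts(event["timestamp"])
        restored_at = parse_ts(restore["timestamp"]) if restore else None
        findings.append(Finding(
            event_id=event["id"],
            actor=event.get("usr", {}).get("email", "<unknown>"),
            disabled_flags=flags,
            disabled_at=disabled_at,
            restored_at=restored_at,
            restored_by=restore.get("usr", {}).get("email") if restore else None,
            window_seconds=(restored_at - disabled_at).total_seconds() if restored_at else None,
        ))
    return findings


if __name__ == "__main__":
    for f in evaluate(SAMPLE_LOG_LINES):
        state = (f"restored by {f.restored_by} after {f.window_seconds / 3600:.1f} h"
                 if f.restored_at else "STILL DISABLED")
        print(f"{f.event_id}: {f.actor} set {', '.join(f.disabled_flags)}=false "
              f"at {f.disabled_at.isoformat()} -> {state}")
```

The window is bounded from the feed's own view, so it is a lower bound: if the last ID your ingestion pipeline stored is earlier than the disablement event's ID, the gap started earlier than the finding shows, and an open window (restored_at is None) means the feed is still dark and step 4 has not been completed.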