--- title: Anthropic Compliance audit-log forwarding disabled description: Datadog, the leading service for cloud-scale monitoring. breadcrumbs: >- Docs > Datadog Security > OOTB Rules > Anthropic Compliance audit-log forwarding disabled --- # Anthropic Compliance audit-log forwarding disabled {% alert level="danger" %} This rule is part of a beta feature. To learn more, [contact Support](https://docs.datadoghq.com/help/). {% /alert %} Classification:attackTactic:[TA0005-defense-evasion](https://attack.mitre.org/tactics/TA0005)Technique:[T1562-impair-defenses](https://attack.mitre.org/techniques/T1562) ## Goal{% #goal %} Detects when Compliance API logging or the Compliance API itself is disabled for an Anthropic organization, suspending the audit feed. ## Strategy{% #strategy %} This rule monitors Anthropic Compliance activities for `org_compliance_api_settings_updated` with `@compliance_api_logging_enabled:false` or `@compliance_api_enabled:false`. Disabling Compliance API logging, or disabling the Compliance API itself, means future activity is not recorded for export, effectively turning off the audit feed downstream consumers rely on (this SIEM integration included). **This is the highest-severity event surface for the integration.** Treat any non-emergency disablement as suspected audit-log tampering. ## Triage and response{% #triage-and-response %} - Immediately confirm `{{@usr.email}}` is a Primary Owner with documented authority to change Compliance API settings. - Verify whether there is an active incident, planned outage, or contractual reason for the change. - Examine the actor's recent activity for compromise indicators (suspicious login, MFA bypass, recent privilege escalation). - If the action was unauthorized, re-enable Compliance API logging or the Compliance API immediately and treat all activity during the disabled window as potentially un-audited. - Audit downstream activity once logging resumes for indicators of what the attacker did during the gap (compare against last-seen IDs in your ingestion pipeline).