AN0804: Analytic 0804
Disabling or altering security and audit logs in SaaS admin panels (e.g., Slack, Zoom, Salesforce). Defender view: API calls or admin console changes that stop event exports or logging integrations.
Analyst context for executives and security teams
This analytic matters because SaaS audit logging is often the evidence trail executives, SOC teams, incident responders, and auditors rely on after an account misuse or admin change. If security or audit logs are disabled or altered in SaaS admin panels, an organization may lose visibility at the moment it most needs proof of what happened, who changed what, and whether business-critical collaboration or CRM data was affected.
Executive priority
Prioritize this as a control assurance and incident-readiness issue for SaaS environments. Leaders should ask whether critical SaaS platforms have logging/export settings protected, monitored, and periodically verified, especially where those logs support compliance evidence, investigations, managed detection, or third-party integrations. The business risk is not just the configuration change itself; it is the loss of reliable evidence for response decisions and audit accountability.
Technical view
The supplied analytic is scoped to SaaS and describes API calls or admin console changes that stop event exports or logging integrations in tools such as Slack, Zoom, or Salesforce. SOC and detection teams should validate whether SaaS admin activity logs capture changes to audit logging, event export, webhook, SIEM, or logging integration settings. IR teams should treat unexpected logging disablement or alteration as a high-value investigation lead because it can reduce downstream visibility. No ATT&CK tactic or relationship context was supplied, so local mapping to use cases and response severity should be based on the affected SaaS service and business criticality.
Likely telemetry
- SaaS admin activity logs
- SaaS API audit events
- Configuration change history for audit logging and event export settings
- Events for enabling, disabling, or modifying logging integrations
- Identity context for the administrator or service account making the change
Detection direction
- Inventory SaaS platforms where audit logs or event exports can be disabled or modified from an admin console or API.
- Alert on changes that disable, pause, disconnect, or alter security logging, audit exports, or logging integrations.
- Correlate the change with the actor identity, admin role, authentication context, and change ticket or approved maintenance window.
- Tune expected false positives around planned platform migrations, SIEM connector replacement, retention-policy changes, or vendor integration maintenance.
- Validate blind spots where SaaS logs are only available in the provider console and are not independently exported or monitored.
Mitigation priorities
- Restrict who can change SaaS audit logging and event export settings using least-privilege admin roles.
- Require strong approval and change-management evidence for logging configuration changes.
- Periodically verify that critical SaaS audit exports and integrations remain enabled and delivering events.
- Protect service accounts or integration credentials used for log export.
- Where available, use independent monitoring of log pipeline health so a stopped export is noticed quickly.
Analyst notes and limits
This object is a MITRE ATT&CK detection analytic, AN0804, for SaaS environments. It focuses on disabling or altering security and audit logs in SaaS admin panels and the defender view is API calls or admin console changes that stop event exports or logging integrations. No relationships, tactics, labels, or official detection logic were supplied, so the take emphasizes validation and control assurance rather than a specific ATT&CK technique chain.
The official detection field is not provided and no relationship context is supplied. The examples Slack, Zoom, and Salesforce are included in the official description, but coverage depends on each organization’s SaaS licensing, audit-log availability, API telemetry, integration design, and retention settings. This summary does not assert active exploitation, attribution, or guaranteed detection coverage.
Analytic 0804
Disabling or altering security and audit logs in SaaS admin panels (e.g., Slack, Zoom, Salesforce). Defender view: API calls or admin console changes that stop event exports or logging integrations.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 1.0 | Current bundle | d1394e7ff238… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
-
[1]
mitre-attack AN0804Open source URL
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.