Insider Threat Matrix™Insider Threat Matrix™
  • ID: AF034
  • Created: 07th July 2026
  • Updated: 07th July 2026
  • MITRE ATT&CK®: T1685T1685.001T1685.002T1685.004
  • Contributor: The ITM Team

Disable Logging

A subject disables, suppresses, or materially weakens logging to prevent activity from being recorded. This behavior targets the systems, services, configurations, agents, or pipelines responsible for generating, collecting, forwarding, or retaining event data. By preventing telemetry from being created or preserved, the subject reduces the evidentiary record available to investigators and may create a deliberate visibility gap around unauthorized activity.

 

Disable Logging may involve stopping audit services, changing audit policy, disabling log forwarding, modifying retention settings, suppressing application logs, impairing endpoint telemetry, or preventing specific categories of events from being written. It may occur on endpoints, servers, cloud workloads, identity platforms, administrative systems, or security tooling where the subject has sufficient access to influence logging behavior.