MSSQL Disable Audit Settings

Summary
This detection rule identifies potential security threats associated with the disabling or alteration of audit logs on Microsoft SQL Server (MSSQL). Specifically, it triggers when an attacker (or an unauthorized user) executes the `ALTER SERVER AUDIT` or `DROP SERVER AUDIT` commands. These commands can modify or completely remove existing audit policies, which may serve as a means to obscure malicious activity by erasing the activity logs that record the attacker's interactions with the database.

The detection rule operates by monitoring the event log records that MSSQL generates when changes to the server audit configuration are attempted. It targets a specific event, Event ID 33205, which corresponds to MSSQL audit log changes, and checks the log data for indicators such as the keywords associated with disabling audit settings.

Since such modifications should be infrequent, any matching event may indicate an attempted compromise and should be investigated promptly. Properly configured, this detection rule provides a high-level warning that can help prevent undetected malicious activity by highlighting defense evasion techniques employed by attackers.
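The matching logic described above, written out as an added Python example (it is not the Sigma rule's own code, and the event records below are constructed, not real MSSQL log data). It assumes the Windows Application Log record for Event ID 33205 has been parsed into a dict whose `Message` text carries `key:value` lines, one of which is `statement:` followed by the executed T-SQL; that field layout is an assumption of this example. The detector flags records whose statement contains `ALTER SERVER AUDIT` or `DROP SERVER AUDIT`, as the rule describes, and ignores other audit records and other event IDs.

```python
import re
from typing import Iterable

# Event ID that MSSQL writes to the Application Log for audit records (from the rule text).
MSSQL_AUDIT_EVENT_ID = 33205

# Keywords the rule looks for in the audited statement. Case-insensitive, because T-SQL
# keywords are case-insensitive and an attacker can vary casing and whitespace freely.
AUDIT_TAMPER_PATTERN = re.compile(r"\b(ALTER|DROP)\s+SERVER\s+AUDIT\b", re.IGNORECASE)


def extract_statement(message: str) -> str:
    """Return the T-SQL after the 'statement:' line of a 33205 message (assumed layout)."""
    for line in message.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() == "statement":
            return value.strip()
    return ""


def is_audit_tamper(event: dict) -> bool:
    """True when the record is an MSSQL audit event whose statement alters or drops a server audit."""
    if event.get("EventID") != MSSQL_AUDIT_EVENT_ID:
        return False
    statement = extract_statement(event.get("Message", ""))
    return AUDIT_TAMPER_PATTERN.search(statement) is not None


def find_audit_tampering(events: Iterable[dict]) -> list[dict]:
    """Filter a stream of parsed event records down to the ones this rule would alert on."""
    return [e for e in events if is_audit_tamper(e)]


# Constructed sample records (principal names and audit names are made up for this example).
SAMPLE_EVENTS = [
    {
        "EventID": 33205,
        "Message": "action_id:ALSA\nserver_principal_name:CORP\\svc_app\n"
                   "statement:alter server   audit [Audit-Prod] WITH (STATE = OFF)",
    },
    {
        "EventID": 33205,
        "Message": "action_id:DRSA\nserver_principal_name:CORP\\svc_app\n"
                   "statement:DROP SERVER AUDIT [Audit-Prod]",
    },
    {
        "EventID": 33205,
        "Message": "action_id:SL\nserver_principal_name:CORP\\analyst\n"
                   "statement:SELECT name FROM sys.server_audits",
    },
    {
        "EventID": 33205,
        "Message": "action_id:CRSA\nserver_principal_name:CORP\\dba\n"
                   "statement:CREATE SERVER AUDIT [Audit-New] TO APPLICATION_LOG",
    },
    {
        # Same keywords, but not an MSSQL audit record: the rule does not fire on it.
        "EventID": 4688,
        "Message": "statement:DROP SERVER AUDIT [Audit-Prod]",
    },
]


if __name__ == "__main__":
    for hit in find_audit_tampering(SAMPLE_EVENTS):
        print("ALERT:", extract_statement(hit["Message"]))
```

Run on the constructed records, the detector returns the two `svc_app` events (the disabled audit and the dropped audit) and nothing else. Note that the word-boundary after `AUDIT` also lets the pattern match `ALTER SERVER AUDIT SPECIFICATION`, which is a closely related way to stop events from being captured; if that is not wanted, tighten the expression to require the audit name or `WITH` immediately after `AUDIT`.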
Categories
  • Database
  • Windows
  • Identity Management
Data Sources
  • Application Log
  • Process
Created: 2022-07-13