For AI agents: A markdown version of this page is available at https://docs.datadoghq.com/security/default_rules/def-000-1lw.md. A documentation index is available at /llms.txt.

Anthropic Compliance primary owner transferred

This rule is part of a beta feature. To learn more, contact Support.
claude-compliance-logs

Classification:

attack

Tactic:

TA0004-privilege-escalation

Technique:

T1098-account-manipulation

Goal

Detects when the Primary Owner role of an Anthropic organization is transferred to another member.

Strategy

This rule monitors Anthropic Compliance activities for primary_owner_transferred events. The Primary Owner is the most privileged role in an Anthropic organization; they alone can enable or disable Compliance API logging, manage HIPAA settings, and initiate organization deletion. Transfer of this role is a rare and high-impact action that warrants immediate verification regardless of context.

Triage and response

  • Immediately confirm the transfer from {{@previous_owner_id}} to {{@new_owner_id}} was authorized and follows the organization’s documented succession process.
  • Verify the receiving user is a legitimate organization member with no compromise indicators.
  • Examine the actor’s authentication history and recent activity for signs of account takeover.
  • Review whether the previous owner’s account remains active and what role they now hold.
  • If the action was unauthorized, contact Anthropic support immediately to reverse the transfer.