Anthropic Compliance SSO disabled on organization

This rule is part of a beta feature. To learn more, contact Support.

Goal

Detects when SSO is disabled on an Anthropic organization, allowing users to authenticate using weaker fallback methods.

Strategy

This rule monitors Anthropic Compliance activities for org_sso_toggled events with @enabled set to false. When SSO is turned off, users can log in using social providers (Google, Apple, Microsoft) or a magic link instead of the organization’s identity provider, bypassing centralized session controls, conditional access policies, and group-based provisioning. Disabling SSO is a classic pre-attack step taken by either a compromised admin or a malicious insider.

Triage and response

  • Verify whether {{@usr.email}} had a documented reason to disable SSO (planned migration, IdP outage).
  • Examine subsequent login activity (social_login_succeeded, magic_link_login_succeeded) for users authenticating using non-SSO methods.
  • Review any privilege escalation events that occurred shortly before this change.
  • Confirm whether SSO was promptly re-enabled.
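
The triage steps above can be scripted over exported events. The following is an added example, not Datadog's rule logic or query: it pairs each SSO-disable event with its re-enable (if any) and lists the non-SSO logins that occurred while SSO was off. The flat event keys (`ts`, `type`, `email`, `enabled`) and the sample events are assumptions constructed for illustration.

```python
from datetime import datetime

# Event names taken from the rule text above.
NON_SSO_LOGINS = {"social_login_succeeded", "magic_link_login_succeeded"}

# Constructed sample events. The flat keys ("ts", "type", "email", "enabled")
# are an assumed export schema for illustration, not the real log format.
SAMPLE_EVENTS = [
    {"ts": "2025-01-10T10:00:00+00:00", "type": "org_sso_toggled",
     "email": "admin@example.com", "enabled": False},
    {"ts": "2025-01-10T10:05:00+00:00", "type": "magic_link_login_succeeded",
     "email": "contractor@example.com"},
    {"ts": "2025-01-10T10:20:00+00:00", "type": "social_login_succeeded",
     "email": "admin@example.com"},
    {"ts": "2025-01-10T11:00:00+00:00", "type": "org_sso_toggled",
     "email": "admin@example.com", "enabled": True},
    {"ts": "2025-01-10T14:00:00+00:00", "type": "org_sso_toggled",
     "email": "ops@example.com", "enabled": False},
    {"ts": "2025-01-10T14:02:00+00:00", "type": "social_login_succeeded",
     "email": "unknown@example.net"},
]


def triage_sso_disable(events):
    """Return one finding per SSO-disable event: who disabled it, when it was
    re-enabled (None if still off), and non-SSO logins inside that window."""
    ordered = sorted(events, key=lambda e: datetime.fromisoformat(e["ts"]))
    findings, current = [], None  # current = finding whose window is still open
    for ev in ordered:
        if ev["type"] == "org_sso_toggled":
            if ev.get("enabled") is False and current is None:
                current = {"actor": ev["email"], "disabled_at": ev["ts"],
                           "reenabled_at": None, "non_sso_logins": []}
                findings.append(current)
            elif ev.get("enabled") is True and current is not None:
                current["reenabled_at"] = ev["ts"]
                current = None  # SSO is back on, window closed
        elif ev["type"] in NON_SSO_LOGINS and current is not None:
            current["non_sso_logins"].append((ev["ts"], ev["email"], ev["type"]))
    return findings


if __name__ == "__main__":
    for finding in triage_sso_disable(SAMPLE_EVENTS):
        print(finding)
```

A finding whose `reenabled_at` is `None` means SSO was still off at the end of the exported range, which is the case the last triage step asks about.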