
Anthropic Compliance admin role assignment granted

This rule is part of a beta feature. To learn more, contact Support.

Goal

Detects when an admin role is directly assigned to a principal using the Compliance API’s role_assignment_granted activity.

Strategy

This rule monitors Anthropic Compliance activities for role_assignment_granted where @role resolves to one of admin, owner, primary_owner, or membership_admin, either unprefixed or under a resource namespace (for example, chat_project:owner or platform:admin). Unlike the invite-acceptance flow, this activity captures direct administrative grants (and re-grants), including the affected @target_id, @target_type, @resource_type, and @resource_id. It is a high-fidelity signal for admin elevation.
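The role matching described above, as an added Python example (not Datadog's rule query and not vendor code): it strips an optional resource namespace and compares the remainder exactly, so look-alike values such as platform:admin_viewer do not match. The flat event layout, the `type` and `actor_email` keys, and all sample events are assumptions constructed for illustration.

```python
# Added example. Only the activity name, the four role names and the
# target/resource attribute names come from the rule description; the
# event layout ("type", "actor_email", flat keys) is an assumption.
ADMIN_ROLES = {"admin", "owner", "primary_owner", "membership_admin"}
ACTIVITY = "role_assignment_granted"


def base_role(role):
    """Drop an optional resource namespace: 'chat_project:owner' -> 'owner'."""
    return role.rsplit(":", 1)[-1]


def is_admin_grant(event):
    """True for a direct grant whose role resolves to an admin-level role."""
    if event.get("type") != ACTIVITY:
        return False
    role = event.get("role")
    # Exact comparison after normalization; substring matching would also
    # flag roles like 'admin_viewer' and reduce signal fidelity.
    return isinstance(role, str) and base_role(role) in ADMIN_ROLES


def find_admin_grants(events):
    """Return the triage fields for every matching event."""
    keys = ("actor_email", "role", "target_id", "target_type",
            "resource_type", "resource_id")
    return [{k: e.get(k) for k in keys} for e in events if is_admin_grant(e)]


# Constructed sample events (not real API output).
SAMPLE_EVENTS = [
    {"type": ACTIVITY, "actor_email": "alice@example.com", "role": "platform:admin",
     "target_id": "user_001", "target_type": "user",
     "resource_type": "organization", "resource_id": "org_001"},
    {"type": ACTIVITY, "actor_email": "bob@example.com", "role": "primary_owner",
     "target_id": "user_002", "target_type": "user",
     "resource_type": "organization", "resource_id": "org_001"},
    {"type": ACTIVITY, "actor_email": "bob@example.com", "role": "platform:admin_viewer",
     "target_id": "user_003", "target_type": "user",
     "resource_type": "organization", "resource_id": "org_001"},
    # Different activity type (constructed name): out of scope for this rule.
    {"type": "other_activity", "actor_email": "carol@example.com", "role": "owner",
     "target_id": "user_004", "target_type": "user",
     "resource_type": "chat_project", "resource_id": "proj_001"},
]

if __name__ == "__main__":
    for hit in find_admin_grants(SAMPLE_EVENTS):
        print(hit)
```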

Triage and response

  • Confirm {{@usr.email}} is authorized to grant administrative roles.
  • Identify the principal receiving the role using @target_id and @target_type.
  • Verify the resource scope of the assignment using @resource_type and @resource_id.
  • Review the granted role against the principal’s expected responsibilities.
  • Examine the granting user’s authentication history for compromise indicators.