---
title: Anthropic Compliance SSO connection deactivated or deleted
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: >-
  Docs > Datadog Security > OOTB Rules > Anthropic Compliance SSO connection
  deactivated or deleted
---

# Anthropic Compliance SSO connection deactivated or deleted

{% alert level="danger" %}
This rule is part of a beta feature. To learn more, [contact Support](https://docs.datadoghq.com/help/).
{% /alert %}
Classification:attackTactic:[TA0005-defense-evasion](https://attack.mitre.org/tactics/TA0005)Technique:[T1556-modify-authentication-process](https://attack.mitre.org/techniques/T1556) 
## Goal{% #goal %}

Detects when an Anthropic SSO connection is deactivated or deleted.

## Strategy{% #strategy %}

This rule monitors Anthropic Compliance activities for `org_sso_connection_deactivated` and `org_sso_connection_deleted` events. Removing the SSO connection is a step beyond disabling enforcement; it eliminates the identity-provider relationship entirely. The activity carries `@connection_id` and `@connection_type` (deactivated only), identifying which IDP was removed.

## Triage and response{% #triage-and-response %}

- Confirm `{{@usr.email}}` had authorization to remove SSO connection `{{@connection_id}}`.
- Identify whether a replacement SSO connection was added (`org_sso_add_initiated`, `org_sso_connection_activated`) or whether the organization is now without centralized SSO.
- Review login activity following this change for users authenticating with non-SSO fallbacks.
- Pair with `org_domain_verified` events to detect attacker-introduced replacement domains.