
Anthropic Compliance SSO connection deactivated or deleted

This rule is part of a beta feature. To learn more, contact Support.

Goal

Detects when an Anthropic SSO connection is deactivated or deleted.

Strategy

This rule monitors Anthropic Compliance activities for org_sso_connection_deactivated and org_sso_connection_deleted events. Removing the SSO connection is a step beyond disabling enforcement; it eliminates the identity-provider relationship entirely. The activity carries @connection_id and @connection_type (deactivated only), identifying which identity provider (IdP) was removed.

Triage and response

  • Confirm {{@usr.email}} had authorization to remove SSO connection {{@connection_id}}.
  • Identify whether a replacement SSO connection was added (org_sso_add_initiated, org_sso_connection_activated) or whether the organization is now without centralized SSO.
  • Review login activity following this change for users authenticating with non-SSO fallbacks.
  • Pair with org_domain_verified events to detect attacker-introduced replacement domains.
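
The correlation in the triage steps above can be scripted over exported activity events. The following is an added example, not Datadog's rule logic: the record keys (ts, type, actor), the 24-hour window, and the sample events are assumptions constructed for illustration; only the event names and connection_id / connection_type come from this page.

```python
from datetime import datetime, timedelta

REMOVALS = {"org_sso_connection_deactivated", "org_sso_connection_deleted"}
REPLACEMENTS = {"org_sso_add_initiated", "org_sso_connection_activated"}
DOMAIN_EVENT = "org_domain_verified"

# Constructed sample events. The keys "ts", "type" and "actor" are an assumed
# flattened export layout, not the real log schema; all values are made up.
SAMPLE_EVENTS = [
    {"ts": "2025-01-10T09:00:00", "type": "org_sso_connection_deactivated",
     "actor": "admin@example.com", "connection_id": "conn_A",
     "connection_type": "saml"},
    {"ts": "2025-01-10T09:20:00", "type": "org_sso_connection_activated",
     "actor": "admin@example.com", "connection_id": "conn_B"},
    {"ts": "2025-01-12T14:00:00", "type": "org_sso_connection_deleted",
     "actor": "ops@example.com", "connection_id": "conn_B"},
    {"ts": "2025-01-12T14:05:00", "type": "org_domain_verified",
     "actor": "ops@example.com"},
]


def triage(events, window=timedelta(hours=24)):
    """Classify each SSO removal by what follows it within `window` (assumed 24h)."""
    ordered = sorted(events, key=lambda e: datetime.fromisoformat(e["ts"]))
    findings = []
    for i, ev in enumerate(ordered):
        if ev["type"] not in REMOVALS:
            continue
        start = datetime.fromisoformat(ev["ts"])
        later = [e for e in ordered[i + 1:]
                 if datetime.fromisoformat(e["ts"]) - start <= window]
        # A replacement must reference a different connection than the removed one.
        replaced = any(e["type"] in REPLACEMENTS
                       and e.get("connection_id") != ev.get("connection_id")
                       for e in later)
        domain_verified = any(e["type"] == DOMAIN_EVENT for e in later)
        if not replaced:
            status = "without_sso"            # no centralized SSO after removal
        elif domain_verified:
            status = "replaced_with_new_domain"  # replacement plus new domain
        else:
            status = "replaced"
        findings.append({"actor": ev["actor"], "removed_at": ev["ts"],
                         "connection_id": ev.get("connection_id"),
                         "status": status, "domain_verified": domain_verified})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

Findings with status without_sso or replaced_with_new_domain are the ones to prioritize; a domain_verified flag on a without_sso finding also deserves a look.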