---
title: Anthropic Compliance login from suspicious IP address
description: Datadog, the leading service for cloud-scale monitoring.
---

# Anthropic Compliance login from suspicious IP address

{% alert level="danger" %}
This rule is part of a beta feature. To learn more, [contact Support](https://docs.datadoghq.com/help/).
{% /alert %}

Classification: attack

Tactic: [TA0001-initial-access](https://attack.mitre.org/tactics/TA0001)

Technique: [T1078-valid-accounts](https://attack.mitre.org/techniques/T1078)

## Goal{% #goal %}

Detects a successful Anthropic login originating from an IP address enriched as Tor, an anonymizing botnet proxy, a hosting proxy, a residential proxy, or otherwise flagged as suspicious or malicious by threat intelligence.

## Strategy{% #strategy %}

This rule monitors Anthropic Compliance activities for successful authentication events (`sso_login_succeeded`, `social_login_succeeded`, `magic_link_login_succeeded`) where the originating `ip_address` has been enriched by Datadog threat intelligence as Tor, botnet proxy, hosting proxy, residential proxy, or with a `suspicious` or `malicious` intent classification. Legitimate users rarely authenticate from these networks, so the signal-to-noise ratio is generally high.
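
The matching logic described above, as an added Python example that is not Datadog's rule definition. The event keys `type` and `email`, the `threat_intel` layout, and the category labels are assumptions for illustration, and the sample events are constructed.

```python
# Added example: field names under "threat_intel" and the category labels are
# assumptions for illustration, not Datadog's actual enrichment schema.
LOGIN_EVENTS = {"sso_login_succeeded", "social_login_succeeded",
                "magic_link_login_succeeded"}
PROXY_CATEGORIES = {"tor", "botnet_proxy", "hosting_proxy", "residential_proxy"}
BAD_INTENTS = {"suspicious", "malicious"}


def match_reasons(event):
    """Return the sorted list of reasons an event matches, or [] if it does not."""
    if event.get("type") not in LOGIN_EVENTS:
        return []  # failed logins and non-login activity are out of scope
    intel = event.get("threat_intel") or {}  # un-enriched IPs never match
    reasons = {c.lower() for c in intel.get("categories", [])} & PROXY_CATEGORIES
    intent = (intel.get("intention") or "").lower()
    if intent in BAD_INTENTS:
        reasons.add("intent:" + intent)
    return sorted(reasons)


def detect(events):
    """Yield one signal per matching login, carrying the fields triage needs."""
    for ev in events:
        reasons = match_reasons(ev)
        if reasons:
            yield {"email": ev.get("email"), "ip_address": ev.get("ip_address"),
                   "user_agent": ev.get("user_agent"), "reasons": reasons}


# Constructed sample events (documentation IP ranges, made-up users).
SAMPLE_EVENTS = [
    {"type": "sso_login_succeeded", "email": "a@example.com",
     "ip_address": "198.51.100.7", "user_agent": "Mozilla/5.0",
     "threat_intel": {"categories": ["Tor"], "intention": "suspicious"}},
    {"type": "magic_link_login_succeeded", "email": "b@example.com",
     "ip_address": "203.0.113.20", "user_agent": "Mozilla/5.0",
     "threat_intel": {"categories": ["hosting_proxy"], "intention": "benign"}},
    {"type": "sso_login_succeeded", "email": "c@example.com",
     "ip_address": "192.0.2.15", "user_agent": "Mozilla/5.0"},  # no enrichment
    {"type": "sso_login_failed", "email": "d@example.com",  # constructed name
     "ip_address": "198.51.100.7", "user_agent": "curl/8.0",
     "threat_intel": {"categories": ["tor"], "intention": "malicious"}},
]

if __name__ == "__main__":
    for signal in detect(SAMPLE_EVENTS):
        print(signal)
```

The second sample event matches on proxy category alone even though its intent is benign, and the failed login from a Tor address does not match because the rule covers successful authentication only.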

## Triage and response{% #triage-and-response %}

- Confirm whether `{{@usr.email}}` has a documented reason to log in using an anonymizing service.
- Examine the IP enrichment details to determine the category of the suspicious source.
- Compare the `user_agent` and any IDP MFA method (`@mfa_method`) against the user's known baseline.
- Check for follow-on administrative or sensitive actions taken in the session immediately after this login.
- If the action was unauthorized, revoke active sessions for `{{@usr.email}}` using `session_revoked` and force a password or passwordless reset.
