For AI agents: A markdown version of this page is available at https://docs.datadoghq.com/security/default_rules/def-000-oyj.md. A documentation index is available at /llms.txt.

Anthropic Compliance login from suspicious IP address

This rule is part of a beta feature. To learn more, contact Support.

Goal

Detects a successful Anthropic login originating from an IP address enriched as Tor, an anonymizing botnet proxy, a hosting proxy, a residential proxy, or otherwise flagged as suspicious or malicious by threat intelligence.

Strategy

This rule monitors Anthropic Compliance activities for successful authentication events (sso_login_succeeded, social_login_succeeded, magic_link_login_succeeded) where the originating ip_address has been enriched by Datadog threat intelligence as Tor, botnet proxy, hosting proxy, residential proxy, or with a suspicious or malicious intent classification. Legitimate users rarely authenticate from these networks, so the signal-to-noise ratio is generally high.

Triage and response

  • Confirm whether {{@usr.email}} has a documented reason to log in using an anonymizing service.
  • Examine the IP enrichment details to determine the category of the suspicious source.
  • Compare the user_agent and any IdP MFA method (@mfa_method) against the user’s known baseline.
  • Check for follow-on administrative or sensitive actions taken in the session immediately after this login.
  • If the action was unauthorized, revoke active sessions for {{@usr.email}} using session_revoked and force a password or passwordless reset.
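The following is an added example, not Datadog's rule implementation or Anthropic's audit schema: it runs the detection logic from the Strategy section over a handful of constructed Anthropic Compliance audit events and then carries out two of the triage steps above (user-agent baseline comparison and a scan for follow-on sensitive actions in the same session). The event field names (ip_enrichment, categories, intent, session_id), the enrichment category labels, the sensitive action names and the 30-minute follow-on window are all assumptions chosen for the example.

```python
from datetime import datetime, timedelta

# Successful authentication event types named in the rule strategy.
SUCCESS_EVENTS = {"sso_login_succeeded", "social_login_succeeded",
                  "magic_link_login_succeeded"}
# Assumed enrichment labels standing in for the threat-intel categories
# (Tor, botnet proxy, hosting proxy, residential proxy) and intent classes.
SUSPICIOUS_CATEGORIES = {"tor", "botnet_proxy", "hosting_proxy", "residential_proxy"}
SUSPICIOUS_INTENTS = {"suspicious", "malicious"}
# Assumed names for administrative/sensitive actions worth checking after a login.
SENSITIVE_ACTIONS = {"api_key_created", "member_role_changed", "workspace_created"}
FOLLOW_ON_WINDOW = timedelta(minutes=30)  # assumed triage window


def login_match_reasons(event):
    """Return the enrichment reasons that make a successful login match; [] if none."""
    if event.get("event_type") not in SUCCESS_EVENTS:
        return []  # failed logins and non-auth events never match
    enrich = event.get("ip_enrichment") or {}
    reasons = [c for c in enrich.get("categories", []) if c in SUSPICIOUS_CATEGORIES]
    if enrich.get("intent") in SUSPICIOUS_INTENTS:
        reasons.append("intent:" + enrich["intent"])
    return reasons


def find_suspicious_logins(events):
    """Detection pass: every successful login whose source IP is flagged."""
    return [e for e in events if login_match_reasons(e)]


def triage(login, events, baseline):
    """Triage context for one matched login: known user agent? follow-on actions?"""
    known_agents = baseline.get(login["usr_email"], set())
    start = datetime.fromisoformat(login["timestamp"])
    follow_on = [
        e["event_type"] for e in events
        if e.get("session_id") == login["session_id"]
        and e["event_type"] in SENSITIVE_ACTIONS
        and start < datetime.fromisoformat(e["timestamp"]) <= start + FOLLOW_ON_WINDOW
    ]
    return {
        "user": login["usr_email"],
        "ip": login["ip_address"],
        "reasons": login_match_reasons(login),
        "user_agent_known": login["user_agent"] in known_agents,
        "follow_on_actions": follow_on,
    }


# Constructed sample events (not real audit data); addresses are documentation ranges.
SAMPLE_EVENTS = [
    {"timestamp": "2024-05-01T10:00:00+00:00", "event_type": "sso_login_succeeded",
     "usr_email": "alice@example.com", "ip_address": "203.0.113.10",
     "user_agent": "Mozilla/5.0 (Macintosh)", "session_id": "s-1",
     "ip_enrichment": {"categories": [], "intent": "benign"}},
    {"timestamp": "2024-05-01T10:05:00+00:00", "event_type": "magic_link_login_succeeded",
     "usr_email": "bob@example.com", "ip_address": "198.51.100.7",
     "user_agent": "curl/8.0", "session_id": "s-2",
     "ip_enrichment": {"categories": ["tor"], "intent": "suspicious"}},
    {"timestamp": "2024-05-01T10:07:00+00:00", "event_type": "api_key_created",
     "usr_email": "bob@example.com", "ip_address": "198.51.100.7",
     "user_agent": "curl/8.0", "session_id": "s-2"},
    {"timestamp": "2024-05-01T10:09:00+00:00", "event_type": "sso_login_failed",
     "usr_email": "dave@example.com", "ip_address": "198.51.100.9",
     "user_agent": "curl/8.0", "session_id": "s-3",
     "ip_enrichment": {"categories": ["hosting_proxy"], "intent": "malicious"}},
    {"timestamp": "2024-05-01T11:00:00+00:00", "event_type": "social_login_succeeded",
     "usr_email": "carol@example.com", "ip_address": "192.0.2.44",
     "user_agent": "Mozilla/5.0 (Windows)", "session_id": "s-4",
     "ip_enrichment": {"categories": ["residential_proxy"], "intent": None}},
    {"timestamp": "2024-05-01T12:00:00+00:00", "event_type": "member_role_changed",
     "usr_email": "bob@example.com", "ip_address": "198.51.100.7",
     "user_agent": "curl/8.0", "session_id": "s-2"},  # outside the 30-minute window
]

# Constructed per-user baseline of previously seen user agents.
BASELINE = {
    "bob@example.com": {"Mozilla/5.0 (Macintosh)"},
    "carol@example.com": {"Mozilla/5.0 (Windows)"},
}

if __name__ == "__main__":
    for hit in find_suspicious_logins(SAMPLE_EVENTS):
        print(triage(hit, SAMPLE_EVENTS, BASELINE))
```

Run as a script, it prints one triage record per matched login: Bob's Tor login with an unfamiliar user agent and an api_key_created action seven minutes later (the kind of follow-on activity step four asks you to check), and Carol's residential-proxy login from her usual browser with no follow-on actions. The failed login from a hosting proxy is deliberately ignored, since the rule only fires on successful authentication.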