---
title: Anthropic Compliance organization IP restriction removed
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: >-
  Docs > Datadog Security > OOTB Rules > Anthropic Compliance organization IP
  restriction removed
---

# Anthropic Compliance organization IP restriction removed

{% alert level="danger" %}
This rule is part of a beta feature. To learn more, [contact Support](https://docs.datadoghq.com/help/).
{% /alert %}
Classification:attackTactic:[TA0005-defense-evasion](https://attack.mitre.org/tactics/TA0005)Technique:[T1562-impair-defenses](https://attack.mitre.org/techniques/T1562) 
## Goal{% #goal %}

Detects when an organization-level IP restriction is removed from an Anthropic organization.

## Strategy{% #strategy %}

This rule monitors Anthropic Compliance activities for `org_ip_restriction_deleted` events. IP restrictions act as a network-level allowlist for the organization; removing one expands the surface from which legitimate and malicious sessions can originate. Particularly suspicious when paired with subsequent logins from new geographies.

## Triage and response{% #triage-and-response %}

- Confirm `{{@usr.email}}` is authorized to manage the organization's IP allowlist.
- Determine whether the removal is part of a planned network change (office move, VPN deprecation).
- Review the actor's authentication history for compromise indicators preceding the change.
- Examine subsequent login activity for sessions originating from IPs that would have been blocked by the removed restriction.
- If the action was unauthorized, re-create the IP restriction using `org_ip_restriction_created` immediately.