
Anthropic Compliance organization IP restriction removed

This rule is part of a beta feature. To learn more, contact Support.

Goal

Detects when an organization-level IP restriction is removed from an Anthropic organization.

Strategy

This rule monitors Anthropic Compliance activities for org_ip_restriction_deleted events. IP restrictions act as a network-level allowlist for the organization; removing one expands the surface from which legitimate and malicious sessions can originate. The removal is particularly suspicious when paired with subsequent logins from new geographies.

Triage and response

  • Confirm {{@usr.email}} is authorized to manage the organization’s IP allowlist.
  • Determine whether the removal is part of a planned network change (office move, VPN deprecation).
  • Review the actor’s authentication history for compromise indicators preceding the change.
  • Examine subsequent login activity for sessions originating from IPs that would have been blocked by the removed restriction.
  • If the action was unauthorized, re-create the IP restriction using org_ip_restriction_created immediately.
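
The login review in the fourth triage step can be scripted over exported events. The following is an added example, not part of the Datadog rule or of Anthropic's API: the sample events are constructed, and the field names, the user_login event type and the allowed_cidrs field are assumptions (only org_ip_restriction_deleted comes from the rule).

```python
import ipaddress
from datetime import datetime, timedelta

# Constructed sample events (timestamps treated as UTC). Only the event name
# org_ip_restriction_deleted comes from the rule; the field names, the
# "user_login" type and the allowed_cidrs field are assumptions.
SAMPLE_EVENTS = [
    {"type": "user_login", "ts": "2024-05-01T08:00:00", "actor": "alice@example.com", "ip": "203.0.113.10"},
    {"type": "org_ip_restriction_deleted", "ts": "2024-05-01T09:00:00",
     "actor": "bob@example.com", "allowed_cidrs": ["203.0.113.0/24"]},
    {"type": "user_login", "ts": "2024-05-01T09:05:00", "actor": "bob@example.com", "ip": "198.51.100.7"},
    {"type": "user_login", "ts": "2024-05-01T09:30:00", "actor": "alice@example.com", "ip": "203.0.113.25"},
    {"type": "user_login", "ts": "2024-05-01T10:00:00", "actor": "dave@example.com", "ip": "2001:db8::5"},
    {"type": "user_login", "ts": "2024-05-03T12:00:00", "actor": "carol@example.com", "ip": "192.0.2.44"},
]


def previously_blocked_logins(events, window=timedelta(hours=24)):
    """For each restriction removal, return logins inside `window` after it whose
    source IP lies outside the CIDRs that the removed restriction had allowed."""
    parsed = sorted(((datetime.fromisoformat(e["ts"]), e) for e in events), key=lambda p: p[0])
    findings = []
    for removed_at, removal in parsed:
        if removal["type"] != "org_ip_restriction_deleted":
            continue
        allowed = [ipaddress.ip_network(c, strict=False) for c in removal["allowed_cidrs"]]
        for when, ev in parsed:
            if ev["type"] != "user_login" or not removed_at <= when <= removed_at + window:
                continue
            ip = ipaddress.ip_address(ev["ip"])
            if any(ip in net for net in allowed):
                continue  # this login was permitted before the removal too
            findings.append({
                "login_at": when.isoformat(),
                "actor": ev["actor"],
                "ip": str(ip),
                "removed_by": removal["actor"],
                # The remover logging in from outside the old range is the stronger signal.
                "same_actor": ev["actor"] == removal["actor"],
            })
    return findings


if __name__ == "__main__":
    for finding in previously_blocked_logins(SAMPLE_EVENTS):
        print(finding)
```

Findings with same_actor set to true tie the removal and the out-of-range login to one account, which is where the authentication-history review in the third step should start.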