Anthropic Compliance organization admin invite sent

This rule is part of a beta feature. To learn more, contact Support.

Goal

Detects when a user sends an Anthropic organization invite with an administrative role (admin, owner, primary_owner, or membership_admin).

Strategy

This rule monitors Anthropic Compliance activities for org_user_invite_sent with @invited_role set to an administrative role. Anthropic’s Console does not emit a discrete “role change” activity for new members, so invite-sent is the earliest signal of intended privilege escalation.

Triage and response

  • Verify whether the invite sent by {{@usr.email}} to {{@invited_email}} is authorized.
  • Examine the inviting user’s recent activity for signs of compromise (suspicious IP login, MFA-bypass attempts).
  • Check whether the invited email address belongs to a legitimate organization member or a newly added external domain.
  • Determine if the inviting user has appropriate authority to grant administrative access.
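The strategy and the triage checks above, sketched offline as an added example (not Datadog's rule definition or Anthropic's export format). The JSON nesting (`evt.name`, `usr.email`), the sample events, the organization domain list and the authorized-inviter list are all constructed assumptions; only the activity name, the role values and the attribute names come from this page.

```python
import json

ADMIN_ROLES = {"admin", "owner", "primary_owner", "membership_admin"}

# Constructed sample events, one JSON object per line. The nesting (evt.name,
# usr.email) is an assumption; the page names only the attributes themselves.
SAMPLE_EVENTS = """
{"evt": {"name": "org_user_invite_sent"}, "usr": {"email": "alice@example.com"}, "invited_email": "bob@example.com", "invited_role": "admin"}
{"evt": {"name": "org_user_invite_sent"}, "usr": {"email": "alice@example.com"}, "invited_email": "carol@example.com", "invited_role": "user"}
{"evt": {"name": "org_user_invite_sent"}, "usr": {"email": "dave@example.com"}, "invited_email": "eve@external.example", "invited_role": "primary_owner"}
{"evt": {"name": "api_key_created"}, "usr": {"email": "dave@example.com"}, "invited_role": "owner"}
not json
"""

def dig(obj, *keys):
    """Walk nested dicts, returning '' if any level is missing or not a dict."""
    for key in keys:
        if not isinstance(obj, dict):
            return ""
        obj = obj.get(key, "")
    return obj if isinstance(obj, str) else ""

def triage_admin_invites(lines, org_domains, authorized_inviters):
    """Return one annotated finding per invite that carries an admin role."""
    findings = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # blank or malformed line: nothing to evaluate
        if dig(event, "evt", "name") != "org_user_invite_sent":
            continue  # a role field on any other activity is not an invite
        role = dig(event, "invited_role").strip().lower()
        if role not in ADMIN_ROLES:
            continue
        inviter = dig(event, "usr", "email").lower()
        invited = dig(event, "invited_email").lower()
        findings.append({
            "inviter": inviter,
            "invited": invited,
            "role": role,
            # Triage: is the invitee outside the organization's known domains?
            "external_domain": invited.rpartition("@")[2] not in org_domains,
            # Triage: is the inviter on the list allowed to grant admin access?
            "inviter_authorized": inviter in authorized_inviters,
        })
    return findings

if __name__ == "__main__":
    for finding in triage_admin_invites(SAMPLE_EVENTS.splitlines(),
                                        {"example.com"}, {"alice@example.com"}):
        print(finding)
```

A finding with `external_domain` true and `inviter_authorized` false is the combination to escalate first, since it fails two of the triage checks at once.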