For AI agents: A markdown version of this page is available at https://docs.datadoghq.com/security/default_rules/def-000-xmg.md. A documentation index is available at /llms.txt.

Anthropic Compliance user built-in role elevated to privileged

This rule is part of a beta feature. To learn more, contact Support.

Goal

Detects when a user’s built-in organization role is changed to one of the privileged built-in roles (admin, owner, primary_owner, or membership_admin). Catches both an admin granting another user a privileged role and a user elevating their own role, while suppressing SCIM-driven changes that originate from the customer’s IdP.

Strategy

This rule monitors Anthropic Compliance activities for claude_user_role_updated where the post-change role (@current_role) is one of the built-in privileged roles. The query is grouped by both the actor (@usr.email) and the target (@user_email) so triage can immediately spot self-elevation (the two values match).

SCIM-driven role changes (@actor.type:scim_directory_sync_actor) are excluded because they originate from the customer’s IdP and are audited upstream. Re-include them if monitoring IdP-driven privilege bumps is a requirement.

This rule covers the built-in role model (user/developer/billing/admin/owner/primary_owner/membership_admin/claude_code_user/managed). RBAC custom-role assignments are covered separately by anthropic-compliance-admin-role-assignment-granted.

Triage and response

  • Compare {{@usr.email}} with {{@user_email}} to identify self-elevation, where the actor and target are the same identity.
  • Verify the actor has documented authority to grant {{@current_role}} to the target user.
  • Review @previous_role and @current_role to assess the elevation magnitude.
  • Check @actor.type; for admin_api_key_actor, identify @actor.admin_api_key_id and validate its scope and owner.
  • Correlate both the actor and the target identity with recent admin-invite-sent, suspicious-login, primary-owner-transferred, sso-disabled, or compliance-api-logging-disabled signals.
  • Revert unauthorized role changes and revoke the actor’s active sessions, magic-link tokens, and owned admin API keys.
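The following is an added reference implementation of the detection logic from the Strategy section and the self-elevation and actor-type checks from the triage steps; it is example code written for this page, not Datadog’s rule definition or query. The attribute names (@usr.email, @user_email, @previous_role, @current_role, @actor.type, @actor.admin_api_key_id, the scim_directory_sync_actor and admin_api_key_actor values) are taken from the page; the "event" key, the "user_actor" actor type and every sample record are constructed assumptions for illustration.

```python
from collections import defaultdict

# Built-in privileged roles named by the rule.
PRIVILEGED_ROLES = frozenset({"admin", "owner", "primary_owner", "membership_admin"})
SCIM_ACTOR_TYPE = "scim_directory_sync_actor"
ADMIN_API_KEY_ACTOR_TYPE = "admin_api_key_actor"
ROLE_UPDATED = "claude_user_role_updated"

# Constructed sample events, NOT real Anthropic Compliance logs. Keys are the
# page's attribute names without the leading '@'. The "event" key and the
# "user_actor" actor type are assumptions made for this example.
SAMPLE_EVENTS = [
    # 1. Admin grants a developer the admin role: fires.
    {"event": ROLE_UPDATED, "usr.email": "alice@example.com",
     "user_email": "bob@example.com", "previous_role": "developer",
     "current_role": "admin", "actor.type": "user_actor"},
    # 2. Self-elevation from admin to owner: fires, actor == target.
    {"event": ROLE_UPDATED, "usr.email": "carol@example.com",
     "user_email": "carol@example.com", "previous_role": "admin",
     "current_role": "owner", "actor.type": "user_actor"},
    # 3. SCIM-driven change from the IdP: suppressed by default.
    {"event": ROLE_UPDATED, "usr.email": "scim@idp.example.com",
     "user_email": "dave@example.com", "previous_role": "user",
     "current_role": "admin", "actor.type": SCIM_ACTOR_TYPE},
    # 4. Demotion to a non-privileged role: no match.
    {"event": ROLE_UPDATED, "usr.email": "alice@example.com",
     "user_email": "erin@example.com", "previous_role": "admin",
     "current_role": "user", "actor.type": "user_actor"},
    # 5. Admin API key grants membership_admin: fires, key id surfaced.
    {"event": ROLE_UPDATED, "usr.email": "svc@example.com",
     "user_email": "frank@example.com", "previous_role": "billing",
     "current_role": "membership_admin", "actor.type": ADMIN_API_KEY_ACTOR_TYPE,
     "actor.admin_api_key_id": "key_placeholder_1"},
    # 6. A different event type: no match.
    {"event": "claude_user_invited", "usr.email": "alice@example.com",
     "user_email": "grace@example.com", "current_role": "admin",
     "actor.type": "user_actor"},
]


def matches_rule(event, include_scim=False):
    """Mirror the rule's query: a role-update event whose post-change role is a
    built-in privileged role, excluding SCIM actors unless include_scim is set."""
    if event.get("event") != ROLE_UPDATED:
        return False
    if event.get("current_role") not in PRIVILEGED_ROLES:
        return False
    if not include_scim and event.get("actor.type") == SCIM_ACTOR_TYPE:
        return False
    return True


def triage_fields(event):
    """Derive the facts the triage steps ask for from one matching event."""
    actor = event.get("usr.email")
    target = event.get("user_email")
    previous = event.get("previous_role")
    return {
        "actor": actor,
        "target": target,
        # Self-elevation: the actor changed their own role.
        "self_elevation": actor is not None and actor == target,
        "previous_role": previous,
        "current_role": event.get("current_role"),
        # True when the target held no privileged role before: a genuine
        # elevation rather than a move between two privileged roles.
        "newly_privileged": previous not in PRIVILEGED_ROLES,
        "actor_type": event.get("actor.type"),
        # Only admin API key actors carry a key id worth validating.
        "admin_api_key_id": (event.get("actor.admin_api_key_id")
                             if event.get("actor.type") == ADMIN_API_KEY_ACTOR_TYPE
                             else None),
    }


def evaluate(events, include_scim=False):
    """Group matching events by (actor, target), as the rule's query does."""
    signals = defaultdict(list)
    for event in events:
        if matches_rule(event, include_scim):
            fields = triage_fields(event)
            signals[(fields["actor"], fields["target"])].append(fields)
    return dict(signals)


if __name__ == "__main__":
    for (actor, target), hits in evaluate(SAMPLE_EVENTS).items():
        for hit in hits:
            tag = "SELF-ELEVATION" if hit["self_elevation"] else "grant"
            print(f"{tag}: {actor} -> {target}: {hit['previous_role']} -> "
                  f"{hit['current_role']} via {hit['actor_type']} "
                  f"key={hit['admin_api_key_id']}")
```

Running the block prints one line per matching event; the SCIM record is absent unless `evaluate(SAMPLE_EVENTS, include_scim=True)` is used, which corresponds to re-including IdP-driven changes as the Strategy section describes. The `newly_privileged` flag is an added convenience for the elevation-magnitude step: it separates a user who was not privileged before from a move between two privileged roles, without assuming any ordering among the privileged roles that the page does not state.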