Skip to main content

May 21st, 2026 - Content Release

  • This content release includes:
    • New support for Anthropic Claude activity logging via the Claude Compliance API, enabling detection and monitoring of administrative actions, Compliance API access, data exports, IP restriction changes, and anomalous resource activity across Claude organizations
    • Six new detection rules targeting administrative abuse and data loss risk: unauthorized API key creation, compliance logging disablement, IP restriction deletion, first-time data exports, and spikes in Compliance API calls or resource deletions
    • New parser and 70+ log mappers for Anthropic Claude Activity Logs to support ingestion and normalization of Claude organization activity data
    • Additional changes are enumerated below

Rules

  • [New] MATCH-S01156 Claude Admin or Platform API Key Created
    • This rule triggers when a new Admin or Platform API key is created within a Claude organization.
  • [New] MATCH-S01155 Claude Compliance API Logging Disabled
    • This rule triggers when an administrator disables Compliance API activity logging for the organization.
  • [New] MATCH-S01157 Claude Organization IP Restriction Deleted
    • This rule triggers when an IP restriction is deleted from a Claude organization, removing a network access control.
  • [New] FIRST-S00102 First Seen User Initiating Claude Data Export
    • This rule triggers the first time a user initiates a Claude organization data export within a 90-day baseline window.
  • [New] OUTLIER-S00034 Outlier in Claude Compliance API Calls from User
    • This rule triggers when the number of Compliance API calls from a single user in a one-hour window exceeds the established baseline by 2 standard deviations with a minimum floor of 15 calls.
  • [New] OUTLIER-S00035 Outlier in Claude Resource Deletions from User
    • This rule triggers when the number of Claude resource deletions (chats, projects, and files) from a single user in a one-hour window exceeds the established baseline by 2 standard deviations with a minimum floor of 5 deletions.
  • [Updated] OUTLIER-S00007 Spike in Windows Administrative Privileges Granted for User
    • This rule has been updated to force case insensitivity in the match expression for user accounts, ensuring more consistent detection of spikes in administrative privileges granted regardless of username casing.

Log Mappers

  • [New] Claude - Admin API Key Events
  • [New] Claude - Authentication Events
  • [New] Claude - account_deleted
  • [New] Claude - api_key_created
  • [New] Claude - claude_artifact_sharing_updated
  • [New] Claude - claude_artifact_viewed
  • [New] Claude - claude_chat_created
  • [New] Claude - claude_chat_deleted
  • [New] Claude - claude_chat_viewed
  • [New] Claude - claude_code_review_config_updated
  • [New] Claude - claude_code_review_repository_added
  • [New] Claude - claude_code_review_repository_removed
  • [New] Claude - claude_code_security_center_config_updated
  • [New] Claude - claude_file_deleted
  • [New] Claude - claude_file_uploaded
  • [New] Claude - claude_file_viewed
  • [New] Claude - claude_organization_settings_updated
  • [New] Claude - claude_project_created
  • [New] Claude - claude_project_deleted
  • [New] Claude - claude_project_sharing_updated
  • [New] Claude - claude_project_viewed
  • [New] Claude - claude_skill_created
  • [New] Claude - claude_user_settings_updated
  • [New] Claude - cli_plugin_exec_policy_updated
  • [New] Claude - compliance_api_accessed
  • [New] Claude - desktop_extension_allowlisted
  • [New] Claude - desktop_extension_blocklisted
  • [New] Claude - desktop_extension_deleted
  • [New] Claude - desktop_extension_removed_from_allowlist
  • [New] Claude - desktop_extension_unblocked
  • [New] Claude - domain_claim_initiated
  • [New] Claude - mcp_server_created
  • [New] Claude - mcp_server_deleted
  • [New] Claude - mcp_server_updated
  • [New] Claude - mcp_tool_policy_updated
  • [New] Claude - org_compliance_api_settings_updated
  • [New] Claude - org_cowork_disabled
  • [New] Claude - org_data_export_completed
  • [New] Claude - org_data_export_started
  • [New] Claude - org_invite_link_disabled
  • [New] Claude - org_invite_link_generated
  • [New] Claude - org_ip_restriction_created
  • [New] Claude - org_ip_restriction_deleted
  • [New] Claude - org_ip_restriction_updated
  • [New] Claude - org_member_invites_disabled
  • [New] Claude - org_member_invites_enabled
  • [New] Claude - org_sso_connection_activated
  • [New] Claude - org_sso_connection_deactivated
  • [New] Claude - org_sso_connection_deleted
  • [New] Claude - org_user_invite_accepted
  • [New] Claude - org_user_invite_sent
  • [New] Claude - platform_api_key_created
  • [New] Claude - platform_federation_issuer_archived
  • [New] Claude - platform_federation_issuer_updated
  • [New] Claude - platform_federation_rule_archived
  • [New] Claude - platform_federation_rule_updated
  • [New] Claude - platform_federation_rule_workspace_added
  • [New] Claude - platform_federation_rule_workspace_removed
  • [New] Claude - platform_file_deleted
  • [New] Claude - platform_file_uploaded
  • [New] Claude - platform_service_account_archived
  • [New] Claude - platform_service_account_updated
  • [New] Claude - platform_workspace_created
  • [New] Claude - platform_workspace_rate_limit_deleted
  • [New] Claude - platform_workspace_rate_limit_updated
  • [New] Claude - role_assignment_granted
  • [New] Claude - tunnel_token_minted
  • [New] Claude - tunnel_token_revoked
  • [New] Claude - user_consent_revoked
  • [New] Claude - user_logged_out
  • [New] Claude Activity Logs - Catch All
  • [Updated] Imperva Incapsula Logs

Parsers

  • [New] /Parsers/System/Anthropic/Claude Activity Logs
Status
Legal
Privacy Statement
Terms of Use
CA Privacy Notice

Copyright © 2026 by Sumo Logic, Inc.