
Summary
The Anthropic Role Granted rule is an experimental detection that watches Anthropic.Activity logs for role_assignment_granted events to give visibility into how roles are allocated across the organization. It is designed to help analysts build a taxonomy of roles and understand project-level versus organization-level permission patterns before alerting on elevated privileges. The rule audits role grants rather than blocking access, in line with its objective of normalizing the data and maturing the log source. Core logic (as described in the runbook) includes:
- correlating the actor's activity within a 6-hour window around the alert to classify whether a grant is part of routine project creation or an isolated privilege grant;
- checking whether the target_id has received other roles in the prior 7 days, to identify potential privilege accumulation;
- assessing the actor IP against known VPN/proxy services and the addresses previously observed for that actor, to detect anomalous access sources.
The rule maps to MITRE ATT&CK coverage (TA0004:T1098) to provide a contextual framework for privilege-related events. The included Tests illustrate a positive match for a role_assignment_granted event and a negative test for a non-matching event type, validating the rule's event-type specificity. Overall, this rule acts as a foundational visibility layer to inform future, more aggressive controls as the log source matures.
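The following is an added example, not the rule's own code or a Panther-provided implementation: a Panther-style `rule(event)` filter for the event type named above, followed by the three runbook enrichment steps (6-hour actor correlation, 7-day grant accumulation for the target_id, and actor-IP assessment) run over a handful of constructed sample events. The field names (`event_type`, `actor_id`, `actor_ip`, `target_id`, `role`, `timestamp`), the `project_created` event type, and the VPN range are all assumptions made for illustration; the real Anthropic.Activity schema should be checked before reuse.

```python
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network

# Event type named in the rule description.
ROLE_GRANT_EVENT = "role_assignment_granted"

# ASSUMPTION: a "project_created" event type exists and marks routine project setup.
PROJECT_CREATED_EVENT = "project_created"

# Constructed sample VPN/proxy range (documentation space), not a real service list.
VPN_RANGES = ["198.51.100.0/24"]

# Constructed sample log; field names are assumed, not the confirmed schema.
SAMPLE_EVENTS = [
    {"event_type": PROJECT_CREATED_EVENT, "actor_id": "user_a", "actor_ip": "203.0.113.10",
     "target_id": "proj_1", "timestamp": "2026-05-13T09:00:00Z"},
    {"event_type": ROLE_GRANT_EVENT, "actor_id": "user_a", "actor_ip": "203.0.113.10",
     "target_id": "user_b", "role": "project_member", "timestamp": "2026-05-13T09:05:00Z"},
    {"event_type": ROLE_GRANT_EVENT, "actor_id": "user_c", "actor_ip": "198.51.100.7",
     "target_id": "user_b", "role": "org_admin", "timestamp": "2026-05-15T22:30:00Z"},
    {"event_type": "api_key_created", "actor_id": "user_c", "actor_ip": "203.0.113.44",
     "target_id": "key_9", "timestamp": "2026-05-15T22:31:00Z"},
]


def parse_ts(value):
    """Parse an ISO-8601 timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def rule(event):
    """Core filter: fire only on role_assignment_granted events."""
    return event.get("event_type") == ROLE_GRANT_EVENT


def title(event):
    """Alert title summarizing who granted which role to whom."""
    return (f"Anthropic role {event.get('role', '<unknown>')} granted to "
            f"{event.get('target_id')} by {event.get('actor_id')}")


def classify_grant(alert, events, window_hours=6):
    """Runbook step 1: if the same actor created a project within +/- window_hours,
    treat the grant as routine project creation; otherwise it is an isolated grant."""
    t = parse_ts(alert["timestamp"])
    window = timedelta(hours=window_hours)
    for e in events:
        if e is alert or e.get("actor_id") != alert.get("actor_id"):
            continue
        if e.get("event_type") == PROJECT_CREATED_EVENT and abs(parse_ts(e["timestamp"]) - t) <= window:
            return "routine_project_creation"
    return "isolated_privilege_grant"


def prior_grants(alert, events, days=7):
    """Runbook step 2: other role grants to the same target_id in the prior `days` days."""
    t = parse_ts(alert["timestamp"])
    start = t - timedelta(days=days)
    return [e for e in events
            if e is not alert and rule(e)
            and e.get("target_id") == alert.get("target_id")
            and start <= parse_ts(e["timestamp"]) < t]


def ip_is_anomalous(alert, events, vpn_ranges=VPN_RANGES):
    """Runbook step 3: flag the actor IP if it sits in a known VPN/proxy range or
    was never observed for this actor before the alert."""
    ip = ip_address(alert["actor_ip"])
    if any(ip in ip_network(r) for r in vpn_ranges):
        return True
    t = parse_ts(alert["timestamp"])
    seen = {e.get("actor_ip") for e in events
            if e is not alert and e.get("actor_id") == alert.get("actor_id")
            and parse_ts(e["timestamp"]) < t}
    return alert["actor_ip"] not in seen


def triage(alert, events, vpn_ranges=VPN_RANGES):
    """Bundle the rule match and the three runbook checks into one triage record."""
    if not rule(alert):
        return {"match": False}
    return {
        "match": True,
        "title": title(alert),
        "classification": classify_grant(alert, events),
        "prior_grants": len(prior_grants(alert, events)),
        "anomalous_ip": ip_is_anomalous(alert, events, vpn_ranges),
    }


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(triage(event, SAMPLE_EVENTS))
```

Running the block prints one triage record per sample event: the project-member grant by user_a is matched and classified as routine (a project creation five minutes earlier from the same actor and a previously seen IP), while the org_admin grant by user_c is an isolated grant, the second role for user_b inside seven days, from an address in the assumed VPN range. In the real rule the history lookups would be done against the log store rather than an in-memory list.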
Categories
- Identity Management
Data Sources
- Application Log
ATT&CK Techniques
- T1098
Created: 2026-05-13