
Summary
Detects creation of new Anthropic service keys by a user actor. The rule relies on Anthropic.Activity events with type service_key_created and captures details such as service_key_id, service_name, key_name, and scopes. Since service keys grant programmatic access to an account, their creation should be authorized and auditable. The rule surfaces when a service key is created and provides context including actor email, IP address, and user_agent to aid verification. The runbook advises correlating the event within a ±6 hour window to identify routine provisioning, checking if the actor has created keys in the past 90 days, and validating whether the originating IP is from known VPN/proxy services or matches prior activity for the actor. This detection is mapped to MITRE ATT&CK TA0006.T1098.001 (Credential Access: Application Keys). The rule helps detect potential unauthorized credential issuance and supports incident response with evidence from the key details and actor footprint.
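The three runbook checks from the summary, written out as an added triage sketch (not the rule's own code). The flat event shape, the `login` event type, the sample events, the VPN/proxy range and the final "escalate if any check fails" decision are assumptions made for illustration; the real Anthropic.Activity schema may differ.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed placeholder for a VPN/proxy feed (documentation address range).
VPN_PROXY_NETS = [ip_network("203.0.113.0/24")]

def ev(time, etype, actor, ip, **extra):
    # Assumed flat event shape; field names are illustrative, not the vendor schema.
    return {"time": time, "type": etype, "actor_email": actor, "ip": ip, **extra}

def ts(value):
    return datetime.fromisoformat(value)

def triage_key_creation(alert, history, vpn_nets=VPN_PROXY_NETS):
    """Apply the runbook checks to one service_key_created event."""
    when, actor, ip = ts(alert["time"]), alert["actor_email"], alert["ip"]
    mine = [e for e in history if e["actor_email"] == actor and e is not alert]
    # 1. Other activity by the actor within +/-6 hours (routine provisioning?).
    nearby = [e for e in mine if abs(ts(e["time"]) - when) <= timedelta(hours=6)]
    # 2. Key creations by the same actor in the preceding 90 days.
    prior_keys = [e for e in mine if e["type"] == "service_key_created"
                  and timedelta(0) < when - ts(e["time"]) <= timedelta(days=90)]
    # 3. Source IP: known VPN/proxy range, and seen before for this actor?
    ip_is_vpn = any(ip_address(ip) in net for net in vpn_nets)
    ip_seen = any(e["ip"] == ip and ts(e["time"]) < when for e in mine)
    checks = [(not prior_keys, "no key creation by actor in prior 90 days"),
              (ip_is_vpn, "source IP in VPN/proxy range"),
              (not ip_seen, "source IP not previously seen for actor")]
    reasons = [text for failed, text in checks if failed]
    return {"service_key_id": alert["service_key_id"], "scopes": alert["scopes"],
            "nearby_events": len(nearby), "prior_key_creations": len(prior_keys),
            "ip_is_vpn": ip_is_vpn, "ip_seen_before": ip_seen,
            "reasons": reasons, "escalate": bool(reasons)}  # assumed decision rule

# Constructed sample events: one routine creation, one that needs review.
ROUTINE = ev("2026-04-10T09:30:00", "service_key_created", "dev@example.com",
             "198.51.100.7", service_key_id="key-example-2", scopes=["read"])
ODD = ev("2026-04-12T03:10:00", "service_key_created", "ops@example.com",
         "203.0.113.50", service_key_id="key-example-3", scopes=["admin"])
HISTORY = [
    ev("2026-03-01T10:00:00", "service_key_created", "dev@example.com",
       "198.51.100.7", service_key_id="key-example-1", scopes=["read"]),
    ev("2026-04-10T08:00:00", "login", "dev@example.com", "198.51.100.7"),
    ev("2026-04-01T12:00:00", "login", "ops@example.com", "192.0.2.10"),
    ROUTINE, ODD,
]

if __name__ == "__main__":
    for alert in (ROUTINE, ODD):
        print(triage_key_creation(alert, HISTORY))
```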
Categories
- Application
- Identity Management
Data Sources
- Application Log
ATT&CK Techniques
- T1098.001
Created: 2026-05-13