
Summary
Detects deletion of an admin API key in Anthropic Admin API activity. Admin API key deletion events (type: admin_api_key_deleted) can indicate an attacker revoking legitimate credentials to disrupt operations or to erase traces after exploiting a key. The rule distinguishes deletions from routine rotations by correlating nearby events, such as admin_api_key_created, and by evaluating the actor's origin. It also assesses the actor's IP address against known VPN/proxy services and previously observed addresses to gauge risk. MITRE ATT&CK mapping: TA0006:T1098.001 (Credential Access). The rule is labeled Medium severity and is intended to surface credential-related misuse patterns in Anthropic activity logs. Runbook guidance emphasizes verifying the event's authenticity, checking for concurrent or near-time key creation (rotation), and reviewing the actor's IP provenance and access history to decide on containment or further investigation.
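The Python below is an added illustration of the correlation the summary describes, not the rule's own code: it runs the deletion-versus-rotation check and the IP-provenance check over constructed sample events. The event field names, the VPN/proxy range and the per-actor IP baseline are assumptions, not the real Anthropic log schema.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample events. Field names (ts, type, actor, ip, key_id) are an
# assumption for this illustration, not the Anthropic Admin API log schema.
SAMPLE_EVENTS = [
    {"ts": "2026-05-13T09:00:00Z", "type": "admin_api_key_created",
     "actor": "u_alice", "ip": "203.0.113.10", "key_id": "key_new1"},
    {"ts": "2026-05-13T09:02:00Z", "type": "admin_api_key_deleted",
     "actor": "u_alice", "ip": "203.0.113.10", "key_id": "key_old1"},
    {"ts": "2026-05-13T22:15:00Z", "type": "admin_api_key_deleted",
     "actor": "u_bob", "ip": "198.51.100.77", "key_id": "key_prod"},
]
# Constructed enrichment data: a known VPN/proxy range and each actor's
# previously observed source addresses (in practice fed from threat intel
# and the actor's access history).
KNOWN_VPN_RANGES = [ip_network("198.51.100.0/24")]
ACTOR_IP_HISTORY = {"u_alice": {"203.0.113.10"}, "u_bob": {"192.0.2.5"}}
ROTATION_WINDOW = timedelta(minutes=15)  # "near-time" key creation window


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def ip_risk(actor, ip):
    """Return the IP-provenance risk reasons for this actor/address pair."""
    addr = ip_address(ip)
    reasons = []
    if any(addr in net for net in KNOWN_VPN_RANGES):
        reasons.append("vpn_or_proxy")
    if ip not in ACTOR_IP_HISTORY.get(actor, set()):
        reasons.append("new_ip_for_actor")
    return reasons


def analyze(events):
    """Flag admin_api_key_deleted events and triage each one."""
    ordered = sorted(events, key=lambda e: parse_ts(e["ts"]))
    findings = []
    for e in ordered:
        if e["type"] != "admin_api_key_deleted":
            continue
        t = parse_ts(e["ts"])
        # Rotation signal: the same actor created a key within the window.
        rotation = any(o["type"] == "admin_api_key_created"
                       and o["actor"] == e["actor"]
                       and abs(parse_ts(o["ts"]) - t) <= ROTATION_WINDOW
                       for o in ordered)
        reasons = ip_risk(e["actor"], e["ip"])
        if rotation and not reasons:
            triage = "likely_rotation"       # downgrade for analyst review
        elif not rotation and reasons:
            triage = "escalate"              # lone deletion from risky source
        else:
            triage = "review"                # rule's Medium baseline
        findings.append({"key_id": e["key_id"], "actor": e["actor"],
                         "likely_rotation": rotation, "ip_risk": reasons,
                         "triage": triage})
    return findings
```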
Categories
- Cloud
- Application
- Identity Management
Data Sources
- Application Log
- Web Credential
ATT&CK Techniques
- T1098.001
Created: 2026-05-13