This rule monitors Anthropic.Activity logs for org_user_deleted events to detect when a user is removed from an Anthropic organization. It captures deleted_user_id and deleted_user_email to identify who was removed, and includes actor context (actor.email_address, actor.user_id, ip_address, user_agent) to identify who performed the deletion. The rule supports compliance visibility into user lifecycle changes and enables investigations into whether deletions were part of routine offboarding or isolated/unauthorized actions. The included Runbook guides correlation of events around the time of deletion, checks for prior unusual activity by the deleted user, and flags potential bulk removals by the actor within a recent window.