Anthropic IP Restriction Deleted

Panther Rules

Summary
Detects when an organization's IP allow-list (IP restriction) is deleted by monitoring Anthropic.Activity events for the type org_ip_restriction_deleted. Deleting an IP restriction removes IP-based access controls, potentially allowing access from any IP and expanding the attack surface once an attacker has obtained admin rights.

The rule correlates the deletion with the actor (email, user_id, and IP if available), cross-references the actor's current IP against the IPs observed for that actor in the past 30 days, and checks for other related org_ip_restriction events (created or updated) within a 1-hour window around the alert to distinguish a policy replacement from a standalone deletion. The detection maps to MITRE ATT&CK TA0005:T1562.001 (Impair Defenses).

Runbook steps: validate the activity by reviewing the actor's activity over the preceding 24 hours, verify that the actor's IP is consistent with their historical activity, and assess whether other policy changes occurred near the event. If the indicators align with suspicious behavior, initiate incident response actions such as containment, change management review, and reverting the policy if necessary.

False positives may occur during legitimate security policy changes; correlate with administrator change management logs and consider geo-IP anomalies or anomalous admin IPs when evaluating.
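The following is an added illustration of the logic the summary describes, written in the Panther rule style (a `rule`/`title` pair plus two correlation helpers); it is not the rule's own source. The event field names (`type`, `created_at`, `actor.email`, `actor.user_id`, `actor.ip`) and the sample events are assumptions constructed for the example.

```python
from datetime import datetime, timedelta, timezone

# Field names below are assumed for illustration; confirm them against the
# Anthropic.Activity schema before reusing this logic.
DELETE_TYPE = "org_ip_restriction_deleted"
RELATED_TYPES = {"org_ip_restriction_created", "org_ip_restriction_updated"}
WINDOW = timedelta(hours=1)      # replacement-vs-standalone window around the alert
LOOKBACK = timedelta(days=30)    # history used for the "known IP" check


def _ts(event):
    return datetime.fromisoformat(event["created_at"]).replace(tzinfo=timezone.utc)

def rule(event):
    """Panther-style rule body: alert on every IP-restriction deletion."""
    return event.get("type") == DELETE_TYPE

def title(event):
    actor = event.get("actor", {})
    return (f"Anthropic IP restriction deleted by {actor.get('email', 'unknown')} "
            f"(user_id={actor.get('user_id', 'unknown')}) from {actor.get('ip', 'unknown')}")

def actor_ip_is_new(alert, history):
    """True when the actor's IP was not seen for the same user_id in the prior 30 days."""
    actor, since = alert["actor"], _ts(alert) - LOOKBACK
    seen = {e["actor"].get("ip") for e in history
            if e["actor"].get("user_id") == actor.get("user_id")
            and since <= _ts(e) < _ts(alert)}
    return actor.get("ip") not in seen

def classify(alert, history):
    """'policy_replacement' if a create/update lands within +/-1h of the deletion,
    otherwise 'standalone_deletion' (the case the runbook treats as higher risk)."""
    t0 = _ts(alert)
    for e in history:
        if e.get("type") in RELATED_TYPES and abs(_ts(e) - t0) <= WINDOW:
            return "policy_replacement"
    return "standalone_deletion"

# Constructed sample events (not real log data).
HISTORY = [
    {"type": "login", "created_at": "2026-05-01T09:00:00",
     "actor": {"email": "admin@example.com", "user_id": "u_1", "ip": "203.0.113.10"}},
    {"type": "org_ip_restriction_created", "created_at": "2026-05-13T10:20:00",
     "actor": {"email": "admin@example.com", "user_id": "u_1", "ip": "203.0.113.10"}},
]
REPLACEMENT = {"type": DELETE_TYPE, "created_at": "2026-05-13T10:05:00",
               "actor": {"email": "admin@example.com", "user_id": "u_1", "ip": "203.0.113.10"}}
STANDALONE = {"type": DELETE_TYPE, "created_at": "2026-05-13T23:30:00",
              "actor": {"email": "admin@example.com", "user_id": "u_1", "ip": "198.51.100.7"}}

if __name__ == "__main__":
    for ev in (REPLACEMENT, STANDALONE):
        if rule(ev):
            print(title(ev), classify(ev, HISTORY), "new_ip=%s" % actor_ip_is_new(ev, HISTORY))
```

Run as-is, the first sample is classified as a policy replacement from a known IP, while the second is a standalone deletion from an IP not seen for that user in the lookback window, which is the combination the runbook flags for closer review.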
Categories
  • Network
Data Sources
  • Application Log
ATT&CK Techniques
  • T1562.001
Created: 2026-05-13