
Summary
Detects creation of new admin API keys in Anthropic, which grant elevated privileges and potential access to sensitive resources. The rule monitors Anthropic.Activity events of type admin_api_key_created. Fields in the log such as admin_api_key_id and scopes identify the specific key and its permissions. Surfacing each admin key creation lets security teams verify authorization and detect misuse. The associated runbook recommends cross-checking actor activity around the event, historical key creation patterns, and network context to distinguish legitimate administrative actions from abuse. The rule maps to credential-access techniques (MITRE ATT&CK TA0006:T1098.001). The rule is marked Experimental with Medium severity, so it needs validation and tuning in production.
Categories
- Cloud
- Identity Management
- Application
Data Sources
- Application Log
ATT&CK Techniques
- T1098.001
Created: 2026-05-13
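
One way to script the runbook checks named in the summary (actor activity around the event, historical key creation, network context), added here as an example; it is not the rule's own logic or a documented log schema. Only the admin_api_key_created type and the admin_api_key_id and scopes fields come from this page; the ts, actor and ip field names, the other event types and every sample value are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events. Field names ts, actor, ip and the "example_*"
# event types are assumptions for illustration, not a documented schema.
EVENTS = [
    {"ts": "2026-04-02T09:00:00Z", "type": "example_login",
     "actor": "alice@example.com", "ip": "198.51.100.10"},
    {"ts": "2026-04-02T09:15:00Z", "type": "admin_api_key_created",
     "actor": "alice@example.com", "ip": "198.51.100.10",
     "admin_api_key_id": "key_constructed_01", "scopes": ["admin"]},
    {"ts": "2026-05-10T14:00:00Z", "type": "admin_api_key_created",
     "actor": "alice@example.com", "ip": "198.51.100.10",
     "admin_api_key_id": "key_constructed_02", "scopes": ["admin"]},
    {"ts": "2026-05-12T03:02:00Z", "type": "admin_api_key_created",
     "actor": "bob@example.com", "ip": "203.0.113.77",
     "admin_api_key_id": "key_constructed_03", "scopes": ["admin"]},
    {"ts": "2026-05-12T03:05:00Z", "type": "example_member_invited",
     "actor": "bob@example.com", "ip": "203.0.113.77"},
]

def _ts(event):
    """Parse the assumed ISO 8601 UTC timestamp field."""
    return datetime.fromisoformat(event["ts"].replace("Z", "+00:00"))

def triage(events, window=timedelta(minutes=30)):
    """Attach runbook context to every admin_api_key_created event."""
    events = sorted(events, key=_ts)
    findings = []
    for i, ev in enumerate(events):
        if ev.get("type") != "admin_api_key_created":
            continue
        actor = ev.get("actor")
        # Everything the same actor did before this key was created.
        earlier = [p for p in events[:i] if p.get("actor") == actor]
        # Same-actor activity within the window on either side of the event.
        nearby = [o for o in events if o is not ev and o.get("actor") == actor
                  and abs(_ts(o) - _ts(ev)) <= window]
        findings.append({
            "admin_api_key_id": ev.get("admin_api_key_id"),
            "scopes": ev.get("scopes", []),
            "actor": actor,
            # Historical pattern: has this actor created admin keys before?
            "first_key_creation_by_actor": not any(
                p["type"] == "admin_api_key_created" for p in earlier),
            # Network context: source IP never seen for this actor before.
            "new_source_ip_for_actor": ev.get("ip") not in {p.get("ip") for p in earlier},
            "nearby_event_types": sorted({o["type"] for o in nearby}),
        })
    return findings
```

A finding with both first_key_creation_by_actor and new_source_ip_for_actor set is the one to verify with the actor first; a repeat creation from a known address is more likely routine rotation.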