Anthropic Primary Owner Transferred

Panther Rules

Summary
This rule detects when the primary owner role of an Anthropic organization is transferred to another member, an extremely privileged action that grants full organizational control. It triggers on Anthropic.Activity events where the event type is primary_owner_transferred and captures actor details (email_address, user_id, ip_address) along with the previous_owner_id and new_owner_id. Given the high impact, the rule is marked as High severity and Experimental.

Runbook guidance emphasizes cross-event correlation to reduce noise and identify potential account compromise:
  (1) Inspect all Anthropic.Activity events by actor:email_address in the 24 hours preceding the transfer to surface suspicious activity.
  (2) Compare actor:ip_address to the actor's known IPs over the past 30 days to detect unusual or hijacked sessions.
  (3) Review any related alerts for the actor in the past 7 days to identify prior compromise indicators.

The rule maps to MITRE ATT&CK technique TA0003:T1098.003 (Account Manipulation). Test cases include a positive sample with a primary_owner_transferred event for owner@example.com and a negative sample with a different event type, ensuring the rule differentiates ownership changes from other role assignments. Overall, this rule supports rapid detection of potentially malicious or unintended ownership changes and prompts immediate investigation when observed.
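The match condition and runbook steps 1 and 2 can be sketched as follows. This is an added example, not the Panther rule source: the keys "type" and "created_at", the nesting of the actor fields, and every event in the sample data are assumptions or constructed values.

```python
from datetime import datetime, timedelta

# Assumed layout: "type", "created_at" and a nested "actor" object are guesses;
# the page names the fields but not where they sit in the event.
def rule(event):
    """Fire only on a primary-owner transfer, never on other event types."""
    return event.get("type") == "primary_owner_transferred"

def _ts(event):
    return datetime.fromisoformat(event["created_at"])

def triage(transfer, history):
    """Runbook steps 1 and 2 for one transfer, given earlier activity events."""
    actor, when = transfer["actor"], _ts(transfer)
    mine = [e for e in history
            if e["actor"]["email_address"] == actor["email_address"] and _ts(e) < when]
    # Step 1: what the actor did in the 24 hours before the transfer.
    preceding = sorted((e for e in mine if when - _ts(e) <= timedelta(hours=24)), key=_ts)
    # Step 2: addresses the actor used during the past 30 days.
    known_ips = {e["actor"]["ip_address"] for e in mine
                 if when - _ts(e) <= timedelta(days=30)}
    return {
        "actor": actor["email_address"],
        "previous_owner_id": transfer.get("previous_owner_id"),
        "new_owner_id": transfer.get("new_owner_id"),
        "preceding_24h": [e["type"] for e in preceding],
        "ip_previously_seen": actor["ip_address"] in known_ips,
    }

def _ev(etype, ip, ts, email="owner@example.com", **extra):
    return {"type": etype, "created_at": ts,
            "actor": {"email_address": email, "user_id": "user_constructed", "ip_address": ip},
            **extra}

# Constructed sample data: event types other than the transfer are placeholders.
HISTORY = [
    _ev("constructed_event_a", "192.0.2.10", "2026-04-20T08:00:00+00:00"),
    _ev("constructed_event_b", "192.0.2.10", "2026-05-12T21:30:00+00:00"),
    _ev("constructed_event_c", "198.51.100.7", "2026-05-12T22:00:00+00:00",
        email="other@example.com"),
]
TRANSFER = _ev("primary_owner_transferred", "203.0.113.99", "2026-05-13T09:00:00+00:00",
               previous_owner_id="user_constructed", new_owner_id="user_constructed_2")

if __name__ == "__main__":
    for ev in HISTORY + [TRANSFER]:
        if rule(ev):
            print(triage(ev, HISTORY))
```

In the sample, the transfer comes from an address the actor has not used in the prior 30 days, which is the condition step 2 is meant to surface.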
Categories
  • Cloud
  • Identity Management
  • Application
Data Sources
  • Application Log
ATT&CK Techniques
  • T1098.003
Created: 2026-05-13