
Summary
This rule detects the deletion of an Anthropic MCP server integration within the organization. Deleting an approved integration could be used by an attacker to erase traces or to change configuration without authorization. The rule triggers on Anthropic.Activity logs of event type mcp_server_deleted, identifies the specific integration from mcp_server_name and mcp_server_id, and records the actor (email, user_id) together with the deleted server details to aid investigation. The included runbook guides analysts to determine whether the deletion was part of a delete-then-recreate remediation (to fix a configuration) or a standalone malicious action, to check whether the actor performed other administrative actions around the event, and to review the same actor's activity over the previous 7 days for signs of account compromise.
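The detection and the runbook's 7-day actor lookback, as an added example written for this page (not the rule's own code): a Panther-style rule()/alert_context() pair run over constructed Anthropic.Activity events. The event field layout (event_type, timestamp, actor.email, actor.user_id, mcp_server_name, mcp_server_id) and the sample values are assumptions for illustration, not the real schema.

```python
from datetime import datetime, timedelta

DELETE_EVENT = "mcp_server_deleted"
LOOKBACK = timedelta(days=7)  # runbook: review the actor's activity over the prior 7 days

def _ts(event):
    # Assumed ISO-8601 timestamps with a trailing "Z"
    return datetime.fromisoformat(event["timestamp"].replace("Z", "+00:00"))

def rule(event):
    """Fire on every Anthropic.Activity event of type mcp_server_deleted."""
    return event.get("event_type") == DELETE_EVENT

def alert_context(event):
    """Actor and deleted-server details the analyst needs to start the runbook."""
    actor = event.get("actor", {})
    return {
        "actor_email": actor.get("email"),
        "actor_user_id": actor.get("user_id"),
        "mcp_server_name": event.get("mcp_server_name"),
        "mcp_server_id": event.get("mcp_server_id"),
    }

def prior_actor_activity(events, deletion, window=LOOKBACK):
    """Runbook step: other events by the same actor in the window before the deletion."""
    uid = deletion["actor"]["user_id"]
    end = _ts(deletion)
    return [e for e in events if e is not deletion
            and e.get("actor", {}).get("user_id") == uid
            and end - window <= _ts(e) < end]

def triage(events):
    """Run the rule over a batch and enrich each hit with the actor's 7-day activity count."""
    return [dict(alert_context(e), prior_actor_events_7d=len(prior_actor_activity(events, e)))
            for e in events if rule(e)]

# Constructed sample events (not real Anthropic log data); field layout is assumed
SAMPLE_EVENTS = [
    {"event_type": "api_key_created", "timestamp": "2026-05-10T09:00:00Z",
     "actor": {"email": "admin@example.com", "user_id": "user_01"}},
    {"event_type": "mcp_server_deleted", "timestamp": "2026-05-13T14:05:00Z",
     "actor": {"email": "admin@example.com", "user_id": "user_01"},
     "mcp_server_name": "jira-connector", "mcp_server_id": "mcp_abc123"},
    {"event_type": "mcp_server_deleted", "timestamp": "2026-05-13T15:00:00Z",
     "actor": {"email": "ops@example.com", "user_id": "user_02"},
     "mcp_server_name": "github-connector", "mcp_server_id": "mcp_def456"},
]
if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))
```

Running the sample yields two alerts: the first deletion shows one prior event by the same actor inside the window, the second shows none, which is the starting point for the runbook's compromise check.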
Categories
- Application
- Cloud
Data Sources
- Application Log
ATT&CK Techniques
- T1562
Created: 2026-05-13