Detects when an Anthropic Claude artifact's sharing audience is changed to public, enabling access to anyone with the link. The rule monitors Anthropic.Activity logs for claude_artifact_sharing_updated events where the claude_artifact_id has an audience entry with type: public. It uses the actor's email_address to identify the actor triggering the change and records the context around the event (1 hour before/after). If a public share is detected, it also checks whether the artifact has been viewed or accessed by external users within 24 hours after the sharing change and whether the actor has publicly shared other artifacts in the past 30 days to identify patterns. The rule maps to MITRE ATT&CK TA0010:T1567 (Exfiltration/Cloud Storage). It includes a runbook to investigate: gather related Anthropic.Activity events around the change, verify external access to the artifact after the change, and search for repeat public-sharing behavior by the actor. It includes tests that validate a public-sharing event, a non-public sharing event, and non-matching event types to prevent false positives. The rule is geared toward preventing inadvertent exposure of sensitive content stored in cloud artifacts within Anthropic Claude and guiding incident response should exposure occur.