Anthropic Organization Settings Updated

Panther Rules

Summary
Detects when Anthropic organization-wide settings are updated via claude_organization_settings_updated events. The rule triggers on changes to organization-level configuration (for example SSO, data retention, and access controls) and surfaces the updates field describing which settings changed. It correlates the actor (email, IP address, and user_agent) with the event to help distinguish routine administrative activity from potentially unauthorized changes. The included example shows an org_settings update with an updates field detailing changed configurations (e.g., vcs_connections) and contrasts it with a non-matching event type to illustrate positive vs. negative test cases. The runbook outlines steps to assess whether the action is part of normal admin activity and to check the actor’s history and IP reputation. The rule aligns with MITRE ATT&CK TA0005:T1562 (Impair Defenses) by flagging privileged configuration changes that could weaken security posture. Suggested responses include validating the change with change management, auditing related activity within the same window, and enforcing least-privilege controls for organization settings.
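The logic summarized above, sketched as an added example in the rule/title/alert_context style used by Panther Python detections; it is not the rule's published source. The field names `type`, `actor.email_address`, `actor.ip_address` and `actor.user_agent`, and the dict shape of `updates`, are assumptions about the log schema, and both sample events are constructed.

```python
# Added example: field names below are assumptions, not a confirmed log schema.
EVENT_TYPE = "claude_organization_settings_updated"  # event name from the page


def deep_get(d, *keys, default=None):
    """Walk nested dicts safely; return default on any missing key."""
    for k in keys:
        if not isinstance(d, dict):
            return default
        d = d.get(k)
    return default if d is None else d


def changed_settings(event):
    """Sorted names of the settings listed in the (assumed dict) updates field."""
    updates = event.get("updates")
    return sorted(updates) if isinstance(updates, dict) else []


def rule(event):
    # Match only the organization-settings update event type.
    return event.get("type") == EVENT_TYPE


def title(event):
    actor = deep_get(event, "actor", "email_address", default="<unknown actor>")
    changed = ", ".join(changed_settings(event)) or "<no updates field>"
    return f"Anthropic organization settings updated by {actor}: {changed}"


def alert_context(event):
    # Actor details an analyst needs to judge routine vs. unauthorized change.
    return {
        "actor_email": deep_get(event, "actor", "email_address"),
        "actor_ip": deep_get(event, "actor", "ip_address"),
        "user_agent": deep_get(event, "actor", "user_agent"),
        "changed_settings": changed_settings(event),
    }


# Constructed sample events (not real log data).
POSITIVE = {
    "type": EVENT_TYPE,
    "actor": {"email_address": "admin@example.com", "ip_address": "203.0.113.10",
              "user_agent": "Mozilla/5.0"},
    "updates": {"vcs_connections": {"enabled": True}},
}
NEGATIVE = {"type": "some_other_event_type", "actor": {"email_address": "user@example.com"}}
```
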
Categories
  • Cloud
  • Identity Management
Data Sources
  • Application Log
ATT&CK Techniques
  • T1562
Created: 2026-05-13