Anthropic MCP Server Created

Panther Rules

Summary
Detects the creation of a new MCP (Model Context Protocol) server integration, an external data pathway that could be used for data exfiltration. The rule watches Anthropic.Activity events of type mcp_server_created and flags each new MCP server for verification, with particular emphasis on approval when the creator is an external contractor or a service account. It supports contextual triage by correlating the actor's identity (email, IP) with their past MCP server activity, and by checking the source IP against known VPNs/proxies and the addresses previously seen for that actor. The runbook covers cross-checking the actor's domain (external vs. internal), their MCP server activity within the last 90 days, and IP reputation. The rule ships with test cases that validate a contractor-created MCP server and exclude unrelated event types. MITRE ATT&CK mapping: TA0010:T1567 (Exfiltration/Unapproved Service). The rule reduces the risk from new external data pathways introduced via MCP server integrations by enforcing approval and scope review and by monitoring actor behavior and infrastructure interactions.
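The detection logic described above, written as an added Panther-style Python rule; it is not the published rule's source. The Anthropic.Activity field names (event_type, actor_email, source_ip, mcp_server_name), the internal domain list and the service-account naming prefixes are assumptions, and the sample events are constructed.

```python
# Added example, not the rule's own code. Field names and domains are assumptions.
INTERNAL_DOMAINS = {"example.com"}           # constructed: your organisation's domains
SERVICE_ACCOUNT_PREFIXES = ("svc-", "bot-")  # assumed naming convention for service accounts


def rule(event):
    """Panther entry point: alert on every new MCP server integration."""
    return event.get("event_type") == "mcp_server_created"


def classify_actor(email):
    """Return 'external', 'service_account' or 'internal' for the creating actor."""
    local, _, domain = email.lower().rpartition("@")
    if domain not in INTERNAL_DOMAINS:   # also covers malformed addresses with no '@'
        return "external"
    if local.startswith(SERVICE_ACCOUNT_PREFIXES):
        return "service_account"
    return "internal"


def severity(event):
    """Escalate when the creator is a contractor or a service account, per the runbook."""
    kind = classify_actor(event.get("actor_email", ""))
    return "HIGH" if kind in ("external", "service_account") else "MEDIUM"


def title(event):
    return (f"New MCP server [{event.get('mcp_server_name', '<unknown>')}] created by "
            f"{classify_actor(event.get('actor_email', ''))} actor "
            f"{event.get('actor_email', '<unknown>')}")


def dedup(event):
    """One alert per actor/server pair so repeated API retries do not page twice."""
    return f"{event.get('actor_email')}:{event.get('mcp_server_name')}"


def alert_context(event):
    """Triage fields that the runbook asks the analyst to cross-check."""
    email = event.get("actor_email", "")
    return {
        "actor_email": email,
        "actor_type": classify_actor(email),
        "source_ip": event.get("source_ip"),
        "mcp_server_name": event.get("mcp_server_name"),
        "runbook_checks": [
            "confirm approval and data scope for this MCP server",
            "review the actor's MCP server activity over the last 90 days",
            "check whether source_ip is a known VPN/proxy or new for this actor",
        ],
    }


# Constructed sample events mirroring the rule's two test cases (not real log records).
CONTRACTOR_EVENT = {"event_type": "mcp_server_created", "actor_email": "alice@contractor-example.net",
                    "source_ip": "203.0.113.10", "mcp_server_name": "crm-export"}
UNRELATED_EVENT = {"event_type": "api_key_created", "actor_email": "bob@example.com"}
```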
Categories
  • Application
Data Sources
  • Application Log
ATT&CK Techniques
  • T1567
Created: 2026-05-13