Anthropic SSO Disabled

Panther Rules

Summary
The rule detects critical changes to identity security posture by monitoring Anthropic.Activity logs for SSO configuration changes at the organization level. Specifically, it flags when Single Sign-On is toggled off (is_enabled = false) or when an SSO connection is deactivated (org_sso_connection_deactivated). Such changes allow users to bypass the identity provider and fall back on weaker authentication, potentially enabling attacker persistence with reduced visibility.

The detection correlates events around the time of the change (e.g., 24 hours prior for actor activity, 1 hour around the alert for SSO-related events) and cross-checks the actor's IP against their historical activity (last 30 days) to identify anomalies. The included tests illustrate the intended behavior: an "SSO toggled off" event matches, an "SSO toggled on" event does not, an "SSO connection deactivated" event matches, and unrelated event types do not. The rule maps to MITRE ATT&CK technique TA0005:T1562.001 (Impair Defenses).

Runbook steps guide investigators to validate whether the change was legitimate (maintenance, vendor change) or indicative of compromise, and to assess potential risk by examining prior activity, source IP history, and authentication context before and after the change. Overall, this rule aims to quickly surface deviations in identity defense controls that could undermine access safeguards and visibility into IdP activity, enabling timely containment and remediation if necessary.
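The following is an added example written here to show the matching logic the summary describes, in the shape of a Panther Python rule; it is not the rule's actual source and does not use the Panther SDK. Only `is_enabled` and the `org_sso_connection_deactivated` event type come from the page; the `event_type` and `changes` field names, the `org_sso_toggled` event type, the `actor_ip` field and the sample events are assumptions constructed for illustration. The IP check at the end sketches the historical-activity cross-check (last 30 days) as a plain set comparison over constructed history.

```python
"""Panther-style detection for Anthropic.Activity SSO changes (added example).

Assumed log shape (not confirmed by the page):
    {"event_type": "...", "actor_email": "...", "actor_ip": "...",
     "changes": {"is_enabled": bool}}
"""
from typing import Any, Dict, Iterable, List, Tuple

# Event type quoted on the page.
SSO_CONNECTION_DEACTIVATED = "org_sso_connection_deactivated"
# Assumed event type for the org-level SSO on/off toggle.
SSO_TOGGLED = "org_sso_toggled"


def deep_get(obj: Dict[str, Any], *keys: str, default: Any = None) -> Any:
    """Walk nested dicts safely, mirroring Panther's deep_get helper."""
    cur: Any = obj
    for key in keys:
        if not isinstance(cur, dict) or key not in cur:
            return default
        cur = cur[key]
    return cur


def rule(event: Dict[str, Any]) -> bool:
    """Return True when SSO is toggled off or an SSO connection is deactivated."""
    event_type = event.get("event_type")
    if event_type == SSO_CONNECTION_DEACTIVATED:
        return True
    if event_type == SSO_TOGGLED:
        # Only the transition to disabled is interesting; use `is False`
        # so a missing or malformed field does not silently alert.
        return deep_get(event, "changes", "is_enabled") is False
    return False


def title(event: Dict[str, Any]) -> str:
    """Alert title naming the actor and the specific change."""
    actor = event.get("actor_email", "<unknown actor>")
    if event.get("event_type") == SSO_CONNECTION_DEACTIVATED:
        return f"Anthropic SSO connection deactivated by {actor}"
    return f"Anthropic SSO toggled off by {actor}"


def ip_is_anomalous(actor_ip: str, historical_ips: Iterable[str]) -> bool:
    """Historical cross-check: flag an actor IP absent from prior activity."""
    return actor_ip not in set(historical_ips)


# Constructed sample events mirroring the four test cases the page describes.
SAMPLE_EVENTS: List[Tuple[str, Dict[str, Any]]] = [
    ("sso toggled off", {"event_type": SSO_TOGGLED, "actor_email": "admin@example.com",
                         "actor_ip": "203.0.113.10", "changes": {"is_enabled": False}}),
    ("sso toggled on", {"event_type": SSO_TOGGLED, "actor_email": "admin@example.com",
                        "actor_ip": "198.51.100.7", "changes": {"is_enabled": True}}),
    ("sso connection deactivated", {"event_type": SSO_CONNECTION_DEACTIVATED,
                                    "actor_email": "admin@example.com",
                                    "actor_ip": "203.0.113.10"}),
    ("unrelated", {"event_type": "api_key_created", "actor_email": "dev@example.com",
                   "actor_ip": "198.51.100.7"}),
]


def run_samples() -> Dict[str, bool]:
    """Evaluate every sample event and return {case name: matched}."""
    return {name: rule(evt) for name, evt in SAMPLE_EVENTS}


if __name__ == "__main__":
    history = {"198.51.100.7"}  # constructed 30-day history for the actor
    for name, evt in SAMPLE_EVENTS:
        if rule(evt):
            flag = " (new source IP)" if ip_is_anomalous(evt["actor_ip"], history) else ""
            print(f"ALERT: {title(evt)}{flag}  [{name}]")
        else:
            print(f"no match: {name}")
```

The `is False` comparison is deliberate: a toggle event whose `is_enabled` value is missing or non-boolean should be investigated as a parsing problem rather than raised as a disable alert, which keeps the rule's false-positive profile predictable.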
Categories
  • Identity Management
  • Cloud
  • Web
Data Sources
  • Application Log
ATT&CK Techniques
  • T1562.001
Created: 2026-05-13