
Summary
Detects deletion of Anthropic platform spend limits. A deleted spend limit without a subsequent recreate could indicate an attacker removing financial guardrails to enable large-scale API usage or data exfiltration. Note that the normal admin workflow often involves a delete immediately followed by a create (editing a limit).

The rule relies on Anthropic.Activity events of type platform_spend_limit_deleted and checks for a delete-then-create pair within a short window to distinguish a destructive action from a legitimate admin edit. It also prompts analysts to check for other admin actions by the same actor (e.g., claude_organization_settings_updated, role_assignment_granted) within a 6-hour window around the alert, and to review the past seven days of alerts by that actor for signs of account compromise.

A MITRE ATT&CK mapping to TA0040:T1496 (Resource Hijacking) reflects possible misuse of resources following the deletion. The rule is marked Experimental with Medium severity. The provided tests illustrate a deletion event with no immediate recreate yielding a positive match, and a delete followed by a create within seconds yielding no match, in line with expected admin-edit behavior.
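The delete-then-create suppression and the 6-hour actor-context check described above, as an added example that is not the rule's own code. The field names (event_type, actor, timestamp), the recreate event name platform_spend_limit_created, the 60-second edit window and the sample events are all assumptions or constructed here, since the page does not give them.

```python
"""Added example (not the detection rule's own code): flag Anthropic
platform_spend_limit_deleted events that are not followed by a recreate.
Field names, the CREATE event name and the window sizes are assumed."""
from datetime import datetime, timedelta

DELETE = "platform_spend_limit_deleted"
CREATE = "platform_spend_limit_created"      # assumed name of the recreate event
RECREATE_WINDOW = timedelta(seconds=60)      # assumed "short window" for an admin edit
CONTEXT_WINDOW = timedelta(hours=6)          # other admin actions around the alert


def _ts(event):
    return datetime.fromisoformat(event["timestamp"])


def spend_limit_deletions(events):
    """Return deletions with no recreate by the same actor within RECREATE_WINDOW."""
    ordered = sorted(events, key=_ts)
    hits = []
    for i, ev in enumerate(ordered):
        if ev["event_type"] != DELETE:
            continue
        recreated = any(
            later["event_type"] == CREATE
            and later["actor"] == ev["actor"]
            and _ts(later) - _ts(ev) <= RECREATE_WINDOW
            for later in ordered[i + 1:]
        )
        if not recreated:
            hits.append(ev)
    return hits


def other_admin_actions(events, alert):
    """Triage context: other events by the alert's actor within +/- CONTEXT_WINDOW."""
    t0 = _ts(alert)
    return [e for e in events
            if e["actor"] == alert["actor"] and e is not alert
            and abs(_ts(e) - t0) <= CONTEXT_WINDOW]


# Constructed sample events; not real Anthropic.Activity records.
SAMPLE = [
    {"timestamp": "2026-05-13T10:00:00", "actor": "admin@example.com", "event_type": DELETE},
    {"timestamp": "2026-05-13T10:00:05", "actor": "admin@example.com", "event_type": CREATE},
    {"timestamp": "2026-05-13T12:00:00", "actor": "eve@example.com", "event_type": DELETE},
    {"timestamp": "2026-05-13T13:30:00", "actor": "eve@example.com", "event_type": "role_assignment_granted"},
    {"timestamp": "2026-05-14T09:00:00", "actor": "eve@example.com", "event_type": "claude_organization_settings_updated"},
]

if __name__ == "__main__":
    for hit in spend_limit_deletions(SAMPLE):
        print(hit["actor"], [e["event_type"] for e in other_admin_actions(SAMPLE, hit)])
```

The admin's delete at 10:00:00 is suppressed by the create five seconds later; only the unpaired deletion is returned, together with the same actor's role grant 90 minutes later as triage context.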
Categories
- Cloud
Data Sources
- Application Log
ATT&CK Techniques
- T1496
Created: 2026-05-13