Detection rules › Panther
Anthropic Service Key Created
Detects when a new service key is created. Service keys provide programmatic access and their creation should be verified as authorized. The service_key_id, service_name, key_name, and scopes fields identify the key and its permissions.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Persistence | T1098.001 Account Manipulation: Additional Cloud Credentials |
| Privilege Escalation | T1098.001 Account Manipulation: Additional Cloud Credentials |
Rule body yaml
AnalysisType: rule
RuleID: Anthropic.Activity.Service.Key.Created
DisplayName: "Anthropic Service Key Created"
Enabled: true
Filename: anthropic_service_key_created.py
LogTypes:
- Anthropic.Activity
Severity: Medium
Description: >
Detects when a new service key is created. Service keys provide
programmatic access and their creation should be verified as authorized.
The service_key_id, service_name, key_name, and scopes fields identify
the key and its permissions.
Runbook: |
1. Find all Anthropic.Activity events by actor:email_address in the 6 hours before and after the alert to determine if this is part of routine service account setup
2. Check if actor:email_address has created service keys in the past 90 days to determine if this is a first-time action
3. Check if actor:ip_address is associated with known VPN/proxy services or matches previously seen IP addresses for this actor
Tags:
- Anthropic
- Credential Access
Reports:
MITRE ATT&CK:
- TA0006:T1098.001 # Account Manipulation: Additional Cloud Credentials
Tests:
- Name: Service key created
ExpectedResult: true
Log:
{
"id": "activity_01ABC123",
"created_at": "2026-05-07T10:00:00Z",
"organization_id": "org_01XYZ",
"type": "service_key_created",
"actor": {
"type": "user_actor",
"email_address": "admin@example.com",
"user_id": "user_01ABC",
"ip_address": "10.0.0.1",
"user_agent": "Mozilla/5.0"
}
}
- Name: Non-matching event type
ExpectedResult: false
Log:
{
"id": "activity_01DEF456",
"created_at": "2026-05-07T10:00:00Z",
"organization_id": "org_01XYZ",
"type": "service_key_revoked",
"actor": {
"type": "user_actor",
"email_address": "admin@example.com",
"user_id": "user_01ABC",
"ip_address": "10.0.0.1"
}
}
Detection logic
Condition
type eq "service_key_created"
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
type | eq |
|
Output fields
Fields the rule emits when it matches. Chronicle authors list these in the outcome block; they appear on the detection and $risk_score drives alerting. Sentinel / Defender XDR rules build them up through project / summarize / extend stages. Sentinel maps these into alert fields via entityMappings and customDetails; Defender XDR custom detections surface them as alert fields directly.
| Field | Source |
|---|---|
event_type | type |
actor_type | actor.type |
actor_email | actor.email_address |
actor_user_id | actor.user_id |
ip_address | actor.ip_address |
user_agent | actor.user_agent |
api_key_id | actor.api_key_id |
organization_id | |
ips | p_any_ip_addresses |