Anthropic

The Anthropic integration collects compliance activity audit logs from Anthropic organizations. Enterprise, Team, and Claude Platform organizations generate audit events for security-relevant activities such as user authentication, organization administration, role and permission changes, API key lifecycle, Claude.ai and Claude Code usage, MCP server configuration, billing updates, and Compliance API access. This integration enables security and compliance teams to monitor administrative activity, detect unauthorized changes, and maintain an audit trail of organization operations in Elasticsearch and Kibana.

This integration requires a Claude Enterprise, Team, or Claude Platform organization with the Compliance API enabled. Individual and consumer accounts cannot create the required API keys.

The integration polls the Anthropic Activity Feed at https://api.anthropic.com/v1/compliance/activities on a configurable schedule. Authentication requires the read:compliance_activities scope, which can be carried by either a Compliance Access Key (sk-ant-api01-...) or an Admin API Key (sk-ant-admin01-...).

The Anthropic integration collects compliance activity events covering 300+ activity types across these categories:

• Authentication events: Sign-ins, sign-outs, magic links, social login, and mobile login attempts.
• Organization administration: Organization settings, domains, invites, member management, data exports, IP restrictions, HIPAA settings, and parent/child organization relationships.
• Access control and RBAC: Role assignments, group membership, SSO and SCIM provisioning, directory sync, and workspace permissions.
• API key management: Admin API keys, platform API keys, and user API keys — creation, updates, and deletion.
• Claude.ai content: Chat lifecycle, artifacts, projects, file uploads, and sharing settings.
• Claude Code and security: Code review configuration, security scans, webhooks, and repository settings.
• MCP and integrations: MCP server configuration, connector requests, and desktop extension activity.
• Billing and subscription: Payment methods, billing emails, usage limits, and subscription changes.
• Compliance API usage: Access to the Compliance API itself via compliance_api_accessed events.

• Security monitoring: Track sign-ins, API key creation, RBAC changes, SSO/SCIM provisioning, and privileged admin actions on the Anthropic organization.
• Compliance auditing: Retain a queryable, ECS-aligned record of organization-level changes for regulatory and internal-review requirements.
• Operational visibility: Monitor Claude.ai and Claude Code usage patterns, MCP server changes, and billing configuration updates.
• Incident investigation: Correlate audit events with actor identity, organization context, and timestamps to investigate security incidents.

• A Claude Enterprise, Team, or Claude Platform organization with the Compliance API enabled.
• An Admin API Key or Compliance Access Key with the read:compliance_activities scope.
• Elastic Agent installed on a host with outbound HTTPS access to api.anthropic.com.

For the full Anthropic-side setup, see Get access to the Compliance API.

Compliance API access is enabled on request by Anthropic. Contact your Anthropic representative to request enablement for your parent organization. After enablement:

• claude.ai organizations (Claude Enterprise): a Compliance access keys section appears at claude.ai → Organization settings → Data and privacy.
• Claude Console organizations: Admin API keys created after enablement automatically carry the read:compliance_activities scope. Admin API keys created before enablement cannot call the Activity Feed and must be recreated.

This integration reads the Activity Feed only, so either key type in the following table works as long as it carries read:compliance_activities. Choose the key type that matches your organization:

1. Sign in to claude.ai as the primary owner of the parent organization.
2. Go to Organization settings → Data and privacy and find the Compliance access keys section.
3. Click Create key, name the key, and select the read:compliance_activities scope. This is the minimum scope required for this integration.
4. Click Create and copy the secret key immediately. Anthropic displays the full secret only once.

1. Sign in to Claude Console as an organization admin.
2. Go to Settings → Admin keys.
3. Click Create key, name the key, and click Create.
4. Copy the secret key immediately. Anthropic displays the full secret only once.

Admin API keys receive read:compliance_activities only when the Compliance API was enabled for the organization before the key was created. If you receive HTTP 403 errors, create a new Admin API Key after confirming Compliance API access is enabled.

Elastic Agent must be installed. For more details, check the Elastic Agent installation instructions. You can install only one Elastic Agent per host.

Elastic Agent polls the Anthropic Compliance API and ships collected events to Elasticsearch, where they are processed by the integration's ingest pipeline.

Complete the Anthropic-side setup before deploying — request Compliance API access and create an API key with the read:compliance_activities scope. See Get access to the Compliance API for key types, scope details, and rotation guidance.

1. In Kibana, navigate to Management → Integrations and search for Anthropic.
2. Click Add Anthropic and enter the Compliance Access Key or Admin API Key you created.
3. Configure the polling interval (default: 5 minutes). The default initial lookback is 24 hours.
4. Optionally filter collection by activity type, actor ID, or organization ID to scope events to specific users, event types, or child organizations.
5. Save the integration policy and assign it to the Elastic Agent policy that should collect Anthropic data.

After deploying the integration:

1. Wait one polling interval (default 5 minutes).
2. In Kibana, open Discover and filter for data_stream.dataset: "anthropic.audit".
3. Verify that events are being ingested with populated @timestamp, event.action, and actor fields.
4. Generate an Anthropic admin action (for example, sign in to the console or create an API key) and confirm a corresponding event appears within roughly one polling interval.

For help with Elastic ingest tools, check Common problems.

HTTP 401 (authentication_error): The API key is invalid or has been revoked. Create a new key and update the integration policy.

HTTP 403 (permission_error): The key does not have the read:compliance_activities scope, or Compliance API access is not enabled on the organization. Re-enable Compliance API, recreate the key, and update the policy.

HTTP 429 (rate_limit_error): The parent organization has exceeded the Compliance API limit of 600 requests per minute (shared across all keys). Increase the polling interval or reduce the number of integration policies pointing at the same parent organization.

No new events: Check Elastic Agent logs for request errors and verify the API key and integration policy settings are correct.

For more information on architectures that can be used for scaling this integration, check the Ingest Architectures documentation.

The Compliance API rate limit of 600 requests per minute is enforced per Anthropic parent organization and shared across every key. Multiple Elastic deployments pulling from the same parent organization compete for this budget. For multi-tenant collection, configure one integration policy per Anthropic parent organization.

The audit data stream collects compliance activity events from the Anthropic Compliance API. It produces one document per activity, covering authentication, organization administration, RBAC, API key lifecycle, Claude.ai and Claude Code content, MCP servers, billing, and Compliance API access.

{
    "@timestamp": "2026-05-22T09:00:00.000Z",
    "agent": {
        "ephemeral_id": "4abb0374-f25a-408a-a4f3-254ddd13c46f",
        "id": "497dcb88-5d3d-474f-9a92-8c57df6b0ca8",
        "name": "elastic-agent-24394",
        "type": "filebeat",
        "version": "8.19.0"
    },
    "anthropic": {
        "audit": {
            "actor": {
                "type": "user_actor"
            },
            "claude_chat_id": "claude_chat_01EXAMPLEconv01",
            "claude_project_id": "claude_proj_01EXAMPLEproj01",
            "organization_uuid": "91011112-1314-4151-6171-8191a1b1c1d1"
        }
    },
    "data_stream": {
        "dataset": "anthropic.audit",
        "namespace": "65544",
        "type": "logs"
    },
    "ecs": {
        "version": "9.3.0"
    },
    "elastic_agent": {
        "id": "497dcb88-5d3d-474f-9a92-8c57df6b0ca8",
        "snapshot": false,
        "version": "8.19.0"
    },
    "event": {
        "action": "claude_chat_created",
        "agent_id_status": "verified",
        "category": [
            "web"
        ],
        "dataset": "anthropic.audit",
        "id": "activity_01MOCKpage03a",
        "ingested": "2026-05-29T05:10:18Z",
        "kind": "event",
        "outcome": "success",
        "type": [
            "info"
        ]
    },
    "input": {
        "type": "cel"
    },
    "organization": {
        "id": "org_01EXAMPLEabcdef123456789"
    },
    "related": {
        "ip": [
            "198.51.100.10"
        ],
        "user": [
            "alice.johnson@example.com",
            "user_01EXAMPLEalice01"
        ]
    },
    "source": {
        "as": {
            "number": 64501,
            "organization": {
                "name": "Documentation ASN"
            }
        },
        "geo": {
            "city_name": "Amsterdam",
            "continent_name": "Europe",
            "country_iso_code": "NL",
            "country_name": "Netherlands",
            "location": {
                "lat": 52.37404,
                "lon": 4.88969
            },
            "region_iso_code": "NL-NH",
            "region_name": "North Holland"
        },
        "ip": "198.51.100.10"
    },
    "tags": [
        "forwarded",
        "anthropic-audit"
    ],
    "user": {
        "email": "alice.johnson@example.com",
        "id": "user_01EXAMPLEalice01",
        "name": "alice.johnson"
    },
    "user_agent": {
        "device": {
            "name": "Other"
        },
        "name": "Other",
        "original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36",
        "os": {
            "full": "Windows 10",
            "name": "Windows",
            "version": "10"
        }
    }
}
		

These inputs can be used with this integration:

To collect logs via API endpoint, configure the following parameters:

• API Endpoint URL
• API credentials (tokens, keys, or username/password)
• Request interval (how often to fetch data)

These APIs are used with this integration:

• Query the Activity Feed — Activity Feed behavior, filtering, pagination, and activity object schema.
• List Compliance Activities — API reference for GET /v1/compliance/activities.
• Get access to the Compliance API — request access, create keys, and choose between Compliance Access Keys and Admin API Keys.
• Compliance API errors — error types, rate limits, and retry behavior.

This integration includes one or more Kibana dashboards that visualizes the data collected by the integration. The screenshots below illustrate how the ingested data is displayed.

← →

×

×