Elastic Security now monitors Claude activity via Compliance API
New integration ingests 300+ event types from Claude Enterprise, Team, and Platform into Elastic Security, enabling unified AI monitoring and compliance.
Elastic has released an integration enabling security teams to monitor activity across Anthropic’s Claude Enterprise, Claude Team, and Claude Platform via the Compliance API, the company announced on June 12, 2026. The integration ingests over 300 event types—including actor identity, timestamps, and source IPs—directly into Elastic Security, automatically mapping them to the Elastic Common Schema (ECS) without requiring custom parsing. This eliminates a common barrier for SOC teams, who can now analyze Claude usage alongside existing telemetry without additional data normalization.
The move addresses a pressing need as enterprises scale their use of Claude. Security and compliance officers increasingly face questions about who is accessing these systems, how they authenticate, and what configuration changes are occurring. Anthropic’s Compliance API provides the raw audit data, but Elastic’s integration makes it actionable within established workflows, avoiding the need for new consoles or dedicated teams.
Comprehensive audit trails and prebuilt visibility
The integration captures a broad spectrum of events, including MCP server connections, API key lifecycle events, SSO and identity-provider changes, role and permission modifications, data exports, and spikes in magic_link_login_failed attempts. Each event is timestamped and tied to a specific actor, enabling full audit trails for forensic investigations. This granularity allows SOC teams to trace actions back to individual users, a critical capability for incident response and compliance reporting.
Prebuilt dashboards provide immediate visibility into key metrics, such as unique users, error rates, unique MCP servers, and total event counts over time. They also break down activity by event type, highlighting top categories like configuration, IAM, authentication, file, and web events. Additional visualizations identify the most active MCP servers or skills, as well as the top users by volume of activity. These dashboards reduce the time-to-value for security teams, who can start monitoring Claude usage without building custom visualizations from scratch.
Beyond Compliance API data, the integration supports runtime telemetry from Claude Code and Cowork via OpenTelemetry, though this requires a separate setup. This complements the audit logs by capturing agent-level details—such as tools called, files touched, and commands executed—offering a deeper operational view of how Claude is being used in development and collaborative workflows.
AI-assisted detection and cross-source correlation
One of the integration’s most notable features is its AI-powered rule creation, which allows analysts to describe detection logic in plain English. The system then automatically generates validated ES|QL queries, reducing the time and expertise typically required to write manual detections. For example, an analyst could input a rule like “Alert me when a user exports data to an unusual location,” and the system would produce the corresponding query. This capability is particularly valuable for teams less familiar with Elastic’s query language but still need to implement robust monitoring for Claude-related risks.
The integration also enables cross-source correlation, allowing security teams to combine Claude events with telemetry from identity providers, endpoints, cloud environments, or network infrastructure. This means AI-related incidents can be detected as part of broader attack chains rather than isolated anomalies. For instance, a spike in failed magic link logins could be correlated with unusual activity in an identity provider, potentially signaling a brute-force attack. Similarly, an MCP server connection could be cross-referenced with network logs to determine if it originated from an unexpected or high-risk location.
By embedding Claude monitoring into existing security infrastructure, the integration ensures that AI activity is not siloed. Instead, it becomes part of a unified detection and response strategy, where threats involving Claude can be identified and addressed alongside traditional security events.
Operational efficiency and compliance readiness
For security leaders, the integration closes a critical visibility gap. AI tool adoption often outpaces governance, leaving organizations exposed to undetected risks. Elastic’s approach embeds Claude monitoring into existing security operations, eliminating the need for separate tools or teams. This is particularly important for enterprises where AI usage spans multiple departments, each with different access levels and configurations.
Specialists benefit from the integration’s alignment with ECS, as existing queries and detections can be applied to Claude data immediately. This means teams can leverage their current investments in Elastic Security without modification, accelerating the deployment of monitoring for Claude. Founders and executives scaling AI usage will find value in the prebuilt dashboards and AI-assisted rule creation, which reduce the operational burden of compliance. While the announcement does not specify which frameworks the integration supports, the comprehensive audit trails and visibility into configuration changes, access controls, and data exports are likely to assist with adherence to standards such as SOC 2, ISO 27001, and GDPR.
Elastic Workflows further enhances operational efficiency by enabling automated responses to detected risks. Teams can trigger investigations, add case context, or send notifications without relying on a separate SOAR platform. This streamlines incident response, ensuring that AI-related risks are addressed promptly and consistently. For example, a detected spike in failed logins could automatically create a case in Elastic Security, assign it to the appropriate analyst, and notify the team via Slack or email.
Unanswered questions and deployment considerations
The announcement leaves several practical details unresolved. Pricing for the integration is not disclosed, nor are the deployment requirements—whether it is cloud-only, on-premise, or hybrid. Retention limits for Claude audit data are also unspecified, a potential concern for organizations with long-term compliance obligations. Additionally, runtime telemetry from Claude Code and Cowork requires a separate OpenTelemetry setup, which may introduce complexity for teams seeking a fully integrated solution.
Another open question is the specific nature of the risks associated with MCP server connections. While the integration can detect these connections, the announcement does not clarify what constitutes a high-risk MCP server or how security teams should prioritize their response. Similarly, while the AI-powered rule creation is a standout feature, its real-world accuracy and efficiency compared to manually written ES|QL queries remain to be tested.
Despite these uncertainties, the integration represents a significant step toward embedding AI tool monitoring into enterprise security operations. As organizations continue to adopt Claude and other AI platforms at scale, the ability to track, analyze, and correlate this activity with broader security telemetry will be essential for maintaining governance and mitigating risks. Elastic’s approach—leveraging existing infrastructure and offering AI-assisted capabilities—could serve as a model for how other AI vendors and security providers collaborate to address the challenges of AI adoption in the enterprise.
Sources
Written by an AI editorial process from the sources above. Errors may occur.
Newsletter
Get the AI news that matters
One short brief with the day's most important AI stories — written for professionals.
No spam. Unsubscribe anytime.
Read next
OpenAI Launches ChatGPT Work Super App to Rival Anthropic
ChatGPT Work consolidates AI tools into a unified professional platform, powered by cost-efficient GPT-5.6, as competition with Anthropic heats up.
12 Jul 2026
Cloudflare Expands HTTP Headers and Adds Developer Tools
Five major updates target operational pain points, including a 4x header size increase and new debugging dashboards.
10 Jul 2026
Claude 3 Haiku Joins Vercel AI Gateway with Cost-Optimized Pricing
Anthropic’s fast, affordable model is now available via Vercel, offering streamlined integration and low-latency performance for high-throughput tasks.
10 Jul 2026