Anthropic Compliance Logs (Beta)

Panther supports pulling logs directly from Anthropic

Overview

Anthropic Compliance log ingestion is in open beta starting with Panther version 1.123, and is available to all customers. Please share any bug reports and feature requests with your Panther support team.

Panther has the ability to fetch Anthropic compliance activity logs by querying the Anthropic Compliance API. Panther continuously polls the Compliance API to capture administrative and security-related events across your Anthropic organization, including API key management, user and organization changes, and authentication events.

In order for Panther to access the API, you need to create a Compliance Access Key in your Anthropic organization settings.

How to onboard Anthropic Compliance logs to Panther

Prerequisites

Your Anthropic organization is on an Enterprise plan.
The Compliance API has been enabled on your account. If it has not been enabled, contact Anthropic support to request access.
You are logged into Anthropic as a Primary Owner of the organization. This is required to generate a Compliance Access Key.
- If Compliance access keys are not visible in your organization settings, you are not logged in as a Primary Owner.

Step 1: Create a new Anthropic Compliance Access Key

Compliance Access Keys are separate from other Anthropic API keys (such as those used for the Claude API) and cannot be used interchangeably. You must generate a Compliance Access Key specifically for accessing the Compliance API.

In your Anthropic organization settings, navigate to the Compliance API section.
Click Create Compliance Access Key.
Enter a descriptive name for the key, e.g., Panther Compliance Log Access.
Copy the API key value and store it in a secure location. You will need it in the next step.
- Anthropic will not display this value again.

Step 2: Create a new Anthropic source in Panther

In the left-hand navigation bar of your Panther Console, click Configure > Log Sources.
Click Create New.
Search for "Anthropic," then click its tile.
Click Start Setup.
On the Configuration page, enter a descriptive Name, e.g., My Anthropic Compliance Logs.
Click Setup.
On the Credentials page, fill in the API Key field with the Compliance Access Key you generated in Step 1.
- Optionally, enter one or more Organization IDs to filter activities to specific organizations. Leave empty to ingest activities from all organizations the key has access to.
Click Setup.
- You will be directed to a verification screen that confirms Panther can successfully connect to the Anthropic Compliance API.
  - You can optionally enable one or more Detection Packs.
  - The Trigger an alert when no events are processed setting defaults to YES. We recommend leaving this enabled, as you will be alerted if data stops flowing from the log source after a certain period of time. The timeframe is configurable, with a default of 24 hours.

Supported log types

Anthropic.Activity

Anthropic compliance activity logs provide visibility into administrative and security-relevant events within your Anthropic organization. These logs help track API key management, user access, and authentication events.

Reference: Anthropic Compliance API Documentation

schema: Anthropic.Activity
description: |
    Compliance activity log from the Anthropic API. Provides visibility into administrative actions, authentication events, and security-relevant activity within your Anthropic organization.
referenceURL: https://support.claude.com/en/articles/9970975-access-audit-logs
fields:
    - name: id
      required: true
      description: Unique identifier for the activity
      type: string
    - name: created_at
      required: true
      description: When the activity occurred (RFC 3339)
      type: timestamp
      timeFormats:
        - rfc3339
      isEventTime: true
    - name: organization_id
      description: Organization ID where the activity occurred (null when not tied to an organization)
      type: string
    - name: organization_uuid
      description: Organization UUID where the activity occurred (null when not tied to an organization)
      type: string
    - name: actor
      required: true
      description: Actor who performed the activity
      type: object
      fields:
        - name: type
          required: true
          description: Type of actor (user_actor, api_actor, unauthenticated_user_actor, anthropic_actor)
          type: string
        - name: email_address
          description: Email address of actor (for user_actor and anthropic_actor)
          type: string
          indicators:
            - email
        - name: user_id
          description: User ID (for user_actor)
          type: string
          indicators:
            - actor_id
        - name: ip_address
          description: Originating IP address of the activity
          type: string
          indicators:
            - ip
        - name: user_agent
          description: Originating user agent of the activity
          type: string
        - name: api_key_id
          description: ID of the API key used (for api_actor)
          type: string
        - name: unauthenticated_email_address
          description: Email address provided by unauthenticated user
          type: string
          indicators:
            - email
    - name: type
      required: true
      description: Type of activity that occurred
      type: string

Previous1Password Logs NextApache Logs

Last updated 1 month ago

Was this helpful?

schema: Anthropic.Activity
description: |
    Compliance activity log from the Anthropic API. Provides visibility into administrative actions, authentication events, and security-relevant activity within your Anthropic organization.
referenceURL: https://support.claude.com/en/articles/9970975-access-audit-logs
fields:
    - name: id
      required: true
      description: Unique identifier for the activity
      type: string
    - name: created_at
      required: true
      description: When the activity occurred (RFC 3339)
      type: timestamp
      timeFormats:
        - rfc3339
      isEventTime: true
    - name: organization_id
      description: Organization ID where the activity occurred (null when not tied to an organization)
      type: string
    - name: organization_uuid
      description: Organization UUID where the activity occurred (null when not tied to an organization)
      type: string
    - name: actor
      required: true
      description: Actor who performed the activity
      type: object
      fields:
        - name: type
          required: true
          description: Type of actor (user_actor, api_actor, unauthenticated_user_actor, anthropic_actor)
          type: string
        - name: email_address
          description: Email address of actor (for user_actor and anthropic_actor)
          type: string
          indicators:
            - email
        - name: user_id
          description: User ID (for user_actor)
          type: string
          indicators:
            - actor_id
        - name: ip_address
          description: Originating IP address of the activity
          type: string
          indicators:
            - ip
        - name: user_agent
          description: Originating user agent of the activity
          type: string
        - name: api_key_id
          description: ID of the API key used (for api_actor)
          type: string
        - name: unauthenticated_email_address
          description: Email address provided by unauthenticated user
          type: string
          indicators:
            - email
    - name: type
      required: true
      description: Type of activity that occurred
      type: string