# Anthropic Compliance Logs (Beta) ## Overview {% hint style="info" %} Anthropic Compliance log ingestion is in open beta starting with Panther version 1.123, and is available to all customers. Please share any bug reports and feature requests with your Panther support team. {% endhint %} Panther has the ability to fetch [Anthropic](https://www.anthropic.com/) compliance activity logs by querying the [Anthropic Compliance API](https://support.claude.com/en/articles/9970975-access-audit-logs). Panther continuously polls the Compliance API to capture administrative and security-related events across your Anthropic organization, including API key management, user and organization changes, and authentication events. In order for Panther to access the API, you need to create a Compliance Access Key in your Anthropic organization settings. ## How to onboard Anthropic Compliance logs to Panther ### Prerequisites * Your Anthropic organization is on an **Enterprise** plan. * The **Compliance API** has been enabled on your account. If it has not been enabled, contact Anthropic support to request access. * You are logged into Anthropic as a **Primary Owner** of the organization. This is required to generate a Compliance Access Key. * If **Compliance access keys** are not visible in your organization settings, you are not logged in as a Primary Owner. ### Step 1: Create a new Anthropic Compliance Access Key {% hint style="info" %} Compliance Access Keys are separate from other Anthropic API keys (such as those used for the Claude API) and cannot be used interchangeably. You must generate a Compliance Access Key specifically for accessing the Compliance API. {% endhint %} 1. In your Anthropic organization settings, navigate to the **Compliance API** section. 2. Click **Create Compliance Access Key**. 3. Enter a descriptive name for the key, e.g., `Panther Compliance Log Access`. 4. Copy the **API key value** and store it in a secure location. You will need it in the next step. * Anthropic will not display this value again. ### Step 2: Create a new Anthropic source in Panther 1. In the left-hand navigation bar of your Panther Console, click **Configure** > **Log Sources**. 2. Click **Create New**. 3. Search for "Anthropic," then click its tile. 4. Click **Start Setup**. 5. On the **Configuration** page, enter a descriptive **Name**, e.g., `My Anthropic Compliance Logs`. 6. Click **Setup**. 7. On the **Credentials** page, fill in the **API Key** field with the Compliance Access Key you generated in Step 1. * Optionally, enter one or more **Organization IDs** to filter activities to specific organizations. Leave empty to ingest activities from all organizations the key has access to. 8. Click **Setup**. * You will be directed to a verification screen that confirms Panther can successfully connect to the Anthropic Compliance API. * You can optionally enable one or more Detection Packs. * The **Trigger an alert when no events are processed** setting defaults to **YES**. We recommend leaving this enabled, as you will be alerted if data stops flowing from the log source after a certain period of time. The timeframe is configurable, with a default of 24 hours. ## Supported log types ### Anthropic.Activity Anthropic compliance activity logs provide visibility into administrative and security-relevant events within your Anthropic organization. These logs help track API key management, user access, and authentication events. Reference: [Anthropic Compliance API Documentation](https://support.claude.com/en/articles/9970975-access-audit-logs) ```yaml schema: Anthropic.Activity description: | Compliance activity log from the Anthropic API. Provides visibility into administrative actions, authentication events, and security-relevant activity within your Anthropic organization. referenceURL: https://support.claude.com/en/articles/9970975-access-audit-logs fields: - name: id required: true description: Unique identifier for the activity type: string - name: created_at required: true description: When the activity occurred (RFC 3339) type: timestamp timeFormats: - rfc3339 isEventTime: true - name: organization_id description: Organization ID where the activity occurred (null when not tied to an organization) type: string - name: organization_uuid description: Organization UUID where the activity occurred (null when not tied to an organization) type: string - name: actor required: true description: Actor who performed the activity type: object fields: - name: type required: true description: Type of actor (user_actor, api_actor, unauthenticated_user_actor, anthropic_actor) type: string - name: email_address description: Email address of actor (for user_actor and anthropic_actor) type: string indicators: - email - name: user_id description: User ID (for user_actor) type: string indicators: - actor_id - name: ip_address description: Originating IP address of the activity type: string indicators: - ip - name: user_agent description: Originating user agent of the activity type: string - name: api_key_id description: ID of the API key used (for api_actor) type: string - name: unauthenticated_email_address description: Email address provided by unauthenticated user type: string indicators: - email - name: type required: true description: Type of activity that occurred type: string ``` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.panther.com/data-onboarding/supported-logs/anthropic-compliance.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.