[New Integration] Anthropic audit logs#19174

Open
P1llus wants to merge 12 commits into elastic:main from P1llus:anthropic_integration
Conversation

@P1llus
Member

@P1llus P1llus commented May 22, 2026

Proposed commit message

This PR adds initial Anthropic Integration for their Compliance API. Includes support for their 300+ event types as defined in their API documentation: https://platform.claude.com/docs/en/api/compliance/activities/list

Initial audit log overview dashboard has been created and added as part of the integration as well.

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.
  • I have verified that any added dashboard complies with Kibana's Dashboard good practices

Screenshots

(Screenshots: anthropic-overview1, anthropic-overview2)

@P1llus P1llus added New Integration Issue or pull request for creating a new integration package. Team:Integration-Experience Security Integrations Integration Experience [elastic/integration-experience] Integration:anthropic [Integration not found in source] labels May 22, 2026
@github-actions
Contributor

github-actions Bot commented May 22, 2026

Vale Linting Results

Summary: 16 warnings, 15 suggestions found

⚠️ Warnings (16)

| File | Line | Rule | Message |
| --- | --- | --- | --- |
| packages/anthropic/docs/README.md | 143 | Elastic.Latinisms | Latin terms and abbreviations are a common source of confusion. Use 'and so on' instead of 'etc'. |
| packages/anthropic/docs/README.md | 308 | Elastic.Latinisms | Latin terms and abbreviations are a common source of confusion. Use 'and so on' instead of 'etc'. |
| packages/anthropic/docs/README.md | 308 | Elastic.DirectionalLanguage | Don't use directional language. Use 'earlier on this page' instead of 'noted above'. |
| packages/anthropic/docs/README.md | 309 | Elastic.DirectionalLanguage | Don't use directional language. Use 'earlier on this page' instead of 'noted above'. |
| packages/anthropic/docs/README.md | 310 | Elastic.QuotesPunctuation | Place punctuation inside closing quotation marks. |
| packages/anthropic/docs/README.md | 315 | Elastic.Latinisms | Latin terms and abbreviations are a common source of confusion. Use 'for example' instead of 'e.g'. |
| packages/anthropic/docs/README.md | 318 | Elastic.Latinisms | Latin terms and abbreviations are a common source of confusion. Use 'for example' instead of 'e.g'. |
| packages/anthropic/docs/README.md | 319 | Elastic.Latinisms | Latin terms and abbreviations are a common source of confusion. Use 'for example' instead of 'e.g'. |
| packages/anthropic/docs/README.md | 319 | Elastic.DontUse | Don't use 'please'. |
| packages/anthropic/docs/README.md | 321 | Elastic.Latinisms | Latin terms and abbreviations are a common source of confusion. Use 'for example' instead of 'e.g'. |
| packages/anthropic/docs/README.md | 347 | Elastic.QuotesPunctuation | Place punctuation inside closing quotation marks. |
| packages/anthropic/docs/README.md | 347 | Elastic.DontUse | Don't use 'and/or'. |
| packages/anthropic/docs/README.md | 350 | Elastic.DontUse | Don't use 'just'. |
| packages/anthropic/docs/README.md | 352 | Elastic.QuotesPunctuation | Place punctuation inside closing quotation marks. |
| packages/anthropic/docs/README.md | 353 | Elastic.QuotesPunctuation | Place punctuation inside closing quotation marks. |
| packages/anthropic/docs/README.md | 354 | Elastic.QuotesPunctuation | Place punctuation inside closing quotation marks. |

💡 Suggestions (15)

| File | Line | Rule | Message |
| --- | --- | --- | --- |
| packages/anthropic/docs/README.md | 311 | Elastic.WordChoice | Consider using 'can, might' instead of 'may', unless the term is in the UI. |
| packages/anthropic/docs/README.md | 317 | Elastic.Wordiness | Consider using 'tell' instead of 'inform'. |
| packages/anthropic/docs/README.md | 317 | Elastic.WordChoice | Consider using 'can, might' instead of 'may', unless the term is in the UI. |
| packages/anthropic/docs/README.md | 317 | Elastic.WordChoice | Consider using 'can, might' instead of 'may', unless the term is in the UI. |
| packages/anthropic/docs/README.md | 319 | Elastic.WordChoice | Consider using 'can, might' instead of 'may', unless the term is in the UI. |
| packages/anthropic/docs/README.md | 319 | Elastic.WordChoice | Consider using 'deactivated, deselected, hidden, turned off, unavailable' instead of 'disabled', unless the term is in the UI. |
| packages/anthropic/docs/README.md | 320 | Elastic.WordChoice | Consider using 'efficiently' instead of 'simply', unless the term is in the UI. |
| packages/anthropic/docs/README.md | 320 | Elastic.WordChoice | Consider using 'can, might' instead of 'may', unless the term is in the UI. |
| packages/anthropic/docs/README.md | 321 | Elastic.WordChoice | Consider using 'can, might' instead of 'may', unless the term is in the UI. |
| packages/anthropic/docs/README.md | 324 | Elastic.WordChoice | Consider using 'can, might' instead of 'may', unless the term is in the UI. |
| packages/anthropic/docs/README.md | 333 | Elastic.Wordiness | Consider using 'all' instead of 'All of '. |
| packages/anthropic/docs/README.md | 347 | Elastic.Wordiness | Consider using 'sometimes' instead of 'In some cases'. |
| packages/anthropic/docs/README.md | 347 | Elastic.WordChoice | Consider using 'can, might' instead of 'may', unless the term is in the UI. |
| packages/anthropic/docs/README.md | 350 | Elastic.WordChoice | Consider using 'can, might' instead of 'may', unless the term is in the UI. |
| packages/anthropic/docs/README.md | 509 | Elastic.WordChoice | Consider using 'can, might' instead of 'may', unless the term is in the UI. |

The Vale linter checks documentation changes against the Elastic Docs style guide.

To use Vale locally or report issues, refer to Elastic style guide for Vale.

@andrewkroh andrewkroh added documentation Improvements or additions to documentation. Applied to PRs that modify *.md files. and removed Integration:anthropic [Integration not found in source] labels May 22, 2026
@P1llus P1llus marked this pull request as ready for review May 26, 2026 10:54
@P1llus P1llus requested review from a team as code owners May 26, 2026 10:54
@github-actions
Contributor

TL;DR

The Buildkite failure is a generated docs drift issue in Check integrations anthropic: the package docs README is out of date after changes to the audit sample event. Regenerate package docs and commit the updated packages/anthropic/docs/README.md.

Remediation

  • Run: elastic-package build -v -c packages/anthropic (or the repo’s standard package build command) and commit regenerated docs.
  • Re-run CI for Check integrations anthropic to confirm the README up-to-date check passes.
Investigation details

Root Cause

run_tests_package failed on the README consistency check, not on ingest pipeline/runtime logic. The failing step reports:

  • README.md is outdated. Rebuild the package with 'elastic-package build'
  • Error: checking package failed: checking readme files are up-to-date failed: files do not match

The referenced commit (7b76470f9542bdaa4d4cd93770e9b40025cfd0e3) changes packages/anthropic/data_stream/audit/sample_event.json only, which is consistent with generated doc snippets drifting when docs are not regenerated.

Evidence

  • Build: https://buildkite.com/elastic/integrations/builds/43595
  • Job/step: Check integrations anthropic
  • Key log excerpt:
    • README.md is outdated. Rebuild the package with 'elastic-package build'
    • Diff includes regenerated event/sample fields (agent IDs/version, event.ingested, geo.location, etc.)
    • Error: checking package failed: checking readme files are up-to-date failed: files do not match

Verification

  • Not run in this environment against the PR branch (local checkout is main), so findings are based on Buildkite logs + commit metadata.

Follow-up

If this recurs, consider adding a local pre-commit/check target for package doc regeneration before pushing.

Note

🔒 Integrity filter blocked 2 items

The following items were blocked because they don't meet the GitHub integrity level.

  • [New Integration] Anthropic audit logs #19174 pull_request_read: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
  • #19174 pull_request_read: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".

To allow these resources, lower min-integrity in your GitHub frontmatter:

tools:
  github:
    min-integrity: approved  # merged | approved | unapproved | none

What is this? | From workflow: PR Buildkite Detective

Give us feedback! React with 🚀 if perfect, 👍 if helpful, 👎 if not.
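The failure the report diagnoses is a drift between the committed docs/README.md and the README that `elastic-package build` regenerates, and the follow-up suggests catching that locally before pushing. The script below is an added example of such a pre-commit guard; it is not part of the elastic/integrations repository or of elastic-package. It assumes that the build command rewrites `<package>/docs/README.md` in place, and the names `BUILD_CMD`, `check_readme_drift` and `check_staged_packages` are chosen here for illustration.

```shell
#!/usr/bin/env sh
# Added example: local guard against generated-docs drift for integration packages.
# Not part of elastic/integrations; BUILD_CMD, check_readme_drift and
# check_staged_packages are names chosen for this example.
# Assumption: the build command regenerates <package>/docs/README.md in place,
# which is what the CI "readme files are up-to-date" check relies on.

# Defaults to the remediation command quoted in the Buildkite report; it can be
# overridden (for example with a stand-in function) when testing the guard itself.
BUILD_CMD="${BUILD_CMD:-elastic-package build -v -c}"

# check_readme_drift PACKAGE_DIR
#   0 -> committed docs/README.md already matches the regenerated output
#   1 -> README.md was outdated: the regenerated file differs from the committed one
#   2 -> the build itself failed, so nothing can be concluded about drift
check_readme_drift() {
    pkg="$1"
    readme="$pkg/docs/README.md"
    snapshot=$(mktemp) || return 2

    # Keep a copy of the README as it is currently committed (empty if absent).
    if [ -f "$readme" ]; then
        cp "$readme" "$snapshot"
    else
        : > "$snapshot"
    fi

    # Regenerate the docs. $BUILD_CMD is left unquoted so a multi-word command splits.
    if ! $BUILD_CMD "$pkg" >/dev/null 2>&1; then
        rm -f "$snapshot"
        return 2
    fi

    if cmp -s "$snapshot" "$readme"; then
        rm -f "$snapshot"
        return 0
    fi

    # Mirror the CI message and show the drift so the author can commit the new README.
    echo "README.md is outdated. Rebuild the package with 'elastic-package build'" >&2
    diff -u "$snapshot" "$readme" || true
    rm -f "$snapshot"
    return 1
}

# Pre-commit entry point: run the check for every package that has staged changes.
# A non-zero exit blocks the commit when any README drifted or a build failed.
check_staged_packages() {
    status=0
    for pkg in $(git diff --cached --name-only | sed -n 's#^\(packages/[^/]*\)/.*#\1#p' | sort -u); do
        check_readme_drift "$pkg" || status=1
    done
    return $status
}
```

Installed as `.git/hooks/pre-commit` with a final `check_staged_packages` call, the hook leaves the regenerated README on disk when it fails, so the fix is to stage that file and commit again. The three-way exit code keeps a broken build distinguishable from genuine drift, which matters because a failed build also leaves the README unchanged and would otherwise look clean.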

@elasticmachine

💚 Build Succeeded

version: "0.1.0"
source:
  license: "Elastic-2.0"
description: Collect compliance activity audit logs from Anthropic with Elastic Agent.
Member

Since this integration is going to focus only on the compliance API, shall we name the package/description accordingly?

Member Author

A bit unsure what you mean; do you mean having separate integrations for the compliance API and metrics later?

default:
  enabled: true
agentless:
  enabled: true
Member

Has this been tested in agentless mode?
Or, since this is CEL-based, are we assuming it would work well within limits in agentless?

Member Author

Yeah, based on it being CEL we usually default to this being available. The API itself is not expected to return a massive amount of information compared to other sources.


4 participants