SourcesSource TypesAnthropic Compliance

Anthropic Compliance Activity Logs

The Anthropic Compliance API provides comprehensive activity logging for Enterprise organizations using Claude. These logs capture authentication events, chat and project interactions, file uploads, API key management, user administration, and SSO/SCIM directory sync actions. They help security and compliance teams maintain audit trails, meet regulatory requirements, and monitor user activity across Claude.ai, Claude Console, and the Claude API.

Ingest Methods

Setup the ingestion of this source using one of the following guides.

API Polling

Anthropic Compliance supports API polling to collect activity log events from your organization via the Compliance API.

Setup

  1. Go to Sources in RunReveal
  2. Click the Anthropic Compliance source tile
  3. Give it a name and click Connect Source
  4. Fill in the required field with your Compliance Access Key

Anthropic Compliance Access Key Configuration

To generate a Compliance Access Key for RunReveal:

Prerequisites:

  • You must be the Primary Owner of an Enterprise organization
  • The Compliance API must be enabled under Organization Settings → Data and Privacy

Enabling the Compliance API:

  1. Sign in to claude.ai as the Primary Owner
  2. Navigate to Organization Settings → Data and Privacy
  3. Click “Enable” under Compliance API

Creating the Compliance Access Key:

  1. In Organization Settings → Data and Privacy, find the Compliance access keys section
  2. Click “Create key”
  3. Provide a name (e.g., “RunReveal Integration”)
  4. Select the read:compliance_activities scope
  5. Important: Copy the key immediately — it will only be displayed once
⚠️

Compliance API Required: The Compliance API is available to Enterprise plans only and must be explicitly enabled by the Primary Owner. If you do not see the Compliance access keys section, either the Compliance API has not been enabled or you are not the Primary Owner.

Console / API Users: If your organization uses Claude Console or the Claude API (rather than Claude.ai), use an Admin key instead of a Compliance Access Key. Admin keys automatically carry the read:compliance_activities scope when the Compliance API is enabled.

Anthropic Activity Types

The Anthropic Compliance integration collects a wide range of activity events from your organization. These events provide visibility into user behavior, platform operations, and security-relevant actions.

Event Categories Collected

Authentication

  • SSO Login — SSO login initiated, succeeded, or failed
  • Magic Link Login — Magic link login initiated, succeeded, or failed
  • Social Login — Social provider login events
  • Session Revoked — User session revocations

User & Organization Management

  • User Invited / Joined — Org invitations sent, accepted, or rejected
  • Account Deleted — Self-service account deletion
  • Domain Capture — Domain verification and capture events
  • Organization Icon — Organization icon updates and deletions

API & Admin Key Management

  • API Key Created / Deleted / Updated — Scoped API key lifecycle events
  • Admin API Key Created / Deleted / Updated — Admin key lifecycle events

Chat & Project Activity

  • Chat Created / Viewed / Deleted — User chat lifecycle events
  • Chat Settings Updated — Chat configuration changes
  • Project Created / Viewed / Deleted — Project lifecycle events
  • Project Document Created / Deleted — Project knowledge base changes

File Activity

  • File Uploaded / Viewed / Deleted — File lifecycle events

Claude Code

  • Code Review Config Updated — Claude Code Review configuration changes
  • Repository Added / Removed / Updated — Claude Code Review repository changes

Administrative

  • SSO Connection Activated / Deactivated / Deleted — SSO connection lifecycle
  • SCIM Directory Sync — IdP-initiated user and group sync events
  • Compliance API Accessed — Audit of Compliance API requests themselves

Event Data Structure

Each activity event includes:

  • Activity ID and Type — Unique identifier and event category
  • Timestamp — When the activity occurred (RFC 3339)
  • Organization Context — Organization ID where the activity occurred
  • Actor Information — Actor type, email, user ID, IP address, and user agent
  • Event-specific Fields — Additional fields depending on the activity type

Data Collection

  • Collection Method: API polling every 60 seconds
  • Event Format: JSON with normalized fields for consistent querying
  • Data Retention: Anthropic retains activity feed data for 6 years
  • Delay: Activities are queryable after a short delay of up to 1 minute

Schema

The following columns are exposed for this source. RunReveal applies schema normalization across all sources, ensuring uniform field names and data types for cross-source queries and reusable detection logic.

Table: anthropic_logs (46 columns)

ColumnType
workspaceIDString
sourceIDString
sourceTypeString
sourceTTLUInt32
receivedAtDateTime
idString
eventTimeDateTime
eventNameString
eventIDString
srcIPString
srcASCountryCodeString
srcASNumberUInt32
srcASOrganizationString
srcCityString
srcConnectionTypeString
srcISPString
srcLatitudeFloat64
srcLongitudeFloat64
srcUserTypeString
dstIPString
dstASCountryCodeString
dstASNumberUInt32
dstASOrganizationString
ColumnType
dstCityString
dstConnectionTypeString
dstISPString
dstLatitudeFloat64
dstLongitudeFloat64
dstUserTypeString
actorMap(String, String)
tagsMap(String, String)
resourcesArray(String)
serviceNameString
enrichmentsArray(Tuple(data Map(String, String), name String, provider String, type String, value String))
readOnlyBool
rawLogString
activityIDString
activityTypeString
organizationIDString
actorTypeString
actorEmailString
actorUserIDString
actorIPAddressString
actorUserAgentString
actorAPIKeyIDString
actorAdminAPIKeyIDString

Helpful Links

ZendeskKeycloak