Monitoring Claude Code/Cowork at scale with OTel in Elastic

Elastic’s InfoSec team implemented an OpenTelemetry-based monitoring pipeline that ingests Claude Code and Claude Cowork telemetry into Elasticsearch for real-time observability, detection, and incident response. The pipeline offers a self-managed EDOT collector and an Elastic Cloud Managed OTLP option, adds custom mappings and ingest pipelines that parse tool parameters, and enables use cases such as tool-invocation auditing, session reconstruction, permission analysis, and EDR correlation.

Keypoints

  • Elastic instrumented Claude Code (CLI) and Cowork (desktop) using OpenTelemetry to export identity, session context, tool invocation details, cost/token metrics, and errors for ingestion into Elasticsearch.
  • Telemetry emits five standardized event types: api_request, tool_result, tool_decision, user_prompt, and api_error, each including user and session metadata.
  • Two ingestion paths: a self-managed EDOT OTel Gateway deployed in Kubernetes using bearer-token auth, or Elastic Cloud’s Managed OTLP endpoint that accepts OTLP directly and routes to dedicated data streams.
  • Custom Elasticsearch component and index templates plus an ingest pipeline convert OTel attributes to correct numeric/boolean types and parse JSON-encoded tool_parameters/tool_input into flattened fields for querying and aggregation.
  • Security use cases enabled include tool invocation auditing, full session reconstruction via session.id/event.sequence, permission decision analysis, cost anomaly detection, EDR correlation for intent vs impact, and MCP server access monitoring.
  • Claude enterprise audit logs from the Compliance API should be collected in addition to OTel telemetry to capture web interface and admin/audit events for complete visibility.
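The normalization the keypoints describe (string attributes converted to typed fields, JSON tool_parameters flattened, events reordered by session.id and event.sequence), as an added Python example rather than Elastic's own ingest pipeline; the event type names and the session.id, event.sequence and tool_parameters fields come from the post, while the other attribute names, the decision values and the sample records are assumptions constructed for the example.

```python
import json
from collections import defaultdict

# Field typing mirrors the post's ingest pipeline: OTel attributes arrive as
# strings and are converted explicitly, never by guessing, so a session id that
# happens to look numeric stays a string.
NUMERIC_FIELDS = {"event.sequence", "duration_ms", "cost_usd", "input_tokens"}
BOOLEAN_FIELDS = {"success"}

# Constructed sample records. Attribute names other than event.name,
# session.id, event.sequence and tool_parameters are assumed, not from the post.
RAW_EVENTS = [
    {"event.name": "user_prompt", "session.id": "s1", "event.sequence": "1"},
    {"event.name": "tool_decision", "session.id": "s1", "event.sequence": "3",
     "tool_name": "Bash", "decision": "reject"},
    {"event.name": "tool_result", "session.id": "s1", "event.sequence": "2",
     "tool_name": "Read", "success": "true", "duration_ms": "41",
     "tool_parameters": '{"file_path": "/repo/README.md"}'},
    {"event.name": "api_request", "session.id": "s1", "event.sequence": "4",
     "cost_usd": "0.0123", "input_tokens": "812"},
    {"event.name": "tool_result", "session.id": "s2", "event.sequence": "1",
     "tool_name": "Bash", "success": "false", "duration_ms": "7",
     "tool_parameters": "not json"},  # malformed payload must not break ingest
]

def normalize(raw):
    """Type-convert attributes and flatten the JSON tool_parameters payload."""
    doc = dict(raw)
    for key in NUMERIC_FIELDS & doc.keys():
        doc[key] = float(doc[key]) if "." in doc[key] else int(doc[key])
    for key in BOOLEAN_FIELDS & doc.keys():
        doc[key] = doc[key].lower() == "true"
    params = doc.get("tool_parameters")
    if params is not None:
        try:
            doc["tool_parameters_flattened"] = json.loads(params)
        except json.JSONDecodeError:
            doc["tool_parameters_parse_error"] = True  # keep raw string for triage
    return doc

def reconstruct_sessions(raw_events):
    """Group normalized events by session.id, ordered by event.sequence."""
    sessions = defaultdict(list)
    for doc in map(normalize, raw_events):
        sessions[doc["session.id"]].append(doc)
    return {sid: sorted(evs, key=lambda d: d["event.sequence"])
            for sid, evs in sessions.items()}

def rejected_tool_decisions(raw_events):
    """Permission-analysis view: tool_decision events the user rejected."""
    return [d for d in map(normalize, raw_events)
            if d["event.name"] == "tool_decision" and d.get("decision") == "reject"]
```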

MITRE Techniques

  • [T1059] Command and Scripting Interpreter – Agents can execute shell/CLI commands on endpoints; (‘When those agents can execute shell commands, read files, call APIs, and interact with internal systems via MCP connectors, you need real-time observability’).
  • [T1005] Data from Local System – Agents can read local files on developer machines, enabling access to sensitive local data; (‘When those agents can execute shell commands, read files, call APIs, and interact with internal systems via MCP connectors…’).
  • [T1102] Web Service – Agents call external/web APIs and search the web as part of their operations, requiring monitoring of outbound API activity; (‘It can read files, execute code in a sandbox, search the web, and interact with connected services like Slack, GitHub, Jira, and Google Calendar through MCP connectors.’).
  • [T1078] Valid Accounts – Agents interact with internal services (Slack, GitHub, Jira, Google Calendar) via MCP connectors that use authorized service connections, making access via legitimate accounts a monitoring concern; (‘interact with connected services like Slack, GitHub, Jira, and Google Calendar through MCP connectors’).

Indicators of Compromise

  • [Domain/Endpoint] OTLP and Elasticsearch endpoints used for telemetry ingestion – https://your-elasticsearch:9200, https://.
  • [File path / config file] Local and managed configuration locations for Claude Code telemetry – ~/.claude/settings.json, managed settings JSON delivered via MDM or server-managed settings.
  • [Data stream / Index pattern] Dedicated OTel data streams and index patterns used to route telemetry – logs-claude_code.otel-*, logs-claude_cowork.otel-*.
  • [Tool / MCP names] Tool and connector identifiers observable in telemetry that can act as contextual IOCs – examples: slack_send_message, github/search_issues (and other MCP tool names surfaced in tool_parameters_flattened).
  • [Environment variables / tokens] Telemetry configuration and auth artifacts referenced in deployment – OTEL_EXPORTER_OTLP_ENDPOINT, OTEL_GATEWAY_TOKEN (used for bearer-token auth) and other OTEL_* variables.

Read more: https://www.elastic.co/security-labs/claude-code-cowork-monitoring-otel-elastic