Skip to content
.ca
sign in
Work being done in the backend.
4 mininfo

Monitoring Claude Code/Cowork at scale with OTel in Elastic

Elastic's InfoSec team details a scalable architecture for monitoring AI coding assistants, specifically Claude Code and Cowork, using OpenTelemetry and Elasticsearch. The solution provides security teams with critical visibility into AI agent activities, including shell command execution, file access, and internal API interactions, enabling advanced threat detection, incident response, and EDR correlation.

Conf:highAnalyzed:2026-04-24reports

Authors: Elastic InfoSec Team

OpenTelemetryMonitoringElasticClaudeAI Security

Source:Elastic Security Labs

Key Takeaways

  • Claude Code and Cowork natively export telemetry via OpenTelemetry (OTel), including API requests, tool results, tool decisions, and user prompts.
  • Elastic's InfoSec team ingests this data using either a self-managed EDOT OTel Gateway or the Elastic Cloud Managed OTLP Endpoint.
  • Custom Elasticsearch mappings (using the 'flattened' type) and ingest pipelines are necessary to properly parse and query nested JSON tool parameters.
  • Security teams can use this telemetry for tool invocation auditing, session reconstruction, permission decision analysis, and cost anomaly detection.
  • Correlating Claude's OTel telemetry (intent) with EDR process events (impact) provides comprehensive visibility into AI agent actions on endpoints.

Affected Systems

  • Claude Code
  • Claude Cowork
  • Developer Endpoints

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: Yes
  • Platforms: Elasticsearch

The article provides Elasticsearch component templates, index templates, and ingest pipelines to structure OTel telemetry, along with a sample Lucene/KQL query snippet for monitoring MCP tool invocations.

Detection Engineering Assessment

EDR Visibility: High — EDR solutions like Elastic Defend capture the actual host impact (child processes, file writes, network connections) which can be directly correlated with the AI agent's OTel telemetry. Network Visibility: Medium — Network visibility is required to ensure OTel telemetry reaches the gateway, especially for sandboxed environments like Cowork which require explicit outbound allowlisting. Detection Difficulty: Moderate — Requires setting up OTel ingestion pipelines, custom Elasticsearch mappings for nested JSON, and correlating AI intent logs with EDR impact logs.

Required Log Sources

  • OpenTelemetry logs (Claude Code/Cowork)
  • EDR process events
  • Claude enterprise audit logs

Hunting Hypotheses

HypothesisTelemetryATT&CK StageFP Risk
AI agents executing unauthorized or unusual shell commands on developer endpoints.OTel tool_result events correlated with EDR process creation logs.ExecutionHigh, as developers frequently use AI assistants to generate and run legitimate build or diagnostic commands.
Users auto-approving risky tool categories or bypassing manual review for sensitive MCP server interactions.OTel tool_decision events checking for config or user_permanent on sensitive tools.ExecutionMedium, depends on organizational policy for AI tool auto-approval.
Unauthorized or anomalous access to internal systems via MCP connectors.OTel logs filtering on tool_parameters_flattened.mcp_server_name and tool_parameters_flattened.mcp_tool_name.CollectionLow to Medium, assuming baselines for normal developer MCP usage are established.

Control Gaps

  • Lack of visibility into AI agent intent without native OTel integration.
  • Sandboxed environments blocking telemetry export if the OTel gateway is not explicitly allowlisted.

Key Behavioral Indicators

  • attributes.event.name: tool_decision
  • attributes.tool_name
  • tool_parameters_flattened.mcp_server_name
  • cost_usd anomalies

False Positive Assessment

  • Low

Recommendations

Immediate Mitigation

  • Enable OTel telemetry export for Claude Code and Cowork across the organization.
  • Deploy managed settings files via MDM (e.g., Jamf, Intune) to enforce telemetry collection.

Infrastructure Hardening

  • Deploy an EDOT OTel Gateway or use Elastic Cloud Managed OTLP Endpoint to ingest telemetry.
  • Allowlist the OTel gateway endpoint for outbound network access from Cowork sandbox environments.
  • Implement custom Elasticsearch mappings (flattened types) and ingest pipelines to parse JSON string fields in OTel telemetry.

User Protection

  • Correlate AI agent telemetry with EDR process and file events to monitor endpoint impact.

Security Awareness

  • Collect Claude enterprise audit logs from the Compliance API for full visibility into web interface and admin activity.

MITRE ATT&CK Mapping

  • T1059.004 - Command and Scripting Interpreter: Unix Shell

Related