AI assistants like Claude Cowork are often framed as chat interfaces: You ask a question, get an answer, and move on. But in practice, we’re seeing AI assistants move well beyond simple chat experiences.
They call tools and connectors, read and modify files, and take actions on behalf of your users, and that’s exactly where things get interesting for security, compliance, and operations teams.
Once AI can initiate actions, organizations need a way to see those actions alongside the rest of their telemetry. The core questions tend to be simple:
Who did what?
Which systems or data were involved?
What approvals or policies shaped that action?
Anthropic now exposes this activity through two complementary data streams: Claude Cowork OpenTelemetry (OTel) telemetry and the Claude Compliance API. Used together, they make those questions much easier to answer in the tools you already rely on. Cribl helps you bring those streams together once, shape them into your schema and policies, and route them into SIEMs, data lakes, observability backends, BI tools, or wherever your teams already analyze risk and behavior.
Two streams, two perspectives
Anthropic provides two distinct but related views into Claude Cowork activity:
The Cowork OTLP stream gives you the runtime view of the assistant. It is the high-cardinality, per-action stream for understanding what happened in a session: which tools and connectors Cowork called, which files it read or modified, which skills it used, and whether an action was auto-approved or manually approved by a human, tied to stable user or account identifiers.
The Claude Compliance API gives you the formal audit view of the organization. It adds activity around workspaces, policies, apps, memberships, and other admin-level events that are useful for governance, corroboration, and longer-term reporting.
Used together, the two streams give visibility into both the action-level detail and the organizational context around it. That makes Anthropic activity much easier to interpret alongside the rest of your telemetry.
Why the OTel piece matters
By emitting OTLP, Anthropic gives teams an open, vendor-neutral starting point for Claude Cowork telemetry. That means organizations can work with the tools and pipelines that fit their environment, whether that includes Cribl Stream, Cribl Edge, an OTel Collector, or another OTLP-compatible service.
That flexibility matters.
As this post shows, you do not need a deep OTel background to start getting value from Claude Cowork telemetry with Cribl. And for teams already investing in OTel, Claude Cowork activity becomes that much easier to bring into the broader strategy you’re already building, instead of becoming a one-off integration.
Where Cribl fits
Cribl Stream is the live pipeline and policy engine. You can ingest OTLP from Claude Cowork and HTTPS events from the Claude Compliance API, normalize the fields you care about (user, workspace, tool, file, approval mode, policy or action types), enrich records with identity or business context, apply masking or transformation rules, and route the resulting events into whichever systems of analysis you already use - SIEMs, data lakes, observability backends, or BI platforms.
Cribl Search helps you land Claude Cowork and Claude Compliance API data alongside identity, SaaS admin, and infrastructure telemetry in object storage, then query it on demand to support investigations, audit trails, and usage/exposure reporting. You can store data once in cost‑efficient object storage and run KQL‑style queries across Anthropic and surrounding datasets when you need them.
The value is straightforward: you onboard Anthropic data streams once, apply your schema and policies in one place, and use the shaped, governed telemetry wherever your teams already work.
How to get data flowing
To get started with the Claude Compliance integration, make sure your Claude Enterprise org has the Compliance API enabled, store your Claude Compliance API key as a secret, and allow HTTPS connectivity from your Cribl Workers to Claude. From there, the Source uses Claude’s underlying Compliance REST API, pages through activity records, and tracks state between runs so collection stays smooth. For more details on configuration options, check out our Compliance API Source docs, and please reach out if you have any questions as you get started.
To get started with monitoring Claude, check out our guide (How to Send Claude CoWork Monitoring data to Cribl Stream). It covers the basic configuration needed to get data flowing.
You don’t need to become an OTel expert to start making sense of this data. But teams will usually want to make a couple of intentional choices when configuring their Source. Namely, to “extract” or not?
If you’re sending Claude Cowork OTLP as is to an OTLP-aware destination that will handle its own parsing, you may decide to keep Extract off and let Cribl act as a smart broker for routing, TLS, and backpressure.
If you want to enrich, mask, redact, or convert that data before it lands downstream, turning Extract on shapes the batches of OTLP data in a much more useful way for these operations in Cribl pipelines. Cribl can also re-batch OTLP after extraction for better throughput to OTLP-native destinations. For more details, check out this Overview of Extract and Batch for OpenTelemetry in Cribl.
A shared foundation for both teams
Once both Anthropic streams are coming through Cribl, it helps to establish a shared foundation before you build dashboards or detections.
A practical pattern is to bring both streams into Stream and normalize core fields that you know you will want everywhere: user identifiers, workspace identifiers, tool names, file references, approval state, policy or admin action type, and a clean event timestamp. This is also the right place to enrich with identity or business context, apply masking or redaction where needed, and align field naming so both Claude Cowork OTLP and Claude Compliance API data feel consistent to downstream tools.
With that foundation in place, it becomes much easier to build the views that security, compliance, and operations teams ask for first.
Three practical views teams usually want first
1. Security and access control
This is usually the first view teams want, because it answers the most immediate operational questions. It focuses on who did what, where, and under which approval or policy change.
To set up the pattern described above in Cribl Stream, make sure the records line up on a few key fields: user, workspace, approval mode, policy-related activity, tool name, and file or connector context where available.
That gives you a clean way to build views around questions like:
Which user triggered the activity?
Which assistant action ran?
Was it auto-approved or manually approved?
Was there a nearby policy, workspace, or admin change that adds context?
In practice, this is the view that helps teams track AI-initiated actions in the same operational surfaces they already use for detections, triage, and review.
You can then route the normalized events (as re-batched OTLP, or converted to another format) into your SIEM, Cribl Search, or both.
2. Usage and exposure
The second view is usually less about investigation and more about understanding patterns and risk exposure.
Start by keeping the Claude Cowork stream front and center, because it gives you the runtime detail needed to see which users, workspaces, tools, and actions are most active. Stream is useful here for shaping the data before it lands anywhere expensive or highly structured. For example, you can standardize names, add department or environment context, attach data sensitivity labels when you have them, and choose which attributes should stay high-cardinality versus which ones should be flattened into simpler reporting fields.
From there, you can route the shaped data into Search, a lake, or an analytics platform and build views such as:
Top tools or connectors used by workspace
Approval patterns by user or team
File access or modification activity by workspace
Activity touching higher-sensitivity systems or data categories
This is where Cribl helps keep the view useful over time, because you can be intentional about schema and volume before the data fans out to downstream systems.
3. Forensic reconstruction and audit context
The third view is where the combined value of both Anthropic streams really shows up.
For this one, begin with landing both the Claude Cowork and Claude Compliance API data in object storage through Cribl so they can sit alongside identity, SaaS admin, and infrastructure telemetry for longer-term retention and investigation. From there, you can also “extract” the Claude Cowork logs at the OTel Source configuration to make event-level searches simpler.
The important part is not just storing the data. It is storing it with a consistent enough model that you can pivot across it later without re-learning field names every time.
That makes it much easier to investigate timelines like:
A user session included a sensitive file action
A tool call happened shortly before or after a workspace or policy change
An auditor wants a 30-to-90-day history for a user, workspace, or class of activity
Cribl Search is especially useful here because it lets teams move from a single Anthropic event to the surrounding context in identity, SaaS, and infrastructure data without needing a separate workflow for each dataset.
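The shared-schema normalization described under "A shared foundation for both teams" and the timeline "a tool call happened shortly before or after a workspace or policy change" can be sketched together as follows. This is an added example, not Cribl's or Anthropic's code: the records are constructed, and every field and attribute name, as well as the 15-minute window, is an assumption to replace with what your streams actually carry.

```python
from datetime import datetime, timedelta, timezone

# Constructed samples. Attribute and field names are hypothetical placeholders,
# not the real Cowork OTLP or Compliance API schema; map them to what you receive.
COWORK = [  # extracted OTLP log records, one per assistant action
    {"time_unix_nano": 1767261600000000000, "attributes": {
        "user.id": "u-101", "workspace.id": "ws-a",
        "tool.name": "file_write", "approval.mode": "auto"}},
    {"time_unix_nano": 1767272400000000000, "attributes": {
        "user.id": "u-102", "workspace.id": "ws-b",
        "tool.name": "connector_call", "approval.mode": "manual"}},
]
COMPLIANCE = [  # admin/audit activity records
    {"created_at": "2026-01-01T10:04:00+00:00", "actor": "admin-7",
     "workspace": "ws-a", "type": "policy.updated"},
    {"created_at": "2026-01-01T18:00:00+00:00", "actor": "admin-7",
     "workspace": "ws-b", "type": "membership.added"},
]

def normalize_cowork(rec):
    a = rec.get("attributes", {})
    ts = datetime.fromtimestamp(rec["time_unix_nano"] // 10**9, tz=timezone.utc)
    return {"ts": ts, "source": "cowork", "user": a.get("user.id"),
            "workspace": a.get("workspace.id"), "action": a.get("tool.name"),
            "approval": a.get("approval.mode")}

def normalize_compliance(rec):
    ts = datetime.fromisoformat(rec["created_at"]).astimezone(timezone.utc)
    return {"ts": ts, "source": "compliance", "user": rec.get("actor"),
            "workspace": rec.get("workspace"), "action": rec.get("type"),
            "approval": None}

def actions_near_admin_changes(cowork, compliance, window=timedelta(minutes=15)):
    """Pair assistant actions with admin changes in the same workspace within +/- window."""
    actions = [normalize_cowork(r) for r in cowork]
    changes = [normalize_compliance(r) for r in compliance]
    hits = []
    for act in actions:
        for chg in changes:
            # Records missing a workspace must never match each other on None.
            if act["workspace"] is None or act["workspace"] != chg["workspace"]:
                continue
            offset = (act["ts"] - chg["ts"]).total_seconds()
            if abs(offset) <= window.total_seconds():
                hits.append({"user": act["user"], "tool": act["action"],
                             "approval": act["approval"], "change": chg["action"],
                             "changed_by": chg["user"], "offset_s": offset})
    return hits

if __name__ == "__main__":
    for hit in actions_near_admin_changes(COWORK, COMPLIANCE):
        print(hit)
```

A negative `offset_s` means the assistant action ran before the admin change, a positive one means it ran after.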
Closing thought
Anthropic is providing two genuinely useful telemetry streams for understanding how Claude Cowork behaves in real environments. OTel keeps the runtime telemetry open and portable through OTLP, and the Claude Compliance API adds the formal audit trail admins and auditors need. Cribl helps teams operationalize both streams in a way that is flexible, governed, and practical for real-world environments.
If your team is already thinking about how to monitor and govern AI assistant activity, this is a strong model to consider: onboard Anthropic data once, shape it to your needs, and put it to use wherever your teams already analyze risk, operations, and behavior.







