Data Source
The BlueVoyant connector ingests compliance activity events from the Anthropic Claude Compliance API (https://api.anthropic.com/v1/compliance/activities), the audit log surface for enterprise Claude usage. Events cover actor actions, artifact/chat/file/project identifiers, HTTP request metadata (method, URL, status code, request body), and organisation-level identifiers.
Ingestion Mechanism
- Framework: CCF (Codeless Connector Framework) using RestApiPoller
- Auth: APIKey via x-api-key header; requires the read:compliance_activities scope
- Poll interval: 10-minute query windows; created_at.gte / created_at.lt time-range parameters
- Paging: cursor-based via NextPageToken (the response's last_id is sent as after_id on the next request), page size 5,000 records
- Rate limit: 10 QPS, 60-second timeout, 3 retries
- DCR transform: source | project-rename id_CF = [id], type_CF = [type] (reserved-name conflict workaround)
- Destination table: BV_ClaudeCompliance_ComplianceActivities_CL
Key DCR-declared fields:
| Field | Type | Notes |
|---|---|---|
| actor | dynamic | Who performed the action |
| claude_artifact_id / claude_chat_id / claude_file_id / claude_project_id | string | Scope identifiers |
| request_body | string | Full API request payload |
| request_method / url / status_code | string / int | HTTP audit trail |
| organization_id / organization_uuid | string | Tenant-level attribution |
| id_CF / type_CF | string | Renamed due to reserved-name collision |
Detection Surface Unlocked
Visibility into how users and service accounts interact with the Claude API at an enterprise compliance level. Potential detections (no bundled rules included in this PR):
- Anomalous actor activity - unusual volume or type of compliance events from a principal
- Access pattern monitoring - which Claude projects/artifacts are being accessed and by whom
- Exfiltration indicators - monitoring filename and request_body for sensitive data references
- Failed API calls - status_code filtering to surface auth failures or rate-limit abuse (4xx/5xx)
No bundled Analytic Rules, Hunting Queries, or Workbooks are included in this initial release. Detection engineering for this data source will require custom KQL against BV_ClaudeCompliance_ComplianceActivities_CL.
MITRE Coverage
No MITRE techniques determinable - no detection content included in this PR.
Affected Files
Logos/BlueVoyant.svg
Solutions/BlueVoyant Anthropic ClaudeCompliance/Data Connectors/BlueVoyantAnthropicClaudeCompliance_CCF/BlueVoyantAnthropicClaudeCompliance_ConnectorDefinition.json
Solutions/BlueVoyant Anthropic ClaudeCompliance/Data Connectors/BlueVoyantAnthropicClaudeCompliance_CCF/BlueVoyantAnthropicClaudeCompliance_DCR.json
Solutions/BlueVoyant Anthropic ClaudeCompliance/Data Connectors/BlueVoyantAnthropicClaudeCompliance_CCF/BlueVoyantAnthropicClaudeCompliance_PollerConfig.json
Solutions/BlueVoyant Anthropic ClaudeCompliance/Data Connectors/BlueVoyantAnthropicClaudeCompliance_CCF/BlueVoyantAnthropicClaudeCompliance_Table.json
Solutions/BlueVoyant Anthropic ClaudeCompliance/Package/testParameters.json
Solutions/BlueVoyant Anthropic ClaudeCompliance/README.md
(packaging artefacts: 3.0.0.zip, ReleaseNotes.md, SolutionMetadata.json, Solution_BlueVoyantAnthropicClaudeCompliance.json, createUiDefinition.json, mainTemplate.json)
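
As an added example (not part of this PR or the BlueVoyant solution), here is one starting point for the "Failed API calls" item under Detection Surface Unlocked: a KQL query over the destination table that surfaces principals with a high count and ratio of 4xx/5xx responses per 10-minute window. The thresholds, the lookback, and the use of tostring(actor) as a grouping key are assumptions, since the inner schema of actor is not given here.

```kql
// Added example: failed-call bursts per actor in BV_ClaudeCompliance_ComplianceActivities_CL.
// Column names come from the DCR field table above; thresholds are assumed and need tuning.
let lookback = 1d;               // assumed review period
let window = 10m;                // matches the connector's 10-minute query windows
let min_failures = 20;           // assumed: minimum failed calls per actor per window
let min_failure_ratio = 0.5;     // assumed: at least half of the actor's calls failed
BV_ClaudeCompliance_ComplianceActivities_CL
| where TimeGenerated > ago(lookback)
// actor is dynamic; serialise it so it can be used as a grouping key
| extend actor_key = tostring(actor)
// toint() is harmless if status_code is already int and protects against string values
| extend status = toint(status_code)
| summarize
    total_calls   = count(),
    failed_calls  = countif(status >= 400),
    auth_failures = countif(status in (401, 403)),
    throttled     = countif(status == 429),
    server_errors = countif(status >= 500),
    methods       = make_set(request_method, 10),
    sample_urls   = make_set(url, 10),
    event_types   = make_set(type_CF, 10)
    by organization_id, actor_key, bin(TimeGenerated, window)
| extend failure_ratio = round(todouble(failed_calls) / total_calls, 2)
| where failed_calls >= min_failures and failure_ratio >= min_failure_ratio
| project TimeGenerated, organization_id, actor_key, total_calls, failed_calls,
          failure_ratio, auth_failures, throttled, server_errors,
          methods, sample_urls, event_types
| order by failed_calls desc
```

Splitting the count into auth_failures, throttled and server_errors lets an analyst separate credential or permission problems from rate-limit pressure and upstream errors before deciding whether a window warrants an alert.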