Elastic's InfoSec team has developed a robust monitoring pipeline for AI coding assistants like Claude Code and Cowork to address the visibility challenges posed by autonomous agents in engineering workflows. By leveraging native OpenTelemetry (OTel) capabilities, security teams can monitor agent actions—such as shell command execution and API calls—in real-time to support threat detection, compliance, and incident response.
The article outlines two primary architectural approaches for ingesting OTel data into Elasticsearch: using a self-managed Elastic Distribution of the OpenTelemetry Collector (EDOT) or utilizing Elastic Cloud's Managed OTLP endpoint. It further details the use of custom Elasticsearch mappings and ingest pipelines to structure telemetry data, enabling advanced security use cases like tool invocation auditing, session reconstruction, and cost anomaly detection.