Listen to this Post
Introduction:
The rapid adoption of AI-powered coding assistants like Anthropic’s Code introduces a new frontier of security risks, as these agents operate with broad permissions, executing bash commands, reading files, and making network connections directly within development environments. To address these challenges, organizations must move beyond simple permission prompts and implement systematic detection engineering, leveraging OpenTelemetry (OTLP) telemetry to monitor agent activities, establish baselines, and identify malicious or unauthorized behaviors in real-time—transforming AI coding tools from potential liabilities into observable, governable assets.
Learning Objectives:
- Understand the threat landscape for AI coding agents and how to instrument Code to emit structured OpenTelemetry telemetry.
- Learn to configure a detection pipeline (using Monad) to ingest, flatten, and route OTLP data to a SIEM or data lake.
- Implement sample detection rules to identify suspicious outbound network calls, sensitive file access, command rejections, unknown MCP servers, and prompt injection patterns.
You Should Know:
1. Telemetry-Driven Detection Engineering for Code
Code, Anthropic’s specialized agentic coding tool, operates directly in developer environments and can chain together actions such as reading files, executing bash commands, and making network requests. While the tool includes a permission model, relying solely on user approvals is insufficient for enterprise security. The key is to enable and export its built-in OpenTelemetry (OTLP) telemetry, which provides detailed events for user prompts, tool invocations (e.g., Bash, Read, Write), and outcomes.
The Monad platform offers a streamlined approach to ingest raw OTLP payloads, flatten the deeply nested structures into analyst-friendly flat records, and route them to a SIEM or data lake. The flat record for a Bash tool execution includes critical fields: `tool_name` (e.g., “Bash”), `tool_parameters.full_command` (the actual command), `decision_type` (accept/reject), `decision_source` (user_temporary, etc.), and `success` (true/false), providing intent, decision, and outcome in a single event. This telemetry forms the foundation for detection rules that can identify malicious activity, such as a `curl` or `wget` command pointing to an external host coupled with a prior file read, indicating potential data exfiltration.
Step-by-Step Setup Guide:
Prerequisites: Code installed, a Monad account (or similar OTLP-compatible platform), and about 15–20 minutes.
Step 1: Create a Monad pipeline with an OTel input. Create a new pipeline in Monad, add an OTel input component, and copy the pipeline ID from the left-hand panel.
Step 2: Create a least-privilege API key. Create a custom role with only the `pipeline:data:write` permission, then generate an organization API key assigned to that role. This key can write telemetry and nothing else.
Step 3: Configure Code. Add the following `env` block to `~/./settings.json` (for centrally managed environments, use MDM or admin console settings):
{
"env": {
"CLAUDE_CODE_ENABLE_TELEMETRY": "1",
"OTEL_METRICS_EXPORTER": "otlp",
"OTEL_LOGS_EXPORTER": "otlp",
"OTEL_EXPORTER_OTLP_PROTOCOL": "grpc",
"OTEL_EXPORTER_OTLP_ENDPOINT": "https://app.monad.com:4317",
"OTEL_EXPORTER_OTLP_HEADERS": "Authorization=ApiKey YOUR_API_KEY,Monad-Pipeline-Id=YOUR_PIPELINE_ID"
}
}
Optional: To capture full prompt text and MCP tool details (use with caution), add:
"OTEL_LOG_USER_PROMPTS": "1", "OTEL_LOG_TOOL_DETAILS": "1"
Restart Code after saving the file.
Step 4: Tag telemetry by team. Add `OTEL_RESOURCE_ATTRIBUTES` to attach organizational context to every event for team-specific dashboards and cost attribution:
"OTEL_RESOURCE_ATTRIBUTES": "department=engineering,team.id=platform,cost_center=eng-123"
Step 5: Add the community transform. Use the published community transform to flatten raw OTLP into one clean record per event without manual configuration.
Important Security Consideration: By default, `tool_result` events for Bash include the full command string. If a developer unknowingly passes a secret as a command-line argument, that secret appears in telemetry. Use Monad’s pipeline transforms to redact sensitive fields (e.g., tool_parameters) before routing to your destination. Prompt logging is off by default—think through data retention and employee notice requirements before enabling it.
2. Sample Detection Rules for AI Agents
Once telemetry flows into your SIEM, implement these sample detection rules (tune thresholds and field values to your environment). These are starting points, not production-ready rules.
Suspicious Outbound Network Call from a Code Session
- Trigger: A Bash tool invocation where `full_command` contains `curl` or `wget` pointing to an external host, correlated with a prior file read in the same session.
- Rule Logic (pseudocode):
event.name = "tool_result" AND tool_name = "Bash" AND (tool_parameters.full_command CONTAINS "curl" OR tool_parameters.full_command CONTAINS "wget") AND tool_parameters.full_command NOT CONTAINS "internal.yourdomain.com" GROUP BY session.id HAVING COUNT(DISTINCT tool_parameters.full_command) > 1 AND ANY(tool_parameters.full_command CONTAINS "cat" OR tool_parameters.full_command CONTAINS "read")
Sensitive File Access
- Trigger: A Bash tool invocation where `full_command` reads a known sensitive path.
- Rule Logic:
event.name = "tool_result" AND tool_name = "Bash" AND (tool_parameters.full_command CONTAINS ".aws/credentials" OR tool_parameters.full_command CONTAINS ".env" OR tool_parameters.full_command CONTAINS "id_rsa" OR tool_parameters.full_command CONTAINS "/etc/passwd")
Command Rejected by User or Policy (High Signal)
- Trigger: A `tool_decision` event where the command was rejected. This event fires at decision time rather than after execution, making it higher signal and lower latency than keying off
tool_result. - Rule Logic:
event.name = "tool_decision" AND decision_type = "reject"
Unknown MCP Server Invocation
- Trigger: A `tool_result` event where `mcp_server_name` is not in your approved list. Requires
OTEL_LOG_TOOL_DETAILS=1. - Rule Logic:
event.name = "tool_result" AND mcp_server_name IS NOT NULL AND mcp_server_name NOT IN ("approved-server-1", "approved-server-2")
Prompt Injection Pattern in User Input
- Trigger: A `user_prompt` event containing known injection strings. Requires
OTEL_LOG_USER_PROMPTS=1. - Rule Logic:
event.name = "user_prompt" AND (prompt CONTAINS "ignore previous instructions" OR prompt CONTAINS "output your system prompt" OR prompt MATCHES "[A-Za-z0-9+/]{40,}={0,2}")
- Hardening AI Coding Agents: Sandboxing, Least Privilege, and Supply Chain Vigilance
Detection engineering is only one layer; proactive hardening is equally critical. Anthropic has introduced built-in sandboxing for Code, which reduces permission prompts by up to 84% while ensuring that even a successful prompt injection is fully isolated, preventing exfiltration of SSH keys or other sensitive data. Running Code within a Docker container provides system-level isolation, while the sandbox adds fine-grained security controls that restrict file and network access.
Beyond sandboxing, enterprises should adopt the principle of least privilege. Use the `–allowedTools` flag to restrict which tools (e.g., Bash, Read, Write) the agent can invoke, and consider implementing runtime safety governance tools like @pmatrix/-code-monitor, which blocks dangerous tool calls before execution and continuously measures agent risk with a live Trust Grade (A–E). For third-party MCP servers, governing access is crucial to prevent accidental wide context export of sensitive code and secrets exposure via implicit context.
The AI coding assistant supply chain is also under active attack. In February 2026, the Cline CLI experienced a supply chain attack when an attacker, using a compromised npm token, published a malicious version (2.3.0) that installed the OpenClaw autonomous AI agent on approximately 4,000 developer machines during an eight-hour window. This incident underscores the need for rigorous validation of AI tool dependencies and the use of tools like Socket.dev or similar to monitor npm packages for malicious behavior.
- Building a Comprehensive Observability Stack for AI Agents
To achieve full visibility, combine multiple monitoring approaches. For real-time observability, tools like LLMBoard provide a dashboard that watches agents, tool calls, tokens, commands, and security anomalies in a web browser at localhost:3456. For runtime process monitoring, tools like Forgeterm scan /proc every 5 seconds to discover AI coding tool processes by matching command-line patterns, detecting `npm postinstall` scripts, piped curl commands, and credential file reads that happen in the background with no visibility.
For enterprise-wide monitoring, OpenAI’s internal approach is instructive. They run a private monitoring system across all standard internal coding agent deployments, viewing the full conversation history, including chains of thought, all user and assistant messages, along with tool calls and outputs. This allows them to detect misaligned behavior that only emerges in real, tool-intensive automation workflows and long sessions.
Integrate detection engineering with broader AI security frameworks like MITRE ATLAS. The atlas-detect tool (GitHub: akav-labs/atlas-detect) provides 97 detection rules covering 16 MITRE ATLAS tactics, including prompt injection, jailbreaks, credential exfiltration, model extraction, RAG poisoning, and reverse shells—using a single-pass regex scan. Combining such frameworks with your SIEM-based detection rules creates a comprehensive defense.
What Undercode Say:
- AI coding agents are the new insider threat. Their broad permissions and autonomous nature require security teams to shift from trust-based permission prompts to continuous, telemetry-driven monitoring. The same bash command a developer might run manually becomes much riskier when executed by an LLM that could be manipulated.
- Detection engineering for AI is not theoretical—it is operational today. The Cline CLI supply chain attack (impacting ~4,000 developers) and Anthropic’s own sandboxing announcements prove that organizations must instrument, monitor, and govern AI coding assistants with the same rigor as any other production service.
Prediction:
By 2027, AI coding agents will be responsible for more than 15% of all code commits in large enterprises, making them a primary attack vector for supply chain compromises, data exfiltration, and credential theft. Security teams will adopt AI-specific SIEM modules and runtime security agents as standard components of their development pipelines. The convergence of detection engineering, least-privilege sandboxing, and real-time behavioral analysis will become a prerequisite for any organization deploying LLM-based coding tools, shifting the industry from reactive permission prompts to proactive, continuous governance.
▶️ Related Video (84% Match):
🎯Let’s Practice For Free:
IT/Security Reporter URL:
Reported By: Mthomasson The – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅
