Configure Policies for Claude Enterprise

Create a Detection & Response policy for Claude

1. Go to Detection & Response, then Policies, then New Policy.

2. Set Channel = Claude (Compliance API).

3. Pick detection rules from your existing library: PII, PHI, PCI, secrets, source code, custom regex, or custom named-entity detectors.

4. Optional: scope by Claude user email or Claude project ID. Empty scope means all users and all projects in the connected Claude organization.

5. Configure actions:

• Alert admin: Slack, email, webhook, SIEM destinations (same set as your other connectors).

  • Notify end user: optional.

  • Tag for review: optional.

  • Block is not available on this channel. The UI explains why and links to the Nightfall endpoint agent for inline blocking on Claude Desktop, Claude Code, and the Claude browser tab.

1. Save the policy. It begins matching against newly ingested Claude content within one polling cycle.