Skip to main content

Integrations

The Integrations view in the Telemetry section connects Alerts to your security tooling. Once a destination is connected, every new alert is rendered as an Detection Finding and delivered to it in near real time.
This forwards alert findings derived from TrustGuard and TrustGate telemetry — the security detections raised in Alerts. To forward the tenant audit trail (authentication, user management, configuration changes) instead, see Audit Logs.

Supported destinations

DestinationTransport
Microsoft SentinelAzure Monitor HTTP Data Collector API
DatadogLogs intake API
SplunkHTTP Event Collector (HEC)
ElasticElasticsearch index / data stream
IBM QRadarLEEF 2.0 over syslog (TLS)
WebhookGeneric HTTP POST (optional header auth + HMAC signature)
You can connect more than one destination — each new alert fans out to every connected integration whose filters match.

How forwarding works

1

A new alert is raised

Forwarding fires only for brand-new alerts. Repeated occurrences that dedupe into an existing alert do not re-forward, so a sustained attack won’t flood your SIEM.
2

The alert is rendered as OCSF

The alert is serialized into an OCSF Detection Finding — a vendor-neutral security event schema — carrying severity, source, entity, rule, and timestamps.
3

Filters decide the recipients

The finding is delivered to every connected destination whose filters match (see Delivery filters).
4

Delivery is retried on failure

Transient failures are retried with exponential backoff; permanently failed deliveries land in a dead-letter list you can inspect and requeue.

Connect a destination

Open Telemetry → Integrations, choose a provider, and fill in its connection fields. Connections are validated on save — malformed settings are rejected before any alert is forwarded — and every secret is encrypted at rest.
Streams findings to a Log Analytics workspace via the Azure Monitor HTTP Data Collector API.
FieldRequiredDescription
Workspace IDYesLog Analytics workspace ID (GUID).
Shared KeyYesWorkspace primary or secondary key (base64).
Log TypeNoCustom log table name (default NeuralTrustAlert).
Find both values in the Azure portal under Log Analytics workspace → Agents → Log Analytics agent instructions.
Forwards findings to the Datadog logs intake.
FieldRequiredDescription
API KeyYesCreated under Organization Settings → API Keys; sent as the DD-API-KEY header.
RegionNoYour Datadog site (e.g. US1-datadoghq.com). Must match your account region.
Service TagNoOptional service tag attached to all events.
SourceNoSource tag attached to events (e.g. neuraltrust).
Posts findings to a Splunk HTTP Event Collector (HEC).
FieldRequiredDescription
HEC URLYesHEC base URL (e.g. https://splunk.example:8088).
HEC TokenYesHTTP Event Collector token.
IndexNoTarget index.
Source TypeNoEvent source type (e.g. neuraltrust:alert).
Indexes findings into an Elasticsearch index or data stream. Authenticate with an API key or basic auth.
FieldRequiredDescription
URLYesElasticsearch base URL (e.g. https://es.example:9200).
IndexYesTarget index or data stream.
API KeyNoBase64 Elasticsearch API key.
Username / PasswordNoHTTP basic auth (alternative to the API key).
Sends LEEF 2.0 events to a QRadar event collector over syslog.
FieldRequiredDescription
HostYesQRadar event collector hostname or IP.
PortNoCollector port (default 514).
Use TLSNoSend over a TLS connection.
Skip TLS verificationNoAccept self-signed collector certificates.
POSTs the raw OCSF finding to any HTTP endpoint.
FieldRequiredDescription
URLYesDestination URL.
Header Name / Header ValueNoAn optional static request header for auth.
HMAC SecretNoIf set, adds an X-NeuralTrust-Signature signature over the request body so the receiver can verify authenticity.
Use Test connection after saving to send a synthetic finding through the destination and confirm connectivity before real alerts depend on it.

Delivery filters

A connected destination forwards all matching alerts by default. Filters only narrow that stream:
FilterEffect
Minimum severityForward only alerts at or above a severity floor (e.g. High sends High and Critical).
SourcesRestrict to specific products (TrustGuard, TrustGate, Cross). Empty = all.
SeveritiesAn explicit severity allow-list, when you want an exact set rather than a floor. Empty = all.
You can also pause a destination to stop forwarding without deleting its configuration.

Delivery health & troubleshooting

Each integration tracks a rolling 24-hour delivery health — the count of forwarded and failed events and the time of the last successful delivery.
IssueWhat to check
Events not arrivingVerify the endpoint URL, credentials, and that the destination isn’t paused.
Authentication failedRegenerate the API key / token and re-save (settings are re-validated on save).
Deliveries failingInspect the failed-delivery (dead-letter) list and requeue once the destination is healthy.
Nothing forwarded at allConfirm the alert’s severity/source passes the destination’s filters.

Alerts

The detection use cases and alerts that produce the findings forwarded here.

Audit Logs

The tenant audit trail for authentication, user management, and configuration events.