Audit Logs
Audit Logs provide a comprehensive record of all security-related actions in your NeuralTrust team. Use them for compliance reporting, security monitoring, and incident investigation.Benefits
- SOC2 Compliance: 1-year log retention meets compliance requirements
- Security Monitoring: Track who accessed what and when
- Incident Investigation: Detailed records for security investigations
- SIEM Integration: Forward events to your centralized security platform
Prerequisites
- Owner or Admin role in NeuralTrust
What’s Logged
Authentication Events
User Management Events
SSO Security Events
API Key Events
Viewing Audit Logs
Step 1: Open Audit Logs
- Log in to NeuralTrust as Owner or Admin
- Go to Settings → Audit Logs
Step 2: Apply Filters
Use the available filters to find specific events:Step 3: View Event Details
- Click on any row to expand details
- Review the full event information:
SIEM Integration
Forward audit logs to your SIEM platform for centralized security monitoring. Choose one of the supported platforms below.Supported Platforms
Configure Your SIEM
Go to Settings → SIEM, select your provider, and enter the required credentials. Expand the guide for your platform below.Splunk
Splunk
Step 1: Get your Splunk HEC Token
- Log in to your Splunk instance
- Go to Settings → Data Inputs → HTTP Event Collector
- Click New Token or use an existing one
- Copy the Token Value and your HEC endpoint URL
- Go to Settings → SIEM
- Select Splunk as the provider
- Enter your Endpoint URL, HEC Token, and Index
- Click Save
Elastic (ELK Stack)
Elastic (ELK Stack)
Step 1: Get your Elastic API Key
- Log in to Elastic Cloud or your self-hosted Kibana
- Go to Stack Management → API Keys
- Click Create API Key and copy it (only shown once!)
- Note your Elasticsearch endpoint
- Go to Settings → SIEM
- Select Elastic as the provider
- Enter your Endpoint URL, API Key, and Index
- Click Save
IBM QRadar
IBM QRadar
Step 1: Get your QRadar SEC Token
- Log in to QRadar Console
- Go to Admin → Authorized Services
- Create a new authorized service and copy the SEC Token
- Go to Settings → SIEM
- Select IBM QRadar as the provider
- Enter your Endpoint URL, SEC Token, and Log Source
- Click Save
Microsoft Sentinel
Microsoft Sentinel
Step 1: Create an App Registration in Azure
- Go to Azure Portal → Microsoft Entra ID → App registrations
- Create a new registration and copy Client ID and Tenant ID
- Create a Client Secret (copy immediately!)
- Go to Azure Monitor → Data Collection Rules
- Create a rule and note the DCR Immutable ID and Stream Name
- Grant Monitoring Metrics Publisher role to your App Registration
- Go to Settings → SIEM
- Select Microsoft Sentinel as the provider
- Enter Tenant ID, Client ID, Client Secret, DCR Immutable ID, and Stream Name
- Click Save
Datadog
Datadog
Step 1: Get your Datadog API Key
- Log in to Datadog
- Go to Organization Settings → API Keys
- Create or copy an existing API key
- Go to Settings → SIEM
- Select Datadog as the provider
- Enter your Endpoint URL (e.g.,
https://http-intake.logs.datadoghq.com/api/v2/logs), API Key, and Service name - Click Save
Select Event Categories
After connecting your SIEM, choose which events to forward:- In Settings → Audit Logs, click the SIEM Integration button
- Toggle the categories you want to send (Authentication, User Management, SSO Security, etc.)
- Click Save
Event Format
Events are sent as JSON with this structure:Understanding Login Failures
When investigating failed login attempts, check the failure reason:Investigating Suspicious Activity
Signs of potential security issues:- Multiple failed logins from the same IP with different accounts
- Successful login after failures may indicate brute force success
- Logins from unusual locations (check IP addresses)
- Off-hours access for users who normally work business hours
- Rapid role changes may indicate compromised admin account
Log Retention
Audit logs follow the same retention policy as your SIEM integration. Events are stored for compliance and can be forwarded to your SIEM for extended retention.
Access Permissions
Members cannot view audit logs to maintain separation of duties. If a member needs access for compliance purposes, an Owner must elevate their role.
Troubleshooting
Best Practices
- Review regularly — Check for unusual patterns weekly
- Set up SIEM alerts — Monitor for
auth.login.failureevents - Correlate events — Combine with firewall and VPN logs in your SIEM
- Document investigations — Keep records of security reviews
- Train team leads — Ensure Admins know how to use audit logs
Related Documentation
- Integrations — Forward alert findings to Splunk, Elastic, Sentinel, and more
- Configure SSO — Set up single sign-on for authentication logging
- SCIM Provisioning — Understand provisioning events in logs
- Break the Glass — Emergency access events are logged
- Security Overview — NeuralTrust security architecture