Audit Logs
Audit Logs provide a comprehensive record of all security-related actions in your NeuralTrust team. Use them for compliance reporting, security monitoring, and incident investigation.
Benefits
- SOC 2 Compliance: 1-year log retention supports evidence-retention requirements
- Security Monitoring: Track who accessed what and when
- Incident Investigation: Detailed records for security investigations
- SIEM Integration: Forward events to your centralized security platform
Prerequisites
- Owner or Admin role in NeuralTrust
What’s Logged
Authentication Events
| Event | Description | Details Captured |
|---|---|---|
| login.success | User successfully signed in | Provider (Microsoft, GitHub, password), IP address |
| login.failure | Failed login attempt | Failure reason, IP address |
| logout | User signed out | Session duration |
| session.created | New session started | Device info, IP address |
| session.expired | Session timed out | Session duration |
User Management Events
| Event | Description | Details Captured |
|---|---|---|
| user.created | New user account created | Creation method (SSO, SCIM, manual) |
| user.role_changed | User’s role updated | Previous role, new role, changed by |
| user.joined_team | User joined the team | Join method |
| user.removed | User removed from team | Removed by, reason |
| user.deactivated | User account deactivated | Deactivation method |
SSO Security Events
| Event | Description | Details Captured |
|---|---|---|
| sso.configured | SSO settings created/updated | Configuration changes |
| sso.deleted | SSO configuration removed | Deleted by |
| sso.domain_added | Email domain added | Domain name |
| sso.domain_verified | Domain verification completed | Verification method |
| sso.enforced | SSO-only mode enabled | Enabled by |
| scim.token_generated | SCIM token created | Token expiration |
| scim.token_revoked | SCIM token revoked | Revoked by |
| scim.user_provisioned | User created via SCIM | Source system |
| scim.user_deprovisioned | User removed via SCIM | Source system |
API Key Events
| Event | Description | Details Captured |
|---|---|---|
| apikey.created | API key generated | Key name, expiration |
| apikey.used | API key used for authentication | Endpoint accessed |
| apikey.revoked | API key revoked | Revoked by |
Viewing Audit Logs
Step 1: Open Audit Logs
- Log in to NeuralTrust as Owner or Admin
- Go to Settings → Audit Logs
Step 2: Apply Filters
Use the available filters to find specific events:
| Filter | Options | Use Case |
|---|---|---|
| Date range | Start and end dates | Investigation timeframe |
| Category | Authentication, User Management, SSO Security | Event type grouping |
| Event type | Specific events (e.g., login.success) | Targeted investigation |
| Status | Success, Failure | Finding failed operations |
| Search | Free text search | Find by email or description |
Step 3: View Event Details
- Click on any row to expand details
- Review the full event information:
| Field | Description |
|---|---|
| Timestamp | Exact time of the event (UTC) |
| Actor | User who performed the action |
| Event | Type of event |
| Target | Resource affected (if applicable) |
| IP Address | Source IP of the request |
| Status | Success or Failure |
| Metadata | Additional context (varies by event) |
SIEM Integration
Forward audit logs to your SIEM platform for centralized security monitoring. Choose one of the supported platforms below.
Supported Platforms
| Platform | Authentication |
|---|---|
| Splunk | HEC Token |
| Elastic (ELK Stack) | API Key |
| IBM QRadar | SEC Token |
| Microsoft Sentinel | Entra ID (OAuth) |
| Datadog | API Key |
Configure Your SIEM
Go to Settings → SIEM, select your provider, and enter the required credentials. Expand the guide for your platform below.
Splunk
Step 1: Get your Splunk HEC Token
- Log in to your Splunk instance
- Go to Settings → Data Inputs → HTTP Event Collector
- Click New Token or use an existing one; restrict it to the index that will receive audit events
- Copy the Token Value and your HEC endpoint URL (by default HEC listens on port 8088, e.g. https://your-splunk-host:8088)
Step 2: Connect NeuralTrust to Splunk
- Go to Settings → SIEM
- Select Splunk as the provider
- Enter your Endpoint URL, HEC Token, and Index
- Click Save
Elastic (ELK Stack)
Step 1: Get your Elastic API Key
- Log in to Elastic Cloud or your self-hosted Kibana
- Go to Stack Management → API Keys
- Click Create API Key, restrict it to write access on the target index, and copy the encoded (Base64) value; it is shown only once
- Note your Elasticsearch endpoint (the Elasticsearch URL, not the Kibana URL)
Step 2: Connect NeuralTrust to Elastic
- Go to Settings → SIEM
- Select Elastic as the provider
- Enter your Endpoint URL, API Key, and Index
- Click Save
IBM QRadar
Step 1: Get your QRadar SEC Token
- Log in to QRadar Console
- Go to Admin → Authorized Services
- Create a new authorized service with the least-privileged user role that can ingest events, and copy the SEC Token
Step 2: Connect NeuralTrust to QRadar
- Go to Settings → SIEM
- Select IBM QRadar as the provider
- Enter your Endpoint URL, SEC Token, and Log Source
- Click Save
Microsoft Sentinel
Step 1: Create an App Registration in Azure
- Go to Azure Portal → Microsoft Entra ID → App registrations
- Create a new registration and copy the Client ID and Tenant ID
- Create a Client Secret and copy it immediately; it is shown only once
Step 2: Create a Data Collection Rule
- Go to Azure Monitor → Data Collection Rules
- Create a rule that targets the Log Analytics workspace behind your Sentinel instance, and note the DCR Immutable ID and Stream Name
- Grant the Monitoring Metrics Publisher role to your App Registration, scoped to that DCR rather than to the whole subscription
Step 3: Connect NeuralTrust to Sentinel
- Go to Settings → SIEM
- Select Microsoft Sentinel as the provider
- Enter Tenant ID, Client ID, Client Secret, DCR Immutable ID, and Stream Name
- Click Save
Datadog
Step 1: Get your Datadog API Key
- Log in to Datadog
- Go to Organization Settings → API Keys
- Create or copy an existing API key (an API key, not an Application key)
Step 2: Connect NeuralTrust to Datadog
- Go to Settings → SIEM
- Select Datadog as the provider
- Enter your Endpoint URL (e.g., https://http-intake.logs.datadoghq.com/api/v2/logs; use the intake host for your Datadog site, such as datadoghq.eu for EU accounts), API Key, and Service name
- Click Save
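Before pasting credentials into Settings → SIEM it helps to know what a forwarded event looks like on the wire for each platform, so that a rejected token or a wrong endpoint can be reproduced outside the product. The block below is an added example written for this page, not NeuralTrust's code and not a vendor SDK: it builds the Splunk HEC, Elasticsearch and Datadog requests for one constructed audit event. Endpoint hosts, tokens, index and service names are placeholders, and the event JSON is assumed to mirror the fields of the event details view rather than being the product's exact export schema.

```python
"""Added example, not NeuralTrust's code: shows what one forwarded audit event
looks like on the wire for Splunk HEC, Elasticsearch and Datadog, so the
endpoint, token and index you are about to enter in Settings -> SIEM can be
checked by hand first. Endpoints, tokens and index names are placeholders
(assumptions); the event JSON is a constructed sample in the shape of the
Event Details table, not the product's exact export schema."""
import base64
import json
import urllib.error
import urllib.request

SAMPLE_EVENT = {  # constructed, not a real log
    "timestamp": "2024-05-06T02:12:00Z", "actor": "carol@example.com",
    "event": "login.success", "target": None, "ip_address": "203.0.113.9",
    "status": "success", "metadata": {"provider": "password"},
}


def encode_elastic_key(key_id, api_key):
    """Elasticsearch expects base64('<id>:<api_key>') after 'ApiKey '; Kibana shows
    this as the 'encoded' value. Pasting the raw key instead is a common cause of 401s."""
    return base64.b64encode(f"{key_id}:{api_key}".encode()).decode()


def build_request(platform, cfg, event):
    """Return (url, headers, body) for one event using each platform's public
    ingestion API. A missing setting raises KeyError naming it; an unknown
    platform raises ValueError."""
    if platform == "splunk":
        # HEC: POST <endpoint>/services/collector/event, 'Authorization: Splunk <token>'
        url = cfg["endpoint"].rstrip("/") + "/services/collector/event"
        headers = {"Authorization": f"Splunk {cfg['token']}"}
        body = {"event": event, "index": cfg["index"], "sourcetype": "neuraltrust:audit"}
    elif platform == "elastic":
        # Index API: POST <endpoint>/<index>/_doc, 'Authorization: ApiKey <encoded>'
        url = f"{cfg['endpoint'].rstrip('/')}/{cfg['index']}/_doc"
        headers = {"Authorization": f"ApiKey {cfg['api_key']}"}
        body = event
    elif platform == "datadog":
        # Logs API v2: POST <endpoint>, 'DD-API-KEY: <key>', body is a JSON array of logs
        url = cfg["endpoint"]
        headers = {"DD-API-KEY": cfg["api_key"]}
        body = [{"ddsource": "neuraltrust", "service": cfg["service"],
                 "ddtags": f"event:{event['event']},status:{event['status']}",
                 "message": json.dumps(event)}]
    else:
        raise ValueError(f"unsupported platform: {platform}")
    headers["Content-Type"] = "application/json"
    return url, headers, body


def send(url, headers, body, timeout=10):
    """POST the event and return the HTTP status. 401/403 means the credential is
    wrong; a connection error means the SIEM is unreachable from here (compare
    the Troubleshooting table on this page)."""
    req = urllib.request.Request(url, data=json.dumps(body).encode(),
                                 headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


if __name__ == "__main__":
    cfg = {"endpoint": "https://splunk.example.com:8088",  # placeholder values
           "token": "00000000-0000-0000-0000-000000000000", "index": "neuraltrust_audit"}
    url, headers, body = build_request("splunk", cfg, SAMPLE_EVENT)
    print(url)
    print(json.dumps(body, indent=2))
    # print(send(url, headers, body))  # uncomment against a real HEC for an end-to-end check
```

Splunk additionally answers GET <endpoint>/services/collector/health without a token, which separates "host unreachable" from "token rejected" before you involve the product at all.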
Select Event Categories
After connecting your SIEM, choose which events to forward:
- In Settings → Audit Logs, click the SIEM Integration button
- Toggle the categories you want to send (Authentication, User Management, SSO Security, etc.)
- Click Save
Event Format
Events are sent as JSON; each event carries the fields shown in the event details view (Timestamp, Actor, Event, Target, IP Address, Status, Metadata).
Understanding Login Failures
When investigating failed login attempts, check the failure reason captured with the login.failure event:
| Reason | Description | Action Required |
|---|---|---|
| invalid_credentials | Wrong password entered | User may need a password reset |
| sso_enforced | Password login blocked (SSO required) | User should sign in through the SSO provider (e.g., “Sign in with Microsoft”) |
| rate_limited | Too many failed attempts | Temporary block; investigate if it persists |
| account_disabled | User account is deactivated | Verify whether this was intentional, or re-enable the account |
| unauthorized_team_access | Email domain not authorized | Add or verify the domain in SSO settings |
| mfa_required | MFA verification needed | User must complete MFA |
| session_expired | Session timed out | Normal behavior; the user should log in again |
Investigating Suspicious Activity
Signs of potential security issues:
- Multiple failed logins from the same IP against different accounts (password spraying)
- A successful login shortly after a burst of failures for the same account, which may indicate a successful brute-force attempt
- Logins from unusual locations (check the IP addresses)
- Off-hours access for users who normally work business hours
- Rapid role changes by one actor, which may indicate a compromised admin account
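The signs above can be checked mechanically over exported events rather than by eye. The block below is an added example, not NeuralTrust's code: it implements four of them (password spraying from one IP, a success after repeated failures, off-hours logins, and bursts of role changes) over a constructed set of events. The event field names are assumed from the event details table, the business-hours window is a fixed 08:00 to 18:00 UTC stand-in for a per-user baseline, and the thresholds are starting points to tune against your own volume.

```python
"""Added example, not NeuralTrust's code: runs the page's 'signs of potential
security issues' as checks over audit events. The event shape is ASSUMED from
the Event Details table (timestamp, actor, event, target, ip_address, status,
metadata); the real exported JSON may use different field names."""
from collections import defaultdict
from datetime import datetime, timedelta


def ev(t, actor, event, ip, target=None, **meta):
    """One constructed event in the assumed export shape."""
    return {"timestamp": t, "actor": actor, "event": event, "target": target,
            "ip_address": ip, "status": "failure" if event.endswith(".failure") else "success",
            "metadata": meta}


D = "2024-05-06T"
SAMPLE_EVENTS = [  # constructed, not real logs; times are UTC as in the UI
    # one IP sprays three accounts, then guesses carol's password
    ev(D + "02:10:00Z", "alice@example.com", "login.failure", "203.0.113.9", reason="invalid_credentials"),
    ev(D + "02:10:30Z", "bob@example.com", "login.failure", "203.0.113.9", reason="invalid_credentials"),
    ev(D + "02:11:00Z", "carol@example.com", "login.failure", "203.0.113.9", reason="invalid_credentials"),
    ev(D + "02:11:20Z", "carol@example.com", "login.failure", "203.0.113.9", reason="invalid_credentials"),
    ev(D + "02:11:40Z", "carol@example.com", "login.failure", "203.0.113.9", reason="invalid_credentials"),
    ev(D + "02:12:00Z", "carol@example.com", "login.success", "203.0.113.9", provider="password"),
    # the taken-over account promotes two users within a minute
    ev(D + "02:15:00Z", "carol@example.com", "user.role_changed", "203.0.113.9",
       target="dave@example.com", previous_role="Member", new_role="Admin"),
    ev(D + "02:16:00Z", "carol@example.com", "user.role_changed", "203.0.113.9",
       target="erin@example.com", previous_role="Member", new_role="Admin"),
    # benign daytime activity
    ev(D + "14:00:00Z", "frank@example.com", "login.success", "198.51.100.7", provider="Microsoft"),
    ev(D + "14:05:00Z", "grace@example.com", "login.failure", "198.51.100.8", reason="sso_enforced"),
]


def ts(event):
    """Parse the UTC timestamp into a timezone-aware datetime."""
    return datetime.fromisoformat(event["timestamp"].replace("Z", "+00:00"))


def _within(events, start, window):
    return [e for e in events if start <= ts(e) <= start + window]


def password_spray(events, window=timedelta(minutes=10), min_accounts=3):
    """One source IP failing against >= min_accounts distinct accounts inside window."""
    fails = defaultdict(list)
    for e in sorted(events, key=ts):
        if e["event"] == "login.failure":
            fails[e["ip_address"]].append(e)
    hits = {}
    for ip, evs in fails.items():
        for first in evs:  # slide the window from each failure
            accounts = {e["actor"] for e in _within(evs, ts(first), window)}
            if len(accounts) >= min_accounts:
                hits[ip] = sorted(accounts)
                break
    return hits


def brute_force_success(events, window=timedelta(minutes=15), min_failures=3):
    """Account with >= min_failures failed logins followed by a success inside window."""
    hits = []
    for e in sorted(events, key=ts):
        if e["event"] != "login.success":
            continue
        prior = [p for p in events
                 if p["actor"] == e["actor"] and p["event"] == "login.failure"
                 and ts(e) - window <= ts(p) < ts(e)]
        if len(prior) >= min_failures:
            hits.append({"actor": e["actor"], "ip": e["ip_address"], "failures": len(prior)})
    return hits


def off_hours_logins(events, start_hour=8, end_hour=18):
    """Successful logins outside an assumed 08:00-18:00 UTC business window.
    A real deployment should use each user's own baseline instead of a fixed window."""
    return [e["actor"] for e in events
            if e["event"] == "login.success" and not start_hour <= ts(e).hour < end_hour]


def rapid_role_changes(events, window=timedelta(minutes=5), min_changes=2):
    """Same actor issuing >= min_changes role changes inside window (possible admin takeover)."""
    changes = defaultdict(list)
    for e in events:
        if e["event"] == "user.role_changed":
            changes[e["actor"]].append(e)
    hits = {}
    for actor, evs in changes.items():
        evs.sort(key=ts)
        for first in evs:
            burst = _within(evs, ts(first), window)
            if len(burst) >= min_changes:
                hits[actor] = [b["target"] for b in burst]
                break
    return hits


if __name__ == "__main__":
    print("password spray:", password_spray(SAMPLE_EVENTS))
    print("brute-force success:", brute_force_success(SAMPLE_EVENTS))
    print("off-hours logins:", off_hours_logins(SAMPLE_EVENTS))
    print("role-change bursts:", rapid_role_changes(SAMPLE_EVENTS))
```

Run against the constructed data, all four checks converge on carol's account and 203.0.113.9, which is the point of correlating them: a single off-hours login is noise, but an off-hours login that follows a spray and is followed by role changes is an incident.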
Log Retention
Audit logs are retained in NeuralTrust for one year, the basis of the SOC 2 note above. If your policy requires longer retention, forward events to your SIEM; once forwarded, the SIEM's own retention policy applies to those copies.
Access Permissions
| Role | View Logs | Configure SIEM |
|---|---|---|
| Owner | ✓ | ✓ |
| Admin | ✓ | ✓ |
| Member | ✗ | ✗ |
Members cannot view audit logs to maintain separation of duties. If a member needs access for compliance purposes, an Owner must elevate their role.
Troubleshooting
| Issue | Cause | Solution |
|---|---|---|
| Can’t see audit logs | Insufficient permissions | Request Owner/Admin role |
| Logs missing for date | Outside retention period | Contact support if needed |
| Search returns nothing | Wrong search terms | Try partial matches or different filters |
| SIEM not receiving events | Wrong credentials | Verify the API key/token and endpoint URL; a 401/403 from the SIEM points at the credential |
| SIEM connected but nothing arrives | No event categories selected | In Settings → Audit Logs → SIEM Integration, toggle on at least one category and save |
| SIEM connection failed | Firewall blocking | Ensure NeuralTrust's source IPs are allow-listed on the SIEM side |
Best Practices
- Review regularly — Check for unusual patterns weekly
- Set up SIEM alerts — Alert on login.failure events, especially bursts from a single IP, and on user.role_changed events
- Correlate events — Combine with firewall and VPN logs in your SIEM
- Document investigations — Keep records of security reviews
- Train team leads — Ensure Admins know how to use audit logs
Related Documentation
- SIEM Integration — Forward events to Splunk, Elastic, Sentinel, and more
- Configure SSO — Set up single sign-on for authentication logging
- SCIM Provisioning — Understand provisioning events in logs
- Break the Glass — Emergency access events are logged
- Security Overview — NeuralTrust security architecture