Skip to main content

Audit Logs

Audit Logs provide a comprehensive record of all security-related actions in your NeuralTrust team. Use them for compliance reporting, security monitoring, and incident investigation.

Benefits

  • SOC2 Compliance: 1-year log retention meets compliance requirements
  • Security Monitoring: Track who accessed what and when
  • Incident Investigation: Detailed records for security investigations
  • SIEM Integration: Forward events to your centralized security platform

Prerequisites

  • Owner or Admin role in NeuralTrust

What’s Logged

Authentication Events

User Management Events

SSO Security Events

API Key Events


Viewing Audit Logs

Step 1: Open Audit Logs

  1. Log in to NeuralTrust as Owner or Admin
  2. Go to SettingsAudit Logs

Step 2: Apply Filters

Use the available filters to find specific events:

Step 3: View Event Details

  1. Click on any row to expand details
  2. Review the full event information:

SIEM Integration

Forward audit logs to your SIEM platform for centralized security monitoring. Choose one of the supported platforms below.

Supported Platforms

Configure Your SIEM

Go to SettingsSIEM, select your provider, and enter the required credentials. Expand the guide for your platform below.
Step 1: Get your Splunk HEC Token
  1. Log in to your Splunk instance
  2. Go to SettingsData InputsHTTP Event Collector
  3. Click New Token or use an existing one
  4. Copy the Token Value and your HEC endpoint URL
Step 2: Configure in NeuralTrust
  1. Go to SettingsSIEM
  2. Select Splunk as the provider
  3. Enter your Endpoint URL, HEC Token, and Index
  4. Click Save
Step 1: Get your Elastic API Key
  1. Log in to Elastic Cloud or your self-hosted Kibana
  2. Go to Stack ManagementAPI Keys
  3. Click Create API Key and copy it (only shown once!)
  4. Note your Elasticsearch endpoint
Step 2: Configure in NeuralTrust
  1. Go to SettingsSIEM
  2. Select Elastic as the provider
  3. Enter your Endpoint URL, API Key, and Index
  4. Click Save
Step 1: Get your QRadar SEC Token
  1. Log in to QRadar Console
  2. Go to AdminAuthorized Services
  3. Create a new authorized service and copy the SEC Token
Step 2: Configure in NeuralTrust
  1. Go to SettingsSIEM
  2. Select IBM QRadar as the provider
  3. Enter your Endpoint URL, SEC Token, and Log Source
  4. Click Save
Step 1: Create an App Registration in Azure
  1. Go to Azure Portal → Microsoft Entra IDApp registrations
  2. Create a new registration and copy Client ID and Tenant ID
  3. Create a Client Secret (copy immediately!)
Step 2: Create a Data Collection Rule (DCR)
  1. Go to Azure MonitorData Collection Rules
  2. Create a rule and note the DCR Immutable ID and Stream Name
  3. Grant Monitoring Metrics Publisher role to your App Registration
Step 3: Configure in NeuralTrust
  1. Go to SettingsSIEM
  2. Select Microsoft Sentinel as the provider
  3. Enter Tenant ID, Client ID, Client Secret, DCR Immutable ID, and Stream Name
  4. Click Save
Step 1: Get your Datadog API Key
  1. Log in to Datadog
  2. Go to Organization SettingsAPI Keys
  3. Create or copy an existing API key
Step 2: Configure in NeuralTrust
  1. Go to SettingsSIEM
  2. Select Datadog as the provider
  3. Enter your Endpoint URL (e.g., https://http-intake.logs.datadoghq.com/api/v2/logs), API Key, and Service name
  4. Click Save

Select Event Categories

After connecting your SIEM, choose which events to forward:
  1. In SettingsAudit Logs, click the SIEM Integration button
  2. Toggle the categories you want to send (Authentication, User Management, SSO Security, etc.)
  3. Click Save

Event Format

Events are sent as JSON with this structure:

Understanding Login Failures

When investigating failed login attempts, check the failure reason:

Investigating Suspicious Activity

Signs of potential security issues:
  1. Multiple failed logins from the same IP with different accounts
  2. Successful login after failures may indicate brute force success
  3. Logins from unusual locations (check IP addresses)
  4. Off-hours access for users who normally work business hours
  5. Rapid role changes may indicate compromised admin account

Log Retention

Audit logs follow the same retention policy as your SIEM integration. Events are stored for compliance and can be forwarded to your SIEM for extended retention.

Access Permissions

Members cannot view audit logs to maintain separation of duties. If a member needs access for compliance purposes, an Owner must elevate their role.

Troubleshooting


Best Practices

  1. Review regularly — Check for unusual patterns weekly
  2. Set up SIEM alerts — Monitor for auth.login.failure events
  3. Correlate events — Combine with firewall and VPN logs in your SIEM
  4. Document investigations — Keep records of security reviews
  5. Train team leads — Ensure Admins know how to use audit logs