> ## Documentation Index
> Fetch the complete documentation index at: https://docs.neuraltrust.ai/llms.txt
> Use this file to discover all available pages before exploring further.

# Audit Logs

> View and monitor security audit logs in NeuralTrust. Track authentication events, user management, and SSO activities. Integrate with your SIEM platform.

# Audit Logs

Audit Logs provide a comprehensive record of all security-related actions in your NeuralTrust team. Use them for compliance reporting, security monitoring, and incident investigation.

## Benefits

* **SOC2 Compliance**: 1-year log retention meets compliance requirements
* **Security Monitoring**: Track who accessed what and when
* **Incident Investigation**: Detailed records for security investigations
* **SIEM Integration**: Forward events to your centralized security platform

## Prerequisites

* Owner or Admin role in NeuralTrust

***

## What's Logged

### Authentication Events

| Event             | Description                 | Details Captured                                   |
| ----------------- | --------------------------- | -------------------------------------------------- |
| `login.success`   | User successfully signed in | Provider (Microsoft, GitHub, password), IP address |
| `login.failure`   | Failed login attempt        | Failure reason, IP address                         |
| `logout`          | User signed out             | Session duration                                   |
| `session.created` | New session started         | Device info, IP address                            |
| `session.expired` | Session timed out           | Session duration                                   |

### User Management Events

| Event               | Description              | Details Captured                    |
| ------------------- | ------------------------ | ----------------------------------- |
| `user.created`      | New user account created | Creation method (SSO, SCIM, manual) |
| `user.role_changed` | User's role updated      | Previous role, new role, changed by |
| `user.joined_team`  | User joined the team     | Join method                         |
| `user.removed`      | User removed from team   | Removed by, reason                  |
| `user.deactivated`  | User account deactivated | Deactivation method                 |

### SSO Security Events

| Event                     | Description                   | Details Captured      |
| ------------------------- | ----------------------------- | --------------------- |
| `sso.configured`          | SSO settings created/updated  | Configuration changes |
| `sso.deleted`             | SSO configuration removed     | Deleted by            |
| `sso.domain_added`        | Email domain added            | Domain name           |
| `sso.domain_verified`     | Domain verification completed | Verification method   |
| `sso.enforced`            | SSO-only mode enabled         | Enabled by            |
| `scim.token_generated`    | SCIM token created            | Token expiration      |
| `scim.token_revoked`      | SCIM token revoked            | Revoked by            |
| `scim.user_provisioned`   | User created via SCIM         | Source system         |
| `scim.user_deprovisioned` | User removed via SCIM         | Source system         |

### API Key Events

| Event            | Description                     | Details Captured     |
| ---------------- | ------------------------------- | -------------------- |
| `apikey.created` | API key generated               | Key name, expiration |
| `apikey.used`    | API key used for authentication | Endpoint accessed    |
| `apikey.revoked` | API key revoked                 | Revoked by           |

***

## Viewing Audit Logs

### Step 1: Open Audit Logs

1. Log in to <a href="https://app.neuraltrust.ai" target="_blank">NeuralTrust</a> as Owner or Admin
2. Go to <a href="https://app.neuraltrust.ai/settings/audit-logs" target="_blank">**Settings** → **Audit Logs**</a>

### Step 2: Apply Filters

Use the available filters to find specific events:

| Filter         | Options                                       | Use Case                     |
| -------------- | --------------------------------------------- | ---------------------------- |
| **Date range** | Start and end dates                           | Investigation timeframe      |
| **Category**   | Authentication, User Management, SSO Security | Event type grouping          |
| **Event type** | Specific events (e.g., login.success)         | Targeted investigation       |
| **Status**     | Success, Failure                              | Finding failed operations    |
| **Search**     | Free text search                              | Find by email or description |

### Step 3: View Event Details

1. Click on any row to expand details
2. Review the full event information:

| Field          | Description                          |
| -------------- | ------------------------------------ |
| **Timestamp**  | Exact time of the event (UTC)        |
| **Actor**      | User who performed the action        |
| **Event**      | Type of event                        |
| **Target**     | Resource affected (if applicable)    |
| **IP Address** | Source IP of the request             |
| **Status**     | Success or Failure                   |
| **Metadata**   | Additional context (varies by event) |

***

## SIEM Integration

Forward audit logs to your SIEM platform for centralized security monitoring. Choose one of the supported platforms below.

### Supported Platforms

| Platform            | Authentication   |
| ------------------- | ---------------- |
| Splunk              | HEC Token        |
| Elastic (ELK Stack) | API Key          |
| IBM QRadar          | SEC Token        |
| Microsoft Sentinel  | Entra ID (OAuth) |
| Datadog             | API Key          |

### Configure Your SIEM

Go to <a href="https://app.neuraltrust.ai/settings/siem" target="_blank">**Settings** → **SIEM**</a>, select your provider, and enter the required credentials. Expand the guide for your platform below.

<AccordionGroup>
  <Accordion title="Splunk">
    **Step 1: Get your Splunk HEC Token**

    1. Log in to your Splunk instance
    2. Go to **Settings** → **Data Inputs** → **HTTP Event Collector**
    3. Click **New Token** or use an existing one
    4. Copy the **Token Value** and your HEC endpoint URL

    **Step 2: Configure in NeuralTrust**

    1. Go to **Settings** → **SIEM**
    2. Select **Splunk** as the provider
    3. Enter your **Endpoint URL**, **HEC Token**, and **Index**
    4. Click **Save**
  </Accordion>

  <Accordion title="Elastic (ELK Stack)">
    **Step 1: Get your Elastic API Key**

    1. Log in to Elastic Cloud or your self-hosted Kibana
    2. Go to **Stack Management** → **API Keys**
    3. Click **Create API Key** and copy it (only shown once!)
    4. Note your Elasticsearch endpoint

    **Step 2: Configure in NeuralTrust**

    1. Go to **Settings** → **SIEM**
    2. Select **Elastic** as the provider
    3. Enter your **Endpoint URL**, **API Key**, and **Index**
    4. Click **Save**
  </Accordion>

  <Accordion title="IBM QRadar">
    **Step 1: Get your QRadar SEC Token**

    1. Log in to QRadar Console
    2. Go to **Admin** → **Authorized Services**
    3. Create a new authorized service and copy the **SEC Token**

    **Step 2: Configure in NeuralTrust**

    1. Go to **Settings** → **SIEM**
    2. Select **IBM QRadar** as the provider
    3. Enter your **Endpoint URL**, **SEC Token**, and **Log Source**
    4. Click **Save**
  </Accordion>

  <Accordion title="Microsoft Sentinel">
    **Step 1: Create an App Registration in Azure**

    1. Go to Azure Portal → **Microsoft Entra ID** → **App registrations**
    2. Create a new registration and copy **Client ID** and **Tenant ID**
    3. Create a **Client Secret** (copy immediately!)

    **Step 2: Create a Data Collection Rule (DCR)**

    1. Go to **Azure Monitor** → **Data Collection Rules**
    2. Create a rule and note the **DCR Immutable ID** and **Stream Name**
    3. Grant **Monitoring Metrics Publisher** role to your App Registration

    **Step 3: Configure in NeuralTrust**

    1. Go to **Settings** → **SIEM**
    2. Select **Microsoft Sentinel** as the provider
    3. Enter **Tenant ID**, **Client ID**, **Client Secret**, **DCR Immutable ID**, and **Stream Name**
    4. Click **Save**
  </Accordion>

  <Accordion title="Datadog">
    **Step 1: Get your Datadog API Key**

    1. Log in to Datadog
    2. Go to **Organization Settings** → **API Keys**
    3. Create or copy an existing API key

    **Step 2: Configure in NeuralTrust**

    1. Go to **Settings** → **SIEM**
    2. Select **Datadog** as the provider
    3. Enter your **Endpoint URL** (e.g., `https://http-intake.logs.datadoghq.com/api/v2/logs`), **API Key**, and **Service** name
    4. Click **Save**
  </Accordion>
</AccordionGroup>

### Select Event Categories

After connecting your SIEM, choose which events to forward:

1. In **Settings** → **Audit Logs**, click the **SIEM Integration** button
2. Toggle the categories you want to send (Authentication, User Management, SSO Security, etc.)
3. Click **Save**

### Event Format

Events are sent as JSON with this structure:

```json theme={null}
{
  "timestamp": "2026-01-15T10:30:00.000Z",
  "eventType": "auth.login.success",
  "eventCategory": "authentication",
  "status": "success",
  "actor": { "id": "user-uuid", "email": "user@company.com" },
  "context": { "ipAddress": "192.168.1.100", "teamId": "team-uuid" }
}
```

***

## Understanding Login Failures

When investigating failed login attempts, check the failure reason:

| Reason                     | Description                           | Action Required                            |
| -------------------------- | ------------------------------------- | ------------------------------------------ |
| `invalid_credentials`      | Wrong password entered                | User may need password reset               |
| `sso_enforced`             | Password login blocked (SSO required) | User should use "Sign in with Microsoft"   |
| `rate_limited`             | Too many failed attempts              | Temporary block, investigate if persistent |
| `account_disabled`         | User account is deactivated           | Verify if intentional or re-enable         |
| `unauthorized_team_access` | Email domain not authorized           | Add/verify domain in SSO settings          |
| `mfa_required`             | MFA verification needed               | User must complete MFA                     |
| `session_expired`          | Session timeout                       | Normal behavior, user should re-login      |

### Investigating Suspicious Activity

Signs of potential security issues:

1. **Multiple failed logins** from the same IP with different accounts
2. **Successful login after failures** may indicate brute force success
3. **Logins from unusual locations** (check IP addresses)
4. **Off-hours access** for users who normally work business hours
5. **Rapid role changes** may indicate compromised admin account

***

## Log Retention

<Note>
  Audit logs follow the same retention policy as your SIEM integration. Events are stored for compliance and can be forwarded to your SIEM for extended retention.
</Note>

***

## Access Permissions

| Role       | View Logs | Configure SIEM |
| ---------- | --------- | -------------- |
| **Owner**  | ✓         | ✓              |
| **Admin**  | ✓         | ✓              |
| **Member** | ✗         | ✗              |

<Note>
  Members cannot view audit logs to maintain separation of duties. If a member needs access for compliance purposes, an Owner must elevate their role.
</Note>

***

## Troubleshooting

| Issue                     | Cause                    | Solution                                 |
| ------------------------- | ------------------------ | ---------------------------------------- |
| Can't see audit logs      | Insufficient permissions | Request Owner/Admin role                 |
| Logs missing for date     | Outside retention period | Contact support if needed                |
| Search returns nothing    | Wrong search terms       | Try partial matches or different filters |
| SIEM not receiving events | Wrong credentials        | Verify API key/token and endpoint URL    |
| SIEM connection failed    | Firewall blocking        | Ensure NeuralTrust IPs are whitelisted   |

***

## Best Practices

1. **Review regularly** — Check for unusual patterns weekly
2. **Set up SIEM alerts** — Monitor for `auth.login.failure` events
3. **Correlate events** — Combine with firewall and VPN logs in your SIEM
4. **Document investigations** — Keep records of security reviews
5. **Train team leads** — Ensure Admins know how to use audit logs

## Related Documentation

* [Integrations](/platform/alert-integrations) — Forward alert findings to Splunk, Elastic, Sentinel, and more
* [Configure SSO](/platform/sso) — Set up single sign-on for authentication logging
* [SCIM Provisioning](/platform/scim) — Understand provisioning events in logs
* [Break the Glass](/platform/break-glass) — Emergency access events are logged
* [Security Overview](/neuraltrust/security/overview) — NeuralTrust security architecture
