Skip to main content

Use Cases

The Use Cases view in Telemetry holds the rule catalog that drives Alerts. Each use case is a detection rule evaluated on a schedule by the AlertEngine over metadata events in the NeuralTrust telemetry store.
  • Predefined templates (nt-uc-NNN) ship with the platform. They are read-only — enable or disable them per team, or copy to custom to change thresholds or scope.
  • Custom use cases are team-owned. Create them from scratch or by copying a predefined template, then edit logic in the create/edit side panel.
Open Telemetry → Use Cases → Create use case (or edit an existing custom rule) to use the rule builder described below.

Rule builder tabs

The create/edit side panel has three tabs. Changes in Scope and Conditions compile live into the Rule preview tab.
1

General (Scope)

Set the rule name and description, choose which products are in scope (TrustGate and/or TrustGuard), and pick the gateways or collectors the rule applies to. Use Select all to apply the rule to every gateway/collector for a product, or pick individual targets.
2

Conditions

Build match predicates (event attributes) and optional detection predicates (TrustGuard detector chain). Combine rows with And / Or connectors, optionally enable a time window, and set severity plus a default assignee.
3

Rule preview

Read-only YAML — exactly what AlertEngine stores and evaluates. Use this to verify the compiled rule before saving.

Products and condition fields

Each custom rule compiles to a single source in the rule YAML: trustgate or trustguard. The condition field picker shows only fields valid for that product. On the General tab, select which products participate in scope (gateways, collectors). The active product for conditions is determined by your product selection:
  • If only TrustGate or only TrustGuard is selected, conditions use that product’s fields.
  • If both are selected, click the product row you want to author conditions for. Clicking an already-selected (inactive) product switches the condition field set without removing it from scope; click again to deselect it.
Cross-product rules (source: cross) are not exposed in the custom builder yet. Use predefined template nt-uc-401 (Coverage Gap) or author cross rules directly in YAML outside the UI.

Conditions

AND / OR logic

Each condition row is a predicate: field · operator · value.
  • And between rows keeps predicates in the same group (all must match).
  • Or starts a new group. The compiler emits YAML any: — disjunctive normal form (OR of AND-groups).
Click the And / Or pill between rows to toggle the connector. Use And + or Or + under a row to insert a new condition with that connector.

Operators

OperatorMeaningTypical value types
is (eq)Equalsstring, number, boolean, enum
inOne of (comma-separated list)string, number, enum
containsSubstring matchstring (e.g. security tags)
>, , <, Numeric comparisonnumber
Boolean fields use True / False. Enum fields (status outcome, detection type, direction, protocol, kind) show allowed values in the picker.

Field picker

Fields are grouped in the dropdown for readability. Each option includes a short description. Groups:
GroupContents
Outcome & statusStatus code, status outcome, flagged, security tags
RequestProduct-specific request metadata (route, model, provider, gateway/collector, policy, direction, protocol, …)
IdentityConsumer, consumer name, session, trace ID
Latency & usageLatency breakdown, token usage, cost (TrustGate); detector/overhead latency (TrustGuard)
MCPMCP method, tool, server name (TrustGate only)
DetectionDetection type, action, confidence, enforced (TrustGuard only)
See Event schema for how each logical field maps to stored events.

TrustGate condition fields (24)

FieldDescription
status.codeHTTP status code (e.g. 200, 403, 500)
status.outcomePolicy outcome: block, transform, report, allow
modelLLM model name
is_flaggedTrue when any detector fired or outcome ≠ allow
securitySecurity tag labels (contains)
sessionSession identifier
consumerConsumer (entity) ID
consumer.nameConsumer display name
trace_idTrace correlation ID
http_methodHTTP verb (GET, POST, …)
total_msTotal request latency (ms)
providerUpstream LLM provider
routeHTTP URL path
gateway_idTrustGate gateway ID
kindRequest kind: llm, mcp, a2a
latency.provider_msProvider latency (ms)
latency.gateway_msGateway latency (ms)
usage.total_tokensTotal tokens
usage.input_tokensInput tokens
usage.output_tokensOutput tokens
cost.total_usdEstimated cost (USD)
mcp.methodMCP JSON-RPC method
mcp.toolMCP tool name
mcp.server_nameMCP server name

TrustGuard condition fields (22)

Includes all Outcome, Identity, and shared fields above, plus:
FieldDescription
collector_idTrustGuard collector instance ID
collector_nameCollector display name
directioninput (prompt) or output (response)
protocolllm, mcp, or a2a
policy_idRuntime policy ID
policy_nameRuntime policy name
latency.detectors_msDetector execution time (ms)
latency.overhead_msProcessing overhead (ms)
detection.typeNormalized detection category (e.g. prompt_injection, pii, secrets)
detection.actionDetector action: block, transform, allow
detection.confidenceConfidence score 0–1
detection.enforcedTrue when action is block or transform
TrustGuard detection.* fields compile into a separate detection: block in the rule YAML (matched over the normalized detector chain). All other fields compile into match:.
IP address is not a supported field. There is no ip column in the metadata store. Group by session or consumer instead of IP for surge and anomaly rules.

Time window

Enable Time window to require a minimum number of matching events within a rolling period before the rule fires (windowed count) instead of alerting on every single match. When enabled, configure:
ControlDescription
Amount + unitWindow length (minutes or hours)
Per (group by)Entity bucket: Consumer (default), Session, App (gateway or collector), or Route (TrustGate only)
The UI focuses on window duration and group-by. The compiled rule uses sensible defaults for measure (count) and threshold; inspect Rule preview for the exact window, group_by, and threshold values.

Alert output

SettingDescription
SeverityDefault severity for alerts from this rule: Low, Medium, High, Critical
Default assigneeOptional team member pre-assigned when the alert is raised
Gateway/collector scope from the General tab is compiled as an additional gateway_id or collector_id predicate when specific targets are selected (not when Select all is on).

Example compiled rules

Per-event TrustGuard detection (similar to nt-uc-101)

Windowed TrustGate auth anomaly (similar to nt-uc-201)

OR groups (401 or 403 per event)


Rule kinds (evaluation models)

kindFires whenYAML extras
per_eventAny single matching event
windowedEvent count ≥ threshold per group_by within windowwindow, group_by, threshold
aggregateMetric (ratio, p95, avg, sum, count_distinct) crosses thresholdmetric: block
crossTrustGate ⋈ TrustGuard on correlate_ongate:, guard: selections
The custom builder today covers per_event and windowed rules. Aggregate and cross rules are available in predefined templates or by editing YAML directly.

Alerts

The raised findings, triage workflow, and predefined catalog.

Event schema

Event schema, detection normalization, and field mapping for rule authors.

Integrations

Forward findings to Splunk and other SIEMs as OCSF events.