Integrations

Core Log Sources — Included

Every Hal deployment includes ingestion and analysis for these sources:

Microsoft 365

Audit logs from Exchange, SharePoint, OneDrive, Teams, and Azure AD. Detects mailbox rule changes, forwarding rules, file sharing anomalies, admin operations, and OAuth app consents.

Google Workspace

Reports API audit logs plus Alert Center security alerts. Detects suspicious logins, forwarding rules, Drive sharing changes, admin operations, and phishing alerts.

Microsoft Entra ID

Sign-in logs, risk detections, and directory audits via Graph API. Detects credential attacks, impossible travel, risky sign-ins, MFA changes, and service principal activity. P1 license required for sign-in logs; P2 for risk detections.

Windows Servers

Event logs collected via Sidecar and Winlogbeat — no kernel agent. Detects failed logons, privilege escalation, service installation, scheduled task creation, and security log clearing.

Network Devices

FreeBSD router syslog over encrypted Tailscale tunnels — no public ports exposed. Detects firewall blocks, VPN connections, interface changes, and routing anomalies.

Meraki WAN IP Correlation

Hourly polling of corporate WAN IPs from the Meraki Dashboard API. Hal automatically tags known client IPs in investigations — distinguishing office traffic from external threats.


Paid Add-On Integrations

NinjaOne RMM

Real-time device intelligence during investigations:

  • Device lookup by hostname, IP, serial number, or username
  • Patch status: pending OS and software updates
  • Software inventory: full list of installed applications
  • Active alerts: disk space, SMART failures, offline devices, AV issues
  • Organization device listing with counts by type

When Hal sees a suspicious sign-in, it verifies the device is managed and belongs to the expected client.

Hudu Documentation

Human-written context that logs don’t contain:

  • Company contacts: names, titles, phone, email
  • Asset documentation: servers, workstations, network devices, VLANs
  • Knowledge base articles
  • Network information: WAN circuits, Active Directory domains, DNS

When Hal investigates an alert, it checks who works at the company, what their network looks like, and whether there’s a known change window — context that transforms a raw alert into an informed assessment.
