Integrations
Core Log Sources — Included
Every Hal deployment includes ingestion and analysis for these sources:
Microsoft 365
Audit logs from Exchange, SharePoint, OneDrive, Teams, and Azure AD. Detects mailbox rule changes, forwarding rules, file sharing anomalies, admin operations, and OAuth app consents.
Google Workspace
Reports API audit logs plus Alert Center security alerts. Detects suspicious logins, forwarding rules, Drive sharing changes, admin operations, and phishing alerts.
Microsoft Entra ID
Sign-in logs, risk detections, and directory audits via Graph API. Detects credential attacks, impossible travel, risky sign-ins, MFA changes, and service principal activity. P1 license required for sign-in logs; P2 for risk detections.
Windows Servers
Event logs collected via Sidecar and Winlogbeat — no kernel agent. Detects failed logons, privilege escalation, service installation, scheduled task creation, and security log clearing.
Network Devices
FreeBSD router syslog over encrypted Tailscale tunnels — no public ports exposed. Detects firewall blocks, VPN connections, interface changes, and routing anomalies.
Paid Add-On Integrations
Slack Integration
Automated alerts posted to your team channel with severity levels. Plain English conversations, threaded investigations, client notes, and proactive watches (“check this user again in 20 minutes”). For teams that live in Slack.
Meraki Dashboard
Full Meraki network visibility during investigations — not just WAN IP tagging. 15 live tools covering MX appliances, switches, and wireless APs:
- Device status, VPN peers, and uplink performance
- Switch port details and PoE status
- Wireless client health and signal quality
- Security events and configuration changes
- Automatic WAN IP correlation — tags known client IPs to distinguish office traffic from external threats
NinjaOne RMM
Real-time device intelligence during investigations:
- Device lookup by hostname, IP, serial number, or username
- Patch status: pending OS and software updates
- Software inventory: full list of installed applications
- Active alerts: disk space, SMART failures, offline devices, AV issues
- Organization device listing with counts by type
When Hal sees a suspicious sign-in, it verifies the device is managed and belongs to the expected client.
Hudu Documentation
Human-written context that logs don’t contain:
- Company contacts: names, titles, phone, email
- Asset documentation: servers, workstations, network devices, VLANs
- Knowledge base articles
- Network information: WAN circuits, Active Directory domains, DNS
When Hal investigates an alert, it checks who works at the company, what their network looks like, and whether there’s a known change window — context that transforms a raw alert into an informed assessment.