Skip to content

Sign-in & Audit Feeds

Sign-in & audit feeds

Hal ingests the rich audit logs that Microsoft and Google publish for every tenant. Every authentication attempt, every admin action, every risky sign-in, every DLP event — Hal sees it within minutes.

Microsoft 365:

  • Unified Audit Log content types: Audit.AzureActiveDirectory, Audit.Exchange, Audit.SharePoint, Audit.General, DLP.All, plus the ServiceHealth feed.
  • Sign-in logs and risk detections (with Entra ID P1 / P2).

Google Workspace:

  • All Admin Reports applications (login, admin, drive, token, groups, mobile, calendar, chat, meet, etc.)

For the full list of content types and how to verify they’re flowing, see Audit Logging Prerequisites.

These feeds are what Hal reasons over — every escalation is built from them and arrives with the analysis and the fix:

A Hal alert built from sign-in and audit data, expanded to show the analysis and numbered remediation steps