Security

Threat Intelligence Dashboard (Professional+)

Monitor security events in real time, track attack patterns, and maintain a continuous security posture score. All data is PII-free metadata only.

What Gets Monitored

NeuronEdge tracks the following security event types. Only PII-free metadata is stored—no request content is retained.

  • guardrail_violation — Policy enforcement triggers (banned topics, content filters, custom rules)
  • pii_anomaly — Unexpected PII patterns or volume spikes
  • injection_attempt — Prompt injection, jailbreak, or adversarial input detection
  • rate_limit_breach — API key or IP-based rate limit violations
  • suspicious_pattern — Anomalous behavior flagged by ML models

Security Events

Retrieve security events with filtering and pagination. All events follow a common schema:

Event Schema
json
{
  "id": "evt_01JB5X8KQMZ3YPTC6NF2WH7E9K",
  "type": "guardrail_violation",
  "category": "policy_enforcement",
  "action_taken": "blocked",
  "severity": "high",
  "timestamp": "2026-03-10T14:32:18.742Z",
  "request_id": "req_01JB5X8KQM9YPTC6NF2WH7E8J",
  "metadata": {
    "policy_id": "pol_threat_keywords",
    "matched_rule": "banned_topics",
    "confidence": 0.94
  }
}

GET /api/security/events

List security events with filtering

Response

json
{
  "events": [
    {
      "id": "evt_01JB5X8KQMZ3YPTC6NF2WH7E9K",
      "type": "guardrail_violation",
      "category": "policy_enforcement",
      "action_taken": "blocked",
      "severity": "high",
      "timestamp": "2026-03-10T14:32:18.742Z",
      "request_id": "req_01JB5X8KQM9YPTC6NF2WH7E8J",
      "metadata": {
        "policy_id": "pol_threat_keywords",
        "matched_rule": "banned_topics"
      }
    },
    {
      "id": "evt_01JB5X7MKQZ3YPTC6NF2WH7E8J",
      "type": "injection_attempt",
      "category": "attack",
      "action_taken": "blocked",
      "severity": "critical",
      "timestamp": "2026-03-10T14:28:42.123Z",
      "request_id": "req_01JB5X7MKQZ3YPTC6NF2WH7E7K",
      "metadata": {
        "attack_type": "prompt_injection",
        "confidence": 0.98
      }
    }
  ],
  "pagination": {
    "total": 1247,
    "limit": 50,
    "offset": 0,
    "has_more": true
  }
}

Query Parameters

  • type — Filter by event type (comma-separated for multiple)
  • category — Filter by category: policy_enforcement, attack, anomaly
  • severity — Filter by severity: critical, high, medium, low
  • action — Filter by action taken: blocked, flagged, logged
  • from — Start timestamp (ISO 8601)
  • to — End timestamp (ISO 8601)
  • limit — Results per page (default: 50, max: 100)
  • offset — Pagination offset

Event Timeline

Retrieve event counts aggregated by time interval for trend analysis and incident investigation.

GET /api/security/events/timeline

Get event counts over time

Response

json
{
  "timeline": [
    {
      "timestamp": "2026-03-10T14:00:00Z",
      "count": 23,
      "breakdown_by_category": {
        "policy_enforcement": 12,
        "attack": 8,
        "anomaly": 3
      }
    },
    {
      "timestamp": "2026-03-10T13:00:00Z",
      "count": 18,
      "breakdown_by_category": {
        "policy_enforcement": 10,
        "attack": 5,
        "anomaly": 3
      }
    }
  ],
  "interval": "hour",
  "period": {
    "from": "2026-03-10T00:00:00Z",
    "to": "2026-03-10T23:59:59Z"
  }
}

Query Parameters

  • interval — Time bucket: hour or day (default: hour)
  • from — Start timestamp (ISO 8601)
  • to — End timestamp (ISO 8601)

Event Statistics

Get aggregated statistics for security events over a time period.

GET /api/security/events/stats

Get aggregated event statistics

Response

json
{
  "total_events": 1247,
  "events_by_type": {
    "guardrail_violation": 542,
    "pii_anomaly": 234,
    "injection_attempt": 187,
    "rate_limit_breach": 156,
    "suspicious_pattern": 128
  },
  "events_by_severity": {
    "critical": 187,
    "high": 423,
    "medium": 512,
    "low": 125
  },
  "events_by_action": {
    "blocked": 892,
    "flagged": 267,
    "logged": 88
  },
  "period": {
    "from": "2026-03-03T00:00:00Z",
    "to": "2026-03-10T23:59:59Z"
  }
}

Query Parameters

  • from — Start timestamp (ISO 8601, default: 7 days ago)
  • to — End timestamp (ISO 8601, default: now)

Top Attack Patterns

Identify the most frequently observed attack patterns and anomalies.

GET /api/security/events/top-patterns

Get most common attack patterns

Response

json
{
  "patterns": [
    {
      "pattern": "prompt_injection_ignore_previous",
      "category": "attack",
      "count": 87,
      "last_seen": "2026-03-10T14:32:18.742Z",
      "trend": "increasing"
    },
    {
      "pattern": "pii_email_burst",
      "category": "anomaly",
      "count": 64,
      "last_seen": "2026-03-10T14:28:42.123Z",
      "trend": "stable"
    },
    {
      "pattern": "banned_topic_medical",
      "category": "policy_enforcement",
      "count": 52,
      "last_seen": "2026-03-10T14:15:33.456Z",
      "trend": "decreasing"
    }
  ],
  "limit": 10,
  "total_unique_patterns": 143
}

Query Parameters

  • limit — Number of patterns to return (default: 10, max: 50)
  • from — Start timestamp (ISO 8601, default: 7 days ago)
  • to — End timestamp (ISO 8601, default: now)

Security Posture Score

NeuronEdge calculates a continuous security posture score (0-100) based on your organization's security event history and response effectiveness.

How Scoring Works

  • Base Score: Starts at 100 (perfect security posture)
  • Deductions: Unblocked threats, high-severity events, slow remediation times
  • Improvements: High block rates, active guardrail coverage, quick incident response

GET /api/security/events/posture

Get security posture score

Response

json
{
  "score": 87,
  "grade": "B",
  "trend": "improving",
  "factors": [
    {
      "name": "Attack Prevention Rate",
      "impact": "+15",
      "recommendation": "98% of injection attempts blocked. Excellent coverage."
    },
    {
      "name": "Unblocked Anomalies",
      "impact": "-8",
      "recommendation": "23 PII anomalies flagged but not blocked. Review detection policies."
    },
    {
      "name": "Policy Coverage",
      "impact": "+5",
      "recommendation": "Active guardrails cover 94% of known attack patterns."
    },
    {
      "name": "Response Time",
      "impact": "-5",
      "recommendation": "Average remediation time 4.2 hours. Consider automated webhooks."
    }
  ],
  "period": {
    "from": "2026-03-03T00:00:00Z",
    "to": "2026-03-10T23:59:59Z"
  }
}

Query Parameters

  • from — Start timestamp (ISO 8601, default: 7 days ago)
  • to — End timestamp (ISO 8601, default: now)

Grade Breakdown

  • A (90-100): Excellent security posture, minimal unblocked threats
  • B (80-89): Good coverage with minor gaps
  • C (70-79): Adequate but needs improvement
  • D (60-69): Significant vulnerabilities present
  • F (<60): Critical security gaps requiring immediate attention

SIEM Integration

Forward security events to your existing SIEM or security monitoring platform using webhooks or real-time streaming.

1. Webhooks (Professional+)

Configure a webhook URL to receive security events as they occur. All payloads are HMAC-signed for verification.

Webhook Configuration
json
{
  "webhook_url": "https://siem.example.com/webhooks/neuronedge",
  "events": [
    "guardrail_violation",
    "injection_attempt",
    "pii_anomaly"
  ],
  "severity_filter": ["critical", "high"],
  "action_filter": ["blocked"],
  "signing_secret": "whsec_..."
}

Webhook Payload Example
http
POST https://siem.example.com/webhooks/neuronedge
Headers:
  X-NeuronEdge-Signature: sha256=...
  X-NeuronEdge-Timestamp: 1709996000
  Content-Type: application/json

Body:
{
  "event": {
    "id": "evt_01JB5X8KQMZ3YPTC6NF2WH7E9K",
    "type": "injection_attempt",
    "category": "attack",
    "action_taken": "blocked",
    "severity": "critical",
    "timestamp": "2026-03-10T14:32:18.742Z",
    "request_id": "req_01JB5X8KQM9YPTC6NF2WH7E8J",
    "metadata": {
      "attack_type": "prompt_injection",
      "confidence": 0.98
    }
  }
}

Signature Verification: Verify the X-NeuronEdge-Signature header using HMAC-SHA256 with your signing secret. Reject requests with timestamps older than 5 minutes.
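
A receiver-side check for the two rules above, as an added example (not NeuronEdge's own code). The page does not say which bytes are signed, so the `<timestamp>.<raw body>` signing string is an assumption, as are the function names and the constructed sample values.

```python
import hashlib
import hmac
import time

MAX_AGE_SECONDS = 300  # page: reject timestamps older than 5 minutes


def compute_signature(secret: bytes, timestamp: str, body: bytes) -> str:
    # ASSUMPTION: the page does not state which bytes are signed. This sketch
    # signs "<timestamp>.<raw body>" so the timestamp cannot be swapped on replay.
    message = timestamp.encode("ascii") + b"." + body
    return "sha256=" + hmac.new(secret, message, hashlib.sha256).hexdigest()


def verify_webhook(secret, sig_header, ts_header, body, now=None):
    """Return True only for a fresh timestamp and a matching HMAC-SHA256."""
    now = time.time() if now is None else now
    try:
        ts = int(ts_header)
    except (TypeError, ValueError):
        return False                      # missing or non-numeric timestamp
    # Stale requests are rejected per the page; rejecting timestamps far in
    # the future as well is an added hardening choice.
    if abs(now - ts) > MAX_AGE_SECONDS:
        return False
    if not isinstance(sig_header, str) or not sig_header.startswith("sha256="):
        return False                      # wrong or missing algorithm prefix
    expected = compute_signature(secret, str(ts), body)
    # Constant-time comparison over bytes avoids leaking a match prefix.
    return hmac.compare_digest(expected.encode(), sig_header.strip().lower().encode())


# Constructed sample values (not real secrets or events).
SAMPLE_SECRET = b"whsec_constructed_example"
SAMPLE_TS = "1709996000"
SAMPLE_BODY = b'{"event":{"id":"evt_constructed","type":"injection_attempt"}}'
SAMPLE_SIG = compute_signature(SAMPLE_SECRET, SAMPLE_TS, SAMPLE_BODY)
```

Pass the raw request bytes as `body`, before any JSON parsing or re-serialization, since a re-encoded body will not reproduce the same digest.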

2. SSE Stream (Enterprise)

Stream security events in real time using Server-Sent Events (SSE). Ideal for live dashboards and monitoring tools.

GET /api/security/events/stream

Real-time security event stream (SSE)

SSE Stream Example
bash
curl -N -H "Authorization: Bearer ne_prod_..." \
  https://api.neuronedge.ai/api/security/events/stream

# Response (Server-Sent Events):
event: security_event
data: {"id":"evt_...","type":"injection_attempt","severity":"critical",...}

event: security_event
data: {"id":"evt_...","type":"guardrail_violation","severity":"high",...}

event: heartbeat
data: {"timestamp":"2026-03-10T14:35:00.000Z"}

Connection Management: The stream sends heartbeat events every 30 seconds. Reconnect with exponential backoff if disconnected. Use the Last-Event-ID header to resume from the last received event.
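
The client-side bookkeeping this implies, as an added example (not NeuronEdge's own code): parse the stream, count heartbeats, advance the resume point only on complete events, and build the reconnect headers and backoff schedule. It assumes the server sends standard SSE `id:` fields (the sample above does not show them); the function names, backoff base and cap, and the sample stream are constructed.

```python
import json
import random


def backoff_delays(attempts=6, base=1.0, cap=60.0, rng=random.random):
    """Exponential backoff with full jitter; base and cap are example values."""
    return [rng() * min(cap, base * 2 ** n) for n in range(attempts)]


def resume_headers(api_key, last_event_id):
    headers = {"Authorization": f"Bearer {api_key}", "Accept": "text/event-stream"}
    if last_event_id:
        headers["Last-Event-ID"] = last_event_id  # resume after this event
    return headers


def parse_sse(lines, last_event_id=None):
    """Return (security_events, last_event_id, heartbeat_count) for one connection."""
    events, heartbeats = [], 0
    name, data, event_id = "message", [], None
    for raw in lines:
        line = raw.rstrip("\r\n")
        if line == "":                       # blank line dispatches the event
            if name == "heartbeat":
                heartbeats += 1
            elif name == "security_event" and data:
                events.append(json.loads("\n".join(data)))
                # Advance the resume point only after a complete event.
                last_event_id = event_id or last_event_id
            name, data, event_id = "message", [], None
        elif not line.startswith(":"):       # lines starting with ":" are comments
            field, _, value = line.partition(":")
            value = value[1:] if value.startswith(" ") else value
            if field == "event":
                name = value
            elif field == "data":
                data.append(value)
            elif field == "id":
                event_id = value
    return events, last_event_id, heartbeats  # a partial trailing event is dropped


# Constructed stream: one event, one heartbeat, then a drop mid-event.
SAMPLE_STREAM = [
    "id: evt_constructed_1\n", "event: security_event\n",
    'data: {"type":"injection_attempt","severity":"critical"}\n', "\n",
    "event: heartbeat\n", 'data: {"timestamp":"2026-03-10T14:35:00.000Z"}\n', "\n",
    "id: evt_constructed_2\n", "event: security_event\n",
    'data: {"type":"guardrail_violation",',
]
```

Because the truncated second event never advances `last_event_id`, reconnecting with the returned value asks the server to resend it rather than silently losing it.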

Best Practices

  • Weekly Posture Reviews: Monitor your security posture score trend and act on recommendations to maintain a grade of B or higher.
  • Webhook Alerts: Configure webhooks for blocked events with critical or high severity to enable immediate incident response.
  • Pattern Correlation: Cross-reference top attack patterns with your guardrail configuration to identify gaps in coverage.
  • Timeline Investigation: Use the event timeline to investigate incidents and correlate security events with application behavior.
  • SIEM Export: Forward events to your SIEM platform for long-term retention and compliance auditing (NeuronEdge retains events for 90 days).