SIEM
Files.com integrates with various Security Information and Event Management (SIEM) platforms, such as Splunk, Microsoft Sentinel, Sumo Logic, Datadog, New Relic, and others. You can also use our SIEM (Any Provider) connector to integrate with any SIEM platform of your choice, enhancing your security and monitoring capabilities.
Integrating Files.com with your preferred SIEM solution streamlines log management and provides real-time insights into system activities, enhancing visibility and compliance efforts. This integration allows you to efficiently monitor, analyze, and respond to security events and operational data, ensuring a proactive approach to maintaining system integrity.
Files.com can be configured to transmit logs to multiple remote log collection endpoints, including your organization's SIEM system. It integrates with most SIEM platforms that accept data in JSON format via HTTP, ensuring compatibility with various monitoring and analytics tools to strengthen the security of your organization's environment.
Configuring Files.com for SIEM Integration
To integrate Files.com with your SIEM solution, first create or identify an HTTP destination or endpoint in your SIEM that can receive JSON data, and configure HTTP headers if required by your system. Then, in Files.com, set up the integration to include this destination and any necessary headers, enabling the required log types.
Once the configuration is complete, Files.com audit logs are automatically and in real-time forwarded to the designated SIEM endpoint, allowing you to leverage advanced analytics, reporting, and search capabilities. This ensures that all event data is centralized for further analysis, helping you streamline security operations and maintain continuous oversight.
Types of Logs
The following log types can be enabled for forwarding to SIEM platforms.
Log Type | Details | Links for API and Sample Logs |
---|---|---|
File Transfer Services | FTP, SFTP, and WebDAV file transfer activity. | |
Integrations | Audit log of actions performed to your Remote Servers, Remote Server Syncs, and Files.com on-premise Agents. | |
Automations logs | Actions performed by your automations and their results. | Automations logs |
API Requests logs | Audit log of API requests made to your site. | API Requests logs |
Outbound Emails logs | Audit log of email notifications sent by the server. | Outbound Emails logs |
Public Hosting logs | Audit log of all requests to access your publicly served folders. | Public Hosting logs |
ExaVault API Requests logs (Legacy) | Audit log of ExaVault API requests made to your site. | ExaVault API Requests logs |
Sample Log Data
Some SIEM platforms, such as Microsoft Sentinel, may require you to upload sample log files to generate custom log tables as part of the schema and transformation process.
To obtain the sample log files for each log type, refer to the Log Types table and look for the links in the Links for API and Sample Logs column corresponding to the specific log type you need. On the landing page, you will find an Example LogType Object on the right side. For instance, sample SFTP logs can be found under the Example SftpActionLog Object section on the linked page.
Copy the content of the example to your clipboard and save it locally as a file with a .json or .log extension. By doing this, you will have the necessary sample log files to upload and use for configuring custom log types in Microsoft Sentinel or other SIEM platforms.
Log Sizes, Interval and Retries
Logs are transmitted in batches of up to 100 entries. When sending 100 logs at a time, the total size is typically below 100 KB, which is well within the acceptable size for any SIEM provider. If fewer than 100 logs are pending, all available logs are sent. For more than 100 logs, they are sent in batches of 100.
Logs are not held until a full batch is ready; instead, your site will forward all collected logs every 60 seconds. We do not currently compress logs but may offer this feature in the future.
When logs cannot be delivered, the site will retry every 60 seconds for the first 5 minutes. After that, the site will retry every 15 minutes. This approach ensures that short outages are recovered from promptly while keeping retries against a longer outage manageable.
Log Retention
We retain logs for the past 7 days for SIEM integrations. If the integration is paused, either manually or due to a connection failure, we will send the logs from the last 7 days in batches once the connection is restored or the integration is resumed manually. This allows you to pause the integration to perform maintenance on the receiving application without losing audit data.
Some SIEM platforms, such as Datadog, Sumo Logic, and others, only accept logs from the past 18 hours. For example, if you pause an integration to a Datadog endpoint for more than 18 hours, you risk losing logs that Datadog will not accept once the integration is resumed.
Additional SIEM Platforms
Files.com supports native integration with Splunk, Microsoft Sentinel, Sumo Logic, Datadog, and New Relic. We aim to natively support many of the common SIEM systems used by our customers and will continue to add more platforms over time. However, we cannot support all commercial and open-source SIEM or logging servers currently available.
If your SIEM platform is not in our list of natively supported platforms, you can use the Generic SIEM Connector, listed as the SIEM (Any Provider) Connector in our SIEM integration catalog. This versatile solution is designed to integrate with a wide range of SIEM systems or logging servers.
Our Generic SIEM Connector supports any SIEM platforms that can receive data in JSON format via HTTP, ensuring compatibility across various security environments, whether cloud-based or on-premises. This provides a unified approach to monitoring and analyzing event and log data, regardless of the SIEM platform you use.
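As an added example, not Files.com's code and not a supported connector, here is a minimal HTTP receiver of the kind the SIEM (Any Provider) Connector can post to: it checks a shared-secret header, enforces the 100-entry batch limit described above, and hands the entries to an ingestion stand-in. The header name, secret value, port, and the assumption that each delivery body is a JSON array of log objects are all choices made for this example, not Files.com defaults.

```python
import hmac
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed for this example: the header name and secret are whatever you
# configure on both sides; they are not Files.com defaults.
EXPECTED_HEADERS = {"X-Files-Com-Token": "replace-with-a-long-random-secret"}
MAX_BATCH = 100             # Files.com sends at most 100 entries per delivery
MAX_BODY_BYTES = 1_000_000  # a 100-entry batch is typically under 100 KB
RECEIVED = []               # stand-in for your SIEM's ingestion pipeline


def process_batch(body, headers):
    """Validate one delivery and return (http_status, entries_accepted).
    Assumes the body is a JSON array of log objects (an assumption made here;
    confirm the payload shape against what your endpoint actually receives)."""
    got = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    for name, value in EXPECTED_HEADERS.items():
        if not hmac.compare_digest(got.get(name.lower(), ""), value):
            return 401, 0  # reject senders that do not present the shared secret
    if len(body) > MAX_BODY_BYTES:
        return 413, 0
    try:
        entries = json.loads(body)
    except ValueError:
        return 400, 0
    if not isinstance(entries, list) or len(entries) > MAX_BATCH:
        return 400, 0
    if not all(isinstance(e, dict) for e in entries):
        return 400, 0
    RECEIVED.extend(entries)
    return 200, len(entries)


class Handler(BaseHTTPRequestHandler):
    def do_POST(self):
        length = int(self.headers.get("Content-Length", "0"))
        status, accepted = process_batch(self.rfile.read(length), self.headers)
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.end_headers()
        self.wfile.write(json.dumps({"accepted": accepted}).encode())


if __name__ == "__main__":
    # Terminate TLS in front of this (for example with a reverse proxy) before exposing it.
    HTTPServer(("0.0.0.0", 8080), Handler).serve_forever()
```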
Example Dashboards and Alerts
Below are a few examples of how you can use your SIEM platform with logs and event data from Files.com to monitor security, optimize workflows, and ensure compliance. These dashboards and alerts need to be set up within your SIEM platform using Files.com logs. Your SIEM platform may also offer pre-built templates for some of these use cases, simplifying setup. For configuration and customization, refer to your SIEM platform’s documentation.
Tracking User Authentication and Access
Monitoring user logins and access patterns is crucial for security. By using API Request Logs, FTP, SFTP, and WebDAV Action Logs, you can create dashboards that track login attempts, successful logins, and access trends. If a login occurs from an unapproved IP address, an alert from your SIEM platform can notify the security team. A dashboard displaying login trends by region helps detect access attempts from unauthorized geographic regions. If an inactive user, who hasn’t logged in for 90 days, suddenly logs in and downloads multiple files, an alert can flag potential account compromise.
Monitoring File Transfers and Failures
Keeping track of file transfers ensures smooth operations. Using FTP, SFTP, and WebDAV Action Logs, dashboards can visualize uploads, downloads, deletions, and renames. If file transfer failures exceed 5% within 30 minutes, an alert from your SIEM platform can help IT teams identify issues quickly. Dashboards tracking the source and destination IPs for failed transfers can highlight recurring problems or external vendor-related failures.
Detecting Suspicious Login Locations
Unusual login locations can indicate security threats. API Request Logs allow the creation of dashboards that map user login activity by region, helping security teams detect unauthorized access. If a user logs in from a new country, an alert from your SIEM platform can prompt verification. A dashboard showing login activity by country provides insights into access trends, while another alert can detect simultaneous logins from different locations, which may indicate credential theft or VPN-based attacks.
Identifying Unusual File Download Behavior
Abnormal file download patterns can be a sign of data theft. API Request Logs, FTP, SFTP, WebDAV, and Public Hosting Logs can help track and detect users downloading an unusually high volume of files in a short time. If a user downloads more than 500 files within 10 minutes, an alert from your SIEM platform can flag potential data exfiltration. Dashboards displaying download activity by user and file size help quickly identify risks. Another alert can detect large file downloads from external IP addresses, signaling potential unauthorized data exports.
Monitoring High-Activity Users and Folders
Tracking user activity can help detect unauthorized actions. API Request Logs, FTP, SFTP, and WebDAV Logs can generate dashboards highlighting the most active users and frequently accessed folders. If a restricted folder is accessed for the first time, an alert from your SIEM platform can notify security teams. A user activity heatmap can visualize usage trends, and a report on the highest file transfer users can help security teams review potentially risky behavior.
Analyzing File Transfer Trends Over Time
Monitoring long-term file transfer patterns helps identify anomalies. FTP, SFTP, and WebDAV Logs can be used to track peak usage times and detect unusual data movement. If file transfer volume drops by 80% compared to the same time last week, an alert from your SIEM platform can indicate a system failure or workflow issue. A historical dashboard showing normal versus abnormal file transfer trends can provide insights, and an unusually high file transfer volume alert can help detect mass file movements, possibly indicating a data breach.
Monitoring Remote Server Connections
Keeping an eye on remote server connectivity helps prevent disruptions. Outbound Connection Logs can generate dashboards showing connection success rates, failure patterns, and latency issues. If a remote connection fails more than three times within 5 minutes, an alert from your SIEM platform can notify IT teams for immediate action. Dashboards tracking connection response times help proactively identify outages, while another alert can notify administrators if a vendor system remains offline for too long.
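As an added example that is not part of Files.com's documentation or product, the sliding-window count rule behind two of the numeric thresholds on this page ("more than 500 files within 10 minutes" from the download-behaviour section and "more than three times within 5 minutes" here), run over constructed events. The field names user, action, status, remote_server and created_at are assumptions for the example, not the Files.com log schema.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

BASE = datetime(2024, 5, 1, 9, 0, tzinfo=timezone.utc)  # constructed start time


def windowed_count_alerts(events, key, match, threshold, window):
    """Return (key, count, time) the first time a key has more than `threshold`
    matching events inside a sliding `window`. Events must be time-ordered and
    carry a parsed, timezone-aware datetime in "created_at" (assumed field)."""
    recent, alerted, alerts = defaultdict(deque), set(), []
    for e in events:
        if not match(e):
            continue
        k, ts = key(e), e["created_at"]
        q = recent[k]
        q.append(ts)
        while ts - q[0] > window:  # evict events older than the window
            q.popleft()
        if len(q) > threshold and k not in alerted:
            alerted.add(k)  # one alert per key, not one per excess event
            alerts.append((k, len(q), ts.isoformat()))
    return alerts


def constructed_events():
    """Constructed sample data, not real Files.com logs and not its schema:
    alice downloads 520 files one second apart (should alert), bob 520 files
    one minute apart (should not); vendor-sftp fails 4 times in 90 seconds."""
    ev = []
    for i in range(520):
        ev.append({"user": "alice", "action": "download", "created_at": BASE + timedelta(seconds=i)})
        ev.append({"user": "bob", "action": "download", "created_at": BASE + timedelta(minutes=i)})
    for i, status in enumerate(["failure"] * 4 + ["success"]):
        ev.append({"remote_server": "vendor-sftp", "action": "connect", "status": status,
                   "created_at": BASE + timedelta(seconds=30 * i)})
    return sorted(ev, key=lambda e: e["created_at"])


def run_rules(events=None):
    events = constructed_events() if events is None else events
    return {
        # "more than 500 files within 10 minutes" (download behaviour section)
        "downloads": windowed_count_alerts(
            events, key=lambda e: e.get("user"), match=lambda e: e.get("action") == "download",
            threshold=500, window=timedelta(minutes=10)),
        # "fails more than three times within 5 minutes" (remote server section)
        "connection_failures": windowed_count_alerts(
            events, key=lambda e: e.get("remote_server"),
            match=lambda e: e.get("action") == "connect" and e.get("status") == "failure",
            threshold=3, window=timedelta(minutes=5)),
    }
```

Each rule fires once per user or remote server when the threshold is first exceeded, which keeps a single burst from generating hundreds of duplicate alerts.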
Monitoring Automations Status
Tracking automation logs in SIEM platforms ensures that scheduled tasks are running smoothly. Dashboards display real-time execution statuses, highlighting successes, failures, and delays. If automations fail repeatedly or remain pending, an alert from your SIEM platform can notify your IT teams for quick action.
These dashboards and alerts provide real-time visibility into security, access, and operational risks, helping your organization proactively monitor, detect, and respond to potential threats.