SIEM
Files.com integrates with various Security Information and Event Management (SIEM) platforms, such as Splunk, Microsoft Sentinel, Sumo Logic, Datadog, New Relic, and others. You can also use our SIEM (Any Provider) connector to integrate with any SIEM platform of your choice, enhancing your security and monitoring capabilities.
Integrating Files.com with your preferred SIEM solution streamlines log management and provides real-time insights into system activities, enhancing visibility and compliance efforts. This integration allows you to efficiently monitor, analyze, and respond to security events and operational data, ensuring a proactive approach to maintaining system integrity.
Files.com can be configured to transmit logs to multiple remote log collection endpoints, including your organization's SIEM system. It integrates with most SIEM platforms that accept data in JSON format via HTTP, ensuring compatibility with various monitoring and analytics tools to strengthen the security of your organization's environment.
Configuring Files.com for SIEM Integration
To integrate Files.com with your SIEM solution, first create or identify an HTTP destination or endpoint in your SIEM that can receive JSON data, and configure HTTP headers if required by your system. Then, in Files.com, set up the integration to include this destination and any necessary headers, enabling the required log types.
Once the configuration is complete, Files.com audit logs are automatically and in real-time forwarded to the designated SIEM endpoint, allowing you to leverage advanced analytics, reporting, and search capabilities. This ensures that all event data is centralized for further analysis, helping you streamline security operations and maintain continuous oversight.
Types of Logs
The following log types can be enabled for forwarding to SIEM platforms.
Log Type | Details | Links for API and Sample Logs |
---|---|---|
File Transfer Services | FTP, SFTP, and WebDAV file transfer activity. | |
Integrations | Audit log of actions performed to your Remote Servers, Remote Server Syncs, and Files.com on-premise Agents. | |
Automations logs | Actions performed by your automations and their results. | Automations logs |
API Requests logs | Audit log of API requests made to your site. | API Requests logs |
Outbound Emails logs | Audit log of email notifications sent by the server. | Outbound Emails logs |
Public Hosting logs | Audit log of all requests to access your publicly served folders. | Public Hosting logs |
ExaVault API Requests logs (Legacy) | Audit log of ExaVault API requests made to your site. | ExaVault API Requests logs |
Sample Log Data
Some SIEM platforms, such as Microsoft Sentinel, may require you to upload sample log files to generate custom log tables as part of the schema and transformation process.
To obtain the sample log files for each log type, refer to the Log Types table and look for the links in the Links for API and Sample Logs column corresponding to the specific log type you need. On the landing page, you will find an Example LogType Object on the right side. For instance, sample SFTP logs can be found under the Example SftpActionLog Object section in this link.
Copy the content of the example to your clipboard and save it locally as a file with a .json or .log extension. By doing this, you will have the necessary sample log files to upload and use for configuring custom log types in Microsoft Sentinel or other SIEM platforms.
Log Sizes, Interval and Retries
Logs are transmitted in batches of up to 100 entries. When sending 100 logs at a time, the total size is typically below 100 KB, which is well within the acceptable size for any SIEM provider. If fewer than 100 logs are pending, all available logs are sent. For more than 100 logs, they are sent in batches of 100.
Logs are not held until a full batch is ready; instead, your site will forward all collected logs every 60 seconds. We do not currently compress logs but may offer this feature in the future.
When logs cannot be delivered, the site will try again every 60 seconds for 5 minutes. After the first 5 minutes, the site will try to connect every 15 minutes. This approach ensures that delivery issues are retried promptly at first while limiting the load of repeated attempts during a longer outage.
Log Retention
We retain logs for the past 7 days for SIEM integrations. If the integration is paused, either manually or due to a connection failure, we will send the logs from the last 7 days in batches once the connection is restored or the integration is resumed manually. This allows you to pause the integration to perform maintenance on the receiving application without losing audit data.
Some SIEM platforms, such as Datadog, Sumo Logic, and others, only accept logs from the past 18 hours. For example, if you pause an integration to a Datadog endpoint for more than 18 hours, you risk losing logs that Datadog will not accept once the integration is resumed.
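The following is an added example (not Files.com code) that models the delivery behaviour described above: batches of up to 100 entries, the 60-second-then-15-minute retry schedule, the 7-day retention window, and a provider-side acceptance window such as Datadog's 18 hours. The sample entries and timestamps are constructed; the interpretation that the first five retries are the ones spaced 60 seconds apart is an assumption.

```python
"""Model of the Files.com SIEM delivery semantics documented on this page.

Added example, not Files.com code. Sample data below is constructed.
"""
from datetime import datetime, timedelta, timezone

BATCH_SIZE = 100                 # entries per HTTP delivery
RETENTION = timedelta(days=7)    # how long Files.com keeps undelivered logs
DATADOG_WINDOW_HOURS = 18        # example provider acceptance window from the page


def next_retry_delay(consecutive_failures: int) -> timedelta:
    """Wait before the next attempt after N consecutive failed deliveries.

    Assumption: retries 1..5 are the ones 60 s apart (covering the first
    5 minutes); every later retry waits 15 minutes.
    """
    return timedelta(seconds=60) if consecutive_failures <= 5 else timedelta(minutes=15)


def batches(entries):
    """Split pending entries into deliveries of at most BATCH_SIZE entries."""
    return [entries[i:i + BATCH_SIZE] for i in range(0, len(entries), BATCH_SIZE)]


def replay_plan(entries, resumed_at, provider_window_hours):
    """Classify entries queued during a pause once the integration resumes.

    entries: list of (timestamp, record). Returns (sent, expired, rejected):
    records that will be delivered and accepted, records already past the
    7-day retention (never sent), and records Files.com will still send but
    the provider is expected to refuse because they exceed its window.
    """
    window = timedelta(hours=provider_window_hours)
    sent, expired, rejected = [], [], []
    for ts, rec in entries:
        age = resumed_at - ts
        if age > RETENTION:
            expired.append(rec)
        elif age > window:
            rejected.append(rec)
        else:
            sent.append(rec)
    return sent, expired, rejected


# Constructed sample: integration resumed after a long maintenance pause.
RESUMED_AT = datetime(2024, 1, 10, 12, 0, tzinfo=timezone.utc)
SAMPLE_ENTRIES = [
    (RESUMED_AT - timedelta(hours=1), {"id": 1, "action": "read"}),
    (RESUMED_AT - timedelta(hours=20), {"id": 2, "action": "write"}),
    (RESUMED_AT - timedelta(days=8), {"id": 3, "action": "delete"}),
]
```

Running `replay_plan(SAMPLE_ENTRIES, RESUMED_AT, DATADOG_WINDOW_HOURS)` shows that a pause longer than a provider's window silently drops entries (id 2) even though Files.com still retains and resends them.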
Additional SIEM Platforms
Files.com supports native integration with Splunk, Microsoft Sentinel, Sumo Logic, Datadog, and New Relic. We aim to natively support many of the common SIEM systems used by our customers and will continue to add more platforms over time. However, we cannot support all commercial and open-source SIEM or logging servers currently available.
If your SIEM platform is not in our list of natively supported platforms, you can use the Generic SIEM Connector, listed as the SIEM (Any Provider) Connector in our SIEM integration catalog. This versatile solution is designed to integrate with a wide range of SIEM systems or logging servers.
Our Generic SIEM Connector supports any SIEM platforms that can receive data in JSON format via HTTP, ensuring compatibility across various security environments, whether cloud-based or on-premises. This provides a unified approach to monitoring and analyzing event and log data, regardless of the SIEM platform you use.
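As an added example (not Files.com code), here is a minimal receiver for a SIEM (Any Provider) endpoint: it checks a shared-secret HTTP header, requires a JSON body, and accepts a batch of at most 100 log objects. The header name X-Siem-Token, the shared-secret value, and the assumption that each POST carries a JSON array of log objects are illustrative assumptions, not documented connector behaviour.

```python
"""Receiver-side validation for a Generic SIEM (Any Provider) HTTP endpoint.

Added example, not Files.com code. The header name and the JSON-array
payload layout are assumptions for illustration.
"""
import hmac
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

MAX_BATCH = 100                 # batch size documented on this page
TOKEN_HEADER = "x-siem-token"   # assumed custom header configured on the connector


def handle_batch(headers: dict, body: bytes, expected_token: str):
    """Validate one delivery. Returns (http_status, accepted_entries).

    Any non-2xx status causes the sender to retry on the schedule above,
    so reject only what genuinely cannot be ingested.
    """
    h = {k.lower(): v for k, v in headers.items()}   # header names are case-insensitive
    presented = h.get(TOKEN_HEADER, "")
    # Constant-time comparison so the check does not leak the expected token.
    if not hmac.compare_digest(presented.encode(), expected_token.encode()):
        return 401, []
    if not h.get("content-type", "").startswith("application/json"):
        return 415, []
    try:
        entries = json.loads(body)
    except ValueError:
        return 400, []
    if not isinstance(entries, list) or len(entries) > MAX_BATCH:
        return 400, []
    if not all(isinstance(e, dict) for e in entries):
        return 400, []
    return 200, entries


class SiemReceiver(BaseHTTPRequestHandler):
    expected_token = "REPLACE-WITH-SHARED-SECRET"   # placeholder, set at deployment

    def do_POST(self):
        length = int(self.headers.get("Content-Length", "0"))
        body = self.rfile.read(length)
        status, entries = handle_batch(dict(self.headers), body, self.expected_token)
        self.send_response(status)
        self.end_headers()
        for entry in entries:
            print(json.dumps(entry))   # hand each log object to the SIEM pipeline here


if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), SiemReceiver).serve_forever()
```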