Microsoft Sentinel
The Files.com integration with Microsoft Sentinel uses Sentinel's Logs Ingestion API in Azure Monitor to efficiently transfer Files.com logs into your Sentinel environment. The forwarded logs are stored by default in Azure Monitor's Log Analytics, which serves as the foundation of the Microsoft Sentinel workspace. From there, you can access the logs and use Kusto Query Language (KQL) to execute queries for threat detection and network activity monitoring.
This integration ensures that your data is consistently updated for real-time analysis. You have the flexibility to configure the integration to send various types of log data to Sentinel, enhancing your capability to monitor, analyze, and respond to security events with greater accuracy and speed.
Getting Started with Microsoft Sentinel Integration
To configure the Files.com SIEM integration with Microsoft Sentinel, you need the Destination URL, Stream name, DCR Immutable ID, Tenant ID, Client ID, and Secret from your Azure environment. To obtain these, follow the steps from the Microsoft Azure Sentinel tutorial provided below.
Start by configuring the Azure application registration to authenticate against the API by following the instructions. Note the Application (client) ID, Directory (tenant) ID, and Secret Value to use in Files.com.
Next, create a Data Collection Endpoint (DCE). Note the Logs ingestion URL, which will be used as the Destination URL in Files.com.
Add a custom log table by following the instructions. Avoid using the sample data or transform code provided in the Microsoft article. Instead, follow the steps outlined below.
Obtain the sample log data for each log type from the Developers.files.com documentation. For example, sample SFTP logs can be found at this link under Example SftpActionLog Object on the right side. Save the copied sample log locally as a file with a .json or .log extension.
After saving the file locally, upload it by selecting New custom log (DCR-based) to create a custom log table in the Log Analytics workspace.
After upload, you may need to use the Transformation Editor to resolve warnings related to timestamp conversion for the TimeGenerated column, as all log tables within Azure Monitor Logs must have a TimeGenerated column populated with the event's timestamp.
Run the KQL query below in the Transformation Editor to add the TimeGenerated column to the output, and then click Apply to save the transformation.
After generating the custom log table, follow these instructions to collect information from the Data Collection Rule (DCR). Note the Stream name and DCR Immutable ID to use in Files.com.
Lastly, assign permissions to the DCR by following these instructions.
Configuring Files.com for Microsoft Sentinel Integration
After configuring the Log Ingestion API in Azure Monitor by following the steps outlined in the previous section, set up the integration in Files.com as detailed in the table below.
| Field | Details |
|---|---|
| Name | Integration name for your records |
| Destination URL | Logs ingestion URL collected from the Data Collection Endpoint |
| Stream name | Custom log table name |
| DCR Immutable ID | DCR Immutable ID collected from the Data Collection Rule |
| Azure OAuth Client Credentials Tenant ID | Directory (tenant) ID |
| Azure OAuth Client Credentials Client ID | Application (client) ID |
| Azure OAuth Client Credentials Client Secret | Secret Value |
You can configure additional headers by specifying the Header Name and Header Value in the Key and Value fields, respectively, if you need to pass extra headers to your SIEM setup.
Choosing Log Types to Forward to Microsoft Sentinel
Because a custom log table in Microsoft Sentinel accepts only one log type, create a separate custom table for each log type you want to forward, and in each integration select only the log type that matches that integration's custom log table (stream name). As a result, you will need to create multiple integrations, each configured to forward a single log type to its corresponding custom log table in the desired instance.
Select which type of log is forwarded to your specific Microsoft Sentinel instance. By default, all log types are enabled, but you must enable only one log type per instance. Refer to the Log Types section to review the available options for forwarding logs to your Microsoft Sentinel platform.
Troubleshooting
If you encounter any issues with forwarding or receiving logs in Microsoft Sentinel, start by verifying that all configuration steps were performed according to Microsoft's documentation and that all values entered in the Files.com form are accurate.
If you are still experiencing issues, check for network connectivity problems or firewall rules that may be blocking communication between Files.com and your Microsoft Sentinel environment. For additional insight, review any SIEM-related logs under External Logs by selecting "SIEM" as the Event Type. These logs may help identify where the log forwarding process is failing. If the problem persists, refer to Microsoft's troubleshooting documentation for further steps.
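The two HTTP calls the integration makes (a client-credentials token request, then a POST to the Logs Ingestion API) can be reproduced independently of Files.com to confirm that the values collected in the configuration table are correct before revisiting network or firewall causes. The script below is an added example, not Files.com's or Microsoft's code; every value in CONFIG is a placeholder to be replaced with your own, the stream name and immutable-ID formats shown are illustrative, and the record it sends is constructed.

```python
import json
import urllib.parse
import urllib.request

# Placeholder values (assumptions): substitute those collected from your app registration, DCE and DCR.
CONFIG = {
    "tenant_id": "<TENANT_ID>",
    "client_id": "<CLIENT_ID>",
    "client_secret": "<CLIENT_SECRET>",
    "destination_url": "https://<dce-name>.<region>.ingest.monitor.azure.com",
    "stream_name": "Custom-<TableName>_CL",
    "dcr_immutable_id": "dcr-<IMMUTABLE_ID>",
}
MONITOR_SCOPE = "https://monitor.azure.com/.default"  # scope for the Logs Ingestion API
API_VERSION = "2023-01-01"

def token_request(cfg):
    """Client-credentials grant built from the Tenant ID, Client ID and Secret fields."""
    url = f"https://login.microsoftonline.com/{cfg['tenant_id']}/oauth2/v2.0/token"
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": cfg["client_id"],
        "client_secret": cfg["client_secret"],
        "scope": MONITOR_SCOPE,
    }).encode()
    return url, headers, body

def ingest_request(cfg, token, records, extra_headers=None):
    """Logs Ingestion POST: Destination URL, DCR Immutable ID and Stream name form the path."""
    url = (f"{cfg['destination_url'].rstrip('/')}/dataCollectionRules/"
           f"{cfg['dcr_immutable_id']}/streams/{cfg['stream_name']}"
           f"?api-version={API_VERSION}")
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    headers.update(extra_headers or {})  # the optional Key/Value header fields
    return url, headers, json.dumps(records).encode()  # one JSON array, one log type

def post(url, headers, body):
    """Send one POST and return (HTTP status, response body)."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status, resp.read().decode()

if __name__ == "__main__":
    # Constructed record; your DCR transformation must derive TimeGenerated from it.
    sample = [{"created_at": "2024-01-01T00:00:00Z", "action": "login", "path": "/"}]
    _, tok_json = post(*token_request(CONFIG))
    token = json.loads(tok_json)["access_token"]
    status, _ = post(*ingest_request(CONFIG, token, sample))
    print("accepted" if status == 204 else f"unexpected status {status}")
```

A 204 response means the DCE accepted the batch, so the record should appear in the custom table once the DCR transformation has run; a 401 or 403 points at the app registration or the DCR permission assignment, and a 404 at the Destination URL, DCR Immutable ID or Stream name.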