SIEM (Any Provider)
If your SIEM platform is not among our natively supported options, you can use our Generic SIEM Connector, listed as the SIEM (Any Provider) Connector in our SIEM integration catalog. It works with any SIEM or logging server that can receive JSON over HTTP, whether cloud-based or on premises, so that event and log data from Files.com can be monitored and analyzed alongside the rest of your environment.
Because it relies only on JSON over HTTP, the Generic SIEM Connector lets you ingest Files.com logs into the SIEM or logging server of your choice for detection, correlation, and incident response, without waiting for a platform-specific connector.
Getting Started with SIEM (Any Provider) Integration
To forward logs with the SIEM (Any Provider) connector, first configure your SIEM platform or log collector to accept HTTP-based data ingestion in JSON format.
Enable HTTP data ingestion and generate an API token or whatever credentials your platform uses to authenticate incoming requests. Note the data ingestion URL (endpoint URL) and the generated token; both are needed to configure the integration in Files.com. Use an HTTPS endpoint wherever your platform supports one, since the token and the log contents travel in every request.
Configuring Files.com to Integrate with your SIEM Provider
When setting up the SIEM (Any Provider) connector in Files.com, begin by entering a name for the integration to keep it organized. Then provide the Destination URL, which is the data ingestion URL (endpoint URL) from your SIEM or log collector's configuration. For authentication, include the token either directly in the Destination URL (if your SIEM provider accepts that format) or as an additional HTTP header. Prefer the header where you have the choice: a token embedded in the URL can end up in proxy, load balancer, and web server access logs, whereas a header value normally does not.
Generic Payload Type
The SIEM (Any Provider) integration sends log records in batches of up to 100 entries, with each entry formatted as a JSON object. All JSON objects for a given log type share the same set of keys, so the SIEM or log collector can rely on a consistent structure when parsing them. Size your receiver's request limits and parsing logic for batches of that maximum size rather than for single records.
When configuring the integration and selecting the Generic Payload Type in the form, you have two options for payload formats: Newline and Array. These formats determine how multiple JSON objects are combined into a single payload. The choice of format should be based on the requirements of the SIEM system receiving the logs, as most systems require one of these specific formats.
The Newline format places each JSON object on its own line, separated by a newline character (often called NDJSON or JSON Lines). The Array format wraps the whole batch in standard JSON array syntax: the payload starts with [, lists each JSON object separated by a comma, and ends with ]. In both cases a batch is a single HTTP request body; the difference is only in how the objects are delimited, so a receiver that supports the wrong format will typically reject the request with a parse error rather than silently dropping records.
Additional Headers
Passing additional HTTP headers is optional but useful for carrying authentication tokens (for example an Authorization header), declaring the content type, selecting an index or routing behavior on the receiving side, or adding request-tracing identifiers.
If your SIEM setup needs extra headers, configure them by entering the Header Name and Header Value in the Key and Value fields. Treat any header that carries a token as a secret when reviewing or exporting the integration's configuration.
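The following receiver is an added example, not code from Files.com or from any SIEM vendor. It shows what a generic HTTP ingestion endpoint needs in order to accept the Generic Payload Type described above: it parses both the Newline and the Array formats into the same list of objects, enforces the 100-entry batch limit, and checks a bearer token presented either as an Authorization header (the Additional Headers option) or as a token query parameter in the Destination URL. The token value, the port, the query parameter name, and the sample records with their event and user fields are all assumptions made for the example; they are not the Files.com log schema.

```python
"""Minimal HTTP ingestion endpoint for Generic SIEM Connector payloads.

Added example (not Files.com code). Accepts Newline and Array payloads,
checks a bearer token carried in the Authorization header or in the URL
query string, and rejects batches above the documented 100-entry limit.
"""
import hmac
import json
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Optional
from urllib.parse import parse_qs, urlparse

MAX_BATCH = 100                            # documented batch size limit
EXPECTED_TOKEN = "s3cr3t-example-token"    # hypothetical; load from env in practice
TOKEN_QUERY_PARAM = "token"                # hypothetical query parameter name


def parse_payload(body: bytes) -> list:
    """Return the JSON log objects in a payload, whichever format was used."""
    text = body.decode("utf-8").strip()
    if not text:
        return []
    if text.startswith("["):
        # Array format: one JSON array containing every object in the batch
        records = json.loads(text)
        if not isinstance(records, list):
            raise ValueError("array payload must be a JSON array")
    else:
        # Newline format: one JSON object per line
        records = [json.loads(line) for line in text.splitlines() if line.strip()]
    if len(records) > MAX_BATCH:
        raise ValueError(f"batch of {len(records)} exceeds the {MAX_BATCH} entry limit")
    if not all(isinstance(r, dict) for r in records):
        raise ValueError("every entry must be a JSON object")
    return records


def extract_token(path: str, headers) -> Optional[str]:
    """Token from 'Authorization: Bearer ...' first, then from the URL query."""
    auth = headers.get("Authorization", "") or ""
    if auth.startswith("Bearer "):
        return auth[len("Bearer "):].strip()
    return parse_qs(urlparse(path).query).get(TOKEN_QUERY_PARAM, [None])[0]


def token_ok(presented: Optional[str], expected: str = EXPECTED_TOKEN) -> bool:
    """Constant-time comparison so a wrong token leaks nothing via timing."""
    return presented is not None and hmac.compare_digest(presented, expected)


class IngestHandler(BaseHTTPRequestHandler):
    def do_POST(self):
        if not token_ok(extract_token(self.path, self.headers)):
            self.send_response(401)
            self.end_headers()
            return
        length = int(self.headers.get("Content-Length", "0"))
        try:
            records = parse_payload(self.rfile.read(length))
        except (ValueError, json.JSONDecodeError) as exc:
            self.send_response(400)
            self.end_headers()
            self.wfile.write(str(exc).encode())
            return
        for record in records:
            print(json.dumps(record))   # stand-in for indexing into the SIEM
        self.send_response(200)
        self.end_headers()


# Constructed sample payloads for the two formats (not real Files.com records)
NEWLINE_SAMPLE = b'{"event":"login","user":"alice"}\n{"event":"download","user":"bob"}\n'
ARRAY_SAMPLE = b'[{"event":"login","user":"alice"},{"event":"download","user":"bob"}]'

if __name__ == "__main__":
    # Both formats decode to the same records before the server starts
    assert parse_payload(NEWLINE_SAMPLE) == parse_payload(ARRAY_SAMPLE)
    HTTPServer(("127.0.0.1", 8080), IngestHandler).serve_forever()
```

Run it and point the Destination URL at http://127.0.0.1:8080/ingest?token=s3cr3t-example-token, or leave the token out of the URL and add an Authorization header with the value Bearer s3cr3t-example-token under Additional Headers. A request with the wrong format for the receiver, or a batch over the limit, gets a 400 with the parse error in the body, which is the kind of response to look for in the External Logs when forwarding fails.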
Choosing Log Types to Forward to your SIEM Platform
When configuring the SIEM integration in Files.com, you can select which log types are forwarded to each SIEM instance. By default, all log types are enabled, and you can narrow the selection independently for each instance. Refer to the Log Types section for the available options.
Troubleshooting
If logs are not arriving at your SIEM platform, start by verifying that the endpoint URL and token are configured correctly in Files.com: the URL must match the ingestion endpoint exactly, and the token must be the one issued by your SIEM instance.
Next, check for network connectivity problems or firewall rules that may block traffic from Files.com to the endpoint. For more detail, review the SIEM-related entries under External Logs by selecting "SIEM" as the Event Type; the HTTP status and response recorded there usually show whether the receiver rejected the authentication, the payload format, or the request as a whole. If the problem persists, consult the documentation for your SIEM platform.