SIEM Integrations

Files.com integrates with Security Information and Event Management (SIEM) platforms, including Splunk, Microsoft Sentinel, Sumo Logic, Datadog, and New Relic. The SIEM (Any Provider) connector covers other SIEM platforms.

Files.com transmits logs to remote log collection endpoints, including your organization's SIEM system, over HTTP in JSON format. Files.com also supports Log File Streaming, which writes the same audit and activity logs to files at a configured interval for file-based access, processing, and retention.

Configuring Files.com for SIEM Integration

To integrate Files.com with your SIEM solution, first create or identify an HTTP destination or endpoint in your SIEM that can receive JSON data, and configure HTTP headers if required by your system. Then, in Files.com, set up the integration to include this destination and any necessary headers, and enable the required log types.

Once the configuration is complete, Files.com audit logs are forwarded to the designated SIEM endpoint in real-time.
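The receiving side of this setup, as an added example that is not Files.com's code: a minimal HTTP endpoint that accepts JSON batches and checks the custom header you configured in the integration. It assumes the batch body is a JSON array of log objects (the page says "JSON over HTTP" but does not specify the envelope) and that the integration is configured to send a shared secret in a header named X-Collector-Token; both the header name and the token value are placeholders you would set on both sides.

```python
"""Minimal JSON-over-HTTP collector for a Files.com SIEM destination.

Added example, not Files.com's code. Assumptions (labelled): the batch body is a
JSON array of log objects, and the integration is configured to send a shared
secret in an X-Collector-Token header (header name is hypothetical).
"""
import hmac
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

EXPECTED_TOKEN = "replace-with-a-random-secret"  # placeholder; set the same value in Files.com
MAX_BATCH = 100            # the page states batches carry up to 100 entries
MAX_BODY_BYTES = 1_000_000  # generous cap above the ~100 KB typical batch size


class BatchError(ValueError):
    """Raised when a batch must be rejected (bad token or malformed body)."""


def parse_batch(headers, body, expected_token=EXPECTED_TOKEN):
    """Validate the shared-secret header and decode one batch.

    Returns the list of log entries, or raises BatchError; the HTTP handler maps
    that to 401 (token) or 400 (body). Works with a plain dict of headers or
    the case-insensitive header object that http.server provides.
    """
    token = headers.get("X-Collector-Token", "")
    # constant-time compare so the token check does not leak via timing
    if not hmac.compare_digest(token.encode(), expected_token.encode()):
        raise BatchError("bad or missing token")
    if len(body) > MAX_BODY_BYTES:
        raise BatchError("body too large")
    try:
        entries = json.loads(body.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError) as exc:
        raise BatchError(f"malformed JSON: {exc}") from None
    if isinstance(entries, dict):
        entries = [entries]  # tolerate a single object instead of an array
    if not isinstance(entries, list) or not all(isinstance(e, dict) for e in entries):
        raise BatchError("expected a JSON array of objects")
    if len(entries) > MAX_BATCH:
        raise BatchError(f"batch of {len(entries)} exceeds {MAX_BATCH}")
    return entries


class CollectorHandler(BaseHTTPRequestHandler):
    def do_POST(self):
        length = int(self.headers.get("Content-Length", "0"))
        body = self.rfile.read(length)
        try:
            entries = parse_batch(self.headers, body)
        except BatchError as exc:
            # a non-2xx response tells the sender the delivery failed so it can retry
            self.send_response(401 if "token" in str(exc) else 400)
            self.end_headers()
            return
        for entry in entries:
            print(json.dumps(entry))  # hand each entry to your SIEM's ingestion here
        self.send_response(200)
        self.end_headers()

    def log_message(self, *args):
        pass  # silence the default stderr access log


if __name__ == "__main__":
    # Put this behind TLS (a reverse proxy) before exposing it to Files.com.
    HTTPServer(("127.0.0.1", 8514), CollectorHandler).serve_forever()
```

Rejecting with a non-2xx status matters: that is what lets the sender treat the batch as undelivered and fall into the retry schedule described later on this page, rather than silently dropping entries on your side.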

Types of Logs

The following log types can be enabled for forwarding to SIEM platforms.

Log Type | Details | Links for API and Sample Logs
Settings Changes | Audit logs of changes made to site-wide settings and folder configurations by your Site Administrators. | Settings Changes Logs
History Logs | Audit logs of changes made to site files, users, groups, logins, permissions, and API keys. | History Logs
File Transfer Services | FTP, SFTP, and WebDAV file transfer activity. |
Integrations | Audit log of actions performed on your Remote Servers, Syncs, and Files.com on-premise Agents. |
Automations logs | Actions performed by your automations and their results. | Automations logs
API Requests logs | Audit log of API requests made to your site. | API Requests logs
Outbound Emails logs | Audit log of email notifications sent by the server. | Outbound Emails logs
Public Hosting logs | Audit log of all requests to access your publicly served folders. | Public Hosting logs
ExaVault API Requests logs (Legacy) | Audit log of ExaVault API requests made to your site. | ExaVault API Requests logs

Sample Log Data

Some SIEM platforms, such as Microsoft Sentinel, may require you to upload sample log files to generate custom log tables as part of the schema and transformation process.

To obtain the sample log files for each log type, refer to the Log Types table and look for the links in the Links for API and Sample Logs column corresponding to the specific log type you need. On the landing page, you will find an Example LogType Object on the right side when REST API is the selected language. For instance, sample SFTP logs can be found under the Example SftpActionLog Object section in this link.

Copy the content of the example to your clipboard and save it locally as a file with a .json or .log extension. The resulting file is the sample log file used to configure custom log types in Microsoft Sentinel or other SIEM platforms.

Log Sizes, Interval, and Retries

Logs are transmitted in batches of up to 100 entries. A batch of 100 logs is typically below 100 KB in total, which is within the acceptable size for any SIEM provider. If fewer than 100 logs are pending, all of them are sent; if more are pending, they are sent in successive batches of 100.

Logs are not held until a full batch is ready; your site forwards all collected logs every 60 seconds. Files.com does not currently compress logs.

When logs cannot be delivered, the site retries every 60 seconds for the first 5 minutes, and every 15 minutes after that.

Log Retention

Files.com retains logs for the past 7 days for SIEM integrations. If the integration is paused, either manually or due to a connection failure, the logs from the last 7 days are sent in batches once the connection is restored or the integration is resumed manually. This allows you to pause the integration to perform maintenance on the receiving application without losing audit data.

Some SIEM platforms, such as Datadog and Sumo Logic, only accept logs from the past 18 hours. For example, if you pause an integration to a Datadog endpoint for more than 18 hours, you risk losing logs that Datadog will not accept once the integration is resumed.

Additional SIEM Platforms

Files.com natively integrates with Splunk, Microsoft Sentinel, Sumo Logic, Datadog, and New Relic, and continues to add platforms over time. Files.com does not natively support every commercial and open-source SIEM or logging server.

If your SIEM platform is not in the list of natively supported platforms, use the Generic SIEM Connector, listed as the SIEM (Any Provider) Connector in the SIEM integration catalog. The Generic SIEM Connector supports any SIEM platform or logging server that receives data in JSON format over HTTP, in cloud-based or on-premises environments.

Example Dashboards and Alerts

The patterns below illustrate ways to use your SIEM platform with logs and event data from Files.com. These dashboards and alerts are set up within your SIEM platform using Files.com logs. Your SIEM platform may also offer pre-built templates for some of these use cases. For configuration and customization, refer to your SIEM platform's documentation.

Tracking User Authentication and Access

Use API Request Logs and FTP, SFTP, and WebDAV Action Logs to build dashboards that track login attempts, successful logins, and access trends. An alert can notify the security team when a login occurs from an unapproved IP address. A dashboard displaying login trends by region helps detect access attempts from unauthorized geographic regions. An alert can also flag potential account compromise when an inactive user who has not logged in for 90 days suddenly logs in and downloads multiple files.
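Two of the alert rules above, run over constructed sample entries, as an added example that is not Files.com's code. The entry schema (created_at, username, ip, action, status) is constructed for the example and is not Files.com's real log field layout; map it to the fields shown in the API and sample logs linked in the Log Types table. The approved IP ranges, the "multiple files" threshold of 3 and the one-hour look-ahead window are assumptions.

```python
"""Authentication alerts: login from an unapproved IP, and a dormant account
(no login for 90 days) that logs in and then downloads several files.

Added example, not Files.com's code. Field names are a constructed schema.
Timestamps are ISO 8601 strings constructed as UTC.
"""
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

APPROVED_RANGES = [ip_network("203.0.113.0/24"), ip_network("10.0.0.0/8")]  # constructed
DORMANT_DAYS = 90                       # from the page
MULTI_DOWNLOAD_MIN = 3                  # "multiple files": assumed threshold
DOWNLOAD_WINDOW = timedelta(hours=1)    # assumed look-ahead after the login


def ts(s):
    """Parse a constructed ISO 8601 timestamp (naive, treated as UTC)."""
    return datetime.fromisoformat(s)


# Constructed sample entries, already in time order.
SAMPLE = [
    {"created_at": "2024-03-01T09:00:00", "username": "alice", "ip": "203.0.113.5", "action": "login", "status": "success"},
    {"created_at": "2024-03-01T09:05:00", "username": "bob", "ip": "198.51.100.7", "action": "login", "status": "success"},
    {"created_at": "2024-06-10T22:00:00", "username": "alice", "ip": "203.0.113.9", "action": "login", "status": "success"},
    {"created_at": "2024-06-10T22:01:00", "username": "alice", "ip": "203.0.113.9", "action": "read", "status": "success", "path": "finance/a.csv"},
    {"created_at": "2024-06-10T22:02:00", "username": "alice", "ip": "203.0.113.9", "action": "read", "status": "success", "path": "finance/b.csv"},
    {"created_at": "2024-06-10T22:03:00", "username": "alice", "ip": "203.0.113.9", "action": "read", "status": "success", "path": "finance/c.csv"},
]


def unapproved_ip_logins(entries, approved=APPROVED_RANGES):
    """Return (username, ip) for every successful login outside the approved ranges."""
    alerts = []
    for e in entries:
        if e["action"] == "login" and e["status"] == "success":
            addr = ip_address(e["ip"])
            if not any(addr in net for net in approved):
                alerts.append((e["username"], e["ip"]))
    return alerts


def dormant_account_downloads(entries, dormant_days=DORMANT_DAYS,
                              min_downloads=MULTI_DOWNLOAD_MIN, window=DOWNLOAD_WINDOW):
    """Return (username, login_time, download_count) when an account with no
    login for `dormant_days` logs in and downloads >= `min_downloads` files
    within `window`. A user's very first login has no baseline and is skipped."""
    last_login = {}
    alerts = []
    for i, e in enumerate(entries):
        if e["action"] != "login" or e["status"] != "success":
            continue
        now = ts(e["created_at"])
        prev = last_login.get(e["username"])
        last_login[e["username"]] = now
        if prev is None or now - prev < timedelta(days=dormant_days):
            continue
        # dormant account just logged in: count its downloads in the following window
        downloads = sum(
            1 for f in entries[i + 1:]
            if f["username"] == e["username"] and f["action"] == "read"
            and ts(f["created_at"]) - now <= window
        )
        if downloads >= min_downloads:
            alerts.append((e["username"], e["created_at"], downloads))
    return alerts


if __name__ == "__main__":
    print(unapproved_ip_logins(SAMPLE))
    print(dormant_account_downloads(SAMPLE))
```

In a SIEM the "last login" state would come from a lookup table or a long-window search rather than from the batch being processed; the logic is the same.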

Monitoring File Transfers and Failures

Use FTP, SFTP, and WebDAV Action Logs to build dashboards that visualize uploads, downloads, deletions, and renames. An alert can notify IT when file transfer failures exceed 5% within 30 minutes. Dashboards tracking the source and destination IPs for failed transfers can highlight recurring problems or external vendor-related failures.
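The "failures exceed 5% within 30 minutes" rule and the failed-transfers-by-source-IP breakdown, as an added example that is not Files.com's code. It runs a sliding 30-minute window over constructed transfer entries (the action and status values are a constructed schema, not Files.com's field names) and fires once when the rate first crosses the threshold rather than on every subsequent event. The minimum of 20 events before alerting is an assumption that keeps a single failure in a handful of transfers from tripping the rule.

```python
"""File transfer failure-rate alert over a sliding 30-minute window.

Added example, not Files.com's code. Field names and action values are a
constructed schema. Timestamps are ISO 8601 strings constructed as UTC.
"""
from collections import Counter, deque
from datetime import datetime, timedelta

FAILURE_RATE_THRESHOLD = 0.05             # 5%, from the page
WINDOW = timedelta(minutes=30)            # from the page
MIN_EVENTS = 20                           # assumption: ignore tiny samples
TRANSFER_ACTIONS = {"create", "read", "destroy", "rename"}  # constructed action names


def ts(s):
    return datetime.fromisoformat(s)


# Constructed sample: 40 successful uploads one minute apart, then 3 failures.
_BASE = datetime(2024, 6, 10, 10, 0, 0)
SAMPLE = [
    {"created_at": (_BASE + timedelta(minutes=i)).isoformat(), "username": "svc-vendor",
     "ip": "198.51.100.7", "action": "create", "status": "success"}
    for i in range(40)
] + [
    {"created_at": (_BASE + timedelta(minutes=40 + i)).isoformat(), "username": "svc-vendor",
     "ip": "198.51.100.7", "action": "create", "status": "failure"}
    for i in range(3)
]


def failure_rate_alerts(entries, threshold=FAILURE_RATE_THRESHOLD,
                        window=WINDOW, min_events=MIN_EVENTS):
    """Return (timestamp, rate) each time the windowed failure rate crosses
    `threshold` from below. Entries must be in time order."""
    win = deque()      # (timestamp, failed) for events inside the window
    failures = 0
    above = False
    alerts = []
    for e in entries:
        if e["action"] not in TRANSFER_ACTIONS:
            continue
        now = ts(e["created_at"])
        failed = e["status"] != "success"
        win.append((now, failed))
        failures += failed
        while win and now - win[0][0] > window:   # drop events older than the window
            _, old = win.popleft()
            failures -= old
        rate = failures / len(win)
        if len(win) >= min_events and rate > threshold:
            if not above:                          # alert once per excursion
                alerts.append((e["created_at"], round(rate, 3)))
                above = True
        else:
            above = False
    return alerts


def failures_by_ip(entries):
    """Dashboard helper: count failed transfers per source IP."""
    return Counter(e["ip"] for e in entries
                   if e["action"] in TRANSFER_ACTIONS and e["status"] != "success")


if __name__ == "__main__":
    print(failure_rate_alerts(SAMPLE))
    print(failures_by_ip(SAMPLE).most_common())
```

At 10:40 the window holds 31 transfers with one failure (about 3.2%); at 10:41 it holds 31 with two failures (about 6.5%), which is where the alert fires.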

Detecting Suspicious Login Locations

Use API Request Logs to build dashboards that map user login activity by region. An alert can prompt verification when a user logs in from a new country. A dashboard showing login activity by country surfaces access trends, and a separate alert can detect simultaneous logins from different locations, which may indicate credential theft or VPN-based attacks.

Identifying Unusual File Download Behavior

Use API Request Logs along with FTP, SFTP, WebDAV, and Public Hosting Logs to track users downloading an unusually high volume of files in a short time. An alert can flag potential data exfiltration when a user downloads more than 500 files within 10 minutes. Dashboards displaying download activity by user and file size help identify risks. A separate alert can detect large file downloads from external IP addresses, which may signal unauthorized data exports.
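The "more than 500 files within 10 minutes" rule and the large-download-from-external-IP rule, as an added example that is not Files.com's code. It keeps a per-user sliding window over constructed download entries (the read action, size field and other names are a constructed schema, not Files.com's) and alerts once per user when the window exceeds the threshold. The 1 GB "large file" size and the internal ranges used to decide what counts as external are assumptions.

```python
"""Download-burst and large-external-download alerts.

Added example, not Files.com's code. Field names are a constructed schema.
Timestamps are ISO 8601 strings constructed as UTC.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

BURST_THRESHOLD = 500                     # from the page
BURST_WINDOW = timedelta(minutes=10)      # from the page
LARGE_FILE_BYTES = 1_000_000_000          # assumption: 1 GB
INTERNAL_RANGES = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                   ip_network("192.168.0.0/16")]  # constructed definition of "internal"


def ts(s):
    return datetime.fromisoformat(s)


def is_external(ip):
    return not any(ip_address(ip) in net for net in INTERNAL_RANGES)


# Constructed sample: mallory pulls 501 small files one second apart from an
# external address; alice reads 50 files slowly from an internal address and
# later one 2 GB file from an external address.
_BASE = datetime(2024, 6, 10, 3, 0, 0)
SAMPLE = [
    {"created_at": (_BASE + timedelta(seconds=i)).isoformat(), "username": "mallory",
     "ip": "198.51.100.7", "action": "read", "size": 4096, "path": f"export/part{i}.csv"}
    for i in range(501)
] + [
    {"created_at": (_BASE + timedelta(minutes=i)).isoformat(), "username": "alice",
     "ip": "10.0.0.5", "action": "read", "size": 8192, "path": f"reports/r{i}.pdf"}
    for i in range(50)
] + [
    {"created_at": "2024-06-10T04:00:00", "username": "alice", "ip": "198.51.100.20",
     "action": "read", "size": 2_000_000_000, "path": "backups/full.tar"},
]
SAMPLE.sort(key=lambda e: e["created_at"])  # ISO strings sort chronologically


def download_burst_alerts(entries, threshold=BURST_THRESHOLD, window=BURST_WINDOW):
    """Return (username, timestamp, count) the first time a user's downloads
    within `window` exceed `threshold`. Entries must be in time order."""
    windows = defaultdict(deque)   # username -> timestamps inside the window
    alerted = set()
    alerts = []
    for e in entries:
        if e["action"] != "read":
            continue
        now = ts(e["created_at"])
        q = windows[e["username"]]
        q.append(now)
        while q and now - q[0] > window:
            q.popleft()
        if len(q) > threshold and e["username"] not in alerted:
            alerts.append((e["username"], e["created_at"], len(q)))
            alerted.add(e["username"])
    return alerts


def large_external_downloads(entries, min_bytes=LARGE_FILE_BYTES):
    """Return (username, ip, size) for downloads of at least `min_bytes`
    from an address outside INTERNAL_RANGES."""
    return [(e["username"], e["ip"], e["size"]) for e in entries
            if e["action"] == "read" and e.get("size", 0) >= min_bytes and is_external(e["ip"])]


if __name__ == "__main__":
    print(download_burst_alerts(SAMPLE))
    print(large_external_downloads(SAMPLE))
```

The burst alert fires on the 501st download, at 03:08:20, with all 501 reads still inside the 10-minute window; alice's 50 reads never exceed the threshold. The same per-user window with a different action filter and threshold serves the "remote connection fails more than three times within 5 minutes" rule described further down the page.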

Monitoring High-Activity Users and Folders

Use API Request Logs and FTP, SFTP, and WebDAV Logs to build dashboards that highlight the most active users and frequently accessed folders. An alert can notify security teams when a restricted folder is accessed for the first time. A user activity heatmap visualizes usage trends, and a report on the highest file transfer users helps security teams review potentially risky behavior.

Use FTP, SFTP, and WebDAV Logs to track peak usage times and detect unusual data movement. An alert can indicate a system failure or workflow issue when file transfer volume drops by 80% compared to the same time last week. A historical dashboard showing normal versus abnormal file transfer trends provides context, and an unusually high file transfer volume alert can help detect mass file movements, which may indicate a data breach.
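The week-over-week comparison in the paragraph above (an 80% drop against the same time last week, and the matching high-volume alert), as an added example that is not Files.com's code. It buckets constructed transfer entries by hour, compares each hour with the hour exactly seven days earlier, and treats an hour with no entries at all as zero so that a complete outage is not missed. The 5x spike factor and the minimum baseline of 20 transfers are assumptions; field names are a constructed schema.

```python
"""Week-over-week transfer volume alerts (drop and spike).

Added example, not Files.com's code. Field names are a constructed schema.
Timestamps are ISO 8601 strings constructed as UTC.
"""
from collections import Counter
from datetime import datetime, timedelta

DROP_FRACTION = 0.8        # from the page: volume drops by 80%
SPIKE_FACTOR = 5           # assumption: 5x last week's volume is "unusually high"
MIN_BASELINE = 20          # assumption: ignore hours that were quiet last week too
ONE_WEEK = timedelta(days=7)
TRANSFER_ACTIONS = {"create", "read", "destroy", "rename"}  # constructed action names


def _make(start, n, user="svc-batch"):
    """Constructed helper: n transfers spread evenly across the hour from `start`."""
    step = 3600 // max(n, 1)
    return [{"created_at": (start + timedelta(seconds=i * step)).isoformat(),
             "username": user, "action": "create", "status": "success"} for i in range(n)]


# Constructed sample: three hours last week and the same hours this week.
_LAST_WEEK = datetime(2024, 6, 3)
_THIS_WEEK = datetime(2024, 6, 10)
SAMPLE = []
for _hour, _last, _cur in [(10, 100, 15), (11, 100, 90), (12, 100, 600)]:
    SAMPLE += _make(_LAST_WEEK.replace(hour=_hour), _last)
    SAMPLE += _make(_THIS_WEEK.replace(hour=_hour), _cur)


def transfer_counts_by_hour(entries):
    """Counter of transfer events keyed by the hour (naive datetime, UTC)."""
    counts = Counter()
    for e in entries:
        if e["action"] in TRANSFER_ACTIONS:
            hour = datetime.fromisoformat(e["created_at"]).replace(minute=0, second=0, microsecond=0)
            counts[hour] += 1
    return counts


def _compare(counts, predicate, min_baseline):
    """For each baseline hour whose same hour a week later lies within the
    data seen so far, yield (hour, current, baseline) when predicate holds."""
    as_of = max(counts)                       # latest hour with any data
    alerts = []
    for base_hour in sorted(counts):
        target = base_hour + ONE_WEEK
        if target > as_of:
            continue                          # that hour has not happened yet
        baseline = counts[base_hour]
        current = counts.get(target, 0)       # missing hour counts as zero
        if baseline >= min_baseline and predicate(current, baseline):
            alerts.append((target.isoformat(), current, baseline))
    return alerts


def volume_drop_alerts(counts, drop=DROP_FRACTION, min_baseline=MIN_BASELINE):
    """Hours where volume fell by at least `drop` versus the same hour last week."""
    return _compare(counts, lambda cur, base: cur <= base * (1 - drop), min_baseline)


def volume_spike_alerts(counts, factor=SPIKE_FACTOR, min_baseline=MIN_BASELINE):
    """Hours where volume is at least `factor` times the same hour last week."""
    return _compare(counts, lambda cur, base: cur >= base * factor, min_baseline)


if __name__ == "__main__":
    counts = transfer_counts_by_hour(SAMPLE)
    print(volume_drop_alerts(counts))
    print(volume_spike_alerts(counts))
```

Comparing against the same hour one week earlier rather than the previous hour keeps the weekly rhythm of batch jobs out of the alert; for a site with strong daily patterns a longer baseline (the median of the last four same-hour values) would be the next refinement.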

Monitoring Remote Server Connections

Use Outbound Connection Logs to build dashboards that show connection success rates, failure patterns, and latency. An alert can notify IT when a remote connection fails more than three times within 5 minutes. Dashboards tracking connection response times help identify outages, and a separate alert can notify administrators if a vendor system remains offline for too long.

Monitoring Automations Status

Tracking automation logs in your SIEM platform confirms that scheduled tasks are running. Dashboards display real-time execution status, including successes, failures, and delays. An alert can notify IT when automations fail repeatedly or remain pending.