July 9, 2026

    How to Integrate Sharetru Audit Logs with Your SIEM for Compliance

    If you're responsible for security or compliance at your organization, you already know the problem: your file transfer platform is handling sensitive data every day — uploads, downloads, logins, share links — and that activity needs to be visible inside your SIEM, not buried in a portal you check manually.

    We hear this question from customers regularly. A recent support inquiry put it plainly: "We are looking to ingest GovFTP logs into our SIEM. Do we have this capability?"

    The short answer is yes — but it depends on the age of your Sharetru plan. Sharetru supports SIEM integration, and customers are already running it successfully with platforms like Microsoft Sentinel. In this post, I'll walk you through what it looks like, what events get captured, and what you can do with that data once it's flowing into your SIEM.

    Why File Transfer Activity Belongs in Your SIEM

    Your SIEM is your security nerve center — it correlates events across systems to surface anomalies, trigger alerts, and provide an auditable chain of evidence for compliance reviews. But it only works if the right data sources are feeding it.

    File transfer platforms are often overlooked. That's a problem, because they sit at the edge of your environment where external parties — vendors, partners, government clients — are exchanging sensitive files. A single unauthorized access event, a suspicious login from an unrecognized IP, or an MFA bypass attempt on a shared account could be a serious incident — and you'd never see it without log visibility.

    For organizations operating under FedRAMP, CMMC, HIPAA, or SOC 2 (and others), this isn't optional. These frameworks explicitly require audit log retention, monitoring of authentication events, and the ability to reconstruct timelines during incidents. Sharetru's SIEM integration exists precisely to help you meet those requirements.

    sharetru-siem-alerts-infographic

    What Events Sharetru Sends to Your SIEM

    When SIEM integration is configured, Sharetru streams log events in real time. Here's a short list of key items (but not even close to exhaustive) that are captured:

    Authentication Events

    • MFA Verification — Every time multi-factor authentication is successfully verified, a log event fires. This lets you detect anomalies like a user suddenly completing MFA from an unfamiliar location.
    • MFA Method Used — The specific method chosen (TOTP authenticator app, SMS, or email) is recorded. This is particularly useful for FedRAMP environments where TOTP is the only permitted method for guest users.
    • MFA Failures — an attempted login where the MFA method fails
    • SFTP / FTPS Login Events (Successes and Failures)
    • SSO Usage — Which single sign-on provider was used for each login.
    • Username Entry (HTTPS) — When a username is entered via the HTTPS portal.
    • Guest User Authentication — every step of the login process

    File Share Activity

    • Share Accessed — When a share link is opened, including the timestamp, the recipient's email address, and the IP address used to access it.
    • File Uploads and Downloads — Transfer events logged with user, filename, and timestamp.
    • File Deletions — self explanatory
    • File Renames — self explanatory
    • Copy / Paste events — self explantory

    Administrative Events

    • Account modifications, user provisioning, and permission changes relevant to your audit trail.

    Note for FedRAMP customers: Because Sharetru Federal operates under NIST 800-53 rev 5 (FedRAMP Moderate), log retention and audit trail requirements are built into the platform by design — not bolted on.

     

    sharetru-siem-pipeline-infographic

    How Sharetru's Logging Maps to Compliance Controls

    Sharetru's event logging isn't just operational telemetry — it's designed to produce the audit evidence that regulators and auditors require. Below is how the events above map to specific controls across the major frameworks.

    NIST 800-53 rev 5 (FedRAMP)

    • AU-2 (Event Logging) — Sharetru's defined set of authentication, file-transfer, and administrative events satisfies the requirement to identify and log security-relevant event types.
    • AU-3 (Content of Audit Records) — Each event captures the who, what, when, and where (user, action, timestamp, source IP) required for a complete audit record.
    • AU-6 (Audit Record Review, Analysis & Reporting) — Real-time streaming into your SIEM enables the continuous review and correlation this control expects.
    • AU-11 (Audit Record Retention) — Because Sharetru Federal operates under FedRAMP Moderate, retention requirements are built into the platform by design, not bolted on.
    • AU-12 (Audit Record Generation) — Logging is generated at the platform level across all in-scope components.
    • AC-7 / IA-2 (Unsuccessful Logon Attempts / MFA) — MFA verification and method-used events provide evidence of identification and authentication enforcement.

    HIPAA Security Rule

    • §164.312(b) (Audit Controls) — File upload/download and share-access events record activity involving systems that contain ePHI.
    • §164.308(a)(1)(ii)(D) (Information System Activity Review) — Streaming logs support the regular review of access and activity records this administrative safeguard requires.
    • §164.312(a)(2)(i) (Unique User Identification) — Every logged event ties an action to a specific user identity.

    SOC 2 (Trust Services Criteria)

    • CC6.1 / CC6.6 (Logical Access Controls) — SSO, MFA, and username-entry events evidence access control enforcement.
    • CC7.2 (System Monitoring) — Real-time SIEM feed supports detection of anomalies and security events.
    • CC7.3 (Evaluation of Security Events) — Structured event data enables the evaluation and response process auditors assess.

    ISO/IEC 27001:2022 (Annex A)

    • A.8.15 (Logging) — Event logs record user activities, exceptions, and security events.
    • A.8.16 (Monitoring Activities) — Continuous SIEM ingestion supports anomaly monitoring.
    • A.8.5 (Secure Authentication) — MFA and SSO events evidence authentication control operation.

    Note for FedRAMP customers: Because Sharetru Federal operates under NIST 800-53 rev 5 (FedRAMP Moderate), log retention and audit trail requirements are built into the platform by design — not bolted on.

    Connecting Sharetru to Your SIEM

    Sharetru integrates with a wide range of SIEM platforms through its REST API integration. Supported platforms include Splunk, IBM QRadar, Sumo Logic, CrowdStrike, Arctic Wolf, Microsoft Sentinel, and many others.

    We've chosen Microsoft Sentinel for the walkthrough below simply because it's a common platform among Sharetru customers, but the same general approach applies across platforms. Here's the setup path:

    1. Navigate to SIEM settings in Sharetru — Inside your admin dashboard, locate the SIEM integration settings panel.
    2. Configure the connection — Input your Sentinel workspace credentials. Sharetru provides a test connection button so you can verify the data is flowing before going live.
    3. Run the test — Once the test succeeds, you'll begin seeing Sharetru events appear in your Sentinel logs.
    4. Build your alerts — In Sentinel, configure alert rules based on Sharetru log events. A common starting point: alert when the log source stops reporting data for more than a set interval (e.g., 5 days), which signals either a connectivity issue or that activity has unexpectedly stopped.

    Important: Not every user action generates a log event — only meaningful security and authentication events do. If you're seeing gaps in data, check whether the activity you're expecting (such as a simple file browse without a download) is actually a logged event type.

    Using a different SIEM? If it can ingest logs via the Sharetru REST API integration, it can receive your event stream. Contact our support team for platform-specific configuration guidance.

     

    What to Do With the Data: Five Practical Alert Scenarios

    Once logs are flowing, the real value is in what you build on top of them. Here are five alert scenarios compliance and security teams find immediately useful:

    1. MFA Bypass or Failure Spike

    Set an alert if MFA verifications fail repeatedly for a single account within a short window. This pattern can indicate a credential stuffing attempt or a compromised account where an attacker is trying different second factors.

    2. Unusual Access Geography

    If a share link is accessed from an IP address in a country or region that doesn't match your expected user base, trigger an alert for review. Sharetru logs the IP address of every share access event, giving you the raw data to make this call.

    3. Departing Employee Data Exfiltration

    Because Sharetru logs downloads with user, filename, and timestamp, you can watch for high-risk behavior tied to a specific individual. A common example: a user submits their two weeks' notice, so you configure a SIEM watchlist for that account and alert on any mass-download activity before their last day. This turns your audit feed into an early warning system for insider risk.

    4. Access Attempt After Offboarding

    Set an alert for any authentication event — MFA verification, SSO usage, or username entry — tied to an account that should have been deprovisioned. If someone who has left the business attempts to log in after their last day, you'll know immediately, and it doubles as a check that your offboarding process actually revoked access.

    5. Log Source Goes Silent

    This is often the first alert teams configure: a notification when Sharetru stops sending log data for more than five days. In a compliance environment, a gap in your audit log feed isn't just an IT issue — it's a finding. Catching it quickly means you can remediate before it becomes a problem in your next audit cycle.

    Audit Log Retention and Incident Documentation

    A question we hear from compliance officers: "If we have an incident, can we get the audit logs to support our investigation?"

    Yes — and in most cases, you already have them. Your audit logs are available directly in your Sharetru site's log history folder. If an incident occurs, you can pull the records you need yourself, without contacting us or waiting on a request. That means immediate access to the data behind your incident timelines, root cause documentation, and corrective action evidence — exactly the kind of records your SOC 2 auditors, CMMC assessors, or FedRAMP reviewers will ask for.

    Retention is aligned to the standard your environment operates under, and it's built into the platform:

    • Sharetru Federal provides 12 months of log retention in your site, meeting the FedRAMP requirement.
    • Sharetru's HIPAA environment provides 7 years of log retention in your site, meeting the HIPAA/HITECH requirement.

    If you have a specific retention requirement beyond what your environment provides, contact our support team to confirm alignment with your needs.

    Getting Started

    If you're already a Sharetru customer and want to enable SIEM integration:

    • Log into your admin dashboard and look for the SIEM settings panel
    • Reach out to our support team if you need help with the initial configuration or platform-specific guidance
    • Ask about log event types if you want to validate which events map to specific controls in your compliance framework

    If you're evaluating Sharetru and SIEM integration is a requirement, bring it up during your demo. It's a first-class feature, not an add-on, and our team can walk you through how it aligns with your specific framework — FedRAMP, CMMC, HIPAA, or SOC 2.

    Chris Merriman

    Chris, Sharetru's VP of Engineering, is a lifelong learner and meticulous researcher who has crafted and shipped every Sharetru release since 2008

    Other posts you might be interested in

    View All Posts