Security and IT teams can integrate TitanFile’s audit logs directly into their Security Information and Event Management (SIEM) system to centralize security monitoring and automate alerting.
This guide walks you through the setup process for Microsoft Sentinel. It explains how the integration works, and how to validate that logs are flowing into your environment. This guide is meant to be a reference – any customizations or specific use cases may require you to make changes to the code below.
Overview
TitanFile provides REST API access to detailed audit logs, including user activity, authentication events, file actions, IP metadata, and more. Using the TitanFile-Sentinel integration script, you can automatically pull these logs into your Azure Log Analytics workspace on a scheduled basis for use in Sentinel dashboards, queries, and alerts.
This integration supports:
- Centralized SIEM visibility
- Automated ingestion of new TitanFile events
- Custom Sentinel alerting
- Forensic and compliance reporting
Prerequisites
Before you begin, ensure you have:
- A TitanFile Enterprise plan with API access (refer to the TitanFile API Documentation for more details)
- Python 3.8+
- Access to your Azure Log Analytics Workspace and Workspace ID/Shared Key
- Git installed on your machine
- (Optional) Azure Sentinel already enabled in your workspace
1. Clone the Integration Repository
Begin by downloading the TitanFile SIEM integration package:
git clone https://github.com/TitanFile/tf-audit-logs-siem-integrations.git
cd tf-audit-logs-siem-integrations/sentinel
The sentinel directory contains:
- titanfile_to_sentinel.py - The main ingestion sample script
- .env.example - Environment variable template
- run_titanfile_sentinel_sync.sh - Optional helper script
- logs/ - Auto-created log directory
2. (Optional) Create a Virtual Environment
A virtual environment keeps dependencies isolated:
python -m venv venv
source venv/bin/activate # macOS/Linux
# Windows: venv\Scripts\activate
3. Install Dependencies
Install the required Python package:
pip install requests
4. Configure Environment Variables
Copy the environment template:
cp .env.example .env
Open .env and fill in your:
- TitanFile API credentials
- Log Analytics Workspace ID
- Shared Key
- API endpoint URL
- Polling configuration (if applicable)
Alternatively, you may export these values directly in your terminal session.
Running the Integration
There are two supported methods for running the script:
- Running directly with Python
- Running using the provided shell script
Method 1: Run Directly via Python
python titanfile_to_sentinel.py
This immediately fetches new audit logs from TitanFile and forwards them to your Sentinel workspace.
Method 2: Run via Shell Script (.sh)
The repository includes a helper script that:
- Loads environment variables from .env
- Executes the Python integration script
- Creates a logs/ directory if needed
- Logs all output to ./logs/sync.log
Usage:
chmod +x run_titanfile_sentinel_sync.sh
./run_titanfile_sentinel_sync.sh
This approach is ideal for:
- Git Bash on Windows
- WSL environments
- Automation via Task Scheduler or cron
How Checkpointing Works
To prevent duplicate ingestion, the script stores the last successful fetch timestamp in a local file:
titanfile_checkpoint.json
This ensures each run only pulls new audit logs.
If needed, you can delete the file to force the system to fetch the previous hour of logs again.
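One way to implement this checkpoint, as an added example that is not the repository's titanfile_to_sentinel.py: the file name is the one the guide gives, while the last_fetch key and the one-hour fallback are assumptions; it also covers two failure modes a scheduled job meets (a truncated file from an interrupted write, and a checkpoint stamped in the future).

```python
# Added example, not the repository's titanfile_to_sentinel.py: a checkpoint
# helper with the behaviour the guide describes. The file name is from the guide;
# the "last_fetch" key and one-hour fallback ("previous hour") are assumptions.
import json
import os
import tempfile
from datetime import datetime, timedelta, timezone

CHECKPOINT_FILE = "titanfile_checkpoint.json"
DEFAULT_LOOKBACK = timedelta(hours=1)


def load_checkpoint(path=CHECKPOINT_FILE, now=None):
    """Start of the next fetch window. Missing/malformed file -> now - 1h, so
    deleting it re-fetches the previous hour; a future timestamp (clock skew
    on the writer) is clamped to now so no window of events is skipped."""
    now = now or datetime.now(timezone.utc)
    try:
        with open(path, "r", encoding="utf-8") as fh:
            ts = datetime.fromisoformat(json.load(fh)["last_fetch"])
    except (OSError, ValueError, KeyError, TypeError):
        return now - DEFAULT_LOOKBACK
    if ts.tzinfo is None:
        ts = ts.replace(tzinfo=timezone.utc)
    return min(ts, now)


def save_checkpoint(fetched_until, path=CHECKPOINT_FILE):
    """Write-then-rename: a crash mid-write cannot leave a truncated file."""
    tmp = path + ".tmp"
    with open(tmp, "w", encoding="utf-8") as fh:
        json.dump({"last_fetch": fetched_until.isoformat()}, fh)
    os.replace(tmp, path)


def run_example():
    """Round trip in a temp directory; returns the lookback in minutes per case."""
    now = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    back = lambda ts: int((now - ts).total_seconds() // 60)
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, CHECKPOINT_FILE)
        absent = back(load_checkpoint(path, now))            # first run: no file
        save_checkpoint(now - timedelta(minutes=5), path)
        saved = back(load_checkpoint(path, now))             # normal run
        with open(path, "w", encoding="utf-8") as fh:
            fh.write('{"last_fetch": "2024-01-01T11:')        # simulate truncation
        corrupt = back(load_checkpoint(path, now))           # malformed file
        save_checkpoint(now + timedelta(hours=2), path)
        future = back(load_checkpoint(path, now))            # clamped to now
    return {"absent": absent, "saved": saved, "corrupt": corrupt, "future": future}
```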
Modifying the Sample Script (If Needed)
The sample Sentinel integration script provided in our GitHub repository is intended as a reference implementation. You may need to modify or adjust the script in your own working copy to align with your specific environment, configuration, or ingestion requirements.
Please note that we do not provide support for custom modifications. Any adjustments should be made by your team based on your setup and operational needs.
Viewing Logs in Microsoft Sentinel
Once logs begin flowing, you can query them in your Azure Log Analytics workspace.
TitanFile audit logs appear under the custom table:
TF_AuditLogs4_CL
Each record contains:
- Action (e.g., login, file upload, channel access)
- User ID and email address
- Channel metadata
- IP address
- Raw JSON event payload
- Timestamp
These fields allow SOC teams to build custom dashboards, alerts, and correlation rules, such as monitoring suspicious logins or high-volume file access.
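How a batch of these records reaches the TF_AuditLogs4_CL table, as an added example that is not the repository's code: it assumes the script posts to the Log Analytics HTTP Data Collector API, which is the API a Workspace ID and shared key authenticate to, and the sample record field names and the time-generated-field value are assumptions.

```python
# Added example, not the repository's script: signing and assembling one POST
# of audit records to the Log Analytics HTTP Data Collector API, the API that a
# Workspace ID + shared key authenticate to (assumed to be what the sample uses).
# Log-Type "TF_AuditLogs4" is what Log Analytics exposes as TF_AuditLogs4_CL.
import base64
import hashlib
import hmac
import json
from datetime import datetime, timezone

LOG_TYPE = "TF_AuditLogs4"   # Log Analytics appends "_CL" to custom log types
RESOURCE = "/api/logs"

# Constructed sample batch; field names follow the record fields the guide lists.
SAMPLE_RECORDS = [
    {"Action": "login", "UserEmail": "alice@example.com",
     "IP": "203.0.113.10", "Timestamp": "2024-01-01T11:58:00Z"},
    {"Action": "file upload", "UserEmail": "alice@example.com",
     "IP": "203.0.113.10", "Timestamp": "2024-01-01T11:59:30Z"},
]


def build_signature(workspace_id, shared_key, rfc1123_date, content_length):
    """Authorization header value. The string-to-sign is fixed by the API:
    method, body length, content type, x-ms-date header and resource path,
    each on its own line, HMAC-SHA256 keyed with the base64-decoded shared key."""
    string_to_sign = (f"POST\n{content_length}\napplication/json\n"
                      f"x-ms-date:{rfc1123_date}\n{RESOURCE}")
    digest = hmac.new(base64.b64decode(shared_key),
                      string_to_sign.encode("utf-8"), hashlib.sha256).digest()
    return f"SharedKey {workspace_id}:{base64.b64encode(digest).decode()}"


def prepare_request(workspace_id, shared_key, records, when=None):
    """Return (url, headers, body) for requests.post(url, data=body, headers=headers).
    The signature covers the exact byte length, so the body must be serialised
    once and sent unchanged; re-encoding it would invalidate the signature."""
    body = json.dumps(records).encode("utf-8")
    when = when or datetime.now(timezone.utc)
    rfc1123_date = when.strftime("%a, %d %b %Y %H:%M:%S GMT")
    headers = {
        "Content-Type": "application/json",
        "Authorization": build_signature(workspace_id, shared_key, rfc1123_date, len(body)),
        "Log-Type": LOG_TYPE,
        "x-ms-date": rfc1123_date,
        "time-generated-field": "Timestamp",  # assumed: use the event time, not ingest time
    }
    url = f"https://{workspace_id}.ods.opinsights.azure.com{RESOURCE}?api-version=2016-04-01"
    return url, headers, body
```

A 403 from this endpoint after a configuration change usually means the shared key was rotated or the body was altered after signing; the Troubleshooting section's "verify Workspace ID and shared key" step applies first.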
Scheduling Automated Log Ingestion
You can automate ingestion on a regular interval using:
Linux/macOS (cron)
*/5 * * * * /path/to/run_titanfile_sentinel_sync.sh
Windows Task Scheduler
Create a task that triggers the .sh script via Git Bash or runs the Python command directly.
This ensures continuous, near-real-time log delivery into Sentinel.
Troubleshooting
No logs appearing in Sentinel
- Verify Workspace ID and shared key
- Ensure the TitanFile API credentials are valid
- Check for errors inside logs/sync.log
Duplicate logs
- Confirm titanfile_checkpoint.json is not being deleted between runs
- Ensure your automation environment preserves write permissions
Permission errors
- Confirm your TitanFile API user has access to audit logs
- Check authentication settings in .env
Next Steps
Once your audit logs are streaming into Sentinel, you can:
- Build custom dashboards
- Configure anomaly alerts
- Run KQL queries for investigations
- Integrate TitanFile data with broader security workflows
If you need assistance or would like to explore advanced reporting options, please reach out to TitanFile Support via support@titanfile.com.