
Stream Every Files.com File-Activity Event Into Microsoft Sentinel

Files.com keeps a record of everything that happens to your files: every login, upload, download, and permission change. This integration sends that record into Sentinel, sorted into its own tables, so your security team can search and alert on file activity in KQL right alongside the rest of their Microsoft data.


Why Microsoft Shops Stream Files.com Into Sentinel

A Microsoft shop already pipes Entra ID sign-ins, Defender alerts, and Azure logs into Sentinel. The missing piece is file movement: who moved which regulated file, when, and how. Files.com fills it by sending every file event into Log Analytics, so file activity becomes a table your security team can search and alert on like any other.

File Activity You Can Query in Sentinel

Files.com sends its events into Log Analytics, the data behind Sentinel, so your security team can search and alert on file activity with the same KQL queries they already use for the rest of their Microsoft tools.

Each Log Type in Its Own Table

Files.com sorts events by type on the way in. SFTP sessions go to one table, settings changes to another. So when you go looking, everything is already in the right place.

Signs In the Azure Way

The connection uses an Entra app registration and a rule you control in Azure. It is the same way the rest of your Azure data gets in, so there is nothing new for your team to learn.

A Tamper-Proof Record Behind the Stream

The events come from the Files.com audit log, which can't be edited and is kept for 7+ years. Sentinel does the searching and alerting; Files.com holds the original, trustworthy record.

A Natural Fit for a Microsoft Shop

If Sentinel is your security team's home base, Files.com drops file activity right into the Log Analytics workspace you already have. There is no custom collector to build.

The Control Sentinel Watches but Doesn't Provide

Sentinel reads the events. It doesn't decide who can touch which files or keep the record of what they did. Files.com does that part: access folder by folder, every action written to a record that can't be changed, and identity tied to Entra ID so the person in a KQL query is the account your directory controls.

Give People Access to Only Their Folders

Hand each team, project, or person the exact folders they need. The person you see in a Sentinel query is the same account Entra ID controls through SSO, SAML, and SCIM.

A Record of Everything That Happens

Every login, upload, download, and permission change is written to a record that can’t be altered and is kept for 7+ years. It is the same record each event sent to Sentinel traces back to.

Entra ID, Top to Bottom

People sign in to Files.com through Entra ID, and the Sentinel feed itself signs in with an Entra app registration you control. One identity system, end to end.

Delivery That's Signed and Logged

Events flow in through a rule you set up in Azure with permissions you assign. Files.com also logs the act of sending, so if a delivery fails you can see it and look into it.

Connect Sentinel the Way That Fits Your Workload

Live Stream Into Sentinel

The main way most teams use this. Files.com sends each event into Log Analytics as it happens, ready for KQL searches and alerts in Sentinel. This is an Enterprise-plan feature; it isn't on Starter or Power.

Drop Log Files in a Folder

Instead of a live stream, Files.com can write log files to a folder on a schedule you set, from every 5 minutes up to every 6 hours. This is useful for batch ingest, a long-term archive, or a locked-down network, and you can run it alongside the live feed.

How Teams Use Sentinel on Files.com

Tie a Suspicious Login to File Downloads

A questionable Entra sign-in is followed by a burst of downloads. With Files.com download events in Log Analytics, your team connects the two in a single KQL query instead of jumping between tools.

Alert When Someone Pulls Too Many Files

Set up a rule on the Files.com SFTP table that opens an incident when one account suddenly pulls far more files than usual over SFTP.

Rebuild the Timeline Right in Sentinel

After a breach, your team searches every Files.com event the account touched directly in Sentinel: uploads, downloads, links it opened, permissions it changed. It all comes from the tamper-proof record.

Alert on a Security Setting Being Changed

Setting changes flow into their own Files.com table in Sentinel, and a rule alerts you when MFA or a permission setting is changed when it shouldn't have been.

Files.com Features That Pair With Microsoft Sentinel

Audit Log

The 7+ year record that can't be altered. It is the trustworthy source every event sent to Sentinel comes from.


Microsoft Azure Blob Storage

Connect your Azure storage and send its file activity into the same Sentinel workspace, so the data and the record of who touched it land in one place.


Microsoft Entra ID SSO

Connect file access to Entra ID, so the person in a Sentinel query result is the same account your directory controls.


Automations & Workflows

Every automation run is an event you can search in Sentinel, so a job that breaks shows up as an incident instead of failing quietly.


Files.com Will Be At Microsoft Ignite 2026

November 17–20, 2026 · San Francisco, CA

Files.com builds deeply on SharePoint, OneDrive, Azure, and Microsoft Entra ID, so of course we’ll be on the floor at Microsoft Ignite telling our File Orchestration story. The legacy MFT vendors won’t be there.


Frequently Asked: Sentinel on Files.com

What buyers ask about how Files.com connects to Sentinel, what it costs, and what the integration actually does.

See Files.com Stream Into Your Sentinel Workspace

Start a free 7-day trial. Set up the connection, send a test event, and watch file activity land as a searchable table in Log Analytics. No credit card required.
