diff --git a/salt/sensoroni/defaults.yaml b/salt/sensoroni/defaults.yaml
index 4e726817e..2c821ed6c 100644
--- a/salt/sensoroni/defaults.yaml
+++ b/salt/sensoroni/defaults.yaml
@@ -16,6 +16,21 @@ sensoroni:
 soc_host:
 suripcap:
 pcapMaxCount: 100000
+ fileanalyze:
+ enabled: False
+ watchDirs:
+ - /nsm/zeek/extracted/complete
+ processedDir: /nsm/strelka/processed
+ historyDir: /nsm/strelka/history
+ logFile: /var/log/strelka/strelka.log
+ concurrency: 8
+ maxDepth: 15
+ recycleSeconds: 300
+ dedupMaxEntries: 100000
+ dedupTTLSeconds: 3600
+ yaraRulesPath: /opt/so/conf/strelka/rules/compiled/rules.compiled
+ passwordsPath: /etc/strelka/passwords.dat
+ scannerTimeout: 150
 analyzers:
 echotrail:
 base_url: https://api.echotrail.io/insights/
diff --git a/salt/sensoroni/files/sensoroni.json b/salt/sensoroni/files/sensoroni.json
index 2e7ab0860..f42c0274f 100644
--- a/salt/sensoroni/files/sensoroni.json
+++ b/salt/sensoroni/files/sensoroni.json
@@ -14,7 +14,7 @@
 "serverUrl": "https://{{ GLOBALS.url_base }}/sensoroniagents",
 "verifyCert": false,
 "modules": {
-{%- if SENSORONIMERGED.config.analyze.enabled %}
+{%- if SENSORONIMERGED.config.analyze.enabled %}
 "analyze": {
 "timeoutMs": {{ SENSORONIMERGED.config.analyze.timeout_ms }},
 "parallelLimit": {{ SENSORONIMERGED.config.analyze.parallel_limit }}
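Review bot: The new fileanalyze defaults bound nesting depth (`maxDepth: 15`) and parallelism (`concurrency: 8`) but expose no limit on the size of an input file taken from `watchDirs` or on the bytes produced while unpacking nested archives, and everything under /nsm/zeek/extracted/complete is attacker-supplied content lifted off the wire. Unless the module enforces an internal cap — nothing in this diff shows one — a crafted nested archive can exhaust disk or CPU on the sensor before the depth limit is reached. Consider adding a size default next to `maxDepth`, e.g. `maxExtractedBytes: 1073741824`, and wiring it through, or at minimum documenting the built-in limit here: `# maxDepth bounds archive nesting only; extracted-size limits are enforced inside the module`.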
@@ -31,11 +31,27 @@
 "statickeyauth": {
 "apiKey": "{{ GLOBALS.sensoroni_key }}"
 {% if GLOBALS.is_sensor %}
- },
+ },
 "suriquery": {
 "pcapInputPath": "/nsm/suripcap",
 "pcapOutputPath": "/nsm/pcapout",
 "pcapMaxCount": {{ SENSORONIMERGED.config.suripcap.pcapMaxCount }}
+{%- endif %}
+{%- if SENSORONIMERGED.config.fileanalyze.enabled %}
+ },
+ "fileanalyze": {
+ "watchDirs": {{ SENSORONIMERGED.config.fileanalyze.watchDirs | tojson }},
+ "processedDir": "{{ SENSORONIMERGED.config.fileanalyze.processedDir }}",
+ "historyDir": "{{ SENSORONIMERGED.config.fileanalyze.historyDir }}",
+ "logFile": "{{ SENSORONIMERGED.config.fileanalyze.logFile }}",
+ "concurrency": {{ SENSORONIMERGED.config.fileanalyze.concurrency }},
+ "maxDepth": {{ SENSORONIMERGED.config.fileanalyze.maxDepth }},
+ "recycleSeconds": {{ SENSORONIMERGED.config.fileanalyze.recycleSeconds }},
+ "dedupMaxEntries": {{ SENSORONIMERGED.config.fileanalyze.dedupMaxEntries }},
+ "dedupTTLSeconds": {{ SENSORONIMERGED.config.fileanalyze.dedupTTLSeconds }},
+ "yaraRulesPath": "{{ SENSORONIMERGED.config.fileanalyze.yaraRulesPath }}",
+ "passwordsPath": "{{ SENSORONIMERGED.config.fileanalyze.passwordsPath }}",
+ "scannerTimeout": {{ SENSORONIMERGED.config.fileanalyze.scannerTimeout }}
 {%- endif %}
 }
 }
diff --git a/salt/sensoroni/soc_sensoroni.yaml b/salt/sensoroni/soc_sensoroni.yaml
index 73920e9b7..225f4153e 100644
--- a/salt/sensoroni/soc_sensoroni.yaml
+++ b/salt/sensoroni/soc_sensoroni.yaml
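Review bot: The new `{%- if SENSORONIMERGED.config.fileanalyze.enabled %}` guard is not conditioned on `GLOBALS.is_sensor`, unlike the suriquery block immediately above it, so any node that renders this template with the flag set will run a fileanalyze module watching /nsm/zeek/extracted/complete, while the option description in soc_sensoroni.yaml says the module applies to sensor nodes. If sensor-only is the intent, change the guard to `{%- if GLOBALS.is_sensor and SENSORONIMERGED.config.fileanalyze.enabled %}`; if a per-node pillar already scopes `enabled`, a one-line template comment saying so would spare the next reader the same question. Note also that `concurrency`, `maxDepth`, `recycleSeconds`, `dedupMaxEntries`, `dedupTTLSeconds` and `scannerTimeout` are interpolated unquoted, so any non-numeric value reaching the pillar renders invalid JSON — the type pinning for that belongs in the soc_sensoroni.yaml annotations.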
@@ -65,6 +65,60 @@ sensoroni:
 description: The maximum number of PCAP packets to extract from eligible PCAP files, for PCAP jobs. If there are issues fetching excessively large packet streams consider lowering this value to reduce the number of collected packets returned to the user interface.
 helpLink: pcap
 advanced: True
+ fileanalyze:
+ enabled:
+ description: Enable or disable the file analysis module. When enabled, this replaces Strelka for file scanning on sensor nodes.
+ forcedType: bool
+ advanced: False
+ helpLink: strelka
+ watchDirs:
+ description: Directories to watch for new files to analyze. Typically the Zeek or Suricata extracted file directories.
+ advanced: True
+ helpLink: strelka
+ processedDir:
+ description: Directory to move files to after scanning is complete.
+ advanced: True
+ helpLink: strelka
+ historyDir:
+ description: Directory for on-disk deduplication history. Each scanned file hash is recorded here to survive restarts.
+ advanced: True
+ helpLink: strelka
+ logFile:
+ description: Path to the JSON log file where scan results are written. This file is picked up by the existing filebeat pipeline.
+ advanced: True
+ helpLink: strelka
+ concurrency:
+ description: Maximum number of files to scan concurrently.
+ advanced: True
+ helpLink: strelka
+ maxDepth:
+ description: Maximum recursive extraction depth for nested archives.
+ advanced: True
+ helpLink: strelka
+ recycleSeconds:
+ description: Interval in seconds to recycle the file watcher to pick up new subdirectories.
+ advanced: True
+ helpLink: strelka
+ dedupMaxEntries:
+ description: Maximum number of entries in the in-memory deduplication cache.
+ advanced: True
+ helpLink: strelka
+ dedupTTLSeconds:
+ description: Time-to-live in seconds for deduplication cache entries.
+ advanced: True
+ helpLink: strelka
+ yaraRulesPath:
+ description: Path to compiled YARA rules file.
+ advanced: True
+ helpLink: strelka
+ passwordsPath:
+ description: Path to password dictionary for encrypted file cracking attempts.
+ advanced: True
+ helpLink: strelka
+ scannerTimeout:
+ description: Timeout in seconds for individual scanner execution.
+ advanced: True
+ helpLink: strelka
 analyzers:
 echotrail:
 api_key:
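Review bot: Only `enabled` is given a `forcedType`; the numeric options (`concurrency`, `maxDepth`, `recycleSeconds`, `dedupMaxEntries`, `dedupTTLSeconds`, `scannerTimeout`) are left untyped even though sensoroni.json interpolates them into the agent config unquoted, so a string or empty value saved from the SOC UI would render invalid JSON and stop the agent loading its modules. Add `forcedType: int` under each of them, mirroring the `forcedType: bool` already on `enabled`, and annotate `watchDirs` as a list the same way other list-valued options in this file are declared (that convention is outside this hunk — confirm it before copying). The `passwordsPath` description should also make the sensitivity of the file explicit, e.g. `description: Path to the password dictionary tried against password-protected archives. Treat this file as sensitive and keep it readable only by the sensoroni service account.`, since the default points at /etc/strelka/passwords.dat and nothing in this change sets its ownership or mode.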