With cyberattacks growing in number every day, it is essential to stay ahead of the challenges and mitigate risk. Security teams need to track emerging trends to protect their environment from persistent and ever-growing threats, phishing campaigns, and other forms of cyberattack.
DocuSign allows organizations to manage electronic agreements. As part of the DocuSign Agreement Cloud, DocuSign offers eSignature, a way to sign documents electronically on different devices. As your DocuSign use cases continue to grow, the DocuSign Monitor API can be a powerful tool to bolster your systems' integrity, reinforce company policies, and help assure your customers that their sensitive data is in good hands.
This blog covers integrating Microsoft Sentinel with DocuSign so you can stay on top of signs of intrusion or suspicious activity. The steps below demonstrate collecting DocuSign telemetry with an Azure Function that pulls DocuSign security events from the DocuSign Monitor API, together with the DocuSign account user list, and ingests them into an Azure Log Analytics workspace.
Deploying the DocuSign connector
This section explains how to use the ARM template to deploy the data connector to ingest DocuSign security events into Azure Log Analytics Workspace.
To access the ARM template, navigate to https://github.com/Azure/Azure-Sentinel/tree/master/DataConnectors/DocuSign-SecurityEvents
Note: The DocuSign Integration Key, DocuSign Admin User GUID, DocuSign Account API ID and Workspace Key values are stored as secrets in the <<FunctionAppName>><<uniqueid>>kv Azure Key Vault.
For complete instructions, please refer to README.md.
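As an added example of what the deployed function does behind the ARM template (this is illustration written for this page, not the connector's own code from the Azure-Sentinel repo), the Python below walks the DocuSign Monitor API stream by cursor and builds the signed request that the Log Analytics HTTP Data Collector API requires. The stream endpoint, the endCursor/data response shape, the canonical signing string and the _CL column suffix rules are as DocuSign and Microsoft document them; the sample pages, account GUID, workspace id, shared key and the choice of DocuSign's timestamp field as TimeGenerated are assumptions made here, and the JWT-authenticated HTTPS GET is replaced by an injected fetch function so everything runs offline.

```python
"""Added example (not the Azure-Sentinel connector's own code): page the DocuSign Monitor
API stream by cursor, then sign and post the batch to the Log Analytics HTTP Data
Collector API as the custom log behind DocuSignSecurityEvents_CL."""
import base64
import datetime
import hashlib
import hmac
import json
import re

# Production Monitor stream endpoint (demo accounts use lens-d.docusign.net).
MONITOR_STREAM_URL = "https://lens.docusign.net/api/v2.0/datasets/monitor/stream"
# Log Analytics appends _CL to the Log-Type header, giving DocuSignSecurityEvents_CL.
LOG_TYPE = "DocuSignSecurityEvents"
GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)
ISO_TS_RE = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}")


def pull_monitor_events(fetch_page, cursor="", limit=2000, max_pages=100):
    """Walk the Monitor stream from `cursor`.

    fetch_page(cursor, limit) returns the parsed JSON body of
    GET MONITOR_STREAM_URL?cursor=<cursor>&limit=<limit>, i.e. {"endCursor": ..., "data": [...]}.
    DocuSign marks the end of the stream by handing back the cursor it was given, so the
    loop stops there and returns the cursor the next run should persist and resume from.
    """
    events = []
    for _ in range(max_pages):
        page = fetch_page(cursor, limit)
        events.extend(page.get("data", []))
        end_cursor = page.get("endCursor", "")
        if not end_cursor or end_cursor == cursor:
            break
        cursor = end_cursor
    return events, cursor


def custom_log_column(name, value):
    """Column a JSON field gets in the _CL table: Log Analytics infers a type per field and
    suffixes the column (_b bool, _d number, _t datetime, _g GUID, _s string), which is why
    the rules later on this page read object_s, userId_s and accountId_g."""
    if isinstance(value, bool):
        return f"{name}_b"
    if isinstance(value, (int, float)):
        return f"{name}_d"
    if isinstance(value, str) and ISO_TS_RE.match(value):
        return f"{name}_t"
    if isinstance(value, str) and GUID_RE.match(value):
        return f"{name}_g"
    return f"{name}_s"


def canonical_string(method, content_length, content_type, rfc1123_date, resource="/api/logs"):
    """The exact string the Data Collector API expects to be signed."""
    return f"{method}\n{content_length}\n{content_type}\nx-ms-date:{rfc1123_date}\n{resource}"


def data_collector_signature(workspace_id, shared_key, rfc1123_date, content_length):
    """Authorization header: HMAC-SHA256 over the canonical string, keyed with the
    base64-decoded workspace shared key (the 'Workspace Key' secret in Key Vault)."""
    to_sign = canonical_string("POST", content_length, "application/json", rfc1123_date)
    digest = hmac.new(base64.b64decode(shared_key), to_sign.encode("utf-8"), hashlib.sha256).digest()
    return f"SharedKey {workspace_id}:{base64.b64encode(digest).decode()}"


def build_ingest_request(workspace_id, shared_key, events, rfc1123_date=None, log_type=LOG_TYPE):
    """Headers and body for POST https://<workspace_id>.ods.opinsights.azure.com/api/logs?api-version=2016-04-01
    Keep each batch under the API's 30 MB limit; split `events` before calling if needed."""
    body = json.dumps(events)
    date = rfc1123_date or datetime.datetime.now(datetime.timezone.utc).strftime("%a, %d %b %Y %H:%M:%S GMT")
    headers = {
        "Content-Type": "application/json",
        "Authorization": data_collector_signature(workspace_id, shared_key, date, len(body.encode("utf-8"))),
        "Log-Type": log_type,
        "x-ms-date": date,
        # Assumption: use DocuSign's own event time as TimeGenerated rather than ingestion time.
        "time-generated-field": "timestamp",
    }
    return headers, body


# Constructed sample data: two pages of events, then a page that echoes the cursor (end of stream).
ACCOUNT_ID = "5d7a2c0e-3b4f-4a1c-9e2d-1f0b6c8a7d3e"  # made-up account GUID
SAMPLE_PAGES = {
    "": {"endCursor": "cursor-1", "data": [{"timestamp": "2022-03-01T10:35:00Z", "accountId": ACCOUNT_ID,
         "userId": "user-a", "object": "User", "action": "Login", "field": "Status", "result": "Failed"}]},
    "cursor-1": {"endCursor": "cursor-2", "data": [{"timestamp": "2022-03-01T11:05:00Z", "accountId": ACCOUNT_ID,
         "userId": "admin-1", "object": "Organization", "action": "Initiated", "property": "BulkAccountsExport"}]},
    "cursor-2": {"endCursor": "cursor-2", "data": []},
}
SAMPLE_WORKSPACE_ID = "00000000-0000-0000-0000-000000000000"                 # made-up workspace id
SAMPLE_SHARED_KEY = base64.b64encode(b"constructed-not-a-real-key").decode()  # made-up key


def fake_fetch_page(cursor, limit):
    """Stand-in for the HTTPS GET (with the DocuSign JWT bearer token) against MONITOR_STREAM_URL."""
    return SAMPLE_PAGES[cursor]


if __name__ == "__main__":
    events, next_cursor = pull_monitor_events(fake_fetch_page)
    headers, body = build_ingest_request(SAMPLE_WORKSPACE_ID, SAMPLE_SHARED_KEY, events)
    print(len(events), "events; resume cursor:", next_cursor)
    print({k: custom_log_column(k, v) for k, v in events[0].items()})
    print(headers["Authorization"])
```

The cursor returned by `pull_monitor_events` is the piece of state the function must persist between runs (the connector keeps it in storage); losing it means re-reading the stream from the start and duplicating rows in the workspace. The shared key is only ever used to key the HMAC, so it should be read from Key Vault at run time and never logged.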
Security events that can be collected from DocuSign Monitor API
Once it has been deployed, the data connector collects DocuSign Monitor security events from your DocuSign organization. The complete list of all events that can be collected from DocuSign can be found here.
Example analytics rules using DocuSign event data
Once DocuSign security events are ingested into your Microsoft Sentinel Workspace, you can create a custom analytics rule with a scheduled query to help you discover threats and anomalous behaviors that may be present in your organization.
Below are some examples of analytics rules you could run against your ingested DocuSign data. Each query filters on TimeGenerated with ago(1h), so set the scheduled rule's lookback period to match and run it no less often than that, otherwise events that land between two runs are never examined. Keep in mind as well that the Azure Function polls the Monitor API on a schedule, so TimeGenerated lags the moment the event actually happened in DocuSign unless the connector maps DocuSign's own event timestamp onto it; size the window with that delay in mind.
Rule #1:
Description: User fails six or more login attempts in an hour.
DocuSignSecurityEvents_CL
| where TimeGenerated > ago(1h)
| where object_s == 'User'
| where action_s == 'Login'
| where field_s == 'Status'
| where result_s == 'Failed'
| summarize Attempts = count() by userId_s, accountId_g
| where Attempts >= 6
Rule #2:
Description: Admin initiates a bulk account export.
DocuSignSecurityEvents_CL
| where TimeGenerated > ago(1h)
| where object_s == 'Organization'
| where action_s == 'Initiated'
| where property_s == 'BulkAccountsExport'
Rule #3:
Description: Admin initiates a bulk user settings export.
DocuSignSecurityEvents_CL
| where TimeGenerated > ago(1h)
| where object_s == 'Organization'
| where action_s == 'Initiated'
| where property_s == 'BulkUsersExport'
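To show the three rules above doing their work outside a workspace, here is an added Python example (written for this page, not code from the post or the Azure-Sentinel repo) that re-expresses them over constructed DocuSign Monitor events. It uses the raw Monitor field names (object, action, field, result, property, userId, accountId) that Log Analytics exposes as object_s, action_s, field_s, result_s, property_s, userId_s and accountId_g, and it goes one step beyond the page's Rule #1 by adding a sliding-window variant that catches a burst of failures split across two hourly runs, which the fixed ago(1h) lookback alerts on in neither. The account GUID, user names and timestamps are all made up.

```python
"""Added example (not from the post): the page's three KQL rules as Python over
constructed DocuSign Monitor events, plus a sliding-window version of Rule #1."""
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_LOGIN = ("User", "Login", "Status", "Failed")     # object, action, field, result
BULK_EXPORTS = ("BulkAccountsExport", "BulkUsersExport")  # property values of Rules #2 and #3


def parse_ts(iso):
    """Monitor timestamps are ISO 8601 with a trailing Z."""
    return datetime.fromisoformat(iso.replace("Z", "+00:00"))


def _is_failed_login(e):
    return (e.get("object"), e.get("action"), e.get("field"), e.get("result")) == FAILED_LOGIN


def failed_logins_fixed(events, now_iso, threshold=6, window_hours=1):
    """Rule #1 exactly as written: failures per (userId, accountId) inside the fixed
    lookback (now - window, now], i.e. KQL's `TimeGenerated > ago(1h)`."""
    now, window = parse_ts(now_iso), timedelta(hours=window_hours)
    counts = defaultdict(int)
    for e in events:
        if _is_failed_login(e) and now - window < parse_ts(e["timestamp"]) <= now:
            counts[(e.get("userId"), e.get("accountId"))] += 1
    return {k: n for k, n in counts.items() if n >= threshold}


def failed_login_bursts(events, threshold=6, window_hours=1):
    """Rule #1 generalised to a sliding window: flag a user if any span shorter than
    `window_hours` holds >= threshold failures, regardless of when the rule runs."""
    window = timedelta(hours=window_hours)
    per_user = defaultdict(list)
    for e in events:
        if _is_failed_login(e):
            per_user[(e.get("userId"), e.get("accountId"))].append(parse_ts(e["timestamp"]))
    hits = {}
    for key, times in per_user.items():
        times.sort()
        start, best = 0, 0
        for end, t in enumerate(times):
            while t - times[start] >= window:  # drop failures that fell out of the window
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            hits[key] = best
    return hits


def bulk_exports(events, now_iso, window_hours=1, properties=BULK_EXPORTS):
    """Rules #2 and #3: Organization/Initiated events for a bulk export inside the lookback."""
    now, window = parse_ts(now_iso), timedelta(hours=window_hours)
    return [e for e in events
            if e.get("object") == "Organization" and e.get("action") == "Initiated"
            and e.get("property") in properties
            and now - window < parse_ts(e["timestamp"]) <= now]


# Constructed sample events (not real DocuSign data); ACCT is a made-up account GUID.
ACCT = "5d7a2c0e-3b4f-4a1c-9e2d-1f0b6c8a7d3e"


def _ev(ts, **fields):
    e = {"timestamp": ts, "accountId": ACCT, "userId": "", "object": "",
         "action": "", "field": "", "result": "", "property": ""}
    e.update(fields)
    return e


def _login(ts, user, result):
    return _ev(ts, userId=user, object="User", action="Login", field="Status", result=result)


SAMPLE_EVENTS = (
    # user-a: six failures between 10:35 and 11:20, straddling the 11:00 run boundary
    [_login(f"2022-03-01T10:{m:02d}:00Z", "user-a", "Failed") for m in (35, 41, 48, 52, 57)]
    + [_login("2022-03-01T11:20:00Z", "user-a", "Failed")]
    # user-b: only three failures; user-c: six successes (neither must match)
    + [_login(f"2022-03-01T10:{m:02d}:00Z", "user-b", "Failed") for m in (5, 6, 7)]
    + [_login(f"2022-03-01T10:{m:02d}:00Z", "user-c", "Success") for m in range(6)]
    + [_ev("2022-03-01T11:05:00Z", userId="admin-1", object="Organization",
           action="Initiated", property="BulkAccountsExport"),
       _ev("2022-03-01T09:00:00Z", userId="admin-1", object="Organization",
           action="Initiated", property="BulkUsersExport")]
)


if __name__ == "__main__":
    for run_at in ("2022-03-01T11:00:00Z", "2022-03-01T12:00:00Z"):
        print("hourly run at", run_at, "->", failed_logins_fixed(SAMPLE_EVENTS, run_at))
    print("sliding window ->", failed_login_bursts(SAMPLE_EVENTS))
    print("bulk exports ->", [(e["userId"], e["property"])
                              for e in bulk_exports(SAMPLE_EVENTS, "2022-03-01T11:30:00Z")])
```

Run hourly at 11:00 and again at 12:00, the fixed lookback sees five failures and then one, and never alerts on user-a, while the sliding window flags the six failures packed into 45 minutes. In Sentinel the equivalent fix is to give the scheduled rule a lookback longer than its run frequency (say, 2h lookback every hour) and use event grouping or the alert's entity mapping to suppress duplicate alerts for the same user.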
Summary
This post outlines the key components needed to ingest DocuSign security events into Azure Log Analytics using the DocuSign Monitor API. The DocuSign security events data connector helps protect your organization's electronic agreements with round-the-clock activity tracking. It provides near real-time visibility across your DocuSign organization's operations, which helps security teams detect potential threats, investigate incidents and respond decisively. Try it out, and let us know what you think!
We will continue developing and adding custom analytics rules and hunting queries for DocuSign security event data over time, so make sure you keep an eye on the Microsoft Sentinel GitHub repo. As always, if you have your own ideas for queries or detections, please feel free to contribute to the Microsoft Sentinel community.
Thanks to @Sarah_Young, @Cristhofer Munoz, @Chi Nguyen, and @Ofer_Shezaf for their input into this blog post.