This article is contributed. See the original author and article here.

With the proliferation of cyberattacks continuing to grow every day, it’s essential to stay ahead of the challenges and mitigate risk. It is important for security teams to research trends, so that they can protect their environment from the persistent and ever-growing threats, phishing campaigns and other forms of cyberattacks.

DocuSign allows organizations to manage electronic agreements. As part of the DocuSign Agreement Cloud, DocuSign offers eSignature, a way to sign documents electronically on different devices. As your DocuSign use cases continue to grow, the DocuSign Monitor API can be a powerful tool to bolster the integrity of your systems, reinforce company policies and help assure your customers that their sensitive data is in good hands.

In this blog, we will cover the process to integrate Azure Sentinel with critical DocuSign security events to stay on top of signs of intrusion or suspicious activity. The steps below will demonstrate the process to collect for Azure Sentinel which uses an Azure Function to pull DocuSign security events using the DocuSign Monitor API and ingests them into an Azure Log Analytics workspace.


Collecting events from the DocuSign Monitor API

This section explains how to get the activity tracking information for your organization by calling the DocuSign Monitor API endpoint.


You can get the activity tracking information for your organization by calling the DocuSign Monitor API endpoint:








A string query parameter that specifies the place in your monitoring data from which the request will begin gathering records. Your app can use cursor to keep its place while sifting through monitoring records in a way like how you might use a bookmark to keep your place while reading chapters of a book.
Whenever you successfully call the monitor API endpoint, the response will include an endCursor value which you can use to create the cursor for your next request, enabling you to chunk your downloads as you examine large numbers of event and alert records.
Calls that do not specify a cursor will begin retrieving records from the first event recorded.
Not required. Defaults to 0.


An Int32 query parameter that specifies the maximum number of records (up to 2000) to be returned in the response.
Not required. Defaults to 1000.

When you call the above endpoint, you can supply two parameters, cursorValue and queryLimit, that determine the subset of the monitoring data that will be returned in response JSON.

After a successful call, a set of JSON event and alert records is returned, including an endCursor metadata property. 

API response example:




    "endCursor": "aa_637383858077494473_637383857323373872_1",
    "data": [
            "timestamp": "2020-10-15T19:08:52.3373872Z",
            "eventId": "8a977c98-xxxx-xxxx-xxxx-44b8149a905d",
            "site": "DEMO",
            "accountId": "692934c6-xxxx-xxxx-xxxx-5b0741b5dd7f",
            "organizationId": "",
            "userId": "524faa2d-xxxx-xxxx-xxxx-072d88c7effc",
            "integratorKey": "QTES-f79957b2-xxxx-xxxx-xxxx-80e57adfbb8e",
            "userAgent": "Faraday v0.15.3",
            "userAgentClientInfo": {
                "browser": {
                    "family": "Other",
                    "version": {}
                "device": {
                    "family": "Other",
                    "brand": "",
                    "model": ""
                "os": {
                    "family": "Other",
                    "version": {}
            "ipAddress": "",
            "ipAddressLocation": {
                "latitude": xx.74,
                "longitude": -xx.99,
                "country": "US",
                "state": "Colorado",
                "city": "Denver"
            "object": "Account",
            "action": "Updated",
            "property": "SecurityPolicy",
            "field": "RecipientAuthenticationSettings",
            "result": "Optional",
            "data": {}









A string value that specifies the place in your monitoring data from which your next request can begin to continue getting records data from the place this request ended.
Use the value of endCursor to begin your next query from this spot in your records.


Deploying the DocuSign connector

This section explains how to use the ARM template to deploy the data connector to ingest DocuSign security events into Azure Log Analytics Workspace

To access the ARM template, navigate to

  1. Click the Deploy to Azure Button

  2. Enter values for the following parameters

    • “DocuSignOAuthAccessToken”: This is the DocuSign OAuth Token

    • “Workspace Id”: Azure Log Analytics Workspace Id​

    • “Workspace Key”: Azure Log Analytics Workspace Key

    • “CustomLogTableName”: Azure Log Analytics Custom Log Table Name

    • “Function Schedule”: The `TimerTrigger` makes it incredibly easy to have your functions executed on a schedule. The default **Time Interval** is set to pull the last ten (10) minutes of data.

Note: DocuSignOAuthAccessToken and Workspace Key values will be placed as “Secrets” in the docusignkv<<uniqueid>> Azure KeyVault




For complete instructions, please refer to

Security events that can be collected from DocuSign Monitor API

Once it has been deployed, the data connector will be able to collect the following events from your DocuSign organization:


  • Account administrator added.

  • Account password rules updated.

  • Account user deleted.


The complete list of all events that can be collected from DocuSign can be found here

Example analytics rules using DocuSign event data

Once DocuSign security events are ingested into your Azure Sentinel Workspace, you can create a custom analytics rule with a scheduled query to help you discover threats and anomalous behaviors that may be present in your organization.

Below are some examples of analytics rules you could run against your ingested DocuSign data:

Rule #1:

Description: User fails six or more login attempts in an hour




| where TimeGenerated > ago(1h)
| where object_s == 'User'
| where action_s == 'Login'
| where field_s == 'Status'
| where result_s == 'Failed'
| summarize Attempts = count() by userId_s, accountId_g
| where Attempts >= 6





Rule #2:

Description: Admin initiates a bulk account export




| where TimeGenerated > ago(1h)
| where object_s == 'Organization'
| where action_s == 'Initiated'
| where property_s == 'BulkAccountsExport'





Rule #3:

Description: When a bulk user settings export is initiated





| where TimeGenerated > ago(1h)
| where object_s == 'Organization'
| where action_s == 'Initiated'
| where property_s == 'BulkUsersExport'







This post outline the key components that are necessary to ingest DocuSign security events to Azure Log Analytics using DocuSign Monitor API. The DocuSign security events data connector helps to protect your organization’s electronic agreements with round-the-clock activity tracking and provides near real-time visibility across your DocuSign organization operations which helps security teams to detect potential threats, investigate incidents and respond decisively. Try it out, and let us know what you think!

We will be continuing to develop and add custom analytics rules and hunting queries for DocuSign security event data over time so make sure you keep an eye on Azure Sentinel GitHub repo.  As always if you have your own ideas for queries or detections please feel free to contribute to the Azure Sentinel community.


With thanks to @Sarah_Young@Cristhofer Munoz and @Chi_Nguyen for their input into this blog post.

Brought to you by Dr. Ware, Microsoft Office 365 Silver Partner, Charleston SC.

%d bloggers like this: