
With cyberattacks proliferating every day, it’s essential to stay ahead of the challenges and mitigate risk. Security teams need to research trends so that they can protect their environment from persistent and ever-growing threats, phishing campaigns and other forms of cyberattack.



DocuSign allows organizations to manage electronic agreements. As part of the DocuSign Agreement Cloud, DocuSign offers eSignature, a way to sign documents electronically on different devices. As your DocuSign use cases continue to grow, the DocuSign Monitor API can be a powerful tool to bolster the integrity of your systems, reinforce company policies and help assure your customers that their sensitive data is in good hands.



In this blog, we will cover how to integrate Azure Sentinel with critical DocuSign security events so that you can stay on top of signs of intrusion or suspicious activity. The steps below walk through the Azure Sentinel data connector, which uses an Azure Function to pull DocuSign security events through the DocuSign Monitor API and ingest them into an Azure Log Analytics workspace.




Collecting events from the DocuSign Monitor API


This section explains how to get the activity tracking information for your organization by calling the DocuSign Monitor API endpoint.


[Figure: Architecture.png]


You can get the activity tracking information for your organization by calling the DocuSign Monitor API endpoint:

`https://<<ORG>>.docusign.net/api/v2.0/datasets/monitor/stream?cursor={{cursorValue}}&limit={{queryLimit}}`

Ex:

`https://lens.docusign.net/api/v2.0/datasets/monitor/stream?cursor=&limit=1000`


| Name | Description |
| --- | --- |
| cursor | A string query parameter that specifies the place in your monitoring data from which the request will begin gathering records. Your app can use cursor to keep its place while sifting through monitoring records, much as you might use a bookmark to keep your place while reading the chapters of a book. Whenever you successfully call the Monitor API endpoint, the response includes an endCursor value which you can use as the cursor for your next request, enabling you to chunk your downloads as you examine large numbers of event and alert records. Calls that do not specify a cursor begin retrieving records from the first event recorded. Not required. Defaults to 0. |
| limit | An Int32 query parameter that specifies the maximum number of records (up to 2000) to be returned in the response. Not required. Defaults to 1000. |



When you call the above endpoint, you can supply two query parameters, cursor (the `{{cursorValue}}` placeholder) and limit (the `{{queryLimit}}` placeholder), that determine the subset of the monitoring data returned in the response JSON.


After a successful call, a set of JSON event and alert records is returned, including an endCursor metadata property. 


API response example:

```json
{
    "endCursor": "aa_637383858077494473_637383857323373872_1",
    "data": [
        {
            "timestamp": "2020-10-15T19:08:52.3373872Z",
            "eventId": "8a977c98-xxxx-xxxx-xxxx-44b8149a905d",
            "site": "DEMO",
            "accountId": "692934c6-xxxx-xxxx-xxxx-5b0741b5dd7f",
            "organizationId": "",
            "userId": "524faa2d-xxxx-xxxx-xxxx-072d88c7effc",
            "integratorKey": "QTES-f79957b2-xxxx-xxxx-xxxx-80e57adfbb8e",
            "userAgent": "Faraday v0.15.3",
            "userAgentClientInfo": {
                "browser": {
                    "family": "Other",
                    "version": {}
                },
                "device": {
                    "family": "Other",
                    "brand": "",
                    "model": ""
                },
                "os": {
                    "family": "Other",
                    "version": {}
                }
            },
            "ipAddress": "162.xxx.xx.1",
            "ipAddressLocation": {
                "latitude": xx.74,
                "longitude": -xx.99,
                "country": "US",
                "state": "Colorado",
                "city": "Denver"
            },
            "object": "Account",
            "action": "Updated",
            "property": "SecurityPolicy",
            "field": "RecipientAuthenticationSettings",
            "result": "Optional",
            "data": {}
        }
    ]
}
```

| Name | Description |
| --- | --- |
| endCursor | A string value that marks the place in your monitoring data where this request ended. Use it as the cursor of your next query to continue retrieving records from that spot. |
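As an added illustration (not code from this post or from the Azure Sentinel connector), the following Python sketches the paging loop a collector runs against this endpoint: build one request, then follow endCursor page by page until nothing new arrives. The stop condition (a page with no records, or a cursor that no longer advances), the Bearer-token header and the sample pages are assumptions constructed for the example.

```python
from urllib.parse import urlencode

# Production Monitor stream endpoint from the post; demo accounts use a different host.
MONITOR_URL = "https://lens.docusign.net/api/v2.0/datasets/monitor/stream"
MAX_LIMIT = 2000  # the API returns at most 2000 records per call

def build_request(cursor, limit, token):
    """Return (url, headers) for one page of the Monitor stream. The OAuth access
    token is sent as a Bearer token; limit is clamped to the documented maximum."""
    query = urlencode({"cursor": cursor, "limit": min(max(limit, 1), MAX_LIMIT)})
    headers = {"Authorization": f"Bearer {token}", "Accept": "application/json"}
    return f"{MONITOR_URL}?{query}", headers

def collect_events(fetch_page, cursor="", limit=1000, max_pages=10):
    """Walk the stream from cursor, following endCursor page by page.

    fetch_page(cursor, limit) performs the HTTP call and returns the parsed JSON
    body. The loop stops when a page has no records or the cursor stops advancing
    (taken here to mean the stream is drained), or after max_pages so a scheduled
    run cannot spin forever. Returns (events, resume_cursor); the caller persists
    resume_cursor and passes it to the next run.
    """
    events = []
    for _ in range(max_pages):
        body = fetch_page(cursor, limit)
        data = body.get("data") or []
        end_cursor = body.get("endCursor") or cursor
        events.extend(data)
        if not data or end_cursor == cursor:
            break
        cursor = end_cursor
    return events, cursor

# Constructed sample pages keyed by the cursor that requests them (not real API output).
SAMPLE_PAGES = {
    "": {"endCursor": "c1", "data": [
        {"eventId": "evt-1", "object": "User", "action": "Login", "field": "Status", "result": "Failed"},
        {"eventId": "evt-2", "object": "Account", "action": "Updated", "property": "SecurityPolicy"}]},
    "c1": {"endCursor": "c2", "data": [
        {"eventId": "evt-3", "object": "Organization", "action": "Initiated", "property": "BulkUsersExport"}]},
    "c2": {"endCursor": "c2", "data": []},  # nothing new yet: the cursor does not advance
}

def fake_fetch(cursor, limit):
    """Offline stand-in for the HTTP call, serving SAMPLE_PAGES."""
    return SAMPLE_PAGES[cursor]

if __name__ == "__main__":
    events, resume = collect_events(fake_fetch)
    print(f"{len(events)} events collected; resume from cursor {resume!r}")
```

In the connector the resume cursor is what has to survive between timer runs; if it is lost, the next run starts again from the first recorded event and re-ingests duplicates.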



 


Deploying the DocuSign connector


This section explains how to use the ARM template to deploy the data connector that ingests DocuSign security events into an Azure Log Analytics workspace.


To access the ARM template, navigate to https://github.com/Azure/Azure-Sentinel/tree/master/DataConnectors/DocuSign-SecurityEvents



  1. Click the Deploy to Azure button.

  2. Enter values for the following parameters:




    • “DocuSignOAuthAccessToken”: This is the DocuSign OAuth Token

    • “Workspace Id”: Azure Log Analytics Workspace Id​

    • “Workspace Key”: Azure Log Analytics Workspace Key

    • “CustomLogTableName”: Azure Log Analytics Custom Log Table Name

    • “Function Schedule”: The `TimerTrigger` makes it incredibly easy to have your functions executed on a schedule. The default **Time Interval** is set to pull the last ten (10) minutes of data.



Note: The DocuSignOAuthAccessToken and Workspace Key values are stored as secrets in the docusignkv<<uniqueid>> Azure Key Vault rather than in the Function App configuration.


[Figure: ARMTemplate.gif]


For complete instructions, please refer to the README.md in the connector's repository folder.


Security events that can be collected from DocuSign Monitor API


Once it has been deployed, the data connector will be able to collect the following events from your DocuSign organization:


Ex:



  • Account administrator added.

  • Account password rules updated.

  • Account user deleted.


[Figure: Docusign_table.gif]


The complete list of all events that can be collected from DocuSign can be found here.


Example analytics rules using DocuSign event data


Once DocuSign security events are ingested into your Azure Sentinel Workspace, you can create a custom analytics rule with a scheduled query to help you discover threats and anomalous behaviors that may be present in your organization.


Below are some examples of analytics rules you could run against your ingested DocuSign data:


Rule #1:


Description: User fails six or more login attempts in an hour


```kusto
DocuSignSecurityEvents_CL
| where TimeGenerated > ago(1h)
| where object_s == 'User'
| where action_s == 'Login'
| where field_s == 'Status'
| where result_s == 'Failed'
| summarize Attempts = count() by userId_s, accountId_g
| where Attempts >= 6
```


Rule #2:


Description: Admin initiates a bulk account export


```kusto
DocuSignSecurityEvents_CL
| where TimeGenerated > ago(1h)
| where object_s == 'Organization'
| where action_s == 'Initiated'
| where property_s == 'BulkAccountsExport'
```


Rule #3:


Description: When a bulk user settings export is initiated


```kusto
DocuSignSecurityEvents_CL
| where TimeGenerated > ago(1h)
| where object_s == 'Organization'
| where action_s == 'Initiated'
| where property_s == 'BulkUsersExport'
```


Summary


This post outlines the key components needed to ingest DocuSign security events into Azure Log Analytics using the DocuSign Monitor API. The DocuSign security events data connector helps protect your organization’s electronic agreements with round-the-clock activity tracking and provides near real-time visibility across your DocuSign organization operations, helping security teams detect potential threats, investigate incidents and respond decisively. Try it out, and let us know what you think!


We will continue to develop and add custom analytics rules and hunting queries for DocuSign security event data over time, so keep an eye on the Azure Sentinel GitHub repo. As always, if you have your own ideas for queries or detections, please feel free to contribute to the Azure Sentinel community.


 


With thanks to @Sarah_Young, @Cristhofer Munoz and @Chi_Nguyen for their input into this blog post.
