DocuSign Monitor Solution for Microsoft Sentinel
The DocuSign Monitor solution for Microsoft Sentinel is a SaaS-application domain solution that enables organizations to gain better visibility into their DocuSign organization and accounts and to receive security alerts via DocuSign Monitor.
Inspiration
DocuSign is a pioneer of e-signature technology and currently one of the most widely used solutions, touting over 1 billion users (https://investor.docusign.com/investors/home/default.aspx) and most of the top Fortune 500 companies as of 2021. DocuSign Monitor is a new solution that helps organizations gain visibility into their DocuSign organization and accounts to better protect their agreements.
Since DocuSign Monitor enables previously unavailable visibility into something so widely used for a basic business function, I felt that it would be a good candidate to develop a solution to bring this data into Microsoft Sentinel.
What's included
- A custom data connector ingests data from the DocuSign Monitor API. The connector pulls in all events currently made available through Monitor.
- A workbook which helps visualize usage of the DocuSign organization and accounts, as well as alert history
- Analytics rules which fire based on pre-defined alerts within DocuSign Monitor
- A Hunting Query that can help identify anomalous activity
How I built it
- The data connector was created using Python and follows a typical approach to ingesting data into a Log Analytics workspace custom table
- The connector follows the required JSON Web Token Grant authentication flow, as per DocuSign Monitor documentation (https://developers.docusign.com/docs/monitor-api/monitor101/auth/)
- Analytics rules were created to generate Sentinel incidents based on DocuSign Monitor alerts
- I created a custom workbook that visualized metric data, such as alerts per day, document downloads based on GeoIP information, etc.
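
The ingestion step described in the list above, as an added example that is not the project's own code. It assumes the "typical approach" is the Log Analytics HTTP Data Collector API with SharedKey signing; the table name `DocuSignMonitor`, the workspace ID, the key and the sample event are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json
import re
from email.utils import formatdate

API_PATH = "/api/logs"
MAX_BODY_BYTES = 30 * 1024 * 1024  # per-request limit of the Data Collector API

def build_signature(workspace_id, shared_key, date, content_length):
    """Return the SharedKey Authorization header value for one POST."""
    string_to_sign = (f"POST\n{content_length}\napplication/json\n"
                      f"x-ms-date:{date}\n{API_PATH}")
    key = base64.b64decode(shared_key)  # workspace key is stored base64-encoded
    digest = hmac.new(key, string_to_sign.encode("utf-8"), hashlib.sha256).digest()
    return f"SharedKey {workspace_id}:{base64.b64encode(digest).decode()}"

def build_request(workspace_id, shared_key, log_type, events, date=None):
    """Build (url, headers, body) for one batch of events; nothing is sent."""
    if not re.fullmatch(r"[A-Za-z0-9_]{1,100}", log_type):
        raise ValueError("Log-Type allows only letters, digits and underscore")
    body = json.dumps(events).encode("utf-8")
    if len(body) > MAX_BODY_BYTES:
        raise ValueError("batch exceeds 30 MB; split it before posting")
    date = date or formatdate(usegmt=True)  # RFC 1123 date, must match the header
    headers = {
        "Content-Type": "application/json",
        "Authorization": build_signature(workspace_id, shared_key, date, len(body)),
        "Log-Type": log_type,  # records land in the <log_type>_CL custom table
        "x-ms-date": date,
    }
    url = (f"https://{workspace_id}.ods.opinsights.azure.com"
           f"{API_PATH}?api-version=2016-04-01")
    return url, headers, body

# Constructed sample values: placeholder workspace, throwaway key, invented event.
WORKSPACE_ID = "00000000-0000-0000-0000-000000000000"
SHARED_KEY = base64.b64encode(b"constructed-key-not-a-real-secret").decode()
SAMPLE_EVENTS = [{"timestamp": "2021-10-04T12:00:00Z", "action": "Downloaded",
                  "object": "Envelope", "ipAddress": "203.0.113.10"}]

if __name__ == "__main__":
    url, headers, body = build_request(WORKSPACE_ID, SHARED_KEY,
                                       "DocuSignMonitor", SAMPLE_EVENTS)
    print(url)
    print({k: v for k, v in headers.items() if k != "Authorization"})
```

The signature covers the body length and the `x-ms-date` value, so both must be computed from the exact bytes and header that are sent.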
Challenges I ran into
This was the first time I've developed a full Sentinel solution. Having worked with Sentinel for about 1 full year, getting familiar with setting up my local environment for development and working with ARM templates was a bit challenging.
What I learned
Overall I feel I have a better grasp on how to build a full solution for Sentinel and prepare it for wider deployment. This was my first time putting together a full ARM template, and I now feel much more confident in creating new templates going forward.
