Docusign Logs (Beta)

Panther supports ingesting Docusign Connect webhook events

Overview

The Docusign logs integration is in open beta starting with Panther version 1.115, and is available to all customers. Please share any bug reports and feature requests with your Panther support team.

Panther supports ingesting Docusign Connect webhook events through HTTP. Docusign Connect allows you to configure webhooks that notify external applications like Panther when specific events in your eSignature workflows occur.

Docusign Connect webhooks can provide real-time notifications about various entities, e.g. envelopes (being sent, delivered, completed, or voided), recipients, templates, indentity verifications, and more. See a full list of available event triggers here.

You can the Docusign logs integration in Panther to:

Detect unauthorized access and fraud: Track failed authentication attempts, suspicious recipient behavior, unusual signing patterns, and unexpected envelope modifications
Monitor template security: Monitor creation, modification, or deletion of document templates
Monitor account activity: Track administrative actions and configuration changes

Docusign event triggers commonly used for security monitoring

The following event triggers are commonly used for security monitoring:

recipient-authentication-failure: Authentication failures
envelope-voided: Envelope cancellations (potential fraud)
envelope-corrected: Document corrections (potential tampering)
template-created, template-modified, template-deleted: Template changes
recipient-declined: Document refusals

How to onboard Docusign logs to Panther

Prerequisite

To configure Docusign Connect webhooks, you must have administrative privileges in your Docusign account. See the Docusign Connect documentation for more information.

Step 1: Create a new Docusign source in Panther

In the left-hand navigation bar of your Panther Console, click Configure > Log Sources.
Click Create New.
Search for "Docusign," then click its tile.
Click Start Setup.\
Follow Panther's instructions for configuring an HTTP Source, beginning at Step 5.
- During setup, for the Auth method, you will be required to use either Basic Authentication or HMAC.
  - If you select HMAC, for Header Name, enter X-Docusign-Signature-1. Learn more about using HMAC for Connect webhooks here.
- Save the authentication details you configure, as you'll need them in the next step, when setting up the webhook in Docusign.
- Payloads sent to this source are subject to the payload requirements for all HTTP sources.
- Do not proceed to the next step until the creation of your HTTP endpoint has completed.

Step 2: Configure a Docusign Connect webhook

Configure a Docusign Connect webhook by following the steps below. If you need extra support during this process, please see the Docusign Create a Connect Configuration documentation.

Log in to your Docusign account as an administrator.
In the navigation bar, click Integrations > Connect.
Click Add Configuration > Custom.
Configure the webhook Connect fields:
- Name: Enter a descriptive name, e.g., Panther Security Integration.
- URL to Publish: Enter the HTTP Source URL you generated in Panther in Step 1.
- Trigger Events: Select the event triggers you want to monitor.
  - Include Data: For each category, select the fields you'd like to be included in the events sent to Panther. Learn about these fields in this Docusign documentation.

For Envelope and Recipient events, it's recommended to leave Documents and Attachments unchecked. This helps to reduce payload size, which can prevent potential event delivery delays. Learn more about how to retrieve documents via the eSignature API instead here.

Include HMAC Signature: Check this if you used HMAC authentication in Panther in Step 1.
- In the 1. field, enter the HMAC Header Name you entered in Panther in Step 1. Docusign will send this value associated to the X-Docusign-Signature-1 header.
- Learn more in the Docusign Using HMAC Security with Docusign Connect documentation.
- Include Basic Authentication Header: Check this if you used basic authentication in Panther in Step 1.
User Name: Enter the Username you entered in Panther in Step 1.
Password: Enter the Password you entered in Panther in Step 1.

Click Add configuration.

Supported log types

Docusign.Connect

Docusign Connect webhook events that notify about envelope status changes, recipient actions, document workflow updates, and more.

Reference: Docusign Connect JSON SIM Event Model

schema: Docusign.Connect
description: Docusign Connect webhook events that notify about envelope status changes, recipient actions, and document workflow updates
referenceURL: https://developers.docusign.com/platform/webhooks/connect/json-sim-event-model
fields:
  - name: event
    required: true
    description: The type of event that triggered the webhook (e.g., recipient-sent, envelope-completed).
    type: string
  - name: uri
    description: The REST API URI for the envelope resource.
    type: string
  - name: retryCount
    description: Number of retry attempts for this webhook delivery.
    type: string
  - name: configurationId
    description: The Connect configuration ID that generated this webhook.
    type: string
  - name: apiVersion
    description: The Docusign API version used for this event.
    type: string
  - name: generatedDateTime
    required: true
    description: When the event was generated by Docusign.
    type: timestamp
    timeFormats:
      - rfc3339
    isEventTime: true
  - name: data
    required: true
    description: The main event data containing event information.
    type: object
    fields:
      - name: accountId
        description: Identifies the sender's account or, for Recipient Connect, identifies the recipient's account.
        type: string
        indicators:
          - trace_id
      - name: userId
        description: The related User ID with the event
        type: string
        indicators:
          - trace_id
      - name: recipientId
        description: The recipient id related to this event
        type: string
        indicators:
          - trace_id
      - name: envelopeId
        description: Identifies the envelope involved in the event.
        type: string
        indicators:
          - trace_id
      - name: name
        description: The name of the related template event or the name of the person who the envelope is reassigned to.
        type: string
      - name: email
        description: The email address of the person who the envelope is reassigned to.
        type: string
        indicators:
          - email
      - name: routingOrder
        description: The routing order of the person who the envelope is reassigned to.
        type: string
      - name: created
        description: The UTC date and time when the template was created/edited/deleted.
        type: timestamp
        timeFormats:
          - rfc3339
      - name: templateId
        description: The template ID that was created/edited/deleted.
        type: string
        indicators:
          - trace_id
      - name: clickwrapId
        description: Identifies the elastic template that was agreed or declined.
        type: string
        indicators:
          - trace_id
      - name: agreementId
        description: Identifies the agreement within the elastic template.
        type: string
        indicators:
          - trace_id

Custom detection patterns

When writing custom detections for Docusign, you can use these common patterns:

# Check for specific event types
event_type = event.get('event')

# Monitor for authentication failures
if event_type == 'recipient-authentication-failure':
    return True
    
# Monitor for envelope voiding (potential fraud indicator)  
if event_type == 'envelope-voided':
    return True

# Access envelope and sender/recipient data
envelope_id = deep_get(event, 'data', 'envelopeId')
account_id = deep_get(event, 'data', 'accountId')

Querying Docusign logs

To query Docusign logs in Data Explorer:

-- View recent Docusign events
SELECT event, generatedDateTime, data:envelopeId, data:email
FROM panther_logs.docusign_connect
WHERE p_occurs_since('1 day')
ORDER BY p_event_time DESC;

-- Monitor authentication failures
SELECT *
FROM panther_logs.docusign_connect  
WHERE event = 'recipient-authentication-failure'
  AND p_occurs_since('7 days')
ORDER BY p_event_time DESC;

-- Track envelope status changes
SELECT event, data:envelopeId, data:accountId, generatedDateTime
FROM panther_logs.docusign_connect
WHERE event LIKE 'envelope-%'
  AND p_occurs_since('1 day')
ORDER BY generatedDateTime DESC;

PreviousDocker Logs NextDropbox Logs

Last updated 1 month ago

Was this helpful?