Microsoft Sentinel Integration

Audit logging of user activity on the DekkoSecure platform can be fed automatically to Log Analytics in Azure Monitor for analysis and, by extension, to Microsoft Sentinel. Integration is per-Tenancy, so if you use more than one Tenancy, connectivity needs to be established for each.

 

Example of a query of DekkoSecure activity in Log Analytics (screenshot not reproduced here)

Options for Sentinel Integration

Logging data scope

The event types fed to Log Analytics are similar to those shown in the in-app log, with some additional events such as Tenancy policy updates and user authentication:

  • File sharing
    Events: File uploaded, File shared, File sharing stopped, File viewed, File downloaded, File signature request, File signed, File status updated, File renamed, File deleted
    Notes: Includes file names in extended logging (see below)
  • Mail
    Events: Message sent, Message read, Message revoked, Message deleted
  • Chat
    Events: Message sent, Message read, Message deleted
  • Hubs
    Events: Hub created, Hub admin updated, Hub deleted
  • Tenancy
    Events: Tenancy admin updated, Tenancy policy updated, Tenancy setting updated
  • Users
    Events: User login (incl. IP address), User logout, User authentication failure (incl. IP address), User added to Hub, User password changed, User removed from Hub
    Notes: User authentication events are for non-SSO users only. Correlate DekkoSecure logs with your AAD/Entra ID logs for SSO users.
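As an added example of the kind of query the screenshot at the top of this article illustrates (this is not DekkoSecure's own query), the KQL below turns the "User authentication failure" and "User login" events from the table into a simple detection: bursts of failed logins from one source IP, grouped per Tenancy, with the successful logins from the same IP in the same window shown alongside. The table name DekkoSecureAudit_CL and the column names TenancyId, EventName, UserEmail and SourceIp are assumptions; substitute the names printed by the setup script for your workspace.

```kql
// Added example, not from the DekkoSecure article. Table and column names are
// assumptions: replace them with the names printed by the setup script.
//   DekkoSecureAudit_CL : TimeGenerated, TenancyId, EventName, UserEmail, SourceIp
let lookback  = 24h;   // how far back to search
let window    = 10m;   // aggregation window
let threshold = 5;     // failures per IP per window that produce a row
DekkoSecureAudit_CL
| where TimeGenerated > ago(lookback)
// Non-SSO users only (see the table above); SSO sign-in failures are in Entra ID SigninLogs.
| where EventName == "User authentication failure"
| where isnotempty(SourceIp)
| summarize
    Failures       = count(),
    TargetAccounts = make_set(UserEmail, 20),
    FirstSeen      = min(TimeGenerated),
    LastSeen       = max(TimeGenerated)
    by TenancyId, SourceIp, WindowStart = bin(TimeGenerated, window)
| where Failures >= threshold
// Show whether the same IP also logged in successfully in the same window,
// which is the row an analyst wants to look at first.
| join kind=leftouter (
    DekkoSecureAudit_CL
    | where TimeGenerated > ago(lookback)
    | where EventName == "User login"
    | summarize SuccessfulLogins = count()
        by TenancyId, SourceIp, WindowStart = bin(TimeGenerated, window)
  ) on TenancyId, SourceIp, WindowStart
| extend SuccessfulLogins = coalesce(SuccessfulLogins, 0)
| project WindowStart, TenancyId, SourceIp, Failures, SuccessfulLogins,
          TargetAccounts, FirstSeen, LastSeen
| order by SuccessfulLogins desc, Failures desc
```

Run it ad hoc in Log Analytics first to tune lookback, window and threshold against your normal traffic, then save it as a scheduled analytics rule in Sentinel. Because the Tenancy ID is part of the group-by, the same rule works unchanged whether one or several DekkoSecure Tenancies feed the workspace.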

Standard

The standard logging option sends user activity metadata to Log Analytics via a validation utility. File names are not included.


Extended

The extended logging option adds file names to the audit logs; these are sent, together with the user activity metadata, to Log Analytics via a validation utility. The query screenshot at the beginning of this article is an example of extended logging.


The path to integration

Ultimately, the connectivity and authentication information needs to be entered into the Microsoft Sentinel section under the Integrations tab in the Tenancy Manager:

  • LogsIngestionUri: Your Log Analytics Workspace URL.
  • TenantId: Your Azure Tenant ID.
  • AppId: Your Entra app ID.
  • ProxyUri: We’ll send this to you during the setup phase.
  • appSecret: Obtained during the setup phase. You can update this later (using the Setup appSecret button) if the secret changes.
  • Stream Rule Pairs: Obtained during the setup phase.

 

Here’s an example of how an integration exercise will typically run:

  1. The DekkoSecure account team will work with you to determine whether you require standard or extended logging. If you choose extended, we’ll do some extra steps to prepare our infrastructure for the integration before proceeding.
  2. Log Analytics Workspace preparation in your development environment.
  3. We’ll send you two scripts:
     i) sets up the integration with the development LAW and prints useful reference information for later;
     ii) generates the development Stream Rule Pairs.
  4. Send the outputs of each development environment script to us. We’ll review them to make sure everything is as expected.
  5. Connectivity and authentication information for the dev LAW entered into your Tenancy Manager dashboard(s).
  6. Testing.
  7. Testing sign off.
  8. Log Analytics Workspace preparation in your production environment.
  9. Re-run the scripts:
     i) sets up the integration with the production LAW and prints useful reference information for later;
     ii) generates the production Stream Rule Pairs.
  10. Send the outputs of each production environment script to us. We’ll review them to make sure everything is as expected.
  11. Connectivity and authentication information for the dev LAW entered into your Tenancy Manager dashboard(s).
  12. Testing.
  13. Final sign off.

FAQ

Can we do a test integration with a dev tenant before going to production?

Yes, this is a preferred strategy. DekkoSecure also recommends only transacting dummy data in-app during the testing phase.

 

Our org has multiple DekkoSecure Tenancies and/or multiple LAW tenancies… can everything be separate/combined?

Yes -

  • For multiple DekkoSecure Tenancies feeding one workspace, the setup scripts are run once, and the same integration information is entered into each of your Tenancies.
    • Note: log events contain the Tenancy ID the log belongs to, so LAW queries can filter per Tenancy.
  • For multiple DekkoSecure Tenancies feeding multiple workspaces, the setup scripts are run once for each workspace. The unique integration information for each integration is entered into each of your Tenancies.
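An added example (not DekkoSecure's own code) of the per-Tenancy filtering mentioned in the note above, applied to a shared workspace: the query scopes to one Tenancy ID and then looks for a single user downloading an unusually large number of distinct files in a short window, which is only possible with extended logging because that is the option that carries file names. The table name DekkoSecureAudit_CL, the columns TenancyId, EventName, UserEmail and FileName, and the Tenancy ID placeholder are all assumptions to be replaced with your own values.

```kql
// Added example, not from the DekkoSecure article. Assumed table/columns
// (replace with the names from your setup script output):
//   DekkoSecureAudit_CL : TimeGenerated, TenancyId, EventName, UserEmail, FileName
// FileName is only populated when extended logging is enabled.
let tenancy   = "<your-dekkosecure-tenancy-id>";  // placeholder: one Tenancy in a shared workspace
let window    = 15m;
let threshold = 20;   // distinct files downloaded per user per window
DekkoSecureAudit_CL
| where TimeGenerated > ago(7d)
| where TenancyId == tenancy            // scope to one Tenancy; drop this line to cover all of them
| where EventName == "File downloaded"
| summarize
    Downloads     = count(),
    DistinctFiles = dcount(FileName),
    SampleFiles   = make_set(FileName, 10)
    by TenancyId, UserEmail, WindowStart = bin(TimeGenerated, window)
| where DistinctFiles >= threshold
| order by DistinctFiles desc
```

Under standard logging FileName is absent, so dcount(FileName) is meaningless; in that case compare Downloads against the threshold instead and accept that repeated downloads of one file and downloads of many files look the same.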
 

Can data be sent to Log Analytics using a Private Link?

Yes. In this case, we will provide the requisite information required to construct the link. Please note that the use of a Private Link may incur additional costs on your Azure subscription. Depending on how your infrastructure is configured, we might need to spend some extra time working with you to understand your network(s) and customisation to ensure compatibility.

 

Can we restrict IP addresses/ranges for ingest?

Yes, but please note that the Azure-based DekkoSecure infrastructure is triple-redundant, meaning IP addresses are subject to change without notice as a result of a failover event or if Microsoft makes an adjustment to networking (which is beyond our control).

 

What do we do if the app secret renews?

Press the Setup AppSecret button, enter the new secret, and then press Save.

 

How can we send sensitive information about our systems to you?

Via the DekkoSecure application, of course! If setup takes place before we roll the service out to your organisation, we can send you an invite for any preliminary information sharing that is of a sensitive nature.

 

My organisation’s security policies are very restrictive - can you work with us to make an integration work?

Yes, the DekkoSecure team has extensive experience working with all kinds of weird and wonderful system restrictions, controls and configurations.
