Microsoft Sentinel integration is available for organizations with Password Management or Credential Protection.
With our Microsoft Sentinel integration, you can track how your team members use Dashlane. When you turn on the integration for your team, we send your activity logs automatically to Microsoft Sentinel.
Microsoft Sentinel is a security information and event management (SIEM) tool that allows you to monitor team activity in real time. You can search and filter events like added devices, login sharing, and invitations to your Dashlane plan. You can also set up alerts for specific events, like when someone shares a login.
Set up the Microsoft Sentinel integration
Process overview
Step 1: Create the App registration
- Log in to Azure portal and go to Microsoft Entra ID, Manage, App registrations, New registration.
- Select the name of your app (Like Dashlane_Sentinel). Copy your Tenant ID and Client ID (Overview tab).
- After this, access Manage, Certificates & secrets, select New Client Secret, and give it a name. Copy the Client Secret value.
-
Open the Admin Console in Dashlane. Select Integrations, then Events Reporting, and select Set up in the Microsoft Sentinel section. Paste the values you copied there. The Tenant ID, Client ID, and Client secret.
Step 2: Create the App registration
- In the Azure portal, select Monitor, Settings, Data Collection Endpoints, Create.
- Insert Endpoint Name, and use the same naming convention for consistency (Dashlane_Sentinel).
- Choose the Resource Group and for the Region, select the region, and ensure you choose the same region for the other steps.
- In Overview, copy the Logs Ingestion value and paste it in the respective field in the Admin Console.
Step 3: Create your workspace in the same zone as your DCE
- In Azure, go to Log Analytics workspaces and create your workspace in the same zone as your DCE (Data Collection Endpoints).
Step 4: Create your Data Collection Rule (DCR)
-
In the Log Analytics workspaces, open your workspace and go to Settings, Tables and select Create.
- When creating the custom log, insert the Table name, it must include the
Custom-prefix and end with the_CLsuffix. After this select Analytics. - For the Data collection endpoint, select the DCE previously created and ensure it's in the same zone.
-
Select create a new data collection rule, and use the same naming convention.
-
Select Next, and copy and paste your script.
We recommend selecting the OCSF script to immediately standardize logs in Microsoft Sentinel:
Dashlane OCSF event script
[ { "category_uid": 3, "category_name": "Identity & Access Management", "class_uid": 3002, "class_name": "Authentication", "activity_id": 1, "activity_name": "Logon", "type_uid": 300201, "time": 1717920000000, "severity_id": 1, "severity": "Informational", "status_id": 1, "status": "Success", "message": "john.doe@example.com: Successful login", "metadata": { "version": "1.7.0", "log_name": "Dashlane Audit Log", "tenant_uid": "00000000-0000-0000-0000-000000000000", "product": { "name": "Dashlane", "vendor_name": "Dashlane", "version": "6.24.0" } }, "observables": [ { "type": "IP Address", "type_id": 1, "value": "192.168.1.50", "name": "src_endpoint.ip" }, { "type": "Email Address", "type_id": 3, "value": "john.doe@example.com", "name": "user.email_addr" } ], "actor": { "user": { "email_addr": "john.doe@example.com", "type_id": 1, "type": "User" } }, "src_endpoint": { "ip": "192.168.1.50", "type": "Laptop", "type_id": 1, "uid": "dev-123", "name": "John's MacBook", "os": { "name": "macOS", "type": "macOS", "type_id": 100, "version": "14.0" }, "location": { "city": "Paris", "country": "FR", "region": "Ile-de-France", "lat": 48.8566, "long": 2.3522 } }, "unmapped": { "dashlane": { "ref": { "uuid": "123e4567-e89b-12d3-a456-426614174000", "log_type": "login", "category": "authentication", "schema_version": "1.0" }, "device": { "device_name": "John's MacBook", "device_platform": "macOS" } } } } ]Dashlane event script
{ "team_uuid": "<string: team_uuid>", "schema_version": "1.0.0", "uuid": "<string: log_unique_uuid>", "log_type": "nitro_siem_edited", "date_time": 1700000000000, "category": "team_settings_siem", "author_client": { "platform": "<string: client_platform_name>", "version": "<string: client_version_number>" }, "device": { "uid": "<string: device_hardware_uid>", "name": "<string: device_name>", "type": "<string: device_form_factor>", "type_id": 0, "ip": "<string: ipv4_or_ipv6_address>", "os": { "name": "<string: operating_system_name>", "type": "<string: operating_system_family>", "type_id": 0, "version": "<string: os_version_number>" }, "location": { "city": "<string: city_name>", "country": "<string: iso_country_code>", "region": "<string: region_or_state_code>", "lat": 0.0, "long": 0.0 } }, "autonomous_system": { "number": 0 }, "observables": [ { "name": "http_request.user_agent", "type": "HTTP User-Agent", "type_id": 16, "value": "<string: full_browser_user_agent>" } ], "properties": { "author_login": "<string: actor_email_address>" } } - Select Transformation editor.
-
If you selected the OCSF script, add the following transformation and run it. If there is no error, select Apply.
source| extend TimeGenerated = todatetime(datetime(1970-01-01) + ['time'] * 1ms)| project-rename event_time = ['time']If you selected the Dashlane event script, add the following transformation and run it. If there is no error, select Apply.
source| extend TimeGenerated = todatetime(datetime(1970-01-01) + ['date_time'] * 1ms)
-
Select Next and Create.
- Go to Monitor, Settings, Data Collection Rules, and select the DCR you created to copy the Immutable ID.
- Paste the DCR Immutable ID in the corresponding field of the Admin Console.
-
After this, select JSON view.
- Copy the stream name under: StreamDeclarations:
- The name has a prefix+table name which ends in _CL
- Paste the value in the corresponding field of the Admin Console = Stream name
-
Before saving, if you previously uploaded the OCSF event script, please toggle on the Enable OCSF mapping for Microsoft Sentinel beta option to immediately standardize logs in Sentinel, without having to manually map fields.
- Select Save to enable the connection.
- The name has a prefix+table name which ends in _CL
Step 5: Assign permissions to your DCR
-
In Azure, go to Monitor, Settings, and Data Collection Rules.
-
Go to Access control (IAM) and Add role assignment.
-
Add the role Monitoring Metrics Publisher, after this select the role you just added and next.
-
Assign access to:
- User, group, or service principal
- Select Select members
- Search for your registered app and select it
- Continue with Select
-
Select Next, and Review + assign.
Allow up to 30 minutes for the role assignment to propagate. If you send data before the role assignment takes effect, you receive an HTTP 403 Forbidden response.
Step 6: Connect your Dashlane app to Sentinel
Go to Microsoft Sentinel and select Create, select your Workspace and Add to finish the process.
Step 7: View your logs in Sentinel
-
Access your workspace in Microsoft Sentinel
-
Run your logs for Dashlane, by going to Logs, in Tables select Custom Logs, then select Your Table and Run.
-
View your logs:
After setting up your integration, you can use Microsoft Sentinel to track the events listed in the Activity Log in your Dashlane Admin Console.
Note: Your Microsoft Sentinel integration won't log any previous events. Only new events will be tracked after the setup.