Checkmarx Audit Log Ingestion Playbook: Security Event Monitoring Integration

What Changed

New standalone playbook AS-Checkmarx-Audit-Ingestion that creates unidirectional integration between Checkmarx One audit logs and Microsoft Sentinel for security event monitoring and compliance tracking.

Data Source

Checkmarx audit log integration pulls audit events from Checkmarx One platform via REST API, ingesting administrative and user activity data into custom log table CheckmarxAuditEvents_CL.

API authentication: Supports both OAuth client_credentials (recommended) and refresh_token grant types with configurable regional endpoints (US, EU, DEU, ANZ, IND). Shares authentication infrastructure with the complementary SAST ingestion playbook.

Ingestion Mechanism

DCR-based ingestion using Data Collection Rules (DCR), Data Collection Endpoints (DCE), and custom log tables. Logic App runs daily to collect audit events from the previous 24 hours.

Shared infrastructure: Designed to use the same DCE and Key Vault secret as the AS-Checkmarx-SAST-Ingestion playbook, minimizing resource overhead for combined deployments.

Detection Surface Unlocked

Administrative activity monitoring: Enables tracking of user authentication events, login failures, account changes, and administrative actions within the Checkmarx platform for insider threat detection and compliance auditing.

Security event correlation: KQL queries for login activity analysis, failed authentication tracking, user behavior monitoring, and IP address-based activity analysis to identify suspicious patterns.

Affected Files

Playbooks/AS-Checkmarx-Audit-Ingestion/AzureDeployAuditDCR.json
Playbooks/AS-Checkmarx-Audit-Ingestion/AzureDeployAuditTable.json
Playbooks/AS-Checkmarx-Audit-Ingestion/AzureDeployDCE.json
Playbooks/AS-Checkmarx-Audit-Ingestion/Images/Checkmarx_Audit_Custom_Logs_1.png
Playbooks/AS-Checkmarx-Audit-Ingestion/Images/Checkmarx_Audit_Integration_DCR_Access_1.png
Playbooks/AS-Checkmarx-Audit-Ingestion/Images/Checkmarx_Audit_Integration_DCR_Access_2.png
Playbooks/AS-Checkmarx-Audit-Ingestion/Images/Checkmarx_Audit_Integration_DCR_Access_3.png
Playbooks/AS-Checkmarx-Audit-Ingestion/Images/Checkmarx_Audit_Integration_DCR_Access_4.png
Playbooks/AS-Checkmarx-Audit-Ingestion/Images/Checkmarx_Audit_Integration_Demo_1.png
Playbooks/AS-Checkmarx-Audit-Ingestion/Images/Checkmarx_Audit_Integration_Deploy_1.png
Playbooks/AS-Checkmarx-Audit-Ingestion/Images/Checkmarx_Audit_Integration_Deploy_2.png
Playbooks/AS-Checkmarx-Audit-Ingestion/Images/Checkmarx_Audit_Integration_Deploy_3.png
Playbooks/AS-Checkmarx-Audit-Ingestion/Images/Checkmarx_Audit_Integration_Deploy_Audit_DCR_1.png
Playbooks/AS-Checkmarx-Audit-Ingestion/Images/Checkmarx_Audit_Integration_Deploy_Audit_DCR_2.png
Playbooks/AS-Checkmarx-Audit-Ingestion/Images/Checkmarx_Audit_Integration_Deploy_Audit_Table_1.png
Playbooks/AS-Checkmarx-Audit-Ingestion/Images/Checkmarx_Audit_Integration_Deploy_DCE_1.png
Playbooks/AS-Checkmarx-Audit-Ingestion/Images/Checkmarx_Audit_Integration_Deploy_DCE_2.png
Playbooks/AS-Checkmarx-Audit-Ingestion/Images/Checkmarx_Audit_Integration_Key_Vault_1.png
Playbooks/AS-Checkmarx-Audit-Ingestion/Images/Checkmarx_Audit_Integration_Key_Vault_2.png
Playbooks/AS-Checkmarx-Audit-Ingestion/Images/Checkmarx_Audit_Integration_Key_Vault_Access_1.png
Playbooks/AS-Checkmarx-Audit-Ingestion/Images/Checkmarx_Audit_Integration_Key_Vault_Access_2.png
Playbooks/AS-Checkmarx-Audit-Ingestion/Images/Checkmarx_Audit_Integration_Key_Vault_Access_3.png
Playbooks/AS-Checkmarx-Audit-Ingestion/Images/Checkmarx_Audit_Integration_Key_Vault_Access_4.png
Playbooks/AS-Checkmarx-Audit-Ingestion/Images/Checkmarx_Audit_Integration_Key_Vault_Access_5.png
Playbooks/AS-Checkmarx-Audit-Ingestion/Images/Checkmarx_Audit_Integration_Key_Vault_Access_6.png
Playbooks/AS-Checkmarx-Audit-Ingestion/Images/Checkmarx_Audit_Integration_Key_Vault_Access_7.png
Playbooks/AS-Checkmarx-Audit-Ingestion/Images/Checkmarx_Audit_Integration_Key_Vault_Access_8.png
Playbooks/AS-Checkmarx-Audit-Ingestion/Images/Checkmarx_Audit_Integration_Log_Analytics_Workspace_1.png
Playbooks/AS-Checkmarx-Audit-Ingestion/Images/Checkmarx_Audit_Integration_Log_Analytics_Workspace_2.png
Playbooks/AS-Checkmarx-Audit-Ingestion/Images/Checkmarx_Audit_Integration_Log_Analytics_Workspace_3.png
Playbooks/AS-Checkmarx-Audit-Ingestion/README.md
Playbooks/AS-Checkmarx-Audit-Ingestion/azuredeploy.json