LastPass

The Sumo Logic app for LastPass enables security analysts to monitor critical LastPass activities, providing visibility into both user and admin actions that are vital for maintaining account security. The app offers dashboards that track key events such as user logins, password resets, and multi-factor authentication (MFA) changes, helping to detect unusual patterns or potential threats.

Analysts can monitor user activities like sharing keys, provisioning, de-provisioning, and policy changes, while also monitoring account creation and deletion trends. In addition, geo-location insights highlight the origins of risky activities and failed login attempts, assisting in identifying suspicious behavior across different regions. With real-time visualizations of event trends, analysts can quickly detect spikes in activity, allowing for proactive responses to potential security incidents.

info

This app includes built-in monitors. For details on creating custom monitors, refer to Create monitors for LastPass app.

Log types

This app uses Sumo Logic’s LastPass Source to collect audit events from LastPass platform.

Sample log messages

Audit Event Log

{
  "Time": "2024-10-14 08:00:32",
  "Username": "thomas@sumo.com",
  "IP_Address": "137.80.288.60",
  "Action": "Log in",
  "Data": "LastPass via Chrome v4.134.0"
}

Sample queries

Top 10 Active Users

_sourceCategory="lastpass_event" Action Username
| json "Time","Username", "Action","IP_Address", "Data" as time, user, action, ip_address, data nodrop

// Global filters
| where action matches "{{action}}"

| count as frequency by user
| sort by user
| limit 10

Set up collection

To set up the LastPass Source for the LastPass app, follow the instructions provided. These instructions will guide you through the process of creating a source using the LastPass Source category, which you will need to use when installing the app. By following these steps, you can ensure that your LastPass app is properly integrated and configured to collect and analyze your LastPass data.

Installing the LastPass app​

To install the app, do the following:

1. Select App Catalog.
2. In the 🔎 Search Apps field, run a search for your desired app, then select it.
3. Click Install App.
   note

   Sometimes this button says Add Integration.

4. Click Next in the Setup Data section.
5. In the Configure section of your respective app, complete the following fields.
   1. Key. Select either of these options for the data source.
      • Choose Source Category and select a source category from the list for Default Value.
      • Choose Custom, and enter a custom metadata field. Insert its value in Default Value.
6. Click Next. You will be redirected to the Preview & Done section.

Post-installation

Once your app is installed, it will appear in your Installed Apps folder, and dashboard panels will start to fill automatically.

Each panel slowly fills with data matching the time range query and received since the panel was created. Results will not immediately be available, but will update with full graphs and charts over time.

Viewing LastPass dashboards​​

All dashboards have a set of filters that you can apply to the entire dashboard. Use these filters to drill down and examine the data to a granular level.

• You can change the time range for a dashboard or panel by selecting a predefined interval from a drop-down list, choosing a recently used time range, or specifying custom dates and times. Learn more.
• You can use template variables to drill down and examine the data on a granular level. For more information, see Filtering Dashboards with Template Variables.
• Most Next-Gen apps allow you to provide the scope at the installation time and are comprised of a key (_sourceCategory by default) and a default value for this key. Based on your input, the app dashboards will be parameterized with a dashboard variable, allowing you to change the dataset queried by all panels. This eliminates the need to create multiple copies of the same dashboard with different queries.

Activity and Risk Monitoring

The LastPass - Activity and Risk Monitoring dashboard provides a detailed view of user actions and event trends, helping security analysts track critical activity. It displays total event counts, new account creations, and top users and actions, allowing for quick identification of frequent behaviors. The event timeline highlights spikes in activity that may indicate potential risks. Additionally, the geo-location maps of events and risky actions offer insights into the geographic distribution of LastPass activities, helping analysts identify regional anomalies or suspicious login patterns. This dashboard is designed to support proactive threat detection and response.

Security Overview

The LastPass - Security Overview provides a detailed view of key authentication events to help security analysts monitor user activity and detect potential threats. It tracks logins to the admin console, encryption key rotations, and SAML login events, offering insight into critical security operations. The dashboard also highlights recent master password changes, MFA modifications, and both successful and failed authentication attempts. By focusing on these events, analysts can quickly identify suspicious behavior, such as unusual login patterns or password resets, and take action to secure the LastPass environment.

Admin and User Activity

The LastPass - User and Admin Activity dashboard offers a comprehensive overview of admin and user activities within LastPass, enabling security analysts to detect and respond to unusual behavior. It tracks admin actions such as user provisioning, de-provisioning, and role changes, alongside critical policy modifications and group updates. Additionally, it highlights user actions such as data imports, exports, and shared folder activities. By analyzing trends in these events, security analysts can quickly identify potential risks, such as unauthorized access or sensitive data deletions, ensuring enhanced protection for the LastPass environment.

Create monitors for LastPass app

From your App Catalog:

1. From the Sumo Logic navigation, select App Catalog.
2. In the Search Apps field, search for and then select your app.
3. Make sure the app is installed.
4. Navigate to What's Included tab and scroll down to the Monitors section.
5. Click Create next to the pre-configured monitors. In the create monitors window, adjust the trigger conditions and notifications settings based on your requirements.
6. Scroll down to Monitor Details.
7. Under Location click on New Folder.
   note

   By default, monitor will be saved in the root folder. So to make the maintenance easier, create a new folder in the location of your choice.

8. Enter Folder Name. Folder Description is optional.
   tip

   Using app version in the folder name will be helpful to determine the versioning for future updates.

9. Click Create. Once the folder is created, click on Save.

LastPass monitors

Name	Description	Trigger Type (Critical / Warning / MissingData)	Alert Condition
Failed login attempt	This alert notifies you when there is a failed login attempt. Multiple failed login attempts may indicate a brute force attack or an unauthorized user attempting to gain access to the LastPass environment.	Critical	Count > 2
Login exceeds set parameters	This alert is triggered when login attempts or user sessions exceed defined security parameters. This could involve accessing unauthorized devices, exceeding allowed session lengths, or violating other security policies.	Critical	Count > 1
Events from Risky Locations	This alert is activated when user activities or login attempts are detected from geographical locations deemed high-risk. These events could signal unauthorized access attempts and may require investigation to ensure the legitimacy of the user’s actions.	Critical	Count > 0
Changes in MFA	This alert is triggered when changes are made to Multi-Factor Authentication (MFA) settings. This could include enabling, disabling, or modifying MFA methods, which are critical to account security and require close monitoring to prevent unauthorized access.	Critical	Count > 0
Master Password & Encryption Key Events	This alert tracks events related to changes or activities involving master passwords or encryption keys. Since these are crucial elements for accessing sensitive data, any changes should be closely monitored for potential security breaches.	Critical	Count > 0
Changes in Provisional Credentials	This alert monitors changes made to provisional or temporary credentials. These changes could include issuing new credentials, modifications, or revocation, and should be carefully reviewed to ensure compliance with security policies.	Critical	Count > 0
Role, Policy, and Access Control Changes	This alert tracks modifications to user roles, security policies, or access control settings within LastPass. Such changes could impact how resources are accessed and managed, so it's critical to ensure that only authorized personnel are making these adjustments.	Critical	Count > 0

Upgrading the LastPass app (Optional)

To update the app, do the following:

1. Select App Catalog.
2. In the Search Apps field, search for and then select your app.
   Optionally, you can identify apps that can be upgraded in the Upgrade available section.
3. To upgrade the app, select Upgrade from the Manage dropdown.
   1. If the upgrade does not have any configuration or property changes, you will be redirected to the Preview & Done section.
   2. If the upgrade has any configuration or property changes, you will be redirected to Setup Data page.
      1. In the Configure section of your respective app, complete the following fields.
         • Key. Select either of these options for the data source.
           • Choose Source Category and select a source category from the list for Default Value.
           • Choose Custom and enter a custom metadata field. Insert its value in Default Value.
      2. Click Next. You will be redirected to the Preview & Done section.

Post-update

Your upgraded app will be installed in the Installed Apps folder, and dashboard panels will start to fill automatically.

note

See our Release Notes changelog for new updates in the app.

To revert the app to a previous version, do the following:

1. Select App Catalog.
2. In the Search Apps field, search for and then select your app.
3. To version down the app, select Revert to < previous version of your app > from the Manage dropdown.

Uninstalling the LastPass app (Optional)

To uninstall the app, do the following:

1. Select App Catalog.
2. In the 🔎 Search Apps field, run a search for your desired app, then select it.
3. Click Uninstall.