From 26fc11f87105d1f463aca9b74c56384961ed98b3 Mon Sep 17 00:00:00 2001 From: Jagadisha V <129049263+JV0812@users.noreply.github.com> Date: Thu, 24 Oct 2024 17:25:23 +0530 Subject: [PATCH 1/2] LastPass app docs --- blog-service/2024-10-28-apps.md | 16 +++ cid-redirects.json | 1 + .../product-list/product-list-a-l.md | 2 +- docs/integrations/saas-cloud/index.md | 6 + docs/integrations/saas-cloud/lastpass.md | 105 ++++++++++++++++++ sidebars.ts | 1 + 6 files changed, 130 insertions(+), 1 deletion(-) create mode 100644 blog-service/2024-10-28-apps.md create mode 100644 docs/integrations/saas-cloud/lastpass.md diff --git a/blog-service/2024-10-28-apps.md b/blog-service/2024-10-28-apps.md new file mode 100644 index 0000000000..20c12ba2d6 --- /dev/null +++ b/blog-service/2024-10-28-apps.md @@ -0,0 +1,16 @@ +--- +title: LastPass (Apps) +image: https://help.sumologic.com/img/sumo-square.png +keywords: + - lastpass + - apps +hide_table_of_contents: true +--- + +import useBaseUrl from '@docusaurus/useBaseUrl'; + +icon + +We're excited to introduce the new LastPass app for Sumo Logic. This app leverages the Sumo Logic Cloud-to-Cloud LastPass source to collect audit logs, providing security analysts with critical visibility into their LastPass environment. + +Explore our technical documentation [here](/docs/integrations/saas-cloud/lastpass/) to learn how to set up and use the LastPass app for Sumo Logic. \ No newline at end of file diff --git a/cid-redirects.json b/cid-redirects.json index 11b5e5b389..871a52ccb2 100644 --- a/cid-redirects.json +++ b/cid-redirects.json @@ -1976,6 +1976,7 @@ "/cid/22674": "/docs/integrations/google/cloud-functions", "/cid/22675": "/docs/integrations/google/cloud-sql", "/cid/2323": "/docs/integrations/saas-cloud/zoom", + "/cid/23239": "/docs/integrations/saas-cloud/lastpass", "/cid/2324": "/docs/integrations/saas-cloud/workday", "/cid/23433": "/docs/search/search-query-language/search-operators/topk", "/cid/24000": "/docs/send-data/installed-collectors/sources/preconfigure-machine-collect-remote-windows-events", diff --git a/docs/integrations/product-list/product-list-a-l.md b/docs/integrations/product-list/product-list-a-l.md index a69deb5943..37b8a09f75 100644 --- a/docs/integrations/product-list/product-list-a-l.md +++ b/docs/integrations/product-list/product-list-a-l.md @@ -329,7 +329,7 @@ For descriptions of the different types of integrations Sumo Logic offers, see [ | Thumbnail icon | [Lacework](https://www.lacework.com/) | Automation integration: [Lacework](/docs/platform-services/automation-service/app-central/integrations/lacework/)
Cloud SIEM integration: [Lacework](https://github.com/SumoLogic/cloud-siem-content-catalog/blob/master/vendors/b5ad3497-214f-4952-9191-e98262709251.md)
Partner integration: [Lacework](https://docs.lacework.net/onboarding/sumo-logic) | | Thumbnail icon | [LambdaTest](https://www.lambdatest.com/) | Partner integration: [LambdaTest](https://www.lambdatest.com/support/docs/sumo-logic-integration/) | | Thumbnail icon | [Lansweeper](https://www.lansweeper.com/) | Automation integration: [Lansweeper](/docs/platform-services/automation-service/app-central/integrations/lansweeper/) | -| Thumbnail icon | [LastPass](https://www.lastpass.com/) | Cloud SIEM integration: [LastPass](https://github.com/SumoLogic/cloud-siem-content-catalog/blob/master/vendors/4a2f39e3-f76b-4d23-b601-c12f3f36de87.md)
Collector: [LastPass Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/lastpass-source) | +| Thumbnail icon | [LastPass](https://www.lastpass.com/) | App: [LastPass](/docs/integrations/saas-cloud/lastpass/)
Cloud SIEM integration: [LastPass](https://github.com/SumoLogic/cloud-siem-content-catalog/blob/master/vendors/4a2f39e3-f76b-4d23-b601-c12f3f36de87.md)
Collector: [LastPass Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/lastpass-source) | | Thumbnail icon | [Laurel](https://github.com/threathunters-io/laurel?tab=readme-ov-file) | Cloud SIEM integration: [Laurel](https://github.com/SumoLogic/cloud-siem-content-catalog/blob/master/vendors/182b829a-46b7-4723-b9ef-7373900dc31b.md) | | Thumbnail icon | [Libraesva](https://www.libraesva.com/) | Automation integrations:
- [Libraesva Email Security V4](/docs/platform-services/automation-service/app-central/integrations/libraesva-email-security-v4/)
- [Libraesva Email Security V5](/docs/platform-services/automation-service/app-central/integrations/libraesva-email-security-v5/)
Cloud SIEM integration: [Libraesva](https://github.com/SumoLogic/cloud-siem-content-catalog/blob/master/vendors/e8ac6d6d-eb75-4e7a-84cd-7156212ec048.md) | | Thumbnail icon | [Linux](https://www.linux.org/) | Apps:
- [Linux](/docs/integrations/hosts-operating-systems/linux/)
- [Linux - OpenTelemetry](/docs/integrations/hosts-operating-systems/opentelemetry/linux-opentelemetry/)
- [Linux - Cloud Security Monitoring and Analytics](/docs/integrations/cloud-security-monitoring-analytics/linux/)
- [Linux - Cloud Security Monitoring and Analytics - OpenTelemetry](/docs/integrations/cloud-security-monitoring-analytics/opentelemetry/linux-opentelemetry/)
- [PCI Compliance for Linux](/docs/integrations/pci-compliance/linux/)
- [PCI Compliance for Linux - OpenTelemetry](/docs/integrations/pci-compliance/opentelemetry/linux-opentelemetry/)
Cloud SIEM integration: [Linux](https://github.com/SumoLogic/cloud-siem-content-catalog/blob/master/vendors/e5727c72-15dd-4cc8-ab4e-0b65ff196f10.md)
Collectors:
- [Add a Collector to a Linux Machine Image](/docs/send-data/installed-collectors/collector-installation-reference/add-collector-linux-machine-image/)
- [Install a Collector on Linux](/docs/send-data/installed-collectors/linux/)
- [Install OpenTelemetry Collector on Linux](/docs/send-data/opentelemetry-collector/install-collector/linux/)
- [Linux OS Syslog - Cloud SIEM](/docs/cse/ingestion/ingestion-sources-for-cloud-siem/linux-os-syslog/) | diff --git a/docs/integrations/saas-cloud/index.md b/docs/integrations/saas-cloud/index.md index 193285d418..9bb8ffc355 100644 --- a/docs/integrations/saas-cloud/index.md +++ b/docs/integrations/saas-cloud/index.md @@ -147,6 +147,12 @@ Learn about the Sumo Logic apps for SaaS and Cloud applications.

Monitor and analyze KnowBe4 Phishing Security logs.

+
+
+ icon

LastPass

 +

Identify security threats by analyzing audit events.

+
+
icon

Microsoft Azure AD Inventory

 diff --git a/docs/integrations/saas-cloud/lastpass.md b/docs/integrations/saas-cloud/lastpass.md new file mode 100644 index 0000000000..fc5cd01f59 --- /dev/null +++ b/docs/integrations/saas-cloud/lastpass.md @@ -0,0 +1,105 @@ +--- +id: lastpass +title: LastPass +sidebar_label: LastPass +description: The LastPass app for Sumo Logic provides security analysts with critical visibility into their LastPass environment. +--- + +import useBaseUrl from '@docusaurus/useBaseUrl'; + +thumbnail icon + +The Sumo Logic app for LastPass enables security analysts to monitor critical LastPass activities, providing visibility into both user and admin actions that are vital for maintaining account security. The app offers dashboards that track key events such as user logins, password resets, and multi-factor authentication (MFA) changes, helping to detect unusual patterns or potential threats. + +Analysts can monitor user activities like sharing keys, provisioning, de-provisioning, and policy changes, while also monitoring account creation and deletion trends. In addition, geo-location insights highlight the origins of risky activities and failed login attempts, assisting in identifying suspicious behavior across different regions. With real-time visualizations of event trends, analysts can quickly detect spikes in activity, allowing for proactive responses to potential security incidents. + +:::info +This app includes [built-in monitors](#lastpass-monitors). For details on creating custom monitors, refer to [Create monitors for LastPass app](#create-monitors-for-lastpass-app). +::: + +## Log types + +This app uses Sumo Logic’s LastPass Source to collect [audit events](https://support.lastpass.com/s/document-item?bundleId=lastpass&topicId=LastPass/api_event_reporting.html&_LANG=enus) from LastPass platform. + +## Sample log messages + +```json title="Audit Event Log" +{ + "Time": "2024-10-14 08:00:32", + "Username": "thomas@sumo.com", + "IP_Address": "137.80.288.60", + "Action": "Log in", + "Data": "LastPass via Chrome v4.134.0" +} +``` +## Sample queries + +```sql title="Top 10 Active Users" +_sourceCategory="lastpass_event" Action Username +| json "Time","Username", "Action","IP_Address", "Data" as time, user, action, ip_address, data nodrop + +// Global filters +| where action matches "{{action}}" + +| count as frequency by user +| sort by user +| limit 10 +``` + +## Set up collection + +To set up [Cloud-to-Cloud Integration LastPass Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/lastpass-source) for the LastPass app, follow the instructions provided. These instructions will guide you through the process of creating a source using the LastPass Source category, which you will need to use when installing the app. By following these steps, you can ensure that your LastPass app is properly integrated and configured to collect and analyze your LastPass data. + +## Installing the LastPass app​ + +import AppInstall2 from '../../reuse/apps/app-install-v2.md'; + + + +## Viewing LastPass dashboards​​ + +import ViewDashboards from '../../reuse/apps/view-dashboards.md'; + + + +### Activity and Risk Monitoring + +The **LastPass - Activity and Risk Monitoring** dashboard provides a detailed view of user actions and event trends, helping security analysts track critical activity. It displays total event counts, new account creations, and top users and actions, allowing for quick identification of frequent behaviors. The event timeline highlights spikes in activity that may indicate potential risks. Additionally, the geo-location maps of events and risky actions offer insights into the geographic distribution of LastPass activities, helping analysts identify regional anomalies or suspicious login patterns. This dashboard is designed to support proactive threat detection and response.
LastPass-Activity-and-Risk-Monitoring + +### Security Overview + +The **LastPass - Security Overview** provides a detailed view of key authentication events to help security analysts monitor user activity and detect potential threats. It tracks logins to the admin console, encryption key rotations, and SAML login events, offering insight into critical security operations. The dashboard also highlights recent master password changes, MFA modifications, and both successful and failed authentication attempts. By focusing on these events, analysts can quickly identify suspicious behavior, such as unusual login patterns or password resets, and take action to secure the LastPass environment.
LastPass-Security-Overview + +### Admin and User Activity + +The **LastPass - User and Admin Activity** dashboard offers a comprehensive overview of admin and user activities within LastPass, enabling security analysts to detect and respond to unusual behavior. It tracks admin actions such as user provisioning, de-provisioning, and role changes, alongside critical policy modifications and group updates. Additionally, it highlights user actions such as data imports, exports, and shared folder activities. By analyzing trends in these events, security analysts can quickly identify potential risks, such as unauthorized access or sensitive data deletions, ensuring enhanced protection for the LastPass environment.
LastPass-Admin-and-User-Activity + +## Create monitors for LastPass app + +import CreateMonitors from '../../reuse/apps/create-monitors.md'; + + + +### LastPass monitors + +| Name | Description | Trigger Type (Critical / Warning / MissingData) | Alert Condition | +|:--|:--|:--|:--| +| `Failed login attempt` | This alert notifies you when there is a failed login attempt. Multiple failed login attempts may indicate a brute force attack or an unauthorized user attempting to gain access to the LastPass environment. | Critical | Count > 2 | +| `Login exceeds set parameters` | This alert is triggered when login attempts or user sessions exceed defined security parameters. This could involve accessing unauthorized devices, exceeding allowed session lengths, or violating other security policies. | Critical | Count > 1| +| `Events from Risky Locations` | This alert is activated when user activities or login attempts are detected from geographical locations deemed high-risk. These events could signal unauthorized access attempts and may require investigation to ensure the legitimacy of the user’s actions. | Critical | Count > 0| +| `Changes in MFA` | This alert is triggered when changes are made to Multi-Factor Authentication (MFA) settings. This could include enabling, disabling, or modifying MFA methods, which are critical to account security and require close monitoring to prevent unauthorized access. | Critical | Count > 0| +| `Master Password & Encryption Key Events` | This alert tracks events related to changes or activities involving master passwords or encryption keys. Since these are crucial elements for accessing sensitive data, any changes should be closely monitored for potential security breaches. | Critical | Count > 0| +| `Changes in Provisional Credentials` | This alert monitors changes made to provisional or temporary credentials. These changes could include issuing new credentials, modifications, or revocation, and should be carefully reviewed to ensure compliance with security policies. | Critical | Count > 0| +| `Role, Policy, and Access Control Changes` | This alert tracks modifications to user roles, security policies, or access control settings within LastPass. Such changes could impact how resources are accessed and managed, so it's critical to ensure that only authorized personnel are making these adjustments. | Critical | Count > 0| + +## Upgrading the LastPass app (Optional) + +import AppUpdate from '../../reuse/apps/app-update.md'; + + + +## Uninstalling the LastPass app (Optional) + +import AppUninstall from '../../reuse/apps/app-uninstall.md'; + + \ No newline at end of file diff --git a/sidebars.ts b/sidebars.ts index 51b1ddee9a..1b0b982f59 100644 --- a/sidebars.ts +++ b/sidebars.ts @@ -2458,6 +2458,7 @@ integrations: [ 'integrations/saas-cloud/gmail-tracelogs', 'integrations/saas-cloud/istio', 'integrations/saas-cloud/knowbe4', + 'integrations/saas-cloud/lastpass', 'integrations/saas-cloud/microsoft-azure-ad-inventory', 'integrations/saas-cloud/microsoft-exchange-trace-logs', 'integrations/saas-cloud/microsoft-graph-security-v1', From a95fced55038297de472e51e2a7b039b72243006 Mon Sep 17 00:00:00 2001 From: Jagadisha V <129049263+JV0812@users.noreply.github.com> Date: Fri, 25 Oct 2024 10:33:18 +0530 Subject: [PATCH 2/2] Update docs/integrations/saas-cloud/lastpass.md Co-authored-by: John Pipkin (Sumo Logic) --- docs/integrations/saas-cloud/lastpass.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/integrations/saas-cloud/lastpass.md b/docs/integrations/saas-cloud/lastpass.md index fc5cd01f59..d145b61782 100644 --- a/docs/integrations/saas-cloud/lastpass.md +++ b/docs/integrations/saas-cloud/lastpass.md @@ -48,7 +48,7 @@ _sourceCategory="lastpass_event" Action Username ## Set up collection -To set up [Cloud-to-Cloud Integration LastPass Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/lastpass-source) for the LastPass app, follow the instructions provided. These instructions will guide you through the process of creating a source using the LastPass Source category, which you will need to use when installing the app. By following these steps, you can ensure that your LastPass app is properly integrated and configured to collect and analyze your LastPass data. +To set up the [LastPass Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/lastpass-source) for the LastPass app, follow the instructions provided. These instructions will guide you through the process of creating a source using the LastPass Source category, which you will need to use when installing the app. By following these steps, you can ensure that your LastPass app is properly integrated and configured to collect and analyze your LastPass data. ## Installing the LastPass app​