This repository contains all resources for the LastPass Azure Sentinel Solution. The LastPass Solution is built in order to easily integrate LastPass with Azure Sentinel.
By deploying this solution, you'll be able to monitor activity within LastPass and be alerted when potential security events arise. The solution consists out of the following resources:
- A data connector using an Azure App Service to go out to the LastPass API.
- One workbook to visualize some of the activity within LastPass
- Hunting Queries to look into potential security events
- Analytic Rules to generate alerts and incidents when potential malicious events happen
The data connector will retrieve the LastPass Activity data through the LastPass Enterprise API.
Authentication is done through a LastPass Provisioning Hash API key which can be generated by a LastPass administrator by following the steps in the following How To Article.
An ARM template is provided to easily deploy all of the components for the data connector, this includes:
- The Key Vault used to store the credentials for both the Log Analytics workspace and the LastPass API key
- An App Configuration which contains the configuration variables.
- An App Services which contains one C# Azure Functions which pulls data from the LastPass API.
- Click on the "Deploy to Azure" button below. When prompted, log in to your Azure subscription.
-
Select a subscription and resource group, we recommend creating a new resource group.
-
Fill in the required fields:
-
Serviceplan Name: the name of the serviceplan.
-
Key Vault Name: the name of the keyvault, where we will store the secrets.
-
Storage Name: The name of the bot.
-
App Config Name: The name of the app-configuration, where we will store the connector settings.
-
Connector Name: The name of the dataconnector.
-
Shared Key: The sharedKey from the LastPass API.
-
Prov Hash: The Provisioning Hash from the LastPass API.
-
Cid: The Provisioning Hash from the LastPass API.
-
Wk Space Id: The Log analytics workspace ID.
-
when the deployment is done, we need to do some manual configurations.
-
Add Access Policies:
-
Go to the Created KeyVault.
-
Select Access policies, which can be found under the Settings blade.
-
Click + Add Access Policy
-
Set Secret permissions:
-
Get
-
List
-
Select principal: select the dataconnector.
-
report steps 3-5 and select the app configuration as principal.
-
Click Save
-
-
Add App config access
- Go to the created app configuration
- Select Access keys, which can be found under the Settings blade.
- Click the copy button from the connection string value under the Primary key section.
- Navigate to the dataconnector that was created.
- Select Configuration, which can be found under the Settings blade.
- Click on the Application Setting AppConfigurationUri
- Paste the Access key inside the value input field.
- Press OK followed by Save
-
-
Restart the dataconnector
If All succeeded you should see a custom table LastPass_Data_CL inside of the Log Analytics Workspace. Note: It can take a couple of minutes before the data is visible.
The workbook contains visualizations about the activity within LastPass and provides an overview of the user activity. This allows you to identify user with a high amount of activity.
Besides user activity, the sign-ins logs are correlated to point out sign-ins which were done from previously unknown IPs and admin activity is surfaced.
The workbook can be deployed by creating an empty workbook and adding the data from the Gallery template.
- Login into LastPass from a previously unknown IP.
- Failed sign-ins into LastPass due to MFA.
- Password moved to shared folders
The solution currently includes five analytic rules:
- TI map IP entity to LastPass data
- Highly Sensitive Password Accessed
- Failed sign-ins into LastPass due to MFA
- Employee account deleted
- Unusual Volume of Password Updated or Removed