Azure-Sentinel/Solutions/LastPass
v-rucdu 422e84b16d Updated API version in watchlists 2022-10-13 15:21:55 +05:30

LastPass Solution for Microsoft Sentinel

This repository contains all resources for the LastPass Microsoft Sentinel Solution. The solution is built to make it easy to integrate LastPass with Microsoft Sentinel.

By deploying this solution, you will be able to monitor activity within LastPass and be alerted when potential security events arise. The solution consists of the following resources:

  • A codeless API connector to ingest data into Sentinel
  • One workbook to visualize some of the activity within LastPass
  • Hunting queries to look into potential security events
  • Analytic rules to generate alerts and incidents when potentially malicious events happen

Data Connector Deployment

The data connector will retrieve the LastPass Activity data through the LastPass Enterprise API.

Authentication is done through a LastPass Provisioning Hash API key, which a LastPass administrator can generate by following the steps in the LastPass How To article.

This is a codeless API connector. After the ARM template has been deployed, the connector appears in the list of connectors. Enter the API key and Microsoft Sentinel will start pulling in data.

Workbook

The workbook contains visualizations of the activity within LastPass and provides an overview of user activity. This allows you to identify users with a high volume of activity.

Besides user activity, the sign-in logs are correlated to highlight sign-ins from previously unknown IPs, and admin activity is surfaced.

The workbook can be deployed by creating an empty workbook and adding the data from the Gallery template.

Hunting

  • Login into LastPass from a previously unknown IP
  • Failed sign-ins into LastPass due to MFA
  • Password moved to shared folders
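The first hunting query above (and the workbook's unknown-IP correlation) can be written as a baseline-versus-recent comparison in KQL. The query below is an added example, not the solution's own query; the table and column names (LastPassNativePoller_CL, Time_t, Username_s, Action_s, IP_Address_s) and the "Log in" action value are assumptions, since the README does not state the schema, so adjust them to what the connector creates in your workspace.

```kql
// Added example: LastPass sign-ins from an IP the user has not signed in from
// during the previous 30 days. Assumed schema, not taken from this page:
// table LastPassNativePoller_CL, columns Time_t, Username_s, Action_s, IP_Address_s.
let lookback = 30d;   // baseline window
let recent = 1d;      // window to hunt in
let logins = LastPassNativePoller_CL
    | where Action_s == "Log in"                       // assumed sign-in action string
    | where isnotempty(IP_Address_s)
    | project TimeGenerated = Time_t, User = tolower(Username_s), IP = IP_Address_s;
// Baseline: every (user, IP) pair seen in the lookback window, excluding the recent window.
let baseline = logins
    | where TimeGenerated between (ago(lookback) .. ago(recent))
    | distinct User, IP;
// Users that have any history at all; a user with no baseline is new, not necessarily suspicious.
let usersWithBaseline = baseline
    | distinct User
    | extend HasBaseline = true;
logins
| where TimeGenerated > ago(recent)
| join kind=leftanti baseline on User, IP              // keep only pairs absent from the baseline
| summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated), Logins = count() by User, IP
| join kind=leftouter usersWithBaseline on User
| extend HasBaseline = coalesce(HasBaseline, false)    // false = brand-new user, lower confidence
| project User, IP, FirstSeen, LastSeen, Logins, HasBaseline
| order by HasBaseline desc, FirstSeen asc
```

Rows with HasBaseline == false are users who appeared for the first time in the hunt window; review them separately rather than treating every first sign-in as an unknown-IP event.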

Analytic Rules

The solution currently includes five analytic rules:

  • TI map IP entity to LastPass data
  • Highly Sensitive Password Accessed
  • Failed sign-ins into LastPass due to MFA
  • Employee account deleted
  • Unusual Volume of Password Updated or Removed