Integrating LastPass Logs With Blumira

LastPass is a password manager that stores encrypted passwords online and also offers enterprise single sign-on (SSO) and adaptive multi-factor authentication (MFA).

Once configured and integrated with LastPass, Blumira’s modern SIEM platform ingests and parses log data in order to provide advanced threat detection and automated, actionable response.

LastPass Log Collection Configuration

Blumira can be configured to ingest a stream of LastPass event data through the LastPass Enterprise API. If you have a LastPass Enterprise account, follow these steps to forward that account’s log stream to Blumira.

Configuring LastPass

To configure LastPass, you will need to obtain a “Provisioning Hash”, or API key, that gives Blumira access to your data through the LastPass Enterprise API[1]. You will also need to obtain your Customer ID, or “cid”, from LastPass. To do this, follow these steps:

  1. Log in to LastPass.
  2. Under Advanced Options, select Enterprise API.
  3. Click on Create Your Provisioning Hash and note the resulting value. This is your LastPass API Secret.
  4. To obtain your Customer ID, or “cid”, return to the Enterprise API page. Under Authentication Parameters, your “cid” will be listed as an authentication parameter. Take note of this numeric value – the quotation marks are not part of the value.

Configuring Blumira

Next, you will need to enable your Blumira sensor to connect to LastPass, using the API Secret and cid you obtained. This connection is managed through the LastPass module, which you will install on one of your Blumira sensors.

Here’s how to add the LastPass module:

  1. Once you have chosen or installed a sensor you’d like to add LastPass log collection to, access that sensor’s detail page through the sensor UI (Infrastructure > Sensors > {click on your chosen sensor}).
  2. In the Modules section for your sensor, click on the Add Module button. In the Module dropdown menu, find the LastPass Module, and select the latest available version.
  3. Fill in the Module Configuration section.
  4. The LastPass CID and LastPass API Secret should be filled out with the values you obtained in the Configuring LastPass step. The Log Source Name is an optional text value which you can use to identify your LastPass log source in the Blumira platform.
  5. You can leave Log Source Name empty or, optionally, set it to a short alphanumeric string, without spaces, that will help identify this instance of the LastPass integration in case you later have multiple (e.g. “main” or “primary”).
  6. Press Install and wait a few seconds for the system to process your request.

The “Add New Module” window should close, and, back in your sensor detail page view, you should now see the LastPass Module listed in the table of modules.

Within minutes of completing these steps, the LastPass module will be operational, and will ingest up to 90 days of historical logs into the Blumira platform. The module will then continuously monitor the LastPass service for the latest available logs.

[1] (Requires being logged into your LastPass enterprise account) https://lastpass.com/company/#!/settings/enterprise-api