LastPass Add-on for Splunk
Collect LastPass data into Splunk via installation onto a Splunk UF or SplunkCloud IDM.
Overview
This Add-on maps LastPass data to the appropriate CIM Data Models so that you can correlate it against other sources, for example your web access logs.
Built with the Splunk Add-on Builder, it provides several inputs that collect enterprise account event reporting and user, group, and folder inventory information from LastPass.
Requirements
You will need the following to collect reporting event data from LastPass:
- LastPass Enterprise account with admin access
- LastPass CustomerID
- Provisioning hash
- Index name to store data
Deploy this TA through either of two effective methods:
- Install locally to server
  - Transfer tarball to host server. Change ownership/permissions as necessary.
  - Install locally to Splunk instance using either method:
    - Splunk install CLI: Use splunk install app <app tarball>
      - Note: requires local account + role permissions to install app
    - Splunk restart: Unpack app tarball into $SPLUNK_HOME/etc/apps
      - Validate full ownership of unpacked files for splunk user
      - Restart Splunk instance
- Install using Splunk Web UI
  - Within Splunk Web UI, navigate to the Manage Apps page and install by file
    - Note: there may be upload restrictions or failed uploads depending on environment settings
Setup
Not covered: configuration to forward data to Splunk deployment
- Navigate to the Configuration page within the TA lastpass namespace.
- Click the Create New Input button and select among the following inputs for data collection:
  - Event Reporting
  - User inventory
  - Shared Folder inventory
- Complete the setup form.
  - Name - label for your input
  - Interval - how often to collect (Recommended: every 60 seconds, or one minute)
  - Index - Splunk index
  - LastPass API URL - the default is already set; if you have a separate URL, fill it in
  - Collection Start Time - timestamp from which to start collection. Backfill is supported, and PST is the only supported timezone (per vendor documentation, may vary depending on account)
The event and inventory data have been mapped to various CIM Data Models. Consider installing this TA on both SH and HWF/UFs.
LastPass is a trademark of LastPass. Use of their API is subject to their terms of service. https://lastpass.com/terms-of-service
Use of their copyright logos and icons is with their publicly posted permission. See https://lastpass.com/press-room for all information.
Use Cases
- Monitor user access to shared folders
- Monitor service-level access and changes
- Assess access control for all users per shared folder
Credits
Henry Canivel