While passwordless is the buzzword of 2021, most of the organizations aren't ready to ban passwords all together. Legacy applications and a large number of SaaS applications still require the users to have multiple passwords. During the last last year, we have seen more and more organizations embracing password managers and providing an account to end-users. This allows an organization to stop password reuse and ensure password are stored in a safe place.
While this is a great way to help secure your organization, it's of paramount importance to also monitor the activity within your password manager.
What it does
The LastPass solution for Azure Sentinel is a community project which will monitor the activity within the password manager and provide meaningful insights. The solution consists of:
- A data connector using the LastPass API
- Analytic Rules to receive alerts and incidents for critical events
- Hunting Queries to proactively look into LastPass data
- A Workbook to visualize activity within the password manager
How to use it
In order to implement this solution, you'll need to deploy the Azure Sentinel solution to your environment. After setting up the data connector, data will start flowing in. By using the LastPass API, we have full visibility in all of the activity within LastPass. This allows you to deploy the preconfigured hunting queries, analytic rules and workbook to get insights into the data.
By using a custom data connector, we ensure that the data is formatted before it is ingested into Azure Sentinel. This allows you to easily expand the current Azure Sentinel resources and create additional queries and rules if you desire.
How to use it
The solution starts by deploying the data connector to your own environment, detailed instructions are available on GitHub.
After deploying the data connector, activity data will start flowing into Azure Sentinel, this allows you to investigate the data and see what events are happening within your environment.
By using the provides Azure Sentinel Resources (Workbooks, Hunting Rules and Analytic Rules), we provide a headstart on some tips and tricks on how you can monitor your LastPass environment.
What makes this unique?
This is an integration built into a third party product using public documentation. It provides an idea on how easy it is to integrate third party applications into Azure Sentinel. By combining the power of other Azure resources (Key Vault, App Services, Function Apps...) we can easily (and in a secure manner) ingest data into Azure Sentinel. Because we are using a C# Function App, we can format the data we retrieve from the API and push it into a structured way into Azure Sentinel, this removes the need for a custom parser.
This solution shows how easy it is to integrate other products into Azure Sentinel and provide meaningful insights. The goal is to expand this solution to other (cloud) password managers as well in order to increase the visibility organizations have on the passwords which are used throughout the environment.