LastPass vault content export attempt

This rule is part of a beta feature. To learn more, contact Support.
lastpass

Classification:

attack

Tactic:

TA0010-exfiltration

Technique:

T1567-exfiltration-over-web-service

Set up the lastpass integration.

This page is not yet available in Spanish. We are working on its translation.
If you have any questions or feedback about our current translation project, feel free to reach out to us!

Goal

Detect when a LastPass user attempts to modify a vault item.

Strategy

This rule monitors LastPass account logs to determine when a vault item is modified. This could indicate an attempt to modify an item.

Triage and response

  1. Investigate the user: {{@usr.name}} who triggered the event {{@evt.name}} involving vault item {{@VID}} within the vault.
  2. If this action was unintended by the user:
    • Rotate the user’s LastPass master password
    • Identify all the items that were modified and rotate the necessary authentication credentials