---
title: LastPass activity from a potentially malicious IP address
description: Datadog, the leading service for cloud-scale monitoring.
---

# LastPass activity from a potentially malicious IP address

Classification: attack

Tactic: [TA0001-initial-access](https://attack.mitre.org/tactics/TA0001)

Technique: [T1078-valid-accounts](https://attack.mitre.org/techniques/T1078)

## Goal{% #goal %}

Detect LastPass activity from an IP address that has been enriched with threat intelligence.

## Strategy{% #strategy %}

Monitor LastPass event logs for activity from an IP address with associated threat intelligence. Datadog enriches all ingested logs with [expert-curated threat intelligence](https://docs.datadoghq.com/security/cloud_siem/ingest_and_enrich/threat_intelligence/) in real time.

## Triage and response{% #triage-and-response %}

1. Determine whether the user `{{@usr.name}}` should have performed the activity `{{@evt.name}}` from the IP address `{{@network.client.ip}}`.
1. Investigate the user's recent activity and login history to identify potential anomalies.
1. If the activity is deemed suspicious, consider escalating the incident to the security team for further investigation and potential remediation.
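
The baseline comparison behind steps 1 and 2, as an added Python example that is not part of the Datadog rule or documentation: for each threat-matched event it reports whether the IP and the action are new for that user and which other users used the same IP earlier. The events are constructed, and the `ti_match` key and the event names are hypothetical stand-ins for the threat intelligence enrichment and the LastPass event names on the real log.

```python
from collections import defaultdict

# Constructed sample events, not real LastPass or Datadog output. Keys mirror the
# rule's template variables; "ti_match" is a hypothetical stand-in for the
# threat intelligence enrichment, and the event names are placeholders.
def ev(ts, user, ip, action, ti_match):
    return {"ts": ts, "usr.name": user, "network.client.ip": ip,
            "evt.name": action, "ti_match": ti_match}

EVENTS = [
    ev(1, "alice@example.com", "198.51.100.7", "login", False),
    ev(2, "bob@example.com", "203.0.113.50", "login", True),
    ev(3, "alice@example.com", "203.0.113.50", "export", True),
    ev(4, "carol@example.com", "192.0.2.10", "login", False),
    ev(5, "carol@example.com", "192.0.2.10", "login", True),
]

def triage(events):
    """Return one finding per threat-matched event with per-user baseline context."""
    seen_ips = defaultdict(set)      # user -> IPs seen in earlier events
    seen_actions = defaultdict(set)  # user -> event names seen in earlier events
    findings = []
    for e in sorted(events, key=lambda e: e["ts"]):
        user, ip, action = e["usr.name"], e["network.client.ip"], e["evt.name"]
        if e["ti_match"]:
            new_ip = ip not in seen_ips[user]
            new_action = action not in seen_actions[user]
            findings.append({
                "user": user, "ip": ip, "action": action,
                "new_ip_for_user": new_ip,
                "new_action_for_user": new_action,
                # Other accounts that used this IP earlier: possible shared source.
                "ip_shared_by_users": sorted(
                    u for u, ips in seen_ips.items() if u != user and ip in ips),
                # Number of baseline deviations; 0 means the user has done this before.
                "score": int(new_ip) + int(new_action),
            })
        seen_ips[user].add(ip)
        seen_actions[user].add(action)
    return findings

if __name__ == "__main__":
    for f in sorted(triage(EVENTS), key=lambda f: -f["score"]):
        print(f)
```

A score of 0, as for the last constructed event, means the user has already performed that action from that IP, which points toward an address that was listed after it came into normal use rather than a new source.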
