---
title: LastPass activity from a Tor client IP address
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: >-
  Docs > Datadog Security > OOTB Rules > LastPass activity from a Tor client IP
  address
---

# LastPass activity from a Tor client IP address
Classification:attackTactic:[TA0001-initial-access](https://attack.mitre.org/tactics/TA0001)Technique:[T1090-proxy](https://attack.mitre.org/techniques/T1090) 
## Goal{% #goal %}

Detect LastPass activity observed from a Tor exit node.

## Strategy{% #strategy %}

Monitor LastPass event logs and IP address associated with it to determine whether activity is observed from a Tor client. Datadog enriches all ingested logs with [expert-curated threat intelligence](https://docs.datadoghq.com/security/cloud_siem/ingest_and_enrich/threat_intelligence/) in real-time.

## Triage and response{% #triage-and-response %}

1. Determine if the user: `{{@usr.name}}` from IP address: `{{@network.client.ip}}` should have performed activity: `{{@evt.name}}`.
1. Investigate the user's recent activity and login history to identify potential anomalies.
1. If the activity is deemed suspicious, consider escalating the incident to the security team for further investigation and potential remediation.