
Quick Start Security for LastPass

LastPass

Coralogix Extension For LastPass Includes:

Alerts - 11

Stay on top of LastPass key performance metrics. Keep everyone in the know with integration with Slack, PagerDuty and more.

Shared folder deleted

A LastPass shared folder was deleted. Shared folders contain credentials for shared resources, usually used by multiple members and teams.
Impact: Once a shared folder is deleted, users lose access to the stored credentials, which can disrupt business operations and access to important resources.
Mitigation: Validate the legitimacy of this activity.
MITRE Tactic: TA0006 MITRE Technique: T1555 MITRE Sub-Technique: 005

A user was removed from a shared folder

A user was removed from a shared folder. Shared folders contain credentials for shared resources, usually used by multiple members and teams.
Impact: The user might lose access to credentials that are required for their day-to-day work.
Mitigation: Validate the legitimacy of this activity. If needed, re-add the user to the relevant folder.
MITRE Tactic: TA0006 MITRE Technique: T1555 MITRE Sub-Technique: 005

User added to a shared folder

A user was added to a shared folder.
Impact: In case of a misconfiguration or malicious action, the user gains access to credentials they should not have.
Mitigation: Validate the legitimacy of this activity with the adding user / admin. If needed, remove the user from the relevant folder.
MITRE Tactic: TA0006 MITRE Technique: T1555 MITRE Sub-Technique: 005

A shared folder was created

A new shared folder was created. Shared folders contain credentials for shared resources, usually used by multiple members and teams.
Impact: A new shared folder can share credentials between different team members and users. This is usually a benign action, but it should be verified because it can expose sensitive credentials to additional users.
Mitigation: Validate the legitimacy of this activity with the creating user / admin. If needed, remove the folder.
MITRE Tactic: TA0006 MITRE Technique: T1555 MITRE Sub-Technique: 005

User connected from multiple IP addresses

Connection from multiple IP addresses by the same user was observed. This means a single user authenticated to LastPass from multiple IP addresses over a short period of time. This can indicate one of a few possibilities:
1. The user is traveling.
2. The user's credentials were compromised and an attacker is connecting from a different location than the user.
Impact: If the user's credentials were compromised, the malicious actor can gain access to sensitive data and credentials.
Mitigation: Validate with the user whether this activity was legitimate. If needed, temporarily block the relevant user and enforce a password change. Further investigate the actions of the user to discover any traces of malicious activity.
MITRE Tactic: TA0043 MITRE Technique: T1589 MITRE Sub-Technique: 001

Connection to admin console from multiple IP addresses

Connection from multiple IP addresses to the admin console by the same admin was observed. This means a single admin authenticated to LastPass from multiple IP addresses over a short period of time. This can indicate one of a few possibilities:
1. The admin is traveling.
2. The admin's credentials were compromised and an attacker is connecting from a different location.
Impact: A compromised admin credential is a worst-case scenario and, in the case of LastPass, can greatly damage the company, since the account holds credentials for many operational systems. This could severely cripple the organization's ability to function.
Mitigation: Validate with the admin whether this activity was legitimate. If needed, temporarily block the relevant admin and enforce a password change. Investigate the actions of the admin to discover any traces of additional malicious activity.
MITRE Tactic: TA0001 MITRE Technique: T1078

Admin privileges added to user

A newly added admin should be inspected and verified as legitimate.
Impact: An adversary will want to add themselves as an organizational admin to get full access to the LastPass credentials and effectively control the organization. Therefore it is recommended to inspect and verify any newly added admin.
Mitigation: Investigate the actions of the admin to discover any traces of additional malicious activity.
MITRE Tactic: TA0004 MITRE Technique: T1078 MITRE Sub-Technique: 004

Admin privileges removed from user

A removed admin should be inspected and verified as legitimate.
Impact: An adversary will want to remove an organization admin to revoke access and disrupt normal operations.
Mitigation: Verify that the removal operation and the admin performing it were legitimate.
MITRE Tactic: TA0040 MITRE Technique: T1531

Same user login attempts from multiple IPs

This alert detects login attempts that originated from multiple different IPs in a specific time frame (3 IPs in 2 hours in this alert). The alert can be fine-tuned according to the user's alerting needs and organizational policy.
Impact: Multiple login attempts from different IPs might indicate malicious activity by an attacker connecting from a different location, in parallel with the legitimate user.
Mitigation: Inspect the IP ranges and locations of the different IPs and validate with the user whether they are actually connecting in parallel. Advanced users might use VPNs or connect to their account from cloud machines, so this needs to be considered while investigating. If the user is not familiar with the second connection, investigate further, as it might indicate malicious activity.
MITRE Tactic: TA0001 MITRE Technique: T1078

Multiple users failed login from single IP address

This alert detects login attempts that originated from multiple different users in a specific time frame from a single IP address. The alert should be fine-tuned according to the user's alerting needs and organizational policy.
Impact: Multiple login attempts by different users from the same IP address might indicate malicious activity by an attacker.
Mitigation: Validate that there are no successful login attempts from those users. If there is a suspicion of a compromised user (or users), temporarily suspend the relevant user until further investigation is conducted.
MITRE Tactic: TA0001 MITRE Technique: T1078

No logs from LastPass

This rule detects if there are no logs in the last 36 hours for LastPass in the customer account. Note: this alert should be configured with the relevant app & subsystem.
Impact: Disabling logging is a tactic that adversaries might employ as part of various MITRE ATT&CK techniques to avoid detection, cover their tracks, or impede incident response investigations.
Mitigation: Address logging concerns to ensure comprehensive monitoring within the Coralogix SIEM system.
MITRE Tactic: TA0005 MITRE Technique: T1562
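The three threshold-based rules above ("Same user login attempts from multiple IPs", "Multiple users failed login from single IP address" and "No logs from LastPass") are all sliding-window counts over login events. The following is an added example, not code from the page or from Coralogix or LastPass: a small Python implementation of those three checks run over a constructed sample log. The pipe-delimited record layout, the field names and the sample values are assumptions for illustration, not LastPass's export format; the window and threshold defaults mirror the figures the page gives (3 IPs in 2 hours, 36 hours without logs) and a constructed 3-users-in-30-minutes threshold for the second rule, which the page leaves to local policy.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample login events, one per line: timestamp|user|ip|result
# (assumed layout for illustration, not the real LastPass event schema).
SAMPLE_LOG = """\
2024-05-01T08:00:00|alice@example.com|203.0.113.10|success
2024-05-01T08:30:00|alice@example.com|198.51.100.7|success
2024-05-01T09:15:00|alice@example.com|192.0.2.44|success
2024-05-01T09:20:00|bob@example.com|203.0.113.10|success
2024-05-01T12:00:00|carol@example.com|192.0.2.99|failed
2024-05-01T12:01:00|dave@example.com|192.0.2.99|failed
2024-05-01T12:02:00|erin@example.com|192.0.2.99|failed
2024-05-01T12:03:00|frank@example.com|192.0.2.99|failed
2024-05-01T15:00:00|bob@example.com|203.0.113.10|success
2024-05-02T08:00:00|alice@example.com|203.0.113.10|success
"""


def parse_events(text):
    """Parse the constructed log format into dicts sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "ip": ip, "result": result})
    events.sort(key=lambda e: e["ts"])
    return events


def _window_alerts(events, group_key, distinct_key, threshold, window):
    """Generic sliding-window rule: for each value of group_key, alert when the
    events seen within `window` contain at least `threshold` distinct values of
    distinct_key. Returns {group value: set of distinct values that tripped it}."""
    recent = defaultdict(deque)
    alerts = {}
    for e in events:
        q = recent[e[group_key]]
        q.append(e)
        # Drop events that fell out of the window relative to the newest one.
        while q and e["ts"] - q[0]["ts"] > window:
            q.popleft()
        distinct = {x[distinct_key] for x in q}
        if len(distinct) >= threshold:
            alerts.setdefault(e[group_key], set()).update(distinct)
    return alerts


def same_user_multiple_ips(events, min_ips=3, window=timedelta(hours=2)):
    """'Same user login attempts from multiple IPs': 3 IPs in 2 hours."""
    return _window_alerts(events, "user", "ip", min_ips, window)


def multiple_users_failed_from_ip(events, min_users=3, window=timedelta(minutes=30)):
    """'Multiple users failed login from single IP address'; threshold is an
    assumed local-policy value, as the page leaves it to tuning."""
    failed = [e for e in events if e["result"] == "failed"]
    return _window_alerts(failed, "ip", "user", min_users, window)


def successful_logins_from_ip(events, ip):
    """Triage helper for the rule above: the page's mitigation is to confirm the
    flagged users had no successful login, so list any successes from that IP."""
    return sorted({e["user"] for e in events
                   if e["ip"] == ip and e["result"] == "success"})


def logging_gap(events, now, max_gap=timedelta(hours=36)):
    """'No logs from LastPass': True when nothing has arrived within max_gap."""
    if not events:
        return True
    return now - events[-1]["ts"] > max_gap


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("user from multiple IPs:", same_user_multiple_ips(evs))
    print("multi-user failures:", multiple_users_failed_from_ip(evs))
    print("successes from 192.0.2.99:", successful_logins_from_ip(evs, "192.0.2.99"))
    print("logging gap at 2024-05-04:", logging_gap(evs, datetime(2024, 5, 4, 8)))
```

On the constructed data, alice trips the first rule (three distinct IPs between 08:00 and 09:15), bob does not (two logins from one IP), and 192.0.2.99 trips the second rule with four distinct users failing within three minutes and no successful login to cross-check. Adjusting `window` and `threshold` is the "fine-tuning" the page refers to; the deque keeps memory bounded per user or IP when the events are streamed rather than loaded at once.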

Integration

Learn more about Coralogix's out-of-the-box integration with LastPass in our documentation.
