Generate LastPass Enterprise Reports
LastPass Enterprise offers extensive reporting to help you safeguard your organization’s data and build compliance. Available in the Admin Console, the Reports feature offers admins an audit trail that can also be exported to be shared with key stakeholders as needed.
User Activity report
While logged in to the Admin Console, select Reports from the left menu, where the User Activity tab provides a comprehensive log (up to 2 years of history) of every login event, passwords or username update, attempted or completed Form Fills, and deleted Sites by your LastPass Enterprise users. The logs include attempted (e.g., failed login attempts) and successful actions. The reports can be filtered by date range or user, and can be exported to Excel for back up or sharing with others.
- Use the drop-down menu to select a specific event type, or leave as-is to select All event types.
- Click the More icon then select Export report to generate a report (CSV format) with your selected filters.
- Click the More icon then select Events list to view a key explaining what each action designation means.
By default, reporting events for individual Sites will only show the Site’s domain (e.g. https://login.salesforce.com will only show as salesforce.com). When reporting events for a Secure Note, the log will only show “Secure Note”. By default, additional details such as the username are never sent to LastPass in an unencrypted format.
However, if your company needs additional levels of detail, the following policies can be enabled in the Policies tab in the Admin Console:
- Log Full URL in reporting will show the entire URL in reports
- Log item name in reporting will show the name of the item
- Log username in reporting will show the username listed for the item
- If the item is in a Shared Folder, reporting will indicate which Shared Folder it is located in by adding "from Shared Folder."
If all 3 polices are enabled, the output would look like the following:
login.salesforce.com/ (firstname.lastname@example.org) (Customer Support Salesforce login) from Support Logins
- login.salesforce.com/is the Full URL
- email@example.com is the username
- Customer Support SalesForce Login is the name of the item
- Support Logins is the name of the Shared Folder
Admin Activity report
The Admin Activity report provides a detailed breakdown of all administrative actions taken via the Admin Console, including the following:
- Create, delete, disable, or reactivate an employee account
- Reset a user's Master Password
- Add admin permissions to a user
- Remove a user from the company
- Add, delete, or edit policies
- Add, edit or delete User Groups
- Update policy users
A complete list of all actions and their designations can be found here. Please note that you must be actively logged in with a LastPass Enterprise or LastPass Identity account in order to view the full list of actions available.
Select Reports from the left menu, then click Security report for a summary of various critical user statuses, around which additional education or training may be warranted (e.g., Reused Master Passwords, Weak Security Challenge Scores, More than three duplicate passwords, etc.). The goal of this view-only report is to help optimize the use of LastPass among your end users to help improve the security of your company’s digital assets.
Additionally, you can set up to receive email notifications for these security statuses by navigating to Settings > Email Notifications > Add Notification > Configure.
Splunk Integration report
Take advantage of your existing Splunk account with the LastPass integration. With the Splunk integration in LastPass Enterprise it’s even easier for your IT team to collect data and manage reports in one central location — your Splunk Cloud account. To take advantage of this integration, you need a running Splunk Cloud instance with a configured Data Input as HTTP Event Collector.
You can set up the integration between LastPass and Splunk by configuring your Advanced Enterprise Options. Once your Splunk settings are configured, all available reporting events (e.g., login events, password changes, Form Fill attempts, etc.) will be passed to the Splunk Cloud, where you can then create custom User Activity reports using that data. This allows you to use the advanced functionality of Splunk to access and report on your LastPass Enterprise activity.