HELP FILE

Which event types are available for user activity in general reports in the new Admin Console?

LastPass admins can create user activity reports in the new Admin Console that includes various event types, and additional information.

User activity event types

  • Add to shared folder
  • Created LastPass account
  • Created shared folder
  • Data export
  • Data import
  • Data printed
  • Delete shared folder
  • Deleted sites
  • Disabled Google Authenticator
  • Disabled Grid
  • Disabled Microsoft Authenticated
  • Disabled Multifactor Authentication
  • Disabled Toopher
  • Disabled YubiKey
  • Edit secure note
  • Failed login attempt
  • Form filled
  • History cleared
  • Iterations changed
  • Log in
  • Login verification email sent
  • Master Password changed
  • Master Password reverted
  • Move from shared folder
  • Move to shared folder
  • Multifactor enabled
  • Open secure note
  • Password changed
  • Permanently deleted shared folder
  • Renamed shared folder
  • Restored shared folder
  • SAML login
  • Site added
  • Site deleted
  • Username changed

Additional information

By default, reporting events for individual sites password entries will only show the site’s domain (e.g. https://login.salesforce.com will only show as salesforce.com). When reporting events for a secure note, the log will only show “Secure Note”. By default, additional details such as the username are never sent to LastPass in an unencrypted format.

However, if your company needs additional levels of detail, the following policies can be enabled under Policies > General policies:

  • Log Full URL in reporting will show the entire URL in reports
  • Log item name in reporting will show the name of the item
  • Log username in reporting will show the username listed for the item
  • If the item is in a shared folder, reporting will indicate which shared folder it is located in by adding "from Shared Folder."
Example:

Using a stored site (https://login.salesforce.com) in a shared folder with all three polices listed above being enabled, the output would look like the following:

login.salesforce.com/ (john.smith@email.com) (Customer Support Salesforce login) from Support Logins

where:

  • login.salesforce.com/ is the Full URL
  • john.smith@email.com is the username
  • Customer Support SalesForce Login is the name of the item
  • Support Logins is the name of the shared folder