Bitwarden (#5368)

amee-sumo · JV0812 · ankitgoelcmu · web-flow · commit 037dcb065f57 · 2025-05-13T16:38:34.000Z
* Bitwarden (Apps)

* Delete 2025-05-12-apps.md

* Update bitwarden.md

* minor fix

* minor fix

* Update bitwarden.md

---------

Co-authored-by: Jagadisha V &lt;129049263+JV0812@users.noreply.github.com&gt;
Co-authored-by: Ankit Goel &lt;ankitgoelcmu@users.noreply.github.com&gt;
diff --git a/blog-service/2025-05-13-apps.md b/blog-service/2025-05-13-apps.md
@@ -0,0 +1,12 @@
+---
+title: Bitwarden (Apps)
+image: https://help.sumologic.com/img/sumo-square.png
+keywords:
+  - apps
+  - bitwarden
+hide_table_of_contents: true    
+---
+
+import useBaseUrl from '@docusaurus/useBaseUrl';
+
+We're excited to introduce the new Bitwarden app for Sumo Logic. This app enables threat detection and identification of high-risk events such as vault exports or SSO deactivation, supporting continuous monitoring and accelerating incident response for credential and secret management workflows. [Learn more](/docs/integrations/saas-cloud/bitwarden).
diff --git a/cid-redirects.json b/cid-redirects.json
@@ -1637,6 +1637,7 @@
   "/cid/6025": "/docs/integrations/saas-cloud/cisco-vulnerability-management",
   "/cid/6026": "/docs/integrations/saas-cloud/sumo-collection",
   "/cid/6027": "/docs/integrations/saas-cloud/sysdig-secure",
+  "/cid/6028": "/docs/integrations/saas-cloud/bitwarden",
   "/cid/10112": "/docs/integrations/app-development/jfrog-xray",
   "/cid/10113": "/docs/observability/root-cause-explorer",
   "/cid/10116": "/docs/manage/fields",
diff --git a/docs/integrations/product-list/product-list-a-l.md b/docs/integrations/product-list/product-list-a-l.md
@@ -129,7 +129,7 @@ For descriptions of the different types of integrations Sumo Logic offers, see [
 |  <img src={useBaseUrl('img/integrations/security-threat-detection/barracuda.png')} alt="Thumbnail icon" width="100"/>   | [Barracuda WAF](https://www.barracuda.com/products/application-protection/web-application-firewall)  | 	App: [Barracuda WAF](/docs/integrations/security-threat-detection/barracuda-waf/)	<br/>Partner integration: [Barracuda CloudGen Firewall](https://campus.barracuda.com/product/cloudgenfirewall/doc/91132156/sumo-logic-integration/) |
 |  <img src={useBaseUrl('img/integrations/misc/bettercloud-logo.png')} alt="Thumbnail icon" width="75"/>   | [BetterCloud](https://www.bettercloud.com/)  | Partner integration:	[BetterCloud](https://support.bettercloud.com/s/article/Integrating-Sumo-Logic-with-BetterCloud-bc45575)	 |
 |  <img src={useBaseUrl('img/integrations/app-development/bitbucket.png')} alt="Thumbnail icon" width="50"/>   | [Bitbucket](https://bitbucket.org/product)  | App:	[Bitbucket](/docs/integrations/app-development/bitbucket/)	 |
-| <img src={useBaseUrl('img/integrations/security-threat-detection/bitwarden.png')} alt="Thumbnail icon" width="100"/>  | [Bitwarden](https://bitwarden.com/) | Collector: [Bitwarden Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/bitwarden-source) |
+| <img src={useBaseUrl('img/integrations/security-threat-detection/bitwarden.png')} alt="Thumbnail icon" width="100"/>  | [Bitwarden](https://bitwarden.com/) | App: [Bitwarden](/docs/integrations/saas-cloud/bitwarden/) <br/>Collector: [Bitwarden Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/bitwarden-source) |
 |  <img src={useBaseUrl('img/integrations/misc/bitdefender-logo.png')} alt="Thumbnail icon" width="75"/>   | [Bitdefender](https://www.bitdefender.com/)  | Automation integration: [Bitdefender GravityZone](/docs/platform-services/automation-service/app-central/integrations/bitdefender-gravityzone/) <br/>Cloud SIEM integration: [Bitdefender](https://github.com/SumoLogic/cloud-siem-content-catalog/blob/master/vendors/04de471f-70b0-4ffb-89a9-f094ef242248.md) <br/>Partner integration:	[Bitdefender](https://www.bitdefender.com/business/support/en/77209-158570-sumo-logic.html) |
 | <img src={useBaseUrl('img/platform-services/automation-service/app-central/logos/bitsight-security-performance-management.png')} alt="Thumbnail icon" width="75"/> | [BitSight](https://www.bitsight.com/) | Automation integration: [BitSight Security Performance Management](/docs/platform-services/automation-service/app-central/integrations/bitsight-security-performance-management/) |
 | <img src={useBaseUrl('img/integrations/misc/blackberry-logo.png')} alt="Thumbnail icon" width="100"/> | [Blackberry](https://www.blackberry.com/us/en) | App: [Cylance](/docs/integrations/security-threat-detection/cylance/) <br/>Automation integration: [Cylance Protect](/docs/platform-services/automation-service/app-central/integrations/cylanceprotect/) <br/>Cloud SIEM integrations: <br/>- [Blackberry](https://github.com/SumoLogic/cloud-siem-content-catalog/blob/master/vendors/ac6a961b-590c-4dd4-8402-56f4a4cddd98.md) <br/>- [Cylance](https://github.com/SumoLogic/cloud-siem-content-catalog/blob/master/vendors/c57feda1-8da4-464d-b6cf-2c9982b71e57.md) |
diff --git a/docs/integrations/saas-cloud/bitwarden.md b/docs/integrations/saas-cloud/bitwarden.md
@@ -0,0 +1,126 @@
+---
+id: bitwarden
+title: Bitwarden
+sidebar_label: Bitwarden
+description: The Bitwarden app for Sumo Logic helps monitor and accelerate incident response in credential and secret management workflows.
+---
+
+import useBaseUrl from '@docusaurus/useBaseUrl';
+
+<img src={useBaseUrl('img/integrations/security-threat-detection/bitwarden.png')} alt="thumbnail icon" width="125"/>
+
+The Sumo Logic app for Bitwarden provides comprehensive visibility into user activity, security events, and administrative changes within your Bitwarden environment. It enables security analysts to track key actions such as user logins, failed two-step verifications, master password resets, and decryption key migrations. The app includes contextual data—like IP addresses, device types, and geolocation—to help detect suspicious behavior and potential threats. Visualizations such as event trends and geo heatmaps reveal usage patterns and regional access anomalies.
+
+A major strength of the app is its ability to highlight high-risk activities through event summaries and filtered views of critical actions, such as vault exports or SSO deactivation. It also includes preconfigured alerts to proactively detect security threats like data exfiltration, account compromise, or policy violations.
+
+:::info
+This app includes [built-in monitors](#bitwarden-monitors). For details on creating custom monitors, refer to the [Create monitors for Bitwarden app](#create-monitors-for-bitwarden-app).
+:::
+
+## Log types
+
+This app uses Sumo Logic’s [Bitwarden Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/bitwarden-source/) to collect the [event logs](https://bitwarden.com/help/event-logs/) from the Bitwarden platform.
+
+### Sample log messages
+
+```json title="Event Log"
+{
+  "actingUserEmail": "frank@acoojoravi.com",
+  "actingUserId": "9aaa2aeb-6cf1-48a0-8e2e-b28e015b71d6",
+  "actingUserName": "frank",
+  "date": "2025-04-23T22:42:44-0700226Z",
+  "device": 9,
+  "deviceName": "ChromeBrowser",
+  "groupId": null,
+  "groupName": "",
+  "installationId": null,
+  "ipAddress": "103.149.48.189",
+  "itemId": null,
+  "memberId": null,
+  "object": "event",
+  "policyId": null,
+  "secretId": null,
+  "serviceAccountId": null,
+  "type": 1009,
+  "typeName": "Created_item_item-identifier"
+}
+```
+
+### Sample queries
+
+```sql title="Event Breakdown"
+_sourceCategory=Labs/bitwarden
+| json "actingUserName", "date", "object", "type", "typeName", "ipAddress","deviceName","actingUserEmail" as user_name, date, object, event_code, event_name, ip, device_name, user_email
+| lookup event_name from https://sumologic-app-data.s3.us-east-1.amazonaws.com/bitwarden_events.csv on event_code=event_code
+| lookup latitude, longitude,country_name, country_code from geo://location on ip = ip
+
+
+| count by event_name 
+| sort by _count
+```
+
+## Collection configuration and app installation
+
+import CollectionConfiguration from '../../reuse/apps/collection-configuration.md';
+
+<CollectionConfiguration/>
+
+:::important
+Use the [Cloud-to-Cloud Integration for Bitwarden](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/bitwarden-source/) to create the source and use the same source category while installing the app. By following these steps, you can ensure that your Bitwarden app is properly integrated and configured to collect and analyze your Bitwarden data.
+:::
+
+### Create a new collector and install the app
+
+import AppCollectionOPtion1 from '../../reuse/apps/app-collection-option-1.md';
+
+<AppCollectionOPtion1/>
+
+### Use an existing collector and install the app
+
+import AppCollectionOPtion2 from '../../reuse/apps/app-collection-option-2.md';
+
+<AppCollectionOPtion2/>
+
+### Use an existing source and install the app
+
+import AppCollectionOPtion3 from '../../reuse/apps/app-collection-option-3.md';
+
+<AppCollectionOPtion3/>
+
+## Viewing the Bitwarden dashboards​​
+
+import ViewDashboards from '../../reuse/apps/view-dashboards.md';
+
+<ViewDashboards/>
+
+### Security
+
+The **Bitwarden - Security** dashboard offers security analysts a centralized view of critical user and system activity. It highlights high-risk events such as SSO disablement, master password resets, failed two-step verifications, and decryption key migrations. Visual tools like event timelines and geographic heatmaps help quickly identify anomalies. The dashboard also enforces security policies by flagging access from embargoed regions and tracking users who disable two-step login.
+
+Detailed login and invitation data supports monitoring of access patterns and potential insider threats. Each panel is optimized for real-time investigation and auditing, enhancing the ability to detect and respond to suspicious behavior. The dashboard improves visibility, accountability, and response time for security incidents in the Bitwarden.<br/><img src='https://sumologic-app-data-v2.s3.us-east-1.amazonaws.com/dashboards/Bitwarden/Bitwarden+-+Security.png' alt="Bitwarden-Security" />
+
+## Create monitors for Bitwarden app
+
+import CreateMonitors from '../../reuse/apps/create-monitors.md';
+
+<CreateMonitors/>
+
+### Bitwarden monitors
+
+| Name | Description | Trigger Type (Critical / Warning / MissingData) | Alert Condition | 
+|:--|:--|:--|:--|
+| `Events from Embargoed Geo Location` | This alert is triggered when a Bitwarden event is detected originating from a geo-location that is on an embargo list. This alert helps security teams detect potential violations of compliance policies or identify suspicious access attempts from high-risk regions. | Critical | Count > 0 |
+| `Exported Organization Vault` | This alert is triggered when a user exports the entire organization's vault data. This is a high-risk activity that could indicate potential data exfiltration or insider threat behavior and should be reviewed immediately by security personnel. | Critical | Count > 0 |
+| `Organization Disabled SSO` | This alert is triggered when the Single Sign-On (SSO) is disabled for the organization, which could reduce the security posture and increase the risk of unauthorized access. This alert ensures that administrators are immediately aware of any change that affects the organization’s authentication method. | Critical | Count > 0 |
+
+## Upgrading the Bitwarden app (Optional)
+
+import AppUpdate from '../../reuse/apps/app-update.md';
+
+<AppUpdate/>
+
+## Uninstalling the Bitwarden app (Optional)
+
+import AppUninstall from '../../reuse/apps/app-uninstall.md';
+
+<AppUninstall/>
diff --git a/docs/integrations/saas-cloud/index.md b/docs/integrations/saas-cloud/index.md
@@ -69,6 +69,12 @@ Learn about the Sumo Logic apps for SaaS and Cloud applications.
   <p>Gain insights into Automox events and audit data to enhance security monitoring, streamline endpoint management, and boost operational resilience.</p>
   </div>
 </div>
+<div className="box smallbox card">
+  <div className="container">
+  <a href="/docs/integrations/saas-cloud/bitwarden"><img src={useBaseUrl('img/integrations/security-threat-detection/bitwarden.png')} alt="bitwarden-icon.png" width="100" /><h4>Bitwarden</h4></a>
+  <p>Gain insights into user activity, security events, and administrative changes within your Bitwarden environment.</p>
+  </div>
+</div>
 <div className="box smallbox card">
   <div className="container">
   <a href="/docs/integrations/saas-cloud/box"><img src={useBaseUrl('img/integrations/saas-cloud/box.png')} alt="icon" width="80"/><h4>Box</h4></a>
diff --git a/sidebars.ts b/sidebars.ts
@@ -2526,6 +2526,7 @@ integrations: [
           'integrations/saas-cloud/asana',
           'integrations/saas-cloud/atlassian',
           'integrations/saas-cloud/automox',
+          'integrations/saas-cloud/bitwarden',
           'integrations/saas-cloud/box',
           'integrations/saas-cloud/cato-networks',
           'integrations/saas-cloud/cisco-amp',
