topic Re: What is event id in last pass data? in All Apps and Add-ons

What is event id in last pass data?

tprz — Wed, 29 Jan 2020 17:29:41 GMT

I'm seeing "event_id" fields in my last pass data that appears to be a random field.

I'm getting event_id values of Event1 through Event18 across data that is otherwise identical.
Neither of the lookups enrich this data. I'm wondering if anyone knows what this field is used for?

Re: What is event id in last pass data?

DalJeanis — Wed, 30 Sep 2020 04:01:06 GMT

Look at the input data, specifically the _raw field, and see if the values you are ending up with in Event_id are in the actual data or not. If you can give more detailed examples, without showing us anything proprietary, then we can help you more.

Re: What is event id in last pass data?

tprz — Wed, 30 Sep 2020 03:59:37 GMT

Example event

Action: Log in
Data: whatever.com
IP_Address: 10.10.10.10
Time: 2050-12-06 18:44:72
Username: user@spaghetti.com
event_id: Event5

Re: What is event id in last pass data?

tprz — Mon, 03 Feb 2020 19:11:12 GMT

in the raw json

"event_id": "Event5"

Re: What is event id in last pass data?

hcanivel_splunk — Wed, 01 Jul 2020 22:44:52 GMT

Hello @tprz!

Unfortunately, LastPass doesn't do a great job of providing much information in their API spec doc. The event id, from what I've surmised is effectively a basic, iterated sequential count-based id generated from the reporting command API call, based on whatever parameters you've provided in the request.

The pros/cons from my perspective developing against the API, given the current restraints:

+ You can easily identify a missing event in the sequence (from 0 .. N, where N is the length of the "Data" field in the response)

+ Should be easy to identify how many events per call (once you apply some decent SPL to extract the count number)

- This Event id has no relation whatsoever to the actual payload

- Unfortunately, this event id isn't truly unique (in other data sources, this should be either a UUID or some sort of derivative hash of the event)

Take it for what's worth though. I didn't feel I should fix/customize for a better event id in the event the vendor updates their event API (and my code would break). I figured get the data out efficiently for those who prefer a TA option.

Hope this explanation helps!

Re: What is event id in last pass data?

lewisk03 — Wed, 27 Apr 2022 20:56:10 GMT

I know this is an older thread, is it possible to look into fix/customize of the TA for LastPass to drop duplicate events like this? We see the same issue and for example, 253 event logs for one single event. Apparently because the event id is different for each log, that is why there are multiple logs, but we only need to see one of these.

Re: What is event id in last pass data?

lewisk03 — Mon, 02 May 2022 17:25:28 GMT

@hcanivel_splunk

Re: What is event id in last pass data?

hcanivel_splunk — Tue, 10 May 2022 20:17:10 GMT

Hi @lewisk03 !

Feel free to PR into the project. I've cleared it internally for open-source contributions: https://github.com/splunk/TA-lastpass

Basically, the eventid isn't really an eventid at all; it's more of an event or queue item counter from the event query REST call based off of the time parameter in your query.

I've struggled with this when I first designed and developed the original code, but I've never come to grips on how to best capture these events and the "meta" data and minimizing transforming the raw data set itself. My happy compromise is to introduce critical fields I think are missing or reformat values that may break analysis but to not change the original, fundamental data set.

I would highly recommend you reach out to LastPass and encourage them to update their API resources (data set) to improve data quality.

I don't think these are the ideal responses you're looking for, but hopefully you can take value in what I'm sharing back. Cheers!