[LastPass] Change the default timezone to ET #5914

Merged
merged 2 commits into from
Apr 18, 2023


@bhapas bhapas commented Apr 18, 2023

What does this PR do?

This PR adds the default timezone to America/New-York as the LastPass API Doc mentions that All times should be represented in this time zone: US/Eastern.

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.

Related issues

Screenshots

lastpass.event.record.time reported as per ET time in event.original

@bhapas bhapas added bug Something isn't working, use only for issues Team:Security-External Integrations Integration:lastpass LastPass labels Apr 18, 2023
@bhapas bhapas self-assigned this Apr 18, 2023
@bhapas bhapas marked this pull request as ready for review April 18, 2023 21:21
@bhapas bhapas requested a review from a team as a code owner April 18, 2023 21:21
@elasticmachine

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

@bhapas bhapas changed the title Fix timezone to ET [LastPass] Change the default timezone to ET Apr 18, 2023
@elasticmachine

elasticmachine commented Apr 18, 2023

💚 Build Succeeded

Build stats

  • Start Time: 2023-04-18T21:39:59.824+0000

  • Duration: 16 min 44 sec

Test stats 🧪

Test Results
Failed 0
Passed 20
Skipped 0
Total 20

@elasticmachine

elasticmachine commented Apr 18, 2023

🌐 Coverage report

| Name | Metrics % (covered/total) | Diff |
| --- | --- | --- |
| Packages | 100.0% (3/3) | 💚 |
| Files | 100.0% (3/3) | 💚 |
| Classes | 100.0% (3/3) | 💚 |
| Methods | 100.0% (38/38) | 💚 |
| Lines | 93.962% (638/679) | 👎 -1.222 |
| Conditionals | 100.0% (0/0) | 💚 |

@bhapas bhapas requested a review from efd6 April 18, 2023 21:40
@bhapas bhapas merged commit 77ac80b into elastic:main Apr 18, 2023
@bhapas bhapas deleted the lastpass-timezone-issue branch April 18, 2023 22:13
@elasticmachine

Package lastpass - 1.1.1 containing this change is available at https://epr.elastic.co/search?package=lastpass

bhapas added a commit to bhapas/integrations that referenced this pull request Apr 19, 2023
* Fix timezone to ET

* Use US/Eastern timezone code
@LANopop

LANopop commented Apr 19, 2023

@bhapas FYI, LastPass are sending us the logs with CET timezone. No idea why, but I had to use a custom ingest pipeline to change that, so maybe it would be great to add an advanced option in the LastPass integration to make it easy to configure the timezone. Cheers

@bhapas
Contributor Author

bhapas commented Apr 19, 2023

@LANopop That's strange, as the API docs clearly say that the time is always in US/Eastern. Do you have example logs from your LastPass Integration? Curious to understand how and why this happens.

@LANopop

LANopop commented Apr 19, 2023

Here are some example logs we received. I know the timestamp is CET, because

  • I checked the logs in the LastPass admin interface and there they show the exact same thing.
  • In Elastic I could see that I am receiving logs from the future, because I guess you considered the logs before as UTC and the @timestamp field tried to show CET, which is +2 hours currently.
  • Compare the @timestamp field and the event.ingested and event.created fields.

Tried to talk with LastPass support, but no luck there.

{
  "_index": ".ds-logs-lastpass.event_report-lastpass-2023.03.31-000003",
  "_id": "xxx",
  "_version": 1,
  "_score": 0,
  "_source": {
    "elastic_agent": {
      "id": "xxx",
      "version": "8.6.2",
      "snapshot": false
    },
    "lastpass": {
      "event_report": {
        "data": {
          "original": "xxx",
          "login_site": "xxx"
        }
      }
    },
    "source": {
      
      "ip": "x.x.x.x"
    },
    "tags": [
      "preserve_original_event",
      "forwarded",
      "lastpass-event_report"
    ],
    "input": {
      "type": "httpjson"
    },
    "@timestamp": "2023-04-12T12:20:04.000Z",
    "ecs": {
      "version": "8.7.0"
    },
    "related": {
      "ip": [
        "xxx"
      ],
      "user": [
        "xxx"
      ]
    },
    "data_stream": {
      "namespace": "lastpass",
      "type": "logs",
      "dataset": "lastpass.event_report"
    },
    "event": {
      "agent_id_status": "verified",
      "ingested": "2023-04-12T10:30:36Z",
      "original": "{\"Action\":\"Log in\",\"Data\":\"xxx\",\"IP_Address\":\"x.x.x.x\",\"Time\":\"2023-04-12 12:20:04\",\"Username\":\"xxx\",\"id\":\"Event35\"}",
      "created": "2023-04-12T10:30:35.644Z",
      "kind": "event",
      "action": "log in",
      "category": [
        "authentication"
      ],
      "type": [
        "access"
      ],
      "dataset": "lastpass.event_report",
      "outcome": "success"
    },
    "user": {
      "email": [
        "xxx"
      ]
    }
  },
  "fields": {
    "event.category": [
      "authentication"
    ],
    "elastic_agent.version": [
      "8.6.2"
    ],
    "agent.type": [
      "filebeat"
    ],
    "event.module": [
      "lastpass"
    ],
    "related.ip": [
      "x.x.x.x"
    ],
    "user.email": [
      "xxx"
    ],
    "source.ip": [
      "x.x.x.x"
    ],
    "elastic_agent.snapshot": [
      false
    ],
    "lastpass.event_report.data.original": [
      "xxx"
    ],
    "event.agent_id_status": [
      "verified"
    ],
    "event.kind": [
      "event"
    ],
    "event.outcome": [
      "success"
    ],
    "lastpass.event_report.data.login_site": [
      "xxx"
    ],
    "event.original": [
      "{\"Action\":\"Log in\",\"Data\":\"xxx\",\"IP_Address\":\"x.x.x.x\",\"Time\":\"2023-04-12 12:20:04\",\"Username\":\"xxx\",\"id\":\"Event35\"}"
    ],
    "data_stream.namespace": [
      "lastpass"
    ],
    "source.geo.continent_name": [
      "Europe"
    ],
    "input.type": [
      "httpjson"
    ],
    "data_stream.type": [
      "logs"
    ],
    "tags": [
      "preserve_original_event",
      "forwarded",
      "lastpass-event_report"
    ],
    "related.user": [
      "xxx"
    ],
    "event.ingested": [
      "2023-04-12T10:30:36.000Z"
    ],
    "event.action": [
      "log in"
    ],
    "@timestamp": [
      "2023-04-12T12:20:04.000Z"
    ],
    "ecs.version": [
      "8.7.0"
    ],
    "data_stream.dataset": [
      "lastpass.event_report"
    ],
    "event.type": [
      "access"
    ],
    "event.created": [
      "2023-04-12T10:30:35.644Z"
    ],
    "agent.version": [
      "8.6.2"
    ],
    "event.dataset": [
      "lastpass.event_report"
    ]
  }
}
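
The check described in the comment above (comparing the parsed time against event.created to spot events "from the future"), written out as an added example; it is not code from this PR or from the integration. The candidate offsets, the `MAX_LAG` bound and the function names are assumptions, and the sample document is constructed from the fields shown above.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample: only the two fields the check needs, copied from the
# document posted above.
SAMPLE = {
    "event": {
        "created": "2023-04-12T10:30:35.644Z",
        "original": json.dumps(
            {"Action": "Log in", "Time": "2023-04-12 12:20:04", "id": "Event35"}
        ),
    }
}

# Assumption: UTC offsets in effect on 2023-04-12. Fixed offsets keep the
# example dependency-free; a real pipeline should use IANA zone names so that
# daylight-saving changes are handled.
CANDIDATES = {
    "UTC": timezone.utc,
    "US/Eastern (EDT)": timezone(timedelta(hours=-4)),
    "CET (CEST)": timezone(timedelta(hours=2)),
}

# Assumption: an event should reach the agent within an hour of occurring.
MAX_LAG = timedelta(hours=1)


def interpret(doc):
    """Return {zone: (event_time_utc, lag)} for each candidate zone.

    lag = event.created - interpreted event time; a negative lag means the
    event would have happened after the agent collected it.
    """
    raw = json.loads(doc["event"]["original"])["Time"]
    naive = datetime.strptime(raw, "%Y-%m-%d %H:%M:%S")
    created = datetime.fromisoformat(doc["event"]["created"].replace("Z", "+00:00"))
    result = {}
    for name, tz in CANDIDATES.items():
        event_utc = naive.replace(tzinfo=tz).astimezone(timezone.utc)
        result[name] = (event_utc, created - event_utc)
    return result


def plausible_zones(doc):
    """Zones under which the event is neither in the future nor too old."""
    return [
        name
        for name, (_, lag) in interpret(doc).items()
        if timedelta(0) <= lag <= MAX_LAG
    ]


if __name__ == "__main__":
    for zone, (ts, lag) in interpret(SAMPLE).items():
        print(f"{zone:18} -> {ts.isoformat()}  lag={lag}")
    print("plausible:", plausible_zones(SAMPLE))
```
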

@bhapas
Contributor Author

bhapas commented Apr 19, 2023

@LANopop This is very strange. Could you get in touch with Lastpass to understand this behaviour?

@LANopop

LANopop commented Apr 19, 2023

Yeah, I contacted them, but they went silent after a few back and forth and I said it's fine from my side, because I fixed it in Elastic.

@LANopop

LANopop commented Jul 10, 2023

Sorry to comment on this again, but I am not sure how to best report another issue for LastPass logs.
Since 29.06. I am seeing
event.kind:pipeline_error
error.message:Text '2023-07-10T08:35:07.605Z' could not be parsed at index 8
event.original:{"Action":"Log in","Data":"xxx","IP_Address":"1.2.3.4","Time":"2023-07-10 10:34:36","Username":"xxx@example.com","id":"Event2"}

Also the timestamp is off by multiple hours.

As mentioned before, our timestamp is sent in CET format, not in UTC.

Development

Successfully merging this pull request may close these issues.

[LastPass] @Timestamp is always picked as UTC when the default timezone is ET
4 participants