From 9eb595bd1a0a0e87beaa0922857c7aca2ad582ff Mon Sep 17 00:00:00 2001 
From: Dan Kortschak <90160302+efd6@users.noreply.github.com> Date: Thu, 23 Jun 2022 12:21:19 +0930 Subject: [PATCH] wintest: new package to provide support for winlogbeat ingest node pipeline testing (#31833) - powershell: fix regexp constraints in event 800 parameter detail processing - security: fix documentation - security: fix sidlist processing - security: fix access mask and access list processing --- CHANGELOG.next.asciidoc | 2 + NOTICE.txt | 422 + go.mod | 2 + go.sum | 4 + winlogbeat/_meta/fields.common.yml | 42 + winlogbeat/beater/winlogbeat.go | 6 +- winlogbeat/docs/fields.asciidoc | 74 + winlogbeat/include/fields.go | 2 +- winlogbeat/module/pipeline.go | 29 +- x-pack/winlogbeat/cmd/root.go | 5 +- x-pack/winlogbeat/magefile.go | 72 +- x-pack/winlogbeat/module/.gitignore | 1 + x-pack/winlogbeat/module/pipeline.go | 2 +- .../module/powershell/ingest/powershell.yml | 2 +- .../powershell/test/powershell_ingest_test.go | 29 + .../test/testdata/ingest/400.golden.json | 230 + .../test/testdata/ingest/403.golden.json | 234 + .../test/testdata/ingest/4103.golden.json | 240 + .../test/testdata/ingest/4104.golden.json | 119 + .../test/testdata/ingest/4105.golden.json | 56 + .../test/testdata/ingest/4106.golden.json | 56 + .../test/testdata/ingest/600.golden.json | 171 + .../test/testdata/ingest/800.golden.json | 375 + .../module/security/ingest/security.yml | 111 +- .../security/test/security_ingest_test.go | 29 + .../test/testdata/ingest/1100.golden.json | 50 + .../test/testdata/ingest/1102.golden.json | 71 + .../test/testdata/ingest/1104.golden.json | 50 + .../test/testdata/ingest/1105.golden.json | 55 + .../ingest/4670_WindowsSrv2016.golden.json | 87 + .../ingest/4706_WindowsSrv2016.golden.json | 79 + .../ingest/4707_WindowsSrv2016.golden.json | 71 + .../ingest/4713_WindowsSrv2016.golden.json | 71 + .../ingest/4716_WindowsSrv2016.golden.json | 79 + .../ingest/4717_WindowsSrv2016.golden.json | 74 + .../ingest/4718_WindowsSrv2016.golden.json | 74 + 
.../test/testdata/ingest/4719.golden.json | 82 + .../ingest/4719_WindowsSrv2016.golden.json | 81 + .../ingest/4739_WindowsSrv2016.golden.json | 78 + .../test/testdata/ingest/4741.golden.json | 109 + .../test/testdata/ingest/4742.golden.json | 107 + .../test/testdata/ingest/4743.golden.json | 81 + .../test/testdata/ingest/4744.golden.json | 81 + .../test/testdata/ingest/4745.golden.json | 81 + .../test/testdata/ingest/4746.golden.json | 91 + .../test/testdata/ingest/4747.golden.json | 91 + .../test/testdata/ingest/4748.golden.json | 79 + .../test/testdata/ingest/4749.golden.json | 81 + .../test/testdata/ingest/4750.golden.json | 81 + .../test/testdata/ingest/4751.golden.json | 91 + .../test/testdata/ingest/4752.golden.json | 91 + .../test/testdata/ingest/4753.golden.json | 79 + .../test/testdata/ingest/4759.golden.json | 81 + .../test/testdata/ingest/4760.golden.json | 81 + .../test/testdata/ingest/4761.golden.json | 91 + .../test/testdata/ingest/4762.golden.json | 91 + .../test/testdata/ingest/4763.golden.json | 79 + .../ingest/4817_WindowsSrv2016.golden.json | 79 + .../ingest/4902_WindowsSrv2016.golden.json | 56 + .../ingest/4904_WindowsSrv2016.golden.json | 79 + .../ingest/4905_WindowsSrv2016.golden.json | 79 + .../ingest/4906_WindowsSrv2016.golden.json | 55 + .../ingest/4907_WindowsSrv2016.golden.json | 82 + .../ingest/4908_WindowsSrv2016.golden.json | 62 + .../security-windows2012_4673.golden.json | 79 + .../security-windows2012_4674.golden.json | 89 + .../security-windows2012_4697.golden.json | 81 + .../security-windows2012_4698.golden.json | 73 + .../security-windows2012_4699.golden.json | 73 + .../security-windows2012_4700.golden.json | 73 + .../security-windows2012_4701.golden.json | 73 + .../security-windows2012_4702.golden.json | 73 + .../security-windows2012_4768.golden.json | 89 + .../security-windows2012_4769.golden.json | 87 + .../security-windows2012_4770.golden.json | 82 + .../security-windows2012_4771.golden.json | 84 + 
.../security-windows2012_4776.golden.json | 69 + .../security-windows2012_4778.golden.json | 78 + .../security-windows2012_4779.golden.json | 78 + .../security-windows2012r2-logon.golden.json | 1623 ++ .../security-windows2016-4672.golden.json | 81 + .../security-windows2016-logoff.golden.json | 140 + ...ndows2016_4720_Account_Created.golden.json | 212 + ...ndows2016_4722_Account_Enabled.golden.json | 158 + ...ndows2016_4723_Password_Change.golden.json | 158 + ...indows2016_4724_Password_Reset.golden.json | 158 + ...dows2016_4725_Account_Disabled.golden.json | 158 + ...ndows2016_4726_Account_Deleted.golden.json | 160 + .../security-windows2016_4727.golden.json | 81 + .../security-windows2016_4728.golden.json | 90 + .../security-windows2016_4729.golden.json | 90 + .../security-windows2016_4730.golden.json | 79 + .../security-windows2016_4731.golden.json | 81 + .../security-windows2016_4732.golden.json | 90 + .../security-windows2016_4733.golden.json | 90 + .../security-windows2016_4734.golden.json | 79 + .../security-windows2016_4735.golden.json | 81 + .../security-windows2016_4737.golden.json | 81 + ...ndows2016_4738_Account_Changed.golden.json | 210 + ...ws2016_4740_Account_Locked_Out.golden.json | 80 + .../security-windows2016_4754.golden.json | 81 + .../security-windows2016_4755.golden.json | 81 + .../security-windows2016_4756.golden.json | 90 + .../security-windows2016_4757.golden.json | 90 + .../security-windows2016_4758.golden.json | 79 + .../security-windows2016_4764.golden.json | 80 + ...dows2016_4767_Account_Unlocked.golden.json | 80 + ...ndows2016_4781_Account_Renamed.golden.json | 166 + .../security-windows2016_4798.golden.json | 82 + .../security-windows2016_4799.golden.json | 81 + .../security-windows2016_4964.golden.json | 154 + ...ndows2019_4688_Process_Created.golden.json | 97 + ...indows2019_4689_Process_Exited.golden.json | 221 + .../module/sysmon/test/sysmon_ingest_test.go | 37 + .../ingest/sysmon-10.2-dns.golden.json | 19511 ++++++++++++++++ 
.../ingest/sysmon-11-filedelete.golden.json | 251 + .../sysmon-11-filedeletedetected.golden.json | 164 + .../ingest/sysmon-11-registry.golden.json | 367 + .../ingest/sysmon-12-loadimage.golden.json | 100 + .../sysmon-12-processcreate.golden.json | 106 + .../sysmon-13-clipboardchange.golden.json | 73 + .../sysmon-13-processtampering.golden.json | 60 + .../testdata/ingest/sysmon-9.01.golden.json | 2473 ++ x-pack/winlogbeat/module/testing.go | 334 + x-pack/winlogbeat/module/testing_windows.go | 160 +- x-pack/winlogbeat/module/wintest/doc.go | 6 + x-pack/winlogbeat/module/wintest/docker.go | 153 + .../winlogbeat/module/wintest/docker_test.go | 127 + x-pack/winlogbeat/module/wintest/simulate.go | 282 + .../module/wintest/simulate_test.go | 156 + .../module/wintest/testdata/400.evtx.json | 138 + .../module/wintest/testdata/403.evtx.json | 138 + .../module/wintest/testdata/600.evtx.json | 104 + .../winlogbeat/module/wintest/testdata/README | 3 + 134 files changed, 36447 insertions(+), 214 deletions(-) create mode 100644 x-pack/winlogbeat/module/.gitignore create mode 100644 x-pack/winlogbeat/module/powershell/test/powershell_ingest_test.go create mode 100644 x-pack/winlogbeat/module/powershell/test/testdata/ingest/400.golden.json create mode 100644 x-pack/winlogbeat/module/powershell/test/testdata/ingest/403.golden.json create mode 100644 x-pack/winlogbeat/module/powershell/test/testdata/ingest/4103.golden.json create mode 100644 x-pack/winlogbeat/module/powershell/test/testdata/ingest/4104.golden.json create mode 100644 x-pack/winlogbeat/module/powershell/test/testdata/ingest/4105.golden.json create mode 100644 x-pack/winlogbeat/module/powershell/test/testdata/ingest/4106.golden.json create mode 100644 x-pack/winlogbeat/module/powershell/test/testdata/ingest/600.golden.json create mode 100644 x-pack/winlogbeat/module/powershell/test/testdata/ingest/800.golden.json create mode 100644 x-pack/winlogbeat/module/security/test/security_ingest_test.go create mode 100644 
x-pack/winlogbeat/module/security/test/testdata/ingest/1100.golden.json create mode 100644 x-pack/winlogbeat/module/security/test/testdata/ingest/1102.golden.json create mode 100644 x-pack/winlogbeat/module/security/test/testdata/ingest/1104.golden.json create mode 100644 x-pack/winlogbeat/module/security/test/testdata/ingest/1105.golden.json create mode 100644 x-pack/winlogbeat/module/security/test/testdata/ingest/4670_WindowsSrv2016.golden.json create mode 100644 x-pack/winlogbeat/module/security/test/testdata/ingest/4706_WindowsSrv2016.golden.json create mode 100644 x-pack/winlogbeat/module/security/test/testdata/ingest/4707_WindowsSrv2016.golden.json create mode 100644 x-pack/winlogbeat/module/security/test/testdata/ingest/4713_WindowsSrv2016.golden.json create mode 100644 x-pack/winlogbeat/module/security/test/testdata/ingest/4716_WindowsSrv2016.golden.json create mode 100644 x-pack/winlogbeat/module/security/test/testdata/ingest/4717_WindowsSrv2016.golden.json create mode 100644 x-pack/winlogbeat/module/security/test/testdata/ingest/4718_WindowsSrv2016.golden.json create mode 100644 x-pack/winlogbeat/module/security/test/testdata/ingest/4719.golden.json create mode 100644 x-pack/winlogbeat/module/security/test/testdata/ingest/4719_WindowsSrv2016.golden.json create mode 100644 x-pack/winlogbeat/module/security/test/testdata/ingest/4739_WindowsSrv2016.golden.json create mode 100644 x-pack/winlogbeat/module/security/test/testdata/ingest/4741.golden.json create mode 100644 x-pack/winlogbeat/module/security/test/testdata/ingest/4742.golden.json create mode 100644 x-pack/winlogbeat/module/security/test/testdata/ingest/4743.golden.json create mode 100644 x-pack/winlogbeat/module/security/test/testdata/ingest/4744.golden.json create mode 100644 x-pack/winlogbeat/module/security/test/testdata/ingest/4745.golden.json create mode 100644 x-pack/winlogbeat/module/security/test/testdata/ingest/4746.golden.json create mode 100644 
x-pack/winlogbeat/module/security/test/testdata/ingest/4747.golden.json create mode 100644 x-pack/winlogbeat/module/security/test/testdata/ingest/4748.golden.json create mode 100644 x-pack/winlogbeat/module/security/test/testdata/ingest/4749.golden.json create mode 100644 x-pack/winlogbeat/module/security/test/testdata/ingest/4750.golden.json create mode 100644 x-pack/winlogbeat/module/security/test/testdata/ingest/4751.golden.json create mode 100644 x-pack/winlogbeat/module/security/test/testdata/ingest/4752.golden.json create mode 100644 x-pack/winlogbeat/module/security/test/testdata/ingest/4753.golden.json create mode 100644 x-pack/winlogbeat/module/security/test/testdata/ingest/4759.golden.json create mode 100644 x-pack/winlogbeat/module/security/test/testdata/ingest/4760.golden.json create mode 100644 x-pack/winlogbeat/module/security/test/testdata/ingest/4761.golden.json create mode 100644 x-pack/winlogbeat/module/security/test/testdata/ingest/4762.golden.json create mode 100644 x-pack/winlogbeat/module/security/test/testdata/ingest/4763.golden.json create mode 100644 x-pack/winlogbeat/module/security/test/testdata/ingest/4817_WindowsSrv2016.golden.json create mode 100644 x-pack/winlogbeat/module/security/test/testdata/ingest/4902_WindowsSrv2016.golden.json create mode 100644 x-pack/winlogbeat/module/security/test/testdata/ingest/4904_WindowsSrv2016.golden.json create mode 100644 x-pack/winlogbeat/module/security/test/testdata/ingest/4905_WindowsSrv2016.golden.json create mode 100644 x-pack/winlogbeat/module/security/test/testdata/ingest/4906_WindowsSrv2016.golden.json create mode 100644 x-pack/winlogbeat/module/security/test/testdata/ingest/4907_WindowsSrv2016.golden.json create mode 100644 x-pack/winlogbeat/module/security/test/testdata/ingest/4908_WindowsSrv2016.golden.json create mode 100644 x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012_4673.golden.json create mode 100644 
x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012_4674.golden.json create mode 100644 x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012_4697.golden.json create mode 100644 x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012_4698.golden.json create mode 100644 x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012_4699.golden.json create mode 100644 x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012_4700.golden.json create mode 100644 x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012_4701.golden.json create mode 100644 x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012_4702.golden.json create mode 100644 x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012_4768.golden.json create mode 100644 x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012_4769.golden.json create mode 100644 x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012_4770.golden.json create mode 100644 x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012_4771.golden.json create mode 100644 x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012_4776.golden.json create mode 100644 x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012_4778.golden.json create mode 100644 x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012_4779.golden.json create mode 100644 x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012r2-logon.golden.json create mode 100644 x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016-4672.golden.json create mode 100644 x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016-logoff.golden.json create mode 100644 
x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4720_Account_Created.golden.json create mode 100644 x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4722_Account_Enabled.golden.json create mode 100644 x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4723_Password_Change.golden.json create mode 100644 x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4724_Password_Reset.golden.json create mode 100644 x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4725_Account_Disabled.golden.json create mode 100644 x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4726_Account_Deleted.golden.json create mode 100644 x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4727.golden.json create mode 100644 x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4728.golden.json create mode 100644 x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4729.golden.json create mode 100644 x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4730.golden.json create mode 100644 x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4731.golden.json create mode 100644 x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4732.golden.json create mode 100644 x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4733.golden.json create mode 100644 x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4734.golden.json create mode 100644 x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4735.golden.json create mode 100644 x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4737.golden.json create mode 100644 x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4738_Account_Changed.golden.json 
create mode 100644 x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4740_Account_Locked_Out.golden.json create mode 100644 x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4754.golden.json create mode 100644 x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4755.golden.json create mode 100644 x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4756.golden.json create mode 100644 x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4757.golden.json create mode 100644 x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4758.golden.json create mode 100644 x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4764.golden.json create mode 100644 x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4767_Account_Unlocked.golden.json create mode 100644 x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4781_Account_Renamed.golden.json create mode 100644 x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4798.golden.json create mode 100644 x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4799.golden.json create mode 100644 x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4964.golden.json create mode 100644 x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2019_4688_Process_Created.golden.json create mode 100644 x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2019_4689_Process_Exited.golden.json create mode 100644 x-pack/winlogbeat/module/sysmon/test/sysmon_ingest_test.go create mode 100644 x-pack/winlogbeat/module/sysmon/test/testdata/ingest/sysmon-10.2-dns.golden.json create mode 100644 x-pack/winlogbeat/module/sysmon/test/testdata/ingest/sysmon-11-filedelete.golden.json create mode 100644 
x-pack/winlogbeat/module/sysmon/test/testdata/ingest/sysmon-11-filedeletedetected.golden.json create mode 100644 x-pack/winlogbeat/module/sysmon/test/testdata/ingest/sysmon-11-registry.golden.json create mode 100644 x-pack/winlogbeat/module/sysmon/test/testdata/ingest/sysmon-12-loadimage.golden.json create mode 100644 x-pack/winlogbeat/module/sysmon/test/testdata/ingest/sysmon-12-processcreate.golden.json create mode 100644 x-pack/winlogbeat/module/sysmon/test/testdata/ingest/sysmon-13-clipboardchange.golden.json create mode 100644 x-pack/winlogbeat/module/sysmon/test/testdata/ingest/sysmon-13-processtampering.golden.json create mode 100644 x-pack/winlogbeat/module/sysmon/test/testdata/ingest/sysmon-9.01.golden.json create mode 100644 x-pack/winlogbeat/module/testing.go create mode 100644 x-pack/winlogbeat/module/wintest/doc.go create mode 100644 x-pack/winlogbeat/module/wintest/docker.go create mode 100644 x-pack/winlogbeat/module/wintest/docker_test.go create mode 100644 x-pack/winlogbeat/module/wintest/simulate.go create mode 100644 x-pack/winlogbeat/module/wintest/simulate_test.go create mode 100644 x-pack/winlogbeat/module/wintest/testdata/400.evtx.json create mode 100644 x-pack/winlogbeat/module/wintest/testdata/403.evtx.json create mode 100644 x-pack/winlogbeat/module/wintest/testdata/600.evtx.json create mode 100644 x-pack/winlogbeat/module/wintest/testdata/README diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index 38bea40ef795..6d131e80660f 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -71,6 +71,8 @@ https://github.com/elastic/beats/compare/v8.2.0\...main[Check the HEAD diff] *Winlogbeat* - Sysmon: Drop fields with "-" value (unset) {pull}31556[31556] +- Powershell: Fix processing of parameter details. {pull}31833[31833] +- Security: Fix processing of sidlist, access list and access mask. {pull}31833[31833] *Functionbeat* diff --git a/NOTICE.txt b/NOTICE.txt index 4b6001ac9c76..3445d8e37620 100644 --- a/NOTICE.txt 
+++ b/NOTICE.txt 
@@ -6912,6 +6912,217 @@ Contents of probable licence file $GOMODCACHE/github.com/elastic/go-concert@v0.2 limitations under the License. +-------------------------------------------------------------------------------- +Dependency : github.com/elastic/go-elasticsearch/v8 +Version: v8.2.0 +Licence type (autodetected): Apache-2.0 +-------------------------------------------------------------------------------- + +Contents of probable licence file $GOMODCACHE/github.com/elastic/go-elasticsearch/v8@v8.2.0/LICENSE: + + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. 
+ + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. 
Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. 
You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. 
+ + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. 
In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. + + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. 
+ + Copyright 2018 Elasticsearch BV + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. + + -------------------------------------------------------------------------------- Dependency : github.com/elastic/go-libaudit/v2 Version: v2.3.1-0.20220523121157-87f0a814a1c0 
@@ -25104,6 +25315,217 @@ LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. +-------------------------------------------------------------------------------- +Dependency : github.com/elastic/elastic-transport-go/v8 +Version: v8.1.0 +Licence type (autodetected): Apache-2.0 +-------------------------------------------------------------------------------- + +Contents of probable licence file $GOMODCACHE/github.com/elastic/elastic-transport-go/v8@v8.1.0/LICENSE: + + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. 
+ + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." 
+ + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. 
You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. 
+ + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. 
In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. + + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. 
+ + Copyright [yyyy] [name of copyright owner] + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. + + -------------------------------------------------------------------------------- Dependency : github.com/elastic/go-windows Version: v1.0.1 diff --git a/go.mod b/go.mod index 78c1ffcc30cf..c1c980f46924 100644 --- a/go.mod +++ b/go.mod @@ -163,6 +163,7 @@ require ( github.com/elastic/elastic-agent-autodiscover v0.1.1 github.com/elastic/elastic-agent-libs v0.2.5 github.com/elastic/elastic-agent-system-metrics v0.4.1 + github.com/elastic/go-elasticsearch/v8 v8.2.0 github.com/shirou/gopsutil/v3 v3.21.12 go.elastic.co/apm/module/apmelasticsearch/v2 v2.0.0 go.elastic.co/apm/module/apmhttp/v2 v2.0.0 @@ -208,6 +209,7 @@ require ( github.com/docker/go-metrics v0.0.1 // indirect github.com/eapache/go-xerial-snappy v0.0.0-20180814174437-776d5712da21 // indirect github.com/eapache/queue v1.1.0 // indirect + github.com/elastic/elastic-transport-go/v8 v8.1.0 // indirect github.com/envoyproxy/go-control-plane v0.10.1 // indirect github.com/envoyproxy/protoc-gen-validate v0.6.2 // indirect github.com/evanphx/json-patch v4.12.0+incompatible // indirect diff --git a/go.sum b/go.sum index 5e912a00ae56..43ad46db8d1c 100644 --- a/go.sum +++ b/go.sum 
@@ -544,11 +544,15 @@ github.com/elastic/elastic-agent-libs v0.2.5 h1:8+sYCW/kkWQe5KegGLMYYT3ELXUwibMc github.com/elastic/elastic-agent-libs v0.2.5/go.mod h1:chO3rtcLyGlKi9S0iGVZhYCzDfdDsAQYBc+ui588AFE= github.com/elastic/elastic-agent-system-metrics v0.4.1 h1:1bKgU0Y2F4PBLSCX2LmJbRd4wWoq5DOvXc9ysuXBVpI= github.com/elastic/elastic-agent-system-metrics v0.4.1/go.mod h1:tF/f9Off38nfzTZHIVQ++FkXrDm9keFhFpJ+3pQ00iI= +github.com/elastic/elastic-transport-go/v8 v8.1.0 h1:NeqEz1ty4RQz+TVbUrpSU7pZ48XkzGWQj02k5koahIE= +github.com/elastic/elastic-transport-go/v8 v8.1.0/go.mod h1:87Tcz8IVNe6rVSLdBux1o/PEItLtyabHU3naC7IoqKI= github.com/elastic/fsevents v0.0.0-20181029231046-e1d381a4d270 h1:cWPqxlPtir4RoQVCpGSRXmLqjEHpJKbR60rxh1nQZY4= github.com/elastic/fsevents v0.0.0-20181029231046-e1d381a4d270/go.mod h1:Msl1pdboCbArMF/nSCDUXgQuWTeoMmE/z8607X+k7ng= github.com/elastic/glog v1.0.1-0.20210831205241-7d8b5c89dfc4/go.mod h1:EWib/APOK0SL3dFbYqvxE3UYd8E6s1ouQ7iEp/0LWV4= github.com/elastic/go-concert v0.2.0 h1:GAQrhRVXprnNjtvTP9pWJ1d4ToEA4cU5ci7TwTa20xg= github.com/elastic/go-concert v0.2.0/go.mod h1:HWjpO3IAEJUxOeaJOWXWEp7imKd27foxz9V5vegC/38= +github.com/elastic/go-elasticsearch/v8 v8.2.0 h1:oagGcb1gqxT7yWpQ3E7wMP3NhGRamsKVd7kRdbuI+/Y= +github.com/elastic/go-elasticsearch/v8 v8.2.0/go.mod h1:yY52i2Vj0unLz+N3Nwx1gM5LXwoj3h2dgptNGBYkMLA= github.com/elastic/go-libaudit/v2 v2.3.1-0.20220523121157-87f0a814a1c0 h1:UaX9gwFak4RyXlTCEOXONNvmZxBk0MAcXA0kCvlSxy4= github.com/elastic/go-libaudit/v2 v2.3.1-0.20220523121157-87f0a814a1c0/go.mod h1:GOkMRbzKV7ePrMOy+k6gGF0QvulQ16Cr38b60oirv8U= github.com/elastic/go-licenser v0.4.0 h1:jLq6A5SilDS/Iz1ABRkO6BHy91B9jBora8FwGRsDqUI= diff --git a/winlogbeat/_meta/fields.common.yml b/winlogbeat/_meta/fields.common.yml index fe6a19510270..ed8b560a07b3 100644 --- a/winlogbeat/_meta/fields.common.yml +++ b/winlogbeat/_meta/fields.common.yml 
@@ -45,6 +45,24 @@ The name of the computer that generated the record. When using Windows event forwarding, this name can differ from `agent.hostname`. + - name: computerObject.domain + required: false + type: keyword + description: > + The domain of the account that was added, modified or deleted in the event. + + - name: computerObject.id + required: false + type: keyword + description: > + A globally unique identifier that identifies the target device. + + - name: computerObject.name + required: false + type: keyword + description: > + The account name that was added, modified or deleted in the event. + - name: event_data type: object object_type: keyword @@ -366,6 +384,30 @@ description: > The event creation time. + - name: trustAttribute + required: false + type: keyword + description: > + The decimal value of attributes for new trust created to a domain. + + - name: trustDirection + required: false + type: keyword + description: > + The direction of new trust created to a domain. + + Possible values are `TRUST_DIRECTION_DISABLED`, `TRUST_DIRECTION_INBOUND`, + `TRUST_DIRECTION_OUTBOUND` and `TRUST_DIRECTION_BIDIRECTIONAL` + + - name: trustType + required: false + type: keyword + description: > + The account name that was added, modified or deleted in the event. + + Possible values are `TRUST_TYPE_DOWNLEVEL`, `TRUST_TYPE_UPLEVEL`, + `TRUST_TYPE_MIT` and `TRUST_TYPE_DCE` + - name: process.thread.id type: long required: false diff --git a/winlogbeat/beater/winlogbeat.go b/winlogbeat/beater/winlogbeat.go index 223e436c1a10..fb0b6666063b 100644 --- a/winlogbeat/beater/winlogbeat.go +++ b/winlogbeat/beater/winlogbeat.go @@ -109,7 +109,8 @@ func (eb *Winlogbeat) init(b *beat.Beat) error { if err != nil { return err } - return module.UploadPipelines(b.Info, esClient, overwritePipelines) + _, err = module.UploadPipelines(b.Info, esClient, overwritePipelines) + return err } return nil } 
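Review bot: The description for the new `trustType` field in the `@@ -366,6 +384,30 @@` hunk is wrong: it reads `The account name that was added, modified or deleted in the event.`, a copy of the `computerObject.name` text, while the possible values listed right below it (`TRUST_TYPE_DOWNLEVEL`, `TRUST_TYPE_UPLEVEL`, `TRUST_TYPE_MIT`, `TRUST_TYPE_DCE`) describe the kind of domain trust. Suggest `The type of new trust created to a domain.`, parallel to the `trustDirection` wording two entries above. Since these fields document domain-trust changes that analysts alert on, a mapping description that names the wrong thing is worth fixing before it is propagated; the same sentence appears in the generated `fields.asciidoc` hunk and will follow once the YAML is corrected and the docs are regenerated.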
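Review bot: The first result of `module.UploadPipelines` is discarded with `_` in `init` without a word on what is being dropped, and a justifying comment is the convention for ignoring a non-error return. The body of `init` starts before this hunk, and the new return value is defined in `winlogbeat/module/pipeline.go`, which is not in this chunk, so what it carries can only be inferred here; if it is the list of pipelines that were loaded, which the new ingest tests would need, say so in place, e.g. `// Only the error matters here; the loaded-pipeline list is for the test harness.` — confirm the wording against pipeline.go. The same `_, err :=` discard recurs in the `Run` callback in the next hunk and deserves the same note.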
@@ -137,7 +138,8 @@ func (eb *Winlogbeat) Run(b *beat.Beat) error { if b.Config.Output.Name() == "elasticsearch" { callback := func(esClient *eslegclient.Connection) error { - return module.UploadPipelines(b.Info, esClient, eb.config.OverwritePipelines) + _, err := module.UploadPipelines(b.Info, esClient, eb.config.OverwritePipelines) + return err } _, err := elasticsearch.RegisterConnectCallback(callback) if err != nil { diff --git a/winlogbeat/docs/fields.asciidoc b/winlogbeat/docs/fields.asciidoc index 138eda821cc6..58612bb61b17 100644 --- a/winlogbeat/docs/fields.asciidoc +++ b/winlogbeat/docs/fields.asciidoc @@ -16313,6 +16313,42 @@ required: True -- +*`winlog.computerObject.domain`*:: ++ +-- +The domain of the account that was added, modified or deleted in the event. + + +type: keyword + +required: False + +-- + +*`winlog.computerObject.id`*:: ++ +-- +A globally unique identifier that identifies the target device. + + +type: keyword + +required: False + +-- + +*`winlog.computerObject.name`*:: ++ +-- +The account name that was added, modified or deleted in the event. + + +type: keyword + +required: False + +-- + *`winlog.event_data`*:: + -- @@ -17241,6 +17277,44 @@ required: False -- +*`winlog.trustAttribute`*:: ++ +-- +The decimal value of attributes for new trust created to a domain. + + +type: keyword + +required: False + +-- + +*`winlog.trustDirection`*:: ++ +-- +The direction of new trust created to a domain. +Possible values are `TRUST_DIRECTION_DISABLED`, `TRUST_DIRECTION_INBOUND`, `TRUST_DIRECTION_OUTBOUND` and `TRUST_DIRECTION_BIDIRECTIONAL` + + +type: keyword + +required: False + +-- + +*`winlog.trustType`*:: ++ +-- +The account name that was added, modified or deleted in the event. +Possible values are `TRUST_TYPE_DOWNLEVEL`, `TRUST_TYPE_UPLEVEL`, `TRUST_TYPE_MIT` and `TRUST_TYPE_DCE` + + +type: keyword + +required: False + +-- + *`winlog.process.thread.id`*:: + -- 
diff --git a/winlogbeat/include/fields.go b/winlogbeat/include/fields.go index 37e1c249eb8a..e82b450b7b30 100644 --- a/winlogbeat/include/fields.go +++ b/winlogbeat/include/fields.go 
@@ -32,5 +32,5 @@ func init() { // AssetBuildFieldsFieldsCommonYml returns asset data. // This is the base64 encoded zlib format compressed contents of build/fields/fields.common.yml. func AssetBuildFieldsFieldsCommonYml() string { - return "eJzsvft7GzeyKPh7/gqsZr+VlEO2SL0sa+/sXkWSE33HD40lT+Yknk8Eu0ESoybQAdCSmbPnf98PVQAa/ZBMyaJjZ3xvjociu4GqQqFQVajHX8jPR29fn73+8f8gJ5IIaQjLuCFmxjWZ8JyRjCuWmnzRI9yQW6rJlAmmqGEZGS+ImTFyenxBCiX/xVLT++4vZEw1y4gU8P0NU5pLQQ6SQTLoZ+wm+e4v5DxnVDNywzU3ZGZMoQ+3tqbczMpxksr5FsupNjzdYqkmRhJdTqdMG5LOqJgy+MoOPeEsz3Ty3Xd9cs0Wh4Sl+jtCDDc5O7QPfEdIxnSqeGG4FPAVeeHeIe7tw+8I6RNB5+yQrP9vw+dMGzov1r8jhJCc3bD8kKRSMfhbsd9Krlh2SIwq8SuzKNghyajBP2vzrZ9Qw7bsmOR2xgSQit0wYYhUfMqFJWHyHbxHyKWlN9fwUBbeYx+Moqkl9UTJeTVCz07MU5rnC6JYoZhmwnAxhYnciNV0nYumZalSFuY/m0Qv4G9kRjUR0kObk0CeHrLHDc1LBkAHYApZlLmdxg3rJptwpQ283wBLsZTxmwqqghcs56KC662jOa4XmUhFaJ7jCDrBdWIf6Lywi76+PRju9wd7/e2dy8HB4WDvcGc3Odjb+WXdrc6Elrm5gqHCIvrlz+mY5bpz4XGV5dhyOHyBH6/w+2u2uJUq62CA41IbObcPbCGtCsqVDrgdU0HGjJR2uxhJaJaROTOUcDGRak7tIPZ7hyu5mMkyz2CLplIYygURTNslRXCAre3/O8pzXBtNqGJEG2kJSLWHNABw6gk3ymR6zdSIUJGR0fWBHjlytCj832u0KHKeAnRrh2RtImV/TNVaj6wxcWO/KZTMyhR+/59lCD9nWtMpu4fyc2rS2ZUU+eLKsA+mg9IvpCK5nDpaASu5YR3jOIrhT/ZJ93OPyMLwOf89sKxlsRvObu124oJQeNp+wVQgnJ1OG1WmprSkzeVUk1tuZrI0hIpqx9Rg6BFpZkw5yUNSXP1UipQaJqJNY6QFYk4omZVzKvqK0YyOc0Z0OZ9TtSAy2qzxDp6XueFFHnDXhH3g2kqLGVtUE87HXLCMcGEkkSI83Vzrn1ieS/KzVHm2xCoaOr1v88SbhE+FVOyKjuUNOyTDwfZue0Vfcm0snu49HXaJoVPCaDrz2NfZ89eY+5Alt9f+uQwX0ikTyFnuBDkKX0yVLItDst3Bd5czhm+GVXU708lxSujYMgVK3Im5tRvSympjz9OJWzoqFnaNqN3YeW63co9kzOAHqYgca6Zu7HIie0vLljNpV1YqYug102TOqC4Vm9sH3LDhseaG14SLNC8zRn5g1IoWwFWTOV0QmmtJVCns225epRM4PAHR5HuHqhtSz6w8HrNK9MNOsPBTnmvPq0gkVQph95VEAlnYIvyUG/J2xlR8UMxoUTDLsRZZ2NkBVThELAGE496JlEZIY3nBI3tIznC61CodcoJIwz63G7dXwZdYViBO8RkzapJovx+dvwIVyB3SdYTcitOi2LKo8JQlpOKNWKBnknnSgSQHnYbwCXIL18Qe5cTMlCynM/JbyUo7vl5ow+aa5Pyakf+kk2vaI29ZxpE/CiVTpjUXU78o7nFdpjMr+F/KqTZUzwjiQS6A3I5kuEGBye/ZJ7HGVO2accnzLPHyzs3elABdMuBOKdDcYacfDBOZ1RDsVDVSThw/4Np5Hne6FIp9q1QJN4CRYXdSsegYD3YgxYVAFSgMaX
dGoeQNz1jP6kS6YCmf8JTg26B7cR00REfZSDLNmVE8tTwVVOJnyX4yIBt0nu3vbvZIzsfwM3796z7d3mEHk4PJzmCyNxgMx3Rnd5ftsr3d7CB7no4PttPxcPAsDSBafAzZHmwP+oPt/mCPbO8cDgeHwwH5j8FgMCDvLo//GShcW+EJzTWrLSsrZmzOFM2veFZfVOaW4wkW1s9BeGYl4oQzhdKCa7dvNvgEDig4xfRmc4m5VYbUHBRPbxvQVEltF0Ibqqz4HJeGjJBDeDaC7Wc3XnuFDuiuJfSkRogm+k/D0+8E/81qzg/HO2hsViKhHIP3bkE1HDMCUot3MKBDL6uhZ/9dBYJO8QVxGh8ArRXUhOJTePqhhjLlNww0Xyrca/i0+3nG8mJS5lZmWgngMAwDm1tJXjj5TbjQhorUacKN40fbieEMskzitC1SaVusoAokQxibayIYy9C8vZ3xdNaeKgjyVM7tZNZyi/A+m1j54Q8aQBVPIP+VnBgmSM4mhrB5YRbtpZxIWVtFu1CrWMXLRXHP8vnDzU5AaH5LF5poY/8NtLXWhJ551sRldYYevmuVuqQijQhHdKBq9SyyuJtozKpHQGPhk9rCVyvWZIDa4s9pOrPWZpvE8Tiezk5wr4DUf3dHQp3YDZj2wYWi0u1Ya9U1lbU0Usi5LDW5AA3gI+rrkSC0egWVBrJxdLGJG9Mpow6wVArBwBdxJgxTghlyrqSRqfTn/sbZ+SZRsoTTsFBswj8wTUqRMTyn7emrZG4Hs9JNKjKXihHBzK1U10QWTFEjldVvvfuAzWg+sS9QYtWbnBGazbng2tideeN1aTtWJueoeFNDnEcEkZjPpeiRNGdU5YvqBAQbKEArc54uwL6YMVAZLILJJ+tHopyPg1573xGay6C81ZbIHRU4DqF5LlPQsR2kreVzamf4OmwEt7puoI2ji9ebpITB80V1Emm0rcKS4F45q9EjYsnh3nD/eQ1hqaZU8N9BbCbt4+VT1Aewbq9iKkci0LsFyL1Og47lq5SfBuXfRJjALC3sf5TScuTLl8fRjkxz3jAkj6tv7rEkj9ybdut57qTasSM33O4M3Ah+cdyGdJqwBw4tRMWmVGVgOVjDQArdi55Hq2HM0bXLpaA5meTyliiWWmO75ue4PD53o+I5VYHZgs1+YR+PIIPtqJkI9qJ95uK/XpOCptfMbOjNBGZB10jhBEprKnRfWkWvNqk3dBVo3kxbOJwp5qlkFBWaAjAJuZBzFoyjUqORaZiakzXvk5VqrXLDKDbxssuBIhoIatxw7mfnBMCVHbNgBIMTICKA24wWLDH1y1xNEcOPbg7HRH4Ce5aVurQEcaNW1jcXFrx/lQIXAIxxNK+9x7xjsIq+QprWkFbNwvXqwz72LsngyMTxtvw8wSUNmwcVN5plRLM5FYancBKwD8bpeOwDau89VKm8HNBB0zOS3HCLLv+dVZ4ViyhTYM9pbkrqluNsQhayVGGOCc1zz3z+fLAydCrVomcf9SqKNjzPCRO6VE4fdX5wq8ZkTBvLHpaklmATnudBjNGiULJQnBqWL57AqqZZppjWq7K8YBega8XxnJvQaUlB/MzHfFrKUucL5HJ4JwjSW0suLecM7gVIzjU4P8/Oe9aIxtNYKkLtMfOBaGn5JyHkvyqKB62x0qFwfyh662Hy+2GUuC9GSLK6LioIN5GqmZXoo8aDcpTwYmRBGSUI1qhHMlYwkTljADV5KSogwM/jVrLStZJ/u+Oc6uTf9kSPvFwLw/RH1P5oxdEnVH+tBsgP9gd09IV7PbcTHSOgIG0v0MFuDTBk55XYflbK4h6OrXgHpWPOhjWPd1xzurBbED3P8LKVB5PSHi6/WRk+4SyLxwZlhArUAOxLYVRB0YIGeuJWqObImLIGQCBguHTxd6wARZa5y9MwKBOKp7O5PVW7LOvE/ZGk7h1P6ymTScrN4mpFTpNja8d0cuUrazcx516tgSOF4YIJc5XKbBUwXd7Kfs
6MYfY4zVj9rjnMvq674X599N1HNmg3Misi8OuYj/1kbaClMjNyNGeKp7QDyFIYtbjiWq6K5sc4BTm7eANEb0F4fHQnWKtiTQdS5yofU0GzNqXgZPu4t2TK5FUheVAr6peAUky5KTNUwXJq4I8WBOv/TdZyuI3uP9tJ9oe7BzuDHlnLqVk7JLt7yd5g7/nwgPzPegvIpz3OGk5ezVTfq1LRT2jEefL0iHNyoWItJ2SqqChzqrhZxDrRgqRWNwNLIhK8x17lCS5E5HCuUElOmT3snT01yaVUTmfogctsxitrpVIuELycFLOF5vaDv7FMvYzSEQivpYkiQOCelqNjaQ66zZRJj21b4o6lNlL0s7S1NoXUhuar2mXr5zA8ijWqtUx5dXeJMQIO5ArRv7uYikrbd1dQ4bopXKCOGbkW8lZY244SiwpMJBX55eycRDgRYG1QpW+oWpBbnlkNDk41t6vx4go+tun3fHewO3iImFVsyqVYpQB7CzPcJ7/6fzu+C64VSTAHU6cA+1vJxqzNf9aq+b2yCZ70WJ0xDIb6HfygkxrD9cKt7dnR66PouU7g3UG1daSmcCzTrR9KJqS+OuIqUj4/whi8+AiW4YEaHmfnwUqr64cbZ+c3u5bbz85v9jeT2lxzmq5iP786Ou4GpnFpIaQJt8dz6hTwty+OybPB7jbcv2O0IcsOyak1nmRqmCEb4BDgukcO+mNeqahWx9/Eq1+nGrlgtltJfi2LgqmUavZPMmMfaMZSPqc5yfiUG7j7sWqU8VptGNOBjxNbASJIKTSfuqAdNmUqIRdlCnf+N+5BF+uFd1YIAw0jzhbFjHVI38GgPxj0907h353+9k5tpQQ1SZMzOs/Hbu5Yv1RUaPQgnZ1brJw/BQNEXx9dBuck2WDJNHF+dyuVK5cpQU+cd8nXLoHDoRP544hRFC5qxJTkkmZkTHMqUjgDJ1yxW5rn6P9UsrRHY8PKt0gXUpmHGfne5NNG8W7LP6aGHf9roQf6/R5g/dawPse3H2XrbtfhaK3JMib43etx7tYgFhTxfPY80oYpll11WdlPpydaoTTj0xnTJprU0wjn7gEiRcEyD7Iux/hTtP4vqttw1Pei4Zy9bfWVtYaVu2bF11r8Rbdh767fM2aYmoNWWyiWcm31FVCbKPoAIUYJgnnLcc5TosvJhH8II8IzGzNjisOtLXwEn0ikmm4m5FItQCxKVLQ+cKtFopI1XhDN50W+IIZeV+uKPsOcagNiFyNXUacS0hBwfd2yPAfsL1+eVHFRa6lMyuu1tmC8ywkQyL5KbgiTANMHk+EeF4qP54tU+Dz3rAL6OmEfUlaYKuwOXqvuZlvsnsB9PCUFVYZHFw2kBQEID45z2f9zv6M2U9k1YICUdk3szCkV1U0DqfNVL6JAiNttITRmubztZvPuPVHfNzFt125vbxNGtUnmCzcCMgbuDKrNWhSlgEC4UWZUV2G3gCuoH2GaSptb0+V4O9HleFjbfL0aE1fgoUHhXNo+bq0aY62He05IK+B5DpfYTHHZEfpjEVhWEzSyuAI0PoPUY5OJPaRumJ3VMYrDfoNdvjzZ7KExFSypiu6BaCg6ev46EoSAZVnPK9EmSdoCsjlvGDYKLLKrBHzwdUtGkIp3CcVqJZYTj/B9jW9KzVSyWpaJ/Xd4cy0V3gfbyTFkZc7gPkRO7joWqSAvT47OIRAWMT4JQ8W8st7Gjs0pz1eE3DuLAUzgjZikDYCVnh0G8ld0A2PRXNfVMQBOKHpDeU7HeYdxm4+ZMuSUC22YY6waReB69Q9jO5h99XyHSK4sELcdjOrjqhE/Hy8HVz5bRU6NVa472BPhXKFLNV4JnKwNxIzq2ao4wVEKpI2dBx1zSjFr1bUi06kTS4JQIcUiTjFC+yRilXeauYjWEWDBM7yvhj8sdqOgAqRSTHCtaF6bk4qsQ6uCCMsOplpJYPMdcc1IstbuvugP+3v97WF/e7C9u737fLj97OBZf3v/+fbu9v
PdwW5/e2dv+Hxv/9nBfn84GAzaSDyds/Azy8GLmbU+0V0PWShc3EsqmrA7ZaCSefNy+slY/kgpCulmwMowk7+vAL9kPRGtAfT6r2vXfEwFvYKYzbUeWVMMtG4xvbID+sSsO+lWxdTJEgEPIXX+i7sj6jDVl+DuDBEWMBQYLGKiaMjhq9BAPxrGbntnAkRwkzuziybkVZXdwXUcZk4FOT3eRovLbtAJM+mMabibiUYn3GiX0FUBaTd3PW+xllDGdQhfroPgxlWlcJliis2lCcHORJZG84xFMzUhQ5gocalMHiHPOqJ61d0r1VMscdBqIMjZcpN7h48dlusKVEewKB/aA+ei1FxYgWb5pO/SXtF6hadcClLyPYpB+MpQNWUm+Z4QI2vMPfbBApg9Z5/yMK2v64j6XrR6jF1EmZxYItRYRCpL1qm0WLhQRN0jiukC9ep8kZCf5C27YSoimWZGkw4E3KANNOalNdulcVmjE7hpC/dVSkrjQA+DE+e0hlPACwNZUaHigAg1iENKTUnzsFCO0pimh7didoE8A/vZGojYFbMiMuQ4OzLGk3kyBqJV9PSpvNInXsVRHgZDW8OatRcNw0U8bHdQdAkIW8tawXYHRdsc1QHdEwQJpnApuDrFcL3ag24uYPM4iIpnIS/XHfoLkvHJhKnYXQ23xxyyTq2qbI/avmGCCkOYuOFKinn9nqaSrUc/X4TJedbzAVog/8mbtz+SswwzZCF4qGzqH23LdX9//9mzZwcHB8+fP+8k5ypDAtoE9SoAzTnV99Ay0DDQ6NNoicZXi5oZ10VOF7EpEvuRsCxHP2M3y7qTnG3Hc24WV+3b1KdTVKJ58LaU+7BOOCnxbFUMb1yAZapTiLgozJYGU+o+o9r0h/XbYZ9TtLqtd+Zzyc5OvEgGFcIf+E1AeX+4vbNrVeXnAzpOMzYZdEO8Qu4OMMfxgm2oo2tg+LKdvPZkEL3yOkeUx3YvGc12MmcZL+s+f3egfZO3TyJvlxAaDYJ/k8hPKZE9cf9Mgnl5tL8e0f0InP544b480F+++F8eF1f77LOcDG6uWOZ2SZaaHDkP7/TI0e+lYtE3HZUqFn03ySPJ8HnktScERsUtSwKUsnUidIvW+YI8mgzWWl0mS+iTo9g9JWDCxCMfF/+it7pHqMW3R6ZpUd02S4VxaDSXKaOi7XK8XTp60CGOEZwrQtsFcD7p4fFA/Hxhn8/D3x4RXxYiLmOTcW24mJZcz/xzuuGkg+pPlbLir22wTBloKp5teoRNQRM5Pd4mN5q8pPNxRnvkx+Nz8uPxKbmpNJyjoiCnYspF2EN/f2Vfsd+7kkJdO5EWBWHuNfvZgdxzmKpS9MiEqik1rEdymL69H/H7ZZfs310k/7vL4j+ZEI6DEr8+ERuC574J0K9GgDof+Tenx+dyejQI/s3p8ZROD0/cfzOnh0P7T+X0aOL0VTg9HNB/CqeHw+XfXcNukOHfVdGuyPBn0reXR/zr1MiXx++bzv6l6+whSE5m7ErzqaCm9KXXXbSczBi5qP1yd9jc5Yxp1qxmXoszhfizMRdULTB9PkyqP71gYsanTJsrmk+l4mY2XyXPzaieQf01P1nQfC1GmKiBlbXvTvuocWWgAzb8oNhAhWvikndDohBUzApD+o4clunhSQUFaV3mSMXPSJsK3Da/6Bnd3ttfdotjeeE6hVsBtGMpc0ZFFxF/wJ8gDJoWEEbJsVKno4NF3WVFt6NDLRt8JP4zch3wqd3nKyxHbRkiClxelhN4h7nkKsH7LhlkTkU5oa5XxHhhKeRbAdwwkUmVRGOyqnK5Yjm7oZgoe1RYvvn+zQUErHVl5MwTOydLPhSpPY4/LJamraGmXFmxuaMs467EZFuKwHnOlMF0QeZA6abxpMx9zf4plB9Si8LIqaLFjKeEKSWVrsIh41FvaM6zuJyKVFYIaePnIy8ZvWGkFFEVxYlPzIdXq1e8FlKNH4a9tbazSGcsve4qAX/69u2bt1fvXl
++fXdxeXpy9fbNm8ul16jEjjMrKo9xgcPXS3150R60uqogFU+VtDxMjqUqZK1I9scVC0bnK97Hdoqn3MwwnlRut7pyxH4Lu4YjUbxp5Rx52B4+/dtP//jl4NXB0d+XpqXvyLQENbOKVWsUO7FbhIqM1DtV1U/2Rg8pKOwNZ1pbrm8Ptof9gf3vcrh9OBwc7gx+WVrOwx5jyzDHPefS+oWR9hCGpYv2ecfeJemsni/8d7vhMby4ev2u93xQeirnvt5kD0k549XxXsvk9eHGlaSxp7+UuXbtJ1y4OAExgnoBCqkWuzzsBAVJ9ol07T7wMTEOrKr60X/DFOaJ0ynlIqrrZ98ICqRV8WNPYacspjXif0TQLkOYSmsGDdfJuKAwx1/eU7Q5PFgvzOtK5raaeUW9gFz/EAdkgCJE7JvQog3D5KvI8e+8wIr09BnLiygVDVIvsKpIGFm7pA6xsLaH3etPEIOeFmVShuZd9zOWTmnOsqtJLmlnsbf1c6ZSq+Yen79DGqLRy7Xr8sF/r/rEubqncgJP2zMwKn0gMsINUdgQBLAeWJYdJuQipZApb7UxqewpMhgE/tH441X847K7K+P6OlGMZklHrdAHVYiF80vavVThCGOSjSktp2wTGlQQjeV/sCbEBp1OFZtGLcRcWhHNcwBNbxLNRcqqdHDsRxOV+F/alwmo3ipu2GfA1c5jmPgD0V1lomS17XlWj47mczpdqdMl9qjBZCHDCQGyIhY7Cnla1UEzdLoiyCqZ6uCi00YyfNSp8f7po46N9/RsbHr9YVbX/rA275zNpVo8ncB7BeMRGI8UKP3sx+UFWGD/JxNkK2S5amFFqGQXpsUK1QmbQu2DpxAsd4kUKEVlz2F7IOd5KI4NFbUmNG07Zqpd8WRSxePLxeoQDr1VPeZ/JMJO51gRa73F0cmcCjpF3Z3rCo2WkYLtTiM10GpMV9ooRuexInhiFamL6uuPdIKMRvGamaHXDAvScIGF9b1pIditazVXjR9KXut0xqIrnjPR9Ur94aqQYKhWET0aHLrQ/NMTXDbLxvrMz/hVlxQ5kXkuoSvqnArB1CEZ/XeEMFxq/k+/9pX9rJlpfAvlmwqasv8ZVcoshw6WLs856pAK9lKofTCj0A5ZeWNJOQ8NodpX/anoyMDgizDRCXklVaMrh2MVrOAzkaVwWaBch87UUB0Kgw6SVG6NczndoqLPhQm9RvtG9s2M9UNsAjW0j7P2cZX6uEq/2rcdjIXU5p9hjY8EOcW3NaMqndXWIJVCc0g+rfdOGtP0GvtPZjxlGq3PcGFQZxWoVjvXtfJIjfddbV9yUjJkDtxFN0xAZdL2uBqzkqFMEzKIHYp98KypmLYSw2BrjlpFlE7eZ9rVsAgdSkfvRz0y2rL/fG//+X/tP2v2n/9l//l/7D//n/2HjMgGsFXFJpse4lFvBBdlo7+MEt99XDPcMnWiQ8cXZoUe1PConJd3MMO05BnbYsL3LMdhtsIwW2mpFBNmy1G4nypGDesDlZKZmed/afxCC94vqJn1C6roXP8ak/CfT2CzuU25hCS2TGeoMFf3aEtrlcfa7qGowaaZoaSjhsyhQ61mQjPvhnOutffh6HkfmbteeCXvRatj7UhMufiQULAH7LoXSs6ZmbES/mIig3Lio3hkZlJkvhrnAmgQ03XLwZQ22C0Svs+wF/6M3jBPMaKZiUe9ZaGFEIrd92vgIePp+7VQQ8e/C08kZISlMty3I+cVikeFGcN1EA5MNRl1yNVR8l78wBYSHE4NRo6H7DgyUmu/KU4tkiwjcLxiYYJRgA3nnlEdbYN42JgxD98LQr4nr3yJAs8Ho/4If3ktQXdBD4ewKmkkzdea53O8xg/RXGH/PxVnH2HVE1/CPYyfgPEEH4PDx3UpoiABYV9yMY2J5U6i5L14RQVUSVea0Nza8gsf7shc4XYvjLGzJ114nyJyU23LdOkBQt76e243xphpQwpLbJ4yLEnuyJkQC048JEIGde
K8By6ucA4XLCP39ihx7SyRVZz7HLokQ9eleFx70kAznvDu3cxbP0PqvBqP6dh2FJYmZlrQZir5fQ+3xkN+IuNW3ceXZdslY8GW4dj1I0HkDVOWhCB7FwWrCSLHL3H7ADyd8gWyLsviMJq1XE71GjDfGmr+ei0hPzPCPhQsxe5d9uCnWUbWjLL7Ya3mhVvTC2FmzK7rWtXXjCoyKU2pOuKP7ITL+W2jflw1hb3x9T0Ke/RopXCiU7upIDJvS9U78AXosX3ZFpZKTuquWbgiqjqpYWGdWnO3nquxbDUU76uASGPXogs50i5o1FOddja48wvbgVvUMu5jzeLwHHbN4ip3813t0KIJQE3NoBIrapea5VzUGsFizy836tg3UgMfv6hjrO+a0JOhTky/XeJ+f2dRfSrk1TC2vx50d/T1+vUAb9ySHkpfwQEpup/zVAhYYhOIQOmvqitcrdndUq3hwrbHAZ6qNVwYFlrE4U781hruW2u4f6/WcPF29DXzQTJ+ef3hYlC/NYl7erp/axL3rUnctyZx35rEfWsS961J3Lcmcd+axH2VTeJiJfHL6BQXQfStXdwX0C6OF+Awj/jkIz3SWK05WqH4jRW8J69+2exqj1ZVTv6iOsRBS7Io8NNhCuGgFW2MtItlKXHCIDXv6TFcRc+3Bxixn6/xW23fky+o+1vN3fmtBdy3FnDfWsB9awH3rQXctxZw31rAfWsB91XftHxrAfetBdy3FnDfWsB9awH3rQXcA1rAZTmeuz7O6+VL+PP+hIxlCtmAyz3nY0UVZ5pkC0Hn6ETxBJU0Q0+a9HUD4GbD/QzhnLJgyvWkAhmpMY7cSoc1PaPQz702zxoqhVVtFzBovCEw9mkJzgJgBsfTLsY02FI+JePQQ/M9OUEE+jkX126+BdkYJVmejzZJKudzSKkAB5EU5GcuMnmrq/cvENw3WBBiY5Ro2fXeO8E/9EGZbeHegqUGxiLn464B5zR9c/EEGcm1KkjJt3JCn6+cUIP0X1F1oQbk34oNra7YUJPU32oPffG1h5pL9ucpRdTA7FtloqerTNQk7Z+tUFETv291i1ZUt6hB6G9ljO6gk9U+k3m2tyLp9epkD6d4EDx6RocrAujip6Ph4yCqVNoVwLS9t/84qPbctfdKoNobbj8GKp0xtozEfhRUFyenp+cPg2pFKkfNv+ts1eYBjEdKni/InBa6q3ICGGdQf1hftzfzNVOC5TvbiXdkLIFuQc2qHJkvyjxHiO0kLdwbwB8fvnd+gvcXYOPvbL9/FEIsgdxEw9JQiXgFdWbO35F4Gt+Q2/u0LdotFD/s7z4AC3twUrFYEQKYhANxpzBNi816Pr83I9TAUzxnfajp9qT6ccGSCLBVY9sIf34Esuc0jhH/OHJ2+KsbpvRnwM5N80jM9pOd5Pn+YJAMn+0O9x6AIp8Xq7wPOcJbkFBIrJDKuBY856e408iRIA4K0u9DoAg8RiK4iP3FXaF7O2fCxZSpQnHhqo1DztoNE4RODFNEMaSYy9/07XmsvtgHPCs9TVGhg/mvscSCTKEyR9ZzKX63GGUBmbxYW8UoWlX/sNBjanRdx1MCH6amViFkwhVjCxAUWC/GzBSjpq+YKxCyPRjubg2GW0ZhBZb+nObWaOsjcfrOmQgVQjoCMdP9g8FOusueb28P7YcspXvP93cozXb2s2zyAAbxGVFXsBlWeHUXdsKnSLOL86Oz15fJ6T9OH4Cis4NXjZeb5lPwWwvi+v2Ho1PvnIfPb4KbHY/gtfsJEO5NBBp0/t7k9QX8ec+9yQu8MXEJH3bCk9cX5LeSwQaE+kJC3zJVbQT7O9z/hPRnxmEvhiBncNuKac7CWAtSKC7hhmTKDODlhnWDbowyoaGo1CE8P9okeH4v/CTx6BBO4BPx8R7U3fiYkJyM04bcfo2xL7QWV+ZgQJv2lqETBdcuZHHAOG0o8dXR5lNketcosXSFw1YxCAp3d1EBASrcGxjyQ9OZm4torOdGFD
OlEtE1tb9NaHa6uJwxAjEL12zh6FUlWfuFQfpr5mat55CPF+T0+KJyR79lqVSZGwtkNEjW2HM7r9DBH/3kgtzat06PL9zwzdwju8aW97AMBgQeQ0g9w6KhtYIP9jnP4+TIkDkXfF7Oe+7LMK5HCkpgRfyGNXRGFjgoQdBCg+sq4qVnDYowJIQSpnCgcvDMWYyoJoXUmo8xiiSDghtWL4zKm/hyczJi4xagVJO01Eb6cnDNLHaHc5rTlZUZwF4vFFMvwoL4Sn1V7TXf3waOedX23p297gTdjrYqXcdX+ItFI8ae+kD2+uZgFPac9Bl0+GrBRKZ9RA1UaAFp5UkSD+hxbx3/w0Hi/+ukwiozFpuJ30bGzYkaoJOCKYjdjWhzBm4wcEPKCTl+ffTqlECNIlcvTuY3ViuLhNP6usYaP6NIxJio6IQUDKUGhOLoQloSh+uYaBDYlwk5C7JKSOOjJptj+kzx0W8l06HCwcgeOyyq6BEtC4QQ3xE17pfGmGXiB+8tmMwh2NswdQP3WlZ0A8JAgc5V8O5ems5iyc4mIJhq1TG4TqnKWJaQX5iSvhrQHNylMxf3gTK0IuC4ohpO0VGXoJtRV9gI73JWNcF7pIwB3qzBPWM0Y+pqktPp6i4tfcDNNnFZ9VZM4swEZq71mypYamplmw7J0VGPXB73yNuTHnl71CNHJz1yfNIjJ286nMy/rr09WeuRtbdHPhbnrsrXT7o0FidMM4qvw6h2oQ1O6yiUnCo6R9YLtzqVYQepBkxhDZp4IKhbWfCqfAqKBd1hWW8Ph/U2xbLoSHp9cuRd2IwUeIGFChR2BXBXQNdcQK4P6q01VZaQOdOaTlkSB5BwDaFCjnZOgBl/LYjDoGoMlIGIpnjMO2n0t3enb/+rRqMgEz+brqCcdojnBJojH1ULaqJ7lSciHIUN0OITLziLXalMn9IipOiDi8OqgnF92w3MbdnZhronFgIy3N7fjFNFpK69UQnxOLeUasJ0Sgu7p6hmZDjwOaGabLw/OTnZrBTwH2h6TXRO9cwZer+VEqrRhJHdUAm5pGPdIylVitMpc1aDKz+b86ha0oSxLB4Bqskql8f43vTIe4VvvRfAf8zdIz7sdA3r/Ifn7X3L1fuScvUCX3zmpD1ecyo4DO/LtGsJi68ot+z29rab6N8SyVAEfkske1giWcVAn8c8cFbS/ZrF0dFRvaSSN1WvPqXmwVHLQ5fn5OzcKnIMGv+OYs/GqOFi8D+OvKfP8Q6fTHha5uBAKjXrkTFLaamDV/qGKs7MwptGMafOqdHWJIyKeSfk9IOB4sEBvqgqpAfUzJhiWOBX6CQizqjSWaEMODfBmwXhbFDq18zYHKqZREOjXoAvwe+Mag5B9WHEG65LaAzl1BWr4U6k6jRzIqeJtXeqP4dNw8frwZ/DDPBzdVfBef0GAjdr0K1wU6zHuyJ49X2QVNZzFIZKfJbx6sfWQpYqKuIe3QpA8NiU3zBtH4rvE3rwRRxjhlXww7iZ0GGUCcLWvBhYFooKAO/ld3cANSAa80vhi6IWTDn8N2SBXtd8YYfQUoYTxdlquC02E3IkMkKdhyaM2arrazfV3bcT3o9vrTgnDFr8HRy+obdvWrv3OT3+2L3PK2ZoP3ZS+xZ1zgv96a2dOy/aowAexX4ruWLxMJ/EzKfHF+HWHQ62QHfsg2FkQkYs1Yl7aIR5nB6MSiqCqgSyqNQGuybDFXfuykjGDpmfZ0zgWsLCpkrqSIPzld37fec0dRcaFiAIA875dGbyRZWlUXl6Kmzg/Sg/KGcGW6VPlbvhptm/LKi+zko6Y3PaoD+pZW51sNQwGSSDmKPySY2jXr4gP4FT6iOM1ZmH9ZKL8gM5/cDSEk3fl1xcw4cXWGdp4/Tli03ooAhl8z+Z+T5D3NErms6g2HUce+SIbKnVHXd0sN9fPvRovDDsSqpsqULDj8Hhh4VhRLPfSmiBIid3A/6SG5MzcioyTpcPuC/KqxWeX8fn78LxdS
/Vz4RhS0etwYnApbiKAtMfE7/utChobMlEpQSFEkkW1HVdMT05s+KCGpcAFjYuN3F7PuVDCjK42LCKm68uOKHX6Et1wSWIilR66YhL9gEiepbAepJTY1h1c1yv0ckxGh2HYxlhOZuHtEcMPV8UbHm40B2e0DFfcfzW3+thW5ajjqJsqx8w/PvMt1IjG0c/nG0+FI1VOlFRRtcvGJv7Ylk4V3i7Cp3W8CiIgHTzPhBMJoxaxPVin6xEmyNmNcGnUtQ1pVwtD6+vDT4MsSVRuNX0AFcH/9Ig6ys65isC9eN7y1McNYg3Fw+l+AqPH8cd951Ay0L52YXaA3eai/R8qnMBh3uCc8GFMS0DmGBRxtajQqd8zFRrrcNJbe3pT4mP0uW4j9psGBK8yIJRMyMjlk8Sj3Hy/Wj5rRxeSmd8mbSTDiFZ63dR18JmvK9/K10G4piOec7NAlLbFR+XMcn0A7uIBritBJbFMgH4DwL9YkaFkIK44UlK87R0EcZBTXs00KsMG7DMd+H4EXaVixR4KIwrvChtgRjXKl4eQl9v/EpOJsv1MXwSYHG2TwBX89+XoexDmoW0gAy12O1kD4d1hWdjC1Q71MMhvOHKlDS/Wr4X0oP0uxaUbr56RbbHAPz41X8EtA9c/ak9cj/XkQmT/dFHJmL8wCPTvfQAFeOxG8VRzRMrMNODYV3xhm7A+bAtDXWGrkJFpBWB6TVMV4WpKvQEaUYQKsV1hMzS8BuWT1aYWeWHJ3oxH0uXgGS30ZIWRXDgKOW6Cnq/bfhi6dpZVES5Fq7YCVxGLCBGLWzed9gNd47bHZ9zwfxFwaCXWs7IhBlsT+mvdaBAXko1urlUHIaLHntuNMsnUR1ggaM/QabFirpbAJExsK8RLI6A122pbAUQ3F3SsQMCF0z4ETC6K9514O1jE+v73dD0+gq6hC6xZW55nqU04PyZa/NdYvWKFJpr+pbUXCPpLLcWOaR6sA+mjuRnClgIy9iLg0uw1gf4+eIUNKz6HRkswQv+L3pDk5yKafK6zPNzCUHlp/7xWIjc+JsoL0TCF/cLEbeBay1IXSoVVMz4YO4ozFQ1yQd+MoqnNWFQdc23jxJoUOQ6U+pWI9FG61ToS1k1J0fhVEV8vJRBNMF9n288HioeUhMyHiBiRkyrMUjoVy4nERJuPD8U9WV+LJdBMURisYeq7L2otasLkMbAlNBOwY3p05gghiduGICt8sIgqRTCKYljZm4ZVJKL+pfSeqdTnIwLbrDXkV2qXGqL25FfiY+TG1rW+CEh/0mU2IQmJ3NGdanAz6NDZ+s2ZaPH4LrD0GsWeDgmc8weFY3nbC4hy5BpO4wfLqso7frK3vAgkQybQ1R2qVhCLhiuuWvZbk+6EaLNMYnL3Sp7LxAUfA0JWWELx4llDlIoSmSoady9ftL1ZtrO0H+6Ro84eogD8RHmruZnpLrHjcIwIzzOehPRW+TMWDYC1qgiDWZUeHqn1LCphPAOP35YdCtIRkCoPs2yUY+M3H7qw35i8JVVkvoYzZGN4r6QUYkjYYHL80VsQLhEdnREso5YolIz1S+o1paYfUw5rS/GlAlzxbOrFVe3m+IOspvL4+HCifBeUSpfrslrHyMALeFZFZSFIQRAmdAv2XWQxabXkarGoUW2v6S5qZecqjclwn49Elq8zawOknomqJdINlUzZddcOYQ1YDRbZcW5ugCKTXLoPj5jRJYmlf6ooyaAJO/q/+DqPAEZ1td1LBy5jmH17XPmly8vvJAKIzqAU6aiZtV23LOTkEg8ZVharRJo8LiVZFzrEjtkV3e69dXxnCo85V1kn6sV5StRNat72QWsjejTt6w+hPR1u6vBooehyBUGwUBDVBc9gj3Kw7BQZeGWWwO8akuGpRcaLeQr2x0qUNeitISM1goKeTJlGcORxV2HRyHKY0bknBvDGt2dO/rWH1YPjCq0+i5iMpA4YnwkEHRIidOpiBy7jLFab1jLJVFkSjXZnGsY6COTZZ
JpiJsNy9KYt6J1PP+982oupm5aVwNPyPb8sQS2y+uWIHa/jOwsV36Wq7uGrsECJhyytns+3uYV3YJ2h5vj7KQtW/16LWuF+1NiNScfFl50fD6RpYIorGOc03eLxnoJGKzKQ8BGLC4w/M8Fh7s1sAN54MmMM0VVOourTjWPwcoER1GzNuZTMi6h1dYaROpUI3Km6wHqkbTPDVNO4WxMcegO0RFZOH09BLgRKHDvAsbdY9W6pobfcLNwuWihoiyojXAmhcZlbka7KCNfeMWXtqRxa1Fdjj1YTQUjjO8DI928EI4O0sBCWDAVqPF7aPGvQ497HclJaixnwdKESL2Iku1gy9qR9hF/wtOd92fOlk+jtMFQlAKltD3fIGIVai9HlIua+/viB6VmQW/PmK6VFnUWvCaliDr994hiU6qyPF59UMDhaWJNydJ+kIpY9MAHDJGIqOvLG6ZA0YeaQP5I9sY117Wjy9U+QVOzU1bs7u8e1ImPyt5HZMFd4VnrbjfgIPVz3b6zVS87iqSzMm/CVVQUUjGKdZcFijmwxsYLjEsueMFyLtidPI31v1PXN+9/h7KpKDaoib+q2uk6WGv0A2hZCDm7owN6fCoLMrdWkeamxDDSnvO0m1tJwrRuo41ZR7Aqatn+zzROC6+VdvLXqmhgZSyH/HS0TeP4bZfx6+4SGopIzXKEZYFX8WyBNQnl+jPCjZMSDUjmUnAjq0oZ1RBWO5TVitk//U22keSasYKUBeqI8FK8uepUTal23oM6Ha3ijjsupXkvXtmG5tTOZtgeDPf7g73+9s7l4OBwsHe4s5sc7D37pZ7HYM/m1g3p01dMdNM0SjyIGkUwSwkSS7G2lrX0oGyDc2nlcmrJ7Y4bbO1J09o5k8tpz7ngcjnd7MWTxwWS0ZxcuOMFa0NUoi6ulG83RQw2LDrUFZuDzIa6+VZT8zHhMLw1MWtzg7ctlJuYy6zMK9bHHkfYqcFXZM+k6VV6bjxMx2FT0HTGkogWYXlLtUzz9I4rxcabXBSluQrREVRIV1LCu+BKEz9A9Sue57zzGcxVAx4ZdjLOiZu6Fn1OIKsuTFvnJJRTSHW75/FvJjLYQJjPZ6r8uVqFkC5Z5AUNzC4y742xa8pb3ZeYWKYIwl1HSgVq6zRpHiTIb/bg9N97tSoAbs8aSL+TY/DYZXXf8wovo36iekY2CqZmtNB282kD11FVhT4Iy1P01p1kBsKPKaZ4Re73uRTaKIs+eG0hZcFqjk2mH27v7O7tPzt4Puj6dPTD8UkN9VXeoJydWGy8Vyv2ezVgPqC7k73BIKtDJqasXRh8eZ3kMpwJ2ALES1WqFL9hwaJLmTCK5q4yi5GqpWGAbuE7f4AyMKoOnFgXb/ClVxfyRaiYmDhJWZ3EuZat0WvaVDzBnLmi8772Ntr69ry2AEXnuzvLNb3tdDeeCef3srsL/a7WDNO6nFuNQUhicQNrpxc0BXf2+mSvmZJC5nJa6/hjjxp57TNsuT6s0Yr8ryZy1Td+uUdLndl7yXAwXL7k/DVvCqMvzM719RAeZeiifx1z9OxAfT9K83oICr15tSH+OQaldiGhMZndvuyuUqLUNmwhANXbdb2ZVbcF7fxM3mpBeRe37aE5U8YrMrAXahcUDfeVczRN2o7PquEDpofNsNWtxsIwAEGt6GJ0wJEZFRkkhFzO2AKSzG6tqQxNf/w2VcziDPdF1ZeoZgBBlMwrrLmBUWCnz1heYEyNNpYZbmcM3H+hNFQq5+gDItRAQt20zKkKNasq01FZ5apD5bEUrLF+TadamSKLs0TV2qCKEODS1BRdnqkzH8BAQVlVFlgC17EVNFy2JjIMjRZFXk5BE2h7UqpEVwo7QXjtGfXhI1AF4fzd7Pl9gyOPGqUcaqZgdRsMNy72+bv0zBrVvex/EN3r5H1rZTf7YIKPwHKtMFyFTfbOcfmdykHMLiE+BAt+2uf8wBuunJkuco71RLmxFlrs1CmoMnrTcnK8Wbxy3yNA5Y
lURDFIS7/TTLc2ATzhWoxkMr2qHNBWHFjdJyRkYZE0gqV/WVZtK2tfuGR7AMQozm68tT66wtUfwb1MqRn0GMKek/KGKcUzx6w0Si72+fQe3B4pcmYtUM0YGb1AcQXJNouC6ZEX06NTq1ryFGEkb5lTmztOsgtWkOFzMjg43N4/HA7wLvX49MXh4P/6y3B79/++YGlpFw7/Ilj5eE4FnTKF3w0T9+hw4D5USq4VdboEMYTdzrWRRcEy/wL+r1bpX4eDxP7/Icm0+et2Mky2k21dmL8Ot3e2v4uI0Qj0CEvVdca6C6Uv+pi1huRjT1mH38hX+MiYkC6/MMhwPDsjdzP1CwKBBZX1THlu9bfgWiqY8gWcwkkqDHhM7JmN9ZHxhqelzL2WxhVBc73uXL1gqN1Nww2d18Oz2r5GuYk1IxsqgD21fAuW6JyrTvEGYXr2CHS+S9QOeOUdihCMQD+yh6II8HuVnGK9DTgOC1l6y5VsBNzcPQwWrkRNJQxaFf1B5dThCF6PqjFkFR0buswEPwRqFnb0SNjpUM0BjygrR2iexwu81LLexKnpbmHjchAvSgX8VJFFuCK87owDJyIU+bV6vtYydeEmuA53KF+mJoWrnhx28IoEk0bMkOUMPyvEAIdLiEOrW4168RFDxSIob3DicKhDGq6ao9u762p1NBO641B1ZK2JGFdQelUZ3OsXofZF1z5DdzrsKlRUfH2ei4V2Pri29/2lnEbe5jmqjTUVoyq44U3UkIzsjOY4JC10KLunrqPbLHAkXyz03OqpM2OKbBM86tjprBy7UAV/D93oRRpG3MB2Jb2qH0bfodj3x1X/qLRGpJhu3tW9pbaMilG9uozNtzA6uZ0t4tIVPsysLaTajueOYBw7GtDN6kE8BaXciVZLUcfgIcqnFq8Txv0ZVDAfRgBvj+oyxQ0Z5Ie7mnKvIN1GFWjV0T9bVL3ELPIh6KvRR53csjGBrpOuIpZowBMNaXdvxgR3x47V9awQDMZMOBsa4AUxWltnBBKZcjTOJQRjaG7YqINpLqGAl2tDR0oRLvnrav9H7X7F6i7MFTCbm4C8e/uS5Fxc+9Jg9/fP9HzZ5Do/CrYrhlA3nsahcyGeFgXFUWQx94LSUytBHzkJDsE8tAe1Yni6zqWA20w4csONKNCzvSq+SwcKiLhW3hbMsfWXwQB8jUsvD9fXVzrSEe/SGie5pJ1R02+5viYwAtiHikvFsTpXUxBqJ6uIljkkUuqofOc7zdztGaAG91furg91AbtzkztgvxJSLdMd+U4k1l+DL47/zjIY9iMI9TAOU6cUroADEgPLM8PBoMN/OafcNYx2jfIXsoR1r98ouRMBJQnUE9YRQLp+gWiHuHX+SGsgUedSBDSQaq6GD2hJ2OC6cUfgy6UsQb0HpXetX/g6LJiweteRDtHqjUehkhHC72/eMDuqFQfQg2tQel2vfs4+0NQQqDTjatg7nSgKCIjDATxs1R1muAlqUeuGRWb9A26t7qEUlODFAOMwQX3/1A7M+y5sfw5VzoOxEEaMq6FHtfbwKX+v5OMrYqPcSyeduEvGsvAHdxRqGlYCApbdrNz5FFIpNNcm1rsdZ8auRhMaf3e1JHA6XsBnzCyZoV/TKJfTRMPvif89SWXGRokXvv7r6niNvflVhhDmSLspWopK7VYYpdqEK3ZL88jdeHZysRmiUWtvBPXbsTXhRhN5K8KMWMzNnu9VlbYwbioLDPC9G90oTCkg3D5FntV52lC1TCLy/feEeAn50ZtCF+Ic3xVGHIF3hlVcyh2XhXaf/i7FCgsJ3m+k1lCyG6ISHHaFA0LoaHMJGA7mui6SK0Yzr5O5w9ozenXhEx2TuAE9c1TxrLFFn6aswGI0YVJfGxMq7FO7/aUA0+/sxE2+dloqWbCto7k2TGV0vhaV66bjsWI3aOP6xy8u1zbR5CQ//XQ4n1fChNPcP9Uf7B0OBmubDTHazjT6wrxUZsbVI2MeITyw7oBqhPKt6X
Lcx+DHNTjpe8hSGEgYnR2kUuRbAZVRTK7uESbseusoQtLJ1QwCDGTk+EKkoG5uoeySgtLpnDq+JGkzCv0zxi46vxIUTqlzTamW6T7yKMZpmg4CxobGaF4jkyDcuIDI9humDZ967OoeniWsCoEh525ovBfgop+xwsxao+OR5C79KmcP3meLOMHP1TsVYHiSIqcpu9M+ucMuqbb8J9kn80WHhQJTbO1tPxtmLBv3J3vjQX93e3jQP3g2GfR3abp78GxAdw4m7H7rxfPDhNJamdAXlH6sTqjVI0rNlE/qC5ER3Yl8k1KgNU+1yzSL0q3AXVrvRN/wOHxabm+eLXsy39Mu3HcL9ykZsPpw4wczuNgh8Kt4ZB9QXo+lZTuG60mTRsMcUXYKMr6pVic81AproZPn2R6lu326f7DX3033Jn26vT3u7+7uTg4G45003T5YFl2j+HS6lOfz7koTJ7WMuhqLueGXT+F3zzun0NVKG95UxHfTBl9Uz99h9rxpzEx6d0jUQ7FbYU7y2mWETmiv3Oap96KrT9F78T7IyveEfA+i772wn4pyrMsxfobwSFD+8W+rkSn8CGfAWpcEXVL8cRdU4MWf//uerOYjbJvdSIGFxjuteBTILtZkbM3CenC6y9K1v0Ksvs9LhZJ8KPf98fcC+oq7YifO6owuTEC/gStYf0D5xF//NxXZllQVsqQWZdtznWTC7dx4gVOe+Qt48qqKcvj1xdmrf/pOp7pK8XWCXW8m+LI7HNxdRyMNFpzE0CWAZUjNBj7hfKii0NyFzpOkymJM+CfYa+svqYtWc8FrOSZG+aE77zX9BVi1xBrDyKEFMBwgeAfXEYZKDZZOW1mZlKrrGK5HmC+2isKXrjwfaK03VC0szxQ5NZb3E/ITUxguD92N2IcZLTVcHuauFgvKgLoSa5Wl4CDncR6oq918w3pwkwq9AbIeybhiqZFqYVX3VC0KEwdWoOxhPTLjWcZED9Iy8F8p8kXPKY49cqu46bi4W/91zT+71iNr+LTvE7BMXprM2JXmU4HJ5Bmf2gOG5lalN7NlHK2P70qEnaNJmKwKjOdTNMTcBcTdDUjieLaAhfZX814Aul5twe4AczsM6RvHgjfKPqkg3MX1MKn8ZkibCtyOW9QZ3d7bfyTpMRXqI6byEupfFLDK4e7RzwDZq2iptg7tdSuJHss09hMX09WpJeuNpnnL8kmUaxEyxkCmR8Vb51SUE5qGegG0uvS9YSKTKql5JoNhHNsCR4Xlqu/fXEBniK7OMfPEzsmSD0WawIXgY0m92kT9+6/RaincBEHpJvmkxBY7uZxO7RYHsSenihYznvqKS8HhEY8Kmb6NYDqjSm38fOQlozeMlKJy0nHfLAZfrV7xRkQ1fuVtoZqUwqWpt1cMuplcvXt9+fbdxeXpydXbN28uH7tkJZZObhesfBJH2AUOXwtbgIxLFGVNxEJYATmWqpC19JqHYmYYna9409spnnLnw3hSua3tgjP8fnfaYlJt9DDoAzf86d9++scvB68Ojv7+WNJ6h/AnKH8ndj9B8mEtHzQwBx4KdiOEwBbMMYLTsn1EbA+2h/2B/e9yuH04HBzuDJbPCWjiZ/fnUqrtPSfe+oWRPpYjlhEd+x77OEdc8vd6TZC75IXr/+z7Ess5HhwQ2QJpnVEycO0WAVoE1a4SrJohZa6r0JEbli+wUgYqICjg2irep5zNIBQ/kczdmgVePU65gTqekY7hSyP44h+R/szIGGulu0SGaEE6xTqtrcVHZPYD6dSVg/0w4woMSN90A62hZe0pSH1CZqu9X7em0ijP6KnMv8picsYqVsbA6kDdBiH+Fnr2wzBuAdG0Kgu4/xvN7VQjd1XA7V5hmowAiyjUyWVlY8K9ZRNT6d/20R7RXKRhOH8L4eH2uxRqSzbyiOMaWU/e+AEGD77gejBhAKhlEmS0DqK3BlcFpR8/TkFwZlAuQXTFbeXjmnGZ4jdR8Da09HbXVdEVUgvDrZmcsy
2ae8oHTO1wVzjMpyLbydwnCmx1bD1+D7b1Cy0QzP4sr7RM4SNJO9Oeojz3omAqpZrhAVC79oXDNQ+BJHGD9mWlEssnyZ+jA5TF5GvvAmVx+Co7QQHg/87doPJJ8qV2hLKw/Um6QkWofPGdoSJYv/TuUBGoX0OHqAjcr6lLVAz2V9opKkLhC+8WFUH6pXeMsqB+qV2j4j5KSwD379w5qvbiV9Y9qgb719RBqgb4F9xFqgbnF9tJqgbl19FNqhvkL7ejVA3eL7arVA3Kr6WzVCfQX253qbjf0mc6Wr/WDlO1F7+CLlM1eL/gTlMA51febcri8IV3nIqjmg0Tq7RU4YYozNIj7EOal5m/dMwZhc+ZvKfASHBpwwX/jOoofcIPrMmGD743VCXT3zd74OcOY8JsUJFRxM7skEG/sTb9fa0H3uw1HGGtI0+8cPI3RKVKdd0R1vCE8SgwhSv07yNT4LqqGVcaB6QGlg3ovxFoW/egyJe7tfFDh5ACuJJrTtQaPQzqZiEuzpbmt3ShYYGosUvrqA3T+JBjGNLagsAN0NSm2YgFTrxrDVfOEBJWx+P15YuLnq9DTaiguZzK0qWakKMcMlkMQ0fUhVGMzsnG0cnFZi/UIXbbIozqajHCo9AbJlyh/KuEMix5zjLyf54cXR4l5BcpWHJWBWRg5bG5dAnPtVx4X5vDSBc6GsrXZfJW5JJmcb1ncIoIZqDm9tHJBVyy+VoeFdXdXZtU80MyOj58X1Aze2/kewszaNdhVxxqOWdXgUlHSIFR49swsrvTq6rR+I1SVV6o3kqwbUt9wlGzwF30phVLMRStl5oPVw9APErFHWWeE4u06xyT2M+jHl6rxldRwHjdpXrjRYysw49Iy+nKQn3OFZ9TtcA4achT/PHsZPPee9X14WAwrN/+VlHWq4YwjrXqhK59G2oPqWSe7a0IvlcnezhFe1I9o8MVzXrx09HwnmmrWNgVTLy9t3/P1HvDZfw9j5x6b7h959Q6Y2xVTHhxcXJ6eh5NvcSm5WJ1jR7O7NhV+qtXa/D0qDQXnybS3MHbe/s7Bzv1PTznc7bK69ZXZ69O0ZPtAyDi6EC0NeOdTaTyR6Oc1LwRhJTQQManQd7e3iacCppINd3Cch5gcGzNWcZpH/y88efkw8zM81/Pjl4fRYfbhKec5ugV/mfPRTX4K9eE/Gw1wo669FYVwGuGcc56tfRmbJUQ6shGqId+R0uy0nx1nPTKMlJMdi6ITA3NK+6inUl/64P93UGDhT4xaKojZioEO1EoSwrRbfXNv0It+HXjsHGHfOjTWlkXvnYwRua5OKAWybyl0NTm5a1YWZwGpobZCdZB4VaxH/SeU9PqNk8H0mduzvrCa2px4FyvsXzBtOuIyqqZb1kU7fSwqKytu1a8YJ8j1uj4/F09zshQNWWmSsPsjDVaPtCogIzzgopVhdShYQLV22GalvrX8+mDEMvowlr6GA/awOuTwu8LlkSArRrb6NtHIntOq7iFZZCzw684diBgd1O/J34gZvvJTvJ8fzBIhs92h3sPQJHPixV6xtaP0BnmkHK32FDfnJyf4k6z1rWDgvT70BEPHovbchD7S6O4e9RDA4O4OcMyFIRODCSJI8VcKQvlWi2mMmNYIb+SZooKHbKLNBZX9T0bfP+FW9f2gIqpr5umaHDNAPSYnVkPIVdOPaKmpphNuGJsgaUpxrmcbmGt575VLaxs2toeDHe3BsMt8FNwMe270LM+EqfvchUTq7O17elBun8w2El32fPt7aH9kKV07/n+DqXZzn6WTR7AID6i5Qo2wwrVirATPkWaXZwfnb2+TE7/cfoAFF2azarxctN8Cn5rQVy//3B06v1Z8PlNKOB6gSm3yxLg4TdgHS5lO4jd1mCQ1ByEUXAzKgnoJMJKRVyTNfvnWpuFh/s7B7s1QPGYvvqqVbBLVDVACYPSR4s5VOb5bM3wYbXA6NpA3su4goIKDpLNFs+F6gehFNJKq31AhZyzE7
LxDjxuqqrcGWXdbVw03HGoyy/jlPuwN3ieUOeW5jco0lZ+q+VyIqN5XcjVxsXR680EbSowskNZgK4kUVqaGVYEpSKrpSLBko5LUzm/3WUvOTv3N+VM98jJ6wsSY0zIBnQi4XmWUpVp55Znc8rz6r02Yb9PGLY9SFK59D0t0B56OKsE4VzlgeKJ7+pIgdjdOH4NfGOBgDzgiISBuC1sXft08PKRn/h0Ro60LhUVKSMXTN0wRY6PHkeEUpiVpd5UBIBZyMbxJnYsbeL37uIxwEelDli2yoU8iSdy63jymHU8/uu7ix5581e/nmci7ZE37/5qNbKoWFiPHL/+6z1rHrbOJ619LlOat8q5Pvni+2m8vHm52VKaLHtYSfF3zm4fg4lUUypcvb0VYxNPpcnGm0/YzGci/VRkaX5VCr4qxbELZ5oTO6NF/d0jcG8w+mPw14ZCDtUVKK2rq60ejk47HxbDxvnCwXnZIxegupy3WPqY5nwileD0QSgKaa7AeFwCp7u8tZd8DtYeWo3N7G3ogAS6NJiiQvOMKSzuxdsZ7tuD7UF/8Kw/3CeDncPh3uHO8/8YDA4HgwdjhS2eVokW1sxdAqXh8/7gAFAaHu4ODrf3HoESlDBOr67ZYuWVgY5axYB8cQIs9wCQ2JFbqL69eNi5ECGVlupmVRvrEqsY3rAotIoRluf2gdT9VKEVlReCxNVw+HEdFUry9zktIgiuTbG3PXwsJdiHQgr20GyjRr4gDhEWMGPgum4sX6jTsQRW+3t7O8881ZftlPUI7D/RNof69tYyd5ZStKq6oCla7Ny01fvtwe7SpSkBZs0Up/lVLbr/qRnXtZXFqapy/bqsuLj7FIQmKKEKfLqImjNO4gbIsPbFjLp6+D3C4yBXdBD6AC8JplZutRBrL4Us7DB0OqOQpara1N3be/HDD8+Pn52c/vBi8Pxg8PxkuH18fPQwaREqXKxcAkbBVRNLyLjkUiizEUmJn1nVCRzvpANR8OieQE8vLsiPkrykYkqOoRqTC/pcJOSCseAtnXIzK8fgKJ3KnIrp1lRujXM53prKYTLc3dIq3cJyTluWMPBPMpV/ebmz86z/cmdvp0V/DNboP1Q+OyP+j7FcdTBdPRhNrDByNpnmckzzoOUJtvSFRwPJP8Iy/UTD1AP/JVimrepkzgWEff3uME0vLv9aqa498vKvF1SQF9bo5DqVkenas+ZLAobq0677F2OV1jB/FCp/tFl610atLeEnY/YF2KANRB+Gy5/ZnnR3uqtVi6IEYzup01NaXLdzP+QhZpXhZnN1nX90f95T1vlHJn3R4hS6+yi1cDHxUKaRVsFeUAHHwqoYVtSCIHEPaa11ASjjUybDK3H9R99BiGErf4zYZukMFMSqMaOF7Ozca3tSudtj1ddlUeQ8lOz6pFL53CxWVUnx2AvI9j2nFEYxWu+riC0imDBXaSsw7kngubyVfVfdKG0FWobZ13U3zK+X1rYqRFZE2Ne10pRusjbAUpkZOQJbgDYABLXlimu5KlofO83o7OINELutMBx1grQqVnTgdK7sMRW0UVXMb9uPgDJl8iouJlKX2FJMuSkzrBmZUwN/tK+i/pus5VKsHZL+s51kf7h7sDPokbWcmrVDsruX7A32ng8PyP/UrwFXmSX0zsoYn/bYiFqigTQ9X2cOm+LICZkqKsqc1lq3mxlbWJnKUJpGV+vH3jBt9IjlCqVvCp3RdA/vSHMplbOZe8HsbXcSRfDyKnkZ1dUeyDk8KeuZYVVGDLpXuLCGt5yDeI/kd/uCfyy1kaKfpbV1KaQ2NF/Vrlo/h+FRfDVTtmAtPLi1wpzQd6HRtChqqBxaoo4ZuRby1rVssajARFKRX87OYwMHWyhWVeBvecbyBR5k3iaCpj/wsU2757uD3aU9popNrRKyQmH1Fma4T1b1/3bcBdOKpJWDp1NY/a1kY1bnue6Wbk9zZLrOjuR31xYsZrJe0FTOjl4fRc91Au4Ooq0jNYUjl2
79UDIh9dURV+wjLXHbGUlevwtf3N+3CNOMnJpnpVFH90J4RldNCRo1DZ+2RVEm55SvLE02VhBC4Dr8hYSAJqFz5nqLxt3ba+2WBXl5cnRu9/8RNoGvimEi/HE6XEiQWVV0jfOf8ro7r0JKYoYMZsdsha4Un+vYjGkOACXf1XOZYr79yf99j2HiWzp4tq04NWo9ys0t1+654MOMW5DiidoI7YQmfsGbqbyjzo7CXHcY8upkrwcJaZsES/IwpxIk5CjLPFCT0AgGw1PdEOMFyeUtuJR9YH4dRDzxqfewYh0FbBysWUEVlCd0I9P66bWhBb3Gnmo9gs2RZ3Tnam+4vRkQrHK+q3NOMxPSk9tIw8NRWeoSOvPcBLOXEgWhs1bPYQL6zWKwIDkFFaMfrEQ3oJeN/6I7LigYKRCkMvSYy6rELgQRsnvDLeXCmZpkw+ToqS9YjyhmJ8N615tPYAR+7jTKz59B+cckT/4xeZNfSMpkEH3SVSz3os//fW+rLehr1Wy1hTfXudufVmxwoQ0VUbvj0+MLeDf53kuozi60Vl9ut6aCSaWotp/XYaAV1YwWBRMsAx8bqLpVMMGcUV0qrEV3SzU0kRQJ4OrCIuspSDOqsluqWC/U1pljBWHdIycyvcboCkO5ABPIbvz/LMeQzg9dkLNQmPFT9v3dyUpPojxWId2ujkQ8X1c15Kv9esR0WpRJqel0mSMb+slnV3d3qT9nypqUkD4FZwCuHkS0hMbv7h62artun4bu8TXLhxs8DVzvbWxdH6lRFynNLd4TarUlS6FaX/tIyzqEPygxtxLmAR7sxbe6Ff9Cp50bpujUKxqVme1e173QjXwAkA6D8aURpqsYpmVNsIzr60QxmiVxxu5jr/SNNNUFuM8CJhtTWk7ZJnTqsodnyrSelNYw36DTqWLTqLsAQbrTPAfQ9KarcB/KsmDPOJLKPH9gxT1AFXuDrR5XO49h4o9E9/PZIWgxyEkkNr2U98bIXZZIVU0ed0Yabwk7yPq6vstGCSNKRV4z88PZm4ua9QIzYaXY9tgV0NFMYUSwjlzyi+ooUv/m9eWbizfLLsWUyeQLcscDOH8Wl3wdmS/ULY9AfnGu+RisL8Q9b0H64l30Fshvbvov001v1+abq/7JXfWWrF+iuz6C68tw2VuA/vxu+7oTYEWUX//JjR1radGmOjPOwKtyCjW5nTmpOPKQjcAfaPeKYqZUQnt/Muiozjr/iKv7afBxfm7UjeMGYkc60BHNVuOLJJbwSs/KRt9nPVxjzBkVXEwnZW6l5kKWijBxw5WEckrR8Kd+yV2EvcKYc2dtjsaMGqy416RC8REq8KILT/CN8KKZpBl8kjRdFbOQV0fH8bSBAhZxIY2r2Y61q0BQvn1xTJ4Ndreh93E5nUKt4kNyStMZkalhhmy4NmY9ctAf8yqx2tp7m9jt0mm2zstwK8mvIer6n2TGPtCMpXxOc2wCqMmU33jfOaxpZcggn+PEFJq5lcK1ZObCsClTCblAk5LfuAfx2sv51l1n3jDibFHMWMfhuf7r2mDQHwz6e6fw705/e2etR1pf7voG2XffszzN8r2+d59D/JZLG4YdHu3uaFe/E/yDc0l5vQUM799KmkMpqjBmZCeC14+iBuRc/ZW/qNSW5JCuYJU7RexSZtCvyZq69eUz0j7f2ESudX/CplAT/ClcD3c5HeAKSZbg6aR57qcG1oEmKq1O3iCKnszl0EC1oOk1W6pE+HLIuvG+OHS5WN3SKpYyCCX0SH8huK56bQPefxC+UicTOuf5qsLN31wQHJ9seJ1NsWxGTY9kbMyp6JGJYmyssx65RQdZuwAGPtmCu8zzp4P6M5chad0soISuV4ILFamcb6nb9UVTS+VX8l/0prW210wJ9oRUuh8HnC2ADYadoreuUUML8t1kNxn0h8PtvruPbkL/tL6HL2OF44qMjlB3Lek/mvTwESGfaz39fG7vpkwYqXukHJfClPftV6pueWu/rrCmzv
o7jdJw5OYZOW8D9Kc2bCoV/x2fkE0kuTCyUkwrY3OsJM3ApGIKKrCCHOON4kr+cc3IROa5vLUjOwOmXlSVbPh4ErZ5SHIsPj+nKVBU8A9VTuRtq+3sGYL05sJaP+vr0NMD7+fAGeNMKReHkXO8f2P19uP2iXGlw4Wr5ISc54xqKCRJSg1OGXvWyIL5PiWQ4olTnR5f9CxVCyULqRnhJvKJucL1bS0c0HzAkbTain8tPl9WYA0HyXA3GdagbXP109gJl663XsNGeCEVOc5lmYVbG3+hhBkZcJXvWvlCRaKcXzMyMtvJnGW8nI8Sy0w384rb2ldG4d6+h61pwh2Wr+AXZ4JUxnkYsctIr9sKZbFkRd67lKoLlkqR6UohmlFNxowJglFr9WXb2d6LwzmMqUVg/nR5eQ5/3x3O8cLHr4WkGfsSduyH/OYgf0qVe9mjmQlNJDxS1tJSuRcxiv1WMv0EsZh+oLHMFo9Rzz/aW+siri7XAJ/ArE2iHxw8uxtEVz15CSB9Waw/5gy/dJY1Lve9+P7E8lySW6lcs4cW3itYlUu4mtf3rc2GBRYc6NjzsuO0Hu7udC/VyuJg14+cv68ZCgtdsGq0Bse+ciGEuZxqHx0S1jLNOTQQsThqKAcF5U2hpCj1baHC03ZFeVaFSaKkw+sYIqToa0NFRlWGYCDRKn/z6B/9twhZ/+ykahQilf3l2AHKpbC/dlRU3N5hu3v7z/rs4Pm4P9zOdvp0d2+/v7u9vz/cHT7bfUBAi1+kOTMzubKFqq0FTnVfN3zFwHPFjT2PICo29HIJfXkx/LweHTH68fRyVB1JoykzvivKj+xyBI4/ax03i9t4Tat+x9Qm/Pmbi8tu6q24ucD6K+7KCga10u7HpvyPKBqipuYlhPLli3rg35hq9Bb4kzpqGBcLqIqaVvFzz4+O8YX+JejIrg0uOZbzgipvdc5jkGkY1Kp/kdIQZltf1yQe1o3qFZIZywvnuc+YYanrCaEYNZqE0GtC5lynUkz4FLpPuU3dXkk+p1O2NeVLF9D1NFZswpRaWQ7wWzd8xYrx1mnJXF9bY5zLaVwPbKsBuy6k0Oyzn+s47bIHewzk13qy34fx3Ue7x/xzn+0O2scd7g7oP1r0OTCeTvZFS/iEws+N2iH98JfHiL+arAujOuXlSWSeI6421JS6I4rh01us1vcNTtQdzLA7qMdEr9a4B7jucqwNwXivGiE5H3tsDZ7Vvrw/Jy8MEOfl+RpniqVSWcUSLhKwpi9+rM9LauY0FOhWzDWHHy+wTSyyhktrmnDFbmme94iSJbT+yCW1myOnImVqM4xabZMPYZuEsWZUZOBBouHOIZVCuOsDQs7c61TbreDGpMQqdXk0TEUCBM6PpZnQUsGtBtEFFdDicBP3dAyHv2jpIEVH2sOnW8o053RVtaYD6+AseNdRrWSV2tfrCAbzq1p5USzLzn2bI9RxgcQcdOAekaVxHxTJ5r9b6wgi0aolEXTe5cZyLy4rTVZmBlb0OjtpEqvG9hW1Ll6/Om/tH0LOTjpOvqVNqRWGOJ7Fa8Hu5oh2SyYz+wj8VaGHaSy/Xro/78lNOmmlDYFNZk+yXE6ncEKxdEYF13PLXP5LMKkt9FGNGDDKq1QlKwCr1fpoulJrOjeul6GpNRMgtHXLqtV+/iiNuW5H6oXO5TRMNGbRkQb5mWRkwcXHku9HNUT8W1VnNOn8mJA85XrE1jG06oVFgmXx+N8HW3ZcGqKoc5qSEcL8/QjSKYXzpp4eXzjyPUFCVOj/uSqtrtXCyhIcGgCA1YO0Si2zW9O/caMZNux9Pa6W6m1Vbf1JxQ3klmqxvm4wAwczTgJ8PZJJWK/QVfU+j8HWDVVbuZxuTUoBnUB04jfaEhIl7m7zpLcCb7wXxWIV4qH9MtQLOAXaOM6VMaXc7YF2BHJDKTC1oFE+u2EKAppNo+QsnN7C5SZPJSQGItvDIHjBAPvGzZtJhquCG2th364U9IUswRtXlCbebW
GvW6nkgSHQ+xAVjQvc6v6nzTh3Tc6ZX0kUSaNbqsSoR0ZMKfs/HP6pdA2ad3jrmFLOPxGJ2mnTg/Bk0a5xAChO5E56exa6Vo6om/kyuaUuQQjFGyseJc2p9gFcXHDDXYpgNQPoDs5SoSQttZHz7igDqaa+3wT2R0rGUhptFC2SH/ynGrHQ4QcdvJKcN4OEHxxCY4eI4mhqjRgpF95+czwH4RKIuXM8xrlojf3SQHV3+048VpkM0eSBp8IufN9VUcBfHYdiIq7/e02yY1wguOFTg+9Vk3W/YscFmVD1o25vsMA3yb/oDe0keinSFRaPbJHcTWd3BTq7W1T+CO9wXwgypLKDmFoCfuwdfxeUTtrNmaGQsxLLcpemEp2BKD3n3MRsccOpGybc+GvGyNsXx5rs7W7vWqR3hvu7SQf8yYSmPOdmkazClbAeYegqPxM/Yet4A2zpDeU5HeexInCUWnsbdoqMsLJ2t0XrjoxkKnzAcZV2HIa0727vtBl3e+deGq1QSkSUsid1Hz1iSxOrgQekMD3rwqVQXKrlitA+bKkby+znaTP0I5eYVUNyTQ7I9xVx/iMoC0kYEY7SUMjcvq+gTwNhHwqWurt+H5BNHfc08tOfDztu+nb2usgaAHj4NvrojglK0tI7pqY6u6MFCtRDY8NIYMTaYlW5pzlxJWmASk1n1dnJxWYvVgytZtcC3u3MqbSEd/aS/3GU3Au61TPhMPN6pgVWGy5SE6mzVt+0Go8sUPHLK7hTWaBN3tAtO0FpLXmnTAgLvmrN4Y9mhjBhPVNgKSYA/+QdHBDZFX/g4kdQtNb91JkJjQjy2CfzOvrqI+WyQvx3rXAMOnLn81I4IwAtcHnDlNNQaFWlBsIR/Dhx4Rddc3f4SPfHlJnxo/sAKDdsM0mUCqcmPUGhl8oAWtU2gk76Ua3kaErsgqhueAqabYhacU6GeMmRl7wjPdBuA/l0K2PakLNz3QOHuO7FFeo1mGO3XPlWF5uNKD1U2Z2+jVwRAWm3UgXneig5EMaoucraMRkVWrq2yBE2Y+ZjOiodqSLYLRtXVLKkHME196hjpJ6LS5zQlI2lvB7FoQAjc2tVVzVqhJog+tEN4ZjFlW+MDBXbMOv4t5KpBRfT9p6lfF7jro4L3JZd/5DL23W8vcVbW2xuzJRCR/9Y2i0FJT4asUlnEzJCNsEb5RFGwFiWscaHtf3998olT/fIyO9j9xNqMbyipi7nHYfV/kGNAE64mMXVKoO+fCdq70oVkPXvkbPbAgvE4c6gmtyyPHfyL+BTKGlkKvMqjb4uGqM2QsRImffpVEht7KHoQ7uM9Lxeyf9JXg+57u4cHfVCsQyS8+nMbAXi9XkGRfQ69MHD2Zv/0K93f/qPVz/uvfqvrYPZmfrH+W/p7i9/+33w19pSBNZYgZ9p7cQP7hUDvzWNopMJT5P34q3vHMNCeBVV7PC9IO8Dcd6T7/3F5ntByPfuZhM/czGWpcjwD1ma6C/uOjG7lz74v+KRyfekFMDc78V7AUJ5TovCCh4QU9o7du2B5wyguRTcSOVLrrAPphcP2eHxrQLToCSOJlBhw1LlhrPbnqvpGDJXNXm/5hFei4eWirxfc9ivJffC60ktFSmY4nNmmGrBH4/tUbkf/hrgzWUNE9Xo0YkcLtNaj7xfC4sGf4VFW3PY+mWLCJG8F5V7qfaKczClSmqYNUBEYApoGo+hflyjGyqGFHqFYe2NhgLkjTBzK2EJNagc7tI7TJKg14vmWtaGRTArTMLktRndpuiYy+emx4P60fzFSATEZRVjH0XUu8yQSZnDt2cX5/YAj4f8+/nrcKKGeP9kre11AlrWxMhEqluqMpZdfUp2e9W6GO9gIidk9JO7FSiU/NCOnho+306GyTCpe1U5FXS1XTmgNMS5Pyxeo42/4QX57e1tYmFIpJpuUa35FPIU9JY/XvoIXPuL5MPMzPPNyhy5cMcKKCG5a3Li39Ju8WnOp8IdaKAbv2bmRS5vMW
wZPrnsgjAuRDujdl+69IIunNqt8eqEFmIpEt/tf3wdUmIFU/FFL80ydwK7xB/L+V4ducmpcA/HzuJqb0H8jGBqbvns7y+PXiOH/dbnov8bfmEoXg9zTVzpgYQc5VbJi+rKITz+7tBOm/AMyAqf3SUjwB7B1LjHtbpEGBLg0Exk7tIbZAAsGgQp2p17MNhOhr8RJlJa6DJ3IRpGRmIeI2AalvAvjF33yM9cMT2j6jrZDAT/WBCGRSBx2K1oxwDN26EYtXCd1u5eOsoiwmCFzpA3zrJHZO4KurgTnQeGxqwQEagTMeU3TLhkPCwoDRlFznSo6lj5TddE50eI3P6ZT3gN7M6k9vsMni7jxmeyP8a8ce92GDjVLx0mjv8xDOmNnW4jZ7sed+hF8gr06nUXLffm4v9n7+2b28iRPOH/71MgtBcnux+yROrNliIm7mhJbitGlmVR7u7t0QYFVoEkRkWADaAksTf2uz+BxEuhWCWZIllu2c25vRlZIoHMBJDITGT+8hR95AlJjaV2H1bVdYJwwhmeEuEJiqo9dPCebxroJmHyBkIDN1KO6nOKfV2cT7t2b/B1SKxrj6YHXMgNggakzVAmFcFJYKz+08wTnjoPJZPnBqUg21dZMmkgFU8aiE7u9ps0Hk8aiKg4el2X/FQ8I76aKkPn2Gv2yjb7LNIS2DVyCBqvTiSJG2hCxyCWuoSipy5I5Xu+wn6Ey8u/sNtR4NM2Tv0p/N1T4OZBcuYswjlEA7EHMmno2yoz0XcuKsK4CQHvJu8MrUisGm58k6BisgC/OmKzaEFb71tfMQYfRRZ72/maZ5/54jDNzaCYxcRAJllWwenzhcalDH7FkcjY/AJAkg+Uni5ywGWzGOvu3UQ2ILaq/SvwlilTIpM2vGwu2q2JAH5hXAcM5UzRPLxgBza2qR02JCmYEfIMUi7B9i4NraXaufjoixb+V648/P4MXhZwmj7xsGB1uEuOpgOEma/hAKkbPqXfF9LlhJq9IXO7+wl5Axd2VJPhIWgcoY9EAkTcHxnJzMDo5OoMIPqha7n0kcaJ4IBIlod2/DC+04cgJt6RVyo6eUCi3MlRdwWvISTMmV/Mq3Nn3YJYoRE3blSefw8R+iCZ3HjQWjyAZOIvDK0VzYYADMZwCMVNEhodTF3xgws0ItQ1pQRYjAsRMD+uq7mddalmigrcuxWUFmhHeba0AAX4HiEYiCVkXuVvwb68QKJ1KcGz/aWSDH/42oISx99nsUGJoe/ZjAtZ+M6tuRJTZTje1UUkrBZ2iLzulcCHyJ7g7jEdDGUX+QsgFgRyG4t3he2RdWofFRroxEba8zvo+OPvDfThsoHOyFB/Qjt6swK9yPopjXtmmPmbs6+bGqybGqybGqybGqybGqybGqybGqybGqybGsyHwzDT06Bo5+aPgiuMZDh/v/ZQhg8sfK+xDIduvQ5mLIOLUBLiDx/NKLP8vYczHEffczyjwMMPE9BwXH3DiAZlMR+HST+LRTRypAhsRp25Lay2KkUzIIrhB/1KNOP44+9zS3KxBMA8wS+HHqu+xWvqdFNoclOmwEtq3fRmZm+ssOnN6vzioxxd4Mm1dLn78EFYHgtQYJKhFA9vPJdaWwRbC3Jsc7NhkGfv+VdO//Ko5xpDMoWH8NK+LENcDDGjf866hKcDxHgImAB5zoQkJAmh1y1dKRkoRMYTVeHItXuQNtv9ubAQ67Yc9g8vo2nDui3Hui3Hui3Hui3Hui3H99KWYyJ4ksXz4BAvGsizMzxi0MyQKLctsrvHByCC4rTeChgXGLOT2bBX0XSvrX3JqIj9m7tNI2JeKCADb+zqiYvmvLDtQdFEEPeU4ipr8pGmEyKjKrQvV/skQkx5Z/QB9Fci4X8m8D9ggMEPPE0JAISZ6Jz+KU9yq6j9LwSncnxblvA6UMJ+gYHn23Dd6RgzNRPerjy/KyHNb7Xg7syxnOIRkQrqF+C7Ltt09vdf7b9iUwGDCiJBjLPtCqV865rCrE
7HjTGDXrAC4VihbOLu+OWACWivXr3YuTj1qtAU4Ht4TCzEFDmzBYdVw34j3LX7ROH2vFo+TjOpiKgzjFR4j7fTPZe8TNRlPX+5PHPEacE7UdutswzN9e6Sq9AxWUy48MA7yaPFdSw8jI+gu60+r/m+hVoefAslwimOyw7VbdYnTWMZzG2yBM57XXdsMAXCg4EBjbKxQgOr8WrAhfFymoowzFRZIyLIyVbZpMJqt6iL8/LsNOK3OsFuPquaMPCfq9awPoZI1ZzwpBkn8f3cZqfnp0Y/xfVam58XW5Q9LxM10h7eou7EG8vLVJzqYyMYAXQZxsc4gbBFyrNkwDOWiGl5x+VfeZq/R4+Zv+Bnfv8V7KNwHFc6QJjQegIsRuNUBW+yOSBRzMcTzFy0jAubuVKwNmeyPUIwJOkR/EcknQBMFBYCM2MsDGiqhQrjQDc3FxykLCEP4JQx+KALMHoycn5Wge1c2/PUl8pmXGpmSaLSZbE6cr51ECjcaS58lzu6hU3svdJufvc83Rbik8Pz9siB1Zt2NuaxvDH6XcaM1wHjrwSMv+No8fetJVYcKv6O48TrIPE6SDxXhfRLjxCHEBh4SMKb/iL41ZMXfG4tPn6/g3UoFU5TkvhCXzero+9UuREkAu0JWWqlodzX8gxRo4iCa0XSP8NRIRfZD20JMWPamtt8LEg0hS4vcWDmLRUSE/GIKhKrTNSlNOxaFaYqrfrD2/3efhF9oJ/RNKk5XrfZsWepcjVBPWkqZqM1frvkx9ztFv+bAB/EY0JpLUcV6n7omAoDZgrhCQDLuSEqACAHu4M35O1Bkuy3+62Dt2/77W1CWq1W/+Dtwf7+2/03b9qtOJn34McjEt/KrK677cgOXxKW4xA8ljsiDJRq1ZW8/7a/s32Q4IO3BztkZ7d1cBC/Sd7iZC/uH8QHu8XnmWDymjg6LlaGAH5aUTt4yj9NCPOQzIIPBR7Du0mK2TCDqCS3W0pCcuyWICnF/ZRskcGAxjSvekc55kDRszTi7MmY13bPn7IEloYN0YjfhwxDywK/orbaL5NENKEcpYGGKe/jtCQX8+sqRsg8nnKCVaXZd6UVImCAVdJXlFxKY8JkbbbRmRneNpfKY6YhZe6wB3pCm1RYGw9C2bsCZGosDDNi6OwLPkbdi+PfkJvujEqlRSBCm0NK2k9JDqEnJ8kDwOfZIeXW67Ke6UxwPCJ+4O2oVaN/UHlFBFPkO4cXDfP6+mVdYDUykiysGy1tqLD3VCbFFmz9rSOSplhsDflWO2pvRwez/YEBfb22gP0HPtYkmyiYnyx8IvGWDdivVOamiu9Wip5oQOFhdbnWZXozzXvfaINnDq6f1ZzC7ZhC093yPbK9vdP+Zs6RC02XbQFIfLT+gbNDwy1merJNJ6ThOtCpES5+xDxq5U8QEJfwYDSHSEzGDZRMbocN1BfkvoGY/sWQjBuIZfDrf2NRPvNiMvcLTb2WmFvQ4ixhN9jt6CB0Cor+wAn6AL18F/EIfjV+ILrgQumtj04eSJyZH19dnLz2rXy+C3P76OJLYRqksBgS5cPE0OWpZH7v785tPRbC97UUkjAo+oRpChkUpjWgBddNEFbwKZoS6PpXDuzQWHCt9dARFxMuilBWX2GzfqvSs5qUzctncnqBw+rsr3Cmx67ZrfKszfhNz2RrP9qJDvZbraj9Zre9Ny9/dDwZYVlbU80cGh+cmzEg4Bts+4sT24OtwxwVqNmEBqLwMRTQhfRfbM65S1wYUDYkYiIoU6hPGeBtw8M0wgNFBLSp1uLyfS5MU9KYJ6QZtrFEFujTubMSjTAUKcSZENpqN8apgSGMR/B2Buj5SmDvDgP1JsL2Vaj9+/v7aEAFIVMCePv9lA+31EgQrJqCmCaEW9ut9u5Wq72lBI5vKRs2xzjV9kjTCKepJ6RsGI3UOC1fVK14/21rJ94lB9vbbf1DEuO9g/0djJOd/SSZu9+666PRg2NQd0mcFuQyGqx70Tk9v4pOfj
uZl796kyk9U1UZlc9kbsPr5+uHzom7heHn2Ye8jae5D3iPXYWyMwyCXz39pD1XpNBNUf0grY+zf5SGHozQCcCizhV7x0PPHTccoslWsBWDbrhjA3gXmcqpGzf9hCY3iA8UYUgqPJUuJm2mQlRJkg4QZn51NVcTatSM/qDxx11/AnjsMuTmceXl7JxhXRXKmx0h8NTitoPwsBhmAAjf0MIQysfrIWOpL3maKeL6IOcqckQQ8YZeoOI+4qlWyiaTwEhsIri2pqAQnCp6Vyg3r6zpAr+wT9mWlKONBtpopvq/M0mE/t92K9L/r70/W9Sl5dYDIInnOUwzkQjChspfUW7P6LEhVWI665kUCqCCLgcOKta2wdAc63/1s/iWKIQZTqeSSsQZGvF7P+RYm21+TdC99qe9UlDcrFFwlNBHuE38F8ZG/pj5EakNRxlDQmZyQmPKM+l7WpWX4BnmbEJ6kg4Zhrh0QodEqh5Oh1xQNaorRgo5NPbCQ34ybwhoegprN7NgBu1XL5hpnDbMqBwhz4VtAIF9e1dbueiL6qBJth/SVWhrVQ6fFADqbFVU3jfOyCYntyx1OcLbe/sLip48UPlVoPM+5ynBrEqm78yfwja3dIBwLpawN0HpyGp1trkg5fonyoY19mPS2yWIAs67T6j0H3VNlGY7kenjmg0wuIqmZDUPFJns+LADJ8lbEQuSkjvbhaUz0bvqp09dQMMo74uYjyM9J4keJnEEOfyLilphldV3tXztNSjoAIcMKdUidxo05aYrRiymE8WHAk9GNDbdymV+R4Wj3uGUJiGulHbbRSaVm0+b4HcEZSwH6LU9hd1X86+45OJ8fD/sPZYoY/AURCp66p9cXn667H05v7r80r06Oe5dfvp0teiSZQAHUxdsUNcMX7BEIXPHqLKVBgVmOFMEj2s+9HqKVZ58GA+e36A+BV4h8ydvY9RH+UHPr+DnHfiTzx9++/3tx7edXxYVrb6hFB5P5hDuY49Dx/o8YZaYZ3PfE8lvDnMp6INgHvT1UYIWP3Bblq+I7dZ2u9nS/3fV3j5stw53Wr8vemXA+Zzr6euJG2+zq7hrLhnqiIpzr918OgOURhPjY+Vff+x7zibT/hxcHCQx0EtqRHM7opAGA7BIBRhxbWZwnrqGXNp0I+nUvEYbA8QouLI5vczdDEpxSTFXWxaQr0yHVOG0aGOYp229mYaYMqkKLgfEdaamX1yh5X+lWseFtfiKzn6unMZjzJJeSufCbLmnaRJjr8JWkt5XlPL7LE0dVUhTZTYKuAu2mb9VdrM5m87H85NaX2/GxzNbFqdp7mwE8ofaxJIXsoQXGLqAqAk9MAXynt+8y0TSQfQNXg0+4nikRV54ObDq4OTs/SOvBm/3m/M/HGhO+lNFelwktdXRvptqy4z8kcHrJx88TvwZVSol6IQlFM9tAGge4knWq/EZ8ejiS6Ea91EGTpnyEd/5CBcEtmovuDAXuVdPHpQw9TYm88JlG/g2l5rcTZk/m7l8EuuY5kaFApXWz2iqTMI1hAuTCLLtMPM4nQN8ay4QGzI2rSR43stiLv7JA8Tq5+B8kGKlCCNJFftntrjZDEcSRAzGnanJM9cilDs/h7YRvF5GuF93heovxRcZvbvCblfvzPWU47m96rw7fb0IK4DAWBMT5q3XgDw+dk6eQ6vepTWReowVRuYtOSDUzrsAqYQpMQ3RmFeWUmGFmk+wCskaKNC6szg3Wg/tDXC4fZt0R3RuTz6LbNnDfVoTuV8/b07yZ5RlD+hTdxHJ13hF2Z3y1C31HEq/ucJb4PTZd95V3R1muBXdHa7H5BzEMRJ4naVGYfA44J6/bE2COcAGpg3HI9fQsrzuQfyB6IWyfl5enGFDr/apCgBz9dAGB8Qhh/SnSGb95kwzWkipZERb9Tchx9FPN8873v6L8YhuL6ZACzAwM4nPtCn/yGwkpY/7NKVqCiF6QftZKDZLx0LLDFcAn8yTgfMs8rsjzBhnyA6PYp
zGtl1ubtotRfggxbU9C+qN2LV7E04ZTLYYnTVmBZTIDOsLn0elQ/7v8cFAkrpe/EsEm9mWJHnxlFBI9JyLUN8ZISy4eR69Nd6hJXL1UItReUeFynDas/irq7YLS5Ta+Rze63JE15Ec/CjFC+yEIYSDvtHVCpP91Ver4XiBq9V+8RnmyKIHx0rOCcxvqoXorfmQz9D6/GM+woIkvZT2BSQE1kSqs0zNdMhPZ56RIEWAyoChZ/GgSDqoMSfTDY/kdNznNnVRH6vneyVsqWok1zMkiFUj+HrVY1J7v9naa27vXLXeHrb2Dnd2o7d7O/M/KBnUlBqfHx9HGql6cyQzzR6MFjMvkdBmF15E+gHMi6mSMw3EZQgM6EflA3QPoNKF+m4o0IE+S46QZv5+9+XL6XEDdadyzJlL/kM/fzk9lnndN/QJdkm8MHMGrKZT/1Zqeqf5prLwTFrm+ogzqUQWwysatjl16dQOF0oOULJjPtZUTQSOFY2hFHBMFR2Gz/IXp8dIkEwCXP89SVMo+w0ecbGTZux3GAeERTomDYRjwaWcBbdBrs2Jlh6XquKNLd6Od/f2koPBwcHOm725S0nzx5XV7cJvjBzRmUkQLB7eIEFwRmLh886MTGhVs7/npfBdwcsVVea1upjJl7cFg22liBi7poyAYhZVNYjPjQXcN7YCjOnRO/PJ3Cm3iGhQjRhm1ur/wKNcRQlhe+fNvFtHH8BonOzVpL4+Hu+ZKcqTypHHWFz1rN0PnfYT0+bJcTVMvL23/8TUe+154h0LTr3X3n50apkQMk8Wx0JTd49PTi6CqefYd981zM2mu9JM2MB/v8vHBFJmUGxL7U3tuc2KEkjSMU2rCgBntdcEC61C1gncz0vgnqcyI5fsOsX7W6Z4W8GvM73/skzv6hX4jhK+qxlY533Xl/f9iMTX6d8vPv37kZX7cbLAqxlcJ4OvLhn8EQn/aDnhj7C5Tg2vKTW8Wt7rDPGviWudKP4dJIrb1fpx8sUDhr73tPGAle8yezyk/2+cRB6I4aXmkgck/iAp5WWOXnxmeZnkl55gXqb4e8gzL1P9PaWbV1D/nWadlzl54cnnZYJfeg56QPFLTUUPSFxnpC8qse8tMb2Khe8pP72K/hecpl5F7ovNVq8i9vtIWn+S8pebu15F9otNYa8i9nvJZH+K9peb0F6gep3XvpjEvof09iqyX3CWe0jud57sHrDy3eS8O5q/n9R3T/E6A36dAf8XZ8C7vfhSE+HryXV/jmDW2fDzS+ubJsU/k6xvlzb/fMK+YWL984n7hqn3zyXupSXnW+JeYI7+N0rDn19GE/It3vnr7iaTM/M36SuTM/zjdpjJefzRe83knK67zqy7zsyzT374/jOe079jJ5qyHIZzhSeeFQ0+zb1qyy80aQkq6mzir/Ps+kSPr73o5xpik1nqS8n6z+va6NvdlNZgd3t3+5nEgds1h3CfFbOyWaT1Ra1AQSXR6rfFFQyMTo9XIVtLZY36yZIbvih6gs3szdZziabqZcdfvN8AlM5EJvQOhN83TEjOOBK+Xg9Lv0dBZugoyG30pXuHfshB0H8co77g95IIJIkCbUaVJcJFge5J37SPhduaqXSK+ISwIIt83lXIJpry5+3uouNIYs6SogobYa3GCEPZpLRb2jvbzzXY7rnQxkAvoYLEiosVuh2r3zV6c1iCkSd4tvR3VihbIz4mWzilMZlbNj+GR/n3cSV/aB/yb+A8rr1GtPYan94gP7y7+Lf3E1+ig+iJ+/bun5v6JTl33nz7C123GRpegmPmSXqBbtcTJ+/H8cmcVP46j8tR8NL9qfm3wwqcLUedIEMqlZWF7Ud9Gf7u8YbU74FdZBpIg71lLxs/gN4Jxl2w5Bj2F2vXDAWWYXbyyi3RT65QCmZB94IqRWwb7D6WZH8XERbzRBtV+RF8z4VnXJQZbyCZxSN9CrtE/aLNv5MHKFy5JMPPGRFT+7tGEYwAWl3LidnxPE/HgmI0k6
J1k056+nc3kUfQ4BNrbPYz5UyGAFmJKGf13hHhKiwAOSLPZvV1+1oPXJ783Ht3et65/E/DOUmcBVuyJ3///C7rHLU6v3x+d9XpdDrwb/Off8xrZ8ASmxvoa5BLMxX8xYU8MrAEpmpXL6M+KGZcVy/khXLhGcYSYZcsXPVNkL9dC7fQESy/pGwYpHHZz/vNAFOiV1qY3d8bINST3y4658e97u+vzbqHyT6eBqpy54YzYse1U9o6cMh6sxPCRtWjf/xydnUKc8HYbrg0Rf2cyjssKFRkpgDTZoZl2ZgIGgOv+c7VYx7/+uny2Gzck597n/W/CqQHuyzYRB4/KCExHeMUCWLzpY3P9YpEQ3Sz0d64qUhN2vzXxtHhtVD4WpCkp9Tkuk/Z9XiKJ5OIPJBnwNrBxipnF68G1UdhlmCRFNfbXKNWWzicDDnLodkS83Ixond1MNDp9wW5o7Be4Hi4KJeer3SNfPjn2cd5Cb4l0xro/UDvSBNuHXpnswT5AFLzS8R2P72/+rVzeXKdO0VOVZ9fXR8Zi8UWPl6fjrUZ856mBJ1AmqHeoJ9gUnl9T5kmVO+7ub0mrEY1sA/IInrsEDhEL1VDDwcnFHR01cJdLy0Qf8wrBHN9TPrZcBhUxn1FQiGdqxTReeA+G3BCe5eXNsh8FOfGEmi1oq2U/+pxU2kzwLeUROmrekwsMtUAx/oixoqgCb3jJktZ8IwlCKMJJYD14ejTeszdXYDxAh+ASyBEg7NxMKlNY4A/YlM0SbH+JGX6hjk56trMU3QVkmCHNhEmTYnVBeMGkgqCVO524gMAn4EpjE1g70YqAuMl9yUtNh9DN1aK0Y3npKMVZCyI8tnlWkKnF67miUgXYnMBPpYQAUnSDcT7kog7IhouVT3fEcom2TZQnFLCVAO5j+pTwojSRnQ04OIei4QkPTqJ0OkATXmG8GRCLL7O6YXT24rn1NPJTQM+qUlS2lwwQgOJYTSkd4RpFpSgdxSn6bSBGNeWvzbB7kfEb3OqYDIMgcT+NEc7DaY6bB9sR61oO2rvucqgZUzpGsO5nTQ1dweWIyLN9uBMC0q4DWctLoN35I5FA2TotUsmjbMJyHG5XO2oWuQjkk70dpJUZTYoC1LVU20KvUUkoKSNcBG5CsKwOcYpleiVQQIjggw4fENvNK1K4TL0BMyPBgLJ+zXKV49vCuB9yFr/KqhkqBb8iTlbXhzh581VQtD7z8fnsoESPsaUmTL7Bvia0lps9ld6k6cUy2fU3tN5knj9h0pcW31+elHJXDHWIGsDYXL7G/CvZhYBfle1CD43/yuy8vdMZlfJXTLu30/cMPoz9rBD2Y17A3FQbxAPsjUpplSGTb3uRNzJCw+146QJsIWOrmgH4ZQIFXDLuAF0AcZyj8puMpgiKCCyo5knEucfGFcqINzuwkOnmx1RyZhKePrShrTgqb7MlL7uZMN9VBMGp+D0uLt1etHN/zCggtzjNNUbmfTdkAHSSPCBTKQWJU02EGGJwX5JiLKFrVpVmKtNEvTq5PjyNZIQS/eFS0TFK9DQOFMjXtce1uaRPsFDzOif9oLkAk0kyRLOpmN31AwRcNThJ61huUGkIklBqcIauh3ndwxo98K+D127rsKiecZF8gw/LsaKDFcauSsebjeBFYs1Hu1QQeElsZ1t7D3lROBlou+qfNO4GrtqUXSUIuOJdr5OAwvujODbub3b2h/Yr8CDL72tw7Lb5XZyqGbyXcrjWyTIHxmRCizFSdZPaYyOz7umMu7D1dVFF22hq7MuYBPymKdy7qulrvLKjuHx9NioLypd1eA9VSNT8Y1kzA3Mj7aNh2Bmeps0j984tVm5cZ61Ydqt9rxySWlMmKzrESZ0s+xM1jI3NtTTmsGLxlStaZcIJwThO0zTygK/zgTHI4K2o7lT7mp9gCKFV1rgE0KBDkJ1vnNx9unon73j825PH4Le1Vl3Xt4EgYebuC4GNy/dBOjL5ZlePfw15PFwrf3qVt4G/q
9ajHp4bdGbu9YGWA3c8+amRAmPs7xeuTgbuGv6ZG5u5vuJcZXvooZ2IkKERYxSym6BH5N2YQhMzSOWEUHf+Sb5JWeRvMAIKkcqXd4GYdE9vaUTklAccTHc0v/aWmh5tQVWG/bM+czOlUQ10ISnNJ42jMViLAJIRPS3rna34GQ/6+43Ja9jMu7nUGJ5gM4GT3sXVuX33hvra145ZdkL0f0Q1+HCZzF4GcGVIPM7wThPwWVgMB2+fh0UFWb5Wmi3Wub/zyu7etPWruAUm4y1LSTIHZWzpkOfaK5h70DUxHZyKbMWfYUnn5ABEg5dp27+myecp479nF5kB9mCpX3pgUCW/htD2DsVMWfMLs/AG+rGFUKCDLGAsKwk4LbIRvB5s/59ah5ujT4dpPwe3uVEkntS77lAV0cXdtSGhQ5zZBraYkLv8gwayqiiOEXd/zxHExzfEvVKOsREO6geMKfFPPqYveiNrtmZrIJMpyV5/K9cCzi5QKIctoNDhNL6RwjHKjO4C5JYZH8xRht+vA2tP+BWC4Z1VLAZwqWB/Ld/tt6jVd5aiytMU5lfFnZEQwpgt7OhW+B8ipAPGzLpFiYwfjVwYUcMYM7BOf13xsymgIcvE3W0364aLBct46o05ABUsF5Gk40462ofmeG3HAvFtzUTJsNJgiQZY6ZobJ6hHuCOxQyRB5Oq2CgodSohtDbIUv2xO6rZpX+S/AVaM0qEwoXYm4ubCj/HQDvUbkxmVKi7SEzg1D55SkXTFBETrjPYShAxAF87COKCwAY0Tb1uwpOJ4BNBsSK+pcNSTvfciF4LGVRwGsyVaBfMh7cLWFF43KfDjGcynZpdDt/x2h/ecaUv4k6pVHo1Ty8aCLu4HYSgM0YfkOR6/0QI/WcucZze46k0Af3iVY7vHU3uPNxE9hc3RmRF241p6yp/uk4y114BQuURndxoUm4iQ9ZNAyVkQuBVAHFrSyDOgoikvmZnEoewjAp4i4vkDlmQHDMOwmnKPZU20MEZH/NMWhVh5J7/2hNoNYgd6FWne/66BEsDScY4HuWRKSNKk+VJKm7uvfb+wSzPYXjmJWINzJ+t9CngpDpj72fOhylBZ2dHBSlUJPvMk9v5KILhO0jrASiVAIsTTqLdCEZhlxfo7W4x4ALb+SuULdxBJ4i954inQKXdnJXt11y7OhMEZRDiw2iQ6cvlD63DAdkpGNvE8Fn+fpA7UHhsn/7G2PbWyedIiKB3AQS+R5c2mk2bNkQrEX1/CT7OjVYmaDzSjlzZfRpwHtl/RLH9jpP1kPAopmpaV1OmI6qm1bvyI2dKEJyWyeFMUUZYFWbQSmi6uufN1CRrAb6Pv9hdLgnMvimr6T7vzOsAFJmpScDnhW5XdrIy0VyoEepA9hGuIDJjSkx7VPK6ZH5kpkCn3U8g9BKFR51Hyapra1qSKlf5CDOclCUFN1vJqSuRMyS8FwLnF5EHORtSlSXGBEuxgn+UY/j/jTZSzjYOUfPNTrTf3n2702qgjRSrjUO0uxfttfYO2m/R/2yWiKwxLrf5RRLRdKbUTMwaIyeeBsImimQMaz5AQ4FZlmIR9rVTIzJFMYDYaU+igClnTR5VjANSYYzkmDDzhgQVHCk3qXV9InIkMOet5MaFIS/NgXVNrLiBYqejwsTFcw4QlvqDxqkCH0TbLGOwbYaEO27LGrfPpeKsmcSltZlwqXBa1ynbvIDhjVrDUvKYFvMEPcmFVl+ZNpFza99mpfiUGn0vufjeLeP3DHI5kWbFgLEJ9PvpBQp4QrC1wZS+w2KK7mmiLTi41eyphsdT82NZfge7rd25w9BarIIMKWd1KrBLmOEp/dX8fPQYXTVpMEtTpQL7nJE+Ke8/7dX8yWe7eK3mWnXlNnp8/3DhNYLLdj3tnHeCz1USby+qrY4YwrWMt95lhHHZ61BB5n+2mnyFy+psiDwxasY+fHV6cberd/vpxd3+62JOxBjHdZznj52jamJmgvyM2wC+sSrNSbt8f4
TetHa3AX00Gw4BxfkQnWjniceKKPTKhl4b6G2zT3MTVdv4r02PR2sa2afZe47+lU0mRMRYkv9CI/KAXeoxdLmTaEjvXKw1zD9EjnwzsUkGz5jtVUyZIkMiItTN4phISe/sB43rLskEC9clEPsRR9PJiFRo31ar2Wo1907gv3ea2zuFlWJYRUvkymxeCcykDUpBPV0YROljfVGcd658bNLiRVLrneaXH0cTQe+0uj3++PvrYDmLlw6o7pTjBPVxilkM116QUsEFEjzTt+GMY6/5nPC5CuieVagWCgCqhF+uCEx07xk+brFU0Xx7IY+2WLBXXoYliyit2EN1gNBs1RERJOlV+dIrbmxOhyMiVTCpk5GZuwGMTCYk8SRnffOnmTIfK75GUAICw1mvWlslGzO+7IZWUhvhLx7vnm4i14ANC7CMJKZSWyW29TlE+lJ6a8tFTf6EzAYD+uBHhM+8Gik1OdzaMh8xn4i4GL6O0JVJLVXcmFMPdOwf6/pTJOl4kk6Rwrf5uprIYIqlAuWa4j5JpbGcGFeQGmgQkDX3V2fH0t+jGzGPstuNsvp7zNX3Yq9zN/hJYNN7x+CJQInLSgsM9Twd0aQAkoeYTIxD4cMvNhWiuFXsdo8QOmXaQsVC0eA5AZUoAOVh27Tq/2//bjPXvPcCbkaW2sr4GLP8PQEV91UjkIBtiSDLDPVJyu+rt3n1mSiem1C2G/f39xHBUkXjqR3BbAxzMrBUG3kX91PbkNaMMsI5SLbh1ZQ7uWlym21DZv3tSGb9duHwNQqbOCevALBspRCMsdEwZ45xpASmqT4yEyIor2hXqxmY195TfNIDNr6B1iODAYEexXpWu1Es96/I1dnx64Zxmby/lMvdC82ojoZ7bgQloLes2yvBIYnKCnJ2Xj9sUGGsVwn2wfetGUErPqYU85WYTz3C7wv7JpNERPVumTBKl5cU+0znIIcD8cFj1yJm6Oy4c6FVVsdwfOyHCvfKZpk7MsY0rYm5L5oDmKDYRKdAgNaeK8Yu+cbvLJrNTZlfAxBqeiKdLu0TodAJZVIRu7EKEoFH1L9s25k8mtr3nWGythyix7tz2Dwhm0YEDztbLqu9YnsaOmsMnIYrYSYrE1EnDJSVFGgbqNGB8JswNVCFhENTYGXUEkOYcTYd0z+DjHQjQv/PL5IMslQfhhvggibmVRr+obm78SZAzNnArNVskiNLKqwq7fxVbaqvItKsZivZ1YIpZ093t9lu7jW3283t1vbu9u5Be/vN2zfN7f2D7d3tg93WbnN7Z699sLf/5u1+s91qtcpMrC4k+I31YHekvU9m0exTPqTsSVHhiDyqAwVPa8Ob6Lg6StjKMJN7lYDoo6X50QKKW9rHDPdwMqZso4E2BAGrmw17esCvVlWEOXMOgDFImnO/erKolbhvl1KwVPg3U0QCEYo8MzxoN32PJYp5mpIYgI/sb6+gm5odGMr9pjxDA8oScxy9ckj5UFqt4LvuuLmhHNpkIdqTOuBcMa7IIaqg376iS5IOmqapnHXj7Ocs1ln0k4HNsL806JDRTyhPfPaCMF/Q/FsMSfsln2HjEqaghDfm8PSuBZapITcwEqZoooEg986YkunU7YgP/J5ASatyjWOkiQnNQ+84084qV5pnrfu0QnNrok1r4wFyrmbkRFSeE2szfwsrb3L9ClvLdruzabDmjSdvdiNzweQk68XQasBD+hUlZocN5eYLTLjw2ZiztNmEBYPsYblySanm61G+AcvU5Wv9FfL0oKVFdDSLx6izm+RJyl5wjlvHPgWYUlx4CnVJmNRvyuJ5B70w6/oFcCjoy+VpXszn3hpe0cnd7qEJ7wr0Lzq52/8v+Odrk/wmiMki9MMCTsQrkw4nq/ogvdmOtvejVrR9uLe7MzcUNWF3VHA2JnP1oF9Ipqd5WpmpPPMzWjGHupZKJDLGihBFNqoCcGDugyJjoII8Alg4sESvLBSheRlTeEjZsIE+dxrBdXxHUj4ZQ8ETUX
H0ulGiT/vuvieayTTSVy12wDWOqjziYE9ZDlJm7GSvNLUaC2o3ZRD31twFk5eXOGdp7tWdjMiYCJzW2MDvxM1RMu2CE/OKDgACiDxQqbfvzHGhCWLaVk3TqcUfla7JnCAAKChNB78bJ2BtBCecSK39y5J6i3cHe63WoCCMWqzaiv6FvkIAtnG+JU4Hszs95uOJoDIw/fnAgF0wnhCbfVFgOdcrfsuA4QCBm4TICsHar5SaD4bEWASuMb7V97pCEy4l7RuQPG+n5KEoba/ojTwmStDY2C4A8DRjvRQhI7ThBAHjOEuxAHr9kGRMFSS05gaj/9s5VzaxmhpsC0bMlS0Jyb9gT1KBDIhl84LY8/MfpHCbimnjzGKFbvT3rGelHS34p5Y+mNm4Ioia7Lwhe6Q/IC1M9uPdgzfbSZ8cDFrtN7u4vb/zpt9/u737ZrBf2I815SwUYhJus5nM9ydvLVLK2LS71J9MsPMBGMTuF5ym/N4sv+9zH2xmr/RAqiIDLAEfDweUiaKXbCwFV4/g9Cy8d+YnhPkwf3hDWNMFS+DgJMVS0dgibxROkXOYw8i5eWjMpPJJ2igICr8jWMmqQUxo1Sph6Lw58SiG/qN6IW9y196gyAz0wTBvM0Hf0orgfMhH0x634ibiCak1H83tJuy3BEw5o2eCnaDuudFF4QUZXtvMps/7v8ExDUouQ1xPSK8CQ9vAmzSCRXCse7WYp5P1XbdVP6i9TjxlDuLGjTbfXppRyQEJ5R01Q4D+rFnzoP6uuFHtHow0CXp6WWEg6UuPbW7mYQWA8rZ2O7ziAXN+tsbMqx4XjkgLABKCjueRDA4nmrJhRuXIr1p+KOFI6/sCZZPCVW/vOS41qSgMOFk8RysXBlYw5C14lVC2rSp3Ta5g3O55jZpGK3gZW6bGmJmiLUkqzAQ3X7Nl/9Muamjrya19jtX6HFasa9fjR3Y93CKvPZDniGvto6x9lJfgo8y/Y9dezNqLWdiLecY2W/s5az9n7ees1s+Z//jJAFx3pSWCBrEZwfgz0pgbmNPSWBM+OjwTO/ykZ99G8MWZtl7GLq94Ay7YK95SKDxCGk6CSU7cIp8OzCBc+DGwIDPUzZ7yRxT8vbPgbgq6++Yruv2ZC1aJ37OaNful2GrOLZl7t5/Dm7aaXnGUcn6LsL4aDR4oUebZdObFPuhu5++Qsrx2ou1o7jaLf92p8+kt5rV4HQFZbQTEinUdAfmRIyBukdcRkOeIax0BWUdAvpMIiN2x6wjIOgJSZwTEbbN1BGQdAVlHQL55BMQevxcdAbE0riMg30sExC7YOgLyNTmtd/RL2NFPIm7/TfarD8rlESJXbpT/5olqI/MpV6jj2hqVoJ6RJKbOZBCgdTuo4y0DuBIUeMhC06QAe1lvDFyEg25YvJYQwB1AL62ZEIKhGKoKRITQ2HkPv5CpAF/6K8jSIZ6NhZfOeXoMQDmYJeZM0gRQHbTMtGuRUkbCZsAGJdiO2nfQy1BTzIp8y8cmdGIoCtPt9RAp/DSodTOhJz+2izlYyAuHJGmwr11Vk3dYoIzONJOr/pyTgufSwMZ5cX9fONJW7msc6TWO9BpH+i/FkTYn0bVqz5XgCwSTNqSuwaRXL/I1mPQaTHoNJr0Gk16DSa/BpNdg0msw6e8TTNrYhy8ETBqIWYNJvxgwabs7vgKirLUyRF7y6497fOVKIOWgtxtSAkNskQ1fPLD0o+KIlpTHCwSWnt/F/Ybo0lY/oJeELm0EtUaXXqNLr9Gl1+jSa3TpNbr0Gl16jS69Rpdeo0uv0aXX6NJrdOk1uvTfBl1ajQTBRso22+sq/83j2V4b702Wjj6mKZaSDqauAAaK0FIi9I9xzEXiDCs7F1L4gTM+nl5bCq+9UaQZ/nh6dXmCOldX/+fon9cPnRM0EHhMtE0VXbNSQpjWBprfAiX5wJYOk9/kvRwqbAjAxcROj7sNdP7z+19trZ7La8co5uOx1tKW5CgfGuLLwFCkcKxoHP
0UEjYmmEEjf5cIp2wswhrFrtU+4oN8TOXHtIRdb9DxBMfqeuN1VJiRxCNQCE9Pmo9sUnBuKYMoB9i4OB55fOj+1D1TKZN/aOZpwLrFMR9PUirhzSYfcshx6skkLIEXRpQQprWn9tNMwqEmfeN/oSVTtvKEgnnOo0EGrzx1xhPQMsjfoyhLtEvNhUS8/28SK2nnc6Fjm12IWVIw/gMgaYhcuyEpZ1tBBsS8/mHAY+RJmoNbQ3MVt5/gL0H64yNcV3C7HNXR3ymZaxkhvfTsr+USvBaWjLPE4rrs3Y28bvy6p9Va746whIsmI5kS8GbtKLjuCQCjv+5lEv4n0IJaD55zRrbO+P3WR5LQbLz1gQ5H1z0Z4zRP9aQMdSaQEfmAOu5q716d/oa2o3Z4wwXj/mII8tncOUUIBvfNEEz+FZYozqTiY5dvfM1OHiagzcNR7+z7uiCH1wyhnyCzoOsq+9yvGDE/nfF784PhzfysGdyYXXnzgeVWPVihmpb92KVhmKvWFkiYJGct4CSL3dtiftnOsnp6gR4i+H+QtG8aJkD+SUrviHBqtMOGKRHo5J9LqlIIXdSMUBGgKHgzzVNgn0cLIRT0ioq824XfX3xg/XjK2euS4CYjKkf/bzb+v7BgBjQlEYYXWjKPB5/kBW5F5/MMnje00Q2BdJoaLA43dGUROOMKLEr9aXO/SHRLyAQpgeNbs6v012Hc6CvG+HycKlu4XB9MiXNJQAT5fIEAOv6X9qkgz6rpT5GPYKAPRJDNTQnlm6xJHkY4kxCaceaX0UOBOaXtJ0EQsTrL5KW7pJ9DhEU8onekYdAKYF0aecyogQiLxXSiSJIH/ckDiTNFGmhEk4SwBhIEJ+a/9TXXsHZBA90LqioKYzb/teE+qx0s8+mvOlZzrWXME9KTdMiwNtOjhA6JVD2cDrmgajSua4HhPRRLsPT8ZL7ES9NjQuiCxxAm9aKcCciHBbWeCyjx1T4T7B4qkc2m8E84UMeQB1CmQUm1/qQA8A0b08+BV4xscnLL6yRHeHtv7nLX+VfF4Ih8JQjS5zwlmFWJ+535U+gEUqjEcjNoIdmElrKHr92hGraa/omyYY1YLXqTBWGqeXdX0KqogA0S4NlADfQAx5oRk3yDJB+oe603jPkWBWMSB2IgkSApubOucWei9+JPn7pQMlf1/jKO9JwkepjE0UTwh2kNq6CwyuqEm6L6x9kopi/Bi4mwFVsEGVKqV2OQmTeslA+HkI2uVSwfCjwZ0RgRIbTz6LM5w1HvcEqTMLuWC+3gS+XmQ2cE3xGUsaCObuDytOCr+VdcPnk+vh9W39MZi0ckvq3CpTi5vPx02ftyfnX5pXt1cty7/PTpqobVzMDPriuvsmuGL9SIQKarUZslS5zGgutzgY64mHCBn9VQZ26mFcHjmrWInmKVqgTG48LqClsW6xSIxb8Kep75QZ+pQU4+f/jt97cf33Z+qUHq+g5VeDxPxuBj9u6xPqCYJcbkvfeVmG5LmbtJn6whYcRkOkJ9Jtzn5Ztqu7Xdbrb0/121tw/brcOd1u813FygC+Yy9J+4kze7igvn/gX6qELHoHhUzHf5RSsm05cu//pj33POuYmdQuCqYYQ+orkRVMhEcb3qco2obSTOU4tRgm1nQQTqzlhPRpmWTdearAfQzUuuQLVZZJ6Ah1ThtGggaY8aMqLwEFMWFK5BXTRl2vWAQGwBravydsGFZfrK1bE6EWpvejkH9b22qGEcfY+DRzmvTwrFv2aLFr6/Es70SCt2vHOv04JCYFNiA/AA1a64A/OzcWEYxu4I455mE00BuhnrqW4sJhjV55JIdANcBDAS+hsQVfs36Bv3KAeOiv5oA0nKYj8cJCmwnG6fj6cltAopJySA0lh9QMyiUJhmoUEacchGyeNK8CoYc957Xbz5LJAce8r5pvYtIUKnvq7d5nkaTSTCqJapzmxY/zavTCrJZWvEx2QLp/l6LSUfTUTPTL6siCqP3zEU99ra0y
dkdJUXX1FprilnD+X2PUO/UpbwezlTC2KiBjl2gK/XMNeh1lmh5GOeVpWwLfmeAPIk6SCCMJIi4ELWtO0+4ngEUB3BVO40nZy9rz5RD2/3m/tzowZ9hcn+VJEeF8ny2+YRFt9NteNI/sjgNYIPHufrjCqVEnTCEopX4YRo9uJJ1ivjJq2MuaOLLwXopEd5O2WKpKviyV7OvaSEwvasK/XkQQkM8VNQVh5B1ReJ6Bk3pb9YI3RqiLHhu9znUWAg9TOaKoO0N57Q1GrM2OEP9wka4FtjqY5xCo4UsMKFXPLZw4uGPEy4mOvZf5BipQirfvk/s4FnMxxJEEkJwDCbODaY5tMJWRnZI4ITIiLcp71KVKmV7dcZYCm9XTtBzOydMZHhHXuAY4Jedd6dvl4xl5B5UxN/H2AKk9zz2JlcERtBy/uVGyPailVYn8WABzvvarkgTIlpWO+/sgI7uxT5BDWvh8lsqfn8bG60HtobBj3awZs4fuRKLPiQI9nDfVoTJ18/9m69zijLHtCn7orXq8Zb2W69py7mFTHxzbX1apUAHa/0ujTD1X9dSltbPAfdj2f3bXYYwvCIHaa8MZshZ8pxcDxCdrLyRip4LrdkaiNvufdin+ssapokPmEwBHbrT5HM+k2Th+OHhIJARrAaoZuQ4+inm5VpGT9mPKLbi2n/Qtpe0TAe0ab8I7PB8j7u05SqaY6oXkC3jMPC45WxpW8ePpknYPAszrojzBhnyA6PYpzGWWrrDXx5dU08DVI8rMt20ju7azc7nGiYbOUs1FiYUuIgzDtcGQMOhKfHBwNJ6mpWU+LFzFYfN5L+Oc+6PAdbr8SDxy/Sk62clRotihInBqR4xQzcUaEynPbmz997lkVeYsLOVyx1rIGfxbfWAsysdmsNly8jmN/QgMn+akPDcLxaQ8OO+Qy7bdFDaoXqZOm34qpZqVnXzLCxUm0zwoIkvZT2BRa0tgRR5xOY6ZCfrlhDlPO6KvYUSQc1Fp+64ZGcjvs8NfWn+giv1MHU1NYZxYA3Yj9LA5GHOM0Sl6yQEgw/J7y6p5XPAoHHH8g0KsBv+IEleuUSuBUW0fDP1w14EfJjelQE6APg9Zl96k/Qq43hnxsNePfZMCNsVPQdnAQ3xOJCH3Bxu+Kq/plrQO+TW3gCznPuTH/HGbhDHLzK++PhhfaJmZBMI+jR6If2aU/wlD87UWl0P6idBXXsy7pBA9fLipXeEHaNYBpXlw5DWvgW80CXz+cH1t8w1SeQIlvk4/zqfbdhNAG8jOOUD3kGr/OYoU4KaFuKmIBoVwmCx+hV57j72qXHELfkflTT5MB81JR/uyfKf2dSaW8tJQn638edq06EfueMRKd50phpcDeGV8tCY6D+1L1YQuYApO3btAGJEn7PUo4dsHGxFAx1GOocd+HB3OGB5VK37+ZcjA/RzdHh9QSr0bXi15pmcF78WTqUfEx6fpPeGAnczPzWj2zf582DamguuCQXdJN/K0I35Qldeyk/ZPBNfV5CKkpfmv1w/gHImct3R5am0Fe0YT+of75pmMSK8KkXNl6AzBAc/3ARA5d9cU0wrC1T8ULQMRZTi+hweoxe/Xx6/PrJ9InNdqvVXoUlltfS1s1XmHtaydOqkh705RuNk72auPp4vAf3+yqudBhHjnC7Jlq7HzrtlRObV0rUQO723v7KCd5rzxPIXJDgvfb2igmWCSF1Hclu9/jk5GJlBFNWwiZeXUEhK0HZ56lFuaXpehzMKsjtvf2dtzurUJFjOiZ1Zot8PP14Yl6lXBpZmHFu8W8DxYm4cKYMHxTCbAhBfTEaKTWRh1tb9/f3EcUMR1wMt7CUdGi6T2+NSUJxE15fwp+jh5Eap/867fiWANoYGdCY4tS81fxXw2Z5ubSQCP2q7f6xSRHFDOxBYIZKV3jTt4BufswxlyrvMRWy7jBxVrFs9W3NjwASPijsRx4rnObbtRo1dbO1v9tayZ5cMm+2Im3W57tqp40npk3rCk
j9RpBTdh1CjzVwZbWL40qXfNJoaXmcW7oa15Hfs9rS58BVhwk2wbsTlVgKq7KotPm9OkZWjyrx3vkLYQJ3Y2Y3+LBERcZuIfSQBDmtz8vY3VrtBpqQb5FsenTxpZhoahpven++Otl0JZmmEyjhn2BWV/72qUfmNtOUnJCGa8QLSfo2Q7FpyiNmWK6rKG5CvgFqhRfETIeTBeRwgcM2MEvxrf+35tQsz/hdMWvmmUzvRzvRwX6rFbXf7Lb3VsM9HU/qxEPsmCi05dfm9ADgIbo4MacadRiyVKBmE4Ci4WMooAvpv8x0ch1QNiRiIihTpn4KoI/utKIcKCKQIEaYtp2j66QZ84Q0gc9c3wrMpK8vlqZ/N4/jTAiSNCzmmGnLamp0rKUpsA9hAvUGC6JYvSWsWYpVwSAeUEHIFDTPVj/lwy0DVtLUdpvWg1vbrfbuVqu9BfE8yoZNm5bcNMJpWviDSNvKFb0a4v23rZ14lxxsb7f1D0mM9w72dzBOdvaTZLCavePSDHtwhGo0sfz5WUZzdi86p+dX0clvJ6vh3hba1s2ynWYZ1jf8rQFAhDZaDD9/mhCDCoW6BhZkBbJ5/pN6xQuQHkTrCfAsC5H5oGrH2EUmOqsHhSK2Df3PCkDq9v7O21XYC8Yy6b10c/TKGFBgkGorSk7HKWW3K3lurjEOAYsPzvgrs8sTKqB7gKW/jMakP7YCnrLaIutXDn789Bi9+gJBdYEkiTNB1TTEBXjVnYm4G+eqvrj7w17rIML2KYveGR1e+6u7hYEI5rXJuK+6nfPXkXGoIdDjAZmqIDNwpkYcRAiwxkFFNGyffqbyBzOHjJw3oSKygY7PuyjkGKFXtsFaEmORSPuUVwAMyzOF8+X4KbKd2KOYr2xZqJQZEZFhoc7L1a2LhYiFe+bV0TlsRE0EAKYE0vVyLwnCtsOHCDqg66GOlJnALCaoa5piH83d5nNu+UCzu9plY7rrvTp6DQaknGX9S3fFfAXQVCSpc/mPw4ns6h8vsvpH//jSbaBP/3C74JTFDfTpyz+gcUqOlddAR+f/eGKn+LNY146BdpU5pE9dW8ZN43Tb2euSRao3ldZKv1Byv2ImQzzWmhkNp5Lo1aclFMcpi2uUA057GaN1GexV4sAp0jNqqXxZQCwzJ2fFopEKQ3l1D/yI+iBq/b2v59Omj5vP3/pXDdQFG++idEaOcEoHXDC6CqAG4J5x1YMAwRzsPvZwcUXH4NGbyMAsbg6ViHFwbyDcwCRNoPEUgM6UFnm7td1qtt402/uotXPY3jvcOfj/Wq3D1tyNWudhuE8GfK7Y7cIcD6iQah5u2wfN1lvgtn242zrc3lstt6YnUu+WTGuHoeyUkCcdzlTYwOmWlA/2ZXdll1rAb5yJu7oOsfZhYPwgR5Ygkqb6A7H9U85xAHMJqBv+UqcyAOx0j68l+TAq1WRvu12DkMjDhDPy3JLiGWwCM4Rf9oTAY83MonsMtzkY3t/b23njFoQl5GGmMQiPeya4ONswZHWCWTJqA00J6Z8+RBXsBTnBsYnlUFX2nrZbu29XxY4kguK0Nzdi/xINbMxUDosfrlR/LKpvd2j2BApSKsLiaQ7w65qrm4xI2DGTEWYZtGtuIBrWU5gwtUvH5eDkptrw0p6qx6TxQ8cjDDgaoiz4vb33794dHL05Pnn3vnXwtnVw3N4+OuqsTDN59LPaFfFpsS9VARXUQ7AFGulXYh4HxkTLTIa98IxJMuAZA+Tmnzk6w2yIjgAw1FYKTCPUJcSH84dUjbI+RPKHPMVsuDXkW/2U97eGvB21d7ekiLcM4uiWFgz8VzTk/3G2s/Omebazt1NuewQpaM0VXhM26PLXhBOkjyc4MmYZNpUY0TDlfZx6m5eRVTzxzfD/V4QL6osWOL5eQrighMhrA336cD4aL+he/SO38Rvo7B9dzNB7gVlMZcyDeEJDe4cRRA++2W55MaGCglBWzeVfHSt4TCkUFr5Opl9AYGBGBitj82
/q5Ns8i3otwQACRU9qTbPSNt5ZlikhVU8SMs/ZfNR9NyVRs3DJlCntwg1NMx5brQWOvOnCRwAseaSK3YK1V+PJm+V2E+IZ7XaztXfVfnO4vXe4+yZqtZZGUh4SHsVUTesCJz9y+recOMCZEgQviZAH9HOmqPYce3EpLXglTFzd86aFwYxLeet+9k1Zzej5ktZmkcWa1um8AB5vJyuzwoUaoQ44UEsqFcMV2HM9KnldS3dkTcbT7idYu7K5tJLVMXzUdYYsD5W76wgzvCzcruYB0FxLlkqJ/iHhvRA7rnhbcTakKkuMPkyxgn+Uddl/o42Us41D1HyzE+23d9/utBpoI8Vq4xDt7kV7rb2D9lv0PytQbXUW936RRDQd1MJM6iVGTp4NBxBt+nryARoKzLIUi7D9hRqRKYqx9qf7PAtLZo9chEKPESQrUWHqXmPCFBHSNNUfpJwLGzxp+PhH4rqa+UENeWkOzmJ8iQaKvblcLAPPC1lNdI4yaKQ4hgLmIeGO23J6UJ9LxVkzWfIFSi/mhEuF07o0xeYFDG80/Gx5Niyg47EA+Q/d8vIMcptZ7QGRx3jqoVBvGb9n0C0NaVZgIi7Q76cXoTeLkE2WsH2z7mlC0qkpM3YOMHS/hh/LAj/Ybe0uGfbXwhZkqC29GlXzJczwlGZufl4S1zlgpCbdbJmoVM2fM9InK9j32rD8k7NaLBvXTlqP7+7/XHW5xsunnfNO8LlKbq1VsNURQ7CM8Na7jDAuex0qAqyohaRA5ymZ9B96duvCPH2p2LcQ8YE/lE/0LWxH29FOtGQOZIq/qTsCEBwvzhsZY3FL2TBSaV01shtXAg8GNEZnmmV0IbjiMU8hUqqteUuBjNClC2WbR9e8K2rYLhX9hH79cHp1Yjqf/nx5cnJufux8fHdyaX68PDkutUP9dUTVkq9Nroyvh+eJsKxqy7hZw85hXh7+7vv2O0dv5DnE8Ngz29e1BKCe+B7RC2iJ3d0lIxY2L72usMtV0b7M2d+ULiW+vJyp+LOXiXSEsyU1vCDQz7G2QNqlGx99uTxDKWW3UDrIQ7ycqmZ4T25m91Rly9SDnKIt/6WtVqvV3t5Z8nbQRozU5h6A8odl4St3az45kGuYBZqfKsKMGdzHkuzvIsJinmg9nVvC77nwcDmOWMRNFQRnMjclukSB1XzyACrnkgw/Z0RM7e8axf5XMYdzxlni2/dYBCKtoOBh+Cad9PTvbvLEAD6xC9rPlNu6QWNRE8gRJOZ3RDiUWmhglqPr+bZQWqVdnvzce3d63rn8T8O5vxAqgGk+v8s6R63OL5/fXXU6nQ782/znH6vcAQYk8WvNR13GdeU6H7mScK3v9SrrA2HGddDNXmYXXh7GYDLYhlXfhOWxS+VJht0hKRumuZNjP+/3iklMf6Vl3f29ATI/+e2ic37c6/7+2gJG5QuU00BVXswGkGIwrp3StiCRJoQOE8I+1qN//HJ2dQpzwdhuOOju5Ee8w4ICKH9K2FCNzLA2gwB4zTe2HvP410+Xx2Zfn/zc+6z/VSA92ITBHvMeZkJiOi4BDaBXJBqim432xk0FEtrmvzaODq+FwteCJD2lJtd9yq7HUzyZROSBLN2PuLjvyhUqq2lhqTBLsEiK28HgZFpd47G3ZgVgdsyKmBzR2VSvlfDX6fcFuTPxBLhjXf21nq90rXz459nHFfFzS6Y1sPOB3pGmIKkpMoFSKD4AmNJyysWn91e/di5PrvNaOXdNnF9dH2VCEKbsi8/16RgPiSlVOoHm3Hr3f4JJ5fU9ZZpQvalXJJxyqdlKpPM+BzjLQQpMc3JI4WP2+qha9uul5eVVTIXcro9JPxsOl0VM8wIM2ajrMcIkb1krpLS9VsOQjDFjRPSkwnMB/z7mRUCgXhPe+WXr5PjSNpJ12L0ZNPwfZGk6RQlRpo39GKc0pjyTYb0dtEP+cnlW9iGW5NO6+cvweG48IL06dAydUkMTGQBmeF8ScUcSrbKTLLboTu
BTQY/SqqyV7SVDljWWTm5c2aYiBYfQ39HGDD2aaql8As7BYKAMda9Of0PbUSsKIwblsMKhCRPgTHHGxzyTTeNP2F8LRQc4VuZfHt6mFIZI+BhT1tQyMh+F8romThJh/q33l/mJTu52gz/Qyd2+/efMmGMcB58bZ4o8mB+1L2x/Mi2WzT9cs2Tzr0yk1wyFQ/4E9ZpNHEPw2nzq3mi3plMqzVsyNX952GsdNIPEp1IQxfOx3NbJRBoZ6dXlUh3D6E6jZSLNrcYNKEbxZY4bgdF9ypDkY4JiLCEsoR3XMZ4icJUtXurphb5Ptrgw4QmzPdJpjomEUYE15EBymDm4ptEioJfmMVADyTDkzo6/MUPcmCeNkELDkCbMVoJqOlOqiMApOr242/djEhan3Ka43/zrxmCI/tcNenV6cvUeXb4/8oNuv9nZfm1oCj+YZ9w6N8A9q3joYAsc58jNw1JAdslyLkp++T1UO4Sz7zyeS9tXNPvJczxa361KaDco6IwMG3Ae/Oer8uiuwackCtEBospg/MqG3syMK0TuiJjqKQyS8Mz3ZwZ3006IoDxB40yaLsV9h/ZFEuNyEZezlpsE8OE+QRsTNtzIk74BODrSv/t7AFnrnTcQGEDj69p4FwbwOVBgFgsGjtt/3ATqTPHJxswi3/zHjandUmiCRY52aIletucACCBL0zmYn4mHrB4c4nRg4I2/XJ6ZTgwGVQYzpXXplGdC34C51p0GGwfgu/MIAWXoxrF2A0hlALOjCr12BYk5k0pkYEtCemDYFgJge3I2TBz/0ShmUR8e7u7ubBnQnP/7xz/s782//0PxyfJr5tTTS1i3zS/MP2x4tQnbXCJJ4D0kl6eXY4V6oQwxou65uEVjzqjigrKh0VreKnb3eJ9o9Wi3i4XexDLcABg8BpTyoc3v0F/VGnigCDPg5qEZap4psBoVDmC4X8bEbkX/NT8slq6nqyO0Aeg3KTGJp4yrsvZaaOvo0R758/K7aoKlDBTcylGv7fBOidmrdcn8YkP4XLg3T4V0L2wgJiAs0MxW5BuroPXZj21fb+6j75hHid/dLRfzLP2epjn5IyO1Va2AvQYT2APo87CASfMXG5WuYtyfYb16MweldMf+X7hjjVEXNiUIZ4n0/YSL5jrj+rugXUQefjCl1gHtkbX1hamjg/n6mfKfagSTGWaNWehHNG0oGCLjicrpAdLNJ2/st2fQ6BI6gIc7BclVfaLuSdCFWk+q7rlxkVZhSBgvlAiS9Op1Ca8g+DscEdDhblK4c8zEDRDSZEK8rpFZ3/xp5tmtYBsHY5kPQ6h5Y8B5+Dy5AYBe4S9mrwxjY9vFSIgiYgx5jhNBYipJOnWNRVIqFUrpbaFOV2aDAX3wI8JnXunL4nBry3zEfCLiYvg6Qldi6l5jJxPBH+jYFHtTCS2s6HiSTpHCt8UMFWt+6/VPcZ+k0rzeaDsTLuB7kqbA/dXZscz1YMyj7LYCx2xliBB6H8l4ROrLPO3C6I+reriWZ/0f88J/c1hpjBt6H7ngVyAOt3XrPE5+EtegxiTimoDrHxlOjX1nPwOun3Uyg8TYNHUiMQU25CEmE2MljbhtL2k6qM0cN6svIojbYBAuLTR+maUAinaomcsoT/i77c/ss4XBVdJGIswcY8Z4buAWzmYjkEAejpllqE9Sfl+tKqr1SlH3hLI1sSssVTSe2hHM4TLaBUvljQ0fK7KjFHxu4FXaci2v/dxmlll/W2+gdkGBNQqKICfPXD7Wq3LwZPkYGyYypu8tJTBN8+BDhULAcsnKR731FZ/0gMFvcKGQwcCmJGkz22whK5dX5Ors+HXDBM18InK+IrmTCIq54boJgYoNNUVwfCpCM7Pz5jG4/JN6/WCHfN/3Dtw5j105+UrMd/nA75ffbA4svqZN9sUOv1rvZ42W+NLQEtdAiXOK5ofASFzDI9YAj/ijIyOuQRHXeIhflcrfCiXh74SC+LcBQPwbYR+uYQ+fJ5814mFZJt
8v2OEa5/Bl4ByuIQ5fBsTh3xjd8AcENlxjGta5R16Mf79COMO/G5Lhjw9i+PfFL/wxoAshjZEkEVZ8TOO67SHz+mfmCgpfjIkJqY6WHo8lRdgdFZyNw4xTwhIo1YYEQpsXCTmUJZH0cdL0b8gLhaCcfODD30Y85rHZXmclWVVJKZCMl9YzpARInNDfX47w9t7+MnKqrS/bjJB6NClBSmg/NLO8a8p8U+9qrgcHO5iQvebbfdxu7uL9drPfIvvNVpzEO+2dpNXuL9S11UtC+8nfShh6rmXlQVPSJ1g130atqNXcbm23o9ZetL3TbLVarfZCcQ4nixrr6GZEoWxVHcxsDkuMTSDEZ1orKPAxdAa58b5gfkjvIDnbinFWUP4PPZMDLrL5WxoOBB4TfRRrkkZY42qLI/2UeS/eTJjmulgR7YP+aXB64hRLSQfFWhSFY0Vjg+ND4pEJM/iHegv0ZGaKtJVop7Jj0bgI5WMzMHwv1L6rWQWsB6hPlA1E9H1gcCEUomxIpIKyULjQBVGCO5CcsHAGD4eGPVjkcmTh4+nV5QnqXF39n6N/FtZkKHg2iXBKcV3pARtXWpPrCV4R6T0VmBcCBBgKn/gAQfU71JwpkcGd70pbw4JH2NXY9DSOb40YceGh2xYW+LaV+m/a+ptG1+zXEdQocRUOKcgfGYX+yVOewTJlkiBcEBq0oDVEe16iUvnk5r/Qxkc8JDEWCv0Mn97fQPPjRZjVqO0agaXI745nrQEIPpTa8muQCz4cd641oElZ+D+3Wj5OO6eka/TUN2bBn77jHQ+ZaSV5vz89n9taMuKuG5EKZC4KsFTPEH5hc4e7fnHh50NWbPr5ZF9gp7wILu6JlcLxbTSmShDtbG/Bt+UWHIqteZcpd/CwjOZ26x57e7BxeRuQxymAYJprCqx7X51vbz9TvJD/2gvP/NkjxXW656+1P/9HRtKgK7FEBMcjb+5zsy6mOzkpm3ztvfb+wUKCCSMLK1Yhq6/D+xQQW40y+jPnw5Sgs7O5kWFzacScDfQC1HekcxP3uqdG5LpnEECajGRKALawo+C6Z/rDX/fgFcF8PDjT55yRrTN+v/WRJDQbb32gw9F1T8Y4JchhTlOGOpMJYQl9QB2nPCzoRDu3JgvwE78Ygtz7YUARgsGlL01MElNSGGdS8bHxdWV0zU4eJgBdEo5awMdE6CeAjO6aOUjifsUsMMQZvzc/GN7Mz5rBksIwH3j+SgerUtNSHxdquZwvgwH70eGe5C961uyeZe/0Aj1E8P+KuCkJSekdEc4L7LBhSgQ6+efcEcBcEpA2Gtm00fodu0chdgvpq0X8TL+P+OAp/MzJiMrR/1sgT2mmkYkpqiXzmK2PJa1snmHr6ORQAnoB3dCVpcH6OsVpCp+2DhS6JWRiLmuze6DcV487fy3bLHdKCdrPasSH7ABQHh8YtvP5AqY7/pc2zJujmfenaJJiNeBiHKEPRJDNTb1rGGdN8jDCmYRM7NSGjY1eCdxca98Qq4OMPeMqnA8RFrEB2or5eAKJ0kkjx8xpIMLgNZUk+eM5AeAs0kAjmiSENZAgODH/ra+qhr3PGwBBVVEhtfmvDffZjQbaMJ9+BurezPrFPCE9//QcJVT71LU/g5tyRCwh8IRLOUiaHpOQYdB+Hi/aCN4W8wd0aVA3LBYIlfAXkuQFQIAk5Ye0OlNqexU+KSCN3tZ9+IJQZGQTvM6X1uZ5QdKnV6JQz/oY2Fmf85RgViXid+ZPAN1vIEIQHWgD36cZUOngG8rJ/UpkZEVbSv9E2bBXm+O+aRx3n1gx7y6i0n/UfttsBDyZpK4sboxZNsCxQVgB78ZhTlmwtSgYk4RAGSm5s9gHnYnecz996gKeS1UtzjjSc5LoYRJHE8EfpiuSvMIqq08vPw1kPPPeDqRUr8AgMzVMKR8OIYkYElCGAk9GNEZECC5kHoINR4XUzLCtCRdI+6vKzYfOCL4jKGM5+Cn1MH/w1fwr5SwBP6y+az
MWj4h2cssLeHJ5+emy9+X86vJL9+rkuHf56dPVilbQPJ/W1Uyia7MgWKEZU+LUYMk6dhCR6IiLCRdhBHdJRhXB45o1hJ5ilWoCxuPC6gFT++uVw0RwbZFHuVbwgz5TO5x8/vDb728/vu38siJJ67tP4fE8DQ8es0ePywD+ha1j7hd9alw2cWIAr+EersTobzdb+v+u2tuH7dbhzjPw+b/Crj7bcxnfT9ylm13FhXO9Av1SlVkUj4qVzb9oRYOV860e0zXme84ZBiAc+H1iqvEKKOWFmmOo9CvAO2t7hvPUwoBi+xyCQH0ZS8cox7JpucJbH/TrklKvNmGgKJgOqcJp0ZjRHizUu+MhpizAn9Pf6FOm3QEL6hysT+UNgQtL8xX1v5zYtPe6nHMIeLwwjr5/wZub1x8EDDCzFQvfX5gb/e0VO7q5x6e17ZgobPqQjTAbPuL6mr95CH8YJnbw89o1zCbQg+RmrKfySP76zBGJboCLHM7RYrQjnPwbdIlrsAYOg3l9lJBiZIeDjGiW0+1RFbSEFpVsQu5obXHEYxjcIooZNWd7sISkl7yd+dsAzjLjPOS6+HHjG5CzfBNQiWycPUKnPk3donIYzSLCCJFpwtmw/mTeda0ki60RH5MtnOZr9GyZ6Il7ZsJlxVJ5tI6h1MO2FX1CLkUEN7henL2S29nMNd+YwYUynnme/u8z/M01pnVQKG2oBShr1AVi7SBDkg4iCMkoAi5bTdvrI45HlBEUTuVOysnZ++rT8vB2v7k/N552BWP9KWRQ1teQ591UO2q2hYXm51FezqhSKUEnLKF4UQdAsxRPsl6NCUBHF198pPzJtTlliszdF7iKD3t59oJ7bZHr7+RBQfVLYhTOhEtJ+ynJ0dX0jJvSX4IROjXE2JBX7mMYZMV+RlPI8tP2JE2t1ov15WSxjAfYPtuOcQqOC7DC8/KbRcRBHiZczAVsP0ixUoT531bm8prhSIJISiBnzcR4wSw2fWMWJ3VEcEJEhPu0ZxN2a9qLQaau24qdIM70zpin8B47wDFBrzrvTl+vgDNIt6qJpw8whcnoeuyMLUG63uF1GQjQNQhw8wO67bzLU06YEtOwa/HKUCutyPMJapA7NzGnes/D5kbrob0BcT8PgOt4eAay4hNcyB7u05qo//rRdetyRln2gD51V7AuNd6Udls9dVkuQfg316zLH2SDo72yK8wMV88VJs0D9jy0MhLEwmai+a7BmQWNgoc5howuMBBjOB4hO1l5kxS8gFsydU1o8hZ3BaRwSezQBrbcZZj0p0hm/abJ/fBDAvwhI1iN0E3IcfTTzVKawo8Tj+j2Ypq6kAZWND5HtCn/yGwwuO/6/iVUmrBAIEVLxyo2AVw9fDKPY/0sbrojzBhnyA6PYpzGWWoUoLdOV8nHIMVztQ1aRGPoXdu1GxlOKEy2ErJrzJktUR3mqy1FtOvK3+ODgSR1lR6W6DezrZaD5wNCuL0f9jh9mm43GUBHrIT8Gm/2EvV6qJUQfUeFynDamz/X61mWbolwO5/L6VopD4tvmwUYWH7bQB+Tb3Xhw2R/9YVvOF7+wrfjPMNmWvTQWUE6+fkttwrya9YXM6QvrTEAEqFnEElo/UirMB3y0wWQT1QG/C3DkiLpYITlPA00FmHFDY/kdNzn0NlqBEdyaaes7pZh7wvdt+br+vVDNMuaEfSAi9s6oU42O3o/3MJTY56HBQ+jWEoe07zRMw5efP3W94L6xEyIooEwEsS++rmhfYoMPBPPTlQa3Q9qZ0Ed+4Kb3uOpNP3ZlN4Edl1gGteZ2PZZB7B381iUz+cH1t8wFQOQHlnk4/zqfdd2v4YXWJzyIc+k7VzYscDLxAT/ukoQPEavOsfd1y7Fgrhl9qMCUdJ81NRHuecyaIYU4zQlCfrfx52rToR+54xEAcATlTkUcyaDcuL+1LeuV9ymY7tu0yjh9yzluNBUxZfpoA5DneMuPNJOJ9oIDfa8e6vlYnyIbo4OrydYja
4Vv9Y0g7Pgz8+h5GPS85v0xkjgZua3fmT7JhyAMdgj5ZIm0E3+rQjdlCe8mW1IHnxTn5eQitKXZj+cfwDyq/LdkTdCNh/UP980zAN++OwIGw8ILDfUDxZx/ja/M6d/WFsm24WgYyymtvzt9Bi9+vn0+PWTz/Sb7VarvajVBPN8E17CHMRKPpZ5XAcIi3GyVxMnH4/34I5e9Fp2CBvtmujrfui0V0Jgnt1eA4nbe/srIXKvPU8wb0Ei99rbKyBSJoTUday63eOTk4uliKQsx4RbefGWHjvvB+hMQ3Ov5tafLXotKbPtvf2dtzuLqrMxHZM6Mw4+nn48Ma8oLrUozBg2MYNQySEunHnBB4UQFDJoj4WOhxQzDOXLWEo6BCwfuTUmCcVNeEUIf44eRmqc/uu0c94JDIQBjSlOzZvDf9kWkD7NIEK/avt7bFICMQMbDZjR5pR58erbxit+zDGXyqPDFli3TdUW3YPj+rbgR70Dw1WgDPFYQediuy1xGMjOd19rf7e18N5bMjeyIjXS5zRqJ8n2E11U3jU6K+czV7u1xTzoUO4uOoxYk+Nrk/hKy+Bcv8XdM37PakujAhcYJtgED0pU1pUvY83M2brzL6uqf+/s8DABtzGz6t7Fr8jELLjxSZC3+LxMzK3lN8qEfIuEwqOLL8VkQoXFkCjvG1cnFC6cTTiBcuYJZnXl3xp/FfAHYJqScd/IgZ6wctlpTZO6PsPmKouOJuQbVOp75oPfLsj7Bc5TiBbgVf9vzWk8ntm7YhbGMxndj3aig/1WK2q/2W3Pja1X5piOJzWGZTc7JhLr0PRMjgg0zkYXJ+aUog5DlgrUbELLRfgYCuhC+i8zfWcHlA2JmAjKlKlVAciWO63soPM9oIBPqH1y5wJxA9TGE9IEPnOdKTCTvh5TohG+I4jHcSYAV8c0vrg3/QqhTsJafAL78B5Qb2rhi5UywpqHWBUM0wEVhExBq2z1Uz7cMqAMTW1Lab22td1q72612lsQ66Js2LTppk0jnKYtBY+0zVqOybTi/betnXiXHGxvt/UPSYz3DvZ3ME529pNksPh+calnPTgqNZpA/pwsowm7F53T86vo5LeTxTm2hYl1s2mnWYbdDa/5AfDJRkzh508TYtBsUNfAHywojyXbR5jXDmggQZnx3goR6aBywtgtJiqpB4UioQ39z4rmjO39nbeL3u3Gcui9dBPxyhg4YCRqK0dOxylltws/j9bo08Mig2P7yuzghArAm7Q0l5Fj9McW5COrLXJ8NYLLRkDQ+AsEjUWOyxbURb/qzkSUjTOz2rjyugcnYn9VD86qpfi7N998UibfWdfNJ3h5Ca04vrN2m09I88X04Vioz+YTjP3V/Tdqb7A5J+8voBfHN+ms+YQ4ftDGHVUc/3C9NB9j8sdpolnF4Y/WPfMrPP5922Z+RTB/r36ZXxHG99Aos4qFdYfMb9ghs3IB1q0xv11rzMoF+MF7Yj7N8/fVDPMpXl6C6/39dMF8SpIvxu1eqP3lU5z91X73SvtezsvoC3Cyn9vw8inW/kYO83fZ4jJkREjVk4TMc9YedYVN6cosHCplSrtJQ9PowlbVgFPsW6NJOhyp0GoxlSuevFkONyEe0G43W3tX7TeH23uHu2+iVmshpNQh4VFM1bQuYOEjpzfLj9icKUHwAmhbQDNnimqPrBeX0kNXQvjVPW9aiLy4lKfsZ9+U1cydL2DpFdmqaT3OCwDPdrIy+VyoEeqAk7KAYjCcgC3Vo5LXtURH1lw77X6CNSqbLQuvgqG9rjNh6a7cOUeY4UXgNDXdgNxYshhKNA8J74WYVMXbhLMhVVli9FiKFfyjrIP+G22knG0couabnWi/vft2p9VAGylWG4dody/aa+0dtN+i/1lQJdVZMPlFEtF0ZeczqXmmWa6tPFS2VPWOpPpvQ4FZlmIRwsyrEZmiGGt/tM+zsAzxyHn1qtjgjgpTSxgTpl33hnlcTzkXNuDQ8DGDxHX68YO6js
ceeMLY6w0Ue/O0WE6bFweayBVl0DhsDEWhQ8Idt+XUkz6XirNmssBLil7ACZcKp3Wd/M0LGN5o5tkyV1g0x1cBfhs6ReUZwzar1oOcjvHUwyHeMn7PoIMQ0qzARFyg308vQs8QIftYb3vM3NOEpFNTrumcScXdj2UhH+y2dhcIcWsBCzLUFleN6vUSZnhKuzY/L4DPGhBfk361hFeq188Z6ZMF97Q26v7krBZrY2QApJEe393PuSqSWTzSm/G0c94JPlfJob21tzpiCNYK3nqXEcZlr0NFgGszN+d0nvI0/6Fnt+fK02GKvbkQH/hD9kRvrna0He1EC+TIpfibmvwAQfAiLP4xFreUDSOV1lV3uHEl8GBAY3Sm2UQXgise8xQihNp6thTI6JpduriteRnMW/mFPf7QT+jXD6dXJ6Zd38+XJyfn5sfOx3cnl+bHy5PjUg8/+NICArL1Uz08TyhiVXvDzRq20PEy8BfVt9kiepfOwfpjb0RfP/YA7+AblS5w7Hd3F3DzbcJxXfGJ2U7GfuJN6XKdy8uWij97mUhHOFtANdfdKPiy0CM4pewWarZ4CABS1fHpyY3q3llsXW+QpLLlv7TVarXa2zsLqHVtWUhtawEqdlhHu3I/4pNDq4VZoEufIszYoH0syf4uIizmiVa2uRn6nguP+eGIRdyksXMm87u+SxSYrCcPoEIuyfBzRsTU/q5RbAQTczhDnCW+14WFUdEKB14vb9JJT//uJn+l5hO7iP1MuS0adMMz0Q9BYn5HhIOthO49ObSX75WiVdTlyc+9d6fnncv/NJx7pV6BrvH5XdY5anV++fzuqtPpdODf5j//WHbVDRLb1zrmuRTbyrU9cvW0WmfrldUb34zrcFq9nC68DIxFY8DUqr4JS2KXx5MMO0JSNkxzr8J+3u8Pk4n8Ssu3+3sD5Hzy20Xn/LjX/f21RbrJFyWngaq80gjwj2BcO6XF95cmdgwTwt7Vo3/8cnZ1CnPB2G44aH/iR7zDggJydkrYUI3MsPZpG3jNN7Me8/jXT5fHZi+f/Nz7rP9VID3YeMG+8i5dQmI6LlVmo1ckGqKbjfbGTQVs0+a/No4Or4XC14IkPaUm133KrsdTPJlE5IEs1CyzuNfK5Qar6cemMEuwSIpbwIDxWZ3igYJmmTa7ZAnGRnQ2j2glPHX6fUHujKMO96QratXzla6JD/88+7gED7dkWgMLH+gdaUJHfG2qQM0KHwDmYfnN/9P7q187lyfXefGSU/vnV9dHmRCEKfukcX06xkNi6ktOoCus3tmfYFJ5fU+ZJlRv2CUEUq4DWolE3udIS3lVt+mEC3lgzF4BVct7vbSMvMqokNX1Melnw+Ei0E1eaCHpdUXhTWaQtR5K22hxJmSMGSOiJxWeCyH0MWseotWa2M4vWyfHl7bLoQP5zKBz9CBL0ylKiDK9kcc4pTHlmQwLoKAn55fLs7ItvwBv1n9ehq9z433oVaBjaOkXmq3Ftui2rbpBLAB/BprpVaVKbC8Qz6uxZm3jyiL5Fxwwf4ca0/BoqiXxCbiFC50y182/Ff3/7L3rcuM40ij4f54C4Y7YsmclWZLvtdE74bJdM95xVfkru7pnT38zNkRCEtoUwSZA2+pf5zXO650nOYFMAAQvsinaqnLdoqPDkshEZiKRSCTy4p/Fq8d103WfZkrEYiYy2UW73nydKj6mgcJPro5H5XgfihnlcVfzBR+FfKcuDcMUP2s5wr94crvt/cCT213zsQRzRgPvuVmm2D3+qc+e5i/s84kfbMdO/JSl0X/HxAf5V0ia69IAvLn41B1qq65VGN0bNsdf7nf6B10vwqbinHB0LC8uWRr1kGOrOtocA3SrobI0yi25NcgscLlma54hfBoTKWaMBFTC0V8fGmd0TuCYaoovnp7rPWFTpOgCQJGI5nnBF0oKpBFbGcS0W8cOYlAKMXccYg77RFjb+hpBXKNf38cQCdKImXQ8jWfEFUtpRE7Pb3cdTB
YHkTCxzte/XWNBwn9fk/XTk8u35OPbIwd0uLc13ECc/Afz8Exrmtu7BVd71FS5sujm7h5Au2LNFjnfTm5WXvc1b37tOOzSR93geUFL1/Il1ccRr1UnCF2TorGXVei2W51kivAx4QqLhMqOFuBYKMJuWTrXQ2Ap0tL7JeB22ISlXIRklklsoTmy5YtYiEcfZoOj8m0dHh4xspbEk7U8Khiqzfb0d99u9VstbeOUQuXoVQnbOVaJ9RSVKZIBy+qna09tKZGslSb2+qdrTMRRJKFpXo7NIN2mwDgQnUVRA4JL/ofnz6w/HWMd1E8fz7DUOpbYMN2m5yKDzte5Rp17AgJ1fvMTOY/JtSXtGkovQc0RVWgQmbJAxFKlGdiAEIfm132HGiY5Gej7XugdLOq619vbW5tYQeRvf/xsvsfPPymRtJsnq3pewly9+hS7CwCnEkGcJZEM7g1yHjre1agOHpOYqTuR3pCZiLkSKY8nqJGcNWv35RHTqs+IiKkBSKU/6RSsexKJiQlU0K9q7TpWLMbKx74pia59qqblzulORmbMiJ97zYGl0jYrtIh2sPs1w6jGWKiqZmolLhragp/bSVJCpfSU17OXxzXgrYIyW2WLIFVEtlFBkIfco+fG8eEh42law9q1tvgtffn0eAcOvU8sRHh7u5qx0ep+SWP/R8ZWlqYAthUMYBaUCxACwvAX48mtI9atST1LJcGv7I1/g70RDTC/Ark/Sk/vMbRoTsdCvwvaIs2P/pjv6uHeM7Y4NmynMN4oU+6pjjcYEosmnIOINedjwmaJyvEB1PHJa/N2qbxWyMdwqaUgAmjE1B3z2qVCY/47gUeYtgYAngZZysKr1R7TLsF5Opky0MN2UNg3cOAOMCZJmNMdMhvhT6UrqYLt6sHCh8FVuzYWwr+uW4PKRf4XZbWPNrCZgJApls4g6C5JWcAli+a2c0DEpSIRvykkVMpsPOb3DiI8s64V/uvNTXwEn+iJdLLRI5fp3N5OJkkq7vkMs2+5hN4yfJZEc6LoTTHswpjHes4jOmKRxFsObRPCJnrHogiovzw7lrmOC0Qvu6kp2PSklHstOzKYstWFPl4A9MWqG7bT8pkEb7avX9cay4jvgo25JQusiK5y2bhBbKcJjP5ER+YfGY3QFjPPwBHMHPa8aMwosmzATAt2H7AELZqpMH3ZsIVRaVkZvdADnwkFhvJCB4cyBpC9wXEsVIzwu2k86kJU4fiiDToYOaBxLHJjtLAGOx4HcldImaARi8RdvUqo1x9FHePzFv1GVKrebG4g4CJCLUKlcgaD89MYKIWzL9AqTa6O03JWgGU2GmoBGhQUVaew4HP0cGMxpx5bnymHsYZeKb0nqZTyKHcC1Cx8KluktGlxVyK5AqI+w2bBxmMTZqPNYBQbw4t1dnl2vNFBJ5WLfs1nIT+4gdLt2FYgoD59jeAtmRq3SHnc3OeVP6nnDKTi695TYD9ZtJ3kM9FsY4Hv2wmYrTy9IsH6ZMA//XTyoxTcSygF96MK3APs+GoLwP2o/fZMtd++xbJv32nFtx/F3uo48c2nrX/rJd6+6epu33hhtx813R7nyfdazu3rruT2o4jblyvi9qN+25er3/adlW77Rqq2/SjY9tyy8GLOyk+s1fY9lGn7Niu0fV/F2b7eumw2EL9HI05X5f5f0+YvDLDOpNOwdmjT4l8ymDtI+IJwbZVmQKrN/vDzAyD8jmL/tOAGjU1a8GubGD7Xakf/poV73vvv+NcphPoK5YNM2R8Zh15tc5HBnVcmGaHk3enlxxNyeHn5fx39E9pgeSVwHAkeub1K9sGr38jav7qHExarNdI8C9JNzcqaE8G88LAyIfkRFe4dIQcHKutAYg4ZsSm95SL1ueeuW2YiZBEzpmWFeT7z6znuA61hvsORh1VGX/R3doZLs3eFNsZauUzBV8ViuFWuMPkwfMvjcGkuJxFVWlmtVMe4QT4vv/1MrV/8TK3DXy8qqVKHf2Y27wn+JI
fHptbK0Tn+ccbjzKRPzWjw4QL/fI+RxvDBB/lhPOYBI1u7O/jcBaXmDdu7L35UIqwY+HDrJMLxt17JmQFbKblVl9cA+UgLNTaWkxGfN1Zcnr4mCwK3eM9xOBYoqM6CPZdTpWhw05txlTLoXW8BbIKO3Fx6elaaNTk19/badFtywboZ8Bm51IJFRyGumHfYHxU/XAoRFVZvTBouo9qZ0xRWJ0wP0nQylLaEgs9jDsBQdZPQI///gwQXrDSA0imEG5F1dt9bLKf4ity8POz3+8NNslHlGPxSx5hVbuR+ErmV1cZM8nlSEZCnM6nKo2LOfolNn1nTZmn0kpjlg68yrimUIl9ZMAU/+OdZmna0J69OC2g5dtq35ObloL9zUCN98P0CDj3vGn2W3LAHNO+D5vzS87DAulrZPByJ2YzGIVyGXCAV8QSbRScps9fx1Tn6QgqiMT8fOb+sjJ/N313AWJmNPpeugMB0VBj+qE/Vvz6sp7G33x8sUh29fr/xzfUC5r5ANbNYkyw5QQ8f1VY8QefijqUXUxY1t1rrZ+jLKJnGrPbZu8iyXzGrl3v/4elwkxGh/0VxBcvtDK/rJqnIktcErepSG3Yt9M4rqwSh+i19DouxXijkAUpTh0KSsQgySQR6Xy18QhJbl5YryaIx7EkcSqrBvUM0J/RW8FASHndDlkC6IY3mkss81B1RuO/t9A8MVP+SbswjG6BtKu9rov5SwxSVmjpT/oq2HAp4Ml2Z9/4C80XNxYEttYFDojiGWeq+xpJcPqsr6vLs4urk6PgfJ1cfLw6vfj29/MfV4cnF1WC4f3X05ugKr9KbLtQg4ixWvWq8/bOnWJ+869qSlVLROOzSSMTFK1cBiaN5EAniVomFymQGwjPLFPzRhRxaibVtyXWVpKtgCsVqJFwL5YEmDiik5GBSK94hUAWZK9WWKqenvV7jm7FFmKyIxYdQQ1KMC7z2BjcVxWb0hpEsKV94O2YAig/NRas5yGvv2FmgyoT75KE9WJEFIh79MEjUK4BXNRnjtzWclLUOsX8190QaPKdUTnuzcGdFE3NU0FjxRJviHGLj7LJ/d7xDQj5heJV5fPLRzZ+5YHTcE+MmS6YUaIUZWwJKimhajf/Lz9pzwVd1gVZYdtXFVgGMykz03+7tHu29HR7t7Lx5e7x3vH+y/2b/7fabt2/e9o8OTho3MvDnRE7p4ItNysU/Dgdf/awcnGwdbB0fbA229vf394+H+/vD3d2j4fHBYGc42D4eHA+Ojk7eDBvHXZVmJ99qvsj8DHd262fI8fA2vzt/+gzlUHGmnmfd7O7vvd3d3T3s72yfvB3sHfb3T4Zvh4Pd4cnhm+2jN0f94+HuzsngeG9/b+fNyd72m7dbR3uD4dHhwfD48G3jEG9DIyYhrGjSauKrvAxAW7YdMLCfwLSr3YgKFRS9Waq4PPKUpI9CKHJ0CKlLp/E4pVgtKUsZuWR01iHHRz+7bNnjo5+XyOUwg/9Ot1a1faMSwCJDeYF/HFdCwfNQ29hTTBifk4SlWtS0iF1cnG3mdjchUxqHckpvquWfwm22Mxrsh7ujnZ1gbzDcG+4fbA2Hg+Bgd0SHzXvlGHY8R5bHMVVsEzIhPBsZKrThIE2SPvyVWZMf8WrYHw66ff3fJeRFvO73l+vd4NH75KyPZQkuJ4E8RuzgYK//HMRCkah0lfGYh9rwDmgUaWUZk4v3p0anKhZF0gTzQCYhZshMhVSgVZTAb7y90uoHCB9Xis3Q9Yn3h/owRZTokV+x8l8h1vyW8oiOtEpwgeYO7oRpziccz8HXIdMKDjtfmaKS9cliS1eRtDxHXfkl9XNFI+ea2LHlUY08m+NvoIqPRZDNXEH5Z9LEMkuw2c8VnqVXFWTijlVmmHrboXCIx2+mLIpE3YFlwQl+uLN79fejd/oEv7W/rc8z+YMnR8cPPermZa3V+edHXYAvVxfAn4LvvShALS++sooANTS8hPSGr6wcQA0XX0x+Q6taAD
UEfenchpUXAniE5heQ6/BZqgDUsOEbTY7wKf3m8v/LxH07yf8+Zd9a5v8C2r7ftP8FDPm+cv4XMOFrSPj3Uf+R7f8Zs/0LjP+R6v/5Uv0LjP/G8/zraf26kvzraHgJR+CvJ8O/joMv5vjbKr2/jqIvff591tz+xwh8AYfdZRP760j6Dg6uX2VK/yrPMwsCGPMTjm0zO+G3LDbXJB280KRJEvGAjqLqTbRkQTLc2U0bn1yYVHQUgWJvQOlIiIjRuI6gN/gTGUe0QJYp/355dkFiNhGK433VHZVeG05teDqTSqU0ltCo3cTJxoTFYA/pz1kcs6jxcovZvbqyIbOfdSpdnO6IwVeANwt75NzU1cczFuHFNh6nh+8P8/bJ636nIE5jCmHLVGordcZiJTdVJLuusZqmoYtwF/7Qu5+qWfQTjZK4a3Hs8lBulEKkTEeW/NAQiTuWQouR2vZXm4NeY6FLmcxmKxU4LkvB1SBwZlxoC+Oo1eJ1jwZOWUobixnep7/MiF+D27IRv1WSvlTE7yJMVsTiVUb8+nPRag5eZsSvwfObifi10/Q1R/z6c/JtRPx+yVl57ojf0ux8IxG/DWcoh/oVRvwaGlca8XuxVGxvJaY33yMQ18pR7rPE9prBf6dbKwsiqw/uxYGfLbh362B7e3tAR7s7ezvbbDjs740GbDDa3tkbbe1uD5oXcEJ+PNcVrlR0llRiXU1g50sI7vXofZZb3WUI/uzBvYbY1QaaXjQOKS0p5BoFUAk6WpkC+BEH+eXiIP0p+N7jIGt58ZXFQdbQ8BIugb6yOMgaLr6Yi6BWcZA1BH3pe6CVx0E+QvMLuBr6LHGQNWz4Rq+TfEq/uTjIMnHfThykT9m3Fge5gLbvNw5yAUO+rzjIBUz4GuIgfdR/xEF+xjjIAuN/xEF+vjjIAuO/8TjIelq/rjjIOhpewhH464mDrOPgizn+toqDrKPoS59/nzUO8jECX8Bhd9k4yDqSvoOD61cZB1m8pn9ubN+jaUYSmrqrDXvdnNBUmngt+F6kfMK18GF0Ws1FTm/Y2Dlu52LF4YHvNfcj/icLMYQOrrBddCBsIj6Zj5FoC48uJNCJXUJjWxu5jqYqRQvoKVDzypjsPDcdbfePhMZgR9uGUYHA6v5aTaiUBqz3F4P5IT6cMnNhBff7ItHHcwjVQyAUI0EpxO91iMyCKYQCQMsIJhXGhkJYgYGrVxoPGKxcSkKq6Egz+4+MpfMeykUu/ePxAd0/2B+M9oIg3KF+bVdA9jOyrswd+IxlVyXWTE4iRtgtsCriN8znjIlHGzF9ciRKTJjmCJ6Q7M2dgUz16Tl1/JvSOIzwpOUG4bFiadfETbLQslSW2bc9Gh8Mx1s7e3ujre2Q7tKtgB0MD8I+67Ptva3dv9RIqCkX67HZ0vCZmW2HbSyu/jscSyhN+WSqmQgo6/fuRHpDZozKLDUHSpBhJ5NGft1U+FJs94gSk/v9cX93j9L+iB70h6O9BkzNUtRjpi7xp49n8HFxXeJPH89sxWHYBkNtu0IRIDwTCo2K2SZpqvQ5/dPHM4m3luZJS5Tmyyhl9IbHExKKu1iLkyAymLIZ6xCs7dQhCVVT874gNsr2KaWGEfCK9PerY4BuxSdLo1wXrRXLUq05kSHkNCZSzBgETGulpfk8o3OspG3C2k/PNRc2NWs1v0OeskBF845zR9AiaXjM7mnY4OPQsDsYNu7unMkdeDcmQo+hf7o2JbWQcz6GSJBGzFxdazwjrlhKI3J6frvrYLI4iITxN17/dg1zd/3va7J+enL5lnx8e+SADve2hhuIk/9g7jqx7hcIFh5p/iQKVoxZhxZdBxHRflXeB2sKgrmcBhv2viqJgL4AGq2ccRhzq7W0HbzGajFL3pEGsgQhv6GNxosYDXH1KG+qLqvQuSQQdSCZIlxrLRN53dFyGQult4t0DuXap7BrFt8vAbfDJizlIiSzTCoAMtI7gsaPhcUdJU9hwIdHjKwl8cSrmq
VfX+vp77yx3gtlgpbvsGacoQvMII1nvttZTCVZt6dcRdPe5M+NDlDuYALbqDbpYz9+0AnW+trkz7UO4oMQ1jaq8pQYZ5YVonFKJ7NmPutWMnQuUmWMdKNWCNxo4SL46dpTMkoka6X5uv7pGq+oVMFutkgb8hwtWdTEurUxKebLz9wT5nSMvTb07gIdSflMa0UawxY5FxkUds913tyba6mEH+XFY3KdpVFPw7uGpCmIPQWdieuWS/BkxhjtxEI8BYIxahURmFsOpBRZGtRnvtj8nFwbvd7e3tqUjKbB9G9//Gy+x88/KZEU5sYqhxc/P68+xTMRalMqzDUaiK0kkrG4wDfHr5qVz2MSYwtGMhMxV0Kfc1ChiBEYQqHbLUdMay4jFjCTKaPSn2gKOWQkEhPZcfsZNDtQLCa/a93kzhkmlhgMkMKC8uVixozIudccWCq1nr2j0iHaKRhIsVBVxdJKRDS0BT8XpCehUnq659nTjQz4vHUEbGC9Eg5qurz0lsZR09IYnv4zjFgrDSvSJS8U0Q/y2pysa/EQuS6t4LG9Xb1w2N7eKiAFR81Vmh0wgBFW/HXE0PrAX0zaXh0NTt41T0tCVdlf/gb7C9omvgfGH6WndTYtGpCx0O/CSkzzmzOMpvBw7xnrM8UrOhhvlCn3VMcbDIlF68ZBhJQCGhM2S1SOD6COT16btwMaay3iro05pCzEilPFyIipO8aKGZjqTqDRXtpEMSmTpSy8Wu1549I7XeaDgqq1JyhNb5KwvOF0NsKfvGmsWGseLHwYDnhrYyH8wKM1PSFr/hdlTYlWn+FryBRLZzxmod4/Ay5ZZPI9KOT+GXdFfmEts/GY3zuI8Aykub7e3MRH8ImeSCcbPXKZzk3BYZokqbjnMwzh4FKfRSSfJdGcKDhxVg1CPZURHbFIau0TgbkE+84diyKg/vLsWOaKJhC97GatqsLLcVnOxQYH21XJwQVAX6wWYWMpG9cYKHD9utY8RHwXbFFFyqxArVLI3SCgy40xjNv9nPyR0QiNDfNMjM3oQSHleoBGkaUOnffsPmAJbtlToU8x+rUsDo1lXVnFPTiqU+vc8M4VZQzArWjS2VE7we8BOi2dH0jZpnEwckDjWOTGVmHFdDwO5CfwMkEjFmH+SnUB16/2okbweYvuCipVbzY3EFDkcc1TqdZ6ZfeAgVI4mwGt0lz7OJ1k5VJmo2FPZqNBQa10CsszRw+1uzHlbQh9DmMNnSF6Y1Ap5VF+SK1ZplQ2vgVVIrkCMj6DMmfjMQsgBUFbdigohvp1dnl2vNFBb8hNLO5izcKc7/n5A5Rix3ofQb35S9tbJDUH9fK4uXPFa7YWiBnIwdet80HfL1L3+Uw0U/zwfUFuMsnSFUYYfDLgawxuHwP0mBoXr/282McLUgiuf+PptZYj4TEaxVpB0JHIUHHCo3hWg4517Ja6o7DxKsIpz0mJaW6n5WNKbxl4YhhEfIjUc+nEKuVMGrMRBgG1IlI4GcbwGg+tprDuaBoTCjn55vSIO4CnKGdm4p7UrW5K4wmTvdVqA7/5NXp7RTrPWQ6m8IxBFJwYL7LlaEzOjg/PNWsPUZiPHShfDTSvlm5ohxykFQp2Mcmpeckkg57eVJ85uuf5+5FqOl/J3ADoaIvBNcOonB8PoxFLFTnhsVSMx8uyBGT9i8ksjP6lhRZZsLIewNVrRFeYCag3/TnlXCo220wiqrRCXVq2kYoVbiz+LOJgy6LoZe4/u4x9cn1kTQ0HaDCTYqfSwiY1hqt91JYxobGI5zP+p+f7Rfa7j58kG2eRXoTX+qUeD6+1DOIHTeC1MzoDEY9xnmlU3BjjsMaOzyQLlxfXsqAGeZrHcwqpvVWQNdm/F91Bd6c7HHSH/eH2cPtgMNzb3+sOdw+G28OD7f52d7i1MzjY2d3b3+0O+ktUvDYkVqW4LZHPr54vpiI1Z0KRkkhMvIvdOl7RHmupmlMRrSzL2ZUownAOPRKhaLopnq9zY6OVSH
r129oNH9GYXtFwxuO1DllLGRwS48mVBrhE4Z9vzlpyV8j2oPBdGoQ59S/UJMwR/GEU1jDlOzYLy0z4Wg3DMh0v0jTMkfxhHD7FOMz5+A2bhzmR37eBmPPhuzARv4QF4cc9vUTjoHnQzTNYDha7b9UoKNL3Ivf7Ioqffyu34//YpRfu0pZFX+sG7Aqev6y9tbmme+LG66J0voc9VdF0wtR36ZowpL9Qv4TB7qXaHV/AKWE48q0aH8ty4EWaJ8sS8SJ9EQbDHybOUxwRholfqxHUnMIXZiZ9ZheEYcI3bCv5wVJXdGIzebyQKZJ/2yBwCmHY8KkYUvqh5O+MYWw8JaNU3HnZ1W51X07Z3GSjyKm4I3oniskdG9nUYMhd0aB4PMkD7U1NgMyhaoPcnx7rFDI97OdS42a08hzz86mI2SNnl5UglLO0qnXomKa8gNQS+VlfzpSLPWm5KkhLmcJ34k8eRXRzp9cn6zgH/w85Ov9k5oN8uCCD4dUAQzjf0UB/8a8NcpgkEfuVjf7J1eZuf6c36A12HJ7r//zH5buzDr7zdxbciA1bg2RzMOz1yTsx4hHbHOycDLb3DZM3d/vbpmOUY7XsjemMR6tKoPlwQRA+WbeRnykLp1R1SMhGnMYdMk4ZG8mwQ+54HIo7uVFhID5ZwbtZhuXLPHp/wMob8cSYh/Y4EPuJya4DSAoVvNAIrkgXCsw78Tu9ZWUe3bA0Zqs6tFVowNEc2lg4hN4tWhfbve1evzsYDLtQJ5QHZexf4HHuyTNsywx487toSv9V5oc9Qnyu+bTjmbUbsFgJ2SHZKItV9tB6pekdr6xXjdjKjgkSg9+vzTim8gKcFqhiE5HyP/EJUSaSx0q4ydXq2GxZo1TQEKoFsjTQhj/oMc6kd4b44B6XjIxFFIk7Ddm0GcxzpSETbt2VItp4TSIeZ/cdMqMBcDTm93myhuFrtWzEhwsyF9mrV6ne4SnkZUAKgEk7MsnAEZeqY9L8vTwPLC3gQCYiyfQZKuyR84hRyUjEFMkkZESQ0VwzKtYj0Birg+JQJ0cXHc3VJBWJkIxwLz+QhiG0kKzG9AOZTS1lIXurrX5VkfOmCmvQ7w3KG+hqUfXKij1iRulN3zPCbyOzYRrz+5ezw/dNDG/9nDW5aZrncJoj5Jzs94e9wR9E0cm63MDksYQGN0y5gkcScz+oJDyeQCkTaLaBfwJ8KqUIuCnep0HENrkbzu5wuNdUu4VJXUVhMxhuibbRpFsp7zHHvaepr6MiZYFIQw2Ox5PIUKvoBNLMQDtkUA4CulvayZtiAQSN6B9dHnf/ICwOaCIzxFJ2jOuhDjNSyFtX84QHXr6bybaAEi/UJehLFkuRknXWm/TI/2DspkN+5SmTU5rebED2Ob9l0Zy44xk4mlI6hoLLJU7wOGbpwllFEAQfMsTlEyzJus0jMVDNb0X6NxYQ+TB5SJ+BuyyVD5CH2u4vVp1Hc6d/eew0lKY9rpEVLejY7IhZdig6mYAuMCA/jGw3Mk+4rfT2fCk3u0CN/NnHDUgn275rCWq1uFVh6pBZh1TIZZAycICVV5iBCRh48BbNy5in7I5GkeyQFIRfdtADQkMyohGNA5bKZzj/rswJC4SeHuPBQotKXsbazUpVjzfdi1Z4PP6QmKKeQAG4npahQWRK8vCRAuluN8iimKV0xF3BWbstVH5YvD/o7aEAqEFmG60ZmlTS3GzH6dwx9aS0MjT4VloSAjpRibE1ILT+T4MpVwzbeAGBqsIvCmFIMs/3vQTD0RRdsdZ21+mD9bF/S3IMp2A91sWni5MN/Qf2V4jgQQc0f8EWYxQpeWvW+UYhUzVvdv1HRqO5nGQ0DXv4NxQJ/+OOjaYsSjbH4goqA0Wb2j6MWDhhGvRmgcAra2sz2Zuq2W//BYAcYkVm5M/+e6O2LoytcWVzEatm5avf1ixdS9zkBpHeXGwS+YqkBHpGFAZydVYLXJCBSHNLtDA5ua/HL2cDPUSgJXlwK+VmtV
buLxeNC3t7GL+wY3aFl94X9YyEJWd2Nuk2ehrBnukPW/f2gkUR3LLejKuUYQt4rdE2x/QPEO7op+CWXUHC7ZWHnLwKUqaPVb8dQZ15N6yvaTnDHfvkPhFS64ujX058Cv9dmdXTWJ+hPlwQbFJDhr3BsLfb8cu5FNlhzoIfz4+W6PrNoGXDqpeF1Z3erRTYR3h5yuUDU1NdEnVTVLMmTpqyYGV2iqbcUmwUwvrp8YYtLmD6cBSKctRtnQRzvHvk1E/LJlnxos8MYIDaW+kqX8t7RlPRv5tSdcXllV4CPNwwsl6W8dwxUJb10+N/18xRFxsf9fv9xs1voLInW13Z8kOSMiyrtljBFKxso22w1OqMKz7BQ5LjhZ0MJ/1haV7KjKmfkWDCuyMe62/BKxxM+N/0Hz87Pu4OBkuwUQve1UqF35w1RUpkQON6Ua1thTXoD/Z7ywiFhh+ztHfL4lCsquD7pSkWs2hbBxQIolAh65LFdBQ1724UiJT1RnlfnIeIGUeC1m6jry40GKwYkdJ4Ym5R+72+tr8H/V7f1H3Rf5IRs7cQMyEVkeyWpX5twTfasJQGotBnVG2nScmknMG1LWjtJBJcWabMmEp5IMk6VYoGN+QWQnxyvyeW9bvnat4hScpvecQmzFQ9NnEdiqVYEnqjQ/gsoYHKofpRGhqGg6tfm6QAVoMy8VaAk+kEC4WoFxgBNUaXNdBBdLuhCDJN8kbFPt3p7Sw3xSy+5amINbRGt5+faa5PfLQem3Qaz4krWglSYmaoQ9rMENzt85Rp+PIFTJFis0SkL2l2Lg1Gj00MXCHOqMqQ0ZqlIfcKaXUK+7Wdq+D51kVDDq/Wow7H9/e2oUrB/5EfmNff/3K8kW/2UHVMQUdrxyOYBpBPGt/weAKO7LUzcbfWIWvvWMiz2RpK89o/+GS6BlOgD2fkdqgn1alPBxEkQZbdlBBBmI+lYKgc1lavb6pXzcHTGLIxj4tleTWE/OHCHHlSBE9wScRdzEK0XmhMJ+iJenv68eKy9yGdYA8dsg5faOVJPl10sel/LOJukoox945aXveaDrmbCq0MuLS1tJUgUxYloPfB7y5ZAMKpLVvQE9r6SkTs9YNTjM4koUEqJBrOdyKNwgUiGt+GvZhL1ZuIW/BUdI0qAnGtKgO8QmkmqmZKVmhduFmvtTCg7pPmHigKuwlSaAUH/dcjx7Mk5SLlykwESdmEphBj4KmAdhysGPF6mMAN/YhX8n6nf+A7I6FxzlGpI/yD91Vcaisgws0Bb2rwJKIXlnVP6sVyX2rbLwutOX2/JcduH9GcRGIyMV0lyOXZBdHKFO97Qj7hsBPahn15Fz7HERZkStt4ZMRjmnJtx1xsvjt9d1IcLTZR7yMRwjOwgdJoLqGcMhRqt1gK8PvfuDX7q63m7vdAw8BYiR0u9NsdqODtboMhIvBa/wDNka57AMZAnFI5ZdLK2/HJxy6L9a5R7MKv1YyLWTdtB/Sb19D9BYrjFy5hRiy/bHa3g3i7hYjol3tySoc7u9cbjryTWzOpVOWBuH4/3Yqz2d4w5ddvslNExbICWzQhP/w6lcYdrWfbOLDItYpkz2sndW3aRxiI8HMQcRYrw9Cn35XQCBaw3m4go2FV8aKuJ5fpm+eNa+pgrl8cvt/oYSSfHkeSW5rO9Y4QlJYpmA22VSgaEN5cgctnBL0+9fKEKE6c0byJhpb+4/cXxKeYkHUNypaxlsZcLySKsGpn0Fd/9ap+N7Y+TCvvL9KJ0jWibNfDvaZV//It+h39X6I7pSyT1rw9pcH7JXSkXG72sCGlazipTasO+fDp51JbemhB+cBMu7XSdsZfTCfKd1ootFb4hbO7JYn40s0n2y3c0zh4Ap0voAflcmSXJHtJ0r/RXpWxUFfQhqYBOWG+3xbPC3zGCHT44cG0YhRiK4BIxBNmOniHUNH6lkY8rPG5Dvvd/l53sEv6W68HO6+3Dv7vfv9183wfTRDeU62SIvA9NKFmcNDt7w
M1g9fb/dfDneWo8drJr7o3+KFroG8DhvCCX1V67pepXKL7tkdPkKW3q1pEcAGu4SMtJpyFRZF+IDA/eQ31vZbn3smMYDd5yxbrvKjQr8+oyc6w8RWBxwR2n4i4WdMpr69JgdYTAyLveMFSKD1enDQMbmhG0O7OztaeO56G7L4UaS6CK4wvK0egNydc8j+bTP4iosFFwf90FyDeXMqEBvqARkZcVa3zYX97v7mbJeU0Wm3rXpMkiUPZO1PYcpzY1u9u4DIBBSQViwPfnz02N9lQwh1mPJnSGLvudghXXmw4nmKV8TQIOCRF2rCAa48kwZBxBzrv6ldh7M7O2zdvDo72jk/evO0f7PcPjgfDo6PD5n35rTtj5YrutJgyXWjibpHwNcKvDEInZzMGV0F+EXrckq37hfxdkDMaT8hROk+UIBEfpTSd98gFY+4mdcLVNBtBfNNERDSebE7E5igSo82JGPQG25syDTYDALCpz/Twv95E/HS2tbXXPdvaqfYk0mb5zm53CTVsG3B/keOmdOfNRT3Tn97y3tH3JY6T7U+TFu+XcJwsqx7rqNGLZ+F58uLy59wG7ZCznwv9/b3zJvry4XT5bLP9Yo6SBaKXpeJLnyUXLcrCxD2FqBdwcCzR2JiMb/QQaBvjr9TS8bKJ0AMOpkdFzLYeQrqrR35NRgyutmkcTEWKH7uBjXg09zlv8JkCCv8vwD6ynZfMnqRfd/cT9moBbkKjyDS3BPezRrXWYw4pUVMhlaeokU804q55ZULV1D7sPViDoP53zJKUBXBr0YWbg/xFuKaBT7yYHUVjm55VwE/T11N8xv60+feL0cMo+NLDMz7BuExzdVCAjhwpgBWwWMxX+OGqTm4WkO7mB8JuIBRgkqUwKThYHX0NWK9nyH/uQbIAaNs5fRCyZq4295ns8Vgqz4n6KI/ALYHvEvsu4aFdFkEksjBfAUf6o40jSMmMKRpSResXxTvzKwaDBIVXIeAwP4/QMLyCB64sSP1kwKTEYDN/jRQoh5d6fEYnXt3bRXdTfr2TGe/SURAOhlu1miUXnVMNm5weu0BHJMTyygjOT+RQzyE8JKLQF2GLqqash/haLjyK7yLxqAXzoIh4o1vUrxow7GEEHBMcpKVxKKitJ2LRdLl4eMxoMOUxu/JyuduiYUD5aeFNsfDjw648LdkWlUXwmuKTpAI07JMFxABaXj5SNslt1bajF4DUjmzVXCiCG1hHRs8d2881SgF/AztK7/dRxKD5Nyg5/E1rLDkVqbrCnSa3j6x5geN1nY5bYAY4tJpwIb+bLwIrqEvcB6E6mPuxjo0eK+tfqWXngqG0Bl1+NNDp3pJectTSm80GbT+caRFLfiKXH44/vCb/EHfakJrRBKsp/K2CS8GkIQ+bNWTx/kTcHoUo9KxMa0vjL4vExsj5P+wzFdCn8Vj40m02P2iHajWdJ9D6+1pxNrvjydGFn69te3bKHgtkbz6LeuY5TCCkKfqaYxF38zdLdYjFokadjVbG4qks1NizIEZCRIzGDadjnPMKUplyMamOK2RvlPGoOmRVApz1sjbYPx70D9aaofPhgsAIfoRRPSKBCFntunkIF6lSpoJpc2TsKFgsNJ47ib3JRiyNmYLgCSOh//S/q4Gb/+6s0aJpmQMlvnw+rJ/zlx7V0QWk20pjeS4SEdYrsKXUgsebRKArrjrteqisZjdoO9K5CMmn0+P6gXhSGafwVfMhTs+rI4AjI6HB87Eth1gdTISV7emJg9mSWAsGKx0dnz6gBViXp69H/N//839JUwOripLZbf765H3N+/lqRpOExxPz7NpfGyoVjyazD89oUkUZCpuiZ/LF4e3hVo+8ZBGkF7081B1m9YinLIl4QGWxYip5svTmcBcsmpAlkZjPSo6Upw+cw10wMLhYx1n07CR7gBcM/Yj923ZgB9bc54R8DHmqCnsu20bzeeXRNIsVn7ENu7WbXTTf18/dFzUYmB/zHd25U+p24Bw2eabtl9
03PTqYsXt5fPwDx4fyMOIuZmllIB/BygxZzsCrRYMuf6NMFqnLB39MMMhDXvha3BoVZy5iUxLSJ+NTV6uhPGaheEJx1NqfYpHOSlEpteQ3LLls/+WuSCiK/xe7Un4XkbjhtEszJUIuIfktXzb/H/5Kjs0vc+I/RzyP4KMO2RpQvt1s8HAgF11VmOd66LEu5ro9thYb+e7tJY8JZBFjh5pXOK4em8b+q0aInNBgasooT2mhSIEJ6gtoTEaMMK6m+VyEJMywIoqiqcoSKxMIiEOd9xnWR3D3EpADktCUzpjSJKcmZxLmmik4kmMHfPhCf+yYJHxADTKtaKRBKImRTafn+IRRWISHHUiPgSTKAkqQcqUkcKaeuSZ7JElFmAVND+GNWAxBdm6vMQPoY6Kj+iGEViB8BYReSVdZcd3DaeMRpLyk/WfDCaG6mArHMk+ypN6EoeIlj+sxzNIFiW3t8fr08YxMxR1GiyEiZlUAjg9NYZClrOl6LbpjFuDz65TBQsx5ckelW2TGqUUzNdX7la1plJJYKOeRuONxJCa5+l37Fb4YMarW6nXsW5OjZw2hX7H2KWZ/kTMx6ZWdY87ogHvSUqlwrZjvUq5YgQkPTEBK78i/3p1p6zhlksWqUKsJr57FCKTF+KwNhqUwVSxZxSWWHMzvsDWsUrlRSWSW2KKGHs254rS0k8PzU7L+jgepkGKsHHN+4VJRUDwxu2PpRs8vm4XFYB0wUyQG9ikjJpjda6prYSUK+FkyBThdm3eu7mcR8vHagaOyongFVmXC3H+on3jLw4zai/tITPxk9Sl7lN8c7p3HWYRu1FRko4jJqRDKD/xLsjQREjM5GaYemmRn4zj1j+i5HObra5bQ1HNdmlxrH5BGVAkScjqJhYTNYBSxWfn220k9qTVKF0jfYRS5mpW24JvBobII/NRuMoX0f0/s6tyzNOGeAWVqKIQlw/rB48ylm4/ISCJk8eWlLGlosiYDkYY4C4mQkmuxz2tfFmCu3fEYYEZisuac5FVy9WgiLTzeZfcJSznWoMB3/drDBEzE/Ik8L3iR/5YGit9yNb9q5MzLOVg2bB9g4SHBiLpoXi7QBGqWqvyzyV7OUjglWtyAq0UavaxYLRQQdQ2Rg5CnDPuINwg8QlNlF5gsHyDcSHVnY0zLv2p4NG4rZLFXRceVAgACbfZDUdAg7xmCgCua03FIy8cdZrl3kCkwil77eBZHXX5dDBy6ruECgLsyURtFFizrRmolQ24Z5mUhNTJllT/LVAaCxu6DKJP8Fut1F0BBayMg5Rqs4bnIQEACmii0uZF3oAJFbI03iQUECqCUKG5GHds/BU1wqGJxnbPuGsbRDA3JNTw1uO4UcYNvh9emHo8gIu6QEQtoJn015I0AdXVjhMnjogjQNOJQfckQIMZu215qhh/0LZTnyeR2wC0cu5/STEImdWQCCT3U3eo1dYkLgCxfcaX3yJs5mdJbYytIlhddxd3AbFWKzZLIJArNC/DMfmdLIIdUTkeCpqE0RT7gbrIbMZqC8fu7GMmmzpHDgjF4ToMbOmHvl/FRWEhveEzTeYvXVAR3/p8kS0/jJFOXvM3oQqh3edT4ci9e5vErS7yY8Sj8pXD+av7ykTZd4uW5dSTSNAPhPYTqCBfKz95vDCVlMN2fVNCK2ceVoqPLvKvyHpTLvHbLg3aCmb96xuJJSaE2B9CSU/pVIyXv6O8lHbw8CB63AZHy25a802+mT3y1Ldv1L7/Q5WXlJFbp/Ehkcdmz2eDVe5XS03gsln7zLeVRlrbjsvduS1695RFrq4ve6sO3ViSZXPrdv5d212ZvnYYROy0Y961AgPJrN8+ns4SlUsQw+Bm7ZctL2akteNfy9eQQi5+0ePNcpMuT/E82bylcZ1QqvU3+XYjmVyn+yxfTTIXiLm4HYPYUq+RMTET892yJO6DCm6ct3zOXVu1RbmWSwAbTVg28o/d8ls3OWQo3bHHAzlkasBaL6x00C25FO7560W
K63vH4udBHSJfTVCgVPQVM+8l4z+6MCLWQwPzlVnPwnt1dBFM2Y62WzXt218pSei9meh96C31A42B50/i9n3bV/LUPUfgEaj9EYStqPxift963W03SOW2hyL3F8cTt9zxlt1xk8qknCQun5cumwPAZl8uvz/br6ymLy7zbbvrMuy3k9LxwcbnEexltZ2CdZ/RcRDyYt+Dvf41b27IfGZUtXgMNQNsOegGH4TeRCG4uq+EUDd7Hhsat5Mm82xp1Y5mhN6GV0WFBgOv/qI0LxkJoO3m23ET7N1uefvT7bHn5vlA0beflaufuaUudEkk7LDHP+1jMKI/bSTVCaGuCm9c/yZZWqPd+G1P08qIFzpfQXP4JPEMArXwX+Gr7o5L3fmvKsfLhEyhvPdv5660mm6VguF5gaeE29IsbFp9E7Ja21sGXKY3ljCvFQrMhLL/c2zKg7dbzq0hvZEvzE++f2r02bPfaVrvXyuGaDV/baffabrvX9tq9tv/ga38pv4OXdEte1bcJdsgvzzGkwZXwKgdpmLZAfuRKzeWiQU8uhfeS18N2jEKrUdN8bu41VqwgF0xpHBfcjyu928fR8ObdlnWELpDQFPUOsmpoaG62Ld8LIL323DHW/bJxY+ayORITeW3zME2BdRPxl0cs1XACcVitfBk6T4+L0U6RmBRiaLCupWVKqvVyUcd5zTLh5ZyFJuR3gJfoAqL58CeUDfy9ZHRK8JkoTqNo3rO5mEWAKaPB1ISozNDTZ+ZnffifreF/CvBsVI+L5pnwGCN6NFLD/+xu/+fhyJ+NYmQATDa7VyWc7ngUkREj/drZhGLzVy8xxMfipKcRFkEBXCBilYoIFoPS+/KYpSks6J6RISyjb8KA7qCIoJqymEwpFJwsLRg/FAjG5ym59thy7eu7mhzXJCieyZ5dd+EI5WgGVFjkksobFGV8CvKcXRtjo+nq6MWQ/EgE1FcCNIEMKIxWRCXETOY0rqY7WuQedoCo4YsN8r+aNEsF/Tyi5erMwI+IfGUpLdoLbGZOUkOQVwL0SZNtxrjioVWBR9A5wVYu/4hZUNZX9RDj49XGpNVs7p6iJutlcRIpkWg7A/NrpMhTqxs1hCkqb1a5zjT8l73KMHfA9G4uFA2u7iTrIiZJyooxaEVLoRx0DZ02zXaKJpwNn6ubDT5jtpFrZVbCohvlaVF9JDBOcBjzgXWppmAcLb86KxBdFGAF0ucNaCRPD2j0IgxrWAdpZLnOfNLyygtLdgfdne5w0N3a2R5sb/UPhvvdYX9nsDcYDAf97mDrYLC1v721e9Ad5C0rG7DEinLeAytX9usXp8euICgNoNgpoVKKgFNbOLik6LmsaHqCpTaKofCxgCZbIjLlqi9Oj7F3UAwVJ5TtMQSxo5AkWw7chB9CcD2Z6E38SvP42kYrWmtNoJ8ht9u9nu8ejnOREZek5yGcY6tX9sXpseyQlN1ydmdU0YSMSyFOAQaiS7S3TFt2E8hvOq8vEp2Ge8wDE/veO/5AKb3SpNVPVAEJ5OwqtwYcIe9Zv0DAPFwxznXGTILhItRV0Rv1/HuaaST9OMI1GN5WPE9PsXUwx6yceOkE/JWJ1+Xm+GnK3zHpTkJeETyTS2UTH/JsqjM2oUEhl8UmWS9KrMIHmCTYok/E/su7vXvT1FjwWFm3htc0zZ0mbvO6ofn7Pa/4EGbCGghQrj4PSL6z/cWuXX53b/dKiau9HuYemRQj8LEwteDEXp9M60kYzl61tBkm5/TyfJgHS6pVT4yPwa288CD8upyKR0aoe+XBMUquskfAl55+EHLJmfUI5NLTD0KOxGQZlhT8Vo/UyJOSTtgVS1O3MSyCDs/0zBtNgBuvUaFm7yOolx1Nj8Bf5Md4dJRFLz44XuG4/8gQhWcfhFp3WH4EeN0rj41hTpaNByiddh8Ej8fBJSS07pz6cEna/Pz3CGjvyYchwoFhaY6UzxkPjlFvYS8ayQ5V/9bjAzXX9uXHH4RdtAQegVx8+E
G497PoMYVTl8Jchvl/AgAA//+L2mQ5" + return "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" }
diff --git a/winlogbeat/module/pipeline.go b/winlogbeat/module/pipeline.go
index 170fe48fe41e..3ddc4f10f11b 100644
--- a/winlogbeat/module/pipeline.go
+++ b/winlogbeat/module/pipeline.go
@@ -52,11 +52,12 @@ type pipeline struct {
 // UploadPipelines reads all pipelines embedded in the Winlogbeat executable
 // and adapts the pipeline for a given ES version, converts to JSON if
-// necessary and creates or updates ingest pipeline in ES.
-func UploadPipelines(info beat.Info, esClient *eslegclient.Connection, overwritePipelines bool) error {
+// necessary and creates or updates ingest pipeline in ES. The IDs of pipelines
+// uploaded to ES are returned in loaded.
+func UploadPipelines(info beat.Info, esClient *eslegclient.Connection, overwritePipelines bool) (loaded []string, err error) {
 pipelines, err := readAll(info)
 if err != nil {
- return err
+ return nil, err
 }
 return load(esClient, pipelines, overwritePipelines)
 }
@@ -94,7 +95,7 @@ func ExportPipelines(info beat.Info, version version.V, directory string) error
 // with load.
 func readAll(info beat.Info) (pipelines []pipeline, err error) {
 p, err := readDir(".", info)
- if err == errNoFS {
+ if err == errNoFS { //nolint:errorlint // Bad linter! This is never wrapped.
 return nil, nil
 }
 return p, err
@@ -118,7 +119,7 @@ func readDir(dir string, info beat.Info) (pipelines []pipeline, err error) {
 continue
 }
 p, err := readFile(path.Join(dir, de.Name()), info)
- if err == errNoFS {
+ if err == errNoFS { //nolint:errorlint // Bad linter! This is never wrapped.
 continue
 }
 if err != nil {
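Review bot: The new doc comment on UploadPipelines says the IDs are returned in loaded, but on the error path the function returns `nil, err`, and load (further down in this diff) deletes already-installed pipelines when one of them fails, so loaded cannot tell a caller what was left in ES. The comment should say so: `// On error loaded is nil; pipelines installed before the failure have been removed by load.` The readAll error is also returned without context, so a caller sees only the inner error; matching the style used in load, `return nil, fmt.Errorf("error reading pipelines: %w", err)` would keep the location.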
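Review bot: The `//nolint:errorlint` suppressions in readAll and readDir (the `@@ -94` and `@@ -118` hunks) silence the linter instead of addressing the comparison it flags; `errors.Is(err, errNoFS)` is correct whether or not the sentinel is ever wrapped and needs no directive, so `if errors.Is(err, errNoFS) {` in both places is the smaller change. This assumes `errors` is, or can be, imported in pipeline.go, which is not visible here. Both readAll and readDir continue outside these hunks.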
@@ -149,11 +150,11 @@ func readFile(filename string, info beat.Info) (p pipeline, err error) {
 }
 // load uses esClient to load pipelines to Elasticsearch cluster.
-// Will only overwrite existing pipelines if overwritePipelines is
-// true. An error in loading one of the pipelines will cause the
+// The IDs of loaded pipelines will be returned in loaded.
+// load will only overwrite existing pipelines if overwritePipelines is
+// true. An error in loading one of the pipelines will cause the
 // successfully loaded ones to be deleted.
-func load(esClient *eslegclient.Connection, pipelines []pipeline, overwritePipelines bool) (err error) {
- var pipelineIDsLoaded []string
+func load(esClient *eslegclient.Connection, pipelines []pipeline, overwritePipelines bool) (loaded []string, err error) {
 log := logp.NewLogger(logName)
 for _, pipeline := range pipelines {
@@ -162,20 +163,20 @@ func load(esClient *eslegclient.Connection, pipelines []pipeline, overwritePipel
 err = fmt.Errorf("error loading pipeline %s: %w", pipeline.id, err)
 break
 }
- pipelineIDsLoaded = append(pipelineIDsLoaded, pipeline.id)
+ loaded = append(loaded, pipeline.id)
 }
 if err != nil {
 errs := multierror.Errors{err}
- for _, pipelineID := range pipelineIDsLoaded {
- err = fileset.DeletePipeline(esClient, pipelineID)
+ for _, id := range loaded {
+ err = fileset.DeletePipeline(esClient, id)
 if err != nil {
 errs = append(errs, err)
 }
 }
- return errs.Err()
+ return nil, errs.Err()
 }
- return nil
+ return loaded, nil
 }
 func applyTemplates(prefix string, version string, filename string, original []byte) (converted map[string]interface{}, err error) {
diff --git a/x-pack/winlogbeat/cmd/root.go b/x-pack/winlogbeat/cmd/root.go
index 9ac4f71a8910..2bc5d4049460 100644
--- a/x-pack/winlogbeat/cmd/root.go
+++ b/x-pack/winlogbeat/cmd/root.go
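Review bot: The updated comment on load says the IDs of loaded pipelines are returned in loaded, but the rollback branch in the `@@ -162` hunk returns `nil, errs.Err()` after deleting them, and a DeletePipeline failure only appends to errs, so a pipeline can remain in ES with no way for the caller to learn which. The comment should state the contract: `// On error loaded is nil; pipelines installed before the failure are deleted best-effort and any deletion error is joined into err.` In that loop the named result `err` is reused for DeletePipeline's return, which is only safe because the original error was captured in errs first; `if derr := fileset.DeletePipeline(esClient, id); derr != nil { errs = append(errs, derr) }` removes that ordering dependency. load's body continues outside these hunks.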
@@ -7,11 +7,13 @@ package cmd
 import (
 "github.com/elastic/beats/v7/libbeat/cmd"
 winlogbeatCmd "github.com/elastic/beats/v7/winlogbeat/cmd"
- "github.com/elastic/beats/v7/x-pack/winlogbeat/module"
 // Register fields.
 _ "github.com/elastic/beats/v7/x-pack/libbeat/include"
 _ "github.com/elastic/beats/v7/x-pack/winlogbeat/include"
+
+ // Enable pipelines.
+ _ "github.com/elastic/beats/v7/x-pack/winlogbeat/module"
 )
 // Name of this beat.
@@ -25,5 +27,4 @@ func init() {
 settings.ElasticLicensed = true
 RootCmd = winlogbeatCmd.Initialize(settings)
 RootCmd.ExportCmd.AddCommand(GenExportPipelineCmd(settings))
- module.Init()
 }
diff --git a/x-pack/winlogbeat/magefile.go b/x-pack/winlogbeat/magefile.go
index a40fb6f54232..56d55306cc40 100644
--- a/x-pack/winlogbeat/magefile.go
+++ b/x-pack/winlogbeat/magefile.go
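Review bot: The `// Enable pipelines.` comment on the new blank import does not say how it does that, and with the explicit `module.Init()` call removed from init, this comment is the only record in root.go that the import has a side effect. `// Importing x-pack/winlogbeat/module sets module.PipelinesFS in its init, which makes the embedded ingest pipelines available to UploadPipelines.` The claim that no pipelines are found without it is inferred from the errNoFS handling in the winlogbeat/module/pipeline.go hunks above and should be confirmed.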
@@ -8,33 +8,83 @@ package main import ( + "context" + "fmt" + "github.com/magefile/mage/mg" devtools "github.com/elastic/beats/v7/dev-tools/mage" + "github.com/elastic/beats/v7/dev-tools/mage/target/test" - // mage:import + //mage:import _ "github.com/elastic/beats/v7/dev-tools/mage/target/common" - // mage:import + //mage:import _ "github.com/elastic/beats/v7/dev-tools/mage/target/build" - // mage:import + //mage:import _ "github.com/elastic/beats/v7/dev-tools/mage/target/pkg" - // mage:import + //mage:import _ "github.com/elastic/beats/v7/dev-tools/mage/target/dashboards" - // mage:import - _ "github.com/elastic/beats/v7/dev-tools/mage/target/test" - // mage:import - "github.com/elastic/beats/v7/dev-tools/mage/target/unittest" - // mage:import + //mage:import winlogbeat "github.com/elastic/beats/v7/winlogbeat/scripts/mage" ) func init() { - unittest.RegisterGoTestDeps(winlogbeat.Update.Fields) - winlogbeat.SelectLogic = devtools.XPackProject devtools.BeatLicense = "Elastic License" + + RegisterGoTestDeps(winlogbeat.Update.Fields) + test.RegisterDeps(UnitTest) +} + +var goTestDeps, pythonTestDeps []interface{} + +// RegisterGoTestDeps registers dependencies of the GoUnitTest target. +func RegisterGoTestDeps(deps ...interface{}) { + goTestDeps = append(goTestDeps, deps...) +} + +// RegisterPythonTestDeps registers dependencies of the PythonUnitTest target. +func RegisterPythonTestDeps(deps ...interface{}) { + pythonTestDeps = append(pythonTestDeps, deps...) +} + +// UnitTest executes the unit tests (Go and Python). +func UnitTest() { + mg.SerialDeps(GoUnitTest, PythonUnitTest) } // Update is an alias for update:all. This is a workaround for // https://github.com/magefile/mage/issues/217. func Update() { mg.Deps(winlogbeat.Update.All) } + +// GoUnitTest executes the Go unit tests. +// Use TEST_COVERAGE=true to enable code coverage profiling. +// Use RACE_DETECTOR=true to enable the race detector. 
+func GoUnitTest(ctx context.Context) error {
+ mg.SerialCtxDeps(ctx, goTestDeps...)
+ args := devtools.DefaultGoTestUnitArgs()
+ // The module unit tests depend on a running docker container to provide
+ // the ES instance to run the processor pipeline. In the absence of a
+ // test supervisor or a single test executable to ensure that only a
+ // single container is running, or additional logic to ensure no network
+ // collisions, we ensure that only one test package is running at a time.
+ args.ExtraFlags = append(args.ExtraFlags, "-p", "1")
+ return devtools.GoTest(ctx, args)
+}
+
+// PythonUnitTest executes the python system tests.
+func PythonUnitTest() error {
+ mg.SerialDeps(pythonTestDeps...)
+ mg.Deps(devtools.BuildSystemTestBinary)
+ return devtools.PythonTest(devtools.DefaultPythonTestUnitArgs())
+}
+
+// PythonVirtualEnv creates the testing virtual environment and prints its location.
+func PythonVirtualEnv() error {
+ venv, err := devtools.PythonVirtualenv(true)
+ if err != nil {
+ return err
+ }
+ fmt.Println(venv)
+ return nil
+}
diff --git a/x-pack/winlogbeat/module/.gitignore b/x-pack/winlogbeat/module/.gitignore
new file mode 100644
index 000000000000..378eac25d311
--- /dev/null
+++ b/x-pack/winlogbeat/module/.gitignore
@@ -0,0 +1 @@
+build
diff --git a/x-pack/winlogbeat/module/pipeline.go b/x-pack/winlogbeat/module/pipeline.go
index baa335e4b2a1..b369cca8f6e6 100644
--- a/x-pack/winlogbeat/module/pipeline.go
+++ b/x-pack/winlogbeat/module/pipeline.go
@@ -14,6 +14,6 @@ import (
 //go:embed */ingest/*.yml
 var pipelinesFS embed.FS
-func Init() {
+func init() {
 module.PipelinesFS = &pipelinesFS
 }
diff --git a/x-pack/winlogbeat/module/powershell/ingest/powershell.yml b/x-pack/winlogbeat/module/powershell/ingest/powershell.yml
index 5a7c93a939ed..80e6c8acc05e 100644
--- a/x-pack/winlogbeat/module/powershell/ingest/powershell.yml
+++ b/x-pack/winlogbeat/module/powershell/ingest/powershell.yml
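Review bot: The doc comment on PythonUnitTest says it "executes the python system tests", but the function runs `devtools.DefaultPythonTestUnitArgs()` and is wired into UnitTest next to GoUnitTest, so it should read `// PythonUnitTest executes the Python unit tests.` The comment above the `-p 1` flag in GoUnitTest explains the serialization well, but nothing in the hunk shows what starts the docker-backed ES container (the only registered dependency is `winlogbeat.Update.Fields`); if a separate target or the test itself is expected to bring it up, naming it in that comment would save the next reader a search. `var goTestDeps, pythonTestDeps []interface{}` could be spelled `[]any` if the module's Go version allows it, which is not visible here.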
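Review bot: Renaming `Init` to `init` makes a plain import of this package sufficient to set `module.PipelinesFS`, but the function carries no comment explaining that cross-package side effect, which is the reason the package exists. Suggest `// init publishes the embedded ingest pipelines to the winlogbeat module package; a blank import of this package is enough to enable them.` above `func init()`. Because the assignment overwrites a package-level variable unconditionally, the comment could also note that if any other package assigns PipelinesFS, whichever init runs last wins silently.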
@@ -235,7 +235,7 @@ processors:
 field: param3
 source: |-
 def parseRawDetail(String raw) {
- Pattern detailRegex = /^(.+)\((.+)\)\:\s*(.+)?$/;
+ Pattern detailRegex = /^([^:(]+)\((.+)\)\:\s*(.+)?$/;
 Pattern parameterBindingRegex = /name\=(.+);\s*value\=(.+)$/;
 def matcher = detailRegex.matcher(raw);
diff --git a/x-pack/winlogbeat/module/powershell/test/powershell_ingest_test.go b/x-pack/winlogbeat/module/powershell/test/powershell_ingest_test.go
new file mode 100644
index 000000000000..80217b997497
--- /dev/null
+++ b/x-pack/winlogbeat/module/powershell/test/powershell_ingest_test.go
@@ -0,0 +1,29 @@
+// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+// or more contributor license agreements. Licensed under the Elastic License;
+// you may not use this file except in compliance with the Elastic License.
+
+// Windows is excluded not because the tests won't pass on Windows in general,
+// but because they won't pass on Windows in a VM — where we are using this — due
+// to the VM inception problem.
+//
+//go:build !windows
+// +build !windows
+
+package test
+
+import (
+ "testing"
+
+ "github.com/elastic/beats/v7/x-pack/winlogbeat/module"
+)
+
+// Ignore these fields because they can be different on different versions
+// of windows.
+var ignoreFields = []string{
+ "event.ingested",
+ "message",
+}
+
+func TestPowerShellIngest(t *testing.T) {
+ module.TestIngestPipeline(t, "routing", "testdata/collection/*.evtx.golden.json", module.WithFieldFilter(ignoreFields))
+}
diff --git a/x-pack/winlogbeat/module/powershell/test/testdata/ingest/400.golden.json b/x-pack/winlogbeat/module/powershell/test/testdata/ingest/400.golden.json
new file mode 100644
index 000000000000..e6860bdb9a06
--- /dev/null
+++ b/x-pack/winlogbeat/module/powershell/test/testdata/ingest/400.golden.json
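Review bot: The new detailRegex bounds the first group, but the second group `\((.+)\)` is still greedy, so a detail line whose value contains `): ` — parameter values are command output and user-supplied strings, as the `ParameterBinding(Out-Null): name="InputObject"; value="..."` example in the 4103 golden data in this commit shows — would appear to extend the command name to the last such occurrence and shift the remaining groups. `Pattern detailRegex = /^([^:(]+)\(([^)]+)\)\:\s*(.+)?$/;` constrains the second group the same way the first now is. parseRawDetail continues outside the hunk, so how the groups are consumed afterwards is not visible here.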
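Review bot: The comment on ignoreFields attributes both entries to differences between Windows versions, but `event.ingested` is stamped by the ingest node at processing time (the golden data in this commit carries values such as `2022-06-08T06:07:25.791038Z`), so it changes on every run regardless of the OS. `// Ignore event.ingested because it is set at ingest time and differs on every run, and message because its rendering differs between Windows versions.` The `"routing"` pipeline name and the `testdata/collection/*.evtx.golden.json` input glob are unexplained; a one-line comment on the call saying that the collection goldens are the inputs and the ingest goldens under testdata/ingest the expected outputs would help, if that is module.TestIngestPipeline's contract (not visible here).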
@@ -0,0 +1,230 @@ +[ + { + "@timestamp": "2020-05-14T07:00:30.8914235Z", + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "Engine Lifecycle", + "category": "process", + "code": "400", + "ingested": "2022-06-08T06:07:25.791038Z", + "kind": "event", + "module": "powershell", + "provider": "PowerShell", + "sequence": 13, + "type": "start" + }, + "host": { + "name": "vagrant" + }, + "log": { + "level": "information" + }, + "message": "Engine state is changed from None to Available. \n\nDetails: \n\tNewEngineState=Available\n\tPreviousEngineState=None\n\n\tSequenceNumber=13\n\n\tHostName=ServerRemoteHost\n\tHostVersion=1.0.0.0\n\tHostId=2458050c-5e21-47a6-bbdf-41ef2151b519\n\tHostApplication=C:\\Windows\\system32\\wsmprovhost.exe -Embedding\n\tEngineVersion=5.1.17763.1007\n\tRunspaceId=405e84eb-9ca3-40d8-a4da-cf6ed1b38ed2\n\tPipelineId=\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=", + "powershell": { + "engine": { + "new_state": "Available", + "previous_state": "None", + "version": "5.1.17763.1007" + }, + "process": { + "executable_version": "1.0.0.0" + }, + "runspace_id": "405e84eb-9ca3-40d8-a4da-cf6ed1b38ed2" + }, + "process": { + "args": [ + "C:\\Windows\\system32\\wsmprovhost.exe", + "-Embedding" + ], + "args_count": 2, + "command_line": "C:\\Windows\\system32\\wsmprovhost.exe -Embedding", + "entity_id": "2458050c-5e21-47a6-bbdf-41ef2151b519", + "title": "ServerRemoteHost" + }, + "winlog": { + "api": "wineventlog", + "channel": "Windows PowerShell", + "computer_name": "vagrant", + "event_id": "400", + "keywords": [ + "Classic" + ], + "opcode": "Info", + "provider_name": "PowerShell", + "record_id": "1492", + "task": "Engine Lifecycle" + } + }, + { + "@timestamp": "2020-05-14T07:01:14.3715076Z", + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "Engine Lifecycle", + "category": "process", + "code": "400", + "ingested": "2022-06-08T06:07:25.791068400Z", + "kind": "event", + "module": "powershell", + 
"provider": "PowerShell", + "sequence": 13, + "type": "start" + }, + "host": { + "name": "vagrant" + }, + "log": { + "level": "information" + }, + "message": "Engine state is changed from None to Available. \n\nDetails: \n\tNewEngineState=Available\n\tPreviousEngineState=None\n\n\tSequenceNumber=13\n\n\tHostName=ConsoleHost\n\tHostVersion=5.1.17763.1007\n\tHostId=83c6a631-910d-4530-bec2-18b2d0fc380a\n\tHostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -noexit -command 'C:\\Gopath\\src\\github.com\\elastic\\beats'\n\tEngineVersion=5.1.17763.1007\n\tRunspaceId=056a5045-a7bb-49c6-9a9d-2ea95acea751\n\tPipelineId=\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=", + "powershell": { + "engine": { + "new_state": "Available", + "previous_state": "None", + "version": "5.1.17763.1007" + }, + "process": { + "executable_version": "5.1.17763.1007" + }, + "runspace_id": "056a5045-a7bb-49c6-9a9d-2ea95acea751" + }, + "process": { + "args": [ + "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", + "-noexit", + "-command", + "'C:\\Gopath\\src\\github.com\\elastic\\beats'" + ], + "args_count": 4, + "command_line": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -noexit -command 'C:\\Gopath\\src\\github.com\\elastic\\beats'", + "entity_id": "83c6a631-910d-4530-bec2-18b2d0fc380a", + "title": "ConsoleHost" + }, + "winlog": { + "api": "wineventlog", + "channel": "Windows PowerShell", + "computer_name": "vagrant", + "event_id": "400", + "keywords": [ + "Classic" + ], + "opcode": "Info", + "provider_name": "PowerShell", + "record_id": "1511", + "task": "Engine Lifecycle" + } + }, + { + "@timestamp": "2020-05-14T11:32:51.9892568Z", + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "Engine Lifecycle", + "category": "process", + "code": "400", + "ingested": "2022-06-08T06:07:25.791084400Z", + "kind": "event", + "module": "powershell", + "provider": "PowerShell", + "sequence": 13, + "type": 
"start" + }, + "host": { + "name": "vagrant" + }, + "log": { + "level": "information" + }, + "message": "Engine state is changed from None to Available. \n\nDetails: \n\tNewEngineState=Available\n\tPreviousEngineState=None\n\n\tSequenceNumber=13\n\n\tHostName=Windows PowerShell ISE Host\n\tHostVersion=5.1.17763.1007\n\tHostId=f3d0acd6-4ec1-4e0a-9c8e-27ee07eec3ab\n\tHostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell_ise.exe C:\\Users\\vagrant\\Desktop\\patata.ps1\n\tEngineVersion=5.1.17763.1007\n\tRunspaceId=24067d05-e98a-4fbb-9cda-020e4c65017d\n\tPipelineId=\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=", + "powershell": { + "engine": { + "new_state": "Available", + "previous_state": "None", + "version": "5.1.17763.1007" + }, + "process": { + "executable_version": "5.1.17763.1007" + }, + "runspace_id": "24067d05-e98a-4fbb-9cda-020e4c65017d" + }, + "process": { + "args": [ + "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell_ise.exe", + "C:\\Users\\vagrant\\Desktop\\patata.ps1" + ], + "args_count": 2, + "command_line": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell_ise.exe C:\\Users\\vagrant\\Desktop\\patata.ps1", + "entity_id": "f3d0acd6-4ec1-4e0a-9c8e-27ee07eec3ab", + "title": "Windows PowerShell ISE Host" + }, + "winlog": { + "api": "wineventlog", + "channel": "Windows PowerShell", + "computer_name": "vagrant", + "event_id": "400", + "keywords": [ + "Classic" + ], + "opcode": "Info", + "provider_name": "PowerShell", + "record_id": "1579", + "task": "Engine Lifecycle" + } + }, + { + "@timestamp": "2020-06-04T07:20:27.7472275Z", + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "Engine Lifecycle", + "category": "process", + "code": "400", + "ingested": "2022-06-08T06:07:25.791099600Z", + "kind": "event", + "module": "powershell", + "provider": "PowerShell", + "sequence": 9, + "type": "start" + }, + "host": { + "name": "vagrant" + }, + "log": { + "level": "information" + }, + 
"message": "Engine state is changed from None to Available. \n\nDetails: \n\tNewEngineState=Available\n\tPreviousEngineState=None\n\n\tSequenceNumber=9\n\n\tHostName=ConsoleHost\n\tHostVersion=2.0\n\tHostId=7018c049-c75b-4e02-9c0f-6761b97e1657\n\tEngineVersion=2.0\n\tRunspaceId=6ebeca05-d618-4c66-a0d8-4269d800d099\n\tPipelineId=\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=", + "powershell": { + "engine": { + "new_state": "Available", + "previous_state": "None", + "version": "2.0" + }, + "process": { + "executable_version": "2.0" + }, + "runspace_id": "6ebeca05-d618-4c66-a0d8-4269d800d099" + }, + "process": { + "entity_id": "7018c049-c75b-4e02-9c0f-6761b97e1657", + "title": "ConsoleHost" + }, + "winlog": { + "api": "wineventlog", + "channel": "Windows PowerShell", + "computer_name": "vagrant", + "event_id": "400", + "keywords": [ + "Classic" + ], + "opcode": "Info", + "provider_name": "PowerShell", + "record_id": "18591", + "task": "Engine Lifecycle" + } + } +] \ No newline at end of file diff --git a/x-pack/winlogbeat/module/powershell/test/testdata/ingest/403.golden.json b/x-pack/winlogbeat/module/powershell/test/testdata/ingest/403.golden.json new file mode 100644 index 000000000000..5c04bdf9c293 --- /dev/null +++ b/x-pack/winlogbeat/module/powershell/test/testdata/ingest/403.golden.json 
@@ -0,0 +1,234 @@ +[ + { + "@timestamp": "2020-05-14T15:31:22.4269238Z", + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "Engine Lifecycle", + "category": "process", + "code": "403", + "ingested": "2022-06-08T06:07:25.874127300Z", + "kind": "event", + "module": "powershell", + "provider": "PowerShell", + "sequence": 33, + "type": "end" + }, + "host": { + "name": "vagrant" + }, + "log": { + "level": "information" + }, + "message": "Engine state is changed from Available to Stopped. \n\nDetails: \n\tNewEngineState=Stopped\n\tPreviousEngineState=Available\n\n\tSequenceNumber=33\n\n\tHostName=Windows PowerShell ISE Host\n\tHostVersion=5.1.17763.1007\n\tHostId=1929aa68-472a-404a-8ead-96bd7b49f2db\n\tHostApplication=C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\PowerShell_ISE.exe\n\tEngineVersion=5.1.17763.1007\n\tRunspaceId=6f14a54e-5992-42dd-b38c-68830a28b1b6\n\tPipelineId=\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=", + "powershell": { + "engine": { + "new_state": "Stopped", + "previous_state": "Available", + "version": "5.1.17763.1007" + }, + "process": { + "executable_version": "5.1.17763.1007" + }, + "runspace_id": "6f14a54e-5992-42dd-b38c-68830a28b1b6" + }, + "process": { + "args": [ + "C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\PowerShell_ISE.exe" + ], + "args_count": 1, + "command_line": "C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\PowerShell_ISE.exe", + "entity_id": "1929aa68-472a-404a-8ead-96bd7b49f2db", + "title": "Windows PowerShell ISE Host" + }, + "winlog": { + "api": "wineventlog", + "channel": "Windows PowerShell", + "computer_name": "vagrant", + "event_id": "403", + "keywords": [ + "Classic" + ], + "opcode": "Info", + "provider_name": "PowerShell", + "record_id": "1687", + "task": "Engine Lifecycle" + } + }, + { + "@timestamp": "2020-05-15T08:11:47.932007Z", + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "Engine Lifecycle", + "category": "process", + "code": "403", + 
"ingested": "2022-06-08T06:07:25.874167200Z", + "kind": "event", + "module": "powershell", + "provider": "PowerShell", + "sequence": 37, + "type": "end" + }, + "host": { + "name": "vagrant" + }, + "log": { + "level": "information" + }, + "message": "Engine state is changed from Available to Stopped. \n\nDetails: \n\tNewEngineState=Stopped\n\tPreviousEngineState=Available\n\n\tSequenceNumber=37\n\n\tHostName=ServerRemoteHost\n\tHostVersion=1.0.0.0\n\tHostId=ed57761b-ba0f-4d11-87d9-fac33820d20e\n\tHostApplication=C:\\Windows\\system32\\wsmprovhost.exe -Embedding\n\tEngineVersion=5.1.17763.1007\n\tRunspaceId=0729459a-8646-4176-8b02-024421a9632e\n\tPipelineId=\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=", + "powershell": { + "engine": { + "new_state": "Stopped", + "previous_state": "Available", + "version": "5.1.17763.1007" + }, + "process": { + "executable_version": "1.0.0.0" + }, + "runspace_id": "0729459a-8646-4176-8b02-024421a9632e" + }, + "process": { + "args": [ + "C:\\Windows\\system32\\wsmprovhost.exe", + "-Embedding" + ], + "args_count": 2, + "command_line": "C:\\Windows\\system32\\wsmprovhost.exe -Embedding", + "entity_id": "ed57761b-ba0f-4d11-87d9-fac33820d20e", + "title": "ServerRemoteHost" + }, + "winlog": { + "api": "wineventlog", + "channel": "Windows PowerShell", + "computer_name": "vagrant", + "event_id": "403", + "keywords": [ + "Classic" + ], + "opcode": "Info", + "provider_name": "PowerShell", + "record_id": "1706", + "task": "Engine Lifecycle" + } + }, + { + "@timestamp": "2020-05-15T08:28:53.6266982Z", + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "Engine Lifecycle", + "category": "process", + "code": "403", + "ingested": "2022-06-08T06:07:25.874176600Z", + "kind": "event", + "module": "powershell", + "provider": "PowerShell", + "sequence": 37, + "type": "end" + }, + "host": { + "name": "vagrant" + }, + "log": { + "level": "information" + }, + "message": "Engine state is changed from Available to 
Stopped. \n\nDetails: \n\tNewEngineState=Stopped\n\tPreviousEngineState=Available\n\n\tSequenceNumber=37\n\n\tHostName=ConsoleHost\n\tHostVersion=5.1.17763.1007\n\tHostId=f9cd0d65-6665-4b88-9142-f03a2d20f8b8\n\tHostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -executionpolicy bypass -encodedCommand IABpAGYAIAAoAFQAZQBzAHQALQBQAGEAdABoACAAdgBhAHIAaQBhAGIAbABlADoAZwBsAG8AYgBhAGwAOgBQAHIAbwBnAHIAZQBzAHMAUAByAGUAZgBlAHIAZQBuAGMAZQApAHsAcwBlAHQALQB2AGEAcgBpAGEAYgBsAGUAIAAtAG4AYQBtAGUAIAB2AGEAcgBpAGEAYgBsAGUAOgBnAGwAbwBiAGEAbAA6AFAAcgBvAGcAcgBlAHMAcwBQAHIAZQBmAGUAcgBlAG4AYwBlACAALQB2AGEAbAB1AGUAIAAnAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUAJwB9ADsALgAgAGMAOgAvAFcAaQBuAGQAbwB3AHMALwBUAGUAbQBwAC8AcABhAGMAawBlAHIALQBwAHMALQBlAG4AdgAtAHYAYQByAHMALQA1AGUANQA2ADMANwBkAGQALQAxADUAYQA5AC0ANwAzAGUAMAAtADgAOAA5AGEALQBjADAAMQBmADUANAAxAGEAOABiAGMANgAuAHAAcwAxADsAIAAmACcAYwA6AC8AVwBpAG4AZABvAHcAcwAvAFQAZQBtAHAALwBzAGMAcgBpAHAAdAAtADUAZQA1ADYAMwA3AGQAZAAtADUANgAyADYALQAwADEAOQBkAC0AMAAyADcAYQAtADAAMgBlADcAOABiAGEAYQBhAGMAYwA5AC4AcABzADEAJwA7ACAAZQB4AGkAdAAgACQATABhAHMAdABFAHgAaQB0AEMAbwBkAGUAIAA= -inputFormat xml -outputFormat text\n\tEngineVersion=5.1.17763.1007\n\tRunspaceId=8228a4bd-3125-4d1a-997b-3a4df8c085f2\n\tPipelineId=\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=", + "powershell": { + "engine": { + "new_state": "Stopped", + "previous_state": "Available", + "version": "5.1.17763.1007" + }, + "process": { + "executable_version": "5.1.17763.1007" + }, + "runspace_id": "8228a4bd-3125-4d1a-997b-3a4df8c085f2" + }, + "process": { + "args": [ + "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", + "-executionpolicy", + "bypass", + "-encodedCommand", + "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", + "-inputFormat", + "xml", + "-outputFormat", + "text" + ], + "args_count": 9, + "command_line": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -executionpolicy bypass -encodedCommand 
IABpAGYAIAAoAFQAZQBzAHQALQBQAGEAdABoACAAdgBhAHIAaQBhAGIAbABlADoAZwBsAG8AYgBhAGwAOgBQAHIAbwBnAHIAZQBzAHMAUAByAGUAZgBlAHIAZQBuAGMAZQApAHsAcwBlAHQALQB2AGEAcgBpAGEAYgBsAGUAIAAtAG4AYQBtAGUAIAB2AGEAcgBpAGEAYgBsAGUAOgBnAGwAbwBiAGEAbAA6AFAAcgBvAGcAcgBlAHMAcwBQAHIAZQBmAGUAcgBlAG4AYwBlACAALQB2AGEAbAB1AGUAIAAnAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUAJwB9ADsALgAgAGMAOgAvAFcAaQBuAGQAbwB3AHMALwBUAGUAbQBwAC8AcABhAGMAawBlAHIALQBwAHMALQBlAG4AdgAtAHYAYQByAHMALQA1AGUANQA2ADMANwBkAGQALQAxADUAYQA5AC0ANwAzAGUAMAAtADgAOAA5AGEALQBjADAAMQBmADUANAAxAGEAOABiAGMANgAuAHAAcwAxADsAIAAmACcAYwA6AC8AVwBpAG4AZABvAHcAcwAvAFQAZQBtAHAALwBzAGMAcgBpAHAAdAAtADUAZQA1ADYAMwA3AGQAZAAtADUANgAyADYALQAwADEAOQBkAC0AMAAyADcAYQAtADAAMgBlADcAOABiAGEAYQBhAGMAYwA5AC4AcABzADEAJwA7ACAAZQB4AGkAdAAgACQATABhAHMAdABFAHgAaQB0AEMAbwBkAGUAIAA= -inputFormat xml -outputFormat text", + "entity_id": "f9cd0d65-6665-4b88-9142-f03a2d20f8b8", + "title": "ConsoleHost" + }, + "winlog": { + "api": "wineventlog", + "channel": "Windows PowerShell", + "computer_name": "vagrant", + "event_id": "403", + "keywords": [ + "Classic" + ], + "opcode": "Info", + "provider_name": "PowerShell", + "record_id": "1766", + "task": "Engine Lifecycle" + } + }, + { + "@timestamp": "2020-06-04T07:20:28.6861939Z", + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "Engine Lifecycle", + "category": "process", + "code": "403", + "ingested": "2022-06-08T06:07:25.874238900Z", + "kind": "event", + "module": "powershell", + "provider": "PowerShell", + "sequence": 10, + "type": "end" + }, + "host": { + "name": "vagrant" + }, + "log": { + "level": "information" + }, + "message": "Engine state is changed from Available to Stopped. 
\n\nDetails: \n\tNewEngineState=Stopped\n\tPreviousEngineState=Available\n\n\tSequenceNumber=10\n\n\tHostName=ConsoleHost\n\tHostVersion=2.0\n\tHostId=7018c049-c75b-4e02-9c0f-6761b97e1657\n\tEngineVersion=2.0\n\tRunspaceId=6ebeca05-d618-4c66-a0d8-4269d800d099\n\tPipelineId=\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=", + "powershell": { + "engine": { + "new_state": "Stopped", + "previous_state": "Available", + "version": "2.0" + }, + "process": { + "executable_version": "2.0" + }, + "runspace_id": "6ebeca05-d618-4c66-a0d8-4269d800d099" + }, + "process": { + "entity_id": "7018c049-c75b-4e02-9c0f-6761b97e1657", + "title": "ConsoleHost" + }, + "winlog": { + "api": "wineventlog", + "channel": "Windows PowerShell", + "computer_name": "vagrant", + "event_id": "403", + "keywords": [ + "Classic" + ], + "opcode": "Info", + "provider_name": "PowerShell", + "record_id": "18592", + "task": "Engine Lifecycle" + } + } +] \ No newline at end of file diff --git a/x-pack/winlogbeat/module/powershell/test/testdata/ingest/4103.golden.json b/x-pack/winlogbeat/module/powershell/test/testdata/ingest/4103.golden.json new file mode 100644 index 000000000000..2497de593916 --- /dev/null +++ b/x-pack/winlogbeat/module/powershell/test/testdata/ingest/4103.golden.json 
@@ -0,0 +1,240 @@ +[ + { + "@timestamp": "2020-05-15T08:11:47.8979495Z", + "destination": { + "user": { + "domain": "VAGRANT", + "name": "vagrant" + } + }, + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "Executing Pipeline", + "category": "process", + "code": "4103", + "ingested": "2022-06-08T06:07:25.896041700Z", + "kind": "event", + "module": "powershell", + "provider": "Microsoft-Windows-PowerShell", + "sequence": 34, + "type": "info" + }, + "host": { + "name": "vagrant" + }, + "log": { + "level": "information" + }, + "message": "CommandInvocation(cmd.exe): \"cmd.exe\"\nCommandInvocation(Out-Null): \"Out-Null\"\nParameterBinding(Out-Null): name=\"InputObject\"; value=\"symbolic link created for C:\\vagrant \u003c\u003c===\u003e\u003e \\\\vboxsvr\\vagrant\"\n\n\nContext:\n Severity = Informational\n Host Name = ServerRemoteHost\n Host Version = 1.0.0.0\n Host ID = ed57761b-ba0f-4d11-87d9-fac33820d20e\n Host Application = C:\\Windows\\system32\\wsmprovhost.exe -Embedding\n Engine Version = 5.1.17763.1007\n Runspace ID = 0729459a-8646-4176-8b02-024421a9632e\n Pipeline ID = 1\n Command Name = cmd.exe\n Command Type = Application\n Script Name = \n Command Path = C:\\Windows\\system32\\cmd.exe\n Sequence Number = 34\n User = VAGRANT\\vagrant\n Connected User = VAGRANT\\vagrant\n Shell ID = Microsoft.PowerShell\n\n\nUser Data:", + "powershell": { + "command": { + "invocation_details": [ + { + "related_command": "cmd.exe", + "type": "CommandInvocation", + "value": "\"cmd.exe\"" + }, + { + "related_command": "Out-Null", + "type": "CommandInvocation", + "value": "\"Out-Null\"" + }, + { + "name": "\"InputObject\"", + "related_command": "Out-Null", + "type": "ParameterBinding", + "value": "\"symbolic link created for C:\\vagrant \u003c\u003c===\u003e\u003e \\\\vboxsvr\\vagrant\"" + } + ], + "name": "cmd.exe", + "path": "C:\\Windows\\system32\\cmd.exe", + "type": "Application" + }, + "engine": { + "version": "5.1.17763.1007" + }, + "id": 
"Microsoft.PowerShell", + "pipeline_id": "1", + "process": { + "executable_version": "1.0.0.0" + }, + "runspace_id": "0729459a-8646-4176-8b02-024421a9632e" + }, + "process": { + "args": [ + "C:\\Windows\\system32\\wsmprovhost.exe", + "-Embedding" + ], + "args_count": 2, + "command_line": "C:\\Windows\\system32\\wsmprovhost.exe -Embedding", + "entity_id": "ed57761b-ba0f-4d11-87d9-fac33820d20e", + "title": "ServerRemoteHost" + }, + "related": { + "user": [ + "vagrant" + ] + }, + "source": { + "user": { + "domain": "VAGRANT", + "name": "vagrant" + } + }, + "user": { + "domain": "VAGRANT", + "id": "S-1-5-21-1350058589-2282154016-2764056528-1000", + "name": "vagrant" + }, + "winlog": { + "activity_id": "{1aca0717-2acb-0002-c208-ca1acb2ad601}", + "api": "wineventlog", + "channel": "Microsoft-Windows-PowerShell/Operational", + "computer_name": "vagrant", + "event_id": "4103", + "opcode": "To be used when operation is just executing a method", + "process": { + "pid": 3984, + "thread": { + "id": 3616 + } + }, + "provider_guid": "{a0c1853b-5c40-4b15-8766-3cf1c58f985a}", + "provider_name": "Microsoft-Windows-PowerShell", + "record_id": "3885", + "task": "Executing Pipeline", + "user": { + "identifier": "S-1-5-21-1350058589-2282154016-2764056528-1000" + }, + "version": 1 + } + }, + { + "@timestamp": "2020-05-15T08:13:06.7032939Z", + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "Executing Pipeline", + "category": "process", + "code": "4103", + "ingested": "2022-06-08T06:07:25.896068100Z", + "kind": "event", + "module": "powershell", + "provider": "Microsoft-Windows-PowerShell", + "sequence": 22, + "type": "info" + }, + "host": { + "name": "vagrant" + }, + "log": { + "level": "information" + }, + "message": "CommandInvocation(Resolve-Path): \"Resolve-Path\"\nParameterBinding(Resolve-Path): name=\"ErrorAction\"; value=\"Ignore\"\nParameterBinding(Resolve-Path): name=\"WarningAction\"; value=\"Ignore\"\nParameterBinding(Resolve-Path): name=\"InformationAction\"; 
value=\"Ignore\"\nParameterBinding(Resolve-Path): name=\"Verbose\"; value=\"False\"\nParameterBinding(Resolve-Path): name=\"Debug\"; value=\"False\"\nParameterBinding(Resolve-Path): name=\"Path\"; value=\"C:\\Gopath\\src\\github.com\\elastic\\beats\\x*\"\n\n\nContext:\n Severity = Informational\n Host Name = ConsoleHost\n Host Version = 5.1.17763.1007\n Host ID = aae5217d-054f-435f-9968-4b5bebf12116\n Host Application = C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -noexit -command 'C:\\Gopath\\src\\github.com\\elastic\\beats'\n Engine Version = 5.1.17763.1007\n Runspace ID = a87e8389-57c7-4997-95ff-f82f644965bf\n Pipeline ID = 9\n Command Name = Resolve-Path\n Command Type = Cmdlet\n Script Name = \n Command Path = \n Sequence Number = 22\n User = VAGRANT\\vagrant\n Connected User = \n Shell ID = Microsoft.PowerShell\n\n\nUser Data:", + "powershell": { + "command": { + "invocation_details": [ + { + "related_command": "Resolve-Path", + "type": "CommandInvocation", + "value": "\"Resolve-Path\"" + }, + { + "name": "\"ErrorAction\"", + "related_command": "Resolve-Path", + "type": "ParameterBinding", + "value": "\"Ignore\"" + }, + { + "name": "\"WarningAction\"", + "related_command": "Resolve-Path", + "type": "ParameterBinding", + "value": "\"Ignore\"" + }, + { + "name": "\"InformationAction\"", + "related_command": "Resolve-Path", + "type": "ParameterBinding", + "value": "\"Ignore\"" + }, + { + "name": "\"Verbose\"", + "related_command": "Resolve-Path", + "type": "ParameterBinding", + "value": "\"False\"" + }, + { + "name": "\"Debug\"", + "related_command": "Resolve-Path", + "type": "ParameterBinding", + "value": "\"False\"" + }, + { + "name": "\"Path\"", + "related_command": "Resolve-Path", + "type": "ParameterBinding", + "value": "\"C:\\Gopath\\src\\github.com\\elastic\\beats\\x*\"" + } + ], + "name": "Resolve-Path", + "type": "Cmdlet" + }, + "engine": { + "version": "5.1.17763.1007" + }, + "id": "Microsoft.PowerShell", + "pipeline_id": "9", + 
"process": { + "executable_version": "5.1.17763.1007" + }, + "runspace_id": "a87e8389-57c7-4997-95ff-f82f644965bf" + }, + "process": { + "args": [ + "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", + "-noexit", + "-command", + "'C:\\Gopath\\src\\github.com\\elastic\\beats'" + ], + "args_count": 4, + "command_line": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -noexit -command 'C:\\Gopath\\src\\github.com\\elastic\\beats'", + "entity_id": "aae5217d-054f-435f-9968-4b5bebf12116", + "title": "ConsoleHost" + }, + "related": { + "user": [ + "vagrant" + ] + }, + "user": { + "domain": "VAGRANT", + "id": "S-1-5-21-1350058589-2282154016-2764056528-1000", + "name": "vagrant" + }, + "winlog": { + "activity_id": "{1aca0717-2acb-0003-db0b-ca1acb2ad601}", + "api": "wineventlog", + "channel": "Microsoft-Windows-PowerShell/Operational", + "computer_name": "vagrant", + "event_id": "4103", + "opcode": "To be used when operation is just executing a method", + "process": { + "pid": 5032, + "thread": { + "id": 4160 + } + }, + "provider_guid": "{a0c1853b-5c40-4b15-8766-3cf1c58f985a}", + "provider_name": "Microsoft-Windows-PowerShell", + "record_id": "3917", + "task": "Executing Pipeline", + "user": { + "identifier": "S-1-5-21-1350058589-2282154016-2764056528-1000" + }, + "version": 1 + } + } +] \ No newline at end of file diff --git a/x-pack/winlogbeat/module/powershell/test/testdata/ingest/4104.golden.json b/x-pack/winlogbeat/module/powershell/test/testdata/ingest/4104.golden.json new file mode 100644 index 000000000000..86d384caace8 --- /dev/null +++ b/x-pack/winlogbeat/module/powershell/test/testdata/ingest/4104.golden.json 
@@ -0,0 +1,119 @@ +[ + { + "@timestamp": "2020-05-14T11:33:51.3892662Z", + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "Execute a Remote Command", + "category": "process", + "code": "4104", + "ingested": "2022-06-08T06:07:25.944364800Z", + "kind": "event", + "module": "powershell", + "provider": "Microsoft-Windows-PowerShell", + "type": "info" + }, + "host": { + "name": "vagrant" + }, + "log": { + "level": "verbose" + }, + "message": "Creating Scriptblock text (1 of 1):\n.\\patata.ps1\n\nScriptBlock ID: 50d2dbda-7361-4926-a94d-d9eadfdb43fa\nPath: ", + "powershell": { + "file": { + "script_block_id": "50d2dbda-7361-4926-a94d-d9eadfdb43fa", + "script_block_text": ".\\patata.ps1" + }, + "sequence": 1, + "total": 1 + }, + "user": { + "id": "S-1-5-21-1350058589-2282154016-2764056528-1000" + }, + "winlog": { + "activity_id": "{fb13c9de-29f7-0001-18e0-13fbf729d601}", + "api": "wineventlog", + "channel": "Microsoft-Windows-PowerShell/Operational", + "computer_name": "vagrant", + "event_id": "4104", + "opcode": "On create calls", + "process": { + "pid": 4844, + "thread": { + "id": 4428 + } + }, + "provider_guid": "{a0c1853b-5c40-4b15-8766-3cf1c58f985a}", + "provider_name": "Microsoft-Windows-PowerShell", + "record_id": "3580", + "task": "Execute a Remote Command", + "user": { + "identifier": "S-1-5-21-1350058589-2282154016-2764056528-1000" + }, + "version": 1 + } + }, + { + "@timestamp": "2020-05-14T11:33:51.3938848Z", + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "Execute a Remote Command", + "category": "process", + "code": "4104", + "ingested": "2022-06-08T06:07:25.944391600Z", + "kind": "event", + "module": "powershell", + "provider": "Microsoft-Windows-PowerShell", + "type": "info" + }, + "file": { + "directory": "C:\\Users\\vagrant\\Desktop", + "extension": "ps1", + "name": "patata.ps1", + "path": "C:\\Users\\vagrant\\Desktop\\patata.ps1" + }, + "host": { + "name": "vagrant" + }, + "log": { + "level": "verbose" + }, + "message": 
"Creating Scriptblock text (1 of 1):\n\n\nScriptBlock ID: f5521cbd-656e-4296-b74d-9ffb4eec23b0\nPath: C:\\Users\\vagrant\\Desktop\\patata.ps1", + "powershell": { + "file": { + "script_block_id": "f5521cbd-656e-4296-b74d-9ffb4eec23b0" + }, + "sequence": 1, + "total": 1 + }, + "user": { + "id": "S-1-5-21-1350058589-2282154016-2764056528-1000" + }, + "winlog": { + "activity_id": "{fb13c9de-29f7-0000-79db-13fbf729d601}", + "api": "wineventlog", + "channel": "Microsoft-Windows-PowerShell/Operational", + "computer_name": "vagrant", + "event_id": "4104", + "opcode": "On create calls", + "process": { + "pid": 4844, + "thread": { + "id": 4428 + } + }, + "provider_guid": "{a0c1853b-5c40-4b15-8766-3cf1c58f985a}", + "provider_name": "Microsoft-Windows-PowerShell", + "record_id": "3582", + "task": "Execute a Remote Command", + "user": { + "identifier": "S-1-5-21-1350058589-2282154016-2764056528-1000" + }, + "version": 1 + } + } +] \ No newline at end of file diff --git a/x-pack/winlogbeat/module/powershell/test/testdata/ingest/4105.golden.json b/x-pack/winlogbeat/module/powershell/test/testdata/ingest/4105.golden.json new file mode 100644 index 000000000000..15e6d136a609 --- /dev/null +++ b/x-pack/winlogbeat/module/powershell/test/testdata/ingest/4105.golden.json 
@@ -0,0 +1,56 @@ +[ + { + "@timestamp": "2020-05-13T09:04:04.7552325Z", + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "Starting Command", + "category": "process", + "code": "4105", + "ingested": "2022-06-08T06:07:25.962029500Z", + "kind": "event", + "module": "powershell", + "provider": "Microsoft-Windows-PowerShell", + "type": "start" + }, + "host": { + "name": "vagrant" + }, + "log": { + "level": "verbose" + }, + "message": "Started invocation of ScriptBlock ID: f4a378ab-b74f-41a7-a5ef-6dd55562fdb9\nRunspace ID: 9c031e5c-8d5a-4b91-a12e-b3624970b623", + "powershell": { + "file": { + "script_block_id": "f4a378ab-b74f-41a7-a5ef-6dd55562fdb9" + }, + "runspace_id": "9c031e5c-8d5a-4b91-a12e-b3624970b623" + }, + "user": { + "id": "S-1-5-21-1350058589-2282154016-2764056528-1000" + }, + "winlog": { + "activity_id": "{dd68516a-2930-0000-5962-68dd3029d601}", + "api": "wineventlog", + "channel": "Microsoft-Windows-PowerShell/Operational", + "computer_name": "vagrant", + "event_id": "4105", + "opcode": "On create calls", + "process": { + "pid": 4204, + "thread": { + "id": 1476 + } + }, + "provider_guid": "{a0c1853b-5c40-4b15-8766-3cf1c58f985a}", + "provider_name": "Microsoft-Windows-PowerShell", + "record_id": "790", + "task": "Starting Command", + "user": { + "identifier": "S-1-5-21-1350058589-2282154016-2764056528-1000" + }, + "version": 1 + } + } +] \ No newline at end of file diff --git a/x-pack/winlogbeat/module/powershell/test/testdata/ingest/4106.golden.json b/x-pack/winlogbeat/module/powershell/test/testdata/ingest/4106.golden.json new file mode 100644 index 000000000000..791fe2892351 --- /dev/null +++ b/x-pack/winlogbeat/module/powershell/test/testdata/ingest/4106.golden.json 
@@ -0,0 +1,56 @@ +[ + { + "@timestamp": "2020-05-13T10:40:32.5957152Z", + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "Stopping Command", + "category": "process", + "code": "4106", + "ingested": "2022-06-08T06:07:25.970830900Z", + "kind": "event", + "module": "powershell", + "provider": "Microsoft-Windows-PowerShell", + "type": "end" + }, + "host": { + "name": "vagrant" + }, + "log": { + "level": "verbose" + }, + "message": "Completed invocation of ScriptBlock ID: 4c487c13-46f7-4485-925b-34855c7e873c\nRunspace ID: 3f1a9181-0523-4645-a42c-2c1868c39332", + "powershell": { + "file": { + "script_block_id": "4c487c13-46f7-4485-925b-34855c7e873c" + }, + "runspace_id": "3f1a9181-0523-4645-a42c-2c1868c39332" + }, + "user": { + "id": "S-1-5-21-1350058589-2282154016-2764056528-1000" + }, + "winlog": { + "activity_id": "{e3200b8a-290e-0002-332a-20e30e29d601}", + "api": "wineventlog", + "channel": "Microsoft-Windows-PowerShell/Operational", + "computer_name": "vagrant", + "event_id": "4106", + "opcode": "On create calls", + "process": { + "pid": 4776, + "thread": { + "id": 5092 + } + }, + "provider_guid": "{a0c1853b-5c40-4b15-8766-3cf1c58f985a}", + "provider_name": "Microsoft-Windows-PowerShell", + "record_id": "933", + "task": "Stopping Command", + "user": { + "identifier": "S-1-5-21-1350058589-2282154016-2764056528-1000" + }, + "version": 1 + } + } +] \ No newline at end of file diff --git a/x-pack/winlogbeat/module/powershell/test/testdata/ingest/600.golden.json b/x-pack/winlogbeat/module/powershell/test/testdata/ingest/600.golden.json new file mode 100644 index 000000000000..5c5603ad84dc --- /dev/null +++ b/x-pack/winlogbeat/module/powershell/test/testdata/ingest/600.golden.json 
@@ -0,0 +1,171 @@ +[ + { + "@timestamp": "2020-05-13T13:21:43.1831809Z", + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "Provider Lifecycle", + "category": "process", + "code": "600", + "ingested": "2022-06-08T06:07:25.978294200Z", + "kind": "event", + "module": "powershell", + "provider": "PowerShell", + "sequence": 35, + "type": "info" + }, + "host": { + "name": "vagrant" + }, + "log": { + "level": "information" + }, + "message": "Provider \"Certificate\" is Started. \n\nDetails: \n\tProviderName=Certificate\n\tNewProviderState=Started\n\n\tSequenceNumber=35\n\n\tHostName=Windows PowerShell ISE Host\n\tHostVersion=5.1.17763.1007\n\tHostId=86edc16f-6943-469e-8bd8-ef1857080206\n\tHostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell_ise.exe C:\\Users\\vagrant\\Desktop\\lateral.ps1\n\tEngineVersion=5.1.17763.1007\n\tRunspaceId=9d21da0b-e402-40e1-92ff-98c5ab1137a9\n\tPipelineId=15\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=", + "powershell": { + "engine": { + "version": "5.1.17763.1007" + }, + "pipeline_id": "15", + "process": { + "executable_version": "5.1.17763.1007" + }, + "provider": { + "name": "Certificate", + "new_state": "Started" + }, + "runspace_id": "9d21da0b-e402-40e1-92ff-98c5ab1137a9" + }, + "process": { + "args": [ + "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell_ise.exe", + "C:\\Users\\vagrant\\Desktop\\lateral.ps1" + ], + "args_count": 2, + "command_line": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell_ise.exe C:\\Users\\vagrant\\Desktop\\lateral.ps1", + "entity_id": "86edc16f-6943-469e-8bd8-ef1857080206", + "title": "Windows PowerShell ISE Host" + }, + "winlog": { + "api": "wineventlog", + "channel": "Windows PowerShell", + "computer_name": "vagrant", + "event_id": "600", + "keywords": [ + "Classic" + ], + "opcode": "Info", + "provider_name": "PowerShell", + "record_id": "1089", + "task": "Provider Lifecycle" + } + }, + { + "@timestamp": 
"2020-05-13T13:25:04.6564269Z", + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "Provider Lifecycle", + "category": "process", + "code": "600", + "ingested": "2022-06-08T06:07:25.978319400Z", + "kind": "event", + "module": "powershell", + "provider": "PowerShell", + "sequence": 1, + "type": "info" + }, + "host": { + "name": "vagrant" + }, + "log": { + "level": "information" + }, + "message": "Provider \"Registry\" is Started. \n\nDetails: \n\tProviderName=Registry\n\tNewProviderState=Started\n\n\tSequenceNumber=1\n\n\tHostName=ConsoleHost\n\tHostVersion=5.1.17763.1007\n\tHostId=44b8d66c-f5a2-4abb-ac7d-6db73990a6d3\n\tHostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -noexit -command 'C:\\Gopath\\src\\github.com\\elastic\\beats'\n\tEngineVersion=\n\tRunspaceId=\n\tPipelineId=\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=", + "powershell": { + "process": { + "executable_version": "5.1.17763.1007" + }, + "provider": { + "name": "Registry", + "new_state": "Started" + } + }, + "process": { + "args": [ + "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", + "-noexit", + "-command", + "'C:\\Gopath\\src\\github.com\\elastic\\beats'" + ], + "args_count": 4, + "command_line": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -noexit -command 'C:\\Gopath\\src\\github.com\\elastic\\beats'", + "entity_id": "44b8d66c-f5a2-4abb-ac7d-6db73990a6d3", + "title": "ConsoleHost" + }, + "winlog": { + "api": "wineventlog", + "channel": "Windows PowerShell", + "computer_name": "vagrant", + "event_id": "600", + "keywords": [ + "Classic" + ], + "opcode": "Info", + "provider_name": "PowerShell", + "record_id": "1266", + "task": "Provider Lifecycle" + } + }, + { + "@timestamp": "2020-06-04T07:25:04.8574302Z", + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "Provider Lifecycle", + "category": "process", + "code": "600", + "ingested": "2022-06-08T06:07:25.978335600Z", + "kind": 
"event", + "module": "powershell", + "provider": "PowerShell", + "sequence": 8, + "type": "info" + }, + "host": { + "name": "vagrant" + }, + "log": { + "level": "information" + }, + "message": "Provider \"Certificate\" is Started. \n\nDetails: \n\tProviderName=Certificate\n\tNewProviderState=Started\n\n\tSequenceNumber=8\n\n\tHostName=ConsoleHost\n\tHostVersion=2.0\n\tHostId=99a16837-7392-463d-afe5-5f3ed24bd358\n\tEngineVersion=\n\tRunspaceId=\n\tPipelineId=\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=", + "powershell": { + "process": { + "executable_version": "2.0" + }, + "provider": { + "name": "Certificate", + "new_state": "Started" + } + }, + "process": { + "entity_id": "99a16837-7392-463d-afe5-5f3ed24bd358", + "title": "ConsoleHost" + }, + "winlog": { + "api": "wineventlog", + "channel": "Windows PowerShell", + "computer_name": "vagrant", + "event_id": "600", + "keywords": [ + "Classic" + ], + "opcode": "Info", + "provider_name": "PowerShell", + "record_id": "18640", + "task": "Provider Lifecycle" + } + } +] \ No newline at end of file diff --git a/x-pack/winlogbeat/module/powershell/test/testdata/ingest/800.golden.json b/x-pack/winlogbeat/module/powershell/test/testdata/ingest/800.golden.json new file mode 100644 index 000000000000..b3c502fd4653 --- /dev/null +++ b/x-pack/winlogbeat/module/powershell/test/testdata/ingest/800.golden.json 
@@ -0,0 +1,375 @@ +[ + { + "@timestamp": "2020-02-26T09:37:40.4872415Z", + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "Pipeline Execution Details", + "category": "process", + "code": "800", + "ingested": "2022-06-08T06:07:25.991754100Z", + "kind": "event", + "module": "powershell", + "provider": "PowerShell", + "sequence": 17, + "type": "info" + }, + "file": { + "directory": "C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Archive", + "extension": "psm1", + "name": "Microsoft.PowerShell.Archive.psm1", + "path": "C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Archive\\Microsoft.PowerShell.Archive.psm1" + }, + "host": { + "name": "vagrant-2019" + }, + "log": { + "level": "information" + }, + "message": "Pipeline execution details for command line: Add-Type -AssemblyName System.IO.Compression.FileSystem\n. \n\nContext Information: \n\tDetailSequence=1\n\tDetailTotal=1\n\n\tSequenceNumber=17\n\n\tUserId=VAGRANT-2019\\vagrant\n\tHostName=ConsoleHost\n\tHostVersion=5.1.17763.1007\n\tHostId=ac3c99ce-7983-4996-807e-6a689eaba50b\n\tHostApplication=powershell -executionpolicy bypass \u0026 { if (Test-Path variable:global:ProgressPreference){set-variable -name variable:global:ProgressPreference -value 'SilentlyContinue'};. 
c:/Windows/Temp/packer-ps-env-vars-5e5637dd-15a9-73e0-889a-c01f541a8bc6.ps1; \u0026'c:/Windows/Temp/script-5e5637dd-5626-019d-027a-02e78baaacc9.ps1'; exit $LastExitCode }\n\tEngineVersion=5.1.17763.1007\n\tRunspaceId=6a447a2c-693e-4d41-948d-129b455b2569\n\tPipelineId=1\n\tScriptName=C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Archive\\Microsoft.PowerShell.Archive.psm1\n\tCommandLine= Add-Type -AssemblyName System.IO.Compression.FileSystem\n \n\nDetails: \nCommandInvocation(Add-Type): \"Add-Type\"\nParameterBinding(Add-Type): name=\"AssemblyName\"; value=\"System.IO.Compression.FileSystem\"", + "powershell": { + "command": { + "invocation_details": [ + { + "related_command": "Add-Type", + "type": "CommandInvocation", + "value": "\"Add-Type\"" + }, + { + "name": "\"AssemblyName\"", + "related_command": "Add-Type", + "type": "ParameterBinding", + "value": "\"System.IO.Compression.FileSystem\"" + } + ], + "value": " Add-Type -AssemblyName System.IO.Compression.FileSystem" + }, + "engine": { + "version": "5.1.17763.1007" + }, + "pipeline_id": "1", + "process": { + "executable_version": "5.1.17763.1007" + }, + "runspace_id": "6a447a2c-693e-4d41-948d-129b455b2569", + "sequence": 1, + "total": 1 + }, + "process": { + "args": [ + "powershell", + "-executionpolicy", + "bypass", + "\u0026", + "{", + "if", + "(Test-Path", + "variable:global:ProgressPreference){set-variable", + "-name", + "variable:global:ProgressPreference", + "-value", + "'SilentlyContinue'};.", + "c:/Windows/Temp/packer-ps-env-vars-5e5637dd-15a9-73e0-889a-c01f541a8bc6.ps1;", + "\u0026'c:/Windows/Temp/script-5e5637dd-5626-019d-027a-02e78baaacc9.ps1';", + "exit", + "$LastExitCode", + "}" + ], + "args_count": 17, + "command_line": "powershell -executionpolicy bypass \u0026 { if (Test-Path variable:global:ProgressPreference){set-variable -name variable:global:ProgressPreference -value 'SilentlyContinue'};. 
c:/Windows/Temp/packer-ps-env-vars-5e5637dd-15a9-73e0-889a-c01f541a8bc6.ps1; \u0026'c:/Windows/Temp/script-5e5637dd-5626-019d-027a-02e78baaacc9.ps1'; exit $LastExitCode }", + "entity_id": "ac3c99ce-7983-4996-807e-6a689eaba50b", + "title": "ConsoleHost" + }, + "related": { + "user": [ + "vagrant" + ] + }, + "user": { + "domain": "VAGRANT-2019", + "name": "vagrant" + }, + "winlog": { + "api": "wineventlog", + "channel": "Windows PowerShell", + "computer_name": "vagrant-2019", + "event_id": "800", + "keywords": [ + "Classic" + ], + "opcode": "Info", + "provider_name": "PowerShell", + "record_id": "191", + "task": "Pipeline Execution Details" + } + }, + { + "@timestamp": "2020-05-15T08:33:26.3769931Z", + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "Pipeline Execution Details", + "category": "process", + "code": "800", + "ingested": "2022-06-08T06:07:25.991821100Z", + "kind": "event", + "module": "powershell", + "provider": "PowerShell", + "sequence": 135, + "type": "info" + }, + "host": { + "name": "vagrant" + }, + "log": { + "level": "information" + }, + "message": "Pipeline execution details for command line: \u0026 { Set-StrictMode -Version 1; $this.Exception.InnerException.PSMessageDetails }. 
\n\nContext Information: \n\tDetailSequence=1\n\tDetailTotal=1\n\n\tSequenceNumber=135\n\n\tUserId=VAGRANT\\vagrant\n\tHostName=ConsoleHost\n\tHostVersion=5.1.17763.1007\n\tHostId=aae5217d-054f-435f-9968-4b5bebf12116\n\tHostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -noexit -command 'C:\\Gopath\\src\\github.com\\elastic\\beats'\n\tEngineVersion=5.1.17763.1007\n\tRunspaceId=a87e8389-57c7-4997-95ff-f82f644965bf\n\tPipelineId=71\n\tScriptName=\n\tCommandLine=\u0026 { Set-StrictMode -Version 1; $this.Exception.InnerException.PSMessageDetails } \n\nDetails: \nCommandInvocation(Set-StrictMode): \"Set-StrictMode\"\nParameterBinding(Set-StrictMode): name=\"Version\"; value=\"1.0\"", + "powershell": { + "command": { + "invocation_details": [ + { + "related_command": "Set-StrictMode", + "type": "CommandInvocation", + "value": "\"Set-StrictMode\"" + }, + { + "name": "\"Version\"", + "related_command": "Set-StrictMode", + "type": "ParameterBinding", + "value": "\"1.0\"" + } + ], + "value": "\u0026 { Set-StrictMode -Version 1; $this.Exception.InnerException.PSMessageDetails }" + }, + "engine": { + "version": "5.1.17763.1007" + }, + "pipeline_id": "71", + "process": { + "executable_version": "5.1.17763.1007" + }, + "runspace_id": "a87e8389-57c7-4997-95ff-f82f644965bf", + "sequence": 1, + "total": 1 + }, + "process": { + "args": [ + "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", + "-noexit", + "-command", + "'C:\\Gopath\\src\\github.com\\elastic\\beats'" + ], + "args_count": 4, + "command_line": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -noexit -command 'C:\\Gopath\\src\\github.com\\elastic\\beats'", + "entity_id": "aae5217d-054f-435f-9968-4b5bebf12116", + "title": "ConsoleHost" + }, + "related": { + "user": [ + "vagrant" + ] + }, + "user": { + "domain": "VAGRANT", + "name": "vagrant" + }, + "winlog": { + "api": "wineventlog", + "channel": "Windows PowerShell", + "computer_name": "vagrant", + "event_id": 
"800", + "keywords": [ + "Classic" + ], + "opcode": "Info", + "provider_name": "PowerShell", + "record_id": "1843", + "task": "Pipeline Execution Details" + } + }, + { + "@timestamp": "2020-05-15T08:33:26.393089Z", + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "Pipeline Execution Details", + "category": "process", + "code": "800", + "ingested": "2022-06-08T06:07:25.991832300Z", + "kind": "event", + "module": "powershell", + "provider": "PowerShell", + "sequence": 141, + "type": "info" + }, + "host": { + "name": "vagrant" + }, + "log": { + "level": "information" + }, + "message": "Pipeline execution details for command line: Import-LocalizedData LocalizedData -filename ArchiveResources\n. \n\nContext Information: \n\tDetailSequence=1\n\tDetailTotal=1\n\n\tSequenceNumber=141\n\n\tUserId=VAGRANT\\vagrant\n\tHostName=ConsoleHost\n\tHostVersion=5.1.17763.1007\n\tHostId=aae5217d-054f-435f-9968-4b5bebf12116\n\tHostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -noexit -command 'C:\\Gopath\\src\\github.com\\elastic\\beats'\n\tEngineVersion=5.1.17763.1007\n\tRunspaceId=a87e8389-57c7-4997-95ff-f82f644965bf\n\tPipelineId=71\n\tScriptName=\n\tCommandLine=Import-LocalizedData LocalizedData -filename ArchiveResources\n \n\nDetails: \nCommandInvocation(Import-LocalizedData): \"Import-LocalizedData\"\nParameterBinding(Import-LocalizedData): name=\"FileName\"; value=\"ArchiveResources\"\nParameterBinding(Import-LocalizedData): name=\"BindingVariable\"; value=\"LocalizedData\"\nNonTerminatingError(Import-LocalizedData): \"Cannot find the Windows PowerShell data file 'ArchiveResources.psd1' in directory 'C:\\Gopath\\src\\github.com\\elastic\\beats\\x-pack\\winlogbeat\\en-US\\', or in any parent culture directories.\"", + "powershell": { + "command": { + "invocation_details": [ + { + "related_command": "Import-LocalizedData", + "type": "CommandInvocation", + "value": "\"Import-LocalizedData\"" + }, + { + "name": "\"FileName\"", + 
"related_command": "Import-LocalizedData", + "type": "ParameterBinding", + "value": "\"ArchiveResources\"" + }, + { + "name": "\"BindingVariable\"", + "related_command": "Import-LocalizedData", + "type": "ParameterBinding", + "value": "\"LocalizedData\"" + }, + { + "related_command": "Import-LocalizedData", + "type": "NonTerminatingError", + "value": "\"Cannot find the Windows PowerShell data file 'ArchiveResources.psd1' in directory 'C:\\Gopath\\src\\github.com\\elastic\\beats\\x-pack\\winlogbeat\\en-US\\', or in any parent culture directories.\"" + } + ], + "value": "Import-LocalizedData LocalizedData -filename ArchiveResources" + }, + "engine": { + "version": "5.1.17763.1007" + }, + "pipeline_id": "71", + "process": { + "executable_version": "5.1.17763.1007" + }, + "runspace_id": "a87e8389-57c7-4997-95ff-f82f644965bf", + "sequence": 1, + "total": 1 + }, + "process": { + "args": [ + "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", + "-noexit", + "-command", + "'C:\\Gopath\\src\\github.com\\elastic\\beats'" + ], + "args_count": 4, + "command_line": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -noexit -command 'C:\\Gopath\\src\\github.com\\elastic\\beats'", + "entity_id": "aae5217d-054f-435f-9968-4b5bebf12116", + "title": "ConsoleHost" + }, + "related": { + "user": [ + "vagrant" + ] + }, + "user": { + "domain": "VAGRANT", + "name": "vagrant" + }, + "winlog": { + "api": "wineventlog", + "channel": "Windows PowerShell", + "computer_name": "vagrant", + "event_id": "800", + "keywords": [ + "Classic" + ], + "opcode": "Info", + "provider_name": "PowerShell", + "record_id": "1846", + "task": "Pipeline Execution Details" + } + }, + { + "@timestamp": "2020-05-15T08:33:26.393089Z", + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "Pipeline Execution Details", + "category": "process", + "code": "800", + "ingested": "2022-06-08T06:07:25.991841100Z", + "kind": "event", + "module": "powershell", + "provider": "PowerShell", + 
"sequence": 143, + "type": "info" + }, + "host": { + "name": "vagrant" + }, + "log": { + "level": "information" + }, + "message": "Pipeline execution details for command line: . \n\nContext Information: \n\tDetailSequence=1\n\tDetailTotal=1\n\n\tSequenceNumber=143\n\n\tUserId=VAGRANT\\vagrant\n\tHostName=ConsoleHost\n\tHostVersion=5.1.17763.1007\n\tHostId=aae5217d-054f-435f-9968-4b5bebf12116\n\tHostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -noexit -command 'C:\\Gopath\\src\\github.com\\elastic\\beats'\n\tEngineVersion=5.1.17763.1007\n\tRunspaceId=a87e8389-57c7-4997-95ff-f82f644965bf\n\tPipelineId=71\n\tScriptName=\n\tCommandLine= \n\nDetails: \nCommandInvocation(Out-Default): \"Out-Default\"\nParameterBinding(Out-Default): name=\"InputObject\"; value=\"Cannot find the Windows PowerShell data file 'ArchiveResources.psd1' in directory 'C:\\Gopath\\src\\github.com\\elastic\\beats\\x-pack\\winlogbeat\\en-US\\', or in any parent culture directories.\"", + "powershell": { + "command": { + "invocation_details": [ + { + "related_command": "Out-Default", + "type": "CommandInvocation", + "value": "\"Out-Default\"" + }, + { + "name": "\"InputObject\"", + "related_command": "Out-Default", + "type": "ParameterBinding", + "value": "\"Cannot find the Windows PowerShell data file 'ArchiveResources.psd1' in directory 'C:\\Gopath\\src\\github.com\\elastic\\beats\\x-pack\\winlogbeat\\en-US\\', or in any parent culture directories.\"" + } + ] + }, + "engine": { + "version": "5.1.17763.1007" + }, + "pipeline_id": "71", + "process": { + "executable_version": "5.1.17763.1007" + }, + "runspace_id": "a87e8389-57c7-4997-95ff-f82f644965bf", + "sequence": 1, + "total": 1 + }, + "process": { + "args": [ + "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", + "-noexit", + "-command", + "'C:\\Gopath\\src\\github.com\\elastic\\beats'" + ], + "args_count": 4, + "command_line": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -noexit 
-command 'C:\\Gopath\\src\\github.com\\elastic\\beats'", + "entity_id": "aae5217d-054f-435f-9968-4b5bebf12116", + "title": "ConsoleHost" + }, + "related": { + "user": [ + "vagrant" + ] + }, + "user": { + "domain": "VAGRANT", + "name": "vagrant" + }, + "winlog": { + "api": "wineventlog", + "channel": "Windows PowerShell", + "computer_name": "vagrant", + "event_id": "800", + "keywords": [ + "Classic" + ], + "opcode": "Info", + "provider_name": "PowerShell", + "record_id": "1847", + "task": "Pipeline Execution Details" + } + } +] \ No newline at end of file diff --git a/x-pack/winlogbeat/module/security/ingest/security.yml b/x-pack/winlogbeat/module/security/ingest/security.yml index b68343aa93c0..c20fc3161237 100644 --- a/x-pack/winlogbeat/module/security/ingest/security.yml +++ b/x-pack/winlogbeat/module/security/ingest/security.yml @@ -818,10 +818,15 @@ processors: } Long newUacValue = Long.decode(ctx.winlog.event_data.NewUacValue); ArrayList uacResult = new ArrayList(); - for (entry in params.entrySet()) { - Long flag = Long.decode(entry.getKey()); - if ((newUacValue.longValue() & flag.longValue()) == flag.longValue()) { - uacResult.add(entry.getValue()); + def[] w = new def[] { null }; + for (long b = 0; b < 32; b++) { + long flag = 1L << b; + if ((newUacValue.longValue() & flag) == flag) { + w[0] = flag; + def desc = params[String.format("0x%08X", w)]; + if (desc != null) { + uacResult.add(desc); + } } } if (uacResult.length == 0) { 
@@ -873,10 +878,15 @@ processors: } Long tOpts = Long.decode(ctx.winlog.event_data.TicketOptions); ArrayList tDescs = new ArrayList(); - for (entry in params.entrySet()) { - Long flag = Long.decode(entry.getKey()); - if ((tOpts.longValue() & flag.longValue()) == flag.longValue()) { - tDescs.add(entry.getValue()); + def[] w = new def[] { null }; + for (long b = 0; b < 32; b++) { + long flag = 1L << b; + if ((tOpts.longValue() & flag) == flag) { + w[0] = flag; + def desc = params[String.format("0x%08X", w)]; + if (desc != null) { + tDescs.add(desc); + } } } if (tDescs.length == 0) { @@ -2088,6 +2098,22 @@ processors: "0x40000000": ADS_RIGHT_GENERIC_WRITE "0x80000000": ADS_RIGHT_GENERIC_READ source: |- + def split(String s) { + def f = new ArrayList(); + int last = 0; + for (; last < s.length() && Character.isWhitespace(s.charAt(last)); last++) {} + for (def i = last; i < s.length(); i++) { + if (!Character.isWhitespace(s.charAt(i))) { + continue; + } + f.add(s.substring(last, i)); + for (; i < s.length() && Character.isWhitespace(s.charAt(i)); i++) {} + last = i; + } + f.add(s.substring(last)); + return f; + } + if (ctx?.winlog?.event_data?.FailureReason != null) { def code = ctx.winlog.event_data.FailureReason.replace("%%",""); if (params.descriptions.containsKey(code)) { @@ -2116,7 +2142,7 @@ processors: } if (ctx?.winlog?.event_data?.AccessList != null) { ArrayList results = new ArrayList(); - for (elem in ctx.winlog.event_data.AccessList.splitOnToken(" ")) { + for (elem in split(ctx.winlog.event_data.AccessList)) { def code = elem.replace("%%","").trim(); if (params.descriptions.containsKey(code)) { results.add(params.descriptions[code]); 
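Review bot: `split` appends `s.substring(last)` unconditionally, so an empty or whitespace-only input, or one with trailing whitespace, yields a trailing `""` element. The AccessList loop in `@@ -2116` tolerates it because the empty code simply misses `params.descriptions`, and the AccessMask block in `@@ -2127` guards it with `elem.length() == 0`, but the copy of `split` used by `splitSidList` in `@@ -3318` does not, so `""` is stored in `SidList` and handed to `translateSID`. Fixing it at the source in both copies, `if (last < s.length()) { f.add(s.substring(last)); }`, removes the need for per-caller guards. The helper is duplicated verbatim between the two scripts; since Painless scripts cannot share it, a one-line comment at each copy pointing at the other would help keep them in sync.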
@@ -2127,17 +2153,36 @@ processors: } } if (ctx?.winlog?.event_data?.AccessMask != null) { - ArrayList results = new ArrayList(); - Long accessMask = Long.decode(ctx.winlog.event_data.AccessMask); - for (entry in params.AccessMaskDescriptions.entrySet()) { - Long accessFlag = Long.decode(entry.getKey()); - if ((accessMask.longValue() & accessFlag.longValue()) == accessFlag.longValue()) { - results.add(entry.getValue()); + ArrayList list = new ArrayList(); + long accessMask; + for (elem in split(ctx.winlog.event_data.AccessMask)) { + if (elem.length() == 0) { + continue; } + list.add(elem); + def code = elem.replace("%%","").trim(); + accessMask |= Long.decode(code).longValue(); } - if (results.length > 0) { - ctx.winlog.event_data.put("AccessMaskDescription", results); + if (list.length > 0) { + ctx.winlog.event_data.put("AccessMask", list); } + + ArrayList desc = new ArrayList(); + def[] w = new def[] { null }; + for (long b = 0; b < 32; b++) { + long flag = 1L << b; + if ((accessMask & flag) == flag) { + w[0] = flag; + def fDesc = params.AccessMaskDescriptions[String.format("0x%08X", w)]; + if (fDesc != null) { + desc.add(fDesc); + } + } + } + if (desc.length > 0) { + ctx.winlog.event_data.put("AccessMaskDescription", desc); + } + ArrayList results = new ArrayList(); } - script: lang: painless 
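Review bot: The `ArrayList results = new ArrayList();` added just before the block's closing brace is never read after the rewrite and should be dropped. `accessMask |= Long.decode(code).longValue()` also throws on any token that is not decodable as a number, which fails the whole event in the pipeline rather than only losing the description; since these tokens come straight from event data, something like `try { accessMask |= Long.decode(code).longValue(); } catch (Exception e) { continue; }` keeps the raw token in `list` and still lets the event through. Note that `winlog.event_data.AccessMask` is now rewritten as a list even when it holds a single token, which changes the field's shape for downstream consumers; if that is intended, a short comment saying so would help.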
@@ -3318,14 +3363,32 @@ processors: } } - void splitSidList(def sids, def params, def ctx) { - ArrayList al = new ArrayList(); - def sidList = sids.splitOnToken(" "); - ctx.winlog.event_data.put("SidList", sidList); - for (def i = 0; i < sidList.length; i++ ) { - al.add(translateSID(sidList[i].replace("%", "").replace("{", "").replace("}", "").replace(" ",""), params)); + def split(String s) { + def f = new ArrayList(); + int last = 0; + for (; last < s.length() && Character.isWhitespace(s.charAt(last)); last++) {} + for (def i = last; i < s.length(); i++) { + if (!Character.isWhitespace(s.charAt(i))) { + continue; + } + f.add(s.substring(last, i)); + for (; i < s.length() && Character.isWhitespace(s.charAt(i)); i++) {} + last = i; } - ctx.winlog.event_data.put("SidListDesc", al); + f.add(s.substring(last)); + return f; + } + + void splitSidList(def sids, def params, def ctx) { + ArrayList list = new ArrayList(); + ArrayList desc = new ArrayList(); + def sidList = split(sids); + for (def i = 0; i < sidList.length; i++) { + list.add(sidList[i]); + desc.add(translateSID(sidList[i].replace("%", "").replace("{", "").replace("}", ""), params)); + } + ctx.winlog.event_data.put("SidList", list); + ctx.winlog.event_data.put("SidListDesc", desc); } if (ctx?.event?.code == null || diff --git a/x-pack/winlogbeat/module/security/test/security_ingest_test.go b/x-pack/winlogbeat/module/security/test/security_ingest_test.go new file mode 100644 index 000000000000..c76dd90a425b --- /dev/null +++ b/x-pack/winlogbeat/module/security/test/security_ingest_test.go 
@@ -0,0 +1,29 @@
+// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+// or more contributor license agreements. Licensed under the Elastic License;
+// you may not use this file except in compliance with the Elastic License.
+
+// Windows is excluded not because the tests won't pass on Windows in general,
+// but because they won't pass on Windows in a VM — where we are using this — due
+// to the VM inception problem.
+//
+//go:build !windows
+// +build !windows
+
+package test
+
+import (
+ "testing"
+
+ "github.com/elastic/beats/v7/x-pack/winlogbeat/module"
+)
+
+// Ignore these fields because they can be different on different versions
+// of windows.
+var ignoreFields = []string{
+ "event.ingested",
+ "message",
+}
+
+func TestSecurityIngest(t *testing.T) {
+ module.TestIngestPipeline(t, "security", "testdata/collection/*.evtx.golden.json", module.WithFieldFilter(ignoreFields))
+}
diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/1100.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/1100.golden.json
new file mode 100644
index 000000000000..1eaf254cb9cd
--- /dev/null
+++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/1100.golden.json
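Review bot: The comment above `ignoreFields` attributes both entries to differences between Windows versions, but `event.ingested` is a pipeline-run timestamp that differs on every run regardless of platform, so a reader may later drop it believing the version concern no longer applies; suggest `// event.ingested is set at ingest time and differs per run; message can differ between Windows versions.` `TestSecurityIngest` also has no doc comment; from its arguments something like `// TestSecurityIngest runs the security ingest pipeline over the collected *.evtx golden files and compares the result with the golden output, ignoring ignoreFields.` fits, though how `TestIngestPipeline` performs the comparison is defined outside this file.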
@@ -0,0 +1,50 @@ +[ + { + "@timestamp": "2019-11-07T10:37:04.2260925Z", + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "logging-service-shutdown", + "category": [ + "process" + ], + "code": "1100", + "ingested": "2022-06-08T06:21:07.784686200Z", + "kind": "event", + "module": "security", + "outcome": "success", + "provider": "Microsoft-Windows-Eventlog", + "type": [ + "end" + ] + }, + "host": { + "name": "WIN-41OB2LO92CR.wlbeat.local" + }, + "log": { + "level": "information" + }, + "message": "The event logging service has shut down.", + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "WIN-41OB2LO92CR.wlbeat.local", + "event_id": "1100", + "keywords": [ + "Audit Success" + ], + "opcode": "Info", + "process": { + "pid": 1144, + "thread": { + "id": 4532 + } + }, + "provider_guid": "{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}", + "provider_name": "Microsoft-Windows-Eventlog", + "record_id": "14257", + "task": "Service shutdown" + } + } +] \ No newline at end of file diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/1102.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/1102.golden.json new file mode 100644 index 000000000000..6374f10e8eb5 --- /dev/null +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/1102.golden.json 
@@ -0,0 +1,71 @@ +[ + { + "@timestamp": "2019-11-07T10:34:29.0559196Z", + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "audit-log-cleared", + "category": [ + "iam" + ], + "code": "1102", + "ingested": "2022-06-08T06:21:07.838072400Z", + "kind": "event", + "module": "security", + "outcome": "success", + "provider": "Microsoft-Windows-Eventlog", + "type": [ + "admin", + "change" + ] + }, + "host": { + "name": "WIN-41OB2LO92CR.wlbeat.local" + }, + "log": { + "level": "information" + }, + "message": "The audit log was cleared.\nSubject:\n\tSecurity ID:\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\tAdministrator\n\tDomain Name:\tWLBEAT\n\tLogon ID:\t0x50E87", + "related": { + "user": [ + "Administrator" + ] + }, + "user": { + "domain": "WLBEAT", + "id": "S-1-5-21-101361758-2486510592-3018839910-500", + "name": "Administrator" + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "WIN-41OB2LO92CR.wlbeat.local", + "event_id": "1102", + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x50e87" + }, + "opcode": "Info", + "process": { + "pid": 1144, + "thread": { + "id": 1824 + } + }, + "provider_guid": "{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}", + "provider_name": "Microsoft-Windows-Eventlog", + "record_id": "14224", + "task": "Log clear", + "user_data": { + "SubjectDomainName": "WLBEAT", + "SubjectLogonId": "0x50e87", + "SubjectUserName": "Administrator", + "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500", + "xml_name": "LogFileCleared" + } + } + } +] \ No newline at end of file diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/1104.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/1104.golden.json new file mode 100644 index 000000000000..d54a6ee27af3 --- /dev/null +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/1104.golden.json 
@@ -0,0 +1,50 @@ +[ + { + "@timestamp": "2019-11-08T07:56:17.3217049Z", + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "logging-full", + "category": [ + "iam" + ], + "code": "1104", + "ingested": "2022-06-08T06:21:07.850785400Z", + "kind": "event", + "module": "security", + "outcome": "success", + "provider": "Microsoft-Windows-Eventlog", + "type": [ + "admin" + ] + }, + "host": { + "name": "WIN-41OB2LO92CR.wlbeat.local" + }, + "log": { + "level": "error" + }, + "message": "The security log is now full.", + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "WIN-41OB2LO92CR.wlbeat.local", + "event_id": "1104", + "keywords": [ + "Audit Success" + ], + "opcode": "Info", + "process": { + "pid": 1096, + "thread": { + "id": 1444 + } + }, + "provider_guid": "{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}", + "provider_name": "Microsoft-Windows-Eventlog", + "record_id": "19352", + "task": "Event processing" + } + } +] \ No newline at end of file diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/1105.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/1105.golden.json new file mode 100644 index 000000000000..066a1ba598d3 --- /dev/null +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/1105.golden.json 
@@ -0,0 +1,55 @@ +[ + { + "@timestamp": "2019-11-07T16:22:14.8425353Z", + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "auditlog-archieved", + "category": [ + "iam" + ], + "code": "1105", + "ingested": "2022-06-08T06:21:07.856253Z", + "kind": "event", + "module": "security", + "outcome": "success", + "provider": "Microsoft-Windows-Eventlog", + "type": [ + "admin" + ] + }, + "host": { + "name": "WIN-41OB2LO92CR.wlbeat.local" + }, + "log": { + "level": "information" + }, + "message": "Event log automatic backup\n\tLog:\tSecurity\n\tFile:\tC:\\Windows\\System32\\Winevt\\Logs\\Archive-Security-2019-11-07-16-22-14-780.evtx", + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "WIN-41OB2LO92CR.wlbeat.local", + "event_id": "1105", + "keywords": [ + "Audit Success" + ], + "opcode": "Info", + "process": { + "pid": 1156, + "thread": { + "id": 1484 + } + }, + "provider_guid": "{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}", + "provider_name": "Microsoft-Windows-Eventlog", + "record_id": "18197", + "task": "Log automatic backup", + "user_data": { + "BackupPath": "C:\\Windows\\System32\\Winevt\\Logs\\Archive-Security-2019-11-07-16-22-14-780.evtx", + "Channel": "Security", + "xml_name": "AutoBackup" + } + } + } +] \ No newline at end of file diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/4670_WindowsSrv2016.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/4670_WindowsSrv2016.golden.json new file mode 100644 index 000000000000..0ac7449263be --- /dev/null +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/4670_WindowsSrv2016.golden.json 
@@ -0,0 +1,87 @@ +[ + { + "@timestamp": "2020-07-28T13:22:18.7993488Z", + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "permissions-changed", + "category": [ + "iam", + "configuration" + ], + "code": "4670", + "ingested": "2022-06-08T06:21:07.861752100Z", + "kind": "event", + "module": "security", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "admin", + "change" + ] + }, + "host": { + "name": "WIN-BVM4LI1L1Q6.TEST.local" + }, + "log": { + "level": "information" + }, + "message": "Permissions on an object were changed.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-BVM4LI1L1Q6$\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x3E7\n\nObject:\n\tObject Server:\tSecurity\n\tObject Type:\tToken\n\tObject Name:\t-\n\tHandle ID:\t0x56c\n\nProcess:\n\tProcess ID:\t0x2fc\n\tProcess Name:\tC:\\Windows\\System32\\services.exe\n\nPermissions Change:\n\tOriginal Security Descriptor:\tD:(A;;GA;;;SY)(A;;GA;;;NS)\n\tNew Security Descriptor:\tD:(A;;GA;;;SY)(A;;RC;;;OW)(A;;GA;;;S-1-5-80-123231216-2592883651-3715271367-3753151631-4175906628)", + "process": { + "executable": "C:\\Windows\\System32\\services.exe", + "name": "services.exe", + "pid": 764 + }, + "related": { + "user": [ + "WIN-BVM4LI1L1Q6$" + ] + }, + "user": { + "domain": "TEST", + "id": "S-1-5-18", + "name": "WIN-BVM4LI1L1Q6$" + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "WIN-BVM4LI1L1Q6.TEST.local", + "event_data": { + "HandleId": "0x56c", + "NewSd": "D:(A;;GA;;;SY)(A;;RC;;;OW)(A;;GA;;;S-1-5-80-123231216-2592883651-3715271367-3753151631-4175906628)", + "NewSdDacl0": "Local system :Access Allowed ([Generic All])", + "NewSdDacl1": "OW :Access Allowed ([Read Permissions])", + "NewSdDacl2": "S-1-5-80-123231216-2592883651-3715271367-3753151631-4175906628 :Access Allowed ([Generic All])", + "ObjectName": "-", + "ObjectServer": "Security", + "ObjectType": "Token", + "OldSd": "D:(A;;GA;;;SY)(A;;GA;;;NS)", + 
"OldSdDacl0": "Local system :Access Allowed ([Generic All])", + "OldSdDacl1": "Network service account :Access Allowed ([Generic All])", + "SubjectDomainName": "TEST", + "SubjectLogonId": "0x3e7", + "SubjectUserName": "WIN-BVM4LI1L1Q6$", + "SubjectUserSid": "S-1-5-18" + }, + "event_id": "4670", + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x3e7" + }, + "opcode": "Info", + "process": { + "pid": 4, + "thread": { + "id": 4604 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "31932", + "task": "Authorization Policy Change" + } + } +] \ No newline at end of file diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/4706_WindowsSrv2016.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/4706_WindowsSrv2016.golden.json new file mode 100644 index 000000000000..7d98f44725cf --- /dev/null +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/4706_WindowsSrv2016.golden.json 
@@ -0,0 +1,79 @@ +[ + { + "@timestamp": "2020-07-27T09:42:48.3690009Z", + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "domain-trust-added", + "category": [ + "configuration" + ], + "code": "4706", + "ingested": "2022-06-08T06:21:07.908218700Z", + "kind": "event", + "module": "security", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "creation" + ] + }, + "host": { + "name": "WIN-BVM4LI1L1Q6.TEST.local" + }, + "log": { + "level": "information" + }, + "message": "A new trust was created to a domain.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-2024912787-2692429404-2351956786-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x6A868\n\nTrusted Domain:\n\tDomain Name:\t\t192.168.230.153\n\tDomain ID:\t\tS-1-0-0\n\nTrust Information:\n\tTrust Type:\t\t3\n\tTrust Direction:\t\t3\n\tTrust Attributes:\t\t1\n\tSID Filtering:\t\tDisabled", + "related": { + "user": [ + "Administrator" + ] + }, + "user": { + "domain": "TEST", + "id": "S-1-5-21-2024912787-2692429404-2351956786-500", + "name": "Administrator" + }, + "winlog": { + "activity_id": "{be129571-63f8-0000-a795-12bef863d601}", + "api": "wineventlog", + "channel": "Security", + "computer_name": "WIN-BVM4LI1L1Q6.TEST.local", + "event_data": { + "DomainName": "192.168.230.153", + "DomainSid": "S-1-0-0", + "SidFilteringEnabled": "%%1796", + "SubjectDomainName": "TEST", + "SubjectLogonId": "0x6a868", + "SubjectUserName": "Administrator", + "SubjectUserSid": "S-1-5-21-2024912787-2692429404-2351956786-500", + "TdoAttributes": "1", + "TdoDirection": "3", + "TdoType": "3" + }, + "event_id": "4706", + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x6a868" + }, + "opcode": "Info", + "process": { + "pid": 776, + "thread": { + "id": 3056 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "6017", + "task": "Authentication Policy Change", + 
"trustAttribute": "TRUST_ATTRIBUTE_NON_TRANSITIVE", + "trustDirection": "TRUST_DIRECTION_BIDIRECTIONAL", + "trustType": "TRUST_TYPE_MIT" + } + } +] \ No newline at end of file diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/4707_WindowsSrv2016.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/4707_WindowsSrv2016.golden.json new file mode 100644 index 000000000000..ab4a62ab9b2f --- /dev/null +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/4707_WindowsSrv2016.golden.json 
@@ -0,0 +1,71 @@ +[ + { + "@timestamp": "2020-07-28T06:18:04.600444Z", + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "domain-trust-removed", + "category": [ + "configuration" + ], + "code": "4707", + "ingested": "2022-06-08T06:21:07.915673700Z", + "kind": "event", + "module": "security", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "deletion" + ] + }, + "host": { + "name": "WIN-BVM4LI1L1Q6.TEST.local" + }, + "log": { + "level": "information" + }, + "message": "A trust to a domain was removed.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-2024912787-2692429404-2351956786-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x6A868\n\nDomain Information:\n\tDomain Name:\t\t192.168.230.153\n\tDomain ID:\t\tS-1-0-0", + "related": { + "user": [ + "Administrator" + ] + }, + "user": { + "domain": "TEST", + "id": "S-1-5-21-2024912787-2692429404-2351956786-500", + "name": "Administrator" + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "WIN-BVM4LI1L1Q6.TEST.local", + "event_data": { + "DomainName": "192.168.230.153", + "DomainSid": "S-1-0-0", + "SubjectDomainName": "TEST", + "SubjectLogonId": "0x6a868", + "SubjectUserName": "Administrator", + "SubjectUserSid": "S-1-5-21-2024912787-2692429404-2351956786-500" + }, + "event_id": "4707", + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x6a868" + }, + "opcode": "Info", + "process": { + "pid": 776, + "thread": { + "id": 2012 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "13679", + "task": "Authentication Policy Change" + } + } +] \ No newline at end of file diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/4713_WindowsSrv2016.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/4713_WindowsSrv2016.golden.json new file mode 100644 index 000000000000..7a8930ce885f 
--- /dev/null +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/4713_WindowsSrv2016.golden.json 
@@ -0,0 +1,71 @@ +[ + { + "@timestamp": "2020-07-28T10:15:43.4951882Z", + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "kerberos-policy-changed", + "category": [ + "configuration" + ], + "code": "4713", + "ingested": "2022-06-08T06:21:07.921167700Z", + "kind": "event", + "module": "security", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "change" + ] + }, + "host": { + "name": "WIN-BVM4LI1L1Q6.TEST.local" + }, + "log": { + "level": "information" + }, + "message": "Kerberos policy was changed.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-BVM4LI1L1Q6$\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x3E7\n\nChanges Made:\n('--' means no changes, otherwise each change is shown as:\n(Parameter Name):\t(new value) (old value))\nKerMinT: 0x53d1ac1000 (0x53ade8ca00); KerMaxR: 0x649534e0000 (0x58028e44000); KerProxy: 0xd693a400 (0xb2d05e00); ", + "related": { + "user": [ + "WIN-BVM4LI1L1Q6$" + ] + }, + "user": { + "domain": "TEST", + "id": "S-1-5-18", + "name": "WIN-BVM4LI1L1Q6$" + }, + "winlog": { + "activity_id": "{be129571-63f8-0000-a795-12bef863d601}", + "api": "wineventlog", + "channel": "Security", + "computer_name": "WIN-BVM4LI1L1Q6.TEST.local", + "event_data": { + "KerberosPolicyChange": "KerMinT: 0x53d1ac1000 (0x53ade8ca00); KerMaxR: 0x649534e0000 (0x58028e44000); KerProxy: 0xd693a400 (0xb2d05e00); ", + "SubjectDomainName": "TEST", + "SubjectLogonId": "0x3e7", + "SubjectUserName": "WIN-BVM4LI1L1Q6$", + "SubjectUserSid": "S-1-5-18" + }, + "event_id": "4713", + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x3e7" + }, + "opcode": "Info", + "process": { + "pid": 776, + "thread": { + "id": 2012 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "21265", + "task": "Authentication Policy Change" + } + } +] \ No newline at end of file 
diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/4716_WindowsSrv2016.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/4716_WindowsSrv2016.golden.json new file mode 100644 index 000000000000..57c656a76707 --- /dev/null +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/4716_WindowsSrv2016.golden.json 
@@ -0,0 +1,79 @@ +[ + { + "@timestamp": "2020-07-28T08:17:00.4706442Z", + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "trusted-domain-information-changed", + "category": [ + "configuration" + ], + "code": "4716", + "ingested": "2022-06-08T06:21:07.926829100Z", + "kind": "event", + "module": "security", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "change" + ] + }, + "host": { + "name": "WIN-BVM4LI1L1Q6.TEST.local" + }, + "log": { + "level": "information" + }, + "message": "Trusted domain information was modified.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-2024912787-2692429404-2351956786-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x6A868\n\nTrusted Domain:\n\tDomain Name:\t\t-\n\tDomain ID:\t\tS-1-0-0\n\nNew Trust Information:\n\tTrust Type:\t\t3\n\tTrust Direction:\t\t3\n\tTrust Attributes:\t\t1\n\tSID Filtering:\t\t-", + "related": { + "user": [ + "Administrator" + ] + }, + "user": { + "domain": "TEST", + "id": "S-1-5-21-2024912787-2692429404-2351956786-500", + "name": "Administrator" + }, + "winlog": { + "activity_id": "{be129571-63f8-0000-a795-12bef863d601}", + "api": "wineventlog", + "channel": "Security", + "computer_name": "WIN-BVM4LI1L1Q6.TEST.local", + "event_data": { + "DomainName": "-", + "DomainSid": "S-1-0-0", + "SidFilteringEnabled": "-", + "SubjectDomainName": "TEST", + "SubjectLogonId": "0x6a868", + "SubjectUserName": "Administrator", + "SubjectUserSid": "S-1-5-21-2024912787-2692429404-2351956786-500", + "TdoAttributes": "1", + "TdoDirection": "3", + "TdoType": "3" + }, + "event_id": "4716", + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x6a868" + }, + "opcode": "Info", + "process": { + "pid": 776, + "thread": { + "id": 3776 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "14929", + "task": "Authentication Policy Change", + "trustAttribute": 
"TRUST_ATTRIBUTE_NON_TRANSITIVE", + "trustDirection": "TRUST_DIRECTION_BIDIRECTIONAL", + "trustType": "TRUST_TYPE_MIT" + } + } +] \ No newline at end of file diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/4717_WindowsSrv2016.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/4717_WindowsSrv2016.golden.json new file mode 100644 index 000000000000..30a0da980a23 --- /dev/null +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/4717_WindowsSrv2016.golden.json 
@@ -0,0 +1,74 @@ +[ + { + "@timestamp": "2020-07-27T09:30:41.9034803Z", + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "system-security-access-granted", + "category": [ + "iam", + "configuration" + ], + "code": "4717", + "ingested": "2022-06-08T06:21:07.932459300Z", + "kind": "event", + "module": "security", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "admin", + "change" + ] + }, + "host": { + "name": "WIN-BVM4LI1L1Q6" + }, + "log": { + "level": "information" + }, + "message": "System security access was granted to an account.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-BVM4LI1L1Q6$\n\tAccount Domain:\t\tWORKGROUP\n\tLogon ID:\t\t0x3E7\n\nAccount Modified:\n\tAccount Name:\t\tS-1-5-9\n\nAccess Granted:\n\tAccess Right:\t\tSeNetworkLogonRight", + "related": { + "user": [ + "WIN-BVM4LI1L1Q6$" + ] + }, + "user": { + "domain": "WORKGROUP", + "id": "S-1-5-18", + "name": "WIN-BVM4LI1L1Q6$" + }, + "winlog": { + "activity_id": "{b69bb9ff-63f5-0000-35ba-9bb6f563d601}", + "api": "wineventlog", + "channel": "Security", + "computer_name": "WIN-BVM4LI1L1Q6", + "event_data": { + "AccessGranted": "SeNetworkLogonRight", + "SubjectDomainName": "WORKGROUP", + "SubjectLogonId": "0x3e7", + "SubjectUserName": "WIN-BVM4LI1L1Q6$", + "SubjectUserSid": "S-1-5-18", + "TargetSid": "S-1-5-9" + }, + "event_id": "4717", + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x3e7" + }, + "opcode": "Info", + "process": { + "pid": 776, + "thread": { + "id": 820 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "1571", + "task": "Authentication Policy Change" + } + } +] \ No newline at end of file 
diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/4718_WindowsSrv2016.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/4718_WindowsSrv2016.golden.json new file mode 100644 index 000000000000..3becc27b8f20 --- /dev/null +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/4718_WindowsSrv2016.golden.json 
@@ -0,0 +1,74 @@ +[ + { + "@timestamp": "2020-07-27T09:30:41.8778082Z", + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "system-security-access-removed", + "category": [ + "iam", + "configuration" + ], + "code": "4718", + "ingested": "2022-06-08T06:21:07.938661600Z", + "kind": "event", + "module": "security", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "admin", + "deletion" + ] + }, + "host": { + "name": "WIN-BVM4LI1L1Q6" + }, + "log": { + "level": "information" + }, + "message": "System security access was removed from an account.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-BVM4LI1L1Q6$\n\tAccount Domain:\t\tWORKGROUP\n\tLogon ID:\t\t0x3E7\n\nAccount Modified:\n\tAccount Name:\t\tS-1-5-32-545\n\nAccess Removed:\n\tAccess Right:\t\tSeNetworkLogonRight", + "related": { + "user": [ + "WIN-BVM4LI1L1Q6$" + ] + }, + "user": { + "domain": "WORKGROUP", + "id": "S-1-5-18", + "name": "WIN-BVM4LI1L1Q6$" + }, + "winlog": { + "activity_id": "{b69bb9ff-63f5-0000-35ba-9bb6f563d601}", + "api": "wineventlog", + "channel": "Security", + "computer_name": "WIN-BVM4LI1L1Q6", + "event_data": { + "AccessRemoved": "SeNetworkLogonRight", + "SubjectDomainName": "WORKGROUP", + "SubjectLogonId": "0x3e7", + "SubjectUserName": "WIN-BVM4LI1L1Q6$", + "SubjectUserSid": "S-1-5-18", + "TargetSid": "S-1-5-32-545" + }, + "event_id": "4718", + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x3e7" + }, + "opcode": "Info", + "process": { + "pid": 776, + "thread": { + "id": 820 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "1565", + "task": "Authentication Policy Change" + } + } +] \ No newline at end of file 
diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/4719.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/4719.golden.json new file mode 100644 index 000000000000..b43487b6efb4 --- /dev/null +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/4719.golden.json 
@@ -0,0 +1,82 @@ +[ + { + "@timestamp": "2019-11-07T15:22:57.6553291Z", + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "changed-audit-config", + "category": [ + "iam", + "configuration" + ], + "code": "4719", + "ingested": "2022-06-08T06:21:07.944221400Z", + "kind": "event", + "module": "security", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "admin", + "change" + ] + }, + "host": { + "name": "WIN-41OB2LO92CR.wlbeat.local" + }, + "log": { + "level": "information" + }, + "message": "System audit policy was changed.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-41OB2LO92CR$\n\tAccount Domain:\t\tWLBEAT\n\tLogon ID:\t\t0x3E7\n\nAudit Policy Change:\n\tCategory:\t\tLogon/Logoff\n\tSubcategory:\t\tNetwork Policy Server\n\tSubcategory GUID:\t{0cce9243-69ae-11d9-bed3-505054503030}\n\tChanges:\t\tSuccess Added, Failure added", + "related": { + "user": [ + "WIN-41OB2LO92CR$" + ] + }, + "user": { + "domain": "WLBEAT", + "id": "S-1-5-18", + "name": "WIN-41OB2LO92CR$" + }, + "winlog": { + "activity_id": "{3eef0a0d-9551-0000-140c-ef3e5195d501}", + "api": "wineventlog", + "channel": "Security", + "computer_name": "WIN-41OB2LO92CR.wlbeat.local", + "event_data": { + "AuditPolicyChanges": "%%8449, %%8451", + "AuditPolicyChangesDescription": [ + "Success Added", + "Failure Added" + ], + "Category": "Logon/Logoff", + "CategoryId": "%%8273", + "SubCategory": "Network Policy Server", + "SubcategoryGuid": "{0cce9243-69ae-11d9-bed3-505054503030}", + "SubcategoryId": "%%12552", + "SubjectDomainName": "WLBEAT", + "SubjectLogonId": "0x3e7", + "SubjectUserName": "WIN-41OB2LO92CR$", + "SubjectUserSid": "S-1-5-18" + }, + "event_id": "4719", + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x3e7" + }, + "opcode": "Info", + "process": { + "pid": 772, + "thread": { + "id": 2944 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + 
"record_id": "17154", + "task": "Audit Policy Change" + } + } +] \ No newline at end of file diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/4719_WindowsSrv2016.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/4719_WindowsSrv2016.golden.json new file mode 100644 index 000000000000..92e60c91e1d6 --- /dev/null +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/4719_WindowsSrv2016.golden.json 
@@ -0,0 +1,81 @@ +[ + { + "@timestamp": "2020-08-18T13:45:57.4803543Z", + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "changed-audit-config", + "category": [ + "iam", + "configuration" + ], + "code": "4719", + "ingested": "2022-06-08T06:21:07.955823800Z", + "kind": "event", + "module": "security", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "admin", + "change" + ] + }, + "host": { + "name": "WIN-BVM4LI1L1Q6.TEST.local" + }, + "log": { + "level": "information" + }, + "message": "System audit policy was changed.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-2024912787-2692429404-2351956786-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x44D7D\n\nAudit Policy Change:\n\tCategory:\t\tObject Access\n\tSubcategory:\t\tOther Object Access Events\n\tSubcategory GUID:\t{0cce9227-69ae-11d9-bed3-505054503030}\n\tChanges:\t\tSuccess removed", + "related": { + "user": [ + "Administrator" + ] + }, + "user": { + "domain": "TEST", + "id": "S-1-5-21-2024912787-2692429404-2351956786-500", + "name": "Administrator" + }, + "winlog": { + "activity_id": "{65461d39-753f-0000-731d-46653f75d601}", + "api": "wineventlog", + "channel": "Security", + "computer_name": "WIN-BVM4LI1L1Q6.TEST.local", + "event_data": { + "AuditPolicyChanges": "%%8448", + "AuditPolicyChangesDescription": [ + "Success removed" + ], + "Category": "Object Access", + "CategoryId": "%%8274", + "SubCategory": "Other Object Access Events", + "SubcategoryGuid": "{0cce9227-69ae-11d9-bed3-505054503030}", + "SubcategoryId": "%%12804", + "SubjectDomainName": "TEST", + "SubjectLogonId": "0x44d7d", + "SubjectUserName": "Administrator", + "SubjectUserSid": "S-1-5-21-2024912787-2692429404-2351956786-500" + }, + "event_id": "4719", + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x44d7d" + }, + "opcode": "Info", + "process": { + "pid": 780, + "thread": { + "id": 2764 + } + }, + "provider_guid": 
"{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "123879", + "task": "Audit Policy Change" + } + } +] \ No newline at end of file diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/4739_WindowsSrv2016.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/4739_WindowsSrv2016.golden.json new file mode 100644 index 000000000000..b7a566a0fffd --- /dev/null +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/4739_WindowsSrv2016.golden.json 
@@ -0,0 +1,78 @@ +[ + { + "@timestamp": "2020-07-27T09:34:50.1578005Z", + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "domain-policy-changed", + "category": [ + "configuration" + ], + "code": "4739", + "ingested": "2022-06-08T06:21:07.963089600Z", + "kind": "event", + "module": "security", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "change" + ] + }, + "host": { + "name": "WIN-BVM4LI1L1Q6.TEST.local" + }, + "log": { + "level": "information" + }, + "message": "Domain Policy was changed.\n\nChange Type:\t\tPassword Policy modified\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-BVM4LI1L1Q6$\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x3E7\n\nDomain:\n\tDomain Name:\t\tTEST\n\tDomain ID:\t\tS-1-5-21-2024912787-2692429404-2351956786\n\nChanged Attributes:\n\tMin. Password Age:\t\n\tMax. Password Age:\t\n\tForce Logoff:\t\t\n\tLockout Threshold:\t\n\tLockout Observation Window:\t\n\tLockout Duration:\t\n\tPassword Properties:\t\n\tMin. 
Password Length:\t\n\tPassword History Length:\t-\n\tMachine Account Quota:\t-\n\tMixed Domain Mode:\t-\n\tDomain Behavior Version:\t-\n\tOEM Information:\t-\n\nAdditional Information:\n\tPrivileges:\t\t-", + "related": { + "user": [ + "WIN-BVM4LI1L1Q6$" + ] + }, + "user": { + "domain": "TEST", + "id": "S-1-5-18", + "name": "WIN-BVM4LI1L1Q6$" + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "WIN-BVM4LI1L1Q6.TEST.local", + "event_data": { + "DomainBehaviorVersion": "-", + "DomainName": "TEST", + "DomainPolicyChanged": "Password Policy", + "DomainSid": "S-1-5-21-2024912787-2692429404-2351956786", + "MachineAccountQuota": "-", + "MixedDomainMode": "-", + "OemInformation": "-", + "PasswordHistoryLength": "-", + "PrivilegeList": "-", + "SubjectDomainName": "TEST", + "SubjectLogonId": "0x3e7", + "SubjectUserName": "WIN-BVM4LI1L1Q6$", + "SubjectUserSid": "S-1-5-18" + }, + "event_id": "4739", + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x3e7" + }, + "opcode": "Info", + "process": { + "pid": 776, + "thread": { + "id": 812 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "3532", + "task": "Authentication Policy Change" + } + } +] \ No newline at end of file diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/4741.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/4741.golden.json new file mode 100644 index 000000000000..1ae1d6e9de9f --- /dev/null +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/4741.golden.json 
@@ -0,0 +1,109 @@ +[ + { + "@timestamp": "2019-12-18T16:22:12.3112534Z", + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "added-computer-account", + "category": [ + "iam" + ], + "code": "4741", + "ingested": "2022-06-08T06:21:07.970367200Z", + "kind": "event", + "module": "security", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "creation", + "admin" + ] + }, + "host": { + "name": "DC_TEST2k12.TEST.SAAS" + }, + "log": { + "level": "information" + }, + "message": "A computer account was created.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2794\n\tAccount Name:\t\tat_adm\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x2E67800\n\nNew Computer Account:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2902\n\tAccount Name:\t\tTESTCOMPUTEROBJ$\n\tAccount Domain:\t\tTEST\n\nAttributes:\n\tSAM Account Name:\tTESTCOMPUTEROBJ$\n\tDisplay Name:\t\t-\n\tUser Principal Name:\t-\n\tHome Directory:\t\t-\n\tHome Drive:\t\t-\n\tScript Path:\t\t-\n\tProfile Path:\t\t-\n\tUser Workstations:\t-\n\tPassword Last Set:\t\u003cnever\u003e\n\tAccount Expires:\t\t\u003cnever\u003e\n\tPrimary Group ID:\t515\n\tAllowedToDelegateTo:\t-\n\tOld UAC Value:\t\t0x0\n\tNew UAC Value:\t\t0x85\n\tUser Account Control:\t\n\t\tAccount Disabled\n\t\t'Password Not Required' - Enabled\n\t\t'Workstation Trust Account' - Enabled\n\tUser Parameters:\t-\n\tSID History:\t\t-\n\tLogon Hours:\t\t\u003cvalue not set\u003e\n\tDNS Host Name:\t\t-\n\tService Principal Names:\t-\n\nAdditional Information:\n\tPrivileges\t\t-", + "related": { + "user": [ + "at_adm" + ] + }, + "user": { + "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2794", + "name": "at_adm" + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computerObject": { + "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2902", + "name": "TESTCOMPUTEROBJ$" + }, + "computer_name": "DC_TEST2k12.TEST.SAAS", + 
"event_data": { + "AccountExpires": "%%1794", + "AllowedToDelegateTo": "-", + "DisplayName": "-", + "DnsHostName": "-", + "HomeDirectory": "-", + "HomePath": "-", + "LogonHours": "%%1793", + "NewUACList": [ + "SCRIPT", + "ENCRYPTED_TEXT_PWD_ALLOWED" + ], + "NewUacValue": "0x85", + "OldUacValue": "0x0", + "PasswordLastSet": "%%1794", + "PrimaryGroupId": "515", + "PrivilegeList": [ + "-" + ], + "ProfilePath": "-", + "SamAccountName": "TESTCOMPUTEROBJ$", + "ScriptPath": "-", + "ServicePrincipalNames": "-", + "SidHistory": "-", + "SubjectDomainName": "TEST", + "SubjectLogonId": "0x2e67800", + "SubjectUserName": "at_adm", + "SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794", + "TargetDomainName": "TEST", + "TargetSid": "S-1-5-21-1717121054-434620538-60925301-2902", + "TargetUserName": "TESTCOMPUTEROBJ$", + "UserAccountControl": [ + "2080", + "2082", + "2087" + ], + "UserParameters": "-", + "UserPrincipalName": "-", + "UserWorkstations": "-" + }, + "event_id": "4741", + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x2e67800" + }, + "opcode": "Info", + "process": { + "pid": 492, + "thread": { + "id": 664 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "3699929", + "task": "Computer Account Management" + } + } +] \ No newline at end of file diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/4742.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/4742.golden.json new file mode 100644 index 000000000000..6eb53747422c --- /dev/null +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/4742.golden.json 
@@ -0,0 +1,107 @@ +[ + { + "@timestamp": "2019-12-18T16:22:12.3425087Z", + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "changed-computer-account", + "category": [ + "iam" + ], + "code": "4742", + "ingested": "2022-06-08T06:21:07.984310900Z", + "kind": "event", + "module": "security", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "change", + "admin" + ] + }, + "host": { + "name": "DC_TEST2k12.TEST.SAAS" + }, + "log": { + "level": "information" + }, + "message": "A computer account was changed.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2794\n\tAccount Name:\t\tat_adm\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x2E67800\n\nComputer Account That Was Changed:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2902\n\tAccount Name:\t\tTESTCOMPUTEROBJ$\n\tAccount Domain:\t\tTEST\n\nChanged Attributes:\n\tSAM Account Name:\t-\n\tDisplay Name:\t\t-\n\tUser Principal Name:\t-\n\tHome Directory:\t\t-\n\tHome Drive:\t\t-\n\tScript Path:\t\t-\n\tProfile Path:\t\t-\n\tUser Workstations:\t-\n\tPassword Last Set:\t-\n\tAccount Expires:\t\t-\n\tPrimary Group ID:\t-\n\tAllowedToDelegateTo:\t-\n\tOld UAC Value:\t\t0x85\n\tNew UAC Value:\t\t0x84\n\tUser Account Control:\t\n\t\tAccount Enabled\n\tUser Parameters:\t-\n\tSID History:\t\t-\n\tLogon Hours:\t\t-\n\tDNS Host Name:\t\t-\n\tService Principal Names:\t-\n\nAdditional Information:\n\tPrivileges:\t\t-", + "related": { + "user": [ + "at_adm" + ] + }, + "user": { + "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2794", + "name": "at_adm" + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computerObject": { + "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2902", + "name": "TESTCOMPUTEROBJ$" + }, + "computer_name": "DC_TEST2k12.TEST.SAAS", + "event_data": { + "AccountExpires": "-", + "AllowedToDelegateTo": "-", + "ComputerAccountChange": "-", + "DisplayName": "-", + "DnsHostName": 
"-", + "HomeDirectory": "-", + "HomePath": "-", + "LogonHours": "-", + "NewUACList": [ + "ENCRYPTED_TEXT_PWD_ALLOWED" + ], + "NewUacValue": "0x84", + "OldUacValue": "0x85", + "PasswordLastSet": "-", + "PrimaryGroupId": "-", + "PrivilegeList": [ + "-" + ], + "ProfilePath": "-", + "SamAccountName": "-", + "ScriptPath": "-", + "ServicePrincipalNames": "-", + "SidHistory": "-", + "SubjectDomainName": "TEST", + "SubjectLogonId": "0x2e67800", + "SubjectUserName": "at_adm", + "SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794", + "TargetDomainName": "TEST", + "TargetSid": "S-1-5-21-1717121054-434620538-60925301-2902", + "TargetUserName": "TESTCOMPUTEROBJ$", + "UserAccountControl": [ + "2048" + ], + "UserParameters": "-", + "UserPrincipalName": "-", + "UserWorkstations": "-" + }, + "event_id": "4742", + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x2e67800" + }, + "opcode": "Info", + "process": { + "pid": 492, + "thread": { + "id": 664 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "3699934", + "task": "Computer Account Management" + } + } +] \ No newline at end of file diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/4743.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/4743.golden.json new file mode 100644 index 000000000000..29f38474c35d --- /dev/null +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/4743.golden.json 
@@ -0,0 +1,81 @@ +[ + { + "@timestamp": "2019-12-18T16:25:21.5781833Z", + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "deleted-computer-account", + "category": [ + "iam" + ], + "code": "4743", + "ingested": "2022-06-08T06:21:07.989281200Z", + "kind": "event", + "module": "security", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "deletion", + "admin" + ] + }, + "host": { + "name": "DC_TEST2k12.TEST.SAAS" + }, + "log": { + "level": "information" + }, + "message": "A computer account was deleted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2794\n\tAccount Name:\t\tat_adm\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x2E67800\n\nTarget Computer:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2902\n\tAccount Name:\t\tTESTCOMPUTEROBJ$\n\tAccount Domain:\t\tTEST\n\nAdditional Information:\n\tPrivileges:\t\t-", + "related": { + "user": [ + "at_adm" + ] + }, + "user": { + "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2794", + "name": "at_adm" + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computerObject": { + "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2902", + "name": "TESTCOMPUTEROBJ$" + }, + "computer_name": "DC_TEST2k12.TEST.SAAS", + "event_data": { + "PrivilegeList": [ + "-" + ], + "SubjectDomainName": "TEST", + "SubjectLogonId": "0x2e67800", + "SubjectUserName": "at_adm", + "SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794", + "TargetDomainName": "TEST", + "TargetSid": "S-1-5-21-1717121054-434620538-60925301-2902", + "TargetUserName": "TESTCOMPUTEROBJ$" + }, + "event_id": "4743", + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x2e67800" + }, + "opcode": "Info", + "process": { + "pid": 492, + "thread": { + "id": 664 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "3699966", + "task": 
"Computer Account Management" + } + } +] \ No newline at end of file diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/4744.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/4744.golden.json new file mode 100644 index 000000000000..635787f0a4a3 --- /dev/null +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/4744.golden.json 
@@ -0,0 +1,81 @@ +[ + { + "@timestamp": "2019-12-18T16:26:46.8744233Z", + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "added-distribution-group-account", + "category": [ + "iam" + ], + "code": "4744", + "ingested": "2022-06-08T06:21:07.994556700Z", + "kind": "event", + "module": "security", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "group", + "creation" + ] + }, + "group": { + "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2903", + "name": "testdistlocal" + }, + "host": { + "name": "DC_TEST2k12.TEST.SAAS" + }, + "log": { + "level": "information" + }, + "message": "A security-disabled local group was created.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2794\n\tAccount Name:\t\tat_adm\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x2E67800\n\nNew Group:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2903\n\tGroup Name:\t\ttestdistlocal\n\tGroup Domain:\t\tTEST\n\nAttributes:\n\tSAM Account Name:\ttestdistlocal\n\tSID History:\t\t-\n\nAdditional Information:\n\tPrivileges:\t\t-", + "related": { + "user": [ + "at_adm" + ] + }, + "user": { + "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2794", + "name": "at_adm" + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "DC_TEST2k12.TEST.SAAS", + "event_data": { + "PrivilegeList": "-", + "SamAccountName": "testdistlocal", + "SidHistory": "-", + "SubjectDomainName": "TEST", + "SubjectLogonId": "0x2e67800", + "SubjectUserName": "at_adm", + "SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794", + "TargetDomainName": "TEST", + "TargetSid": "S-1-5-21-1717121054-434620538-60925301-2903", + "TargetUserName": "testdistlocal" + }, + "event_id": "4744", + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x2e67800" + }, + "opcode": "Info", + "process": { + "pid": 492, + "thread": { + "id": 664 + } + }, + "provider_guid": 
"{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "3699973", + "task": "Distribution Group Management" + } + } +] \ No newline at end of file diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/4745.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/4745.golden.json new file mode 100644 index 000000000000..eeee7ce2fc9e --- /dev/null +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/4745.golden.json 
@@ -0,0 +1,81 @@ +[ + { + "@timestamp": "2019-12-18T16:29:05.0175739Z", + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "changed-distribution-group-account", + "category": [ + "iam" + ], + "code": "4745", + "ingested": "2022-06-08T06:21:08.002640900Z", + "kind": "event", + "module": "security", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "group", + "change" + ] + }, + "group": { + "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2903", + "name": "testdistlocal1" + }, + "host": { + "name": "DC_TEST2k12.TEST.SAAS" + }, + "log": { + "level": "information" + }, + "message": "A security-disabled local group was changed.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2794\n\tAccount Name:\t\tat_adm\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x2E67800\n\nGroup:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2903\n\tGroup Name:\t\ttestdistlocal1\n\tGroup Domain:\t\tTEST\n\nChanged Attributes:\n\tSAM Account Name:\ttestdistlocal1\n\tSID History:\t\t-\n\nAdditional Information:\n\tPrivileges:\t\t-", + "related": { + "user": [ + "at_adm" + ] + }, + "user": { + "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2794", + "name": "at_adm" + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "DC_TEST2k12.TEST.SAAS", + "event_data": { + "PrivilegeList": "-", + "SamAccountName": "testdistlocal1", + "SidHistory": "-", + "SubjectDomainName": "TEST", + "SubjectLogonId": "0x2e67800", + "SubjectUserName": "at_adm", + "SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794", + "TargetDomainName": "TEST", + "TargetSid": "S-1-5-21-1717121054-434620538-60925301-2903", + "TargetUserName": "testdistlocal1" + }, + "event_id": "4745", + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x2e67800" + }, + "opcode": "Info", + "process": { + "pid": 492, + "thread": { + "id": 1076 + } + }, + "provider_guid": 
"{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "3700000", + "task": "Distribution Group Management" + } + } +] \ No newline at end of file diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/4746.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/4746.golden.json new file mode 100644 index 000000000000..db2cde52acd9 --- /dev/null +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/4746.golden.json 
@@ -0,0 +1,91 @@ +[ + { + "@timestamp": "2019-12-18T16:31:01.6117458Z", + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "added-member-to-distribution-group", + "category": [ + "iam" + ], + "code": "4746", + "ingested": "2022-06-08T06:21:08.017662600Z", + "kind": "event", + "module": "security", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "group", + "change" + ] + }, + "group": { + "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2903", + "name": "testdistlocal1" + }, + "host": { + "name": "DC_TEST2k12.TEST.SAAS" + }, + "log": { + "level": "information" + }, + "message": "A member was added to a security-disabled local group.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2794\n\tAccount Name:\t\tat_adm\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x2E67800\n\nMember:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-500\n\tAccount Name:\t\tCN=Administrator,CN=Users,DC=TEST,DC=SAAS\n\nGroup:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2903\n\tGroup Name:\t\ttestdistlocal1\n\tGroup Domain:\t\tTEST\n\nAdditional Information:\n\tPrivileges:\t\t-", + "related": { + "user": [ + "Administrator", + "at_adm" + ] + }, + "user": { + "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2794", + "name": "at_adm", + "target": { + "domain": "SAAS", + "group": { + "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2903", + "name": "testdistlocal1" + }, + "name": "Administrator" + } + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "DC_TEST2k12.TEST.SAAS", + "event_data": { + "MemberName": "CN=Administrator,CN=Users,DC=TEST,DC=SAAS", + "MemberSid": "S-1-5-21-1717121054-434620538-60925301-500", + "PrivilegeList": "-", + "SubjectDomainName": "TEST", + "SubjectLogonId": "0x2e67800", + "SubjectUserName": "at_adm", + "SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794", + "TargetDomainName": 
"TEST", + "TargetSid": "S-1-5-21-1717121054-434620538-60925301-2903", + "TargetUserName": "testdistlocal1" + }, + "event_id": "4746", + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x2e67800" + }, + "opcode": "Info", + "process": { + "pid": 492, + "thread": { + "id": 1076 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "3700022", + "task": "Distribution Group Management" + } + } +] \ No newline at end of file diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/4747.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/4747.golden.json new file mode 100644 index 000000000000..b1d1db2e16af --- /dev/null +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/4747.golden.json 
@@ -0,0 +1,91 @@ +[ + { + "@timestamp": "2019-12-18T16:35:16.6816525Z", + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "removed-member-from-distribution-group", + "category": [ + "iam" + ], + "code": "4747", + "ingested": "2022-06-08T06:21:08.025768800Z", + "kind": "event", + "module": "security", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "group", + "change" + ] + }, + "group": { + "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2903", + "name": "testdistlocal1" + }, + "host": { + "name": "DC_TEST2k12.TEST.SAAS" + }, + "log": { + "level": "information" + }, + "message": "A member was removed from a security-disabled local group.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2794\n\tAccount Name:\t\tat_adm\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x2E67800\n\nMember:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-500\n\tAccount Name:\t\tCN=Administrator,CN=Users,DC=TEST,DC=SAAS\n\nGroup:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2903\n\tGroup Name:\t\ttestdistlocal1\n\tGroup Domain:\t\tTEST\n\nAdditional Information:\n\tPrivileges:\t\t-", + "related": { + "user": [ + "Administrator", + "at_adm" + ] + }, + "user": { + "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2794", + "name": "at_adm", + "target": { + "domain": "SAAS", + "group": { + "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2903", + "name": "testdistlocal1" + }, + "name": "Administrator" + } + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "DC_TEST2k12.TEST.SAAS", + "event_data": { + "MemberName": "CN=Administrator,CN=Users,DC=TEST,DC=SAAS", + "MemberSid": "S-1-5-21-1717121054-434620538-60925301-500", + "PrivilegeList": "-", + "SubjectDomainName": "TEST", + "SubjectLogonId": "0x2e67800", + "SubjectUserName": "at_adm", + "SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794", + 
"TargetDomainName": "TEST", + "TargetSid": "S-1-5-21-1717121054-434620538-60925301-2903", + "TargetUserName": "testdistlocal1" + }, + "event_id": "4747", + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x2e67800" + }, + "opcode": "Info", + "process": { + "pid": 492, + "thread": { + "id": 664 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "3700064", + "task": "Distribution Group Management" + } + } +] \ No newline at end of file diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/4748.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/4748.golden.json new file mode 100644 index 000000000000..bc74a2fdf8b4 --- /dev/null +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/4748.golden.json 
@@ -0,0 +1,79 @@ +[ + { + "@timestamp": "2019-12-19T08:01:45.9824133Z", + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "deleted-distribution-group-account", + "category": [ + "iam" + ], + "code": "4748", + "ingested": "2022-06-08T06:21:08.030353100Z", + "kind": "event", + "module": "security", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "group", + "deletion" + ] + }, + "group": { + "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2903", + "name": "testdistlocal1" + }, + "host": { + "name": "DC_TEST2k12.TEST.SAAS" + }, + "log": { + "level": "information" + }, + "message": "A security-disabled local group was deleted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2794\n\tAccount Name:\t\tat_adm\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x2E67800\n\nGroup:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2903\n\tGroup Name:\t\ttestdistlocal1\n\tGroup Domain:\t\tTEST\n\nAdditional Information:\n\tPrivileges:\t\t-", + "related": { + "user": [ + "at_adm" + ] + }, + "user": { + "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2794", + "name": "at_adm" + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "DC_TEST2k12.TEST.SAAS", + "event_data": { + "PrivilegeList": "-", + "SubjectDomainName": "TEST", + "SubjectLogonId": "0x2e67800", + "SubjectUserName": "at_adm", + "SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794", + "TargetDomainName": "TEST", + "TargetSid": "S-1-5-21-1717121054-434620538-60925301-2903", + "TargetUserName": "testdistlocal1" + }, + "event_id": "4748", + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x2e67800" + }, + "opcode": "Info", + "process": { + "pid": 492, + "thread": { + "id": 1076 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "3707490", + "task": "Distribution 
Group Management" + } + } +] \ No newline at end of file diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/4749.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/4749.golden.json new file mode 100644 index 000000000000..bc107b8485b2 --- /dev/null +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/4749.golden.json 
@@ -0,0 +1,81 @@ +[ + { + "@timestamp": "2019-12-19T08:03:42.7234679Z", + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "added-distribution-group-account", + "category": [ + "iam" + ], + "code": "4749", + "ingested": "2022-06-08T06:21:08.034749600Z", + "kind": "event", + "module": "security", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "group", + "creation" + ] + }, + "group": { + "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2904", + "name": "testglobal" + }, + "host": { + "name": "DC_TEST2k12.TEST.SAAS" + }, + "log": { + "level": "information" + }, + "message": "A security-disabled global group was created.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2794\n\tAccount Name:\t\tat_adm\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x2E67800\n\nGroup:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2904\n\tGroup Name:\t\ttestglobal\n\tGroup Domain:\t\tTEST\n\nAttributes:\n\tSAM Account Name:\ttestglobal\n\tSID History:\t\t-\n\nAdditional Information:\n\tPrivileges:\t\t-", + "related": { + "user": [ + "at_adm" + ] + }, + "user": { + "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2794", + "name": "at_adm" + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "DC_TEST2k12.TEST.SAAS", + "event_data": { + "PrivilegeList": "-", + "SamAccountName": "testglobal", + "SidHistory": "-", + "SubjectDomainName": "TEST", + "SubjectLogonId": "0x2e67800", + "SubjectUserName": "at_adm", + "SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794", + "TargetDomainName": "TEST", + "TargetSid": "S-1-5-21-1717121054-434620538-60925301-2904", + "TargetUserName": "testglobal" + }, + "event_id": "4749", + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x2e67800" + }, + "opcode": "Info", + "process": { + "pid": 492, + "thread": { + "id": 1348 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + 
"provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "3707497", + "task": "Distribution Group Management" + } + } +] \ No newline at end of file diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/4750.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/4750.golden.json new file mode 100644 index 000000000000..5f6bdc8c532b --- /dev/null +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/4750.golden.json 
@@ -0,0 +1,81 @@ +[ + { + "@timestamp": "2019-12-19T08:10:57.4737631Z", + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "changed-distribution-group-account", + "category": [ + "iam" + ], + "code": "4750", + "ingested": "2022-06-08T06:21:08.039233400Z", + "kind": "event", + "module": "security", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "group", + "change" + ] + }, + "group": { + "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2904", + "name": "testglobal1" + }, + "host": { + "name": "DC_TEST2k12.TEST.SAAS" + }, + "log": { + "level": "information" + }, + "message": "A security-disabled global group was changed.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2794\n\tAccount Name:\t\tat_adm\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x2E67800\n\nGroup:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2904\n\tGroup Name:\t\ttestglobal1\n\tGroup Domain:\t\tTEST\n\nChanged Attributes:\n\tSAM Account Name:\ttestglobal1\n\tSID History:\t\t-\n\nAdditional Information:\n\tPrivileges:\t\t-", + "related": { + "user": [ + "at_adm" + ] + }, + "user": { + "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2794", + "name": "at_adm" + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "DC_TEST2k12.TEST.SAAS", + "event_data": { + "PrivilegeList": "-", + "SamAccountName": "testglobal1", + "SidHistory": "-", + "SubjectDomainName": "TEST", + "SubjectLogonId": "0x2e67800", + "SubjectUserName": "at_adm", + "SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794", + "TargetDomainName": "TEST", + "TargetSid": "S-1-5-21-1717121054-434620538-60925301-2904", + "TargetUserName": "testglobal1" + }, + "event_id": "4750", + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x2e67800" + }, + "opcode": "Info", + "process": { + "pid": 492, + "thread": { + "id": 664 + } + }, + "provider_guid": 
"{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "3707550", + "task": "Distribution Group Management" + } + } +] \ No newline at end of file diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/4751.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/4751.golden.json new file mode 100644 index 000000000000..47f8fc9c650a --- /dev/null +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/4751.golden.json 
@@ -0,0 +1,91 @@ +[ + { + "@timestamp": "2019-12-19T08:20:29.0889568Z", + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "added-member-to-distribution-group", + "category": [ + "iam" + ], + "code": "4751", + "ingested": "2022-06-08T06:21:08.051295Z", + "kind": "event", + "module": "security", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "group", + "change" + ] + }, + "group": { + "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2904", + "name": "testglobal1" + }, + "host": { + "name": "DC_TEST2k12.TEST.SAAS" + }, + "log": { + "level": "information" + }, + "message": "A member was added to a security-disabled global group.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2794\n\tAccount Name:\t\tat_adm\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x2E67800\n\nMember:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-500\n\tAccount Name:\t\tCN=Administrator,CN=Users,DC=TEST,DC=SAAS\n\nGroup:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2904\n\tGroup Name:\t\ttestglobal1\n\tGroup Domain:\t\tTEST\n\nAdditional Information:\n\tPrivileges:\t\t-", + "related": { + "user": [ + "Administrator", + "at_adm" + ] + }, + "user": { + "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2794", + "name": "at_adm", + "target": { + "domain": "SAAS", + "group": { + "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2904", + "name": "testglobal1" + }, + "name": "Administrator" + } + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "DC_TEST2k12.TEST.SAAS", + "event_data": { + "MemberName": "CN=Administrator,CN=Users,DC=TEST,DC=SAAS", + "MemberSid": "S-1-5-21-1717121054-434620538-60925301-500", + "PrivilegeList": "-", + "SubjectDomainName": "TEST", + "SubjectLogonId": "0x2e67800", + "SubjectUserName": "at_adm", + "SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794", + "TargetDomainName": "TEST", + 
"TargetSid": "S-1-5-21-1717121054-434620538-60925301-2904", + "TargetUserName": "testglobal1" + }, + "event_id": "4751", + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x2e67800" + }, + "opcode": "Info", + "process": { + "pid": 492, + "thread": { + "id": 1076 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "3707667", + "task": "Distribution Group Management" + } + } +] \ No newline at end of file diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/4752.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/4752.golden.json new file mode 100644 index 000000000000..24b12c361f93 --- /dev/null +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/4752.golden.json 
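Review bot: `user.target.domain` is pinned as `SAAS` even though the member DN `CN=Administrator,CN=Users,DC=TEST,DC=SAAS` and the event's own `TargetDomainName` identify the domain as TEST; the pipeline appears to keep only the last `DC=` component, so this golden records a mis-derived domain rather than verifying a correct one. Before accepting the golden, the DN handling should either join all `DC=` components (`TEST.SAAS`) or fall back to the event's domain field, and the file regenerated. The same `"domain": "SAAS"` value is pinned in the 4752, 4761 and 4762 goldens.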
@@ -0,0 +1,91 @@ +[ + { + "@timestamp": "2019-12-19T08:21:23.6444225Z", + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "removed-member-from-distribution-group", + "category": [ + "iam" + ], + "code": "4752", + "ingested": "2022-06-08T06:21:08.057508500Z", + "kind": "event", + "module": "security", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "group", + "change" + ] + }, + "group": { + "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2904", + "name": "testglobal1" + }, + "host": { + "name": "DC_TEST2k12.TEST.SAAS" + }, + "log": { + "level": "information" + }, + "message": "A member was removed from a security-disabled global group.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2794\n\tAccount Name:\t\tat_adm\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x2E67800\n\nMember:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-500\n\tAccount Name:\t\tCN=Administrator,CN=Users,DC=TEST,DC=SAAS\n\nGroup:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2904\n\tGroup Name:\t\ttestglobal1\n\tGroup Domain:\t\tTEST\n\nAdditional Information:\n\tPrivileges:\t\t-", + "related": { + "user": [ + "Administrator", + "at_adm" + ] + }, + "user": { + "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2794", + "name": "at_adm", + "target": { + "domain": "SAAS", + "group": { + "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2904", + "name": "testglobal1" + }, + "name": "Administrator" + } + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "DC_TEST2k12.TEST.SAAS", + "event_data": { + "MemberName": "CN=Administrator,CN=Users,DC=TEST,DC=SAAS", + "MemberSid": "S-1-5-21-1717121054-434620538-60925301-500", + "PrivilegeList": "-", + "SubjectDomainName": "TEST", + "SubjectLogonId": "0x2e67800", + "SubjectUserName": "at_adm", + "SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794", + "TargetDomainName": 
"TEST", + "TargetSid": "S-1-5-21-1717121054-434620538-60925301-2904", + "TargetUserName": "testglobal1" + }, + "event_id": "4752", + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x2e67800" + }, + "opcode": "Info", + "process": { + "pid": 492, + "thread": { + "id": 1076 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "3707686", + "task": "Distribution Group Management" + } + } +] \ No newline at end of file diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/4753.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/4753.golden.json new file mode 100644 index 000000000000..df72711f8062 --- /dev/null +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/4753.golden.json 
@@ -0,0 +1,79 @@ +[ + { + "@timestamp": "2019-12-19T08:24:36.5952761Z", + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "deleted-distribution-group-account", + "category": [ + "iam" + ], + "code": "4753", + "ingested": "2022-06-08T06:21:08.063346200Z", + "kind": "event", + "module": "security", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "group", + "deletion" + ] + }, + "group": { + "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2904", + "name": "testglobal1" + }, + "host": { + "name": "DC_TEST2k12.TEST.SAAS" + }, + "log": { + "level": "information" + }, + "message": "A security-disabled global group was deleted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2794\n\tAccount Name:\t\tat_adm\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x2E67800\n\nGroup:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2904\n\tGroup Name:\t\ttestglobal1\n\tGroup Domain:\t\tTEST\n\nAdditional Information:\n\tPrivileges:\t\t-", + "related": { + "user": [ + "at_adm" + ] + }, + "user": { + "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2794", + "name": "at_adm" + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "DC_TEST2k12.TEST.SAAS", + "event_data": { + "PrivilegeList": "-", + "SubjectDomainName": "TEST", + "SubjectLogonId": "0x2e67800", + "SubjectUserName": "at_adm", + "SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794", + "TargetDomainName": "TEST", + "TargetSid": "S-1-5-21-1717121054-434620538-60925301-2904", + "TargetUserName": "testglobal1" + }, + "event_id": "4753", + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x2e67800" + }, + "opcode": "Info", + "process": { + "pid": 492, + "thread": { + "id": 1076 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "3707709", + "task": "Distribution Group 
Management" + } + } +] \ No newline at end of file diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/4759.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/4759.golden.json new file mode 100644 index 000000000000..7c62dac0da7b --- /dev/null +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/4759.golden.json 
@@ -0,0 +1,81 @@ +[ + { + "@timestamp": "2019-12-19T08:26:26.1432582Z", + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "added-distribution-group-account", + "category": [ + "iam" + ], + "code": "4759", + "ingested": "2022-06-08T06:21:08.069524100Z", + "kind": "event", + "module": "security", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "group", + "creation" + ] + }, + "group": { + "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2905", + "name": "testuni" + }, + "host": { + "name": "DC_TEST2k12.TEST.SAAS" + }, + "log": { + "level": "information" + }, + "message": "A security-disabled universal group was created.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2794\n\tAccount Name:\t\tat_adm\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x2E67800\n\nGroup:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2905\n\tGroup Name:\t\ttestuni\n\tGroup Domain:\t\tTEST\n\nAttributes:\n\tSAM Account Name:\ttestuni\n\tSID History:\t\t-\n\nAdditional Information:\n\tPrivileges:\t\t-", + "related": { + "user": [ + "at_adm" + ] + }, + "user": { + "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2794", + "name": "at_adm" + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "DC_TEST2k12.TEST.SAAS", + "event_data": { + "PrivilegeList": "-", + "SamAccountName": "testuni", + "SidHistory": "-", + "SubjectDomainName": "TEST", + "SubjectLogonId": "0x2e67800", + "SubjectUserName": "at_adm", + "SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794", + "TargetDomainName": "TEST", + "TargetSid": "S-1-5-21-1717121054-434620538-60925301-2905", + "TargetUserName": "testuni" + }, + "event_id": "4759", + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x2e67800" + }, + "opcode": "Info", + "process": { + "pid": 492, + "thread": { + "id": 1348 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + 
"provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "3707737", + "task": "Distribution Group Management" + } + } +] \ No newline at end of file diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/4760.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/4760.golden.json new file mode 100644 index 000000000000..f92c3a95d657 --- /dev/null +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/4760.golden.json 
@@ -0,0 +1,81 @@ +[ + { + "@timestamp": "2019-12-19T08:28:21.0305977Z", + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "changed-distribution-group-account", + "category": [ + "iam" + ], + "code": "4760", + "ingested": "2022-06-08T06:21:08.074975800Z", + "kind": "event", + "module": "security", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "group", + "change" + ] + }, + "group": { + "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2905", + "name": "testuni2" + }, + "host": { + "name": "DC_TEST2k12.TEST.SAAS" + }, + "log": { + "level": "information" + }, + "message": "A security-disabled universal group was changed.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2794\n\tAccount Name:\t\tat_adm\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x2E67800\n\nGroup:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2905\n\tGroup Name:\t\ttestuni2\n\tGroup Domain:\t\tTEST\n\nChanged Attributes:\n\tSAM Account Name:\ttestuni2\n\tSID History:\t\t-\n\nAdditional Information:\n\tPrivileges:\t\t-", + "related": { + "user": [ + "at_adm" + ] + }, + "user": { + "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2794", + "name": "at_adm" + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "DC_TEST2k12.TEST.SAAS", + "event_data": { + "PrivilegeList": "-", + "SamAccountName": "testuni2", + "SidHistory": "-", + "SubjectDomainName": "TEST", + "SubjectLogonId": "0x2e67800", + "SubjectUserName": "at_adm", + "SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794", + "TargetDomainName": "TEST", + "TargetSid": "S-1-5-21-1717121054-434620538-60925301-2905", + "TargetUserName": "testuni2" + }, + "event_id": "4760", + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x2e67800" + }, + "opcode": "Info", + "process": { + "pid": 492, + "thread": { + "id": 664 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + 
"provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "3707745", + "task": "Distribution Group Management" + } + } +] \ No newline at end of file diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/4761.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/4761.golden.json new file mode 100644 index 000000000000..8c22b8f7d591 --- /dev/null +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/4761.golden.json 
@@ -0,0 +1,91 @@ +[ + { + "@timestamp": "2019-12-19T08:29:38.4487328Z", + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "added-member-to-distribution-group", + "category": [ + "iam" + ], + "code": "4761", + "ingested": "2022-06-08T06:21:08.080868Z", + "kind": "event", + "module": "security", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "group", + "change" + ] + }, + "group": { + "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2905", + "name": "testuni2" + }, + "host": { + "name": "DC_TEST2k12.TEST.SAAS" + }, + "log": { + "level": "information" + }, + "message": "A member was added to a security-disabled universal group.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2794\n\tAccount Name:\t\tat_adm\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x2E67800\n\nMember:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-500\n\tAccount Name:\t\tCN=Administrator,CN=Users,DC=TEST,DC=SAAS\n\nGroup:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2905\n\tGroup Name:\t\ttestuni2\n\tGroup Domain:\t\tTEST\n\nAdditional Information:\n\tPrivileges:\t\t-", + "related": { + "user": [ + "Administrator", + "at_adm" + ] + }, + "user": { + "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2794", + "name": "at_adm", + "target": { + "domain": "SAAS", + "group": { + "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2905", + "name": "testuni2" + }, + "name": "Administrator" + } + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "DC_TEST2k12.TEST.SAAS", + "event_data": { + "MemberName": "CN=Administrator,CN=Users,DC=TEST,DC=SAAS", + "MemberSid": "S-1-5-21-1717121054-434620538-60925301-500", + "PrivilegeList": "-", + "SubjectDomainName": "TEST", + "SubjectLogonId": "0x2e67800", + "SubjectUserName": "at_adm", + "SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794", + "TargetDomainName": "TEST", + 
"TargetSid": "S-1-5-21-1717121054-434620538-60925301-2905", + "TargetUserName": "testuni2" + }, + "event_id": "4761", + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x2e67800" + }, + "opcode": "Info", + "process": { + "pid": 492, + "thread": { + "id": 1348 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "3707755", + "task": "Distribution Group Management" + } + } +] \ No newline at end of file diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/4762.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/4762.golden.json new file mode 100644 index 000000000000..e088f163bc89 --- /dev/null +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/4762.golden.json 
@@ -0,0 +1,91 @@ +[ + { + "@timestamp": "2019-12-19T08:33:25.9678735Z", + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "removed-member-from-distribution-group", + "category": [ + "iam" + ], + "code": "4762", + "ingested": "2022-06-08T06:21:08.086379300Z", + "kind": "event", + "module": "security", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "group", + "change" + ] + }, + "group": { + "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2905", + "name": "testuni2" + }, + "host": { + "name": "DC_TEST2k12.TEST.SAAS" + }, + "log": { + "level": "information" + }, + "message": "A member was removed from a security-disabled universal group.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2794\n\tAccount Name:\t\tat_adm\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x2E67800\n\nMember:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-500\n\tAccount Name:\t\tCN=Administrator,CN=Users,DC=TEST,DC=SAAS\n\nGroup:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2905\n\tGroup Name:\t\ttestuni2\n\tGroup Domain:\t\tTEST\n\nAdditional Information:\n\tPrivileges:\t\t-", + "related": { + "user": [ + "Administrator", + "at_adm" + ] + }, + "user": { + "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2794", + "name": "at_adm", + "target": { + "domain": "SAAS", + "group": { + "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2905", + "name": "testuni2" + }, + "name": "Administrator" + } + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "DC_TEST2k12.TEST.SAAS", + "event_data": { + "MemberName": "CN=Administrator,CN=Users,DC=TEST,DC=SAAS", + "MemberSid": "S-1-5-21-1717121054-434620538-60925301-500", + "PrivilegeList": "-", + "SubjectDomainName": "TEST", + "SubjectLogonId": "0x2e67800", + "SubjectUserName": "at_adm", + "SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794", + "TargetDomainName": 
"TEST", + "TargetSid": "S-1-5-21-1717121054-434620538-60925301-2905", + "TargetUserName": "testuni2" + }, + "event_id": "4762", + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x2e67800" + }, + "opcode": "Info", + "process": { + "pid": 492, + "thread": { + "id": 1348 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "3707841", + "task": "Distribution Group Management" + } + } +] \ No newline at end of file diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/4763.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/4763.golden.json new file mode 100644 index 000000000000..1a0a51efac0b --- /dev/null +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/4763.golden.json 
@@ -0,0 +1,79 @@ +[ + { + "@timestamp": "2019-12-19T08:34:23.1623432Z", + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "deleted-distribution-group-account", + "category": [ + "iam" + ], + "code": "4763", + "ingested": "2022-06-08T06:21:08.092821300Z", + "kind": "event", + "module": "security", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "group", + "deletion" + ] + }, + "group": { + "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2905", + "name": "testuni2" + }, + "host": { + "name": "DC_TEST2k12.TEST.SAAS" + }, + "log": { + "level": "information" + }, + "message": "A security-disabled universal group was deleted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2794\n\tAccount Name:\t\tat_adm\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x2E67800\n\nGroup:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2905\n\tGroup Name:\t\ttestuni2\n\tGroup Domain:\t\tTEST\n\nAdditional Information:\n\tPrivileges:\t\t-", + "related": { + "user": [ + "at_adm" + ] + }, + "user": { + "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2794", + "name": "at_adm" + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "DC_TEST2k12.TEST.SAAS", + "event_data": { + "PrivilegeList": "-", + "SubjectDomainName": "TEST", + "SubjectLogonId": "0x2e67800", + "SubjectUserName": "at_adm", + "SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794", + "TargetDomainName": "TEST", + "TargetSid": "S-1-5-21-1717121054-434620538-60925301-2905", + "TargetUserName": "testuni2" + }, + "event_id": "4763", + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x2e67800" + }, + "opcode": "Info", + "process": { + "pid": 492, + "thread": { + "id": 1348 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "3707847", + "task": "Distribution Group Management" 
+ } + } +] \ No newline at end of file diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/4817_WindowsSrv2016.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/4817_WindowsSrv2016.golden.json new file mode 100644 index 000000000000..8917f0c86ec2 --- /dev/null +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/4817_WindowsSrv2016.golden.json 
@@ -0,0 +1,79 @@ +[ + { + "@timestamp": "2020-08-17T12:49:09.4942066Z", + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "object-audit-changed", + "category": [ + "iam", + "configuration" + ], + "code": "4817", + "ingested": "2022-06-08T06:21:08.101661100Z", + "kind": "event", + "module": "security", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "admin", + "change" + ] + }, + "host": { + "name": "WIN-BVM4LI1L1Q6.TEST.local" + }, + "log": { + "level": "information" + }, + "message": "Auditing settings on object were changed.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-BVM4LI1L1Q6$\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x3E7\n\nObject:\n\tObject Server:\tLSA\n\tObject Type:\tGlobal SACL\n\tObject Name:\tFile\n\nAuditing Settings:\n\tOriginal Security Descriptor:\t\n\tNew Security Descriptor:\t\tS:(AU;SA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-2024912787-2692429404-2351956786-500)(AU;SA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-2024912787-2692429404-2351956786-1000)", + "related": { + "user": [ + "WIN-BVM4LI1L1Q6$", + "Administrator" + ] + }, + "user": { + "domain": "TEST", + "id": "S-1-5-18", + "name": "WIN-BVM4LI1L1Q6$" + }, + "winlog": { + "activity_id": "{dfcd2c2a-7481-0000-682c-cddf8174d601}", + "api": "wineventlog", + "channel": "Security", + "computer_name": "WIN-BVM4LI1L1Q6.TEST.local", + "event_data": { + "NewSd": "S:(AU;SA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-2024912787-2692429404-2351956786-500)(AU;SA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-2024912787-2692429404-2351956786-1000)", + "NewSdSacl0": "Administrator :System Audit ([Create All Child Objects, Delete All Child Objects, List Contents, All Validated, Read All Properties, Write All Properties, Delete Subtree, List Object, All Extended Rights, Delete, Read Permissions, Modify Permissions, Modify Owner])", + "NewSdSacl1": "null :System Audit ([Create All Child Objects, Delete All Child Objects, List Contents, All Validated, 
Read All Properties, Write All Properties, Delete Subtree, List Object, All Extended Rights, Delete, Read Permissions, Modify Permissions, Modify Owner])", + "ObjectName": "File", + "ObjectServer": "LSA", + "ObjectType": "Global SACL", + "SubjectDomainName": "TEST", + "SubjectLogonId": "0x3e7", + "SubjectUserName": "WIN-BVM4LI1L1Q6$", + "SubjectUserSid": "S-1-5-18" + }, + "event_id": "4817", + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x3e7" + }, + "opcode": "Info", + "process": { + "pid": 776, + "thread": { + "id": 3052 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "114278", + "task": "Audit Policy Change" + } + } +] \ No newline at end of file diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/4902_WindowsSrv2016.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/4902_WindowsSrv2016.golden.json new file mode 100644 index 000000000000..bab3c88b7951 --- /dev/null +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/4902_WindowsSrv2016.golden.json 
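Review bot: `NewSdSacl1` is pinned as `null :System Audit ([...])`, i.e. a stringified null is concatenated where the SID `S-1-5-21-2024912787-2692429404-2351956786-1000` could not be resolved, while the RID-500 entry in `NewSdSacl0` resolves to `Administrator`. A golden that captures the literal `null` locks that artifact into the suite, and `related.user` silently omits the unresolved principal. The unresolved SID itself would presumably be the right principal to keep (`S-1-5-21-...-1000 :System Audit ([...])`); worth confirming against the sidlist change in this commit before accepting the file.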
@@ -0,0 +1,56 @@ +[ + { + "@timestamp": "2020-08-19T06:07:08.801981Z", + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "user-audit-policy-created", + "category": [ + "iam", + "configuration" + ], + "code": "4902", + "ingested": "2022-06-08T06:21:08.110215500Z", + "kind": "event", + "module": "security", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "admin", + "creation" + ] + }, + "host": { + "name": "WIN-BVM4LI1L1Q6.TEST.local" + }, + "log": { + "level": "information" + }, + "message": "The Per-user audit policy table was created.\n\nNumber of Elements:\t0\nPolicy ID:\t0x9FD2", + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "WIN-BVM4LI1L1Q6.TEST.local", + "event_data": { + "PuaCount": "0", + "PuaPolicyId": "0x9fd2" + }, + "event_id": "4902", + "keywords": [ + "Audit Success" + ], + "opcode": "Info", + "process": { + "pid": 784, + "thread": { + "id": 832 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "140273", + "task": "Audit Policy Change" + } + } +] \ No newline at end of file diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/4904_WindowsSrv2016.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/4904_WindowsSrv2016.golden.json new file mode 100644 index 000000000000..b253a2460136 --- /dev/null +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/4904_WindowsSrv2016.golden.json 
@@ -0,0 +1,79 @@ +[ + { + "@timestamp": "2020-08-19T07:56:52.019802Z", + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "security-event-source-added", + "category": [ + "iam", + "configuration" + ], + "code": "4904", + "ingested": "2022-06-08T06:21:08.115118100Z", + "kind": "event", + "module": "security", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "admin", + "change" + ] + }, + "host": { + "name": "WIN-BVM4LI1L1Q6.TEST.local" + }, + "log": { + "level": "information" + }, + "message": "An attempt was made to register a security event source.\n\nSubject :\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-BVM4LI1L1Q6$\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x3E7\n\nProcess:\n\tProcess ID:\t0xe18\n\tProcess Name:\tC:\\Windows\\System32\\inetsrv\\inetinfo.exe\n\nEvent Source:\n\tSource Name:\tIIS-METABASE\n\tEvent Source ID:\t0x460422", + "process": { + "executable": "C:\\Windows\\System32\\inetsrv\\inetinfo.exe", + "name": "inetinfo.exe", + "pid": 3608 + }, + "related": { + "user": [ + "WIN-BVM4LI1L1Q6$" + ] + }, + "user": { + "domain": "TEST", + "id": "S-1-5-18", + "name": "WIN-BVM4LI1L1Q6$" + }, + "winlog": { + "activity_id": "{dab46f85-75ee-0000-c36f-b4daee75d601}", + "api": "wineventlog", + "channel": "Security", + "computer_name": "WIN-BVM4LI1L1Q6.TEST.local", + "event_data": { + "AuditSourceName": "IIS-METABASE", + "EventSourceId": "0x460422", + "SubjectDomainName": "TEST", + "SubjectLogonId": "0x3e7", + "SubjectUserName": "WIN-BVM4LI1L1Q6$", + "SubjectUserSid": "S-1-5-18" + }, + "event_id": "4904", + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x3e7" + }, + "opcode": "Info", + "process": { + "pid": 784, + "thread": { + "id": 824 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "146939", + "task": "Audit Policy Change" + } + } +] \ No newline at end of file 
diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/4905_WindowsSrv2016.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/4905_WindowsSrv2016.golden.json new file mode 100644 index 000000000000..38daa55319b4 --- /dev/null +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/4905_WindowsSrv2016.golden.json 
@@ -0,0 +1,79 @@ +[ + { + "@timestamp": "2020-08-19T07:56:51.5792901Z", + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "security-event-source-removed", + "category": [ + "iam", + "configuration" + ], + "code": "4905", + "ingested": "2022-06-08T06:21:08.119957100Z", + "kind": "event", + "module": "security", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "admin", + "deletion" + ] + }, + "host": { + "name": "WIN-BVM4LI1L1Q6.TEST.local" + }, + "log": { + "level": "information" + }, + "message": "An attempt was made to unregister a security event source.\n\nSubject\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-BVM4LI1L1Q6$\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x3E7\n\nProcess:\n\tProcess ID:\t0x1364\n\tProcess Name:\t-\n\nEvent Source:\n\tSource Name:\tIIS-METABASE\n\tEvent Source ID:\t0x457B22", + "process": { + "executable": "-", + "name": "-", + "pid": 4964 + }, + "related": { + "user": [ + "WIN-BVM4LI1L1Q6$" + ] + }, + "user": { + "domain": "TEST", + "id": "S-1-5-18", + "name": "WIN-BVM4LI1L1Q6$" + }, + "winlog": { + "activity_id": "{dab46f85-75ee-0000-c36f-b4daee75d601}", + "api": "wineventlog", + "channel": "Security", + "computer_name": "WIN-BVM4LI1L1Q6.TEST.local", + "event_data": { + "AuditSourceName": "IIS-METABASE", + "EventSourceId": "0x457b22", + "SubjectDomainName": "TEST", + "SubjectLogonId": "0x3e7", + "SubjectUserName": "WIN-BVM4LI1L1Q6$", + "SubjectUserSid": "S-1-5-18" + }, + "event_id": "4905", + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x3e7" + }, + "opcode": "Info", + "process": { + "pid": 784, + "thread": { + "id": 824 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "146938", + "task": "Audit Policy Change" + } + } +] \ No newline at end of file 
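Review bot: The expected output in this 4905 golden carries the Windows placeholder `-` into ECS fields (`"executable": "-"`, `"name": "-"`), which pins behaviour where a "not available" sentinel becomes a real-looking process name and will match or group in queries as if it were one. The message text in the same record (`Process Name:\t-`) shows the source value is the placeholder, so the pipeline that builds `process` should skip the field when the event-data value is `-`, and this golden regenerated, rather than the placeholder being accepted as expected output. The pipeline definition (security.yml in the diffstat) is outside this chunk, so I cannot confirm where the copy happens.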
diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/4906_WindowsSrv2016.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/4906_WindowsSrv2016.golden.json new file mode 100644 index 000000000000..742d95031e5c --- /dev/null +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/4906_WindowsSrv2016.golden.json @@ -0,0 +1,55 @@ +[ + { + "@timestamp": "2020-08-18T09:19:00.2372249Z", + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "crash-on-audit-changed", + "category": [ + "iam", + "configuration" + ], + "code": "4906", + "ingested": "2022-06-08T06:21:08.124490200Z", + "kind": "event", + "module": "security", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "admin", + "change" + ] + }, + "host": { + "name": "WIN-BVM4LI1L1Q6.TEST.local" + }, + "log": { + "level": "information" + }, + "message": "The CrashOnAuditFail value has changed.\n\nNew Value of CrashOnAuditFail:\t1", + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "WIN-BVM4LI1L1Q6.TEST.local", + "event_data": { + "CrashOnAuditFailValue": "1" + }, + "event_id": "4906", + "keywords": [ + "Audit Success" + ], + "opcode": "Info", + "process": { + "pid": 780, + "thread": { + "id": 804 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "123786", + "task": "Audit Policy Change" + } + } +] \ No newline at end of file diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/4907_WindowsSrv2016.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/4907_WindowsSrv2016.golden.json new file mode 100644 index 000000000000..1010ad2b281c --- /dev/null +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/4907_WindowsSrv2016.golden.json 
@@ -0,0 +1,82 @@ +[ + { + "@timestamp": "2020-08-19T07:56:17.1121901Z", + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "audit-setting-changed", + "category": [ + "iam", + "configuration" + ], + "code": "4907", + "ingested": "2022-06-08T06:21:08.129757100Z", + "kind": "event", + "module": "security", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "admin", + "change" + ] + }, + "host": { + "name": "WIN-BVM4LI1L1Q6.TEST.local" + }, + "log": { + "level": "information" + }, + "message": "Auditing settings on object were changed.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-BVM4LI1L1Q6$\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x3E7\n\nObject:\n\tObject Server:\tSecurity\n\tObject Type:\tFile\n\tObject Name:\tC:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\Modules\\RemoteAccess\\RemoteAccess.psd1\n\tHandle ID:\t0x93c\n\nProcess Information:\n\tProcess ID:\t0x10cc\n\tProcess Name:\tC:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.1883_none_7ed84bd822106081\\TiWorker.exe\n\nAuditing Settings:\n\tOriginal Security Descriptor:\t\n\tNew Security Descriptor:\t\tS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)", + "process": { + "executable": "C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.1883_none_7ed84bd822106081\\TiWorker.exe", + "name": "TiWorker.exe", + "pid": 4300 + }, + "related": { + "user": [ + "WIN-BVM4LI1L1Q6$" + ] + }, + "user": { + "domain": "TEST", + "id": "S-1-5-18", + "name": "WIN-BVM4LI1L1Q6$" + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "WIN-BVM4LI1L1Q6.TEST.local", + "event_data": { + "HandleId": "0x93c", + "NewSd": "S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)", + "NewSdSacl0": "Everyone :System Audit ([Delete All Child Objects, List Contents, Read All Properties, All Extended Rights, Delete, Modify Permissions, Modify Owner])", + "ObjectName": 
"C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\Modules\\RemoteAccess\\RemoteAccess.psd1", + "ObjectServer": "Security", + "ObjectType": "File", + "SubjectDomainName": "TEST", + "SubjectLogonId": "0x3e7", + "SubjectUserName": "WIN-BVM4LI1L1Q6$", + "SubjectUserSid": "S-1-5-18" + }, + "event_id": "4907", + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x3e7" + }, + "opcode": "Info", + "process": { + "pid": 4, + "thread": { + "id": 408 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "146933", + "task": "Audit Policy Change" + } + } +] \ No newline at end of file diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/4908_WindowsSrv2016.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/4908_WindowsSrv2016.golden.json new file mode 100644 index 000000000000..7fcc0d935f56 --- /dev/null +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/4908_WindowsSrv2016.golden.json 
@@ -0,0 +1,62 @@ +[ + { + "@timestamp": "2020-08-19T06:07:25.0461779Z", + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "special-group-table-changed", + "category": [ + "iam", + "configuration" + ], + "code": "4908", + "ingested": "2022-06-09T04:25:10.390738Z", + "kind": "event", + "module": "security", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "admin", + "change" + ] + }, + "host": { + "name": "WIN-BVM4LI1L1Q6.TEST.local" + }, + "log": { + "level": "information" + }, + "message": "Special Groups Logon table modified.\n\nSpecial Groups:\t\n\t\t%{S-1-5-32-544}\n\t\t%{S-1-5-32-123-54-65}\n\nThis event is generated when the list of special groups is updated in the registry or through security policy. The updated list of special groups is indicated in the event.", + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "WIN-BVM4LI1L1Q6.TEST.local", + "event_data": { + "SidList": [ + "%{S-1-5-32-544}", + "%{S-1-5-32-123-54-65}" + ], + "SidListDesc": [ + "Administrators", + "S-1-5-32-123-54-65" + ] + }, + "event_id": "4908", + "keywords": [ + "Audit Success" + ], + "opcode": "Info", + "process": { + "pid": 784, + "thread": { + "id": 808 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "140274", + "task": "Audit Policy Change" + } + } +] \ No newline at end of file diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012_4673.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012_4673.golden.json new file mode 100644 index 000000000000..ee3d3ecca909 --- /dev/null +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012_4673.golden.json 
@@ -0,0 +1,79 @@ +[ + { + "@timestamp": "2020-04-06T06:39:04.5491199Z", + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "privileged-service-called", + "category": [ + "iam" + ], + "code": "4673", + "ingested": "2022-06-08T06:21:08.143556300Z", + "kind": "event", + "module": "security", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "admin" + ] + }, + "host": { + "name": "DC_TEST2k12.TEST.SAAS" + }, + "log": { + "level": "information" + }, + "message": "A privileged service was called.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tDC_TEST2K12$\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x3E7\n\nService:\n\tServer:\tNT Local Security Authority / Authentication Service\n\tService Name:\tLsaRegisterLogonProcess()\n\nProcess:\n\tProcess ID:\t0x1f0\n\tProcess Name:\tC:\\Windows\\System32\\lsass.exe\n\nService Request Information:\n\tPrivileges:\t\tSeTcbPrivilege", + "process": { + "executable": "C:\\Windows\\System32\\lsass.exe", + "name": "lsass.exe", + "pid": 496 + }, + "related": { + "user": [ + "DC_TEST2K12$" + ] + }, + "user": { + "domain": "TEST", + "id": "S-1-5-18", + "name": "DC_TEST2K12$" + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "DC_TEST2k12.TEST.SAAS", + "event_data": { + "ObjectServer": "NT Local Security Authority / Authentication Service", + "PrivilegeList": [ + "SeTcbPrivilege" + ], + "Service": "LsaRegisterLogonProcess()", + "SubjectDomainName": "TEST", + "SubjectLogonId": "0x3e7", + "SubjectUserName": "DC_TEST2K12$", + "SubjectUserSid": "S-1-5-18" + }, + "event_id": "4673", + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x3e7" + }, + "opcode": "Info", + "process": { + "pid": 496, + "thread": { + "id": 504 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "5109160", + "task": "Sensitive Privilege Use" + } + } +] \ No newline at end of 
file diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012_4674.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012_4674.golden.json new file mode 100644 index 000000000000..8a5984909503 --- /dev/null +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012_4674.golden.json 
@@ -0,0 +1,89 @@ +[ + { + "@timestamp": "2020-04-06T06:38:31.1087891Z", + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "privileged-operation", + "category": [ + "iam" + ], + "code": "4674", + "ingested": "2022-06-08T06:21:08.149617100Z", + "kind": "event", + "module": "security", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "admin" + ] + }, + "host": { + "name": "DC_TEST2k12.TEST.SAAS" + }, + "log": { + "level": "information" + }, + "message": "An operation was attempted on a privileged object.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2794\n\tAccount Name:\t\tat_adm\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x8AA365B\n\nObject:\n\tObject Server:\tSecurity\n\tObject Type:\tFile\n\tObject Name:\tC:\\Windows\\System32\\Tasks\\Microsoft\\Windows\\PLA\\Server Manager Performance Monitor\n\tObject Handle:\t0x1ee0\n\nProcess Information:\n\tProcess ID:\t0x374\n\tProcess Name:\tC:\\Windows\\System32\\svchost.exe\n\nRequested Operation:\n\tDesired Access:\tREAD_CONTROL\n\t\t\t\tACCESS_SYS_SEC\n\t\t\t\t\n\tPrivileges:\t\tSeSecurityPrivilege", + "process": { + "executable": "C:\\Windows\\System32\\svchost.exe", + "name": "svchost.exe", + "pid": 884 + }, + "related": { + "user": [ + "at_adm" + ] + }, + "user": { + "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2794", + "name": "at_adm" + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "DC_TEST2k12.TEST.SAAS", + "event_data": { + "AccessMask": [ + "%%1538", + "%%1542" + ], + "AccessMaskDescription": [ + "Delete Child", + "List Contents" + ], + "HandleId": "0x1ee0", + "ObjectName": "C:\\Windows\\System32\\Tasks\\Microsoft\\Windows\\PLA\\Server Manager Performance Monitor", + "ObjectServer": "Security", + "ObjectType": "File", + "PrivilegeList": [ + "SeSecurityPrivilege" + ], + "SubjectDomainName": "TEST", + "SubjectLogonId": "0x8aa365b", + "SubjectUserName": "at_adm", + 
"SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794" + }, + "event_id": "4674", + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x8aa365b" + }, + "opcode": "Info", + "process": { + "pid": 496, + "thread": { + "id": 504 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "5109140", + "task": "Sensitive Privilege Use" + } + } +] \ No newline at end of file diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012_4697.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012_4697.golden.json new file mode 100644 index 000000000000..2364c9c945a3 --- /dev/null +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012_4697.golden.json 
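Review bot: The 4674 golden pins an `AccessMaskDescription` (`"Delete Child"`, `"List Contents"`) that disagrees with the rendered message in the same record, whose `Desired Access:` block lists `READ_CONTROL` and `ACCESS_SYS_SEC` for the same two `%%1538`/`%%1542` codes. Since the commit message says it fixes access mask and access list processing, this looks like the lookup table still being indexed by the wrong code space for this event, so the golden would lock in a misleading description of a privileged-object access. I would fix the mapping in the pipeline (outside this chunk) and regenerate the file rather than hand-edit it, and the `4673` golden in the preceding hunk is worth re-checking for the same reason once it is regenerated.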
@@ -0,0 +1,81 @@ +[ + { + "@timestamp": "2020-04-02T14:34:08.8896056Z", + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "service-installed", + "category": [ + "iam", + "configuration" + ], + "code": "4697", + "ingested": "2022-06-08T06:21:08.156998700Z", + "kind": "event", + "module": "security", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "admin", + "change" + ] + }, + "host": { + "name": "WIN-41OB2LO92CR.wlbeat.local" + }, + "log": { + "level": "information" + }, + "message": "A service was installed in the system.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWLBEAT\n\tLogon ID:\t\t0x4C323\n\nService Information:\n\tService Name: \t\twinlogbeat\n\tService File Name:\t\"C:\\Program Files\\Winlogbeat\\winlogbeat.exe\" -c \"C:\\Program Files\\Winlogbeat\\winlogbeat.yml\" -path.home \"C:\\Program Files\\Winlogbeat\" -path.data \"C:\\ProgramData\\winlogbeat\" -path.logs \"C:\\ProgramData\\winlogbeat\\logs\" -E logging.files.redirect_stderr=true\n\tService Type: \t\t0x10\n\tService Start Type:\t2\n\tService Account: \t\tLocalSystem", + "related": { + "user": [ + "Administrator" + ] + }, + "service": { + "name": "winlogbeat", + "type": "Win32 Own Process" + }, + "user": { + "domain": "WLBEAT", + "id": "S-1-5-21-101361758-2486510592-3018839910-500", + "name": "Administrator" + }, + "winlog": { + "activity_id": "{74b64d41-08ce-0000-454f-b674ce08d601}", + "api": "wineventlog", + "channel": "Security", + "computer_name": "WIN-41OB2LO92CR.wlbeat.local", + "event_data": { + "ServiceAccount": "LocalSystem", + "ServiceFileName": "\"C:\\Program Files\\Winlogbeat\\winlogbeat.exe\" -c \"C:\\Program Files\\Winlogbeat\\winlogbeat.yml\" -path.home \"C:\\Program Files\\Winlogbeat\" -path.data \"C:\\ProgramData\\winlogbeat\" -path.logs \"C:\\ProgramData\\winlogbeat\\logs\" -E logging.files.redirect_stderr=true", + "ServiceName": 
"winlogbeat", + "ServiceStartType": "2", + "ServiceType": "0x10", + "SubjectDomainName": "WLBEAT", + "SubjectLogonId": "0x4c323", + "SubjectUserName": "Administrator", + "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500" + }, + "event_id": "4697", + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x4c323" + }, + "opcode": "Info", + "process": { + "pid": 792, + "thread": { + "id": 2492 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "90108", + "task": "Security System Extension" + } + } +] \ No newline at end of file diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012_4698.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012_4698.golden.json new file mode 100644 index 000000000000..16ac2d25a4c8 --- /dev/null +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012_4698.golden.json 
@@ -0,0 +1,73 @@ +[ + { + "@timestamp": "2020-04-01T14:34:34.6061085Z", + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "scheduled-task-created", + "category": [ + "iam", + "configuration" + ], + "code": "4698", + "ingested": "2022-06-08T06:21:08.162693600Z", + "kind": "event", + "module": "security", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "creation", + "admin" + ] + }, + "host": { + "name": "DC_TEST2k12.TEST.SAAS" + }, + "log": { + "level": "information" + }, + "message": "A scheduled task was created.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2794\n\tAccount Name:\t\tat_adm\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x60D1CA6\n\nTask Information:\n\tTask Name: \t\t\\test1\n\tTask Content: \t\t\u003c?xml version=\"1.0\" encoding=\"UTF-16\"?\u003e\n\u003cTask version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\"\u003e\n \u003cRegistrationInfo\u003e\n \u003cDate\u003e2020-04-01T16:34:34.574883\u003c/Date\u003e\n \u003cAuthor\u003eTEST\\at_adm\u003c/Author\u003e\n \u003c/RegistrationInfo\u003e\n \u003cTriggers\u003e\n \u003cTimeTrigger\u003e\n \u003cStartBoundary\u003e2020-04-01T16:33:41.3123848\u003c/StartBoundary\u003e\n \u003cEnabled\u003etrue\u003c/Enabled\u003e\n \u003c/TimeTrigger\u003e\n \u003c/Triggers\u003e\n \u003cPrincipals\u003e\n \u003cPrincipal id=\"Author\"\u003e\n \u003cRunLevel\u003eLeastPrivilege\u003c/RunLevel\u003e\n \u003cUserId\u003eTEST\\at_adm\u003c/UserId\u003e\n \u003cLogonType\u003eInteractiveToken\u003c/LogonType\u003e\n \u003c/Principal\u003e\n \u003c/Principals\u003e\n \u003cSettings\u003e\n \u003cMultipleInstancesPolicy\u003eIgnoreNew\u003c/MultipleInstancesPolicy\u003e\n \u003cDisallowStartIfOnBatteries\u003etrue\u003c/DisallowStartIfOnBatteries\u003e\n \u003cStopIfGoingOnBatteries\u003etrue\u003c/StopIfGoingOnBatteries\u003e\n \u003cAllowHardTerminate\u003etrue\u003c/AllowHardTerminate\u003e\n 
\u003cStartWhenAvailable\u003efalse\u003c/StartWhenAvailable\u003e\n \u003cRunOnlyIfNetworkAvailable\u003efalse\u003c/RunOnlyIfNetworkAvailable\u003e\n \u003cIdleSettings\u003e\n \u003cStopOnIdleEnd\u003etrue\u003c/StopOnIdleEnd\u003e\n \u003cRestartOnIdle\u003efalse\u003c/RestartOnIdle\u003e\n \u003c/IdleSettings\u003e\n \u003cAllowStartOnDemand\u003etrue\u003c/AllowStartOnDemand\u003e\n \u003cEnabled\u003etrue\u003c/Enabled\u003e\n \u003cHidden\u003efalse\u003c/Hidden\u003e\n \u003cRunOnlyIfIdle\u003efalse\u003c/RunOnlyIfIdle\u003e\n \u003cWakeToRun\u003efalse\u003c/WakeToRun\u003e\n \u003cExecutionTimeLimit\u003eP3D\u003c/ExecutionTimeLimit\u003e\n \u003cPriority\u003e7\u003c/Priority\u003e\n \u003c/Settings\u003e\n \u003cActions Context=\"Author\"\u003e\n \u003cExec\u003e\n \u003cCommand\u003e%windir%\\system32\\calc.exe\u003c/Command\u003e\n \u003c/Exec\u003e\n \u003cExec\u003e\n \u003cCommand\u003e%windir%\\system32\\mspaint.exe\u003c/Command\u003e\n \u003c/Exec\u003e\n \u003c/Actions\u003e\n\u003c/Task\u003e\n\t", + "related": { + "user": [ + "at_adm" + ] + }, + "user": { + "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2794", + "name": "at_adm" + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "DC_TEST2k12.TEST.SAAS", + "event_data": { + "SubjectDomainName": "TEST", + "SubjectLogonId": "0x60d1ca6", + "SubjectUserName": "at_adm", + "SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794", + "TaskContent": "\u003c?xml version=\"1.0\" encoding=\"UTF-16\"?\u003e\n\u003cTask version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\"\u003e\n \u003cRegistrationInfo\u003e\n \u003cDate\u003e2020-04-01T16:34:34.574883\u003c/Date\u003e\n \u003cAuthor\u003eTEST\\at_adm\u003c/Author\u003e\n \u003c/RegistrationInfo\u003e\n \u003cTriggers\u003e\n \u003cTimeTrigger\u003e\n \u003cStartBoundary\u003e2020-04-01T16:33:41.3123848\u003c/StartBoundary\u003e\n 
\u003cEnabled\u003etrue\u003c/Enabled\u003e\n \u003c/TimeTrigger\u003e\n \u003c/Triggers\u003e\n \u003cPrincipals\u003e\n \u003cPrincipal id=\"Author\"\u003e\n \u003cRunLevel\u003eLeastPrivilege\u003c/RunLevel\u003e\n \u003cUserId\u003eTEST\\at_adm\u003c/UserId\u003e\n \u003cLogonType\u003eInteractiveToken\u003c/LogonType\u003e\n \u003c/Principal\u003e\n \u003c/Principals\u003e\n \u003cSettings\u003e\n \u003cMultipleInstancesPolicy\u003eIgnoreNew\u003c/MultipleInstancesPolicy\u003e\n \u003cDisallowStartIfOnBatteries\u003etrue\u003c/DisallowStartIfOnBatteries\u003e\n \u003cStopIfGoingOnBatteries\u003etrue\u003c/StopIfGoingOnBatteries\u003e\n \u003cAllowHardTerminate\u003etrue\u003c/AllowHardTerminate\u003e\n \u003cStartWhenAvailable\u003efalse\u003c/StartWhenAvailable\u003e\n \u003cRunOnlyIfNetworkAvailable\u003efalse\u003c/RunOnlyIfNetworkAvailable\u003e\n \u003cIdleSettings\u003e\n \u003cStopOnIdleEnd\u003etrue\u003c/StopOnIdleEnd\u003e\n \u003cRestartOnIdle\u003efalse\u003c/RestartOnIdle\u003e\n \u003c/IdleSettings\u003e\n \u003cAllowStartOnDemand\u003etrue\u003c/AllowStartOnDemand\u003e\n \u003cEnabled\u003etrue\u003c/Enabled\u003e\n \u003cHidden\u003efalse\u003c/Hidden\u003e\n \u003cRunOnlyIfIdle\u003efalse\u003c/RunOnlyIfIdle\u003e\n \u003cWakeToRun\u003efalse\u003c/WakeToRun\u003e\n \u003cExecutionTimeLimit\u003eP3D\u003c/ExecutionTimeLimit\u003e\n \u003cPriority\u003e7\u003c/Priority\u003e\n \u003c/Settings\u003e\n \u003cActions Context=\"Author\"\u003e\n \u003cExec\u003e\n \u003cCommand\u003e%windir%\\system32\\calc.exe\u003c/Command\u003e\n \u003c/Exec\u003e\n \u003cExec\u003e\n \u003cCommand\u003e%windir%\\system32\\mspaint.exe\u003c/Command\u003e\n \u003c/Exec\u003e\n \u003c/Actions\u003e\n\u003c/Task\u003e", + "TaskName": "\\test1" + }, + "event_id": "4698", + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x60d1ca6" + }, + "opcode": "Info", + "process": { + "pid": 496, + "thread": { + "id": 3684 + } + }, + "provider_guid": 
"{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "5043782", + "task": "Other Object Access Events" + } + } +] \ No newline at end of file diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012_4699.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012_4699.golden.json new file mode 100644 index 000000000000..c467fe970561 --- /dev/null +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012_4699.golden.json 
@@ -0,0 +1,73 @@ +[ + { + "@timestamp": "2020-04-01T14:35:47.822282Z", + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "scheduled-task-deleted", + "category": [ + "iam", + "configuration" + ], + "code": "4699", + "ingested": "2022-06-08T06:21:08.168246300Z", + "kind": "event", + "module": "security", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "deletion", + "admin" + ] + }, + "host": { + "name": "DC_TEST2k12.TEST.SAAS" + }, + "log": { + "level": "information" + }, + "message": "A scheduled task was deleted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2794\n\tAccount Name:\t\tat_adm\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x60D1CA6\n\nTask Information:\n\tTask Name: \t\t\\test1\n\tTask Content: \t\t\u003c?xml version=\"1.0\" encoding=\"UTF-16\"?\u003e\n\u003cTask version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\"\u003e\n \u003cRegistrationInfo\u003e\n \u003cDate\u003e2020-04-01T16:34:34.574883\u003c/Date\u003e\n \u003cAuthor\u003eTEST\\at_adm\u003c/Author\u003e\n \u003c/RegistrationInfo\u003e\n \u003cTriggers\u003e\n \u003cTimeTrigger\u003e\n \u003cStartBoundary\u003e2020-04-01T16:33:41.3123848\u003c/StartBoundary\u003e\n \u003cEnabled\u003etrue\u003c/Enabled\u003e\n \u003c/TimeTrigger\u003e\n \u003c/Triggers\u003e\n \u003cPrincipals\u003e\n \u003cPrincipal id=\"Author\"\u003e\n \u003cRunLevel\u003eLeastPrivilege\u003c/RunLevel\u003e\n \u003cUserId\u003eTEST\\at_adm\u003c/UserId\u003e\n \u003cLogonType\u003eInteractiveToken\u003c/LogonType\u003e\n \u003c/Principal\u003e\n \u003c/Principals\u003e\n \u003cSettings\u003e\n \u003cMultipleInstancesPolicy\u003eIgnoreNew\u003c/MultipleInstancesPolicy\u003e\n \u003cDisallowStartIfOnBatteries\u003etrue\u003c/DisallowStartIfOnBatteries\u003e\n \u003cStopIfGoingOnBatteries\u003etrue\u003c/StopIfGoingOnBatteries\u003e\n \u003cAllowHardTerminate\u003etrue\u003c/AllowHardTerminate\u003e\n 
\u003cStartWhenAvailable\u003efalse\u003c/StartWhenAvailable\u003e\n \u003cRunOnlyIfNetworkAvailable\u003efalse\u003c/RunOnlyIfNetworkAvailable\u003e\n \u003cIdleSettings\u003e\n \u003cStopOnIdleEnd\u003etrue\u003c/StopOnIdleEnd\u003e\n \u003cRestartOnIdle\u003efalse\u003c/RestartOnIdle\u003e\n \u003c/IdleSettings\u003e\n \u003cAllowStartOnDemand\u003etrue\u003c/AllowStartOnDemand\u003e\n \u003cEnabled\u003etrue\u003c/Enabled\u003e\n \u003cHidden\u003efalse\u003c/Hidden\u003e\n \u003cRunOnlyIfIdle\u003efalse\u003c/RunOnlyIfIdle\u003e\n \u003cWakeToRun\u003efalse\u003c/WakeToRun\u003e\n \u003cExecutionTimeLimit\u003eP3D\u003c/ExecutionTimeLimit\u003e\n \u003cPriority\u003e7\u003c/Priority\u003e\n \u003c/Settings\u003e\n \u003cActions Context=\"Author\"\u003e\n \u003cExec\u003e\n \u003cCommand\u003e%windir%\\system32\\calc.exe\u003c/Command\u003e\n \u003c/Exec\u003e\n \u003c/Actions\u003e\n\u003c/Task\u003e\n\t", + "related": { + "user": [ + "at_adm" + ] + }, + "user": { + "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2794", + "name": "at_adm" + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "DC_TEST2k12.TEST.SAAS", + "event_data": { + "SubjectDomainName": "TEST", + "SubjectLogonId": "0x60d1ca6", + "SubjectUserName": "at_adm", + "SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794", + "TaskContent": "\u003c?xml version=\"1.0\" encoding=\"UTF-16\"?\u003e\n\u003cTask version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\"\u003e\n \u003cRegistrationInfo\u003e\n \u003cDate\u003e2020-04-01T16:34:34.574883\u003c/Date\u003e\n \u003cAuthor\u003eTEST\\at_adm\u003c/Author\u003e\n \u003c/RegistrationInfo\u003e\n \u003cTriggers\u003e\n \u003cTimeTrigger\u003e\n \u003cStartBoundary\u003e2020-04-01T16:33:41.3123848\u003c/StartBoundary\u003e\n \u003cEnabled\u003etrue\u003c/Enabled\u003e\n \u003c/TimeTrigger\u003e\n \u003c/Triggers\u003e\n \u003cPrincipals\u003e\n \u003cPrincipal 
id=\"Author\"\u003e\n \u003cRunLevel\u003eLeastPrivilege\u003c/RunLevel\u003e\n \u003cUserId\u003eTEST\\at_adm\u003c/UserId\u003e\n \u003cLogonType\u003eInteractiveToken\u003c/LogonType\u003e\n \u003c/Principal\u003e\n \u003c/Principals\u003e\n \u003cSettings\u003e\n \u003cMultipleInstancesPolicy\u003eIgnoreNew\u003c/MultipleInstancesPolicy\u003e\n \u003cDisallowStartIfOnBatteries\u003etrue\u003c/DisallowStartIfOnBatteries\u003e\n \u003cStopIfGoingOnBatteries\u003etrue\u003c/StopIfGoingOnBatteries\u003e\n \u003cAllowHardTerminate\u003etrue\u003c/AllowHardTerminate\u003e\n \u003cStartWhenAvailable\u003efalse\u003c/StartWhenAvailable\u003e\n \u003cRunOnlyIfNetworkAvailable\u003efalse\u003c/RunOnlyIfNetworkAvailable\u003e\n \u003cIdleSettings\u003e\n \u003cStopOnIdleEnd\u003etrue\u003c/StopOnIdleEnd\u003e\n \u003cRestartOnIdle\u003efalse\u003c/RestartOnIdle\u003e\n \u003c/IdleSettings\u003e\n \u003cAllowStartOnDemand\u003etrue\u003c/AllowStartOnDemand\u003e\n \u003cEnabled\u003etrue\u003c/Enabled\u003e\n \u003cHidden\u003efalse\u003c/Hidden\u003e\n \u003cRunOnlyIfIdle\u003efalse\u003c/RunOnlyIfIdle\u003e\n \u003cWakeToRun\u003efalse\u003c/WakeToRun\u003e\n \u003cExecutionTimeLimit\u003eP3D\u003c/ExecutionTimeLimit\u003e\n \u003cPriority\u003e7\u003c/Priority\u003e\n \u003c/Settings\u003e\n \u003cActions Context=\"Author\"\u003e\n \u003cExec\u003e\n \u003cCommand\u003e%windir%\\system32\\calc.exe\u003c/Command\u003e\n \u003c/Exec\u003e\n \u003c/Actions\u003e\n\u003c/Task\u003e", + "TaskName": "\\test1" + }, + "event_id": "4699", + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x60d1ca6" + }, + "opcode": "Info", + "process": { + "pid": 496, + "thread": { + "id": 3684 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "5043801", + "task": "Other Object Access Events" + } + } +] \ No newline at end of file 
diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012_4700.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012_4700.golden.json new file mode 100644 index 000000000000..8fee3ad99d1b --- /dev/null +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012_4700.golden.json 
@@ -0,0 +1,73 @@ +[ + { + "@timestamp": "2020-04-01T14:35:14.8732455Z", + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "scheduled-task-enabled", + "category": [ + "iam", + "configuration" + ], + "code": "4700", + "ingested": "2022-06-08T06:21:08.173701300Z", + "kind": "event", + "module": "security", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "change", + "admin" + ] + }, + "host": { + "name": "DC_TEST2k12.TEST.SAAS" + }, + "log": { + "level": "information" + }, + "message": "A scheduled task was enabled.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2794\n\tAccount Name:\t\tat_adm\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x60D1CA6\n\nTask Information:\n\tTask Name: \t\t\\test1\n\tTask Content: \t\t\u003c?xml version=\"1.0\" encoding=\"UTF-16\"?\u003e\n\u003cTask version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\"\u003e\n \u003cRegistrationInfo\u003e\n \u003cDate\u003e2020-04-01T16:34:34.574883\u003c/Date\u003e\n \u003cAuthor\u003eTEST\\at_adm\u003c/Author\u003e\n \u003c/RegistrationInfo\u003e\n \u003cTriggers\u003e\n \u003cTimeTrigger\u003e\n \u003cStartBoundary\u003e2020-04-01T16:33:41.3123848\u003c/StartBoundary\u003e\n \u003cEnabled\u003etrue\u003c/Enabled\u003e\n \u003c/TimeTrigger\u003e\n \u003c/Triggers\u003e\n \u003cPrincipals\u003e\n \u003cPrincipal id=\"Author\"\u003e\n \u003cRunLevel\u003eLeastPrivilege\u003c/RunLevel\u003e\n \u003cUserId\u003eTEST\\at_adm\u003c/UserId\u003e\n \u003cLogonType\u003eInteractiveToken\u003c/LogonType\u003e\n \u003c/Principal\u003e\n \u003c/Principals\u003e\n \u003cSettings\u003e\n \u003cMultipleInstancesPolicy\u003eIgnoreNew\u003c/MultipleInstancesPolicy\u003e\n \u003cDisallowStartIfOnBatteries\u003etrue\u003c/DisallowStartIfOnBatteries\u003e\n \u003cStopIfGoingOnBatteries\u003etrue\u003c/StopIfGoingOnBatteries\u003e\n \u003cAllowHardTerminate\u003etrue\u003c/AllowHardTerminate\u003e\n 
\u003cStartWhenAvailable\u003efalse\u003c/StartWhenAvailable\u003e\n \u003cRunOnlyIfNetworkAvailable\u003efalse\u003c/RunOnlyIfNetworkAvailable\u003e\n \u003cIdleSettings\u003e\n \u003cStopOnIdleEnd\u003etrue\u003c/StopOnIdleEnd\u003e\n \u003cRestartOnIdle\u003efalse\u003c/RestartOnIdle\u003e\n \u003c/IdleSettings\u003e\n \u003cAllowStartOnDemand\u003etrue\u003c/AllowStartOnDemand\u003e\n \u003cEnabled\u003etrue\u003c/Enabled\u003e\n \u003cHidden\u003efalse\u003c/Hidden\u003e\n \u003cRunOnlyIfIdle\u003efalse\u003c/RunOnlyIfIdle\u003e\n \u003cWakeToRun\u003efalse\u003c/WakeToRun\u003e\n \u003cExecutionTimeLimit\u003eP3D\u003c/ExecutionTimeLimit\u003e\n \u003cPriority\u003e7\u003c/Priority\u003e\n \u003c/Settings\u003e\n \u003cActions Context=\"Author\"\u003e\n \u003cExec\u003e\n \u003cCommand\u003e%windir%\\system32\\calc.exe\u003c/Command\u003e\n \u003c/Exec\u003e\n \u003cExec\u003e\n \u003cCommand\u003e%windir%\\system32\\mspaint.exe\u003c/Command\u003e\n \u003c/Exec\u003e\n \u003c/Actions\u003e\n\u003c/Task\u003e\n\t", + "related": { + "user": [ + "at_adm" + ] + }, + "user": { + "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2794", + "name": "at_adm" + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "DC_TEST2k12.TEST.SAAS", + "event_data": { + "SubjectDomainName": "TEST", + "SubjectLogonId": "0x60d1ca6", + "SubjectUserName": "at_adm", + "SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794", + "TaskContent": "\u003c?xml version=\"1.0\" encoding=\"UTF-16\"?\u003e\n\u003cTask version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\"\u003e\n \u003cRegistrationInfo\u003e\n \u003cDate\u003e2020-04-01T16:34:34.574883\u003c/Date\u003e\n \u003cAuthor\u003eTEST\\at_adm\u003c/Author\u003e\n \u003c/RegistrationInfo\u003e\n \u003cTriggers\u003e\n \u003cTimeTrigger\u003e\n \u003cStartBoundary\u003e2020-04-01T16:33:41.3123848\u003c/StartBoundary\u003e\n 
\u003cEnabled\u003etrue\u003c/Enabled\u003e\n \u003c/TimeTrigger\u003e\n \u003c/Triggers\u003e\n \u003cPrincipals\u003e\n \u003cPrincipal id=\"Author\"\u003e\n \u003cRunLevel\u003eLeastPrivilege\u003c/RunLevel\u003e\n \u003cUserId\u003eTEST\\at_adm\u003c/UserId\u003e\n \u003cLogonType\u003eInteractiveToken\u003c/LogonType\u003e\n \u003c/Principal\u003e\n \u003c/Principals\u003e\n \u003cSettings\u003e\n \u003cMultipleInstancesPolicy\u003eIgnoreNew\u003c/MultipleInstancesPolicy\u003e\n \u003cDisallowStartIfOnBatteries\u003etrue\u003c/DisallowStartIfOnBatteries\u003e\n \u003cStopIfGoingOnBatteries\u003etrue\u003c/StopIfGoingOnBatteries\u003e\n \u003cAllowHardTerminate\u003etrue\u003c/AllowHardTerminate\u003e\n \u003cStartWhenAvailable\u003efalse\u003c/StartWhenAvailable\u003e\n \u003cRunOnlyIfNetworkAvailable\u003efalse\u003c/RunOnlyIfNetworkAvailable\u003e\n \u003cIdleSettings\u003e\n \u003cStopOnIdleEnd\u003etrue\u003c/StopOnIdleEnd\u003e\n \u003cRestartOnIdle\u003efalse\u003c/RestartOnIdle\u003e\n \u003c/IdleSettings\u003e\n \u003cAllowStartOnDemand\u003etrue\u003c/AllowStartOnDemand\u003e\n \u003cEnabled\u003etrue\u003c/Enabled\u003e\n \u003cHidden\u003efalse\u003c/Hidden\u003e\n \u003cRunOnlyIfIdle\u003efalse\u003c/RunOnlyIfIdle\u003e\n \u003cWakeToRun\u003efalse\u003c/WakeToRun\u003e\n \u003cExecutionTimeLimit\u003eP3D\u003c/ExecutionTimeLimit\u003e\n \u003cPriority\u003e7\u003c/Priority\u003e\n \u003c/Settings\u003e\n \u003cActions Context=\"Author\"\u003e\n \u003cExec\u003e\n \u003cCommand\u003e%windir%\\system32\\calc.exe\u003c/Command\u003e\n \u003c/Exec\u003e\n \u003cExec\u003e\n \u003cCommand\u003e%windir%\\system32\\mspaint.exe\u003c/Command\u003e\n \u003c/Exec\u003e\n \u003c/Actions\u003e\n\u003c/Task\u003e", + "TaskName": "\\test1" + }, + "event_id": "4700", + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x60d1ca6" + }, + "opcode": "Info", + "process": { + "pid": 496, + "thread": { + "id": 3684 + } + }, + "provider_guid": 
"{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "5043792", + "task": "Other Object Access Events" + } + } +] \ No newline at end of file diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012_4701.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012_4701.golden.json new file mode 100644 index 000000000000..62b7e37c3bb6 --- /dev/null +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012_4701.golden.json 
@@ -0,0 +1,73 @@ +[ + { + "@timestamp": "2020-04-01T14:35:04.7030004Z", + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "scheduled-task-disabled", + "category": [ + "iam", + "configuration" + ], + "code": "4701", + "ingested": "2022-06-08T06:21:08.178899800Z", + "kind": "event", + "module": "security", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "change", + "admin" + ] + }, + "host": { + "name": "DC_TEST2k12.TEST.SAAS" + }, + "log": { + "level": "information" + }, + "message": "A scheduled task was disabled.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2794\n\tAccount Name:\t\tat_adm\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x60D1CA6\n\nTask Information:\n\tTask Name: \t\t\\test1\n\tTask Content: \t\t\u003c?xml version=\"1.0\" encoding=\"UTF-16\"?\u003e\n\u003cTask version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\"\u003e\n \u003cRegistrationInfo\u003e\n \u003cDate\u003e2020-04-01T16:34:34.574883\u003c/Date\u003e\n \u003cAuthor\u003eTEST\\at_adm\u003c/Author\u003e\n \u003c/RegistrationInfo\u003e\n \u003cTriggers\u003e\n \u003cTimeTrigger\u003e\n \u003cStartBoundary\u003e2020-04-01T16:33:41.3123848\u003c/StartBoundary\u003e\n \u003cEnabled\u003etrue\u003c/Enabled\u003e\n \u003c/TimeTrigger\u003e\n \u003c/Triggers\u003e\n \u003cPrincipals\u003e\n \u003cPrincipal id=\"Author\"\u003e\n \u003cRunLevel\u003eLeastPrivilege\u003c/RunLevel\u003e\n \u003cUserId\u003eTEST\\at_adm\u003c/UserId\u003e\n \u003cLogonType\u003eInteractiveToken\u003c/LogonType\u003e\n \u003c/Principal\u003e\n \u003c/Principals\u003e\n \u003cSettings\u003e\n \u003cMultipleInstancesPolicy\u003eIgnoreNew\u003c/MultipleInstancesPolicy\u003e\n \u003cDisallowStartIfOnBatteries\u003etrue\u003c/DisallowStartIfOnBatteries\u003e\n \u003cStopIfGoingOnBatteries\u003etrue\u003c/StopIfGoingOnBatteries\u003e\n \u003cAllowHardTerminate\u003etrue\u003c/AllowHardTerminate\u003e\n 
\u003cStartWhenAvailable\u003efalse\u003c/StartWhenAvailable\u003e\n \u003cRunOnlyIfNetworkAvailable\u003efalse\u003c/RunOnlyIfNetworkAvailable\u003e\n \u003cIdleSettings\u003e\n \u003cStopOnIdleEnd\u003etrue\u003c/StopOnIdleEnd\u003e\n \u003cRestartOnIdle\u003efalse\u003c/RestartOnIdle\u003e\n \u003c/IdleSettings\u003e\n \u003cAllowStartOnDemand\u003etrue\u003c/AllowStartOnDemand\u003e\n \u003cEnabled\u003efalse\u003c/Enabled\u003e\n \u003cHidden\u003efalse\u003c/Hidden\u003e\n \u003cRunOnlyIfIdle\u003efalse\u003c/RunOnlyIfIdle\u003e\n \u003cWakeToRun\u003efalse\u003c/WakeToRun\u003e\n \u003cExecutionTimeLimit\u003eP3D\u003c/ExecutionTimeLimit\u003e\n \u003cPriority\u003e7\u003c/Priority\u003e\n \u003c/Settings\u003e\n \u003cActions Context=\"Author\"\u003e\n \u003cExec\u003e\n \u003cCommand\u003e%windir%\\system32\\calc.exe\u003c/Command\u003e\n \u003c/Exec\u003e\n \u003cExec\u003e\n \u003cCommand\u003e%windir%\\system32\\mspaint.exe\u003c/Command\u003e\n \u003c/Exec\u003e\n \u003c/Actions\u003e\n\u003c/Task\u003e\n\t", + "related": { + "user": [ + "at_adm" + ] + }, + "user": { + "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2794", + "name": "at_adm" + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "DC_TEST2k12.TEST.SAAS", + "event_data": { + "SubjectDomainName": "TEST", + "SubjectLogonId": "0x60d1ca6", + "SubjectUserName": "at_adm", + "SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794", + "TaskContent": "\u003c?xml version=\"1.0\" encoding=\"UTF-16\"?\u003e\n\u003cTask version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\"\u003e\n \u003cRegistrationInfo\u003e\n \u003cDate\u003e2020-04-01T16:34:34.574883\u003c/Date\u003e\n \u003cAuthor\u003eTEST\\at_adm\u003c/Author\u003e\n \u003c/RegistrationInfo\u003e\n \u003cTriggers\u003e\n \u003cTimeTrigger\u003e\n \u003cStartBoundary\u003e2020-04-01T16:33:41.3123848\u003c/StartBoundary\u003e\n 
\u003cEnabled\u003etrue\u003c/Enabled\u003e\n \u003c/TimeTrigger\u003e\n \u003c/Triggers\u003e\n \u003cPrincipals\u003e\n \u003cPrincipal id=\"Author\"\u003e\n \u003cRunLevel\u003eLeastPrivilege\u003c/RunLevel\u003e\n \u003cUserId\u003eTEST\\at_adm\u003c/UserId\u003e\n \u003cLogonType\u003eInteractiveToken\u003c/LogonType\u003e\n \u003c/Principal\u003e\n \u003c/Principals\u003e\n \u003cSettings\u003e\n \u003cMultipleInstancesPolicy\u003eIgnoreNew\u003c/MultipleInstancesPolicy\u003e\n \u003cDisallowStartIfOnBatteries\u003etrue\u003c/DisallowStartIfOnBatteries\u003e\n \u003cStopIfGoingOnBatteries\u003etrue\u003c/StopIfGoingOnBatteries\u003e\n \u003cAllowHardTerminate\u003etrue\u003c/AllowHardTerminate\u003e\n \u003cStartWhenAvailable\u003efalse\u003c/StartWhenAvailable\u003e\n \u003cRunOnlyIfNetworkAvailable\u003efalse\u003c/RunOnlyIfNetworkAvailable\u003e\n \u003cIdleSettings\u003e\n \u003cStopOnIdleEnd\u003etrue\u003c/StopOnIdleEnd\u003e\n \u003cRestartOnIdle\u003efalse\u003c/RestartOnIdle\u003e\n \u003c/IdleSettings\u003e\n \u003cAllowStartOnDemand\u003etrue\u003c/AllowStartOnDemand\u003e\n \u003cEnabled\u003efalse\u003c/Enabled\u003e\n \u003cHidden\u003efalse\u003c/Hidden\u003e\n \u003cRunOnlyIfIdle\u003efalse\u003c/RunOnlyIfIdle\u003e\n \u003cWakeToRun\u003efalse\u003c/WakeToRun\u003e\n \u003cExecutionTimeLimit\u003eP3D\u003c/ExecutionTimeLimit\u003e\n \u003cPriority\u003e7\u003c/Priority\u003e\n \u003c/Settings\u003e\n \u003cActions Context=\"Author\"\u003e\n \u003cExec\u003e\n \u003cCommand\u003e%windir%\\system32\\calc.exe\u003c/Command\u003e\n \u003c/Exec\u003e\n \u003cExec\u003e\n \u003cCommand\u003e%windir%\\system32\\mspaint.exe\u003c/Command\u003e\n \u003c/Exec\u003e\n \u003c/Actions\u003e\n\u003c/Task\u003e", + "TaskName": "\\test1" + }, + "event_id": "4701", + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x60d1ca6" + }, + "opcode": "Info", + "process": { + "pid": 496, + "thread": { + "id": 3684 + } + }, + "provider_guid": 
"{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "5043789", + "task": "Other Object Access Events" + } + } +] \ No newline at end of file diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012_4702.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012_4702.golden.json new file mode 100644 index 000000000000..6525f91ebfd2 --- /dev/null +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012_4702.golden.json 
@@ -0,0 +1,73 @@ +[ + { + "@timestamp": "2020-04-01T14:35:36.2637108Z", + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "scheduled-task-updated", + "category": [ + "iam", + "configuration" + ], + "code": "4702", + "ingested": "2022-06-08T06:21:08.184651500Z", + "kind": "event", + "module": "security", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "change", + "admin" + ] + }, + "host": { + "name": "DC_TEST2k12.TEST.SAAS" + }, + "log": { + "level": "information" + }, + "message": "A scheduled task was updated.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2794\n\tAccount Name:\t\tat_adm\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x60D1CA6\n\nTask Information:\n\tTask Name: \t\t\\test1\n\tTask New Content: \t\t\u003c?xml version=\"1.0\" encoding=\"UTF-16\"?\u003e\n\u003cTask version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\"\u003e\n \u003cRegistrationInfo\u003e\n \u003cDate\u003e2020-04-01T16:34:34.574883\u003c/Date\u003e\n \u003cAuthor\u003eTEST\\at_adm\u003c/Author\u003e\n \u003c/RegistrationInfo\u003e\n \u003cTriggers\u003e\n \u003cTimeTrigger\u003e\n \u003cStartBoundary\u003e2020-04-01T16:33:41.3123848\u003c/StartBoundary\u003e\n \u003cEnabled\u003etrue\u003c/Enabled\u003e\n \u003c/TimeTrigger\u003e\n \u003c/Triggers\u003e\n \u003cPrincipals\u003e\n \u003cPrincipal id=\"Author\"\u003e\n \u003cRunLevel\u003eLeastPrivilege\u003c/RunLevel\u003e\n \u003cUserId\u003eTEST\\at_adm\u003c/UserId\u003e\n \u003cLogonType\u003eInteractiveToken\u003c/LogonType\u003e\n \u003c/Principal\u003e\n \u003c/Principals\u003e\n \u003cSettings\u003e\n \u003cMultipleInstancesPolicy\u003eIgnoreNew\u003c/MultipleInstancesPolicy\u003e\n \u003cDisallowStartIfOnBatteries\u003etrue\u003c/DisallowStartIfOnBatteries\u003e\n \u003cStopIfGoingOnBatteries\u003etrue\u003c/StopIfGoingOnBatteries\u003e\n \u003cAllowHardTerminate\u003etrue\u003c/AllowHardTerminate\u003e\n 
\u003cStartWhenAvailable\u003efalse\u003c/StartWhenAvailable\u003e\n \u003cRunOnlyIfNetworkAvailable\u003efalse\u003c/RunOnlyIfNetworkAvailable\u003e\n \u003cIdleSettings\u003e\n \u003cStopOnIdleEnd\u003etrue\u003c/StopOnIdleEnd\u003e\n \u003cRestartOnIdle\u003efalse\u003c/RestartOnIdle\u003e\n \u003c/IdleSettings\u003e\n \u003cAllowStartOnDemand\u003etrue\u003c/AllowStartOnDemand\u003e\n \u003cEnabled\u003etrue\u003c/Enabled\u003e\n \u003cHidden\u003efalse\u003c/Hidden\u003e\n \u003cRunOnlyIfIdle\u003efalse\u003c/RunOnlyIfIdle\u003e\n \u003cWakeToRun\u003efalse\u003c/WakeToRun\u003e\n \u003cExecutionTimeLimit\u003eP3D\u003c/ExecutionTimeLimit\u003e\n \u003cPriority\u003e7\u003c/Priority\u003e\n \u003c/Settings\u003e\n \u003cActions Context=\"Author\"\u003e\n \u003cExec\u003e\n \u003cCommand\u003e%windir%\\system32\\calc.exe\u003c/Command\u003e\n \u003c/Exec\u003e\n \u003c/Actions\u003e\n\u003c/Task\u003e\n\t", + "related": { + "user": [ + "at_adm" + ] + }, + "user": { + "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2794", + "name": "at_adm" + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "DC_TEST2k12.TEST.SAAS", + "event_data": { + "SubjectDomainName": "TEST", + "SubjectLogonId": "0x60d1ca6", + "SubjectUserName": "at_adm", + "SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794", + "TaskContentNew": "\u003c?xml version=\"1.0\" encoding=\"UTF-16\"?\u003e\n\u003cTask version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\"\u003e\n \u003cRegistrationInfo\u003e\n \u003cDate\u003e2020-04-01T16:34:34.574883\u003c/Date\u003e\n \u003cAuthor\u003eTEST\\at_adm\u003c/Author\u003e\n \u003c/RegistrationInfo\u003e\n \u003cTriggers\u003e\n \u003cTimeTrigger\u003e\n \u003cStartBoundary\u003e2020-04-01T16:33:41.3123848\u003c/StartBoundary\u003e\n \u003cEnabled\u003etrue\u003c/Enabled\u003e\n \u003c/TimeTrigger\u003e\n \u003c/Triggers\u003e\n \u003cPrincipals\u003e\n \u003cPrincipal 
id=\"Author\"\u003e\n \u003cRunLevel\u003eLeastPrivilege\u003c/RunLevel\u003e\n \u003cUserId\u003eTEST\\at_adm\u003c/UserId\u003e\n \u003cLogonType\u003eInteractiveToken\u003c/LogonType\u003e\n \u003c/Principal\u003e\n \u003c/Principals\u003e\n \u003cSettings\u003e\n \u003cMultipleInstancesPolicy\u003eIgnoreNew\u003c/MultipleInstancesPolicy\u003e\n \u003cDisallowStartIfOnBatteries\u003etrue\u003c/DisallowStartIfOnBatteries\u003e\n \u003cStopIfGoingOnBatteries\u003etrue\u003c/StopIfGoingOnBatteries\u003e\n \u003cAllowHardTerminate\u003etrue\u003c/AllowHardTerminate\u003e\n \u003cStartWhenAvailable\u003efalse\u003c/StartWhenAvailable\u003e\n \u003cRunOnlyIfNetworkAvailable\u003efalse\u003c/RunOnlyIfNetworkAvailable\u003e\n \u003cIdleSettings\u003e\n \u003cStopOnIdleEnd\u003etrue\u003c/StopOnIdleEnd\u003e\n \u003cRestartOnIdle\u003efalse\u003c/RestartOnIdle\u003e\n \u003c/IdleSettings\u003e\n \u003cAllowStartOnDemand\u003etrue\u003c/AllowStartOnDemand\u003e\n \u003cEnabled\u003etrue\u003c/Enabled\u003e\n \u003cHidden\u003efalse\u003c/Hidden\u003e\n \u003cRunOnlyIfIdle\u003efalse\u003c/RunOnlyIfIdle\u003e\n \u003cWakeToRun\u003efalse\u003c/WakeToRun\u003e\n \u003cExecutionTimeLimit\u003eP3D\u003c/ExecutionTimeLimit\u003e\n \u003cPriority\u003e7\u003c/Priority\u003e\n \u003c/Settings\u003e\n \u003cActions Context=\"Author\"\u003e\n \u003cExec\u003e\n \u003cCommand\u003e%windir%\\system32\\calc.exe\u003c/Command\u003e\n \u003c/Exec\u003e\n \u003c/Actions\u003e\n\u003c/Task\u003e", + "TaskName": "\\test1" + }, + "event_id": "4702", + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x60d1ca6" + }, + "opcode": "Info", + "process": { + "pid": 496, + "thread": { + "id": 1284 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "5043795", + "task": "Other Object Access Events" + } + } +] \ No newline at end of file 
diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012_4768.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012_4768.golden.json new file mode 100644 index 000000000000..f3740d6b1cf6 --- /dev/null +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012_4768.golden.json 
@@ -0,0 +1,89 @@ +[ + { + "@timestamp": "2020-04-01T08:45:44.1717416Z", + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "kerberos-authentication-ticket-requested", + "category": [ + "authentication" + ], + "code": "4768", + "ingested": "2022-06-08T06:21:08.190661800Z", + "kind": "event", + "module": "security", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "start" + ] + }, + "host": { + "name": "DC_TEST2k12.TEST.SAAS" + }, + "log": { + "level": "information" + }, + "message": "A Kerberos authentication ticket (TGT) was requested.\n\nAccount Information:\n\tAccount Name:\t\tat_adm\n\tSupplied Realm Name:\tTEST.SAAS\n\tUser ID:\t\t\tS-1-5-21-1717121054-434620538-60925301-2794\n\nService Information:\n\tService Name:\t\tkrbtgt\n\tService ID:\t\tS-1-5-21-1717121054-434620538-60925301-502\n\nNetwork Information:\n\tClient Address:\t\t::1\n\tClient Port:\t\t0\n\nAdditional Information:\n\tTicket Options:\t\t0x40810010\n\tResult Code:\t\t0x0\n\tTicket Encryption Type:\t0x12\n\tPre-Authentication Type:\t2\n\nCertificate Information:\n\tCertificate Issuer Name:\t\t\n\tCertificate Serial Number:\t\n\tCertificate Thumbprint:\t\t\n\nCertificate information is only provided if a certificate was used for pre-authentication.\n\nPre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120.", + "related": { + "ip": [ + "::1" + ], + "user": [ + "at_adm" + ] + }, + "service": { + "name": "krbtgt" + }, + "source": { + "ip": "::1", + "port": 0 + }, + "user": { + "domain": "TEST.SAAS", + "id": "S-1-5-21-1717121054-434620538-60925301-2794", + "name": "at_adm" + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "DC_TEST2k12.TEST.SAAS", + "event_data": { + "PreAuthType": "2", + "ServiceName": "krbtgt", + "ServiceSid": "S-1-5-21-1717121054-434620538-60925301-502", + "Status": "0x0", + "StatusDescription": "KDC_ERR_NONE", + "TargetDomainName": "TEST.SAAS", + 
"TargetSid": "S-1-5-21-1717121054-434620538-60925301-2794", + "TargetUserName": "at_adm", + "TicketEncryptionType": "0x12", + "TicketEncryptionTypeDescription": "AES256-CTS-HMAC-SHA1-96", + "TicketOptions": "0x40810010", + "TicketOptionsDescription": [ + "Renewable-ok", + "Name-canonicalize", + "Renewable", + "Forwardable" + ] + }, + "event_id": "4768", + "keywords": [ + "Audit Success" + ], + "opcode": "Info", + "process": { + "pid": 496, + "thread": { + "id": 2868 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "5040235", + "task": "Kerberos Authentication Service" + } + } +] \ No newline at end of file diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012_4769.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012_4769.golden.json new file mode 100644 index 000000000000..8af6ff6551c0 --- /dev/null +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012_4769.golden.json 
@@ -0,0 +1,87 @@ +[ + { + "@timestamp": "2020-04-01T08:45:44.1717416Z", + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "kerberos-service-ticket-requested", + "category": [ + "authentication" + ], + "code": "4769", + "ingested": "2022-06-08T06:21:08.199357500Z", + "kind": "event", + "module": "security", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "start" + ] + }, + "host": { + "name": "DC_TEST2k12.TEST.SAAS" + }, + "log": { + "level": "information" + }, + "message": "A Kerberos service ticket was requested.\n\nAccount Information:\n\tAccount Name:\t\tat_adm@TEST.SAAS\n\tAccount Domain:\t\tTEST.SAAS\n\tLogon GUID:\t\t{46f85809-d26e-96f5-fbf2-73bd761a2d68}\n\nService Information:\n\tService Name:\t\tDC_TEST2K12$\n\tService ID:\t\tS-1-5-21-1717121054-434620538-60925301-1110\n\nNetwork Information:\n\tClient Address:\t\t::1\n\tClient Port:\t\t0\n\nAdditional Information:\n\tTicket Options:\t\t0x40810000\n\tTicket Encryption Type:\t0x12\n\tFailure Code:\t\t0x0\n\tTransited Services:\t-\n\nThis event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested.\n\nThis event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. 
The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket.\n\nTicket options, encryption types, and failure codes are defined in RFC 4120.", + "related": { + "ip": [ + "::1" + ], + "user": [ + "at_adm" + ] + }, + "service": { + "name": "DC_TEST2K12$" + }, + "source": { + "ip": "::1", + "port": 0 + }, + "user": { + "domain": "TEST.SAAS", + "name": "at_adm" + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "DC_TEST2k12.TEST.SAAS", + "event_data": { + "LogonGuid": "{46f85809-d26e-96f5-fbf2-73bd761a2d68}", + "ServiceName": "DC_TEST2K12$", + "ServiceSid": "S-1-5-21-1717121054-434620538-60925301-1110", + "Status": "0x0", + "StatusDescription": "KDC_ERR_NONE", + "TargetDomainName": "TEST.SAAS", + "TargetUserName": "at_adm@TEST.SAAS", + "TicketEncryptionType": "0x12", + "TicketEncryptionTypeDescription": "AES256-CTS-HMAC-SHA1-96", + "TicketOptions": "0x40810000", + "TicketOptionsDescription": [ + "Name-canonicalize", + "Renewable", + "Forwardable" + ], + "TransmittedServices": "-" + }, + "event_id": "4769", + "keywords": [ + "Audit Success" + ], + "opcode": "Info", + "process": { + "pid": 496, + "thread": { + "id": 2868 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "5040236", + "task": "Kerberos Service Ticket Operations" + } + } +] \ No newline at end of file diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012_4770.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012_4770.golden.json new file mode 100644 index 000000000000..41b1b2aee08a --- /dev/null +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012_4770.golden.json 
@@ -0,0 +1,82 @@ +[ + { + "@timestamp": "2020-04-01T07:32:55.0104462Z", + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "kerberos-service-ticket-renewed", + "category": [ + "authentication" + ], + "code": "4770", + "ingested": "2022-06-08T06:21:08.204255500Z", + "kind": "event", + "module": "security", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "start" + ] + }, + "host": { + "name": "DC_TEST2k12.TEST.SAAS" + }, + "log": { + "level": "information" + }, + "message": "A Kerberos service ticket was renewed.\n\nAccount Information:\n\tAccount Name:\t\tDC_TEST2K12$@TEST.SAAS\n\tAccount Domain:\t\tTEST.SAAS\n\nService Information:\n\tService Name:\t\tkrbtgt\n\tService ID:\t\tS-1-5-21-1717121054-434620538-60925301-502\n\nNetwork Information:\n\tClient Address:\t\t::1\n\tClient Port:\t\t0\n\nAdditional Information:\n\tTicket Options:\t\t0x10002\n\tTicket Encryption Type:\t0x12\n\nTicket options and encryption types are defined in RFC 4120.", + "related": { + "ip": [ + "::1" + ], + "user": [ + "DC_TEST2K12$" + ] + }, + "service": { + "name": "krbtgt" + }, + "source": { + "ip": "::1", + "port": 0 + }, + "user": { + "domain": "TEST.SAAS", + "name": "DC_TEST2K12$" + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "DC_TEST2k12.TEST.SAAS", + "event_data": { + "ServiceName": "krbtgt", + "ServiceSid": "S-1-5-21-1717121054-434620538-60925301-502", + "TargetDomainName": "TEST.SAAS", + "TargetUserName": "DC_TEST2K12$@TEST.SAAS", + "TicketEncryptionType": "0x12", + "TicketEncryptionTypeDescription": "AES256-CTS-HMAC-SHA1-96", + "TicketOptions": "0x10002", + "TicketOptionsDescription": [ + "Renew", + "Name-canonicalize" + ] + }, + "event_id": "4770", + "keywords": [ + "Audit Success" + ], + "opcode": "Info", + "process": { + "pid": 496, + "thread": { + "id": 4468 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", 
+ "record_id": "5039598", + "task": "Kerberos Service Ticket Operations" + } + } +] \ No newline at end of file diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012_4771.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012_4771.golden.json new file mode 100644 index 000000000000..27c8e247554e --- /dev/null +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012_4771.golden.json 
@@ -0,0 +1,84 @@ +[ + { + "@timestamp": "2020-03-31T07:50:27.1681182Z", + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "kerberos-preauth-failed", + "category": [ + "authentication" + ], + "code": "4771", + "ingested": "2022-06-08T06:21:08.209027300Z", + "kind": "event", + "module": "security", + "outcome": "failure", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "start" + ] + }, + "host": { + "name": "DC_TEST2k12.TEST.SAAS" + }, + "log": { + "level": "information" + }, + "message": "Kerberos pre-authentication failed.\n\nAccount Information:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-3057\n\tAccount Name:\t\tMPUIG\n\nService Information:\n\tService Name:\t\tkrbtgt/test.saas\n\nNetwork Information:\n\tClient Address:\t\t::ffff:192.168.5.44\n\tClient Port:\t\t53366\n\nAdditional Information:\n\tTicket Options:\t\t0x40810010\n\tFailure Code:\t\t0x12\n\tPre-Authentication Type:\t0\n\nCertificate Information:\n\tCertificate Issuer Name:\t\t\n\tCertificate Serial Number: \t\n\tCertificate Thumbprint:\t\t\n\nCertificate information is only provided if a certificate was used for pre-authentication.\n\nPre-authentication types, ticket options and failure codes are defined in RFC 4120.\n\nIf the ticket was malformed or damaged during transit and could not be decrypted, then many fields in this event might not be present.", + "related": { + "ip": [ + "192.168.5.44" + ], + "user": [ + "MPUIG" + ] + }, + "service": { + "name": "krbtgt/test.saas" + }, + "source": { + "ip": "192.168.5.44", + "port": 53366 + }, + "user": { + "id": "S-1-5-21-1717121054-434620538-60925301-3057", + "name": "MPUIG" + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "DC_TEST2k12.TEST.SAAS", + "event_data": { + "PreAuthType": "0", + "ServiceName": "krbtgt/test.saas", + "Status": "0x12", + "StatusDescription": "KDC_ERR_CLIENT_REVOKED", + "TargetSid": "S-1-5-21-1717121054-434620538-60925301-3057", + "TargetUserName": 
"MPUIG", + "TicketOptions": "0x40810010", + "TicketOptionsDescription": [ + "Renewable-ok", + "Name-canonicalize", + "Renewable", + "Forwardable" + ] + }, + "event_id": "4771", + "keywords": [ + "Audit Failure" + ], + "opcode": "Info", + "process": { + "pid": 496, + "thread": { + "id": 4552 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "5027836", + "task": "Kerberos Authentication Service" + } + } +] \ No newline at end of file diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012_4776.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012_4776.golden.json new file mode 100644 index 000000000000..2e6296b41231 --- /dev/null +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012_4776.golden.json 
@@ -0,0 +1,69 @@ +[ + { + "@timestamp": "2020-04-01T08:45:42.1873153Z", + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "credential-validated", + "category": [ + "authentication" + ], + "code": "4776", + "ingested": "2022-06-08T06:21:08.213859200Z", + "kind": "event", + "module": "security", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "start" + ] + }, + "host": { + "name": "DC_TEST2k12.TEST.SAAS" + }, + "log": { + "level": "information" + }, + "message": "The computer attempted to validate the credentials for an account.\n\nAuthentication Package:\tMICROSOFT_AUTHENTICATION_PACKAGE_V1_0\nLogon Account:\tat_adm\nSource Workstation:\tEQP01777\nError Code:\t0x0", + "related": { + "user": [ + "at_adm" + ] + }, + "user": { + "name": "at_adm" + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "DC_TEST2k12.TEST.SAAS", + "event_data": { + "PackageName": "MICROSOFT_AUTHENTICATION_PACKAGE_V1_0", + "Status": "0x0", + "TargetUserName": "at_adm", + "Workstation": "EQP01777" + }, + "event_id": "4776", + "keywords": [ + "Audit Success" + ], + "logon": { + "failure": { + "status": "Status OK." + } + }, + "opcode": "Info", + "process": { + "pid": 496, + "thread": { + "id": 1864 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "5040222", + "task": "Credential Validation" + } + } +] \ No newline at end of file diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012_4778.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012_4778.golden.json new file mode 100644 index 000000000000..19127eb1267e --- /dev/null +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012_4778.golden.json 
@@ -0,0 +1,78 @@ +[ + { + "@timestamp": "2020-04-05T16:33:32.3888253Z", + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "session-reconnected", + "category": [ + "authentication", + "session" + ], + "code": "4778", + "ingested": "2022-06-08T06:21:08.218876200Z", + "kind": "event", + "module": "security", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "start" + ] + }, + "host": { + "name": "DC_TEST2k12.TEST.SAAS" + }, + "log": { + "level": "information" + }, + "message": "A session was reconnected to a Window Station.\n\nSubject:\n\tAccount Name:\t\tat_adm\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x76FEA87\n\nSession:\n\tSession Name:\t\tRDP-Tcp#127\n\nAdditional Information:\n\tClient Name:\t\tEQP01777\n\tClient Address:\t\t10.100.150.9\n\nThis event is generated when a user reconnects to an existing Terminal Services session, or when a user switches to an existing desktop using Fast User Switching.", + "related": { + "ip": [ + "10.100.150.9" + ], + "user": [ + "at_adm" + ] + }, + "source": { + "domain": "EQP01777", + "ip": "10.100.150.9" + }, + "user": { + "domain": "TEST", + "name": "at_adm" + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "DC_TEST2k12.TEST.SAAS", + "event_data": { + "AccountDomain": "TEST", + "AccountName": "at_adm", + "ClientAddress": "10.100.150.9", + "ClientName": "EQP01777", + "LogonID": "0x76fea87", + "SessionName": "RDP-Tcp#127" + }, + "event_id": "4778", + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x76fea87" + }, + "opcode": "Info", + "process": { + "pid": 496, + "thread": { + "id": 4184 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "5101675", + "task": "Other Logon/Logoff Events" + } + } +] \ No newline at end of file 
diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012_4779.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012_4779.golden.json new file mode 100644 index 000000000000..aabbb2b28434 --- /dev/null +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012_4779.golden.json 
@@ -0,0 +1,78 @@ +[ + { + "@timestamp": "2020-04-03T10:18:01.8822336Z", + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "session-disconnected", + "category": [ + "authentication", + "session" + ], + "code": "4779", + "ingested": "2022-06-08T06:21:08.225133500Z", + "kind": "event", + "module": "security", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "end" + ] + }, + "host": { + "name": "DC_TEST2k12.TEST.SAAS" + }, + "log": { + "level": "information" + }, + "message": "A session was disconnected from a Window Station.\n\nSubject:\n\tAccount Name:\t\tat_adm\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x60D1CCB\n\nSession:\n\tSession Name:\t\tRDP-Tcp#116\n\nAdditional Information:\n\tClient Name:\t\tEQP01777\n\tClient Address:\t\t10.100.150.17\n\n\nThis event is generated when a user disconnects from an existing Terminal Services session, or when a user switches away from an existing desktop using Fast User Switching.", + "related": { + "ip": [ + "10.100.150.17" + ], + "user": [ + "at_adm" + ] + }, + "source": { + "domain": "EQP01777", + "ip": "10.100.150.17" + }, + "user": { + "domain": "TEST", + "name": "at_adm" + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "DC_TEST2k12.TEST.SAAS", + "event_data": { + "AccountDomain": "TEST", + "AccountName": "at_adm", + "ClientAddress": "10.100.150.17", + "ClientName": "EQP01777", + "LogonID": "0x60d1ccb", + "SessionName": "RDP-Tcp#116" + }, + "event_id": "4779", + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x60d1ccb" + }, + "opcode": "Info", + "process": { + "pid": 496, + "thread": { + "id": 3852 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "5069070", + "task": "Other Logon/Logoff Events" + } + } +] \ No newline at end of file 
diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012r2-logon.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012r2-logon.golden.json new file mode 100644 index 000000000000..9fa6d71e344a --- /dev/null +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012r2-logon.golden.json 
@@ -0,0 +1,1623 @@ +[ + { + "@timestamp": "2019-03-29T21:10:39.7868321Z", + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "logged-in", + "category": [ + "authentication" + ], + "code": "4624", + "ingested": "2022-06-08T06:21:08.233175700Z", + "kind": "event", + "module": "security", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "start" + ] + }, + "host": { + "name": "vagrant-2012-r2" + }, + "log": { + "level": "information" + }, + "message": "An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tVAGRANT-2012-R2$\n\tAccount Domain:\t\tWORKGROUP\n\tLogon ID:\t\t0x3E7\n\nLogon Type:\t\t\t5\n\nImpersonation Level:\t\tImpersonation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tSYSTEM\n\tAccount Domain:\t\tNT AUTHORITY\n\tLogon ID:\t\t0x3E7\n\tLogon GUID:\t\t{00000000-0000-0000-0000-000000000000}\n\nProcess Information:\n\tProcess ID:\t\t0x1fc\n\tProcess Name:\t\tC:\\Windows\\System32\\services.exe\n\nNetwork Information:\n\tWorkstation Name:\t\n\tSource Network Address:\t-\n\tSource Port:\t\t-\n\nDetailed Authentication Information:\n\tLogon Process:\t\tAdvapi \n\tAuthentication Package:\tNegotiate\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. 
Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.", + "process": { + "executable": "C:\\Windows\\System32\\services.exe", + "name": "services.exe", + "pid": 508 + }, + "related": { + "user": [ + "SYSTEM", + "VAGRANT-2012-R2$" + ] + }, + "user": { + "domain": "NT AUTHORITY", + "id": "S-1-5-18", + "name": "SYSTEM" + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "vagrant-2012-r2", + "event_data": { + "AuthenticationPackageName": "Negotiate", + "ImpersonationLevel": "%%1833", + "IpAddress": "-", + "IpPort": "-", + "KeyLength": "0", + "LmPackageName": "-", + "LogonGuid": "{00000000-0000-0000-0000-000000000000}", + "LogonProcessName": "Advapi ", + "LogonType": "5", + "SubjectDomainName": "WORKGROUP", + "SubjectLogonId": "0x3e7", + "SubjectUserName": "VAGRANT-2012-R2$", + "SubjectUserSid": "S-1-5-18", + "TargetDomainName": "NT AUTHORITY", + "TargetLogonId": "0x3e7", + "TargetUserName": "SYSTEM", + "TargetUserSid": "S-1-5-18", + "TransmittedServices": "-" + }, + "event_id": "4624", + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x3e7", + "type": "Service" + }, + "opcode": "Info", + "process": { + "pid": 516, + "thread": { + "id": 536 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "1535", + "task": 
"Logon", + "version": 1 + } + }, + { + "@timestamp": "2019-03-29T21:10:40.2555609Z", + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "logged-in", + "category": [ + "authentication" + ], + "code": "4624", + "ingested": "2022-06-08T06:21:08.233202400Z", + "kind": "event", + "module": "security", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "start" + ] + }, + "host": { + "name": "vagrant-2012-r2" + }, + "log": { + "level": "information" + }, + "message": "An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tVAGRANT-2012-R2$\n\tAccount Domain:\t\tWORKGROUP\n\tLogon ID:\t\t0x3E7\n\nLogon Type:\t\t\t5\n\nImpersonation Level:\t\tImpersonation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tSYSTEM\n\tAccount Domain:\t\tNT AUTHORITY\n\tLogon ID:\t\t0x3E7\n\tLogon GUID:\t\t{00000000-0000-0000-0000-000000000000}\n\nProcess Information:\n\tProcess ID:\t\t0x1fc\n\tProcess Name:\t\tC:\\Windows\\System32\\services.exe\n\nNetwork Information:\n\tWorkstation Name:\t\n\tSource Network Address:\t-\n\tSource Port:\t\t-\n\nDetailed Authentication Information:\n\tLogon Process:\t\tAdvapi \n\tAuthentication Package:\tNegotiate\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. 
Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.", + "process": { + "executable": "C:\\Windows\\System32\\services.exe", + "name": "services.exe", + "pid": 508 + }, + "related": { + "user": [ + "SYSTEM", + "VAGRANT-2012-R2$" + ] + }, + "user": { + "domain": "NT AUTHORITY", + "id": "S-1-5-18", + "name": "SYSTEM" + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "vagrant-2012-r2", + "event_data": { + "AuthenticationPackageName": "Negotiate", + "ImpersonationLevel": "%%1833", + "IpAddress": "-", + "IpPort": "-", + "KeyLength": "0", + "LmPackageName": "-", + "LogonGuid": "{00000000-0000-0000-0000-000000000000}", + "LogonProcessName": "Advapi ", + "LogonType": "5", + "SubjectDomainName": "WORKGROUP", + "SubjectLogonId": "0x3e7", + "SubjectUserName": "VAGRANT-2012-R2$", + "SubjectUserSid": "S-1-5-18", + "TargetDomainName": "NT AUTHORITY", + "TargetLogonId": "0x3e7", + "TargetUserName": "SYSTEM", + "TargetUserSid": "S-1-5-18", + "TransmittedServices": "-" + }, + "event_id": "4624", + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x3e7", + "type": "Service" + }, + "opcode": "Info", + "process": { + "pid": 516, + "thread": { + "id": 556 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "1538", + "task": 
"Logon", + "version": 1 + } + }, + { + "@timestamp": "2019-03-29T21:10:40.3805426Z", + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "logged-in", + "category": [ + "authentication" + ], + "code": "4624", + "ingested": "2022-06-08T06:21:08.233212800Z", + "kind": "event", + "module": "security", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "start" + ] + }, + "host": { + "name": "vagrant-2012-r2" + }, + "log": { + "level": "information" + }, + "message": "An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tVAGRANT-2012-R2$\n\tAccount Domain:\t\tWORKGROUP\n\tLogon ID:\t\t0x3E7\n\nLogon Type:\t\t\t2\n\nImpersonation Level:\t\tImpersonation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-21-3541430928-2051711210-1391384369-1001\n\tAccount Name:\t\tvagrant\n\tAccount Domain:\t\tVAGRANT-2012-R2\n\tLogon ID:\t\t0x1008E\n\tLogon GUID:\t\t{00000000-0000-0000-0000-000000000000}\n\nProcess Information:\n\tProcess ID:\t\t0x1c0\n\tProcess Name:\t\tC:\\Windows\\System32\\winlogon.exe\n\nNetwork Information:\n\tWorkstation Name:\tVAGRANT-2012-R2\n\tSource Network Address:\t127.0.0.1\n\tSource Port:\t\t0\n\nDetailed Authentication Information:\n\tLogon Process:\t\tUser32 \n\tAuthentication Package:\tNegotiate\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. 
the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.", + "process": { + "executable": "C:\\Windows\\System32\\winlogon.exe", + "name": "winlogon.exe", + "pid": 448 + }, + "related": { + "ip": [ + "127.0.0.1" + ], + "user": [ + "vagrant", + "VAGRANT-2012-R2$" + ] + }, + "source": { + "domain": "VAGRANT-2012-R2", + "ip": "127.0.0.1", + "port": 0 + }, + "user": { + "domain": "VAGRANT-2012-R2", + "id": "S-1-5-21-3541430928-2051711210-1391384369-1001", + "name": "vagrant" + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "vagrant-2012-r2", + "event_data": { + "AuthenticationPackageName": "Negotiate", + "ImpersonationLevel": "%%1833", + "KeyLength": "0", + "LmPackageName": "-", + "LogonGuid": "{00000000-0000-0000-0000-000000000000}", + "LogonProcessName": "User32 ", + "LogonType": "2", + "SubjectDomainName": "WORKGROUP", + "SubjectLogonId": "0x3e7", + "SubjectUserName": "VAGRANT-2012-R2$", + "SubjectUserSid": "S-1-5-18", + "TargetDomainName": "VAGRANT-2012-R2", + "TargetLogonId": "0x1008e", + "TargetUserName": "vagrant", + "TargetUserSid": "S-1-5-21-3541430928-2051711210-1391384369-1001", + "TransmittedServices": "-" + }, + "event_id": "4624", + "keywords": [ + "Audit Success" + ], + "logon": { + "id": 
"0x3e7", + "type": "Interactive" + }, + "opcode": "Info", + "process": { + "pid": 516, + "thread": { + "id": 556 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "1542", + "task": "Logon", + "version": 1 + } + }, + { + "@timestamp": "2019-03-29T21:10:40.5055514Z", + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "logged-in", + "category": [ + "authentication" + ], + "code": "4624", + "ingested": "2022-06-08T06:21:08.233221700Z", + "kind": "event", + "module": "security", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "start" + ] + }, + "host": { + "name": "vagrant-2012-r2" + }, + "log": { + "level": "information" + }, + "message": "An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tVAGRANT-2012-R2$\n\tAccount Domain:\t\tWORKGROUP\n\tLogon ID:\t\t0x3E7\n\nLogon Type:\t\t\t5\n\nImpersonation Level:\t\tImpersonation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tSYSTEM\n\tAccount Domain:\t\tNT AUTHORITY\n\tLogon ID:\t\t0x3E7\n\tLogon GUID:\t\t{00000000-0000-0000-0000-000000000000}\n\nProcess Information:\n\tProcess ID:\t\t0x1fc\n\tProcess Name:\t\tC:\\Windows\\System32\\services.exe\n\nNetwork Information:\n\tWorkstation Name:\t\n\tSource Network Address:\t-\n\tSource Port:\t\t-\n\nDetailed Authentication Information:\n\tLogon Process:\t\tAdvapi \n\tAuthentication Package:\tNegotiate\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. 
The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.", + "process": { + "executable": "C:\\Windows\\System32\\services.exe", + "name": "services.exe", + "pid": 508 + }, + "related": { + "user": [ + "SYSTEM", + "VAGRANT-2012-R2$" + ] + }, + "user": { + "domain": "NT AUTHORITY", + "id": "S-1-5-18", + "name": "SYSTEM" + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "vagrant-2012-r2", + "event_data": { + "AuthenticationPackageName": "Negotiate", + "ImpersonationLevel": "%%1833", + "IpAddress": "-", + "IpPort": "-", + "KeyLength": "0", + "LmPackageName": "-", + "LogonGuid": "{00000000-0000-0000-0000-000000000000}", + "LogonProcessName": "Advapi ", + "LogonType": "5", + "SubjectDomainName": "WORKGROUP", + "SubjectLogonId": "0x3e7", + "SubjectUserName": "VAGRANT-2012-R2$", + "SubjectUserSid": "S-1-5-18", + "TargetDomainName": "NT AUTHORITY", + "TargetLogonId": "0x3e7", + "TargetUserName": "SYSTEM", + "TargetUserSid": "S-1-5-18", + "TransmittedServices": "-" + }, + "event_id": "4624", + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x3e7", + "type": 
"Service" + }, + "opcode": "Info", + "process": { + "pid": 516, + "thread": { + "id": 556 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "1545", + "task": "Logon", + "version": 1 + } + }, + { + "@timestamp": "2019-03-29T21:10:40.6305447Z", + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "logged-in", + "category": [ + "authentication" + ], + "code": "4624", + "ingested": "2022-06-08T06:21:08.233234500Z", + "kind": "event", + "module": "security", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "start" + ] + }, + "host": { + "name": "vagrant-2012-r2" + }, + "log": { + "level": "information" + }, + "message": "An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\t-\n\tAccount Domain:\t\t-\n\tLogon ID:\t\t0x0\n\nLogon Type:\t\t\t3\n\nImpersonation Level:\t\tImpersonation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-7\n\tAccount Name:\t\tANONYMOUS LOGON\n\tAccount Domain:\t\tNT AUTHORITY\n\tLogon ID:\t\t0x129F1\n\tLogon GUID:\t\t{00000000-0000-0000-0000-000000000000}\n\nProcess Information:\n\tProcess ID:\t\t0x0\n\tProcess Name:\t\t-\n\nNetwork Information:\n\tWorkstation Name:\t\n\tSource Network Address:\t-\n\tSource Port:\t\t-\n\nDetailed Authentication Information:\n\tLogon Process:\t\tNtLmSsp \n\tAuthentication Package:\tNTLM\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\tNTLM V1\n\tKey Length:\t\t0\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. 
The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.", + "process": { + "executable": "-", + "name": "-", + "pid": 0 + }, + "related": { + "user": [ + "ANONYMOUS LOGON" + ] + }, + "user": { + "domain": "NT AUTHORITY", + "id": "S-1-5-7", + "name": "ANONYMOUS LOGON" + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "vagrant-2012-r2", + "event_data": { + "AuthenticationPackageName": "NTLM", + "ImpersonationLevel": "%%1833", + "IpAddress": "-", + "IpPort": "-", + "KeyLength": "0", + "LmPackageName": "NTLM V1", + "LogonGuid": "{00000000-0000-0000-0000-000000000000}", + "LogonProcessName": "NtLmSsp ", + "LogonType": "3", + "SubjectDomainName": "-", + "SubjectLogonId": "0x0", + "SubjectUserName": "-", + "SubjectUserSid": "S-1-0-0", + "TargetDomainName": "NT AUTHORITY", + "TargetLogonId": "0x129f1", + "TargetUserName": "ANONYMOUS LOGON", + "TargetUserSid": "S-1-5-7", + "TransmittedServices": "-" + }, + "event_id": "4624", + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x0", + "type": "Network" + }, + "opcode": "Info", + "process": { + "pid": 516, + 
"thread": { + "id": 556 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "1547", + "task": "Logon", + "version": 1 + } + }, + { + "@timestamp": "2019-03-29T21:10:53.6617957Z", + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "logged-in", + "category": [ + "authentication" + ], + "code": "4624", + "ingested": "2022-06-08T06:21:08.233247200Z", + "kind": "event", + "module": "security", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "start" + ] + }, + "host": { + "name": "vagrant-2012-r2" + }, + "log": { + "level": "information" + }, + "message": "An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\t-\n\tAccount Domain:\t\t-\n\tLogon ID:\t\t0x0\n\nLogon Type:\t\t\t3\n\nImpersonation Level:\t\tImpersonation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-21-3541430928-2051711210-1391384369-1001\n\tAccount Name:\t\tvagrant\n\tAccount Domain:\t\tVAGRANT-2012-R2\n\tLogon ID:\t\t0x28D31\n\tLogon GUID:\t\t{00000000-0000-0000-0000-000000000000}\n\nProcess Information:\n\tProcess ID:\t\t0x0\n\tProcess Name:\t\t-\n\nNetwork Information:\n\tWorkstation Name:\t\n\tSource Network Address:\t-\n\tSource Port:\t\t-\n\nDetailed Authentication Information:\n\tLogon Process:\t\tNtLmSsp \n\tAuthentication Package:\tNTLM\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\tNTLM V2\n\tKey Length:\t\t128\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. 
The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.", + "process": { + "executable": "-", + "name": "-", + "pid": 0 + }, + "related": { + "user": [ + "vagrant" + ] + }, + "user": { + "domain": "VAGRANT-2012-R2", + "id": "S-1-5-21-3541430928-2051711210-1391384369-1001", + "name": "vagrant" + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "vagrant-2012-r2", + "event_data": { + "AuthenticationPackageName": "NTLM", + "ImpersonationLevel": "%%1833", + "IpAddress": "-", + "IpPort": "-", + "KeyLength": "128", + "LmPackageName": "NTLM V2", + "LogonGuid": "{00000000-0000-0000-0000-000000000000}", + "LogonProcessName": "NtLmSsp ", + "LogonType": "3", + "SubjectDomainName": "-", + "SubjectLogonId": "0x0", + "SubjectUserName": "-", + "SubjectUserSid": "S-1-0-0", + "TargetDomainName": "VAGRANT-2012-R2", + "TargetLogonId": "0x28d31", + "TargetUserName": "vagrant", + "TargetUserSid": "S-1-5-21-3541430928-2051711210-1391384369-1001", + "TransmittedServices": "-" + }, + "event_id": "4624", + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x0", + "type": 
"Network" + }, + "opcode": "Info", + "process": { + "pid": 516, + "thread": { + "id": 556 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "1550", + "task": "Logon", + "version": 1 + } + }, + { + "@timestamp": "2019-03-29T21:10:54.6618303Z", + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "logged-in", + "category": [ + "authentication" + ], + "code": "4624", + "ingested": "2022-06-08T06:21:08.233259700Z", + "kind": "event", + "module": "security", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "start" + ] + }, + "host": { + "name": "vagrant-2012-r2" + }, + "log": { + "level": "information" + }, + "message": "An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\t-\n\tAccount Domain:\t\t-\n\tLogon ID:\t\t0x0\n\nLogon Type:\t\t\t3\n\nImpersonation Level:\t\tImpersonation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-21-3541430928-2051711210-1391384369-1001\n\tAccount Name:\t\tvagrant\n\tAccount Domain:\t\tVAGRANT-2012-R2\n\tLogon ID:\t\t0x29F0F\n\tLogon GUID:\t\t{00000000-0000-0000-0000-000000000000}\n\nProcess Information:\n\tProcess ID:\t\t0x0\n\tProcess Name:\t\t-\n\nNetwork Information:\n\tWorkstation Name:\t\n\tSource Network Address:\t-\n\tSource Port:\t\t-\n\nDetailed Authentication Information:\n\tLogon Process:\t\tNtLmSsp \n\tAuthentication Package:\tNTLM\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\tNTLM V2\n\tKey Length:\t\t128\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. 
The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.", + "process": { + "executable": "-", + "name": "-", + "pid": 0 + }, + "related": { + "user": [ + "vagrant" + ] + }, + "user": { + "domain": "VAGRANT-2012-R2", + "id": "S-1-5-21-3541430928-2051711210-1391384369-1001", + "name": "vagrant" + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "vagrant-2012-r2", + "event_data": { + "AuthenticationPackageName": "NTLM", + "ImpersonationLevel": "%%1833", + "IpAddress": "-", + "IpPort": "-", + "KeyLength": "128", + "LmPackageName": "NTLM V2", + "LogonGuid": "{00000000-0000-0000-0000-000000000000}", + "LogonProcessName": "NtLmSsp ", + "LogonType": "3", + "SubjectDomainName": "-", + "SubjectLogonId": "0x0", + "SubjectUserName": "-", + "SubjectUserSid": "S-1-0-0", + "TargetDomainName": "VAGRANT-2012-R2", + "TargetLogonId": "0x29f0f", + "TargetUserName": "vagrant", + "TargetUserSid": "S-1-5-21-3541430928-2051711210-1391384369-1001", + "TransmittedServices": "-" + }, + "event_id": "4624", + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x0", + "type": 
"Network" + }, + "opcode": "Info", + "process": { + "pid": 516, + "thread": { + "id": 548 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "1553", + "task": "Logon", + "version": 1 + } + }, + { + "@timestamp": "2019-03-29T21:10:55.4587259Z", + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "logged-in", + "category": [ + "authentication" + ], + "code": "4624", + "ingested": "2022-06-08T06:21:08.233272300Z", + "kind": "event", + "module": "security", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "start" + ] + }, + "host": { + "name": "vagrant-2012-r2" + }, + "log": { + "level": "information" + }, + "message": "An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\t-\n\tAccount Domain:\t\t-\n\tLogon ID:\t\t0x0\n\nLogon Type:\t\t\t3\n\nImpersonation Level:\t\tImpersonation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-21-3541430928-2051711210-1391384369-1001\n\tAccount Name:\t\tvagrant\n\tAccount Domain:\t\tVAGRANT-2012-R2\n\tLogon ID:\t\t0x2A362\n\tLogon GUID:\t\t{00000000-0000-0000-0000-000000000000}\n\nProcess Information:\n\tProcess ID:\t\t0x0\n\tProcess Name:\t\t-\n\nNetwork Information:\n\tWorkstation Name:\t\n\tSource Network Address:\t-\n\tSource Port:\t\t-\n\nDetailed Authentication Information:\n\tLogon Process:\t\tNtLmSsp \n\tAuthentication Package:\tNTLM\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\tNTLM V2\n\tKey Length:\t\t128\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. 
The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.", + "process": { + "executable": "-", + "name": "-", + "pid": 0 + }, + "related": { + "user": [ + "vagrant" + ] + }, + "user": { + "domain": "VAGRANT-2012-R2", + "id": "S-1-5-21-3541430928-2051711210-1391384369-1001", + "name": "vagrant" + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "vagrant-2012-r2", + "event_data": { + "AuthenticationPackageName": "NTLM", + "ImpersonationLevel": "%%1833", + "IpAddress": "-", + "IpPort": "-", + "KeyLength": "128", + "LmPackageName": "NTLM V2", + "LogonGuid": "{00000000-0000-0000-0000-000000000000}", + "LogonProcessName": "NtLmSsp ", + "LogonType": "3", + "SubjectDomainName": "-", + "SubjectLogonId": "0x0", + "SubjectUserName": "-", + "SubjectUserSid": "S-1-0-0", + "TargetDomainName": "VAGRANT-2012-R2", + "TargetLogonId": "0x2a362", + "TargetUserName": "vagrant", + "TargetUserSid": "S-1-5-21-3541430928-2051711210-1391384369-1001", + "TransmittedServices": "-" + }, + "event_id": "4624", + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x0", + "type": 
"Network" + }, + "opcode": "Info", + "process": { + "pid": 516, + "thread": { + "id": 548 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "1556", + "task": "Logon", + "version": 1 + } + }, + { + "@timestamp": "2019-03-29T21:13:17.3025591Z", + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "logged-in", + "category": [ + "authentication" + ], + "code": "4624", + "ingested": "2022-06-08T06:21:08.233284800Z", + "kind": "event", + "module": "security", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "start" + ] + }, + "host": { + "name": "vagrant-2012-r2" + }, + "log": { + "level": "information" + }, + "message": "An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\t-\n\tAccount Domain:\t\t-\n\tLogon ID:\t\t0x0\n\nLogon Type:\t\t\t3\n\nImpersonation Level:\t\tImpersonation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-21-3541430928-2051711210-1391384369-1001\n\tAccount Name:\t\tvagrant\n\tAccount Domain:\t\tVAGRANT-2012-R2\n\tLogon ID:\t\t0x324F8\n\tLogon GUID:\t\t{00000000-0000-0000-0000-000000000000}\n\nProcess Information:\n\tProcess ID:\t\t0x0\n\tProcess Name:\t\t-\n\nNetwork Information:\n\tWorkstation Name:\t127.0.0.1\n\tSource Network Address:\t-\n\tSource Port:\t\t-\n\nDetailed Authentication Information:\n\tLogon Process:\t\tNtLmSsp \n\tAuthentication Package:\tNTLM\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\tNTLM V2\n\tKey Length:\t\t128\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. 
The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.", + "process": { + "executable": "-", + "name": "-", + "pid": 0 + }, + "related": { + "user": [ + "vagrant" + ] + }, + "source": { + "domain": "127.0.0.1" + }, + "user": { + "domain": "VAGRANT-2012-R2", + "id": "S-1-5-21-3541430928-2051711210-1391384369-1001", + "name": "vagrant" + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "vagrant-2012-r2", + "event_data": { + "AuthenticationPackageName": "NTLM", + "ImpersonationLevel": "%%1833", + "IpAddress": "-", + "IpPort": "-", + "KeyLength": "128", + "LmPackageName": "NTLM V2", + "LogonGuid": "{00000000-0000-0000-0000-000000000000}", + "LogonProcessName": "NtLmSsp ", + "LogonType": "3", + "SubjectDomainName": "-", + "SubjectLogonId": "0x0", + "SubjectUserName": "-", + "SubjectUserSid": "S-1-0-0", + "TargetDomainName": "VAGRANT-2012-R2", + "TargetLogonId": "0x324f8", + "TargetUserName": "vagrant", + "TargetUserSid": "S-1-5-21-3541430928-2051711210-1391384369-1001", + "TransmittedServices": "-" + }, + "event_id": "4624", + "keywords": [ + "Audit Success" + ], + 
"logon": { + "id": "0x0", + "type": "Network" + }, + "opcode": "Info", + "process": { + "pid": 516, + "thread": { + "id": 808 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "1561", + "task": "Logon", + "version": 1 + } + }, + { + "@timestamp": "2019-03-29T21:13:17.5213056Z", + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "logged-in", + "category": [ + "authentication" + ], + "code": "4624", + "ingested": "2022-06-08T06:21:08.233299300Z", + "kind": "event", + "module": "security", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "start" + ] + }, + "host": { + "name": "vagrant-2012-r2" + }, + "log": { + "level": "information" + }, + "message": "An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tVAGRANT-2012-R2$\n\tAccount Domain:\t\tWORKGROUP\n\tLogon ID:\t\t0x3E7\n\nLogon Type:\t\t\t2\n\nImpersonation Level:\t\tImpersonation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-90-2\n\tAccount Name:\t\tDWM-2\n\tAccount Domain:\t\tWindow Manager\n\tLogon ID:\t\t0x33444\n\tLogon GUID:\t\t{00000000-0000-0000-0000-000000000000}\n\nProcess Information:\n\tProcess ID:\t\t0xafc\n\tProcess Name:\t\tC:\\Windows\\System32\\winlogon.exe\n\nNetwork Information:\n\tWorkstation Name:\t\n\tSource Network Address:\t-\n\tSource Port:\t\t-\n\nDetailed Authentication Information:\n\tLogon Process:\t\tAdvapi \n\tAuthentication Package:\tNegotiate\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. 
The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.", + "process": { + "executable": "C:\\Windows\\System32\\winlogon.exe", + "name": "winlogon.exe", + "pid": 2812 + }, + "related": { + "user": [ + "DWM-2", + "VAGRANT-2012-R2$" + ] + }, + "user": { + "domain": "Window Manager", + "id": "S-1-5-90-2", + "name": "DWM-2" + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "vagrant-2012-r2", + "event_data": { + "AuthenticationPackageName": "Negotiate", + "ImpersonationLevel": "%%1833", + "IpAddress": "-", + "IpPort": "-", + "KeyLength": "0", + "LmPackageName": "-", + "LogonGuid": "{00000000-0000-0000-0000-000000000000}", + "LogonProcessName": "Advapi ", + "LogonType": "2", + "SubjectDomainName": "WORKGROUP", + "SubjectLogonId": "0x3e7", + "SubjectUserName": "VAGRANT-2012-R2$", + "SubjectUserSid": "S-1-5-18", + "TargetDomainName": "Window Manager", + "TargetLogonId": "0x33444", + "TargetUserName": "DWM-2", + "TargetUserSid": "S-1-5-90-2", + "TransmittedServices": "-" + }, + "event_id": "4624", + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x3e7", + 
"type": "Interactive" + }, + "opcode": "Info", + "process": { + "pid": 516, + "thread": { + "id": 548 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "1563", + "task": "Logon", + "version": 1 + } + }, + { + "@timestamp": "2019-03-29T21:13:17.6149946Z", + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "logged-in", + "category": [ + "authentication" + ], + "code": "4624", + "ingested": "2022-06-08T06:21:08.233312100Z", + "kind": "event", + "module": "security", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "start" + ] + }, + "host": { + "name": "vagrant-2012-r2" + }, + "log": { + "level": "information" + }, + "message": "An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tVAGRANT-2012-R2$\n\tAccount Domain:\t\tWORKGROUP\n\tLogon ID:\t\t0x3E7\n\nLogon Type:\t\t\t10\n\nImpersonation Level:\t\tImpersonation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-21-3541430928-2051711210-1391384369-1001\n\tAccount Name:\t\tvagrant\n\tAccount Domain:\t\tVAGRANT-2012-R2\n\tLogon ID:\t\t0x3444F\n\tLogon GUID:\t\t{00000000-0000-0000-0000-000000000000}\n\nProcess Information:\n\tProcess ID:\t\t0xafc\n\tProcess Name:\t\tC:\\Windows\\System32\\winlogon.exe\n\nNetwork Information:\n\tWorkstation Name:\tVAGRANT-2012-R2\n\tSource Network Address:\t10.0.2.2\n\tSource Port:\t\t0\n\nDetailed Authentication Information:\n\tLogon Process:\t\tUser32 \n\tAuthentication Package:\tNegotiate\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. 
This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. 
This will be 0 if no session key was requested.", + "process": { + "executable": "C:\\Windows\\System32\\winlogon.exe", + "name": "winlogon.exe", + "pid": 2812 + }, + "related": { + "ip": [ + "10.0.2.2" + ], + "user": [ + "vagrant", + "VAGRANT-2012-R2$" + ] + }, + "source": { + "domain": "VAGRANT-2012-R2", + "ip": "10.0.2.2", + "port": 0 + }, + "user": { + "domain": "VAGRANT-2012-R2", + "id": "S-1-5-21-3541430928-2051711210-1391384369-1001", + "name": "vagrant" + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "vagrant-2012-r2", + "event_data": { + "AuthenticationPackageName": "Negotiate", + "ImpersonationLevel": "%%1833", + "KeyLength": "0", + "LmPackageName": "-", + "LogonGuid": "{00000000-0000-0000-0000-000000000000}", + "LogonProcessName": "User32 ", + "LogonType": "10", + "SubjectDomainName": "WORKGROUP", + "SubjectLogonId": "0x3e7", + "SubjectUserName": "VAGRANT-2012-R2$", + "SubjectUserSid": "S-1-5-18", + "TargetDomainName": "VAGRANT-2012-R2", + "TargetLogonId": "0x3444f", + "TargetUserName": "vagrant", + "TargetUserSid": "S-1-5-21-3541430928-2051711210-1391384369-1001", + "TransmittedServices": "-" + }, + "event_id": "4624", + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x3e7", + "type": "RemoteInteractive" + }, + "opcode": "Info", + "process": { + "pid": 516, + "thread": { + "id": 808 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "1567", + "task": "Logon", + "version": 1 + } + }, + { + "@timestamp": "2019-03-29T21:13:18.7869259Z", + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "logged-in", + "category": [ + "authentication" + ], + "code": "4624", + "ingested": "2022-06-08T06:21:08.233322700Z", + "kind": "event", + "module": "security", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "start" + ] + }, + "host": { + "name": "vagrant-2012-r2" + }, + "log": 
{ + "level": "information" + }, + "message": "An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tVAGRANT-2012-R2$\n\tAccount Domain:\t\tWORKGROUP\n\tLogon ID:\t\t0x3E7\n\nLogon Type:\t\t\t2\n\nImpersonation Level:\t\tImpersonation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-90-3\n\tAccount Name:\t\tDWM-3\n\tAccount Domain:\t\tWindow Manager\n\tLogon ID:\t\t0x357FD\n\tLogon GUID:\t\t{00000000-0000-0000-0000-000000000000}\n\nProcess Information:\n\tProcess ID:\t\t0x88c\n\tProcess Name:\t\tC:\\Windows\\System32\\winlogon.exe\n\nNetwork Information:\n\tWorkstation Name:\t\n\tSource Network Address:\t-\n\tSource Port:\t\t-\n\nDetailed Authentication Information:\n\tLogon Process:\t\tAdvapi \n\tAuthentication Package:\tNegotiate\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. 
Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.", + "process": { + "executable": "C:\\Windows\\System32\\winlogon.exe", + "name": "winlogon.exe", + "pid": 2188 + }, + "related": { + "user": [ + "DWM-3", + "VAGRANT-2012-R2$" + ] + }, + "user": { + "domain": "Window Manager", + "id": "S-1-5-90-3", + "name": "DWM-3" + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "vagrant-2012-r2", + "event_data": { + "AuthenticationPackageName": "Negotiate", + "ImpersonationLevel": "%%1833", + "IpAddress": "-", + "IpPort": "-", + "KeyLength": "0", + "LmPackageName": "-", + "LogonGuid": "{00000000-0000-0000-0000-000000000000}", + "LogonProcessName": "Advapi ", + "LogonType": "2", + "SubjectDomainName": "WORKGROUP", + "SubjectLogonId": "0x3e7", + "SubjectUserName": "VAGRANT-2012-R2$", + "SubjectUserSid": "S-1-5-18", + "TargetDomainName": "Window Manager", + "TargetLogonId": "0x357fd", + "TargetUserName": "DWM-3", + "TargetUserSid": "S-1-5-90-3", + "TransmittedServices": "-" + }, + "event_id": "4624", + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x3e7", + "type": "Interactive" + }, + "opcode": "Info", + "process": { + "pid": 516, + "thread": { + "id": 556 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": 
"1570", + "task": "Logon", + "version": 1 + } + }, + { + "@timestamp": "2019-03-29T21:20:48.7402309Z", + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "logged-in", + "category": [ + "authentication" + ], + "code": "4624", + "ingested": "2022-06-08T06:21:08.233331Z", + "kind": "event", + "module": "security", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "start" + ] + }, + "host": { + "name": "vagrant-2012-r2" + }, + "log": { + "level": "information" + }, + "message": "An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tVAGRANT-2012-R2$\n\tAccount Domain:\t\tWORKGROUP\n\tLogon ID:\t\t0x3E7\n\nLogon Type:\t\t\t5\n\nImpersonation Level:\t\tImpersonation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tSYSTEM\n\tAccount Domain:\t\tNT AUTHORITY\n\tLogon ID:\t\t0x3E7\n\tLogon GUID:\t\t{00000000-0000-0000-0000-000000000000}\n\nProcess Information:\n\tProcess ID:\t\t0x1fc\n\tProcess Name:\t\tC:\\Windows\\System32\\services.exe\n\nNetwork Information:\n\tWorkstation Name:\t\n\tSource Network Address:\t-\n\tSource Port:\t\t-\n\nDetailed Authentication Information:\n\tLogon Process:\t\tAdvapi \n\tAuthentication Package:\tNegotiate\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. 
Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.", + "process": { + "executable": "C:\\Windows\\System32\\services.exe", + "name": "services.exe", + "pid": 508 + }, + "related": { + "user": [ + "SYSTEM", + "VAGRANT-2012-R2$" + ] + }, + "user": { + "domain": "NT AUTHORITY", + "id": "S-1-5-18", + "name": "SYSTEM" + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "vagrant-2012-r2", + "event_data": { + "AuthenticationPackageName": "Negotiate", + "ImpersonationLevel": "%%1833", + "IpAddress": "-", + "IpPort": "-", + "KeyLength": "0", + "LmPackageName": "-", + "LogonGuid": "{00000000-0000-0000-0000-000000000000}", + "LogonProcessName": "Advapi ", + "LogonType": "5", + "SubjectDomainName": "WORKGROUP", + "SubjectLogonId": "0x3e7", + "SubjectUserName": "VAGRANT-2012-R2$", + "SubjectUserSid": "S-1-5-18", + "TargetDomainName": "NT AUTHORITY", + "TargetLogonId": "0x3e7", + "TargetUserName": "SYSTEM", + "TargetUserSid": "S-1-5-18", + "TransmittedServices": "-" + }, + "event_id": "4624", + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x3e7", + "type": "Service" + }, + "opcode": "Info", + "process": { + "pid": 516, + "thread": { + "id": 1132 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "1574", + "task": 
"Logon", + "version": 1 + } + }, + { + "@timestamp": "2019-03-29T21:20:48.7402309Z", + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "logged-in", + "category": [ + "authentication" + ], + "code": "4624", + "ingested": "2022-06-08T06:21:08.233343700Z", + "kind": "event", + "module": "security", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "start" + ] + }, + "host": { + "name": "vagrant-2012-r2" + }, + "log": { + "level": "information" + }, + "message": "An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tVAGRANT-2012-R2$\n\tAccount Domain:\t\tWORKGROUP\n\tLogon ID:\t\t0x3E7\n\nLogon Type:\t\t\t5\n\nImpersonation Level:\t\tImpersonation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tSYSTEM\n\tAccount Domain:\t\tNT AUTHORITY\n\tLogon ID:\t\t0x3E7\n\tLogon GUID:\t\t{00000000-0000-0000-0000-000000000000}\n\nProcess Information:\n\tProcess ID:\t\t0x1fc\n\tProcess Name:\t\tC:\\Windows\\System32\\services.exe\n\nNetwork Information:\n\tWorkstation Name:\t\n\tSource Network Address:\t-\n\tSource Port:\t\t-\n\nDetailed Authentication Information:\n\tLogon Process:\t\tAdvapi \n\tAuthentication Package:\tNegotiate\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. 
Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.", + "process": { + "executable": "C:\\Windows\\System32\\services.exe", + "name": "services.exe", + "pid": 508 + }, + "related": { + "user": [ + "SYSTEM", + "VAGRANT-2012-R2$" + ] + }, + "user": { + "domain": "NT AUTHORITY", + "id": "S-1-5-18", + "name": "SYSTEM" + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "vagrant-2012-r2", + "event_data": { + "AuthenticationPackageName": "Negotiate", + "ImpersonationLevel": "%%1833", + "IpAddress": "-", + "IpPort": "-", + "KeyLength": "0", + "LmPackageName": "-", + "LogonGuid": "{00000000-0000-0000-0000-000000000000}", + "LogonProcessName": "Advapi ", + "LogonType": "5", + "SubjectDomainName": "WORKGROUP", + "SubjectLogonId": "0x3e7", + "SubjectUserName": "VAGRANT-2012-R2$", + "SubjectUserSid": "S-1-5-18", + "TargetDomainName": "NT AUTHORITY", + "TargetLogonId": "0x3e7", + "TargetUserName": "SYSTEM", + "TargetUserSid": "S-1-5-18", + "TransmittedServices": "-" + }, + "event_id": "4624", + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x3e7", + "type": "Service" + }, + "opcode": "Info", + "process": { + "pid": 516, + "thread": { + "id": 1132 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "1576", + "task": 
"Logon", + "version": 1 + } + }, + { + "@timestamp": "2019-03-29T21:20:50.5840151Z", + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "logged-in", + "category": [ + "authentication" + ], + "code": "4624", + "ingested": "2022-06-08T06:21:08.233356Z", + "kind": "event", + "module": "security", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "start" + ] + }, + "host": { + "name": "vagrant-2012-r2" + }, + "log": { + "level": "information" + }, + "message": "An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tVAGRANT-2012-R2$\n\tAccount Domain:\t\tWORKGROUP\n\tLogon ID:\t\t0x3E7\n\nLogon Type:\t\t\t5\n\nImpersonation Level:\t\tImpersonation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tSYSTEM\n\tAccount Domain:\t\tNT AUTHORITY\n\tLogon ID:\t\t0x3E7\n\tLogon GUID:\t\t{00000000-0000-0000-0000-000000000000}\n\nProcess Information:\n\tProcess ID:\t\t0x1fc\n\tProcess Name:\t\tC:\\Windows\\System32\\services.exe\n\nNetwork Information:\n\tWorkstation Name:\t\n\tSource Network Address:\t-\n\tSource Port:\t\t-\n\nDetailed Authentication Information:\n\tLogon Process:\t\tAdvapi \n\tAuthentication Package:\tNegotiate\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. 
Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.", + "process": { + "executable": "C:\\Windows\\System32\\services.exe", + "name": "services.exe", + "pid": 508 + }, + "related": { + "user": [ + "SYSTEM", + "VAGRANT-2012-R2$" + ] + }, + "user": { + "domain": "NT AUTHORITY", + "id": "S-1-5-18", + "name": "SYSTEM" + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "vagrant-2012-r2", + "event_data": { + "AuthenticationPackageName": "Negotiate", + "ImpersonationLevel": "%%1833", + "IpAddress": "-", + "IpPort": "-", + "KeyLength": "0", + "LmPackageName": "-", + "LogonGuid": "{00000000-0000-0000-0000-000000000000}", + "LogonProcessName": "Advapi ", + "LogonType": "5", + "SubjectDomainName": "WORKGROUP", + "SubjectLogonId": "0x3e7", + "SubjectUserName": "VAGRANT-2012-R2$", + "SubjectUserSid": "S-1-5-18", + "TargetDomainName": "NT AUTHORITY", + "TargetLogonId": "0x3e7", + "TargetUserName": "SYSTEM", + "TargetUserSid": "S-1-5-18", + "TransmittedServices": "-" + }, + "event_id": "4624", + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x3e7", + "type": "Service" + }, + "opcode": "Info", + "process": { + "pid": 516, + "thread": { + "id": 504 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "1578", + "task": 
"Logon", + "version": 1 + } + }, + { + "@timestamp": "2019-03-29T21:23:42.5201798Z", + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "logged-in", + "category": [ + "authentication" + ], + "code": "4624", + "ingested": "2022-06-08T06:21:08.233386300Z", + "kind": "event", + "module": "security", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "start" + ] + }, + "host": { + "name": "vagrant-2012-r2" + }, + "log": { + "level": "information" + }, + "message": "An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tVAGRANT-2012-R2$\n\tAccount Domain:\t\tWORKGROUP\n\tLogon ID:\t\t0x3E7\n\nLogon Type:\t\t\t5\n\nImpersonation Level:\t\tImpersonation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tSYSTEM\n\tAccount Domain:\t\tNT AUTHORITY\n\tLogon ID:\t\t0x3E7\n\tLogon GUID:\t\t{00000000-0000-0000-0000-000000000000}\n\nProcess Information:\n\tProcess ID:\t\t0x1fc\n\tProcess Name:\t\tC:\\Windows\\System32\\services.exe\n\nNetwork Information:\n\tWorkstation Name:\t\n\tSource Network Address:\t-\n\tSource Port:\t\t-\n\nDetailed Authentication Information:\n\tLogon Process:\t\tAdvapi \n\tAuthentication Package:\tNegotiate\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. 
Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.", + "process": { + "executable": "C:\\Windows\\System32\\services.exe", + "name": "services.exe", + "pid": 508 + }, + "related": { + "user": [ + "SYSTEM", + "VAGRANT-2012-R2$" + ] + }, + "user": { + "domain": "NT AUTHORITY", + "id": "S-1-5-18", + "name": "SYSTEM" + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "vagrant-2012-r2", + "event_data": { + "AuthenticationPackageName": "Negotiate", + "ImpersonationLevel": "%%1833", + "IpAddress": "-", + "IpPort": "-", + "KeyLength": "0", + "LmPackageName": "-", + "LogonGuid": "{00000000-0000-0000-0000-000000000000}", + "LogonProcessName": "Advapi ", + "LogonType": "5", + "SubjectDomainName": "WORKGROUP", + "SubjectLogonId": "0x3e7", + "SubjectUserName": "VAGRANT-2012-R2$", + "SubjectUserSid": "S-1-5-18", + "TargetDomainName": "NT AUTHORITY", + "TargetLogonId": "0x3e7", + "TargetUserName": "SYSTEM", + "TargetUserSid": "S-1-5-18", + "TransmittedServices": "-" + }, + "event_id": "4624", + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x3e7", + "type": "Service" + }, + "opcode": "Info", + "process": { + "pid": 516, + "thread": { + "id": 1132 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "1581", + "task": 
"Logon", + "version": 1 + } + }, + { + "@timestamp": "2019-03-29T21:26:24.1764267Z", + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "logged-in", + "category": [ + "authentication" + ], + "code": "4624", + "ingested": "2022-06-08T06:21:08.233400100Z", + "kind": "event", + "module": "security", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "start" + ] + }, + "host": { + "name": "vagrant-2012-r2" + }, + "log": { + "level": "information" + }, + "message": "An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tVAGRANT-2012-R2$\n\tAccount Domain:\t\tWORKGROUP\n\tLogon ID:\t\t0x3E7\n\nLogon Type:\t\t\t5\n\nImpersonation Level:\t\tImpersonation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tSYSTEM\n\tAccount Domain:\t\tNT AUTHORITY\n\tLogon ID:\t\t0x3E7\n\tLogon GUID:\t\t{00000000-0000-0000-0000-000000000000}\n\nProcess Information:\n\tProcess ID:\t\t0x1fc\n\tProcess Name:\t\tC:\\Windows\\System32\\services.exe\n\nNetwork Information:\n\tWorkstation Name:\t\n\tSource Network Address:\t-\n\tSource Port:\t\t-\n\nDetailed Authentication Information:\n\tLogon Process:\t\tAdvapi \n\tAuthentication Package:\tNegotiate\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. 
Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.", + "process": { + "executable": "C:\\Windows\\System32\\services.exe", + "name": "services.exe", + "pid": 508 + }, + "related": { + "user": [ + "SYSTEM", + "VAGRANT-2012-R2$" + ] + }, + "user": { + "domain": "NT AUTHORITY", + "id": "S-1-5-18", + "name": "SYSTEM" + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "vagrant-2012-r2", + "event_data": { + "AuthenticationPackageName": "Negotiate", + "ImpersonationLevel": "%%1833", + "IpAddress": "-", + "IpPort": "-", + "KeyLength": "0", + "LmPackageName": "-", + "LogonGuid": "{00000000-0000-0000-0000-000000000000}", + "LogonProcessName": "Advapi ", + "LogonType": "5", + "SubjectDomainName": "WORKGROUP", + "SubjectLogonId": "0x3e7", + "SubjectUserName": "VAGRANT-2012-R2$", + "SubjectUserSid": "S-1-5-18", + "TargetDomainName": "NT AUTHORITY", + "TargetLogonId": "0x3e7", + "TargetUserName": "SYSTEM", + "TargetUserSid": "S-1-5-18", + "TransmittedServices": "-" + }, + "event_id": "4624", + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x3e7", + "type": "Service" + }, + "opcode": "Info", + "process": { + "pid": 516, + "thread": { + "id": 344 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "1583", + "task": 
"Logon", + "version": 1 + } + }, + { + "@timestamp": "2019-03-29T21:45:35.177054Z", + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "logon-failed", + "category": [ + "authentication" + ], + "code": "4625", + "ingested": "2022-06-08T06:21:08.233408800Z", + "kind": "event", + "module": "security", + "outcome": "failure", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "start" + ] + }, + "host": { + "name": "vagrant-2012-r2" + }, + "log": { + "level": "information" + }, + "message": "An account failed to log on.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-3541430928-2051711210-1391384369-1001\n\tAccount Name:\t\tvagrant\n\tAccount Domain:\t\tVAGRANT-2012-R2\n\tLogon ID:\t\t0x1008E\n\nLogon Type:\t\t\t2\n\nAccount For Which Logon Failed:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tbosch\n\tAccount Domain:\t\tVAGRANT-2012-R2\n\nFailure Information:\n\tFailure Reason:\t\tUnknown user name or bad password.\n\tStatus:\t\t\t0xC000006D\n\tSub Status:\t\t0xC0000064\n\nProcess Information:\n\tCaller Process ID:\t0x344\n\tCaller Process Name:\tC:\\Windows\\System32\\svchost.exe\n\nNetwork Information:\n\tWorkstation Name:\tVAGRANT-2012-R2\n\tSource Network Address:\t::1\n\tSource Port:\t\t0\n\nDetailed Authentication Information:\n\tLogon Process:\t\tseclogo\n\tAuthentication Package:\tNegotiate\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon request fails. It is generated on the computer where access was attempted.\n\nThe Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe Logon Type field indicates the kind of logon that was requested. 
The most common types are 2 (interactive) and 3 (network).\n\nThe Process Information fields indicate which account and process on the system requested the logon.\n\nThe Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.", + "process": { + "executable": "C:\\Windows\\System32\\svchost.exe", + "name": "svchost.exe", + "pid": 836 + }, + "related": { + "ip": [ + "::1" + ], + "user": [ + "bosch" + ] + }, + "source": { + "domain": "VAGRANT-2012-R2", + "ip": "::1", + "port": 0 + }, + "user": { + "domain": "VAGRANT-2012-R2", + "id": "S-1-0-0", + "name": "bosch" + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "vagrant-2012-r2", + "event_data": { + "AuthenticationPackageName": "Negotiate", + "FailureReason": "%%2313", + "KeyLength": "0", + "LmPackageName": "-", + "LogonProcessName": "seclogo", + "LogonType": "2", + "Status": "0xc000006d", + "SubStatus": "0xc0000064", + "SubjectDomainName": "VAGRANT-2012-R2", + "SubjectLogonId": "0x1008e", + "SubjectUserName": "vagrant", + "SubjectUserSid": "S-1-5-21-3541430928-2051711210-1391384369-1001", + "TargetDomainName": "VAGRANT-2012-R2", + "TargetUserName": "bosch", + "TargetUserSid": "S-1-0-0", + "TransmittedServices": "-" + }, + "event_id": "4625", + "keywords": [ + "Audit Failure" + ], + "logon": { + "failure": { + "reason": "Unknown user name or bad password.", + "status": "This is either due to a bad username or authentication information", + "sub_status": "User logon with misspelled or bad 
user account" + }, + "id": "0x1008e", + "type": "Interactive" + }, + "opcode": "Info", + "process": { + "pid": 516, + "thread": { + "id": 2756 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "1585", + "task": "Logon" + } + } +] \ No newline at end of file diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016-4672.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016-4672.golden.json new file mode 100644 index 000000000000..bdb665abba4e --- /dev/null +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016-4672.golden.json 
@@ -0,0 +1,81 @@ +[ + { + "@timestamp": "2018-05-18T23:09:03.2086661Z", + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "logged-in-special", + "category": [ + "iam" + ], + "code": "4672", + "ingested": "2022-06-08T06:21:08.268186400Z", + "kind": "event", + "module": "security", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "admin" + ] + }, + "host": { + "name": "vagrant-2016" + }, + "log": { + "level": "information" + }, + "message": "Special privileges assigned to new logon.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1766348727-1038078804-3833492317-1000\n\tAccount Name:\t\tvagrant\n\tAccount Domain:\t\tVAGRANT-2016\n\tLogon ID:\t\t0x76A087\n\nPrivileges:\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeImpersonatePrivilege\n\t\t\tSeDelegateSessionUserImpersonatePrivilege", + "related": { + "user": [ + "vagrant" + ] + }, + "user": { + "domain": "VAGRANT-2016", + "id": "S-1-5-21-1766348727-1038078804-3833492317-1000", + "name": "vagrant" + }, + "winlog": { + "activity_id": "{3be96152-eefc-0002-c061-e93bfceed301}", + "api": "wineventlog", + "channel": "Security", + "computer_name": "vagrant-2016", + "event_data": { + "PrivilegeList": [ + "SeSecurityPrivilege", + "SeTakeOwnershipPrivilege", + "SeLoadDriverPrivilege", + "SeBackupPrivilege", + "SeRestorePrivilege", + "SeDebugPrivilege", + "SeSystemEnvironmentPrivilege", + "SeImpersonatePrivilege", + "SeDelegateSessionUserImpersonatePrivilege" + ], + "SubjectDomainName": "VAGRANT-2016", + "SubjectLogonId": "0x76a087", + "SubjectUserName": "vagrant", + "SubjectUserSid": "S-1-5-21-1766348727-1038078804-3833492317-1000" + }, + "event_id": "4672", + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x76a087" + }, + "opcode": "Info", + "process": { + "pid": 596, + "thread": { + "id": 636 + } + }, + 
"provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "143340", + "task": "Special Logon" + } + } +] \ No newline at end of file diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016-logoff.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016-logoff.golden.json new file mode 100644 index 000000000000..278965f26e12 --- /dev/null +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016-logoff.golden.json 
@@ -0,0 +1,140 @@ +[ + { + "@timestamp": "2019-05-17T11:06:58.210768Z", + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "logged-out", + "category": [ + "authentication" + ], + "code": "4634", + "ingested": "2022-06-08T06:21:08.274378300Z", + "kind": "event", + "module": "security", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "end" + ] + }, + "host": { + "name": "WIN-41OB2LO92CR" + }, + "log": { + "level": "information" + }, + "message": "An account was logged off.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1000\n\tAccount Name:\t\taudittest\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\tLogon ID:\t\t0x767A77\n\nLogon Type:\t\t\t3\n\nThis event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.", + "related": { + "user": [ + "audittest" + ] + }, + "user": { + "domain": "WIN-41OB2LO92CR", + "id": "S-1-5-21-101361758-2486510592-3018839910-1000", + "name": "audittest" + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "WIN-41OB2LO92CR", + "event_data": { + "LogonType": "3", + "TargetDomainName": "WIN-41OB2LO92CR", + "TargetLogonId": "0x767a77", + "TargetUserName": "audittest", + "TargetUserSid": "S-1-5-21-101361758-2486510592-3018839910-1000" + }, + "event_id": "4634", + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x767a77", + "type": "Network" + }, + "opcode": "Info", + "process": { + "pid": 776, + "thread": { + "id": 540 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "485", + "task": "Logoff" + } + }, + { + "@timestamp": "2019-05-19T16:15:38.542273Z", + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "logged-out", + "category": [ + "authentication" + ], + "code": "4634", + "ingested": 
"2022-06-08T06:21:08.274397100Z", + "kind": "event", + "module": "security", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "end" + ] + }, + "host": { + "name": "WIN-41OB2LO92CR" + }, + "log": { + "level": "information" + }, + "message": "An account was logged off.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\tLogon ID:\t\t0x104A4A6\n\nLogon Type:\t\t\t3\n\nThis event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.", + "related": { + "user": [ + "Administrator" + ] + }, + "user": { + "domain": "WIN-41OB2LO92CR", + "id": "S-1-5-21-101361758-2486510592-3018839910-500", + "name": "Administrator" + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "WIN-41OB2LO92CR", + "event_data": { + "LogonType": "3", + "TargetDomainName": "WIN-41OB2LO92CR", + "TargetLogonId": "0x104a4a6", + "TargetUserName": "Administrator", + "TargetUserSid": "S-1-5-21-101361758-2486510592-3018839910-500" + }, + "event_id": "4634", + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x104a4a6", + "type": "Network" + }, + "opcode": "Info", + "process": { + "pid": 780, + "thread": { + "id": 820 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "747", + "task": "Logoff" + } + } +] \ No newline at end of file diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4720_Account_Created.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4720_Account_Created.golden.json new file mode 100644 index 000000000000..42d00562adbc --- /dev/null 
+++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4720_Account_Created.golden.json 
@@ -0,0 +1,212 @@ +[ + { + "@timestamp": "2019-09-06T13:24:39.2933111Z", + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "added-user-account", + "category": [ + "iam" + ], + "code": "4720", + "ingested": "2022-06-08T06:21:08.280835800Z", + "kind": "event", + "module": "security", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "user", + "creation" + ] + }, + "host": { + "name": "WIN-41OB2LO92CR" + }, + "log": { + "level": "information" + }, + "message": "A user account was created.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\tLogon ID:\t\t0x264B2\n\nNew Account:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1005\n\tAccount Name:\t\telastictest1\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\nAttributes:\n\tSAM Account Name:\telastictest1\n\tDisplay Name:\t\t\u003cvalue not set\u003e\n\tUser Principal Name:\t-\n\tHome Directory:\t\t\u003cvalue not set\u003e\n\tHome Drive:\t\t\u003cvalue not set\u003e\n\tScript Path:\t\t\u003cvalue not set\u003e\n\tProfile Path:\t\t\u003cvalue not set\u003e\n\tUser Workstations:\t\u003cvalue not set\u003e\n\tPassword Last Set:\t\u003cnever\u003e\n\tAccount Expires:\t\t\u003cnever\u003e\n\tPrimary Group ID:\t513\n\tAllowed To Delegate To:\t-\n\tOld UAC Value:\t\t0x0\n\tNew UAC Value:\t\t0x15\n\tUser Account Control:\t\n\t\tAccount Disabled\n\t\t'Password Not Required' - Enabled\n\t\t'Normal Account' - Enabled\n\tUser Parameters:\t\u003cvalue not set\u003e\n\tSID History:\t\t-\n\tLogon Hours:\t\tAll\n\nAdditional Information:\n\tPrivileges\t\t-", + "related": { + "user": [ + "Administrator", + "elastictest1" + ] + }, + "user": { + "domain": "WIN-41OB2LO92CR", + "id": "S-1-5-21-101361758-2486510592-3018839910-500", + "name": "Administrator", + "target": { + "domain": "WIN-41OB2LO92CR", + "id": "S-1-5-21-101361758-2486510592-3018839910-1005", + "name": "elastictest1" + 
} + }, + "winlog": { + "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", + "api": "wineventlog", + "channel": "Security", + "computer_name": "WIN-41OB2LO92CR", + "event_data": { + "AccountExpires": "%%1794", + "AllowedToDelegateTo": "-", + "DisplayName": "%%1793", + "HomeDirectory": "%%1793", + "HomePath": "%%1793", + "LogonHours": "%%1797", + "NewUACList": [ + "SCRIPT", + "LOCKOUT" + ], + "NewUacValue": "0x15", + "OldUacValue": "0x0", + "PasswordLastSet": "%%1794", + "PrimaryGroupId": "513", + "PrivilegeList": "-", + "ProfilePath": "%%1793", + "SamAccountName": "elastictest1", + "ScriptPath": "%%1793", + "SidHistory": "-", + "SubjectDomainName": "WIN-41OB2LO92CR", + "SubjectLogonId": "0x264b2", + "SubjectUserName": "Administrator", + "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500", + "TargetDomainName": "WIN-41OB2LO92CR", + "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1005", + "TargetUserName": "elastictest1", + "UserAccountControl": [ + "2080", + "2082", + "2084" + ], + "UserParameters": "%%1793", + "UserPrincipalName": "-", + "UserWorkstations": "%%1793" + }, + "event_id": "4720", + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x264b2" + }, + "opcode": "Info", + "process": { + "pid": 780, + "thread": { + "id": 820 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "2751", + "task": "User Account Management" + } + }, + { + "@timestamp": "2019-09-06T13:25:21.8672707Z", + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "added-user-account", + "category": [ + "iam" + ], + "code": "4720", + "ingested": "2022-06-08T06:21:08.280855300Z", + "kind": "event", + "module": "security", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "user", + "creation" + ] + }, + "host": { + "name": "WIN-41OB2LO92CR" + }, + "log": { + "level": "information" + }, + "message": "A user account was 
created.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\tLogon ID:\t\t0x264B2\n\nNew Account:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1006\n\tAccount Name:\t\taudittest0609\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\nAttributes:\n\tSAM Account Name:\taudittest0609\n\tDisplay Name:\t\t\u003cvalue not set\u003e\n\tUser Principal Name:\t-\n\tHome Directory:\t\t\u003cvalue not set\u003e\n\tHome Drive:\t\t\u003cvalue not set\u003e\n\tScript Path:\t\t\u003cvalue not set\u003e\n\tProfile Path:\t\t\u003cvalue not set\u003e\n\tUser Workstations:\t\u003cvalue not set\u003e\n\tPassword Last Set:\t\u003cnever\u003e\n\tAccount Expires:\t\t\u003cnever\u003e\n\tPrimary Group ID:\t513\n\tAllowed To Delegate To:\t-\n\tOld UAC Value:\t\t0x0\n\tNew UAC Value:\t\t0x15\n\tUser Account Control:\t\n\t\tAccount Disabled\n\t\t'Password Not Required' - Enabled\n\t\t'Normal Account' - Enabled\n\tUser Parameters:\t\u003cvalue not set\u003e\n\tSID History:\t\t-\n\tLogon Hours:\t\tAll\n\nAdditional Information:\n\tPrivileges\t\t-", + "related": { + "user": [ + "Administrator", + "audittest0609" + ] + }, + "user": { + "domain": "WIN-41OB2LO92CR", + "id": "S-1-5-21-101361758-2486510592-3018839910-500", + "name": "Administrator", + "target": { + "domain": "WIN-41OB2LO92CR", + "id": "S-1-5-21-101361758-2486510592-3018839910-1006", + "name": "audittest0609" + } + }, + "winlog": { + "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", + "api": "wineventlog", + "channel": "Security", + "computer_name": "WIN-41OB2LO92CR", + "event_data": { + "AccountExpires": "%%1794", + "AllowedToDelegateTo": "-", + "DisplayName": "%%1793", + "HomeDirectory": "%%1793", + "HomePath": "%%1793", + "LogonHours": "%%1797", + "NewUACList": [ + "SCRIPT", + "LOCKOUT" + ], + "NewUacValue": "0x15", + "OldUacValue": "0x0", + "PasswordLastSet": "%%1794", + "PrimaryGroupId": "513", + "PrivilegeList": "-", + 
"ProfilePath": "%%1793", + "SamAccountName": "audittest0609", + "ScriptPath": "%%1793", + "SidHistory": "-", + "SubjectDomainName": "WIN-41OB2LO92CR", + "SubjectLogonId": "0x264b2", + "SubjectUserName": "Administrator", + "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500", + "TargetDomainName": "WIN-41OB2LO92CR", + "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1006", + "TargetUserName": "audittest0609", + "UserAccountControl": [ + "2080", + "2082", + "2084" + ], + "UserParameters": "%%1793", + "UserPrincipalName": "-", + "UserWorkstations": "%%1793" + }, + "event_id": "4720", + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x264b2" + }, + "opcode": "Info", + "process": { + "pid": 780, + "thread": { + "id": 820 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "2775", + "task": "User Account Management" + } + } +] \ No newline at end of file diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4722_Account_Enabled.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4722_Account_Enabled.golden.json new file mode 100644 index 000000000000..4309e4ab5630 --- /dev/null +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4722_Account_Enabled.golden.json 
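Review bot: The expected output pinned here for `NewUacValue: "0x15"` is `NewUACList: ["SCRIPT", "LOCKOUT"]`, while the same event's message text and `UserAccountControl` (`2080`, `2082`, `2084`) resolve that value to "Account Disabled", "'Password Not Required' - Enabled" and "'Normal Account' - Enabled", and the 0x4 bit of 0x15 is left unnamed; both 4720 events in this file lock in that contradiction. This looks like the pipeline's UAC decoding (outside this hunk) applies the LDAP userAccountControl bit layout to a value the event encodes with the SAM account-flag layout, where 0x1 is disabled, 0x4 is password-not-required and 0x10 is normal account, so the decoded list would be wrong for exactly the flags a detection on account creation cares about. If the mapping is intentionally left as-is for now, a comment in the pipeline near the decoding such as `# NOTE: NewUACList bit names do not match the resolved UserAccountControl strings for 0x15 — verify the bit layout before relying on this field` and a follow-up issue would keep this golden file from being read as confirming the output is correct.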
@@ -0,0 +1,158 @@ +[ + { + "@timestamp": "2019-09-06T13:28:46.1631928Z", + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "enabled-user-account", + "category": [ + "iam" + ], + "code": "4722", + "ingested": "2022-06-08T06:21:08.289118900Z", + "kind": "event", + "module": "security", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "user", + "change" + ] + }, + "host": { + "name": "WIN-41OB2LO92CR" + }, + "log": { + "level": "information" + }, + "message": "A user account was enabled.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\tLogon ID:\t\t0x264B2\n\nTarget Account:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1000\n\tAccount Name:\t\taudittest\n\tAccount Domain:\t\tWIN-41OB2LO92CR", + "related": { + "user": [ + "Administrator", + "audittest" + ] + }, + "user": { + "domain": "WIN-41OB2LO92CR", + "id": "S-1-5-21-101361758-2486510592-3018839910-500", + "name": "Administrator", + "target": { + "domain": "WIN-41OB2LO92CR", + "id": "S-1-5-21-101361758-2486510592-3018839910-1000", + "name": "audittest" + } + }, + "winlog": { + "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", + "api": "wineventlog", + "channel": "Security", + "computer_name": "WIN-41OB2LO92CR", + "event_data": { + "SubjectDomainName": "WIN-41OB2LO92CR", + "SubjectLogonId": "0x264b2", + "SubjectUserName": "Administrator", + "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500", + "TargetDomainName": "WIN-41OB2LO92CR", + "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1000", + "TargetUserName": "audittest" + }, + "event_id": "4722", + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x264b2" + }, + "opcode": "Info", + "process": { + "pid": 780, + "thread": { + "id": 820 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + 
"record_id": "2815", + "task": "User Account Management" + } + }, + { + "@timestamp": "2019-09-06T13:29:08.5737904Z", + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "enabled-user-account", + "category": [ + "iam" + ], + "code": "4722", + "ingested": "2022-06-08T06:21:08.289135100Z", + "kind": "event", + "module": "security", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "user", + "change" + ] + }, + "host": { + "name": "WIN-41OB2LO92CR" + }, + "log": { + "level": "information" + }, + "message": "A user account was enabled.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\tLogon ID:\t\t0x264B2\n\nTarget Account:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1006\n\tAccount Name:\t\taudittest0609\n\tAccount Domain:\t\tWIN-41OB2LO92CR", + "related": { + "user": [ + "Administrator", + "audittest0609" + ] + }, + "user": { + "domain": "WIN-41OB2LO92CR", + "id": "S-1-5-21-101361758-2486510592-3018839910-500", + "name": "Administrator", + "target": { + "domain": "WIN-41OB2LO92CR", + "id": "S-1-5-21-101361758-2486510592-3018839910-1006", + "name": "audittest0609" + } + }, + "winlog": { + "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", + "api": "wineventlog", + "channel": "Security", + "computer_name": "WIN-41OB2LO92CR", + "event_data": { + "SubjectDomainName": "WIN-41OB2LO92CR", + "SubjectLogonId": "0x264b2", + "SubjectUserName": "Administrator", + "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500", + "TargetDomainName": "WIN-41OB2LO92CR", + "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1006", + "TargetUserName": "audittest0609" + }, + "event_id": "4722", + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x264b2" + }, + "opcode": "Info", + "process": { + "pid": 780, + "thread": { + "id": 532 + } + }, + "provider_guid": 
"{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "2826", + "task": "User Account Management" + } + } +] \ No newline at end of file diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4723_Password_Change.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4723_Password_Change.golden.json new file mode 100644 index 000000000000..78be6924e116 --- /dev/null +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4723_Password_Change.golden.json 
@@ -0,0 +1,158 @@ +[ + { + "@timestamp": "2019-09-06T13:32:13.8554125Z", + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "changed-password", + "category": [ + "iam" + ], + "code": "4723", + "ingested": "2022-06-08T06:21:08.294838400Z", + "kind": "event", + "module": "security", + "outcome": "failure", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "user", + "change" + ] + }, + "host": { + "name": "WIN-41OB2LO92CR" + }, + "log": { + "level": "information" + }, + "message": "An attempt was made to change an account's password.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\tLogon ID:\t\t0x264B2\n\nTarget Account:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\nAdditional Information:\n\tPrivileges\t\t-", + "related": { + "user": [ + "Administrator" + ] + }, + "user": { + "domain": "WIN-41OB2LO92CR", + "id": "S-1-5-21-101361758-2486510592-3018839910-500", + "name": "Administrator", + "target": { + "domain": "WIN-41OB2LO92CR", + "id": "S-1-5-21-101361758-2486510592-3018839910-500", + "name": "Administrator" + } + }, + "winlog": { + "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", + "api": "wineventlog", + "channel": "Security", + "computer_name": "WIN-41OB2LO92CR", + "event_data": { + "PrivilegeList": "-", + "SubjectDomainName": "WIN-41OB2LO92CR", + "SubjectLogonId": "0x264b2", + "SubjectUserName": "Administrator", + "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500", + "TargetDomainName": "WIN-41OB2LO92CR", + "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-500", + "TargetUserName": "Administrator" + }, + "event_id": "4723", + "keywords": [ + "Audit Failure" + ], + "logon": { + "id": "0x264b2" + }, + "opcode": "Info", + "process": { + "pid": 780, + "thread": { + "id": 820 + } + }, + "provider_guid": 
"{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "2838", + "task": "User Account Management" + } + }, + { + "@timestamp": "2019-09-06T13:32:23.8855201Z", + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "changed-password", + "category": [ + "iam" + ], + "code": "4723", + "ingested": "2022-06-08T06:21:08.294849500Z", + "kind": "event", + "module": "security", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "user", + "change" + ] + }, + "host": { + "name": "WIN-41OB2LO92CR" + }, + "log": { + "level": "information" + }, + "message": "An attempt was made to change an account's password.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\tLogon ID:\t\t0x264B2\n\nTarget Account:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\nAdditional Information:\n\tPrivileges\t\t-", + "related": { + "user": [ + "Administrator" + ] + }, + "user": { + "domain": "WIN-41OB2LO92CR", + "id": "S-1-5-21-101361758-2486510592-3018839910-500", + "name": "Administrator", + "target": { + "domain": "WIN-41OB2LO92CR", + "id": "S-1-5-21-101361758-2486510592-3018839910-500", + "name": "Administrator" + } + }, + "winlog": { + "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", + "api": "wineventlog", + "channel": "Security", + "computer_name": "WIN-41OB2LO92CR", + "event_data": { + "PrivilegeList": "-", + "SubjectDomainName": "WIN-41OB2LO92CR", + "SubjectLogonId": "0x264b2", + "SubjectUserName": "Administrator", + "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500", + "TargetDomainName": "WIN-41OB2LO92CR", + "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-500", + "TargetUserName": "Administrator" + }, + "event_id": "4723", + "keywords": [ + "Audit Success" + ], + 
"logon": { + "id": "0x264b2" + }, + "opcode": "Info", + "process": { + "pid": 780, + "thread": { + "id": 532 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "2839", + "task": "User Account Management" + } + } +] \ No newline at end of file diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4724_Password_Reset.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4724_Password_Reset.golden.json new file mode 100644 index 000000000000..1222c6ba73ec --- /dev/null +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4724_Password_Reset.golden.json 
@@ -0,0 +1,158 @@ +[ + { + "@timestamp": "2019-09-06T13:24:39.339071Z", + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "reset-password", + "category": [ + "iam" + ], + "code": "4724", + "ingested": "2022-06-08T06:21:08.301226700Z", + "kind": "event", + "module": "security", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "user", + "change" + ] + }, + "host": { + "name": "WIN-41OB2LO92CR" + }, + "log": { + "level": "information" + }, + "message": "An attempt was made to reset an account's password.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\tLogon ID:\t\t0x264B2\n\nTarget Account:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1005\n\tAccount Name:\t\telastictest1\n\tAccount Domain:\t\tWIN-41OB2LO92CR", + "related": { + "user": [ + "Administrator", + "elastictest1" + ] + }, + "user": { + "domain": "WIN-41OB2LO92CR", + "id": "S-1-5-21-101361758-2486510592-3018839910-500", + "name": "Administrator", + "target": { + "domain": "WIN-41OB2LO92CR", + "id": "S-1-5-21-101361758-2486510592-3018839910-1005", + "name": "elastictest1" + } + }, + "winlog": { + "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", + "api": "wineventlog", + "channel": "Security", + "computer_name": "WIN-41OB2LO92CR", + "event_data": { + "SubjectDomainName": "WIN-41OB2LO92CR", + "SubjectLogonId": "0x264b2", + "SubjectUserName": "Administrator", + "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500", + "TargetDomainName": "WIN-41OB2LO92CR", + "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1005", + "TargetUserName": "elastictest1" + }, + "event_id": "4724", + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x264b2" + }, + "opcode": "Info", + "process": { + "pid": 780, + "thread": { + "id": 816 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": 
"Microsoft-Windows-Security-Auditing", + "record_id": "2762", + "task": "User Account Management" + } + }, + { + "@timestamp": "2019-09-06T13:25:21.9005914Z", + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "reset-password", + "category": [ + "iam" + ], + "code": "4724", + "ingested": "2022-06-08T06:21:08.301245800Z", + "kind": "event", + "module": "security", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "user", + "change" + ] + }, + "host": { + "name": "WIN-41OB2LO92CR" + }, + "log": { + "level": "information" + }, + "message": "An attempt was made to reset an account's password.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\tLogon ID:\t\t0x264B2\n\nTarget Account:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1006\n\tAccount Name:\t\taudittest0609\n\tAccount Domain:\t\tWIN-41OB2LO92CR", + "related": { + "user": [ + "Administrator", + "audittest0609" + ] + }, + "user": { + "domain": "WIN-41OB2LO92CR", + "id": "S-1-5-21-101361758-2486510592-3018839910-500", + "name": "Administrator", + "target": { + "domain": "WIN-41OB2LO92CR", + "id": "S-1-5-21-101361758-2486510592-3018839910-1006", + "name": "audittest0609" + } + }, + "winlog": { + "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", + "api": "wineventlog", + "channel": "Security", + "computer_name": "WIN-41OB2LO92CR", + "event_data": { + "SubjectDomainName": "WIN-41OB2LO92CR", + "SubjectLogonId": "0x264b2", + "SubjectUserName": "Administrator", + "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500", + "TargetDomainName": "WIN-41OB2LO92CR", + "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1006", + "TargetUserName": "audittest0609" + }, + "event_id": "4724", + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x264b2" + }, + "opcode": "Info", + "process": { + "pid": 780, + "thread": { + "id": 820 + } + }, 
+ "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "2787", + "task": "User Account Management" + } + } +] \ No newline at end of file diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4725_Account_Disabled.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4725_Account_Disabled.golden.json new file mode 100644 index 000000000000..1ef20e9827b7 --- /dev/null +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4725_Account_Disabled.golden.json 
@@ -0,0 +1,158 @@ +[ + { + "@timestamp": "2019-09-06T13:28:40.0015275Z", + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "disabled-user-account", + "category": [ + "iam" + ], + "code": "4725", + "ingested": "2022-06-08T06:21:08.307262100Z", + "kind": "event", + "module": "security", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "user", + "deletion" + ] + }, + "host": { + "name": "WIN-41OB2LO92CR" + }, + "log": { + "level": "information" + }, + "message": "A user account was disabled.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\tLogon ID:\t\t0x264B2\n\nTarget Account:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1000\n\tAccount Name:\t\taudittest\n\tAccount Domain:\t\tWIN-41OB2LO92CR", + "related": { + "user": [ + "Administrator", + "audittest" + ] + }, + "user": { + "domain": "WIN-41OB2LO92CR", + "id": "S-1-5-21-101361758-2486510592-3018839910-500", + "name": "Administrator", + "target": { + "domain": "WIN-41OB2LO92CR", + "id": "S-1-5-21-101361758-2486510592-3018839910-1000", + "name": "audittest" + } + }, + "winlog": { + "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", + "api": "wineventlog", + "channel": "Security", + "computer_name": "WIN-41OB2LO92CR", + "event_data": { + "SubjectDomainName": "WIN-41OB2LO92CR", + "SubjectLogonId": "0x264b2", + "SubjectUserName": "Administrator", + "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500", + "TargetDomainName": "WIN-41OB2LO92CR", + "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1000", + "TargetUserName": "audittest" + }, + "event_id": "4725", + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x264b2" + }, + "opcode": "Info", + "process": { + "pid": 780, + "thread": { + "id": 532 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": 
"Microsoft-Windows-Security-Auditing", + "record_id": "2810", + "task": "User Account Management" + } + }, + { + "@timestamp": "2019-09-06T13:28:55.2644212Z", + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "disabled-user-account", + "category": [ + "iam" + ], + "code": "4725", + "ingested": "2022-06-08T06:21:08.307282600Z", + "kind": "event", + "module": "security", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "user", + "deletion" + ] + }, + "host": { + "name": "WIN-41OB2LO92CR" + }, + "log": { + "level": "information" + }, + "message": "A user account was disabled.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\tLogon ID:\t\t0x264B2\n\nTarget Account:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1006\n\tAccount Name:\t\taudittest0609\n\tAccount Domain:\t\tWIN-41OB2LO92CR", + "related": { + "user": [ + "Administrator", + "audittest0609" + ] + }, + "user": { + "domain": "WIN-41OB2LO92CR", + "id": "S-1-5-21-101361758-2486510592-3018839910-500", + "name": "Administrator", + "target": { + "domain": "WIN-41OB2LO92CR", + "id": "S-1-5-21-101361758-2486510592-3018839910-1006", + "name": "audittest0609" + } + }, + "winlog": { + "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", + "api": "wineventlog", + "channel": "Security", + "computer_name": "WIN-41OB2LO92CR", + "event_data": { + "SubjectDomainName": "WIN-41OB2LO92CR", + "SubjectLogonId": "0x264b2", + "SubjectUserName": "Administrator", + "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500", + "TargetDomainName": "WIN-41OB2LO92CR", + "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1006", + "TargetUserName": "audittest0609" + }, + "event_id": "4725", + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x264b2" + }, + "opcode": "Info", + "process": { + "pid": 780, + "thread": { + "id": 532 + } + }, + 
"provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "2820", + "task": "User Account Management" + } + } +] \ No newline at end of file diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4726_Account_Deleted.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4726_Account_Deleted.golden.json new file mode 100644 index 000000000000..7ae020ab4103 --- /dev/null +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4726_Account_Deleted.golden.json 
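Review bot: The golden output for event 4725 pins `event.type` as `["user", "deletion"]` for a disabled account, whereas the 4722 enable event in the preceding fixture carries `["user", "change"]`; disabling is reversible and leaves the object in place, so `change` looks like the consistent ECS categorisation. This fixture only records what the pipeline emits, so the mapping itself lives in the security ingest pipeline, not in this hunk. If the choice is deliberate, a short comment next to the pipeline's event.type mapping explaining why 4725 is classed as a deletion would save the next reader from flagging it, since detection content keyed on `event.type: deletion` will otherwise match account disables.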
@@ -0,0 +1,160 @@ +[ + { + "@timestamp": "2019-09-06T13:35:25.5153959Z", + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "deleted-user-account", + "category": [ + "iam" + ], + "code": "4726", + "ingested": "2022-06-08T06:21:08.313870400Z", + "kind": "event", + "module": "security", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "user", + "deletion" + ] + }, + "host": { + "name": "WIN-41OB2LO92CR" + }, + "log": { + "level": "information" + }, + "message": "A user account was deleted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\tLogon ID:\t\t0x264B2\n\nTarget Account:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1001\n\tAccount Name:\t\taudittest23\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\nAdditional Information:\n\tPrivileges\t-", + "related": { + "user": [ + "Administrator", + "audittest23" + ] + }, + "user": { + "domain": "WIN-41OB2LO92CR", + "id": "S-1-5-21-101361758-2486510592-3018839910-500", + "name": "Administrator", + "target": { + "domain": "WIN-41OB2LO92CR", + "id": "S-1-5-21-101361758-2486510592-3018839910-1001", + "name": "audittest23" + } + }, + "winlog": { + "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", + "api": "wineventlog", + "channel": "Security", + "computer_name": "WIN-41OB2LO92CR", + "event_data": { + "PrivilegeList": "-", + "SubjectDomainName": "WIN-41OB2LO92CR", + "SubjectLogonId": "0x264b2", + "SubjectUserName": "Administrator", + "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500", + "TargetDomainName": "WIN-41OB2LO92CR", + "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1001", + "TargetUserName": "audittest23" + }, + "event_id": "4726", + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x264b2" + }, + "opcode": "Info", + "process": { + "pid": 780, + "thread": { + "id": 1980 + } + }, + "provider_guid": 
"{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "2851", + "task": "User Account Management" + } + }, + { + "@timestamp": "2019-09-06T13:35:29.6900555Z", + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "deleted-user-account", + "category": [ + "iam" + ], + "code": "4726", + "ingested": "2022-06-08T06:21:08.313890100Z", + "kind": "event", + "module": "security", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "user", + "deletion" + ] + }, + "host": { + "name": "WIN-41OB2LO92CR" + }, + "log": { + "level": "information" + }, + "message": "A user account was deleted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\tLogon ID:\t\t0x264B2\n\nTarget Account:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1000\n\tAccount Name:\t\taudittest\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\nAdditional Information:\n\tPrivileges\t-", + "related": { + "user": [ + "Administrator", + "audittest" + ] + }, + "user": { + "domain": "WIN-41OB2LO92CR", + "id": "S-1-5-21-101361758-2486510592-3018839910-500", + "name": "Administrator", + "target": { + "domain": "WIN-41OB2LO92CR", + "id": "S-1-5-21-101361758-2486510592-3018839910-1000", + "name": "audittest" + } + }, + "winlog": { + "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", + "api": "wineventlog", + "channel": "Security", + "computer_name": "WIN-41OB2LO92CR", + "event_data": { + "PrivilegeList": "-", + "SubjectDomainName": "WIN-41OB2LO92CR", + "SubjectLogonId": "0x264b2", + "SubjectUserName": "Administrator", + "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500", + "TargetDomainName": "WIN-41OB2LO92CR", + "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1000", + "TargetUserName": "audittest" + }, + "event_id": "4726", + "keywords": [ + "Audit Success" + ], + "logon": { + "id": 
"0x264b2" + }, + "opcode": "Info", + "process": { + "pid": 780, + "thread": { + "id": 820 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "2857", + "task": "User Account Management" + } + } +] \ No newline at end of file diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4727.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4727.golden.json new file mode 100644 index 000000000000..5f769bd55805 --- /dev/null +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4727.golden.json 
@@ -0,0 +1,81 @@ +[ + { + "@timestamp": "2019-10-22T11:26:12.4955445Z", + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "added-group-account", + "category": [ + "iam" + ], + "code": "4727", + "ingested": "2022-06-08T06:21:08.321314400Z", + "kind": "event", + "module": "security", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "group", + "creation" + ] + }, + "group": { + "domain": "WLBEAT", + "id": "S-1-5-21-101361758-2486510592-3018839910-1110", + "name": "DnsUpdateProxy" + }, + "host": { + "name": "WIN-41OB2LO92CR.wlbeat.local" + }, + "log": { + "level": "information" + }, + "message": "A security-enabled global group was created.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-41OB2LO92CR$\n\tAccount Domain:\t\tWLBEAT\n\tLogon ID:\t\t0x27438\n\nNew Group:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1110\n\tGroup Name:\t\tDnsUpdateProxy\n\tGroup Domain:\t\tWLBEAT\n\nAttributes:\n\tSAM Account Name:\tDnsUpdateProxy\n\tSID History:\t\t-\n\nAdditional Information:\n\tPrivileges:\t\t-", + "related": { + "user": [ + "WIN-41OB2LO92CR$" + ] + }, + "user": { + "domain": "WLBEAT", + "id": "S-1-5-18", + "name": "WIN-41OB2LO92CR$" + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "WIN-41OB2LO92CR.wlbeat.local", + "event_data": { + "PrivilegeList": "-", + "SamAccountName": "DnsUpdateProxy", + "SidHistory": "-", + "SubjectDomainName": "WLBEAT", + "SubjectLogonId": "0x27438", + "SubjectUserName": "WIN-41OB2LO92CR$", + "SubjectUserSid": "S-1-5-18", + "TargetDomainName": "WLBEAT", + "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1110", + "TargetUserName": "DnsUpdateProxy" + }, + "event_id": "4727", + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x27438" + }, + "opcode": "Info", + "process": { + "pid": 772, + "thread": { + "id": 1664 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": 
"Microsoft-Windows-Security-Auditing", + "record_id": "4105", + "task": "Security Group Management" + } + } +] \ No newline at end of file diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4728.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4728.golden.json new file mode 100644 index 000000000000..7b84dca06396 --- /dev/null +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4728.golden.json 
@@ -0,0 +1,90 @@ +[ + { + "@timestamp": "2019-10-22T11:33:26.8613751Z", + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "added-member-to-group", + "category": [ + "iam" + ], + "code": "4728", + "ingested": "2022-06-08T06:21:08.326362Z", + "kind": "event", + "module": "security", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "group", + "change" + ] + }, + "group": { + "domain": "WLBEAT", + "id": "S-1-5-21-101361758-2486510592-3018839910-1112", + "name": "test_group2" + }, + "host": { + "name": "WIN-41OB2LO92CR.wlbeat.local" + }, + "log": { + "level": "information" + }, + "message": "A member was added to a security-enabled global group.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWLBEAT\n\tLogon ID:\t\t0x4A727\n\nMember:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tCN=Administrator,CN=Users,DC=wlbeat,DC=local\n\nGroup:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1112\n\tGroup Name:\t\ttest_group2\n\tGroup Domain:\t\tWLBEAT\n\nAdditional Information:\n\tPrivileges:\t\t-", + "related": { + "user": [ + "Administrator" + ] + }, + "user": { + "domain": "WLBEAT", + "id": "S-1-5-21-101361758-2486510592-3018839910-500", + "name": "Administrator", + "target": { + "domain": "local", + "group": { + "domain": "WLBEAT", + "id": "S-1-5-21-101361758-2486510592-3018839910-1112", + "name": "test_group2" + }, + "name": "Administrator" + } + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "WIN-41OB2LO92CR.wlbeat.local", + "event_data": { + "MemberName": "CN=Administrator,CN=Users,DC=wlbeat,DC=local", + "MemberSid": "S-1-5-21-101361758-2486510592-3018839910-500", + "PrivilegeList": "-", + "SubjectDomainName": "WLBEAT", + "SubjectLogonId": "0x4a727", + "SubjectUserName": "Administrator", + "SubjectUserSid": 
"S-1-5-21-101361758-2486510592-3018839910-500", + "TargetDomainName": "WLBEAT", + "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1112", + "TargetUserName": "test_group2" + }, + "event_id": "4728", + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x4a727" + }, + "opcode": "Info", + "process": { + "pid": 772, + "thread": { + "id": 1664 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "4657", + "task": "Security Group Management" + } + } +] \ No newline at end of file diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4729.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4729.golden.json new file mode 100644 index 000000000000..143098d35b54 --- /dev/null +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4729.golden.json 
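Review bot: `user.target.domain` is `local` in this 4728 golden, apparently taken from only the last `DC=` component of `MemberName` (`CN=Administrator,CN=Users,DC=wlbeat,DC=local`), while `group.domain` and `user.domain` for the same subject are `WLBEAT`; the 4729 and 4732 goldens show the same value. A bare top-level label is not a usable domain for correlating the member with `related.user` or with other events, so the pipeline's distinguished-name handling (outside this hunk) likely should join all `DC=` parts (`wlbeat.local`) or fall back to the NetBIOS domain. If the current output is intended, a comment on the DN split in the pipeline stating that only the last component is kept would make these fixtures less surprising to read.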
@@ -0,0 +1,90 @@ +[ + { + "@timestamp": "2019-10-22T11:33:45.5433159Z", + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "removed-member-from-group", + "category": [ + "iam" + ], + "code": "4729", + "ingested": "2022-06-08T06:21:08.331614100Z", + "kind": "event", + "module": "security", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "group", + "change" + ] + }, + "group": { + "domain": "WLBEAT", + "id": "S-1-5-21-101361758-2486510592-3018839910-1112", + "name": "test_group2v2" + }, + "host": { + "name": "WIN-41OB2LO92CR.wlbeat.local" + }, + "log": { + "level": "information" + }, + "message": "A member was removed from a security-enabled global group.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWLBEAT\n\tLogon ID:\t\t0x4A727\n\nMember:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tCN=Administrator,CN=Users,DC=wlbeat,DC=local\n\nGroup:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1112\n\tGroup Name:\t\ttest_group2v2\n\tGroup Domain:\t\tWLBEAT\n\nAdditional Information:\n\tPrivileges:\t\t-", + "related": { + "user": [ + "Administrator" + ] + }, + "user": { + "domain": "WLBEAT", + "id": "S-1-5-21-101361758-2486510592-3018839910-500", + "name": "Administrator", + "target": { + "domain": "local", + "group": { + "domain": "WLBEAT", + "id": "S-1-5-21-101361758-2486510592-3018839910-1112", + "name": "test_group2v2" + }, + "name": "Administrator" + } + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "WIN-41OB2LO92CR.wlbeat.local", + "event_data": { + "MemberName": "CN=Administrator,CN=Users,DC=wlbeat,DC=local", + "MemberSid": "S-1-5-21-101361758-2486510592-3018839910-500", + "PrivilegeList": "-", + "SubjectDomainName": "WLBEAT", + "SubjectLogonId": "0x4a727", + "SubjectUserName": "Administrator", + "SubjectUserSid": 
"S-1-5-21-101361758-2486510592-3018839910-500", + "TargetDomainName": "WLBEAT", + "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1112", + "TargetUserName": "test_group2v2" + }, + "event_id": "4729", + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x4a727" + }, + "opcode": "Info", + "process": { + "pid": 772, + "thread": { + "id": 1664 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "4665", + "task": "Security Group Management" + } + } +] \ No newline at end of file diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4730.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4730.golden.json new file mode 100644 index 000000000000..d49edf637285 --- /dev/null +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4730.golden.json 
@@ -0,0 +1,79 @@ +[ + { + "@timestamp": "2019-10-22T11:34:01.6107262Z", + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "deleted-group-account", + "category": [ + "iam" + ], + "code": "4730", + "ingested": "2022-06-08T06:21:08.335699200Z", + "kind": "event", + "module": "security", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "group", + "deletion" + ] + }, + "group": { + "domain": "WLBEAT", + "id": "S-1-5-21-101361758-2486510592-3018839910-1112", + "name": "test_group2v2" + }, + "host": { + "name": "WIN-41OB2LO92CR.wlbeat.local" + }, + "log": { + "level": "information" + }, + "message": "A security-enabled global group was deleted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWLBEAT\n\tLogon ID:\t\t0x4A727\n\nDeleted Group:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1112\n\tGroup Name:\t\ttest_group2v2\n\tGroup Domain:\t\tWLBEAT\n\nAdditional Information:\n\tPrivileges:\t\t-", + "related": { + "user": [ + "Administrator" + ] + }, + "user": { + "domain": "WLBEAT", + "id": "S-1-5-21-101361758-2486510592-3018839910-500", + "name": "Administrator" + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "WIN-41OB2LO92CR.wlbeat.local", + "event_data": { + "PrivilegeList": "-", + "SubjectDomainName": "WLBEAT", + "SubjectLogonId": "0x4a727", + "SubjectUserName": "Administrator", + "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500", + "TargetDomainName": "WLBEAT", + "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1112", + "TargetUserName": "test_group2v2" + }, + "event_id": "4730", + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x4a727" + }, + "opcode": "Info", + "process": { + "pid": 772, + "thread": { + "id": 1664 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + 
"record_id": "4670", + "task": "Security Group Management" + } + } +] \ No newline at end of file diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4731.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4731.golden.json new file mode 100644 index 000000000000..de17dbfd0f30 --- /dev/null +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4731.golden.json 
@@ -0,0 +1,81 @@ +[ + { + "@timestamp": "2019-10-22T11:29:49.3586766Z", + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "added-group-account", + "category": [ + "iam" + ], + "code": "4731", + "ingested": "2022-06-08T06:21:08.339943300Z", + "kind": "event", + "module": "security", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "group", + "creation" + ] + }, + "group": { + "domain": "WLBEAT", + "id": "S-1-5-21-101361758-2486510592-3018839910-1111", + "name": "test_group1" + }, + "host": { + "name": "WIN-41OB2LO92CR.wlbeat.local" + }, + "log": { + "level": "information" + }, + "message": "A security-enabled local group was created.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWLBEAT\n\tLogon ID:\t\t0x4A727\n\nNew Group:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1111\n\tGroup Name:\t\ttest_group1\n\tGroup Domain:\t\tWLBEAT\n\nAttributes:\n\tSAM Account Name:\ttest_group1\n\tSID History:\t\t-\n\nAdditional Information:\n\tPrivileges:\t\t-", + "related": { + "user": [ + "Administrator" + ] + }, + "user": { + "domain": "WLBEAT", + "id": "S-1-5-21-101361758-2486510592-3018839910-500", + "name": "Administrator" + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "WIN-41OB2LO92CR.wlbeat.local", + "event_data": { + "PrivilegeList": "-", + "SamAccountName": "test_group1", + "SidHistory": "-", + "SubjectDomainName": "WLBEAT", + "SubjectLogonId": "0x4a727", + "SubjectUserName": "Administrator", + "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500", + "TargetDomainName": "WLBEAT", + "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1111", + "TargetUserName": "test_group1" + }, + "event_id": "4731", + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x4a727" + }, + "opcode": "Info", + "process": { + "pid": 772, + "thread": { + "id": 1664 + } + }, + 
"provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "4569", + "task": "Security Group Management" + } + } +] \ No newline at end of file diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4732.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4732.golden.json new file mode 100644 index 000000000000..c4309ee4d91d --- /dev/null +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4732.golden.json 
@@ -0,0 +1,90 @@ +[ + { + "@timestamp": "2019-10-22T11:31:58.0398598Z", + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "added-member-to-group", + "category": [ + "iam" + ], + "code": "4732", + "ingested": "2022-06-08T06:21:08.344534800Z", + "kind": "event", + "module": "security", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "group", + "change" + ] + }, + "group": { + "domain": "WLBEAT", + "id": "S-1-5-21-101361758-2486510592-3018839910-1111", + "name": "test_group1" + }, + "host": { + "name": "WIN-41OB2LO92CR.wlbeat.local" + }, + "log": { + "level": "information" + }, + "message": "A member was added to a security-enabled local group.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWLBEAT\n\tLogon ID:\t\t0x4A727\n\nMember:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tCN=Administrator,CN=Users,DC=wlbeat,DC=local\n\nGroup:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1111\n\tGroup Name:\t\ttest_group1\n\tGroup Domain:\t\tWLBEAT\n\nAdditional Information:\n\tPrivileges:\t\t-", + "related": { + "user": [ + "Administrator" + ] + }, + "user": { + "domain": "WLBEAT", + "id": "S-1-5-21-101361758-2486510592-3018839910-500", + "name": "Administrator", + "target": { + "domain": "local", + "group": { + "domain": "WLBEAT", + "id": "S-1-5-21-101361758-2486510592-3018839910-1111", + "name": "test_group1" + }, + "name": "Administrator" + } + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "WIN-41OB2LO92CR.wlbeat.local", + "event_data": { + "MemberName": "CN=Administrator,CN=Users,DC=wlbeat,DC=local", + "MemberSid": "S-1-5-21-101361758-2486510592-3018839910-500", + "PrivilegeList": "-", + "SubjectDomainName": "WLBEAT", + "SubjectLogonId": "0x4a727", + "SubjectUserName": "Administrator", + "SubjectUserSid": 
"S-1-5-21-101361758-2486510592-3018839910-500", + "TargetDomainName": "WLBEAT", + "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1111", + "TargetUserName": "test_group1" + }, + "event_id": "4732", + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x4a727" + }, + "opcode": "Info", + "process": { + "pid": 772, + "thread": { + "id": 1664 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "4625", + "task": "Security Group Management" + } + } +] \ No newline at end of file diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4733.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4733.golden.json new file mode 100644 index 000000000000..17f9624127af --- /dev/null +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4733.golden.json 
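Review bot: The expected `user.target.domain` in this 4732 golden file is `"local"`, which appears to be the last `DC=` component of the MemberName DN (`CN=Administrator,CN=Users,DC=wlbeat,DC=local`) rather than the account's domain, and the same `"local"` value is pinned in the 4733, 4756 and 4757 golden files in this commit. If the pipeline derives the target domain from the DN, the golden value should be the full DNS name (`wlbeat.local`) or the NetBIOS name the event already gives (`WLBEAT`) so that the fixture does not freeze a truncated domain that downstream consumers would key on. If this is the known output of the current DN handling, a short comment in the ingest test naming it as a pending fix would stop the fixture from being read as the intended contract.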
@@ -0,0 +1,90 @@ +[ + { + "@timestamp": "2019-10-22T11:32:14.8941288Z", + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "removed-member-from-group", + "category": [ + "iam" + ], + "code": "4733", + "ingested": "2022-06-08T06:21:08.349155Z", + "kind": "event", + "module": "security", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "group", + "change" + ] + }, + "group": { + "domain": "WLBEAT", + "id": "S-1-5-21-101361758-2486510592-3018839910-1111", + "name": "test_group1" + }, + "host": { + "name": "WIN-41OB2LO92CR.wlbeat.local" + }, + "log": { + "level": "information" + }, + "message": "A member was removed from a security-enabled local group.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWLBEAT\n\tLogon ID:\t\t0x4A727\n\nMember:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tCN=Administrator,CN=Users,DC=wlbeat,DC=local\n\nGroup:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1111\n\tGroup Name:\t\ttest_group1\n\tGroup Domain:\t\tWLBEAT\n\nAdditional Information:\n\tPrivileges:\t\t-", + "related": { + "user": [ + "Administrator" + ] + }, + "user": { + "domain": "WLBEAT", + "id": "S-1-5-21-101361758-2486510592-3018839910-500", + "name": "Administrator", + "target": { + "domain": "local", + "group": { + "domain": "WLBEAT", + "id": "S-1-5-21-101361758-2486510592-3018839910-1111", + "name": "test_group1" + }, + "name": "Administrator" + } + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "WIN-41OB2LO92CR.wlbeat.local", + "event_data": { + "MemberName": "CN=Administrator,CN=Users,DC=wlbeat,DC=local", + "MemberSid": "S-1-5-21-101361758-2486510592-3018839910-500", + "PrivilegeList": "-", + "SubjectDomainName": "WLBEAT", + "SubjectLogonId": "0x4a727", + "SubjectUserName": "Administrator", + "SubjectUserSid": 
"S-1-5-21-101361758-2486510592-3018839910-500", + "TargetDomainName": "WLBEAT", + "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1111", + "TargetUserName": "test_group1" + }, + "event_id": "4733", + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x4a727" + }, + "opcode": "Info", + "process": { + "pid": 772, + "thread": { + "id": 1664 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "4627", + "task": "Security Group Management" + } + } +] \ No newline at end of file diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4734.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4734.golden.json new file mode 100644 index 000000000000..225dcd822b51 --- /dev/null +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4734.golden.json 
@@ -0,0 +1,79 @@ +[ + { + "@timestamp": "2019-10-22T11:32:35.1274042Z", + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "deleted-group-account", + "category": [ + "iam" + ], + "code": "4734", + "ingested": "2022-06-08T06:21:08.353949600Z", + "kind": "event", + "module": "security", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "group", + "deletion" + ] + }, + "group": { + "domain": "WLBEAT", + "id": "S-1-5-21-101361758-2486510592-3018839910-1111", + "name": "test_group1v1" + }, + "host": { + "name": "WIN-41OB2LO92CR.wlbeat.local" + }, + "log": { + "level": "information" + }, + "message": "A security-enabled local group was deleted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWLBEAT\n\tLogon ID:\t\t0x4A727\n\nGroup:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1111\n\tGroup Name:\t\ttest_group1v1\n\tGroup Domain:\t\tWLBEAT\n\nAdditional Information:\n\tPrivileges:\t\t-", + "related": { + "user": [ + "Administrator" + ] + }, + "user": { + "domain": "WLBEAT", + "id": "S-1-5-21-101361758-2486510592-3018839910-500", + "name": "Administrator" + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "WIN-41OB2LO92CR.wlbeat.local", + "event_data": { + "PrivilegeList": "-", + "SubjectDomainName": "WLBEAT", + "SubjectLogonId": "0x4a727", + "SubjectUserName": "Administrator", + "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500", + "TargetDomainName": "WLBEAT", + "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1111", + "TargetUserName": "test_group1v1" + }, + "event_id": "4734", + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x4a727" + }, + "opcode": "Info", + "process": { + "pid": 772, + "thread": { + "id": 1664 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": 
"4630", + "task": "Security Group Management" + } + } +] \ No newline at end of file diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4735.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4735.golden.json new file mode 100644 index 000000000000..4c8ed6942289 --- /dev/null +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4735.golden.json 
@@ -0,0 +1,81 @@ +[ + { + "@timestamp": "2019-10-22T11:32:30.425487Z", + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "modified-group-account", + "category": [ + "iam" + ], + "code": "4735", + "ingested": "2022-06-08T06:21:08.358858100Z", + "kind": "event", + "module": "security", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "group", + "change" + ] + }, + "group": { + "domain": "WLBEAT", + "id": "S-1-5-21-101361758-2486510592-3018839910-1111", + "name": "test_group1v1" + }, + "host": { + "name": "WIN-41OB2LO92CR.wlbeat.local" + }, + "log": { + "level": "information" + }, + "message": "A security-enabled local group was changed.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWLBEAT\n\tLogon ID:\t\t0x4A727\n\nGroup:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1111\n\tGroup Name:\t\ttest_group1v1\n\tGroup Domain:\t\tWLBEAT\n\nChanged Attributes:\n\tSAM Account Name:\ttest_group1v1\n\tSID History:\t\t-\n\nAdditional Information:\n\tPrivileges:\t\t-", + "related": { + "user": [ + "Administrator" + ] + }, + "user": { + "domain": "WLBEAT", + "id": "S-1-5-21-101361758-2486510592-3018839910-500", + "name": "Administrator" + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "WIN-41OB2LO92CR.wlbeat.local", + "event_data": { + "PrivilegeList": "-", + "SamAccountName": "test_group1v1", + "SidHistory": "-", + "SubjectDomainName": "WLBEAT", + "SubjectLogonId": "0x4a727", + "SubjectUserName": "Administrator", + "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500", + "TargetDomainName": "WLBEAT", + "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1111", + "TargetUserName": "test_group1v1" + }, + "event_id": "4735", + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x4a727" + }, + "opcode": "Info", + "process": { + "pid": 772, + "thread": { + "id": 1664 + } + 
}, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "4628", + "task": "Security Group Management" + } + } +] \ No newline at end of file diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4737.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4737.golden.json new file mode 100644 index 000000000000..31ca8e5aa0d9 --- /dev/null +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4737.golden.json 
@@ -0,0 +1,81 @@ +[ + { + "@timestamp": "2019-10-22T11:33:57.2710608Z", + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "modified-group-account", + "category": [ + "iam" + ], + "code": "4737", + "ingested": "2022-06-08T06:21:08.363652300Z", + "kind": "event", + "module": "security", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "group", + "change" + ] + }, + "group": { + "domain": "WLBEAT", + "id": "S-1-5-21-101361758-2486510592-3018839910-1112", + "name": "test_group2v2" + }, + "host": { + "name": "WIN-41OB2LO92CR.wlbeat.local" + }, + "log": { + "level": "information" + }, + "message": "A security-enabled global group was changed.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWLBEAT\n\tLogon ID:\t\t0x4A727\n\nGroup:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1112\n\tGroup Name:\t\ttest_group2v2\n\tGroup Domain:\t\tWLBEAT\n\nChanged Attributes:\n\tSAM Account Name:\t-\n\tSID History:\t\t-\n\nAdditional Information:\n\tPrivileges:\t\t-", + "related": { + "user": [ + "Administrator" + ] + }, + "user": { + "domain": "WLBEAT", + "id": "S-1-5-21-101361758-2486510592-3018839910-500", + "name": "Administrator" + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "WIN-41OB2LO92CR.wlbeat.local", + "event_data": { + "PrivilegeList": "-", + "SamAccountName": "-", + "SidHistory": "-", + "SubjectDomainName": "WLBEAT", + "SubjectLogonId": "0x4a727", + "SubjectUserName": "Administrator", + "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500", + "TargetDomainName": "WLBEAT", + "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1112", + "TargetUserName": "test_group2v2" + }, + "event_id": "4737", + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x4a727" + }, + "opcode": "Info", + "process": { + "pid": 772, + "thread": { + "id": 1664 + } + }, + "provider_guid": 
"{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "4668", + "task": "Security Group Management" + } + } +] \ No newline at end of file diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4738_Account_Changed.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4738_Account_Changed.golden.json new file mode 100644 index 000000000000..c696e8495fee --- /dev/null +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4738_Account_Changed.golden.json 
@@ -0,0 +1,210 @@ +[ + { + "@timestamp": "2019-09-06T13:36:17.5667652Z", + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "modified-user-account", + "category": [ + "iam" + ], + "code": "4738", + "ingested": "2022-06-08T06:21:08.368099900Z", + "kind": "event", + "module": "security", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "user", + "change" + ] + }, + "host": { + "name": "WIN-41OB2LO92CR" + }, + "log": { + "level": "information" + }, + "message": "A user account was changed.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\tLogon ID:\t\t0x264B2\n\nTarget Account:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1005\n\tAccount Name:\t\telastictest1\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\nChanged Attributes:\n\tSAM Account Name:\telastictest1\n\tDisplay Name:\t\telastictest1\n\tUser Principal Name:\t-\n\tHome Directory:\t\t\u003cvalue not set\u003e\n\tHome Drive:\t\t\u003cvalue not set\u003e\n\tScript Path:\t\t\u003cvalue not set\u003e\n\tProfile Path:\t\t\u003cvalue not set\u003e\n\tUser Workstations:\t\u003cvalue not set\u003e\n\tPassword Last Set:\t6/9/2019 10:30:28\n\tAccount Expires:\t\t\u003cnever\u003e\n\tPrimary Group ID:\t513\n\tAllowedToDelegateTo:\t-\n\tOld UAC Value:\t\t0x210\n\tNew UAC Value:\t\t0x210\n\tUser Account Control:\t-\n\tUser Parameters:\t\u003cvalue not set\u003e\n\tSID History:\t\t-\n\tLogon Hours:\t\tAll\n\nAdditional Information:\n\tPrivileges:\t\t-", + "related": { + "user": [ + "Administrator", + "elastictest1" + ] + }, + "user": { + "domain": "WIN-41OB2LO92CR", + "id": "S-1-5-21-101361758-2486510592-3018839910-500", + "name": "Administrator", + "target": { + "domain": "WIN-41OB2LO92CR", + "id": "S-1-5-21-101361758-2486510592-3018839910-1005", + "name": "elastictest1" + } + }, + "winlog": { + "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", + "api": 
"wineventlog", + "channel": "Security", + "computer_name": "WIN-41OB2LO92CR", + "event_data": { + "AccountExpires": "%%1794", + "AllowedToDelegateTo": "-", + "DisplayName": "elastictest1", + "Dummy": "-", + "HomeDirectory": "%%1793", + "HomePath": "%%1793", + "LogonHours": "%%1797", + "NewUACList": [ + "LOCKOUT", + "NORMAL_ACCOUNT" + ], + "NewUacValue": "0x210", + "OldUacValue": "0x210", + "PasswordLastSet": "6/9/2019 10:30:28", + "PrimaryGroupId": "513", + "PrivilegeList": "-", + "ProfilePath": "%%1793", + "SamAccountName": "elastictest1", + "ScriptPath": "%%1793", + "SidHistory": "-", + "SubjectDomainName": "WIN-41OB2LO92CR", + "SubjectLogonId": "0x264b2", + "SubjectUserName": "Administrator", + "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500", + "TargetDomainName": "WIN-41OB2LO92CR", + "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1005", + "TargetUserName": "elastictest1", + "UserAccountControl": [ + "-" + ], + "UserParameters": "%%1793", + "UserPrincipalName": "-", + "UserWorkstations": "%%1793" + }, + "event_id": "4738", + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x264b2" + }, + "opcode": "Info", + "process": { + "pid": 780, + "thread": { + "id": 1980 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "2862", + "task": "User Account Management" + } + }, + { + "@timestamp": "2019-09-06T13:36:36.3634107Z", + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "modified-user-account", + "category": [ + "iam" + ], + "code": "4738", + "ingested": "2022-06-08T06:21:08.368122700Z", + "kind": "event", + "module": "security", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "user", + "change" + ] + }, + "host": { + "name": "WIN-41OB2LO92CR" + }, + "log": { + "level": "information" + }, + "message": "A user account was changed.\n\nSubject:\n\tSecurity 
ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\tLogon ID:\t\t0x264B2\n\nTarget Account:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1006\n\tAccount Name:\t\taudittest0609\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\nChanged Attributes:\n\tSAM Account Name:\taudittest0609\n\tDisplay Name:\t\taudittest0609s\n\tUser Principal Name:\t-\n\tHome Directory:\t\t\u003cvalue not set\u003e\n\tHome Drive:\t\t\u003cvalue not set\u003e\n\tScript Path:\t\t\u003cvalue not set\u003e\n\tProfile Path:\t\t\u003cvalue not set\u003e\n\tUser Workstations:\t\u003cvalue not set\u003e\n\tPassword Last Set:\t6/9/2019 10:25:21\n\tAccount Expires:\t\t\u003cnever\u003e\n\tPrimary Group ID:\t513\n\tAllowedToDelegateTo:\t-\n\tOld UAC Value:\t\t0x10\n\tNew UAC Value:\t\t0x210\n\tUser Account Control:\t\n\t\t'Don't Expire Password' - Enabled\n\tUser Parameters:\t\u003cvalue not set\u003e\n\tSID History:\t\t-\n\tLogon Hours:\t\tAll\n\nAdditional Information:\n\tPrivileges:\t\t-", + "related": { + "user": [ + "Administrator", + "audittest0609" + ] + }, + "user": { + "domain": "WIN-41OB2LO92CR", + "id": "S-1-5-21-101361758-2486510592-3018839910-500", + "name": "Administrator", + "target": { + "domain": "WIN-41OB2LO92CR", + "id": "S-1-5-21-101361758-2486510592-3018839910-1006", + "name": "audittest0609" + } + }, + "winlog": { + "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", + "api": "wineventlog", + "channel": "Security", + "computer_name": "WIN-41OB2LO92CR", + "event_data": { + "AccountExpires": "%%1794", + "AllowedToDelegateTo": "-", + "DisplayName": "audittest0609s", + "Dummy": "-", + "HomeDirectory": "%%1793", + "HomePath": "%%1793", + "LogonHours": "%%1797", + "NewUACList": [ + "LOCKOUT", + "NORMAL_ACCOUNT" + ], + "NewUacValue": "0x210", + "OldUacValue": "0x10", + "PasswordLastSet": "6/9/2019 10:25:21", + "PrimaryGroupId": "513", + "PrivilegeList": "-", + "ProfilePath": "%%1793", + 
"SamAccountName": "audittest0609", + "ScriptPath": "%%1793", + "SidHistory": "-", + "SubjectDomainName": "WIN-41OB2LO92CR", + "SubjectLogonId": "0x264b2", + "SubjectUserName": "Administrator", + "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500", + "TargetDomainName": "WIN-41OB2LO92CR", + "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1006", + "TargetUserName": "audittest0609", + "UserAccountControl": [ + "2089" + ], + "UserParameters": "%%1793", + "UserPrincipalName": "-", + "UserWorkstations": "%%1793" + }, + "event_id": "4738", + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x264b2" + }, + "opcode": "Info", + "process": { + "pid": 780, + "thread": { + "id": 808 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "2866", + "task": "User Account Management" + } + } +] \ No newline at end of file diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4740_Account_Locked_Out.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4740_Account_Locked_Out.golden.json new file mode 100644 index 000000000000..f9adb19e87ff --- /dev/null +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4740_Account_Locked_Out.golden.json 
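Review bot: The second event in this 4738 golden file pins `winlog.event_data.UserAccountControl` as `["2089"]`, which looks like the raw `%%2089` message-resource id with the `%%` stripped, while the `message` text of the same event renders it as `'Don't Expire Password' - Enabled`. Since `NewUACList` in the same record is decoded to names (`LOCKOUT`, `NORMAL_ACCOUNT`), fixing the fixture on an undecoded id for the sibling field is inconsistent and would let a regression in the description lookup go unnoticed; if the pipeline is meant to resolve these ids, the expected value should be the description string. If the raw id is intentionally retained, that is worth a comment in the ingest test so the asymmetry between the two fields is documented.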
@@ -0,0 +1,80 @@ +[ + { + "@timestamp": "2019-09-06T13:39:43.0856521Z", + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "locked-out-user-account", + "category": [ + "iam" + ], + "code": "4740", + "ingested": "2022-06-08T06:21:08.374783400Z", + "kind": "event", + "module": "security", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "user", + "change" + ] + }, + "host": { + "name": "WIN-41OB2LO92CR" + }, + "log": { + "level": "information" + }, + "message": "A user account was locked out.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-41OB2LO92CR$\n\tAccount Domain:\t\tWORKGROUP\n\tLogon ID:\t\t0x3E7\n\nAccount That Was Locked Out:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1005\n\tAccount Name:\t\telastictest1\n\nAdditional Information:\n\tCaller Computer Name:\tWIN-41OB2LO92CR", + "related": { + "user": [ + "WIN-41OB2LO92CR$", + "elastictest1" + ] + }, + "user": { + "domain": "WORKGROUP", + "id": "S-1-5-18", + "name": "WIN-41OB2LO92CR$", + "target": { + "domain": "WIN-41OB2LO92CR", + "id": "S-1-5-21-101361758-2486510592-3018839910-1005", + "name": "elastictest1" + } + }, + "winlog": { + "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", + "api": "wineventlog", + "channel": "Security", + "computer_name": "WIN-41OB2LO92CR", + "event_data": { + "SubjectDomainName": "WORKGROUP", + "SubjectLogonId": "0x3e7", + "SubjectUserName": "WIN-41OB2LO92CR$", + "SubjectUserSid": "S-1-5-18", + "TargetDomainName": "WIN-41OB2LO92CR", + "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1005", + "TargetUserName": "elastictest1" + }, + "event_id": "4740", + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x3e7" + }, + "opcode": "Info", + "process": { + "pid": 780, + "thread": { + "id": 532 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "2883", + "task": "User Account Management" + 
} + } +] \ No newline at end of file diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4754.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4754.golden.json new file mode 100644 index 000000000000..f59e7492bb51 --- /dev/null +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4754.golden.json 
@@ -0,0 +1,81 @@ +[ + { + "@timestamp": "2019-10-22T11:34:33.783048Z", + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "added-group-account", + "category": [ + "iam" + ], + "code": "4754", + "ingested": "2022-06-08T06:21:08.378911400Z", + "kind": "event", + "module": "security", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "group", + "creation" + ] + }, + "group": { + "domain": "WLBEAT", + "id": "S-1-5-21-101361758-2486510592-3018839910-1113", + "name": "Test_group3" + }, + "host": { + "name": "WIN-41OB2LO92CR.wlbeat.local" + }, + "log": { + "level": "information" + }, + "message": "A security-enabled universal group was created.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWLBEAT\n\tLogon ID:\t\t0x4A727\n\nGroup:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1113\n\tGroup Name:\t\tTest_group3\n\tGroup Domain:\t\tWLBEAT\n\nAttributes:\n\tSAM Account Name:\tTest_group3\n\tSID History:\t\t-\n\nAdditional Information:\n\tPrivileges:\t\t-", + "related": { + "user": [ + "Administrator" + ] + }, + "user": { + "domain": "WLBEAT", + "id": "S-1-5-21-101361758-2486510592-3018839910-500", + "name": "Administrator" + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "WIN-41OB2LO92CR.wlbeat.local", + "event_data": { + "PrivilegeList": "-", + "SamAccountName": "Test_group3", + "SidHistory": "-", + "SubjectDomainName": "WLBEAT", + "SubjectLogonId": "0x4a727", + "SubjectUserName": "Administrator", + "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500", + "TargetDomainName": "WLBEAT", + "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1113", + "TargetUserName": "Test_group3" + }, + "event_id": "4754", + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x4a727" + }, + "opcode": "Info", + "process": { + "pid": 772, + "thread": { + "id": 1664 + } + }, + 
"provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "4676", + "task": "Security Group Management" + } + } +] \ No newline at end of file diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4755.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4755.golden.json new file mode 100644 index 000000000000..b2481b95d8f0 --- /dev/null +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4755.golden.json 
@@ -0,0 +1,81 @@ +[ + { + "@timestamp": "2019-10-22T11:35:09.0701134Z", + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "modified-group-account", + "category": [ + "iam" + ], + "code": "4755", + "ingested": "2022-06-08T06:21:08.383281700Z", + "kind": "event", + "module": "security", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "group", + "change" + ] + }, + "group": { + "domain": "WLBEAT", + "id": "S-1-5-21-101361758-2486510592-3018839910-1113", + "name": "Test_group3v2" + }, + "host": { + "name": "WIN-41OB2LO92CR.wlbeat.local" + }, + "log": { + "level": "information" + }, + "message": "A security-enabled universal group was changed.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWLBEAT\n\tLogon ID:\t\t0x4A727\n\nGroup:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1113\n\tGroup Name:\t\tTest_group3v2\n\tGroup Domain:\t\tWLBEAT\n\nChanged Attributes:\n\tSAM Account Name:\t-\n\tSID History:\t\t-\n\nAdditional Information:\n\tPrivileges:\t\t-", + "related": { + "user": [ + "Administrator" + ] + }, + "user": { + "domain": "WLBEAT", + "id": "S-1-5-21-101361758-2486510592-3018839910-500", + "name": "Administrator" + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "WIN-41OB2LO92CR.wlbeat.local", + "event_data": { + "PrivilegeList": "-", + "SamAccountName": "-", + "SidHistory": "-", + "SubjectDomainName": "WLBEAT", + "SubjectLogonId": "0x4a727", + "SubjectUserName": "Administrator", + "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500", + "TargetDomainName": "WLBEAT", + "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1113", + "TargetUserName": "Test_group3v2" + }, + "event_id": "4755", + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x4a727" + }, + "opcode": "Info", + "process": { + "pid": 772, + "thread": { + "id": 1664 + } + }, + 
"provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "4685", + "task": "Security Group Management" + } + } +] \ No newline at end of file diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4756.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4756.golden.json new file mode 100644 index 000000000000..b72c1368c6d9 --- /dev/null +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4756.golden.json 
@@ -0,0 +1,90 @@ +[ + { + "@timestamp": "2019-10-22T11:34:58.4130288Z", + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "added-member-to-group", + "category": [ + "iam" + ], + "code": "4756", + "ingested": "2022-06-08T06:21:08.387537200Z", + "kind": "event", + "module": "security", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "group", + "change" + ] + }, + "group": { + "domain": "WLBEAT", + "id": "S-1-5-21-101361758-2486510592-3018839910-1113", + "name": "Test_group3v2" + }, + "host": { + "name": "WIN-41OB2LO92CR.wlbeat.local" + }, + "log": { + "level": "information" + }, + "message": "A member was added to a security-enabled universal group.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWLBEAT\n\tLogon ID:\t\t0x4A727\n\nMember:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tCN=Administrator,CN=Users,DC=wlbeat,DC=local\n\nGroup:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1113\n\tAccount Name:\t\tTest_group3v2\n\tAccount Domain:\t\tWLBEAT\n\nAdditional Information:\n\tPrivileges:\t\t-", + "related": { + "user": [ + "Administrator" + ] + }, + "user": { + "domain": "WLBEAT", + "id": "S-1-5-21-101361758-2486510592-3018839910-500", + "name": "Administrator", + "target": { + "domain": "local", + "group": { + "domain": "WLBEAT", + "id": "S-1-5-21-101361758-2486510592-3018839910-1113", + "name": "Test_group3v2" + }, + "name": "Administrator" + } + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "WIN-41OB2LO92CR.wlbeat.local", + "event_data": { + "MemberName": "CN=Administrator,CN=Users,DC=wlbeat,DC=local", + "MemberSid": "S-1-5-21-101361758-2486510592-3018839910-500", + "PrivilegeList": "-", + "SubjectDomainName": "WLBEAT", + "SubjectLogonId": "0x4a727", + "SubjectUserName": "Administrator", + "SubjectUserSid": 
"S-1-5-21-101361758-2486510592-3018839910-500", + "TargetDomainName": "WLBEAT", + "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1113", + "TargetUserName": "Test_group3v2" + }, + "event_id": "4756", + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x4a727" + }, + "opcode": "Info", + "process": { + "pid": 772, + "thread": { + "id": 1664 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "4684", + "task": "Security Group Management" + } + } +] \ No newline at end of file diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4757.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4757.golden.json new file mode 100644 index 000000000000..d91aeda784d8 --- /dev/null +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4757.golden.json 
@@ -0,0 +1,90 @@ +[ + { + "@timestamp": "2019-10-22T11:35:09.0701919Z", + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "removed-member-from-group", + "category": [ + "iam" + ], + "code": "4757", + "ingested": "2022-06-08T06:21:08.392196700Z", + "kind": "event", + "module": "security", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "group", + "change" + ] + }, + "group": { + "domain": "WLBEAT", + "id": "S-1-5-21-101361758-2486510592-3018839910-1113", + "name": "Test_group3v2" + }, + "host": { + "name": "WIN-41OB2LO92CR.wlbeat.local" + }, + "log": { + "level": "information" + }, + "message": "A member was removed from a security-enabled universal group.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWLBEAT\n\tLogon ID:\t\t0x4A727\n\nMember:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tCN=Administrator,CN=Users,DC=wlbeat,DC=local\n\nGroup:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1113\n\tGroup Name:\t\tTest_group3v2\n\tGroup Domain:\t\tWLBEAT\n\nAdditional Information:\n\tPrivileges:\t\t-", + "related": { + "user": [ + "Administrator" + ] + }, + "user": { + "domain": "WLBEAT", + "id": "S-1-5-21-101361758-2486510592-3018839910-500", + "name": "Administrator", + "target": { + "domain": "local", + "group": { + "domain": "WLBEAT", + "id": "S-1-5-21-101361758-2486510592-3018839910-1113", + "name": "Test_group3v2" + }, + "name": "Administrator" + } + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "WIN-41OB2LO92CR.wlbeat.local", + "event_data": { + "MemberName": "CN=Administrator,CN=Users,DC=wlbeat,DC=local", + "MemberSid": "S-1-5-21-101361758-2486510592-3018839910-500", + "PrivilegeList": "-", + "SubjectDomainName": "WLBEAT", + "SubjectLogonId": "0x4a727", + "SubjectUserName": "Administrator", + "SubjectUserSid": 
"S-1-5-21-101361758-2486510592-3018839910-500", + "TargetDomainName": "WLBEAT", + "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1113", + "TargetUserName": "Test_group3v2" + }, + "event_id": "4757", + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x4a727" + }, + "opcode": "Info", + "process": { + "pid": 772, + "thread": { + "id": 1664 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "4686", + "task": "Security Group Management" + } + } +] \ No newline at end of file diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4758.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4758.golden.json new file mode 100644 index 000000000000..74efb603c38c --- /dev/null +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4758.golden.json 
@@ -0,0 +1,79 @@ +[ + { + "@timestamp": "2019-10-22T11:35:13.5502867Z", + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "deleted-group-account", + "category": [ + "iam" + ], + "code": "4758", + "ingested": "2022-06-08T06:21:08.397524900Z", + "kind": "event", + "module": "security", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "group", + "deletion" + ] + }, + "group": { + "domain": "WLBEAT", + "id": "S-1-5-21-101361758-2486510592-3018839910-1113", + "name": "Test_group3v2" + }, + "host": { + "name": "WIN-41OB2LO92CR.wlbeat.local" + }, + "log": { + "level": "information" + }, + "message": "A security-enabled universal group was deleted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWLBEAT\n\tLogon ID:\t\t0x4A727\n\nGroup:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1113\n\tGroup Name:\t\tTest_group3v2\n\tGroup Domain:\t\tWLBEAT\n\nAdditional Information:\n\tPrivileges:\t\t-", + "related": { + "user": [ + "Administrator" + ] + }, + "user": { + "domain": "WLBEAT", + "id": "S-1-5-21-101361758-2486510592-3018839910-500", + "name": "Administrator" + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "WIN-41OB2LO92CR.wlbeat.local", + "event_data": { + "PrivilegeList": "-", + "SubjectDomainName": "WLBEAT", + "SubjectLogonId": "0x4a727", + "SubjectUserName": "Administrator", + "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500", + "TargetDomainName": "WLBEAT", + "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1113", + "TargetUserName": "Test_group3v2" + }, + "event_id": "4758", + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x4a727" + }, + "opcode": "Info", + "process": { + "pid": 772, + "thread": { + "id": 1664 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + 
"record_id": "4687", + "task": "Security Group Management" + } + } +] \ No newline at end of file diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4764.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4764.golden.json new file mode 100644 index 000000000000..c7bc4ea695b0 --- /dev/null +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4764.golden.json 
@@ -0,0 +1,80 @@ +[ + { + "@timestamp": "2019-10-22T11:33:57.271141Z", + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "type-changed-group-account", + "category": [ + "iam" + ], + "code": "4764", + "ingested": "2022-06-08T06:21:08.402264500Z", + "kind": "event", + "module": "security", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "group", + "change" + ] + }, + "group": { + "domain": "WLBEAT", + "id": "S-1-5-21-101361758-2486510592-3018839910-1112", + "name": "test_group2v2" + }, + "host": { + "name": "WIN-41OB2LO92CR.wlbeat.local" + }, + "log": { + "level": "information" + }, + "message": "A group’s type was changed.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWLBEAT\n\tLogon ID:\t\t0x4A727\n\nChange Type:\t\t\tSecurity Enabled Universal Group Changed to Security Enabled Global Group.\n\nGroup:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1112\n\tGroup Name:\t\ttest_group2v2\n\tGroup Domain:\t\tWLBEAT\n\nAdditional Information:\n\tPrivileges:\t\t-", + "related": { + "user": [ + "Administrator" + ] + }, + "user": { + "domain": "WLBEAT", + "id": "S-1-5-21-101361758-2486510592-3018839910-500", + "name": "Administrator" + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "WIN-41OB2LO92CR.wlbeat.local", + "event_data": { + "GroupTypeChange": "Security Enabled Universal Group Changed to Security Enabled Global Group.", + "PrivilegeList": "-", + "SubjectDomainName": "WLBEAT", + "SubjectLogonId": "0x4a727", + "SubjectUserName": "Administrator", + "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500", + "TargetDomainName": "WLBEAT", + "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1112", + "TargetUserName": "test_group2v2" + }, + "event_id": "4764", + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x4a727" + }, + "opcode": "Info", + "process": { + 
"pid": 772, + "thread": { + "id": 1664 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "4669", + "task": "Security Group Management" + } + } +] \ No newline at end of file diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4767_Account_Unlocked.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4767_Account_Unlocked.golden.json new file mode 100644 index 000000000000..580a61a6c5dc --- /dev/null +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4767_Account_Unlocked.golden.json 
@@ -0,0 +1,80 @@ +[ + { + "@timestamp": "2019-09-06T13:40:52.3149485Z", + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "unlocked-user-account", + "category": [ + "iam" + ], + "code": "4767", + "ingested": "2022-06-08T06:21:08.406967900Z", + "kind": "event", + "module": "security", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "user", + "change" + ] + }, + "host": { + "name": "WIN-41OB2LO92CR" + }, + "log": { + "level": "information" + }, + "message": "A user account was unlocked.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\tLogon ID:\t\t0x264B2\n\nTarget Account:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1005\n\tAccount Name:\t\telastictest1\n\tAccount Domain:\t\tWIN-41OB2LO92CR", + "related": { + "user": [ + "Administrator", + "elastictest1" + ] + }, + "user": { + "domain": "WIN-41OB2LO92CR", + "id": "S-1-5-21-101361758-2486510592-3018839910-500", + "name": "Administrator", + "target": { + "domain": "WIN-41OB2LO92CR", + "id": "S-1-5-21-101361758-2486510592-3018839910-1005", + "name": "elastictest1" + } + }, + "winlog": { + "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", + "api": "wineventlog", + "channel": "Security", + "computer_name": "WIN-41OB2LO92CR", + "event_data": { + "SubjectDomainName": "WIN-41OB2LO92CR", + "SubjectLogonId": "0x264b2", + "SubjectUserName": "Administrator", + "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500", + "TargetDomainName": "WIN-41OB2LO92CR", + "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1005", + "TargetUserName": "elastictest1" + }, + "event_id": "4767", + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x264b2" + }, + "opcode": "Info", + "process": { + "pid": 780, + "thread": { + "id": 808 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": 
"Microsoft-Windows-Security-Auditing", + "record_id": "2892", + "task": "User Account Management" + } + } +] \ No newline at end of file diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4781_Account_Renamed.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4781_Account_Renamed.golden.json new file mode 100644 index 000000000000..9a35ec91ecb1 --- /dev/null +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4781_Account_Renamed.golden.json 
@@ -0,0 +1,166 @@ +[ + { + "@timestamp": "2019-09-06T13:38:17.5566269Z", + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "renamed-user-account", + "category": [ + "iam" + ], + "code": "4781", + "ingested": "2022-06-08T06:21:08.411904100Z", + "kind": "event", + "module": "security", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "user", + "change" + ] + }, + "host": { + "name": "WIN-41OB2LO92CR" + }, + "log": { + "level": "information" + }, + "message": "The name of an account was changed:\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\tLogon ID:\t\t0x264B2\n\nTarget Account:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1006\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\tOld Account Name:\taudittest0609\n\tNew Account Name:\taudittest06\n\nAdditional Information:\n\tPrivileges:\t\t-", + "related": { + "user": [ + "Administrator", + "audittest06", + "audittest0609" + ] + }, + "user": { + "changes": { + "name": "audittest06" + }, + "domain": "WIN-41OB2LO92CR", + "id": "S-1-5-21-101361758-2486510592-3018839910-500", + "name": "Administrator", + "target": { + "name": "audittest0609" + } + }, + "winlog": { + "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", + "api": "wineventlog", + "channel": "Security", + "computer_name": "WIN-41OB2LO92CR", + "event_data": { + "NewTargetUserName": "audittest06", + "OldTargetUserName": "audittest0609", + "PrivilegeList": "-", + "SubjectDomainName": "WIN-41OB2LO92CR", + "SubjectLogonId": "0x264b2", + "SubjectUserName": "Administrator", + "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500", + "TargetDomainName": "WIN-41OB2LO92CR", + "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1006" + }, + "event_id": "4781", + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x264b2" + }, + "opcode": "Info", + "process": { + "pid": 780, + 
"thread": { + "id": 808 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "2873", + "task": "User Account Management" + } + }, + { + "@timestamp": "2019-09-06T13:38:23.5161066Z", + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "renamed-user-account", + "category": [ + "iam" + ], + "code": "4781", + "ingested": "2022-06-08T06:21:08.411917600Z", + "kind": "event", + "module": "security", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "user", + "change" + ] + }, + "host": { + "name": "WIN-41OB2LO92CR" + }, + "log": { + "level": "information" + }, + "message": "The name of an account was changed:\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\tLogon ID:\t\t0x264B2\n\nTarget Account:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1006\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\tOld Account Name:\taudittest06\n\tNew Account Name:\taudittest0609\n\nAdditional Information:\n\tPrivileges:\t\t-", + "related": { + "user": [ + "Administrator", + "audittest0609", + "audittest06" + ] + }, + "user": { + "changes": { + "name": "audittest0609" + }, + "domain": "WIN-41OB2LO92CR", + "id": "S-1-5-21-101361758-2486510592-3018839910-500", + "name": "Administrator", + "target": { + "name": "audittest06" + } + }, + "winlog": { + "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", + "api": "wineventlog", + "channel": "Security", + "computer_name": "WIN-41OB2LO92CR", + "event_data": { + "NewTargetUserName": "audittest0609", + "OldTargetUserName": "audittest06", + "PrivilegeList": "-", + "SubjectDomainName": "WIN-41OB2LO92CR", + "SubjectLogonId": "0x264b2", + "SubjectUserName": "Administrator", + "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500", + "TargetDomainName": "WIN-41OB2LO92CR", + "TargetSid": 
"S-1-5-21-101361758-2486510592-3018839910-1006" + }, + "event_id": "4781", + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x264b2" + }, + "opcode": "Info", + "process": { + "pid": 780, + "thread": { + "id": 808 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "2875", + "task": "User Account Management" + } + } +] \ No newline at end of file diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4798.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4798.golden.json new file mode 100644 index 000000000000..509e419a4068 --- /dev/null +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4798.golden.json 
@@ -0,0 +1,82 @@ +[ + { + "@timestamp": "2019-10-08T10:20:34.0535453Z", + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "group-membership-enumerated", + "category": [ + "iam" + ], + "code": "4798", + "ingested": "2022-06-08T06:21:08.418048300Z", + "kind": "event", + "module": "security", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "user", + "info" + ] + }, + "host": { + "name": "WIN-41OB2LO92CR" + }, + "log": { + "level": "information" + }, + "message": "A user's local group membership was enumerated.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-41OB2LO92CR$\n\tAccount Domain:\t\tWORKGROUP\n\tLogon ID:\t\t0x3E7\n\nUser:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1005\n\tAccount Name:\t\telastictest1\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\nProcess Information:\n\tProcess ID:\t\t0x3f0\n\tProcess Name:\t\tC:\\Windows\\System32\\LogonUI.exe", + "related": { + "user": [ + "WIN-41OB2LO92CR$", + "elastictest1" + ] + }, + "user": { + "domain": "WORKGROUP", + "id": "S-1-5-18", + "name": "WIN-41OB2LO92CR$", + "target": { + "domain": "WIN-41OB2LO92CR", + "id": "S-1-5-21-101361758-2486510592-3018839910-1005", + "name": "elastictest1" + } + }, + "winlog": { + "activity_id": "{c3ff3c1c-7dc1-0000-233e-ffc3c17dd501}", + "api": "wineventlog", + "channel": "Security", + "computer_name": "WIN-41OB2LO92CR", + "event_data": { + "CallerProcessId": "0x3f0", + "CallerProcessName": "C:\\Windows\\System32\\LogonUI.exe", + "SubjectDomainName": "WORKGROUP", + "SubjectLogonId": "0x3e7", + "SubjectUserName": "WIN-41OB2LO92CR$", + "SubjectUserSid": "S-1-5-18", + "TargetDomainName": "WIN-41OB2LO92CR", + "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1005", + "TargetUserName": "elastictest1" + }, + "event_id": "4798", + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x3e7" + }, + "opcode": "Info", + "process": { + "pid": 780, + "thread": { + "id": 1740 + } + }, + "provider_guid": 
"{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "2996", + "task": "User Account Management" + } + } +] \ No newline at end of file diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4799.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4799.golden.json new file mode 100644 index 000000000000..d409e37cd1c9 --- /dev/null +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4799.golden.json 
@@ -0,0 +1,81 @@ +[ + { + "@timestamp": "2019-10-08T10:20:44.4724208Z", + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "user-member-enumerated", + "category": [ + "iam" + ], + "code": "4799", + "ingested": "2022-06-08T06:21:08.422696500Z", + "kind": "event", + "module": "security", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "group", + "info" + ] + }, + "group": { + "domain": "Builtin", + "id": "S-1-5-32-544", + "name": "Administrators" + }, + "host": { + "name": "WIN-41OB2LO92CR" + }, + "log": { + "level": "information" + }, + "message": "A security-enabled local group membership was enumerated.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-41OB2LO92CR$\n\tAccount Domain:\t\tWORKGROUP\n\tLogon ID:\t\t0x3E7\n\nGroup:\n\tSecurity ID:\t\tS-1-5-32-544\n\tGroup Name:\t\tAdministrators\n\tGroup Domain:\t\tBuiltin\n\nProcess Information:\n\tProcess ID:\t\t0x494\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe", + "related": { + "user": [ + "WIN-41OB2LO92CR$" + ] + }, + "user": { + "domain": "WORKGROUP", + "id": "S-1-5-18", + "name": "WIN-41OB2LO92CR$" + }, + "winlog": { + "activity_id": "{c3ff3c1c-7dc1-0000-233e-ffc3c17dd501}", + "api": "wineventlog", + "channel": "Security", + "computer_name": "WIN-41OB2LO92CR", + "event_data": { + "CallerProcessId": "0x494", + "CallerProcessName": "C:\\Windows\\System32\\svchost.exe", + "SubjectDomainName": "WORKGROUP", + "SubjectLogonId": "0x3e7", + "SubjectUserName": "WIN-41OB2LO92CR$", + "SubjectUserSid": "S-1-5-18", + "TargetDomainName": "Builtin", + "TargetSid": "S-1-5-32-544", + "TargetUserName": "Administrators" + }, + "event_id": "4799", + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x3e7" + }, + "opcode": "Info", + "process": { + "pid": 780, + "thread": { + "id": 820 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "3002", + "task": 
"Security Group Management" + } + } +] \ No newline at end of file diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4964.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4964.golden.json new file mode 100644 index 000000000000..43f17a4f460e --- /dev/null +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4964.golden.json 
@@ -0,0 +1,154 @@ +[ + { + "@timestamp": "2020-03-21T23:50:34.347458Z", + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "logged-in-special", + "category": [ + "iam" + ], + "code": "4964", + "ingested": "2022-06-08T06:21:08.427966400Z", + "kind": "event", + "module": "security", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "admin", + "group" + ] + }, + "host": { + "name": "WIN-41OB2LO92CR.wlbeat.local" + }, + "log": { + "level": "information" + }, + "message": "Special groups have been assigned to a new logon.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-41OB2LO92CR$\n\tAccount Domain:\t\tWLBEAT\n\tLogon ID:\t\t0x3E7\n\tLogon GUID:\t{00000000-0000-0000-0000-000000000000}\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWLBEAT\n\tLogon ID:\t\t0x1D22ED\n\tLogon GUID:\t{c25cdf73-2322-651f-f4fb-db862c0e03a8}\n\tSpecial Groups Assigned:\t\n\t\t%{S-1-5-21-101361758-2486510592-3018839910-519}", + "related": { + "user": [ + "Administrator" + ] + }, + "user": { + "domain": "WLBEAT", + "id": "S-1-5-21-101361758-2486510592-3018839910-500", + "name": "Administrator" + }, + "winlog": { + "activity_id": "{af6b9825-ffd8-0000-2f9a-6bafd8ffd501}", + "api": "wineventlog", + "channel": "Security", + "computer_name": "WIN-41OB2LO92CR.wlbeat.local", + "event_data": { + "LogonGuid": "{00000000-0000-0000-0000-000000000000}", + "SidList": "\n\t\t%{S-1-5-21-101361758-2486510592-3018839910-519}", + "SubjectDomainName": "WLBEAT", + "SubjectLogonId": "0x3e7", + "SubjectUserName": "WIN-41OB2LO92CR$", + "SubjectUserSid": "S-1-5-18", + "TargetDomainName": "WLBEAT", + "TargetLogonGuid": "{c25cdf73-2322-651f-f4fb-db862c0e03a8}", + "TargetLogonId": "0x1d22ed", + "TargetUserName": "Administrator", + "TargetUserSid": "S-1-5-21-101361758-2486510592-3018839910-500" + }, + "event_id": "4964", + "keywords": [ + "Audit Success" + ], + "logon": 
{ + "id": "0x3e7" + }, + "opcode": "Info", + "process": { + "pid": 788, + "thread": { + "id": 828 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "68259", + "task": "Special Logon" + } + }, + { + "@timestamp": "2020-03-24T16:36:59.5703294Z", + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "logged-in-special", + "category": [ + "iam" + ], + "code": "4964", + "ingested": "2022-06-08T06:21:08.427985300Z", + "kind": "event", + "module": "security", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "admin", + "group" + ] + }, + "host": { + "name": "WIN-41OB2LO92CR.wlbeat.local" + }, + "log": { + "level": "information" + }, + "message": "Special groups have been assigned to a new logon.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-41OB2LO92CR$\n\tAccount Domain:\t\tWLBEAT\n\tLogon ID:\t\t0x3E7\n\tLogon GUID:\t{00000000-0000-0000-0000-000000000000}\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWLBEAT\n\tLogon ID:\t\t0x7C0BE\n\tLogon GUID:\t{38fec9bc-577f-76f6-5d29-e0175ce19797}\n\tSpecial Groups Assigned:\t\n\t\t%{S-1-5-21-101361758-2486510592-3018839910-512}\n\t\t%{S-1-5-21-101361758-2486510592-3018839910-519}\n\t\t%{S-1-5-21-101361758-2486510592-3018839910-1007}", + "related": { + "user": [ + "Administrator" + ] + }, + "user": { + "domain": "WLBEAT", + "id": "S-1-5-21-101361758-2486510592-3018839910-500", + "name": "Administrator" + }, + "winlog": { + "activity_id": "{a22b4bf4-ffdc-0000-ee4d-2ba2dcffd501}", + "api": "wineventlog", + "channel": "Security", + "computer_name": "WIN-41OB2LO92CR.wlbeat.local", + "event_data": { + "LogonGuid": "{00000000-0000-0000-0000-000000000000}", + "SidList": 
"\n\t\t%{S-1-5-21-101361758-2486510592-3018839910-512}\n\t\t%{S-1-5-21-101361758-2486510592-3018839910-519}\n\t\t%{S-1-5-21-101361758-2486510592-3018839910-1007}", + "SubjectDomainName": "WLBEAT", + "SubjectLogonId": "0x3e7", + "SubjectUserName": "WIN-41OB2LO92CR$", + "SubjectUserSid": "S-1-5-18", + "TargetDomainName": "WLBEAT", + "TargetLogonGuid": "{38fec9bc-577f-76f6-5d29-e0175ce19797}", + "TargetLogonId": "0x7c0be", + "TargetUserName": "Administrator", + "TargetUserSid": "S-1-5-21-101361758-2486510592-3018839910-500" + }, + "event_id": "4964", + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x3e7" + }, + "opcode": "Info", + "process": { + "pid": 784, + "thread": { + "id": 2608 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "68620", + "task": "Special Logon" + } + } +] \ No newline at end of file diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2019_4688_Process_Created.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2019_4688_Process_Created.golden.json new file mode 100644 index 000000000000..b25a579320a5 --- /dev/null +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2019_4688_Process_Created.golden.json 
@@ -0,0 +1,97 @@ +[ + { + "@timestamp": "2019-11-14T17:10:15.1515514Z", + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "created-process", + "category": [ + "process" + ], + "code": "4688", + "ingested": "2022-06-08T06:21:08.435053500Z", + "kind": "event", + "module": "security", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "start" + ] + }, + "host": { + "name": "vagrant" + }, + "log": { + "level": "information" + }, + "message": "A new process has been created.\n\nCreator Subject:\n\tSecurity ID:\t\tS-1-5-21-1610636575-2290000098-1654242922-1000\n\tAccount Name:\t\tvagrant\n\tAccount Domain:\t\tVAGRANT\n\tLogon ID:\t\t0x274A2\n\nTarget Subject:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\t-\n\tAccount Domain:\t\t-\n\tLogon ID:\t\t0x0\n\nProcess Information:\n\tNew Process ID:\t\t0x11cc\n\tNew Process Name:\tC:\\Windows\\System32\\wevtutil.exe\n\tToken Elevation Type:\t%%1937\n\tMandatory Label:\t\tS-1-16-12288\n\tCreator Process ID:\t0x122c\n\tCreator Process Name:\tC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\n\tProcess Command Line:\t\"C:\\Windows\\system32\\wevtutil.exe\" cl Security\n\nToken Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.\n\nType 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.\n\nType 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. 
An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.\n\nType 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.", + "process": { + "args": [ + "\"C:\\Windows\\system32\\wevtutil.exe\"", + "cl", + "Security" + ], + "command_line": "\"C:\\Windows\\system32\\wevtutil.exe\" cl Security", + "executable": "C:\\Windows\\System32\\wevtutil.exe", + "name": "wevtutil.exe", + "parent": { + "executable": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", + "name": "powershell.exe", + "pid": 4652 + }, + "pid": 4556 + }, + "related": { + "user": [ + "vagrant" + ] + }, + "user": { + "domain": "VAGRANT", + "effective": { + "id": "S-1-0-0" + }, + "id": "S-1-5-21-1610636575-2290000098-1654242922-1000", + "name": "vagrant" + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "vagrant", + "event_data": { + "CommandLine": "\"C:\\Windows\\system32\\wevtutil.exe\" cl Security", + "MandatoryLabel": "S-1-16-12288", + "ProcessId": "0x122c", + "SubjectDomainName": "VAGRANT", + "SubjectLogonId": "0x274a2", + "SubjectUserName": "vagrant", + "SubjectUserSid": "S-1-5-21-1610636575-2290000098-1654242922-1000", + "TargetDomainName": "-", + "TargetLogonId": "0x0", + "TargetUserName": "-", + "TargetUserSid": "S-1-0-0", + "TokenElevationType": "%%1937" + }, + "event_id": "4688", + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x274a2" + }, + "opcode": "Info", + "process": { + "pid": 4, + "thread": { + "id": 5076 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": 
"5010", + "task": "Process Creation", + "version": 2 + } + } +] \ No newline at end of file diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2019_4689_Process_Exited.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2019_4689_Process_Exited.golden.json new file mode 100644 index 000000000000..b645ea0b1cf9 --- /dev/null +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2019_4689_Process_Exited.golden.json 
@@ -0,0 +1,221 @@ +[ + { + "@timestamp": "2019-11-14T21:26:49.4961966Z", + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "exited-process", + "category": [ + "process" + ], + "code": "4689", + "ingested": "2022-06-08T06:21:08.450696200Z", + "kind": "event", + "module": "security", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "end" + ] + }, + "host": { + "name": "vagrant" + }, + "log": { + "level": "information" + }, + "message": "A process has exited.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1610636575-2290000098-1654242922-1000\n\tAccount Name:\t\tvagrant\n\tAccount Domain:\t\tVAGRANT\n\tLogon ID:\t\t0x274A2\n\nProcess Information:\n\tProcess ID:\t0x1524\n\tProcess Name:\tC:\\Windows\\System32\\wevtutil.exe\n\tExit Status:\t0x0", + "process": { + "executable": "C:\\Windows\\System32\\wevtutil.exe", + "name": "wevtutil.exe", + "pid": 5412 + }, + "related": { + "user": [ + "vagrant" + ] + }, + "user": { + "domain": "VAGRANT", + "id": "S-1-5-21-1610636575-2290000098-1654242922-1000", + "name": "vagrant" + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "vagrant", + "event_data": { + "Status": "0x0", + "SubjectDomainName": "VAGRANT", + "SubjectLogonId": "0x274a2", + "SubjectUserName": "vagrant", + "SubjectUserSid": "S-1-5-21-1610636575-2290000098-1654242922-1000" + }, + "event_id": "4689", + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x274a2" + }, + "opcode": "Info", + "process": { + "pid": 4, + "thread": { + "id": 1168 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "7538", + "task": "Process Termination" + } + }, + { + "@timestamp": "2019-11-14T21:27:46.9609089Z", + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "exited-process", + "category": [ + "process" + ], + "code": "4689", + "ingested": "2022-06-08T06:21:08.450710900Z", + "kind": "event", + 
"module": "security", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "end" + ] + }, + "host": { + "name": "vagrant" + }, + "log": { + "level": "information" + }, + "message": "A process has exited.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1610636575-2290000098-1654242922-1000\n\tAccount Name:\t\tvagrant\n\tAccount Domain:\t\tVAGRANT\n\tLogon ID:\t\t0x274F1\n\nProcess Information:\n\tProcess ID:\t0xf94\n\tProcess Name:\tC:\\Windows\\System32\\taskhostw.exe\n\tExit Status:\t0x0", + "process": { + "executable": "C:\\Windows\\System32\\taskhostw.exe", + "name": "taskhostw.exe", + "pid": 3988 + }, + "related": { + "user": [ + "vagrant" + ] + }, + "user": { + "domain": "VAGRANT", + "id": "S-1-5-21-1610636575-2290000098-1654242922-1000", + "name": "vagrant" + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "vagrant", + "event_data": { + "Status": "0x0", + "SubjectDomainName": "VAGRANT", + "SubjectLogonId": "0x274f1", + "SubjectUserName": "vagrant", + "SubjectUserSid": "S-1-5-21-1610636575-2290000098-1654242922-1000" + }, + "event_id": "4689", + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x274f1" + }, + "opcode": "Info", + "process": { + "pid": 4, + "thread": { + "id": 500 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "7542", + "task": "Process Termination" + } + }, + { + "@timestamp": "2019-11-14T21:28:18.4605129Z", + "ecs": { + "version": "1.12.0" + }, + "event": { + "action": "exited-process", + "category": [ + "process" + ], + "code": "4689", + "ingested": "2022-06-08T06:21:08.450714900Z", + "kind": "event", + "module": "security", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "end" + ] + }, + "host": { + "name": "vagrant" + }, + "log": { + "level": "information" + }, + "message": "A process has exited.\n\nSubject:\n\tSecurity 
ID:\t\tS-1-5-21-1610636575-2290000098-1654242922-1000\n\tAccount Name:\t\tvagrant\n\tAccount Domain:\t\tVAGRANT\n\tLogon ID:\t\t0x274A2\n\nProcess Information:\n\tProcess ID:\t0xac8\n\tProcess Name:\tC:\\Windows\\System32\\wevtutil.exe\n\tExit Status:\t0x0", + "process": { + "executable": "C:\\Windows\\System32\\wevtutil.exe", + "name": "wevtutil.exe", + "pid": 2760 + }, + "related": { + "user": [ + "vagrant" + ] + }, + "user": { + "domain": "VAGRANT", + "id": "S-1-5-21-1610636575-2290000098-1654242922-1000", + "name": "vagrant" + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "vagrant", + "event_data": { + "Status": "0x0", + "SubjectDomainName": "VAGRANT", + "SubjectLogonId": "0x274a2", + "SubjectUserName": "vagrant", + "SubjectUserSid": "S-1-5-21-1610636575-2290000098-1654242922-1000" + }, + "event_id": "4689", + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x274a2" + }, + "opcode": "Info", + "process": { + "pid": 4, + "thread": { + "id": 5636 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "7544", + "task": "Process Termination" + } + } +] \ No newline at end of file diff --git a/x-pack/winlogbeat/module/sysmon/test/sysmon_ingest_test.go b/x-pack/winlogbeat/module/sysmon/test/sysmon_ingest_test.go new file mode 100644 index 000000000000..ce4bb4a8d441 --- /dev/null +++ b/x-pack/winlogbeat/module/sysmon/test/sysmon_ingest_test.go 
@@ -0,0 +1,37 @@
+// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+// or more contributor license agreements. Licensed under the Elastic License;
+// you may not use this file except in compliance with the Elastic License.
+
+// Windows is excluded not because the tests won't pass on Windows in general,
+// but because they won't pass on Windows in a VM — where we are using this — due
+// to the VM inception problem.
+//
+//go:build !windows
+// +build !windows
+
+package test
+
+import (
+ "testing"
+
+ "github.com/elastic/beats/v7/x-pack/winlogbeat/module"
+)
+
+// Ignore these fields so that the tests will pass if Sysmon is not installed.
+var ignoreFields = []string{
+ "event.action",
+ "event.ingested",
+ "message",
+ "winlog.opcode",
+ "winlog.task",
+
+ // Ignore these fields as under some circumstances they are not populated.
+ // (observed under Windows 7).
+ "winlog.user.type",
+ "winlog.user.name",
+ "winlog.user.domain",
+}
+
+func TestSysmonIngest(t *testing.T) {
+ module.TestIngestPipeline(t, "sysmon", "testdata/collection/*.evtx.golden.json", module.WithFieldFilter(ignoreFields))
+}
diff --git a/x-pack/winlogbeat/module/sysmon/test/testdata/ingest/sysmon-10.2-dns.golden.json b/x-pack/winlogbeat/module/sysmon/test/testdata/ingest/sysmon-10.2-dns.golden.json
new file mode 100644
index 000000000000..57fddb0e275d
--- /dev/null
+++ b/x-pack/winlogbeat/module/sysmon/test/testdata/ingest/sysmon-10.2-dns.golden.json
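Review bot: Filtering `event.action`, `message`, `winlog.opcode` and `winlog.task` out of the comparison in `TestSysmonIngest` means a regression in how the sysmon pipeline maps event IDs to actions, or in its message handling, would not fail this test, which is the one place the sysmon ingest output is checked against goldens. The comment on `ignoreFields` gives "Sysmon is not installed" as the reason, which reads as carried over from the collection test; for a pipeline test that replays recorded `.evtx.golden.json` input, only fields that genuinely vary between runs (such as `event.ingested`) appear to need excluding, though this hunk does not show whether the pipeline derives the other fields from manifest-rendered input. Suggest either narrowing the list or replacing the comment with one that names the actual dependency, e.g. `// event.action/winlog.task come from manifest-rendered fields; ignored so the pipeline test passes without Sysmon installed — TODO confirm`.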
@@ -0,0 +1,19511 @@ +[ + { + "@timestamp": "2019-07-18T03:34:01.239Z", + "dns": { + "answers": [ + { + "data": "go.microsoft.com.edgekey.net", + "type": "CNAME" + }, + { + "data": "e11290.dspg.akamaiedge.net", + "type": "CNAME" + }, + { + "data": "23.223.14.67", + "type": "A" + } + ], + "question": { + "name": "go.microsoft.com", + "registered_domain": "microsoft.com", + "subdomain": "go", + "top_level_domain": "com" + }, + "resolved_ip": [ + "23.223.14.67" + ] + }, + "ecs": { + "version": "1.12.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "ingested": "2022-06-08T05:43:58.773701Z", + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "host": { + "name": "vagrant-2016" + }, + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, + "process": { + "entity_id": "{fa4a0de6-e8a8-5d2f-0000-001094619900}", + "executable": "C:\\Program Files\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 356 + }, + "related": { + "hosts": [ + "go.microsoft.com.edgekey.net", + "e11290.dspg.akamaiedge.net", + "go.microsoft.com" + ], + "ip": [ + "23.223.14.67" + ] + }, + "sysmon": { + "dns": { + "status": "SUCCESS" + } + }, + "user": { + "id": "S-1-5-18" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2016", + "event_id": "22", + "opcode": "Info", + "process": { + "pid": 2828, + "thread": { + "id": 1684 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "66", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:01.261Z", + "dns": { + "answers": [ + { + "data": "www-msn-com.a-0003.a-msedge.net", + "type": "CNAME" + }, + { + "data": 
"a-0003.a-msedge.net", + "type": "CNAME" + }, + { + "data": "204.79.197.203", + "type": "A" + } + ], + "question": { + "name": "www.msn.com", + "registered_domain": "msn.com", + "subdomain": "www", + "top_level_domain": "com" + }, + "resolved_ip": [ + "204.79.197.203" + ] + }, + "ecs": { + "version": "1.12.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "ingested": "2022-06-08T05:43:58.773734900Z", + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "host": { + "name": "vagrant-2016" + }, + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 + }, + "related": { + "hosts": [ + "www-msn-com.a-0003.a-msedge.net", + "a-0003.a-msedge.net", + "www.msn.com" + ], + "ip": [ + "204.79.197.203" + ] + }, + "sysmon": { + "dns": { + "status": "SUCCESS" + } + }, + "user": { + "id": "S-1-5-18" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2016", + "event_id": "22", + "opcode": "Info", + "process": { + "pid": 2828, + "thread": { + "id": 1684 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "67", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:01.449Z", + "dns": { + "answers": [ + { + "data": "a1999.dscg2.akamai.net", + "type": "CNAME" + }, + { + "data": "23.50.53.192", + "type": "A" + }, + { + "data": "23.50.53.195", + "type": "A" + } + ], + "question": { + "name": "static-global-s-msn-com.akamaized.net", + "registered_domain": "akamaized.net", + "subdomain": 
"static-global-s-msn-com", + "top_level_domain": "net" + }, + "resolved_ip": [ + "23.50.53.192", + "23.50.53.195" + ] + }, + "ecs": { + "version": "1.12.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "ingested": "2022-06-08T05:43:58.773751300Z", + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "host": { + "name": "vagrant-2016" + }, + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 + }, + "related": { + "hosts": [ + "a1999.dscg2.akamai.net", + "static-global-s-msn-com.akamaized.net" + ], + "ip": [ + "23.50.53.192", + "23.50.53.195" + ] + }, + "sysmon": { + "dns": { + "status": "SUCCESS" + } + }, + "user": { + "id": "S-1-5-18" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2016", + "event_id": "22", + "opcode": "Info", + "process": { + "pid": 2828, + "thread": { + "id": 1684 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "68", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:01.457Z", + "dns": { + "answers": [ + { + "data": "a-0001.a-afdentry.net.trafficmanager.net", + "type": "CNAME" + }, + { + "data": "dual-a-0001.a-msedge.net", + "type": "CNAME" + }, + { + "data": "204.79.197.200", + "type": "A" + }, + { + "data": "13.107.21.200", + "type": "A" + } + ], + "question": { + "name": "www.bing.com", + "registered_domain": "bing.com", + "subdomain": "www", + "top_level_domain": "com" + }, + "resolved_ip": [ + "204.79.197.200", + "13.107.21.200" 
+ ] + }, + "ecs": { + "version": "1.12.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "ingested": "2022-06-08T05:43:58.773860300Z", + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "host": { + "name": "vagrant-2016" + }, + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, + "process": { + "entity_id": "{fa4a0de6-e8a8-5d2f-0000-001094619900}", + "executable": "C:\\Program Files\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 356 + }, + "related": { + "hosts": [ + "a-0001.a-afdentry.net.trafficmanager.net", + "dual-a-0001.a-msedge.net", + "www.bing.com" + ], + "ip": [ + "204.79.197.200", + "13.107.21.200" + ] + }, + "sysmon": { + "dns": { + "status": "SUCCESS" + } + }, + "user": { + "id": "S-1-5-18" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2016", + "event_id": "22", + "opcode": "Info", + "process": { + "pid": 2828, + "thread": { + "id": 1684 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "69", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:01.494Z", + "dns": { + "answers": [ + { + "data": "linkmaker.itunes.apple.com.edgekey.net", + "type": "CNAME" + }, + { + "data": "e4541.dsce9.akamaiedge.net", + "type": "CNAME" + }, + { + "data": "23.64.104.249", + "type": "A" + } + ], + "question": { + "name": "linkmaker.itunes.apple.com", + "registered_domain": "apple.com", + "subdomain": "linkmaker.itunes", + "top_level_domain": "com" + }, + "resolved_ip": [ + "23.64.104.249" + ] + }, + "ecs": { + "version": "1.12.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "ingested": 
"2022-06-08T05:43:58.773878300Z", + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "host": { + "name": "vagrant-2016" + }, + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 + }, + "related": { + "hosts": [ + "linkmaker.itunes.apple.com.edgekey.net", + "e4541.dsce9.akamaiedge.net", + "linkmaker.itunes.apple.com" + ], + "ip": [ + "23.64.104.249" + ] + }, + "sysmon": { + "dns": { + "status": "SUCCESS" + } + }, + "user": { + "id": "S-1-5-18" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2016", + "event_id": "22", + "opcode": "Info", + "process": { + "pid": 2828, + "thread": { + "id": 1684 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "70", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:01.810Z", + "dns": { + "answers": [ + { + "data": "151.101.1.194", + "type": "A" + }, + { + "data": "151.101.65.194", + "type": "A" + }, + { + "data": "151.101.129.194", + "type": "A" + }, + { + "data": "151.101.193.194", + "type": "A" + } + ], + "question": { + "name": "confiant-integrations.global.ssl.fastly.net", + "registered_domain": "confiant-integrations.global.ssl.fastly.net", + "top_level_domain": "global.ssl.fastly.net" + }, + "resolved_ip": [ + "151.101.1.194", + "151.101.65.194", + "151.101.129.194", + "151.101.193.194" + ] + }, + "ecs": { + "version": "1.12.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "ingested": 
"2022-06-08T05:43:58.773931300Z", + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "host": { + "name": "vagrant-2016" + }, + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 + }, + "related": { + "hosts": [ + "confiant-integrations.global.ssl.fastly.net" + ], + "ip": [ + "151.101.1.194", + "151.101.65.194", + "151.101.129.194", + "151.101.193.194" + ] + }, + "sysmon": { + "dns": { + "status": "SUCCESS" + } + }, + "user": { + "id": "S-1-5-18" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2016", + "event_id": "22", + "opcode": "Info", + "process": { + "pid": 2828, + "thread": { + "id": 1684 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "71", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:01.894Z", + "dns": { + "answers": [ + { + "data": "c.msn.com.nsatc.net", + "type": "CNAME" + }, + { + "data": "20.36.253.92", + "type": "A" + } + ], + "question": { + "name": "c.msn.com", + "registered_domain": "msn.com", + "subdomain": "c", + "top_level_domain": "com" + }, + "resolved_ip": [ + "20.36.253.92" + ] + }, + "ecs": { + "version": "1.12.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "ingested": "2022-06-08T05:43:58.773947600Z", + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "host": { + "name": "vagrant-2016" + }, + "log": { + "level": "information" 
+ }, + "network": { + "protocol": "dns" + }, + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 + }, + "related": { + "hosts": [ + "c.msn.com.nsatc.net", + "c.msn.com" + ], + "ip": [ + "20.36.253.92" + ] + }, + "sysmon": { + "dns": { + "status": "SUCCESS" + } + }, + "user": { + "id": "S-1-5-18" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2016", + "event_id": "22", + "opcode": "Info", + "process": { + "pid": 2828, + "thread": { + "id": 1684 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "72", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:01.948Z", + "dns": { + "answers": [ + { + "data": "c-bing-com.a-0001.a-msedge.net", + "type": "CNAME" + }, + { + "data": "dual-a-0001.a-msedge.net", + "type": "CNAME" + }, + { + "data": "13.107.21.200", + "type": "A" + }, + { + "data": "204.79.197.200", + "type": "A" + } + ], + "question": { + "name": "c.bing.com", + "registered_domain": "bing.com", + "subdomain": "c", + "top_level_domain": "com" + }, + "resolved_ip": [ + "13.107.21.200", + "204.79.197.200" + ] + }, + "ecs": { + "version": "1.12.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "ingested": "2022-06-08T05:43:58.773963700Z", + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "host": { + "name": "vagrant-2016" + }, + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet 
Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 + }, + "related": { + "hosts": [ + "c-bing-com.a-0001.a-msedge.net", + "dual-a-0001.a-msedge.net", + "c.bing.com" + ], + "ip": [ + "13.107.21.200", + "204.79.197.200" + ] + }, + "sysmon": { + "dns": { + "status": "SUCCESS" + } + }, + "user": { + "id": "S-1-5-18" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2016", + "event_id": "22", + "opcode": "Info", + "process": { + "pid": 2828, + "thread": { + "id": 1684 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "73", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:02.085Z", + "dns": { + "answers": [ + { + "data": "23.52.167.93", + "type": "A" + } + ], + "question": { + "name": "contextual.media.net", + "registered_domain": "media.net", + "subdomain": "contextual", + "top_level_domain": "net" + }, + "resolved_ip": [ + "23.52.167.93" + ] + }, + "ecs": { + "version": "1.12.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "ingested": "2022-06-08T05:43:58.774007200Z", + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "host": { + "name": "vagrant-2016" + }, + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 + }, + "related": { + "hosts": [ + "contextual.media.net" + ], + "ip": [ + "23.52.167.93" + ] + }, + "sysmon": { + "dns": { + "status": "SUCCESS" + } + }, + "user": { + "id": "S-1-5-18" + }, + "winlog": { + "api": "wineventlog", + 
"channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2016", + "event_id": "22", + "opcode": "Info", + "process": { + "pid": 2828, + "thread": { + "id": 1684 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "74", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:02.174Z", + "dns": { + "answers": [ + { + "data": "glb-ads.atwola.adtechus.com", + "type": "CNAME" + }, + { + "data": "cs670.wac.thetacdn.net", + "type": "CNAME" + }, + { + "data": "cs670.lb.wac.apr-1b09e.edgecastdns.net", + "type": "CNAME" + }, + { + "data": "cs935.wac.thetacdn.net", + "type": "CNAME" + }, + { + "data": "152.195.32.120", + "type": "A" + } + ], + "question": { + "name": "at.atwola.com", + "registered_domain": "atwola.com", + "subdomain": "at", + "top_level_domain": "com" + }, + "resolved_ip": [ + "152.195.32.120" + ] + }, + "ecs": { + "version": "1.12.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "ingested": "2022-06-08T05:43:58.774062200Z", + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "host": { + "name": "vagrant-2016" + }, + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 + }, + "related": { + "hosts": [ + "glb-ads.atwola.adtechus.com", + "cs670.wac.thetacdn.net", + "cs670.lb.wac.apr-1b09e.edgecastdns.net", + "cs935.wac.thetacdn.net", + "at.atwola.com" + ], + "ip": [ + "152.195.32.120" + ] + }, + "sysmon": { + "dns": { + "status": "SUCCESS" + } + }, + "user": { + "id": "S-1-5-18" + }, + "winlog": { + "api": 
"wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2016", + "event_id": "22", + "opcode": "Info", + "process": { + "pid": 2828, + "thread": { + "id": 1684 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "75", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:02.274Z", + "dns": { + "answers": [ + { + "data": "microsoft.geo.appnexusgslb.net", + "type": "CNAME" + }, + { + "data": "m.anycast.adnxs.com", + "type": "CNAME" + }, + { + "data": "204.13.192.56", + "type": "A" + }, + { + "data": "204.13.192.120", + "type": "A" + }, + { + "data": "192.5.6.30", + "type": "A" + }, + { + "data": "2001:503:a83e::2:30", + "type": "AAAA" + }, + { + "data": "192.33.14.30", + "type": "A" + }, + { + "data": "2001:503:231d::2:30", + "type": "AAAA" + }, + { + "data": "192.26.92.30", + "type": "A" + }, + { + "data": "2001:503:83eb::30", + "type": "AAAA" + }, + { + "data": "192.31.80.30", + "type": "A" + } + ], + "question": { + "name": "m.adnxs.com", + "registered_domain": "adnxs.com", + "subdomain": "m", + "top_level_domain": "com" + }, + "resolved_ip": [ + "204.13.192.56", + "204.13.192.120", + "192.5.6.30", + "2001:503:a83e::2:30", + "192.33.14.30", + "2001:503:231d::2:30", + "192.26.92.30", + "2001:503:83eb::30", + "192.31.80.30" + ] + }, + "ecs": { + "version": "1.12.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "ingested": "2022-06-08T05:43:58.774078900Z", + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "host": { + "name": "vagrant-2016" + }, + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + 
"executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 + }, + "related": { + "hosts": [ + "microsoft.geo.appnexusgslb.net", + "m.anycast.adnxs.com", + "m.adnxs.com" + ], + "ip": [ + "204.13.192.56", + "204.13.192.120", + "192.5.6.30", + "2001:503:a83e::2:30", + "192.33.14.30", + "2001:503:231d::2:30", + "192.26.92.30", + "2001:503:83eb::30", + "192.31.80.30" + ] + }, + "sysmon": { + "dns": { + "status": "SUCCESS" + } + }, + "user": { + "id": "S-1-5-18" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2016", + "event_id": "22", + "opcode": "Info", + "process": { + "pid": 2828, + "thread": { + "id": 1684 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "76", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:02.291Z", + "dns": { + "answers": [ + { + "data": "spcms-global.pbp.gysm.yahoodns.net", + "type": "CNAME" + }, + { + "data": "74.6.137.78", + "type": "A" + } + ], + "question": { + "name": "cms.analytics.yahoo.com", + "registered_domain": "yahoo.com", + "subdomain": "cms.analytics", + "top_level_domain": "com" + }, + "resolved_ip": [ + "74.6.137.78" + ] + }, + "ecs": { + "version": "1.12.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "ingested": "2022-06-08T05:43:58.774112400Z", + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "host": { + "name": "vagrant-2016" + }, + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": 
"iexplore.exe", + "pid": 2736 + }, + "related": { + "hosts": [ + "spcms-global.pbp.gysm.yahoodns.net", + "cms.analytics.yahoo.com" + ], + "ip": [ + "74.6.137.78" + ] + }, + "sysmon": { + "dns": { + "status": "SUCCESS" + } + }, + "user": { + "id": "S-1-5-18" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2016", + "event_id": "22", + "opcode": "Info", + "process": { + "pid": 2828, + "thread": { + "id": 1684 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "77", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:02.413Z", + "dns": { + "answers": [ + { + "data": "cvision.media.net.edgekey.net", + "type": "CNAME" + }, + { + "data": "e607.d.akamaiedge.net", + "type": "CNAME" + }, + { + "data": "23.52.167.93", + "type": "A" + } + ], + "question": { + "name": "cvision.media.net", + "registered_domain": "media.net", + "subdomain": "cvision", + "top_level_domain": "net" + }, + "resolved_ip": [ + "23.52.167.93" + ] + }, + "ecs": { + "version": "1.12.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "ingested": "2022-06-08T05:43:58.774166300Z", + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "host": { + "name": "vagrant-2016" + }, + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 + }, + "related": { + "hosts": [ + "cvision.media.net.edgekey.net", + "e607.d.akamaiedge.net", + "cvision.media.net" + ], + "ip": [ + "23.52.167.93" + ] + }, + "sysmon": { + "dns": 
{ + "status": "SUCCESS" + } + }, + "user": { + "id": "S-1-5-18" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2016", + "event_id": "22", + "opcode": "Info", + "process": { + "pid": 2828, + "thread": { + "id": 1684 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "78", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:02.424Z", + "dns": { + "answers": [ + { + "data": "g-bing-com.a-0001.a-msedge.net", + "type": "CNAME" + }, + { + "data": "dual-a-0001.a-msedge.net", + "type": "CNAME" + }, + { + "data": "204.79.197.200", + "type": "A" + }, + { + "data": "13.107.21.200", + "type": "A" + } + ], + "question": { + "name": "g.bing.com", + "registered_domain": "bing.com", + "subdomain": "g", + "top_level_domain": "com" + }, + "resolved_ip": [ + "204.79.197.200", + "13.107.21.200" + ] + }, + "ecs": { + "version": "1.12.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "ingested": "2022-06-08T05:43:58.774267400Z", + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "host": { + "name": "vagrant-2016" + }, + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 + }, + "related": { + "hosts": [ + "g-bing-com.a-0001.a-msedge.net", + "dual-a-0001.a-msedge.net", + "g.bing.com" + ], + "ip": [ + "204.79.197.200", + "13.107.21.200" + ] + }, + "sysmon": { + "dns": { + "status": "SUCCESS" + } + }, + "user": { + "id": "S-1-5-18" + }, + "winlog": { + "api": "wineventlog", + 
"channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2016", + "event_id": "22", + "opcode": "Info", + "process": { + "pid": 2828, + "thread": { + "id": 1684 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "79", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:02.427Z", + "dns": { + "answers": [ + { + "data": "23.52.167.93", + "type": "A" + } + ], + "question": { + "name": "lg3.media.net", + "registered_domain": "media.net", + "subdomain": "lg3", + "top_level_domain": "net" + }, + "resolved_ip": [ + "23.52.167.93" + ] + }, + "ecs": { + "version": "1.12.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "ingested": "2022-06-08T05:43:58.774283800Z", + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "host": { + "name": "vagrant-2016" + }, + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 + }, + "related": { + "hosts": [ + "lg3.media.net" + ], + "ip": [ + "23.52.167.93" + ] + }, + "sysmon": { + "dns": { + "status": "SUCCESS" + } + }, + "user": { + "id": "S-1-5-18" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2016", + "event_id": "22", + "opcode": "Info", + "process": { + "pid": 2828, + "thread": { + "id": 1684 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "80", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": 
"SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:02.469Z", + "dns": { + "answers": [ + { + "data": "service.sp.aolp-ds-prd.aws.oath.cloud", + "type": "CNAME" + }, + { + "data": "54.88.96.255", + "type": "A" + }, + { + "data": "34.233.100.168", + "type": "A" + }, + { + "data": "54.209.58.223", + "type": "A" + } + ], + "question": { + "name": "service.sp.advertising.com", + "registered_domain": "advertising.com", + "subdomain": "service.sp", + "top_level_domain": "com" + }, + "resolved_ip": [ + "54.88.96.255", + "34.233.100.168", + "54.209.58.223" + ] + }, + "ecs": { + "version": "1.12.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "ingested": "2022-06-08T05:43:58.774312Z", + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "host": { + "name": "vagrant-2016" + }, + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 + }, + "related": { + "hosts": [ + "service.sp.aolp-ds-prd.aws.oath.cloud", + "service.sp.advertising.com" + ], + "ip": [ + "54.88.96.255", + "34.233.100.168", + "54.209.58.223" + ] + }, + "sysmon": { + "dns": { + "status": "SUCCESS" + } + }, + "user": { + "id": "S-1-5-18" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2016", + "event_id": "22", + "opcode": "Info", + "process": { + "pid": 2828, + "thread": { + "id": 1684 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "81", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + 
}, + { + "@timestamp": "2019-07-18T03:34:02.485Z", + "dns": { + "answers": [ + { + "data": "sb.scorecardresearch.com.edgekey.net", + "type": "CNAME" + }, + { + "data": "e1879.e7.akamaiedge.net", + "type": "CNAME" + }, + { + "data": "184.25.176.117", + "type": "A" + } + ], + "question": { + "name": "sb.scorecardresearch.com", + "registered_domain": "scorecardresearch.com", + "subdomain": "sb", + "top_level_domain": "com" + }, + "resolved_ip": [ + "184.25.176.117" + ] + }, + "ecs": { + "version": "1.12.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "ingested": "2022-06-08T05:43:58.774330300Z", + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "host": { + "name": "vagrant-2016" + }, + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 + }, + "related": { + "hosts": [ + "sb.scorecardresearch.com.edgekey.net", + "e1879.e7.akamaiedge.net", + "sb.scorecardresearch.com" + ], + "ip": [ + "184.25.176.117" + ] + }, + "sysmon": { + "dns": { + "status": "SUCCESS" + } + }, + "user": { + "id": "S-1-5-18" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2016", + "event_id": "22", + "opcode": "Info", + "process": { + "pid": 2828, + "thread": { + "id": 1684 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "82", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:02.500Z", + "dns": { + "answers": [ + { + "data": "iceotf-prod-fe-tm.trafficmanager.net", + "type": "CNAME" 
+ }, + { + "data": "iceotf-prod-fe-eastus.cloudapp.net", + "type": "CNAME" + }, + { + "data": "40.114.54.223", + "type": "A" + } + ], + "question": { + "name": "otf.msn.com", + "registered_domain": "msn.com", + "subdomain": "otf", + "top_level_domain": "com" + }, + "resolved_ip": [ + "40.114.54.223" + ] + }, + "ecs": { + "version": "1.12.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "ingested": "2022-06-08T05:43:58.774385800Z", + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "host": { + "name": "vagrant-2016" + }, + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 + }, + "related": { + "hosts": [ + "iceotf-prod-fe-tm.trafficmanager.net", + "iceotf-prod-fe-eastus.cloudapp.net", + "otf.msn.com" + ], + "ip": [ + "40.114.54.223" + ] + }, + "sysmon": { + "dns": { + "status": "SUCCESS" + } + }, + "user": { + "id": "S-1-5-18" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2016", + "event_id": "22", + "opcode": "Info", + "process": { + "pid": 2828, + "thread": { + "id": 1684 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "83", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:02.580Z", + "dns": { + "answers": [ + { + "data": "35.171.101.225", + "type": "A" + }, + { + "data": "34.196.57.87", + "type": "A" + }, + { + "data": "34.194.164.46", + "type": "A" + }, + { + "data": "34.233.181.142", + "type": "A" + }, + { + "data": "34.194.167.169", + 
"type": "A" + }, + { + "data": "34.193.242.172", + "type": "A" + }, + { + "data": "34.234.152.11", + "type": "A" + }, + { + "data": "34.206.12.124", + "type": "A" + } + ], + "question": { + "name": "ping.chartbeat.net", + "registered_domain": "chartbeat.net", + "subdomain": "ping", + "top_level_domain": "net" + }, + "resolved_ip": [ + "35.171.101.225", + "34.196.57.87", + "34.194.164.46", + "34.233.181.142", + "34.194.167.169", + "34.193.242.172", + "34.234.152.11", + "34.206.12.124" + ] + }, + "ecs": { + "version": "1.12.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "ingested": "2022-06-08T05:43:58.774419200Z", + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "host": { + "name": "vagrant-2016" + }, + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 + }, + "related": { + "hosts": [ + "ping.chartbeat.net" + ], + "ip": [ + "35.171.101.225", + "34.196.57.87", + "34.194.164.46", + "34.233.181.142", + "34.194.167.169", + "34.193.242.172", + "34.234.152.11", + "34.206.12.124" + ] + }, + "sysmon": { + "dns": { + "status": "SUCCESS" + } + }, + "user": { + "id": "S-1-5-18" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2016", + "event_id": "22", + "opcode": "Info", + "process": { + "pid": 2828, + "thread": { + "id": 1684 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "84", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:02.628Z", + "dns": { + 
"answers": [ + { + "data": "151.101.194.79", + "type": "A" + }, + { + "data": "151.101.2.79", + "type": "A" + }, + { + "data": "151.101.66.79", + "type": "A" + }, + { + "data": "151.101.130.79", + "type": "A" + } + ], + "question": { + "name": "clarium.freetls.fastly.net", + "registered_domain": "clarium.freetls.fastly.net", + "top_level_domain": "freetls.fastly.net" + }, + "resolved_ip": [ + "151.101.194.79", + "151.101.2.79", + "151.101.66.79", + "151.101.130.79" + ] + }, + "ecs": { + "version": "1.12.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "ingested": "2022-06-08T05:43:58.774434800Z", + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "host": { + "name": "vagrant-2016" + }, + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 + }, + "related": { + "hosts": [ + "clarium.freetls.fastly.net" + ], + "ip": [ + "151.101.194.79", + "151.101.2.79", + "151.101.66.79", + "151.101.130.79" + ] + }, + "sysmon": { + "dns": { + "status": "SUCCESS" + } + }, + "user": { + "id": "S-1-5-18" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2016", + "event_id": "22", + "opcode": "Info", + "process": { + "pid": 2828, + "thread": { + "id": 1684 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "85", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:02.633Z", + "dns": { + "answers": [ + { + "data": "68.67.178.252", + "type": "A" + }, + { + "data": "68.67.179.11", + 
"type": "A" + }, + { + "data": "68.67.179.228", + "type": "A" + }, + { + "data": "68.67.178.184", + "type": "A" + }, + { + "data": "204.13.192.141", + "type": "A" + }, + { + "data": "68.67.180.43", + "type": "A" + }, + { + "data": "68.67.179.23", + "type": "A" + }, + { + "data": "68.67.179.197", + "type": "A" + }, + { + "data": "192.5.6.30", + "type": "A" + }, + { + "data": "2001:503:a83e::2:30", + "type": "AAAA" + }, + { + "data": "192.33.14.30", + "type": "A" + }, + { + "data": "2001:503:231d::2:30", + "type": "AAAA" + }, + { + "data": "192.26.92.30", + "type": "A" + } + ], + "question": { + "name": "nym1-ib.adnxs.com", + "registered_domain": "adnxs.com", + "subdomain": "nym1-ib", + "top_level_domain": "com" + }, + "resolved_ip": [ + "68.67.178.252", + "68.67.179.11", + "68.67.179.228", + "68.67.178.184", + "204.13.192.141", + "68.67.180.43", + "68.67.179.23", + "68.67.179.197", + "192.5.6.30", + "2001:503:a83e::2:30", + "192.33.14.30", + "2001:503:231d::2:30", + "192.26.92.30" + ] + }, + "ecs": { + "version": "1.12.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "ingested": "2022-06-08T05:43:58.774450Z", + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "host": { + "name": "vagrant-2016" + }, + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 + }, + "related": { + "hosts": [ + "nym1-ib.adnxs.com" + ], + "ip": [ + "68.67.178.252", + "68.67.179.11", + "68.67.179.228", + "68.67.178.184", + "204.13.192.141", + "68.67.180.43", + "68.67.179.23", + "68.67.179.197", + "192.5.6.30", + "2001:503:a83e::2:30", + "192.33.14.30", + "2001:503:231d::2:30", + "192.26.92.30" + ] + }, + "sysmon": { + "dns": { + "status": "SUCCESS" + } + }, + "user": 
{ + "id": "S-1-5-18" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2016", + "event_id": "22", + "opcode": "Info", + "process": { + "pid": 2828, + "thread": { + "id": 1684 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "86", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:02.716Z", + "dns": { + "answers": [ + { + "data": "us-east-eb2.3lift.com", + "type": "CNAME" + }, + { + "data": "dualstack.engagement-bus-prod-713264365.us-east-1.elb.amazonaws.com", + "type": "CNAME" + }, + { + "data": "34.196.86.129", + "type": "A" + }, + { + "data": "34.233.250.110", + "type": "A" + }, + { + "data": "18.209.244.108", + "type": "A" + }, + { + "data": "34.224.204.11", + "type": "A" + }, + { + "data": "34.237.44.255", + "type": "A" + }, + { + "data": "3.210.231.21", + "type": "A" + }, + { + "data": "54.172.198.255", + "type": "A" + }, + { + "data": "34.199.186.227", + "type": "A" + }, + { + "data": "192.5.6.30", + "type": "A" + } + ], + "question": { + "name": "eb2.3lift.com", + "registered_domain": "3lift.com", + "subdomain": "eb2", + "top_level_domain": "com" + }, + "resolved_ip": [ + "34.196.86.129", + "34.233.250.110", + "18.209.244.108", + "34.224.204.11", + "34.237.44.255", + "3.210.231.21", + "54.172.198.255", + "34.199.186.227", + "192.5.6.30" + ] + }, + "ecs": { + "version": "1.12.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "ingested": "2022-06-08T05:43:58.774489600Z", + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "host": { + "name": "vagrant-2016" + }, + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, + "process": { + 
"entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 + }, + "related": { + "hosts": [ + "us-east-eb2.3lift.com", + "dualstack.engagement-bus-prod-713264365.us-east-1.elb.amazonaws.com", + "eb2.3lift.com" + ], + "ip": [ + "34.196.86.129", + "34.233.250.110", + "18.209.244.108", + "34.224.204.11", + "34.237.44.255", + "3.210.231.21", + "54.172.198.255", + "34.199.186.227", + "192.5.6.30" + ] + }, + "sysmon": { + "dns": { + "status": "SUCCESS" + } + }, + "user": { + "id": "S-1-5-18" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2016", + "event_id": "22", + "opcode": "Info", + "process": { + "pid": 2828, + "thread": { + "id": 1684 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "87", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:02.727Z", + "dns": { + "answers": [ + { + "data": "mix.linkedin.com", + "type": "CNAME" + }, + { + "data": "any-na.mix.linkedin.com", + "type": "CNAME" + }, + { + "data": "108.174.10.14", + "type": "A" + }, + { + "data": "192.5.6.30", + "type": "A" + }, + { + "data": "2001:503:a83e::2:30", + "type": "AAAA" + }, + { + "data": "192.33.14.30", + "type": "A" + }, + { + "data": "2001:503:231d::2:30", + "type": "AAAA" + }, + { + "data": "192.26.92.30", + "type": "A" + }, + { + "data": "2001:503:83eb::30", + "type": "AAAA" + }, + { + "data": "192.31.80.30", + "type": "A" + }, + { + "data": "2001:500:856e::30", + "type": "AAAA" + }, + { + "data": "192.12.94.30", + "type": "A" + } + ], + "question": { + "name": "px.ads.linkedin.com", + "registered_domain": "linkedin.com", + "subdomain": "px.ads", + "top_level_domain": "com" + }, + 
"resolved_ip": [ + "108.174.10.14", + "192.5.6.30", + "2001:503:a83e::2:30", + "192.33.14.30", + "2001:503:231d::2:30", + "192.26.92.30", + "2001:503:83eb::30", + "192.31.80.30", + "2001:500:856e::30", + "192.12.94.30" + ] + }, + "ecs": { + "version": "1.12.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "ingested": "2022-06-08T05:43:58.774523Z", + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "host": { + "name": "vagrant-2016" + }, + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 + }, + "related": { + "hosts": [ + "mix.linkedin.com", + "any-na.mix.linkedin.com", + "px.ads.linkedin.com" + ], + "ip": [ + "108.174.10.14", + "192.5.6.30", + "2001:503:a83e::2:30", + "192.33.14.30", + "2001:503:231d::2:30", + "192.26.92.30", + "2001:503:83eb::30", + "192.31.80.30", + "2001:500:856e::30", + "192.12.94.30" + ] + }, + "sysmon": { + "dns": { + "status": "SUCCESS" + } + }, + "user": { + "id": "S-1-5-18" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2016", + "event_id": "22", + "opcode": "Info", + "process": { + "pid": 2828, + "thread": { + "id": 1684 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "88", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:02.733Z", + "dns": { + "answers": [ + { + "data": "login.msa.msidentity.com", + "type": "CNAME" + }, + { + "data": "lgin.msa.trafficmanager.net", + "type": "CNAME" + }, + { + "data": "40.90.23.239", + 
"type": "A" + }, + { + "data": "40.90.23.213", + "type": "A" + }, + { + "data": "40.90.23.154", + "type": "A" + } + ], + "question": { + "name": "login.live.com", + "registered_domain": "live.com", + "subdomain": "login", + "top_level_domain": "com" + }, + "resolved_ip": [ + "40.90.23.239", + "40.90.23.213", + "40.90.23.154" + ] + }, + "ecs": { + "version": "1.12.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "ingested": "2022-06-08T05:43:58.774562600Z", + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "host": { + "name": "vagrant-2016" + }, + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 + }, + "related": { + "hosts": [ + "login.msa.msidentity.com", + "lgin.msa.trafficmanager.net", + "login.live.com" + ], + "ip": [ + "40.90.23.239", + "40.90.23.213", + "40.90.23.154" + ] + }, + "sysmon": { + "dns": { + "status": "SUCCESS" + } + }, + "user": { + "id": "S-1-5-18" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2016", + "event_id": "22", + "opcode": "Info", + "process": { + "pid": 2828, + "thread": { + "id": 1684 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "89", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:02.792Z", + "dns": { + "answers": [ + { + "data": "74.119.119.150", + "type": "A" + }, + { + "data": "192.5.6.30", + "type": "A" + }, + { + "data": "2001:503:a83e::2:30", + "type": "AAAA" + }, + { + "data": "192.33.14.30", + "type": 
"A" + }, + { + "data": "2001:503:231d::2:30", + "type": "AAAA" + }, + { + "data": "192.26.92.30", + "type": "A" + }, + { + "data": "2001:503:83eb::30", + "type": "AAAA" + }, + { + "data": "192.31.80.30", + "type": "A" + }, + { + "data": "2001:500:856e::30", + "type": "AAAA" + }, + { + "data": "192.12.94.30", + "type": "A" + }, + { + "data": "2001:502:1ca1::30", + "type": "AAAA" + }, + { + "data": "192.35.51.30", + "type": "A" + } + ], + "question": { + "name": "dis.criteo.com", + "registered_domain": "criteo.com", + "subdomain": "dis", + "top_level_domain": "com" + }, + "resolved_ip": [ + "74.119.119.150", + "192.5.6.30", + "2001:503:a83e::2:30", + "192.33.14.30", + "2001:503:231d::2:30", + "192.26.92.30", + "2001:503:83eb::30", + "192.31.80.30", + "2001:500:856e::30", + "192.12.94.30", + "2001:502:1ca1::30", + "192.35.51.30" + ] + }, + "ecs": { + "version": "1.12.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "ingested": "2022-06-08T05:43:58.774578600Z", + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "host": { + "name": "vagrant-2016" + }, + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 + }, + "related": { + "hosts": [ + "dis.criteo.com" + ], + "ip": [ + "74.119.119.150", + "192.5.6.30", + "2001:503:a83e::2:30", + "192.33.14.30", + "2001:503:231d::2:30", + "192.26.92.30", + "2001:503:83eb::30", + "192.31.80.30", + "2001:500:856e::30", + "192.12.94.30", + "2001:502:1ca1::30", + "192.35.51.30" + ] + }, + "sysmon": { + "dns": { + "status": "SUCCESS" + } + }, + "user": { + "id": "S-1-5-18" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2016", + 
"event_id": "22", + "opcode": "Info", + "process": { + "pid": 2828, + "thread": { + "id": 1684 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "90", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:02.792Z", + "dns": { + "answers": [ + { + "data": "g.geogslb.com", + "type": "CNAME" + }, + { + "data": "ib.anycast.adnxs.com", + "type": "CNAME" + }, + { + "data": "68.67.180.12", + "type": "A" + }, + { + "data": "68.67.179.228", + "type": "A" + }, + { + "data": "68.67.180.44", + "type": "A" + }, + { + "data": "204.13.192.141", + "type": "A" + }, + { + "data": "68.67.178.230", + "type": "A" + }, + { + "data": "68.67.178.252", + "type": "A" + }, + { + "data": "68.67.179.23", + "type": "A" + }, + { + "data": "68.67.179.232", + "type": "A" + }, + { + "data": "192.5.6.30", + "type": "A" + }, + { + "data": "2001:503:a83e::2:30", + "type": "AAAA" + }, + { + "data": "192.33.14.30", + "type": "A" + } + ], + "question": { + "name": "ib.adnxs.com", + "registered_domain": "adnxs.com", + "subdomain": "ib", + "top_level_domain": "com" + }, + "resolved_ip": [ + "68.67.180.12", + "68.67.179.228", + "68.67.180.44", + "204.13.192.141", + "68.67.178.230", + "68.67.178.252", + "68.67.179.23", + "68.67.179.232", + "192.5.6.30", + "2001:503:a83e::2:30", + "192.33.14.30" + ] + }, + "ecs": { + "version": "1.12.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "ingested": "2022-06-08T05:43:58.774592900Z", + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "host": { + "name": "vagrant-2016" + }, + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": 
"C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 + }, + "related": { + "hosts": [ + "g.geogslb.com", + "ib.anycast.adnxs.com", + "ib.adnxs.com" + ], + "ip": [ + "68.67.180.12", + "68.67.179.228", + "68.67.180.44", + "204.13.192.141", + "68.67.178.230", + "68.67.178.252", + "68.67.179.23", + "68.67.179.232", + "192.5.6.30", + "2001:503:a83e::2:30", + "192.33.14.30" + ] + }, + "sysmon": { + "dns": { + "status": "SUCCESS" + } + }, + "user": { + "id": "S-1-5-18" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2016", + "event_id": "22", + "opcode": "Info", + "process": { + "pid": 2828, + "thread": { + "id": 1684 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "91", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:02.809Z", + "dns": { + "answers": [ + { + "data": "pagead.l.doubleclick.net", + "type": "CNAME" + }, + { + "data": "172.217.10.34", + "type": "A" + } + ], + "question": { + "name": "cm.g.doubleclick.net", + "registered_domain": "doubleclick.net", + "subdomain": "cm.g", + "top_level_domain": "net" + }, + "resolved_ip": [ + "172.217.10.34" + ] + }, + "ecs": { + "version": "1.12.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "ingested": "2022-06-08T05:43:58.774604100Z", + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "host": { + "name": "vagrant-2016" + }, + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": 
"iexplore.exe", + "pid": 2736 + }, + "related": { + "hosts": [ + "pagead.l.doubleclick.net", + "cm.g.doubleclick.net" + ], + "ip": [ + "172.217.10.34" + ] + }, + "sysmon": { + "dns": { + "status": "SUCCESS" + } + }, + "user": { + "id": "S-1-5-18" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2016", + "event_id": "22", + "opcode": "Info", + "process": { + "pid": 2828, + "thread": { + "id": 1684 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "92", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:02.821Z", + "dns": { + "answers": [ + { + "data": "match-975362022.us-east-1.elb.amazonaws.com", + "type": "CNAME" + }, + { + "data": "54.208.129.24", + "type": "A" + }, + { + "data": "54.175.5.93", + "type": "A" + }, + { + "data": "52.86.210.96", + "type": "A" + }, + { + "data": "3.93.252.59", + "type": "A" + }, + { + "data": "54.86.97.130", + "type": "A" + }, + { + "data": "34.194.239.194", + "type": "A" + }, + { + "data": "3.94.67.102", + "type": "A" + }, + { + "data": "192.5.6.30", + "type": "A" + }, + { + "data": "2001:503:a83e::2:30", + "type": "AAAA" + }, + { + "data": "192.33.14.30", + "type": "A" + } + ], + "question": { + "name": "match.adsrvr.org", + "registered_domain": "adsrvr.org", + "subdomain": "match", + "top_level_domain": "org" + }, + "resolved_ip": [ + "54.208.129.24", + "54.175.5.93", + "52.86.210.96", + "3.93.252.59", + "54.86.97.130", + "34.194.239.194", + "3.94.67.102", + "192.5.6.30", + "2001:503:a83e::2:30", + "192.33.14.30" + ] + }, + "ecs": { + "version": "1.12.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "ingested": "2022-06-08T05:43:58.774616600Z", + "kind": "event", + "module": "sysmon", + "provider": 
"Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "host": { + "name": "vagrant-2016" + }, + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 + }, + "related": { + "hosts": [ + "match-975362022.us-east-1.elb.amazonaws.com", + "match.adsrvr.org" + ], + "ip": [ + "54.208.129.24", + "54.175.5.93", + "52.86.210.96", + "3.93.252.59", + "54.86.97.130", + "34.194.239.194", + "3.94.67.102", + "192.5.6.30", + "2001:503:a83e::2:30", + "192.33.14.30" + ] + }, + "sysmon": { + "dns": { + "status": "SUCCESS" + } + }, + "user": { + "id": "S-1-5-18" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2016", + "event_id": "22", + "opcode": "Info", + "process": { + "pid": 2828, + "thread": { + "id": 1684 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "93", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:02.821Z", + "dns": { + "answers": [ + { + "data": "ssum-sec.casalemedia.com.edgekey.net", + "type": "CNAME" + }, + { + "data": "e8037.g.akamaiedge.net", + "type": "CNAME" + }, + { + "data": "23.52.162.21", + "type": "A" + } + ], + "question": { + "name": "ssum-sec.casalemedia.com", + "registered_domain": "casalemedia.com", + "subdomain": "ssum-sec", + "top_level_domain": "com" + }, + "resolved_ip": [ + "23.52.162.21" + ] + }, + "ecs": { + "version": "1.12.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "ingested": "2022-06-08T05:43:58.774629200Z", + "kind": "event", + "module": "sysmon", + "provider": 
"Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "host": { + "name": "vagrant-2016" + }, + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 + }, + "related": { + "hosts": [ + "ssum-sec.casalemedia.com.edgekey.net", + "e8037.g.akamaiedge.net", + "ssum-sec.casalemedia.com" + ], + "ip": [ + "23.52.162.21" + ] + }, + "sysmon": { + "dns": { + "status": "SUCCESS" + } + }, + "user": { + "id": "S-1-5-18" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2016", + "event_id": "22", + "opcode": "Info", + "process": { + "pid": 2828, + "thread": { + "id": 1684 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "94", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:02.828Z", + "dns": { + "answers": [ + { + "data": "adserver-clarium-446793891.us-east-1.elb.amazonaws.com", + "type": "CNAME" + }, + { + "data": "18.204.130.216", + "type": "A" + }, + { + "data": "18.209.246.43", + "type": "A" + }, + { + "data": "107.23.153.61", + "type": "A" + }, + { + "data": "18.235.141.27", + "type": "A" + }, + { + "data": "3.210.79.248", + "type": "A" + }, + { + "data": "18.209.146.43", + "type": "A" + }, + { + "data": "18.210.64.206", + "type": "A" + }, + { + "data": "18.214.161.226", + "type": "A" + }, + { + "data": "192.5.6.30", + "type": "A" + }, + { + "data": "2001:503:a83e::2:30", + "type": "AAAA" + } + ], + "question": { + "name": "protected-by.clarium.io", + "registered_domain": "clarium.io", + "subdomain": "protected-by", + "top_level_domain": "io" 
+ }, + "resolved_ip": [ + "18.204.130.216", + "18.209.246.43", + "107.23.153.61", + "18.235.141.27", + "3.210.79.248", + "18.209.146.43", + "18.210.64.206", + "18.214.161.226", + "192.5.6.30", + "2001:503:a83e::2:30" + ] + }, + "ecs": { + "version": "1.12.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "ingested": "2022-06-08T05:43:58.774645300Z", + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "host": { + "name": "vagrant-2016" + }, + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 + }, + "related": { + "hosts": [ + "adserver-clarium-446793891.us-east-1.elb.amazonaws.com", + "protected-by.clarium.io" + ], + "ip": [ + "18.204.130.216", + "18.209.246.43", + "107.23.153.61", + "18.235.141.27", + "3.210.79.248", + "18.209.146.43", + "18.210.64.206", + "18.214.161.226", + "192.5.6.30", + "2001:503:a83e::2:30" + ] + }, + "sysmon": { + "dns": { + "status": "SUCCESS" + } + }, + "user": { + "id": "S-1-5-18" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2016", + "event_id": "22", + "opcode": "Info", + "process": { + "pid": 2828, + "thread": { + "id": 1684 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "95", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:02.838Z", + "dns": { + "answers": [ + { + "data": "pagead46.l.doubleclick.net", + "type": "CNAME" + }, + { + "data": "172.217.10.66", + "type": "A" + } + ], + "question": { + "name": 
"pagead2.googlesyndication.com", + "registered_domain": "googlesyndication.com", + "subdomain": "pagead2", + "top_level_domain": "com" + }, + "resolved_ip": [ + "172.217.10.66" + ] + }, + "ecs": { + "version": "1.12.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "ingested": "2022-06-08T05:43:58.774658100Z", + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "host": { + "name": "vagrant-2016" + }, + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 + }, + "related": { + "hosts": [ + "pagead46.l.doubleclick.net", + "pagead2.googlesyndication.com" + ], + "ip": [ + "172.217.10.66" + ] + }, + "sysmon": { + "dns": { + "status": "SUCCESS" + } + }, + "user": { + "id": "S-1-5-18" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2016", + "event_id": "22", + "opcode": "Info", + "process": { + "pid": 2828, + "thread": { + "id": 1684 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "96", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:02.839Z", + "dns": { + "answers": [ + { + "data": "pagead46.l.doubleclick.net", + "type": "CNAME" + }, + { + "data": "172.217.10.66", + "type": "A" + } + ], + "question": { + "name": "googleads.g.doubleclick.net", + "registered_domain": "doubleclick.net", + "subdomain": "googleads.g", + "top_level_domain": "net" + }, + "resolved_ip": [ + "172.217.10.66" + ] + }, + "ecs": { + "version": "1.12.0" + }, + "event": { + "category": [ + 
"network" + ], + "code": "22", + "ingested": "2022-06-08T05:43:58.774732100Z", + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "host": { + "name": "vagrant-2016" + }, + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 + }, + "related": { + "hosts": [ + "pagead46.l.doubleclick.net", + "googleads.g.doubleclick.net" + ], + "ip": [ + "172.217.10.66" + ] + }, + "sysmon": { + "dns": { + "status": "SUCCESS" + } + }, + "user": { + "id": "S-1-5-18" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2016", + "event_id": "22", + "opcode": "Info", + "process": { + "pid": 2828, + "thread": { + "id": 1684 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "97", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:02.841Z", + "dns": { + "answers": [ + { + "data": "prod.ups-adcom.aolp-ds-prd.aws.oath.cloud", + "type": "CNAME" + }, + { + "data": "prod.ups-us-east-1.aolp-ds-prd.aws.oath.cloud", + "type": "CNAME" + }, + { + "data": "52.22.184.73", + "type": "A" + }, + { + "data": "54.152.30.174", + "type": "A" + }, + { + "data": "3.213.70.197", + "type": "A" + }, + { + "data": "54.158.57.141", + "type": "A" + }, + { + "data": "52.6.39.34", + "type": "A" + }, + { + "data": "52.0.113.251", + "type": "A" + }, + { + "data": "3.213.8.28", + "type": "A" + }, + { + "data": "3.215.246.105", + "type": "A" + } + ], + "question": { + "name": "pixel.advertising.com", + "registered_domain": 
"advertising.com", + "subdomain": "pixel", + "top_level_domain": "com" + }, + "resolved_ip": [ + "52.22.184.73", + "54.152.30.174", + "3.213.70.197", + "54.158.57.141", + "52.6.39.34", + "52.0.113.251", + "3.213.8.28", + "3.215.246.105" + ] + }, + "ecs": { + "version": "1.12.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "ingested": "2022-06-08T05:43:58.774764Z", + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "host": { + "name": "vagrant-2016" + }, + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 + }, + "related": { + "hosts": [ + "prod.ups-adcom.aolp-ds-prd.aws.oath.cloud", + "prod.ups-us-east-1.aolp-ds-prd.aws.oath.cloud", + "pixel.advertising.com" + ], + "ip": [ + "52.22.184.73", + "54.152.30.174", + "3.213.70.197", + "54.158.57.141", + "52.6.39.34", + "52.0.113.251", + "3.213.8.28", + "3.215.246.105" + ] + }, + "sysmon": { + "dns": { + "status": "SUCCESS" + } + }, + "user": { + "id": "S-1-5-18" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2016", + "event_id": "22", + "opcode": "Info", + "process": { + "pid": 2828, + "thread": { + "id": 1684 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "98", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:02.844Z", + "dns": { + "answers": [ + { + "data": "uplynk.adaptv.advertising.com", + "type": "CNAME" + }, + { + "data": "uplynk-geo.adap.tv", + "type": "CNAME" + }, + { + "data": 
"uplynk-beacon-newvpc-1603485991.us-east-1.elb.amazonaws.com", + "type": "CNAME" + }, + { + "data": "54.210.214.197", + "type": "A" + }, + { + "data": "52.202.202.147", + "type": "A" + }, + { + "data": "192.5.6.30", + "type": "A" + }, + { + "data": "2001:503:a83e::2:30", + "type": "AAAA" + }, + { + "data": "192.33.14.30", + "type": "A" + } + ], + "question": { + "name": "onevideosync.uplynk.com", + "registered_domain": "uplynk.com", + "subdomain": "onevideosync", + "top_level_domain": "com" + }, + "resolved_ip": [ + "54.210.214.197", + "52.202.202.147", + "192.5.6.30", + "2001:503:a83e::2:30", + "192.33.14.30" + ] + }, + "ecs": { + "version": "1.12.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "ingested": "2022-06-08T05:43:58.774798100Z", + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "host": { + "name": "vagrant-2016" + }, + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 + }, + "related": { + "hosts": [ + "uplynk.adaptv.advertising.com", + "uplynk-geo.adap.tv", + "uplynk-beacon-newvpc-1603485991.us-east-1.elb.amazonaws.com", + "onevideosync.uplynk.com" + ], + "ip": [ + "54.210.214.197", + "52.202.202.147", + "192.5.6.30", + "2001:503:a83e::2:30", + "192.33.14.30" + ] + }, + "sysmon": { + "dns": { + "status": "SUCCESS" + } + }, + "user": { + "id": "S-1-5-18" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2016", + "event_id": "22", + "opcode": "Info", + "process": { + "pid": 2828, + "thread": { + "id": 1684 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "99", + "user": 
{ + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:02.956Z", + "dns": { + "answers": [ + { + "data": "ad.turn.com.akadns.net", + "type": "CNAME" + }, + { + "data": "50.116.194.21", + "type": "A" + } + ], + "question": { + "name": "ad.turn.com", + "registered_domain": "turn.com", + "subdomain": "ad", + "top_level_domain": "com" + }, + "resolved_ip": [ + "50.116.194.21" + ] + }, + "ecs": { + "version": "1.12.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "ingested": "2022-06-08T05:43:58.774809600Z", + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "host": { + "name": "vagrant-2016" + }, + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 + }, + "related": { + "hosts": [ + "ad.turn.com.akadns.net", + "ad.turn.com" + ], + "ip": [ + "50.116.194.21" + ] + }, + "sysmon": { + "dns": { + "status": "SUCCESS" + } + }, + "user": { + "id": "S-1-5-18" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2016", + "event_id": "22", + "opcode": "Info", + "process": { + "pid": 2828, + "thread": { + "id": 1684 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "100", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:03.005Z", + "dns": { + "answers": [ + { + "data": "prod.ups-yahoo.aolp-ds-prd.aws.oath.cloud", + "type": "CNAME" + }, + { + "data": 
"34.225.20.218", + "type": "A" + }, + { + "data": "3.216.14.125", + "type": "A" + }, + { + "data": "52.200.28.150", + "type": "A" + }, + { + "data": "3.216.103.132", + "type": "A" + }, + { + "data": "52.4.86.222", + "type": "A" + }, + { + "data": "52.21.200.160", + "type": "A" + }, + { + "data": "3.216.249.238", + "type": "A" + }, + { + "data": "3.94.175.146", + "type": "A" + } + ], + "question": { + "name": "ups.analytics.yahoo.com", + "registered_domain": "yahoo.com", + "subdomain": "ups.analytics", + "top_level_domain": "com" + }, + "resolved_ip": [ + "34.225.20.218", + "3.216.14.125", + "52.200.28.150", + "3.216.103.132", + "52.4.86.222", + "52.21.200.160", + "3.216.249.238", + "3.94.175.146" + ] + }, + "ecs": { + "version": "1.12.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "ingested": "2022-06-08T05:43:58.774843200Z", + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "host": { + "name": "vagrant-2016" + }, + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 + }, + "related": { + "hosts": [ + "prod.ups-yahoo.aolp-ds-prd.aws.oath.cloud", + "ups.analytics.yahoo.com" + ], + "ip": [ + "34.225.20.218", + "3.216.14.125", + "52.200.28.150", + "3.216.103.132", + "52.4.86.222", + "52.21.200.160", + "3.216.249.238", + "3.94.175.146" + ] + }, + "sysmon": { + "dns": { + "status": "SUCCESS" + } + }, + "user": { + "id": "S-1-5-18" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2016", + "event_id": "22", + "opcode": "Info", + "process": { + "pid": 2828, + "thread": { + "id": 1684 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": 
"Microsoft-Windows-Sysmon", + "record_id": "101", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:03.070Z", + "dns": { + "answers": [ + { + "data": "dxedge-prod-lb-946522505.us-east-1.elb.amazonaws.com", + "type": "CNAME" + }, + { + "data": "34.237.248.89", + "type": "A" + }, + { + "data": "35.153.21.25", + "type": "A" + }, + { + "data": "52.200.238.112", + "type": "A" + }, + { + "data": "52.206.93.38", + "type": "A" + }, + { + "data": "34.227.35.137", + "type": "A" + }, + { + "data": "35.169.96.208", + "type": "A" + }, + { + "data": "52.22.206.42", + "type": "A" + }, + { + "data": "52.201.81.61", + "type": "A" + }, + { + "data": "192.5.6.30", + "type": "A" + }, + { + "data": "2001:503:a83e::2:30", + "type": "AAAA" + }, + { + "data": "192.33.14.30", + "type": "A" + } + ], + "question": { + "name": "pm.w55c.net", + "registered_domain": "w55c.net", + "subdomain": "pm", + "top_level_domain": "net" + }, + "resolved_ip": [ + "34.237.248.89", + "35.153.21.25", + "52.200.238.112", + "52.206.93.38", + "34.227.35.137", + "35.169.96.208", + "52.22.206.42", + "52.201.81.61", + "192.5.6.30", + "2001:503:a83e::2:30", + "192.33.14.30" + ] + }, + "ecs": { + "version": "1.12.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "ingested": "2022-06-08T05:43:58.774880100Z", + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "host": { + "name": "vagrant-2016" + }, + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 + }, + "related": { + "hosts": [ + "dxedge-prod-lb-946522505.us-east-1.elb.amazonaws.com", + "pm.w55c.net" + ], + 
"ip": [ + "34.237.248.89", + "35.153.21.25", + "52.200.238.112", + "52.206.93.38", + "34.227.35.137", + "35.169.96.208", + "52.22.206.42", + "52.201.81.61", + "192.5.6.30", + "2001:503:a83e::2:30", + "192.33.14.30" + ] + }, + "sysmon": { + "dns": { + "status": "SUCCESS" + } + }, + "user": { + "id": "S-1-5-18" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2016", + "event_id": "22", + "opcode": "Info", + "process": { + "pid": 2828, + "thread": { + "id": 1684 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "102", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:03.093Z", + "dns": { + "answers": [ + { + "data": "35.186.239.238", + "type": "A" + }, + { + "data": "192.5.6.30", + "type": "A" + }, + { + "data": "2001:503:a83e::2:30", + "type": "AAAA" + }, + { + "data": "192.33.14.30", + "type": "A" + }, + { + "data": "2001:503:231d::2:30", + "type": "AAAA" + }, + { + "data": "192.26.92.30", + "type": "A" + }, + { + "data": "2001:503:83eb::30", + "type": "AAAA" + }, + { + "data": "192.31.80.30", + "type": "A" + }, + { + "data": "2001:500:856e::30", + "type": "AAAA" + }, + { + "data": "192.12.94.30", + "type": "A" + }, + { + "data": "2001:502:1ca1::30", + "type": "AAAA" + }, + { + "data": "192.35.51.30", + "type": "A" + } + ], + "question": { + "name": "cm.eyereturn.com", + "registered_domain": "eyereturn.com", + "subdomain": "cm", + "top_level_domain": "com" + }, + "resolved_ip": [ + "35.186.239.238", + "192.5.6.30", + "2001:503:a83e::2:30", + "192.33.14.30", + "2001:503:231d::2:30", + "192.26.92.30", + "2001:503:83eb::30", + "192.31.80.30", + "2001:500:856e::30", + "192.12.94.30", + "2001:502:1ca1::30", + "192.35.51.30" + ] + }, + "ecs": { + "version": "1.12.0" + }, + "event": { + 
"category": [ + "network" + ], + "code": "22", + "ingested": "2022-06-08T05:43:58.774892300Z", + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "host": { + "name": "vagrant-2016" + }, + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 + }, + "related": { + "hosts": [ + "cm.eyereturn.com" + ], + "ip": [ + "35.186.239.238", + "192.5.6.30", + "2001:503:a83e::2:30", + "192.33.14.30", + "2001:503:231d::2:30", + "192.26.92.30", + "2001:503:83eb::30", + "192.31.80.30", + "2001:500:856e::30", + "192.12.94.30", + "2001:502:1ca1::30", + "192.35.51.30" + ] + }, + "sysmon": { + "dns": { + "status": "SUCCESS" + } + }, + "user": { + "id": "S-1-5-18" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2016", + "event_id": "22", + "opcode": "Info", + "process": { + "pid": 2828, + "thread": { + "id": 1684 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "103", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:03.099Z", + "dns": { + "answers": [ + { + "data": "pagead46.l.doubleclick.net", + "type": "CNAME" + }, + { + "data": "172.217.10.66", + "type": "A" + } + ], + "question": { + "name": "www.googletagservices.com", + "registered_domain": "googletagservices.com", + "subdomain": "www", + "top_level_domain": "com" + }, + "resolved_ip": [ + "172.217.10.66" + ] + }, + "ecs": { + "version": "1.12.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "ingested": 
"2022-06-08T05:43:58.774905800Z", + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "host": { + "name": "vagrant-2016" + }, + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 + }, + "related": { + "hosts": [ + "pagead46.l.doubleclick.net", + "www.googletagservices.com" + ], + "ip": [ + "172.217.10.66" + ] + }, + "sysmon": { + "dns": { + "status": "SUCCESS" + } + }, + "user": { + "id": "S-1-5-18" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2016", + "event_id": "22", + "opcode": "Info", + "process": { + "pid": 2828, + "thread": { + "id": 1684 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "104", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:03.107Z", + "dns": { + "answers": [ + { + "data": "rtb.adgrx.com", + "type": "CNAME" + }, + { + "data": "173.231.178.117", + "type": "A" + }, + { + "data": "192.5.6.30", + "type": "A" + }, + { + "data": "2001:503:a83e::2:30", + "type": "AAAA" + }, + { + "data": "192.33.14.30", + "type": "A" + }, + { + "data": "2001:503:231d::2:30", + "type": "AAAA" + }, + { + "data": "192.26.92.30", + "type": "A" + }, + { + "data": "2001:503:83eb::30", + "type": "AAAA" + }, + { + "data": "192.31.80.30", + "type": "A" + }, + { + "data": "2001:500:856e::30", + "type": "AAAA" + }, + { + "data": "192.12.94.30", + "type": "A" + }, + { + "data": "2001:502:1ca1::30", + "type": "AAAA" + } + ], + "question": { + "name": "cm.adgrx.com", + 
"registered_domain": "adgrx.com", + "subdomain": "cm", + "top_level_domain": "com" + }, + "resolved_ip": [ + "173.231.178.117", + "192.5.6.30", + "2001:503:a83e::2:30", + "192.33.14.30", + "2001:503:231d::2:30", + "192.26.92.30", + "2001:503:83eb::30", + "192.31.80.30", + "2001:500:856e::30", + "192.12.94.30", + "2001:502:1ca1::30" + ] + }, + "ecs": { + "version": "1.12.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "ingested": "2022-06-08T05:43:58.774932Z", + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "host": { + "name": "vagrant-2016" + }, + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 + }, + "related": { + "hosts": [ + "rtb.adgrx.com", + "cm.adgrx.com" + ], + "ip": [ + "173.231.178.117", + "192.5.6.30", + "2001:503:a83e::2:30", + "192.33.14.30", + "2001:503:231d::2:30", + "192.26.92.30", + "2001:503:83eb::30", + "192.31.80.30", + "2001:500:856e::30", + "192.12.94.30", + "2001:502:1ca1::30" + ] + }, + "sysmon": { + "dns": { + "status": "SUCCESS" + } + }, + "user": { + "id": "S-1-5-18" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2016", + "event_id": "22", + "opcode": "Info", + "process": { + "pid": 2828, + "thread": { + "id": 1684 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "105", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:03.107Z", + "dns": { + "answers": [ + { + "data": "j2waycm.netmng.com", + "type": "CNAME" + }, + { 
+ "data": "j2waycm-us-wdc.netmng.com", + "type": "CNAME" + }, + { + "data": "104.193.83.156", + "type": "A" + }, + { + "data": "192.5.6.30", + "type": "A" + }, + { + "data": "2001:503:a83e::2:30", + "type": "AAAA" + }, + { + "data": "192.33.14.30", + "type": "A" + }, + { + "data": "2001:503:231d::2:30", + "type": "AAAA" + }, + { + "data": "192.26.92.30", + "type": "A" + }, + { + "data": "2001:503:83eb::30", + "type": "AAAA" + }, + { + "data": "192.31.80.30", + "type": "A" + }, + { + "data": "2001:500:856e::30", + "type": "AAAA" + } + ], + "question": { + "name": "csm2waycm-atl.netmng.com", + "registered_domain": "netmng.com", + "subdomain": "csm2waycm-atl", + "top_level_domain": "com" + }, + "resolved_ip": [ + "104.193.83.156", + "192.5.6.30", + "2001:503:a83e::2:30", + "192.33.14.30", + "2001:503:231d::2:30", + "192.26.92.30", + "2001:503:83eb::30", + "192.31.80.30", + "2001:500:856e::30" + ] + }, + "ecs": { + "version": "1.12.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "ingested": "2022-06-08T05:43:58.774942600Z", + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "host": { + "name": "vagrant-2016" + }, + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 + }, + "related": { + "hosts": [ + "j2waycm.netmng.com", + "j2waycm-us-wdc.netmng.com", + "csm2waycm-atl.netmng.com" + ], + "ip": [ + "104.193.83.156", + "192.5.6.30", + "2001:503:a83e::2:30", + "192.33.14.30", + "2001:503:231d::2:30", + "192.26.92.30", + "2001:503:83eb::30", + "192.31.80.30", + "2001:500:856e::30" + ] + }, + "sysmon": { + "dns": { + "status": "SUCCESS" + } + }, + "user": { + "id": "S-1-5-18" + }, + "winlog": { + "api": "wineventlog", + "channel": 
"Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2016", + "event_id": "22", + "opcode": "Info", + "process": { + "pid": 2828, + "thread": { + "id": 1684 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "106", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:03.112Z", + "dns": { + "answers": [ + { + "data": "ds-pr-bh.ybp.gysm.yahoodns.net", + "type": "CNAME" + }, + { + "data": "72.30.2.182", + "type": "A" + } + ], + "question": { + "name": "pr-bh.ybp.yahoo.com", + "registered_domain": "yahoo.com", + "subdomain": "pr-bh.ybp", + "top_level_domain": "com" + }, + "resolved_ip": [ + "72.30.2.182" + ] + }, + "ecs": { + "version": "1.12.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "ingested": "2022-06-08T05:43:58.774956100Z", + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "host": { + "name": "vagrant-2016" + }, + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 + }, + "related": { + "hosts": [ + "ds-pr-bh.ybp.gysm.yahoodns.net", + "pr-bh.ybp.yahoo.com" + ], + "ip": [ + "72.30.2.182" + ] + }, + "sysmon": { + "dns": { + "status": "SUCCESS" + } + }, + "user": { + "id": "S-1-5-18" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2016", + "event_id": "22", + "opcode": "Info", + "process": { + "pid": 2828, + "thread": { + "id": 1684 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": 
"Microsoft-Windows-Sysmon", + "record_id": "107", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:03.113Z", + "dns": { + "answers": [ + { + "data": "3.83.220.223", + "type": "A" + } + ], + "question": { + "name": "ps.eyeota.net", + "registered_domain": "eyeota.net", + "subdomain": "ps", + "top_level_domain": "net" + }, + "resolved_ip": [ + "3.83.220.223" + ] + }, + "ecs": { + "version": "1.12.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "ingested": "2022-06-08T05:43:58.774966100Z", + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "host": { + "name": "vagrant-2016" + }, + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 + }, + "related": { + "hosts": [ + "ps.eyeota.net" + ], + "ip": [ + "3.83.220.223" + ] + }, + "sysmon": { + "dns": { + "status": "SUCCESS" + } + }, + "user": { + "id": "S-1-5-18" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2016", + "event_id": "22", + "opcode": "Info", + "process": { + "pid": 2828, + "thread": { + "id": 1684 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "108", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:03.146Z", + "dns": { + "answers": [ + { + "data": "idpix.media6degrees.com.cdn.cloudflare.net", + "type": "CNAME" + }, + { + "data": "map.media6degrees.com", + 
"type": "CNAME" + }, + { + "data": "map.media6degrees.com.cdn.cloudflare.net", + "type": "CNAME" + }, + { + "data": "204.2.197.201", + "type": "A" + }, + { + "data": "204.2.197.211", + "type": "A" + } + ], + "question": { + "name": "idpix.media6degrees.com", + "registered_domain": "media6degrees.com", + "subdomain": "idpix", + "top_level_domain": "com" + }, + "resolved_ip": [ + "204.2.197.201", + "204.2.197.211" + ] + }, + "ecs": { + "version": "1.12.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "ingested": "2022-06-08T05:43:58.774991400Z", + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "host": { + "name": "vagrant-2016" + }, + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 + }, + "related": { + "hosts": [ + "idpix.media6degrees.com.cdn.cloudflare.net", + "map.media6degrees.com", + "map.media6degrees.com.cdn.cloudflare.net", + "idpix.media6degrees.com" + ], + "ip": [ + "204.2.197.201", + "204.2.197.211" + ] + }, + "sysmon": { + "dns": { + "status": "SUCCESS" + } + }, + "user": { + "id": "S-1-5-18" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2016", + "event_id": "22", + "opcode": "Info", + "process": { + "pid": 2828, + "thread": { + "id": 1684 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "109", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:03.146Z", + "dns": { + "answers": [ + { + "data": "pagead-googlehosted.l.google.com", + 
"type": "CNAME" + }, + { + "data": "172.217.10.1", + "type": "A" + }, + { + "data": "192.5.6.30", + "type": "A" + }, + { + "data": "2001:503:a83e::2:30", + "type": "AAAA" + }, + { + "data": "192.33.14.30", + "type": "A" + }, + { + "data": "2001:503:231d::2:30", + "type": "AAAA" + }, + { + "data": "192.26.92.30", + "type": "A" + }, + { + "data": "2001:503:83eb::30", + "type": "AAAA" + }, + { + "data": "192.31.80.30", + "type": "A" + }, + { + "data": "2001:500:856e::30", + "type": "AAAA" + } + ], + "question": { + "name": "tpc.googlesyndication.com", + "registered_domain": "googlesyndication.com", + "subdomain": "tpc", + "top_level_domain": "com" + }, + "resolved_ip": [ + "172.217.10.1", + "192.5.6.30", + "2001:503:a83e::2:30", + "192.33.14.30", + "2001:503:231d::2:30", + "192.26.92.30", + "2001:503:83eb::30", + "192.31.80.30", + "2001:500:856e::30" + ] + }, + "ecs": { + "version": "1.12.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "ingested": "2022-06-08T05:43:58.775006900Z", + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "host": { + "name": "vagrant-2016" + }, + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 + }, + "related": { + "hosts": [ + "pagead-googlehosted.l.google.com", + "tpc.googlesyndication.com" + ], + "ip": [ + "172.217.10.1", + "192.5.6.30", + "2001:503:a83e::2:30", + "192.33.14.30", + "2001:503:231d::2:30", + "192.26.92.30", + "2001:503:83eb::30", + "192.31.80.30", + "2001:500:856e::30" + ] + }, + "sysmon": { + "dns": { + "status": "SUCCESS" + } + }, + "user": { + "id": "S-1-5-18" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2016", + 
"event_id": "22", + "opcode": "Info", + "process": { + "pid": 2828, + "thread": { + "id": 1684 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "110", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:03.182Z", + "dns": { + "answers": [ + { + "data": "pug44000nfc.pubmatic.com", + "type": "CNAME" + }, + { + "data": "pug44000nf.pubmatic.com", + "type": "CNAME" + }, + { + "data": "162.248.19.147", + "type": "A" + }, + { + "data": "192.5.6.30", + "type": "A" + }, + { + "data": "2001:503:a83e::2:30", + "type": "AAAA" + }, + { + "data": "192.33.14.30", + "type": "A" + }, + { + "data": "2001:503:231d::2:30", + "type": "AAAA" + }, + { + "data": "192.26.92.30", + "type": "A" + }, + { + "data": "2001:503:83eb::30", + "type": "AAAA" + }, + { + "data": "192.31.80.30", + "type": "A" + }, + { + "data": "2001:500:856e::30", + "type": "AAAA" + } + ], + "question": { + "name": "image2.pubmatic.com", + "registered_domain": "pubmatic.com", + "subdomain": "image2", + "top_level_domain": "com" + }, + "resolved_ip": [ + "162.248.19.147", + "192.5.6.30", + "2001:503:a83e::2:30", + "192.33.14.30", + "2001:503:231d::2:30", + "192.26.92.30", + "2001:503:83eb::30", + "192.31.80.30", + "2001:500:856e::30" + ] + }, + "ecs": { + "version": "1.12.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "ingested": "2022-06-08T05:43:58.775021800Z", + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "host": { + "name": "vagrant-2016" + }, + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": 
"iexplore.exe", + "pid": 2736 + }, + "related": { + "hosts": [ + "pug44000nfc.pubmatic.com", + "pug44000nf.pubmatic.com", + "image2.pubmatic.com" + ], + "ip": [ + "162.248.19.147", + "192.5.6.30", + "2001:503:a83e::2:30", + "192.33.14.30", + "2001:503:231d::2:30", + "192.26.92.30", + "2001:503:83eb::30", + "192.31.80.30", + "2001:500:856e::30" + ] + }, + "sysmon": { + "dns": { + "status": "SUCCESS" + } + }, + "user": { + "id": "S-1-5-18" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2016", + "event_id": "22", + "opcode": "Info", + "process": { + "pid": 2828, + "thread": { + "id": 1684 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "111", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:03.183Z", + "dns": { + "answers": [ + { + "data": "www.msn.com", + "type": "CNAME" + }, + { + "data": "www-msn-com.a-0003.a-msedge.net", + "type": "CNAME" + }, + { + "data": "a-0003.a-msedge.net", + "type": "CNAME" + }, + { + "data": "204.79.197.203", + "type": "A" + } + ], + "question": { + "name": "sam.msn.com", + "registered_domain": "msn.com", + "subdomain": "sam", + "top_level_domain": "com" + }, + "resolved_ip": [ + "204.79.197.203" + ] + }, + "ecs": { + "version": "1.12.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "ingested": "2022-06-08T05:43:58.775036700Z", + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "host": { + "name": "vagrant-2016" + }, + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet 
Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 + }, + "related": { + "hosts": [ + "www.msn.com", + "www-msn-com.a-0003.a-msedge.net", + "a-0003.a-msedge.net", + "sam.msn.com" + ], + "ip": [ + "204.79.197.203" + ] + }, + "sysmon": { + "dns": { + "status": "SUCCESS" + } + }, + "user": { + "id": "S-1-5-18" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2016", + "event_id": "22", + "opcode": "Info", + "process": { + "pid": 2828, + "thread": { + "id": 1684 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "112", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:03.222Z", + "dns": { + "answers": [ + { + "data": "52.85.89.250", + "type": "A" + }, + { + "data": "52.85.89.94", + "type": "A" + }, + { + "data": "52.85.89.22", + "type": "A" + }, + { + "data": "52.85.89.139", + "type": "A" + }, + { + "data": "192.5.6.30", + "type": "A" + }, + { + "data": "2001:503:a83e::2:30", + "type": "AAAA" + }, + { + "data": "192.33.14.30", + "type": "A" + }, + { + "data": "2001:503:231d::2:30", + "type": "AAAA" + }, + { + "data": "192.26.92.30", + "type": "A" + }, + { + "data": "2001:503:83eb::30", + "type": "AAAA" + }, + { + "data": "192.31.80.30", + "type": "A" + }, + { + "data": "2001:500:856e::30", + "type": "AAAA" + } + ], + "question": { + "name": "ocsp.sca1b.amazontrust.com", + "registered_domain": "amazontrust.com", + "subdomain": "ocsp.sca1b", + "top_level_domain": "com" + }, + "resolved_ip": [ + "52.85.89.250", + "52.85.89.94", + "52.85.89.22", + "52.85.89.139", + "192.5.6.30", + "2001:503:a83e::2:30", + "192.33.14.30", + "2001:503:231d::2:30", + "192.26.92.30", + "2001:503:83eb::30", + "192.31.80.30", + "2001:500:856e::30" + ] + }, + "ecs": { + "version": "1.12.0" + }, + 
"event": { + "category": [ + "network" + ], + "code": "22", + "ingested": "2022-06-08T05:43:58.775051600Z", + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "host": { + "name": "vagrant-2016" + }, + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 + }, + "related": { + "hosts": [ + "ocsp.sca1b.amazontrust.com" + ], + "ip": [ + "52.85.89.250", + "52.85.89.94", + "52.85.89.22", + "52.85.89.139", + "192.5.6.30", + "2001:503:a83e::2:30", + "192.33.14.30", + "2001:503:231d::2:30", + "192.26.92.30", + "2001:503:83eb::30", + "192.31.80.30", + "2001:500:856e::30" + ] + }, + "sysmon": { + "dns": { + "status": "SUCCESS" + } + }, + "user": { + "id": "S-1-5-18" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2016", + "event_id": "22", + "opcode": "Info", + "process": { + "pid": 2828, + "thread": { + "id": 1684 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "113", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:03.271Z", + "dns": { + "answers": [ + { + "data": "track.adformnet.akadns.net", + "type": "CNAME" + }, + { + "data": "track-us.adformnet.akadns.net", + "type": "CNAME" + }, + { + "data": "185.167.164.43", + "type": "A" + }, + { + "data": "185.167.164.42", + "type": "A" + } + ], + "question": { + "name": "c1.adform.net", + "registered_domain": "adform.net", + "subdomain": "c1", + "top_level_domain": "net" + }, + "resolved_ip": [ + "185.167.164.43", + "185.167.164.42" + ] + 
}, + "ecs": { + "version": "1.12.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "ingested": "2022-06-08T05:43:58.775066300Z", + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "host": { + "name": "vagrant-2016" + }, + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 + }, + "related": { + "hosts": [ + "track.adformnet.akadns.net", + "track-us.adformnet.akadns.net", + "c1.adform.net" + ], + "ip": [ + "185.167.164.43", + "185.167.164.42" + ] + }, + "sysmon": { + "dns": { + "status": "SUCCESS" + } + }, + "user": { + "id": "S-1-5-18" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2016", + "event_id": "22", + "opcode": "Info", + "process": { + "pid": 2828, + "thread": { + "id": 1684 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "114", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:03.271Z", + "dns": { + "answers": [ + { + "data": "wd-prod-ss.trafficmanager.net", + "type": "CNAME" + }, + { + "data": "wd-prod-ss-us-southcentral-2-fe.southcentralus.cloudapp.azure.com", + "type": "CNAME" + }, + { + "data": "40.84.140.84", + "type": "A" + }, + { + "data": "192.5.6.30", + "type": "A" + }, + { + "data": "2001:503:a83e::2:30", + "type": "AAAA" + }, + { + "data": "192.33.14.30", + "type": "A" + }, + { + "data": "2001:503:231d::2:30", + "type": "AAAA" + }, + { + "data": "192.26.92.30", + "type": "A" + } + ], + "question": { + "name": "urs.microsoft.com", 
+ "registered_domain": "microsoft.com", + "subdomain": "urs", + "top_level_domain": "com" + }, + "resolved_ip": [ + "40.84.140.84", + "192.5.6.30", + "2001:503:a83e::2:30", + "192.33.14.30", + "2001:503:231d::2:30", + "192.26.92.30" + ] + }, + "ecs": { + "version": "1.12.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "ingested": "2022-06-08T05:43:58.775081Z", + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "host": { + "name": "vagrant-2016" + }, + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 + }, + "related": { + "hosts": [ + "wd-prod-ss.trafficmanager.net", + "wd-prod-ss-us-southcentral-2-fe.southcentralus.cloudapp.azure.com", + "urs.microsoft.com" + ], + "ip": [ + "40.84.140.84", + "192.5.6.30", + "2001:503:a83e::2:30", + "192.33.14.30", + "2001:503:231d::2:30", + "192.26.92.30" + ] + }, + "sysmon": { + "dns": { + "status": "SUCCESS" + } + }, + "user": { + "id": "S-1-5-18" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2016", + "event_id": "22", + "opcode": "Info", + "process": { + "pid": 2828, + "thread": { + "id": 1684 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "115", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:03.290Z", + "dns": { + "answers": [ + { + "data": "dsum-sec.casalemedia.com.edgekey.net", + "type": "CNAME" + }, + { + "data": "e8037.g.akamaiedge.net", + "type": "CNAME" + }, + { + "data": "23.52.162.21", + "type": 
"A" + } + ], + "question": { + "name": "dsum-sec.casalemedia.com", + "registered_domain": "casalemedia.com", + "subdomain": "dsum-sec", + "top_level_domain": "com" + }, + "resolved_ip": [ + "23.52.162.21" + ] + }, + "ecs": { + "version": "1.12.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "ingested": "2022-06-08T05:43:58.775096200Z", + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "host": { + "name": "vagrant-2016" + }, + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 + }, + "related": { + "hosts": [ + "dsum-sec.casalemedia.com.edgekey.net", + "e8037.g.akamaiedge.net", + "dsum-sec.casalemedia.com" + ], + "ip": [ + "23.52.162.21" + ] + }, + "sysmon": { + "dns": { + "status": "SUCCESS" + } + }, + "user": { + "id": "S-1-5-18" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2016", + "event_id": "22", + "opcode": "Info", + "process": { + "pid": 2828, + "thread": { + "id": 1684 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "116", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:03.292Z", + "dns": { + "answers": [ + { + "data": "ocsp.godaddy.com.akadns.net", + "type": "CNAME" + }, + { + "data": "72.167.239.239", + "type": "A" + } + ], + "question": { + "name": "ocsp.godaddy.com", + "registered_domain": "godaddy.com", + "subdomain": "ocsp", + "top_level_domain": "com" + }, + "resolved_ip": [ + "72.167.239.239" + ] + }, + "ecs": { + "version": 
"1.12.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "ingested": "2022-06-08T05:43:58.775111500Z", + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "host": { + "name": "vagrant-2016" + }, + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 + }, + "related": { + "hosts": [ + "ocsp.godaddy.com.akadns.net", + "ocsp.godaddy.com" + ], + "ip": [ + "72.167.239.239" + ] + }, + "sysmon": { + "dns": { + "status": "SUCCESS" + } + }, + "user": { + "id": "S-1-5-18" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2016", + "event_id": "22", + "opcode": "Info", + "process": { + "pid": 2828, + "thread": { + "id": 1684 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "117", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:03.315Z", + "dns": { + "question": { + "name": "googleads.g.doubleclick.net", + "registered_domain": "doubleclick.net", + "subdomain": "googleads.g", + "top_level_domain": "net" + } + }, + "ecs": { + "version": "1.12.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "ingested": "2022-06-08T05:43:58.775148400Z", + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "host": { + "name": "vagrant-2016" + }, + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, + "process": { + "entity_id": 
"{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 + }, + "related": { + "hosts": [ + "googleads.g.doubleclick.net" + ] + }, + "sysmon": { + "dns": { + "status": "DNS_ERROR_RECORD_DOES_NOT_EXIST" + } + }, + "user": { + "id": "S-1-5-18" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2016", + "event_id": "22", + "opcode": "Info", + "process": { + "pid": 2828, + "thread": { + "id": 1684 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "118", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:03.315Z", + "dns": { + "question": { + "name": "tpc.googlesyndication.com", + "registered_domain": "googlesyndication.com", + "subdomain": "tpc", + "top_level_domain": "com" + } + }, + "ecs": { + "version": "1.12.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "ingested": "2022-06-08T05:43:58.775184200Z", + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "host": { + "name": "vagrant-2016" + }, + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 + }, + "related": { + "hosts": [ + "tpc.googlesyndication.com" + ] + }, + "sysmon": { + "dns": { + "status": "DNS_ERROR_RECORD_DOES_NOT_EXIST" + } + }, + "user": { + "id": "S-1-5-18" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2016", + 
"event_id": "22", + "opcode": "Info", + "process": { + "pid": 2828, + "thread": { + "id": 1684 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "119", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:03.333Z", + "dns": { + "answers": [ + { + "data": "t3j2g9x7.stackpathcdn.com", + "type": "CNAME" + }, + { + "data": "151.139.128.14", + "type": "A" + }, + { + "data": "192.5.6.30", + "type": "A" + }, + { + "data": "2001:503:a83e::2:30", + "type": "AAAA" + }, + { + "data": "192.33.14.30", + "type": "A" + }, + { + "data": "2001:503:231d::2:30", + "type": "AAAA" + }, + { + "data": "192.26.92.30", + "type": "A" + }, + { + "data": "2001:503:83eb::30", + "type": "AAAA" + }, + { + "data": "192.31.80.30", + "type": "A" + }, + { + "data": "2001:500:856e::30", + "type": "AAAA" + }, + { + "data": "192.12.94.30", + "type": "A" + } + ], + "question": { + "name": "ocsp.usertrust.com", + "registered_domain": "usertrust.com", + "subdomain": "ocsp", + "top_level_domain": "com" + }, + "resolved_ip": [ + "151.139.128.14", + "192.5.6.30", + "2001:503:a83e::2:30", + "192.33.14.30", + "2001:503:231d::2:30", + "192.26.92.30", + "2001:503:83eb::30", + "192.31.80.30", + "2001:500:856e::30", + "192.12.94.30" + ] + }, + "ecs": { + "version": "1.12.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "ingested": "2022-06-08T05:43:58.775246500Z", + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "host": { + "name": "vagrant-2016" + }, + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": 
"iexplore.exe", + "pid": 2736 + }, + "related": { + "hosts": [ + "t3j2g9x7.stackpathcdn.com", + "ocsp.usertrust.com" + ], + "ip": [ + "151.139.128.14", + "192.5.6.30", + "2001:503:a83e::2:30", + "192.33.14.30", + "2001:503:231d::2:30", + "192.26.92.30", + "2001:503:83eb::30", + "192.31.80.30", + "2001:500:856e::30", + "192.12.94.30" + ] + }, + "sysmon": { + "dns": { + "status": "SUCCESS" + } + }, + "user": { + "id": "S-1-5-18" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2016", + "event_id": "22", + "opcode": "Info", + "process": { + "pid": 2828, + "thread": { + "id": 1684 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "120", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:03.343Z", + "dns": { + "answers": [ + { + "data": "isrg.trustid.ocsp.identrust.com.edgesuite.net", + "type": "CNAME" + }, + { + "data": "a279.dscq.akamai.net", + "type": "CNAME" + }, + { + "data": "23.50.53.179", + "type": "A" + }, + { + "data": "23.50.53.176", + "type": "A" + } + ], + "question": { + "name": "isrg.trustid.ocsp.identrust.com", + "registered_domain": "identrust.com", + "subdomain": "isrg.trustid.ocsp", + "top_level_domain": "com" + }, + "resolved_ip": [ + "23.50.53.179", + "23.50.53.176" + ] + }, + "ecs": { + "version": "1.12.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "ingested": "2022-06-08T05:43:58.775264600Z", + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "host": { + "name": "vagrant-2016" + }, + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + 
"executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 + }, + "related": { + "hosts": [ + "isrg.trustid.ocsp.identrust.com.edgesuite.net", + "a279.dscq.akamai.net", + "isrg.trustid.ocsp.identrust.com" + ], + "ip": [ + "23.50.53.179", + "23.50.53.176" + ] + }, + "sysmon": { + "dns": { + "status": "SUCCESS" + } + }, + "user": { + "id": "S-1-5-18" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2016", + "event_id": "22", + "opcode": "Info", + "process": { + "pid": 2828, + "thread": { + "id": 1684 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "121", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:03.391Z", + "dns": { + "answers": [ + { + "data": "dart.l.doubleclick.net", + "type": "CNAME" + }, + { + "data": "172.217.6.198", + "type": "A" + } + ], + "question": { + "name": "ad.doubleclick.net", + "registered_domain": "doubleclick.net", + "subdomain": "ad", + "top_level_domain": "net" + }, + "resolved_ip": [ + "172.217.6.198" + ] + }, + "ecs": { + "version": "1.12.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "ingested": "2022-06-08T05:43:58.775280100Z", + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "host": { + "name": "vagrant-2016" + }, + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 + }, + "related": { + "hosts": [ + "dart.l.doubleclick.net", + "ad.doubleclick.net" + ], + "ip": 
[ + "172.217.6.198" + ] + }, + "sysmon": { + "dns": { + "status": "SUCCESS" + } + }, + "user": { + "id": "S-1-5-18" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2016", + "event_id": "22", + "opcode": "Info", + "process": { + "pid": 2828, + "thread": { + "id": 1684 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "122", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:03.393Z", + "dns": { + "answers": [ + { + "data": "t3j2g9x7.stackpathcdn.com", + "type": "CNAME" + }, + { + "data": "151.139.128.14", + "type": "A" + }, + { + "data": "192.5.6.30", + "type": "A" + }, + { + "data": "2001:503:a83e::2:30", + "type": "AAAA" + }, + { + "data": "192.33.14.30", + "type": "A" + }, + { + "data": "2001:503:231d::2:30", + "type": "AAAA" + }, + { + "data": "192.26.92.30", + "type": "A" + }, + { + "data": "2001:503:83eb::30", + "type": "AAAA" + }, + { + "data": "192.31.80.30", + "type": "A" + }, + { + "data": "2001:500:856e::30", + "type": "AAAA" + }, + { + "data": "192.12.94.30", + "type": "A" + } + ], + "question": { + "name": "ocsp.sectigo.com", + "registered_domain": "sectigo.com", + "subdomain": "ocsp", + "top_level_domain": "com" + }, + "resolved_ip": [ + "151.139.128.14", + "192.5.6.30", + "2001:503:a83e::2:30", + "192.33.14.30", + "2001:503:231d::2:30", + "192.26.92.30", + "2001:503:83eb::30", + "192.31.80.30", + "2001:500:856e::30", + "192.12.94.30" + ] + }, + "ecs": { + "version": "1.12.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "ingested": "2022-06-08T05:43:58.775295Z", + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "host": { + "name": "vagrant-2016" + }, 
+ "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 + }, + "related": { + "hosts": [ + "t3j2g9x7.stackpathcdn.com", + "ocsp.sectigo.com" + ], + "ip": [ + "151.139.128.14", + "192.5.6.30", + "2001:503:a83e::2:30", + "192.33.14.30", + "2001:503:231d::2:30", + "192.26.92.30", + "2001:503:83eb::30", + "192.31.80.30", + "2001:500:856e::30", + "192.12.94.30" + ] + }, + "sysmon": { + "dns": { + "status": "SUCCESS" + } + }, + "user": { + "id": "S-1-5-18" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2016", + "event_id": "22", + "opcode": "Info", + "process": { + "pid": 2828, + "thread": { + "id": 1684 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "123", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:03.468Z", + "dns": { + "answers": [ + { + "data": "ocsp.int-x3.letsencrypt.org.edgesuite.net", + "type": "CNAME" + }, + { + "data": "a771.dscq.akamai.net", + "type": "CNAME" + }, + { + "data": "23.50.53.179", + "type": "A" + }, + { + "data": "23.50.53.177", + "type": "A" + } + ], + "question": { + "name": "ocsp.int-x3.letsencrypt.org", + "registered_domain": "letsencrypt.org", + "subdomain": "ocsp.int-x3", + "top_level_domain": "org" + }, + "resolved_ip": [ + "23.50.53.179", + "23.50.53.177" + ] + }, + "ecs": { + "version": "1.12.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "ingested": "2022-06-08T05:43:58.775309500Z", + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + 
"info" + ] + }, + "host": { + "name": "vagrant-2016" + }, + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 + }, + "related": { + "hosts": [ + "ocsp.int-x3.letsencrypt.org.edgesuite.net", + "a771.dscq.akamai.net", + "ocsp.int-x3.letsencrypt.org" + ], + "ip": [ + "23.50.53.179", + "23.50.53.177" + ] + }, + "sysmon": { + "dns": { + "status": "SUCCESS" + } + }, + "user": { + "id": "S-1-5-18" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2016", + "event_id": "22", + "opcode": "Info", + "process": { + "pid": 2828, + "thread": { + "id": 1684 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "124", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:03.581Z", + "dns": { + "answers": [ + { + "data": "pki-goog.l.google.com", + "type": "CNAME" + }, + { + "data": "172.217.12.195", + "type": "A" + }, + { + "data": "192.5.6.30", + "type": "A" + }, + { + "data": "2001:503:a83e::2:30", + "type": "AAAA" + }, + { + "data": "192.33.14.30", + "type": "A" + }, + { + "data": "2001:503:231d::2:30", + "type": "AAAA" + }, + { + "data": "192.26.92.30", + "type": "A" + }, + { + "data": "2001:503:83eb::30", + "type": "AAAA" + }, + { + "data": "192.31.80.30", + "type": "A" + }, + { + "data": "2001:500:856e::30", + "type": "AAAA" + }, + { + "data": "192.12.94.30", + "type": "A" + } + ], + "question": { + "name": "ocsp.pki.goog", + "registered_domain": "pki.goog", + "subdomain": "ocsp", + "top_level_domain": "goog" + }, + "resolved_ip": [ + "172.217.12.195", + "192.5.6.30", + 
"2001:503:a83e::2:30", + "192.33.14.30", + "2001:503:231d::2:30", + "192.26.92.30", + "2001:503:83eb::30", + "192.31.80.30", + "2001:500:856e::30", + "192.12.94.30" + ] + }, + "ecs": { + "version": "1.12.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "ingested": "2022-06-08T05:43:58.775324500Z", + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "host": { + "name": "vagrant-2016" + }, + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 + }, + "related": { + "hosts": [ + "pki-goog.l.google.com", + "ocsp.pki.goog" + ], + "ip": [ + "172.217.12.195", + "192.5.6.30", + "2001:503:a83e::2:30", + "192.33.14.30", + "2001:503:231d::2:30", + "192.26.92.30", + "2001:503:83eb::30", + "192.31.80.30", + "2001:500:856e::30", + "192.12.94.30" + ] + }, + "sysmon": { + "dns": { + "status": "SUCCESS" + } + }, + "user": { + "id": "S-1-5-18" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2016", + "event_id": "22", + "opcode": "Info", + "process": { + "pid": 2828, + "thread": { + "id": 1684 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "125", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:03.872Z", + "dns": { + "answers": [ + { + "data": "pagead.l.doubleclick.net", + "type": "CNAME" + }, + { + "data": "172.217.10.34", + "type": "A" + } + ], + "question": { + "name": "googleads4.g.doubleclick.net", + "registered_domain": "doubleclick.net", + "subdomain": 
"googleads4.g", + "top_level_domain": "net" + }, + "resolved_ip": [ + "172.217.10.34" + ] + }, + "ecs": { + "version": "1.12.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "ingested": "2022-06-08T05:43:58.775338700Z", + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "host": { + "name": "vagrant-2016" + }, + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 + }, + "related": { + "hosts": [ + "pagead.l.doubleclick.net", + "googleads4.g.doubleclick.net" + ], + "ip": [ + "172.217.10.34" + ] + }, + "sysmon": { + "dns": { + "status": "SUCCESS" + } + }, + "user": { + "id": "S-1-5-18" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2016", + "event_id": "22", + "opcode": "Info", + "process": { + "pid": 2828, + "thread": { + "id": 1684 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "126", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:03.889Z", + "dns": { + "answers": [ + { + "data": "f2.taboola.map.fastly.net", + "type": "CNAME" + }, + { + "data": "151.101.2.2", + "type": "A" + }, + { + "data": "151.101.66.2", + "type": "A" + }, + { + "data": "151.101.130.2", + "type": "A" + }, + { + "data": "151.101.194.2", + "type": "A" + } + ], + "question": { + "name": "images.taboola.com", + "registered_domain": "taboola.com", + "subdomain": "images", + "top_level_domain": "com" + }, + "resolved_ip": [ + "151.101.2.2", + "151.101.66.2", + "151.101.130.2", + 
"151.101.194.2" + ] + }, + "ecs": { + "version": "1.12.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "ingested": "2022-06-08T05:43:58.775353200Z", + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "host": { + "name": "vagrant-2016" + }, + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 + }, + "related": { + "hosts": [ + "f2.taboola.map.fastly.net", + "images.taboola.com" + ], + "ip": [ + "151.101.2.2", + "151.101.66.2", + "151.101.130.2", + "151.101.194.2" + ] + }, + "sysmon": { + "dns": { + "status": "SUCCESS" + } + }, + "user": { + "id": "S-1-5-18" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2016", + "event_id": "22", + "opcode": "Info", + "process": { + "pid": 2828, + "thread": { + "id": 1684 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "127", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:03.890Z", + "dns": { + "answers": [ + { + "data": "f2.taboola.map.fastly.net", + "type": "CNAME" + }, + { + "data": "151.101.66.2", + "type": "A" + }, + { + "data": "151.101.130.2", + "type": "A" + }, + { + "data": "151.101.194.2", + "type": "A" + }, + { + "data": "151.101.2.2", + "type": "A" + } + ], + "question": { + "name": "api-s2s.taboola.com", + "registered_domain": "taboola.com", + "subdomain": "api-s2s", + "top_level_domain": "com" + }, + "resolved_ip": [ + "151.101.66.2", + "151.101.130.2", + "151.101.194.2", + "151.101.2.2" + ] + }, + 
"ecs": { + "version": "1.12.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "ingested": "2022-06-08T05:43:58.775367700Z", + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "host": { + "name": "vagrant-2016" + }, + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 + }, + "related": { + "hosts": [ + "f2.taboola.map.fastly.net", + "api-s2s.taboola.com" + ], + "ip": [ + "151.101.66.2", + "151.101.130.2", + "151.101.194.2", + "151.101.2.2" + ] + }, + "sysmon": { + "dns": { + "status": "SUCCESS" + } + }, + "user": { + "id": "S-1-5-18" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2016", + "event_id": "22", + "opcode": "Info", + "process": { + "pid": 2828, + "thread": { + "id": 1684 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "128", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:03.892Z", + "dns": { + "answers": [ + { + "data": "35.231.30.22", + "type": "A" + }, + { + "data": "35.196.212.198", + "type": "A" + } + ], + "question": { + "name": "x.bidswitch.net", + "registered_domain": "bidswitch.net", + "subdomain": "x", + "top_level_domain": "net" + }, + "resolved_ip": [ + "35.231.30.22", + "35.196.212.198" + ] + }, + "ecs": { + "version": "1.12.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "ingested": "2022-06-08T05:43:58.775383700Z", + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + 
"type": [ + "connection", + "protocol", + "info" + ] + }, + "host": { + "name": "vagrant-2016" + }, + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 + }, + "related": { + "hosts": [ + "x.bidswitch.net" + ], + "ip": [ + "35.231.30.22", + "35.196.212.198" + ] + }, + "sysmon": { + "dns": { + "status": "SUCCESS" + } + }, + "user": { + "id": "S-1-5-18" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2016", + "event_id": "22", + "opcode": "Info", + "process": { + "pid": 2828, + "thread": { + "id": 1684 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "129", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:03.894Z", + "dns": { + "answers": [ + { + "data": "anycast.pixel.adsafeprotected.com", + "type": "CNAME" + }, + { + "data": "199.166.0.26", + "type": "A" + }, + { + "data": "192.5.6.30", + "type": "A" + }, + { + "data": "2001:503:a83e::2:30", + "type": "AAAA" + }, + { + "data": "192.33.14.30", + "type": "A" + }, + { + "data": "2001:503:231d::2:30", + "type": "AAAA" + }, + { + "data": "192.26.92.30", + "type": "A" + }, + { + "data": "2001:503:83eb::30", + "type": "AAAA" + }, + { + "data": "192.31.80.30", + "type": "A" + }, + { + "data": "2001:500:856e::30", + "type": "AAAA" + }, + { + "data": "192.12.94.30", + "type": "A" + } + ], + "question": { + "name": "pixel.adsafeprotected.com", + "registered_domain": "adsafeprotected.com", + "subdomain": "pixel", + "top_level_domain": "com" + }, + "resolved_ip": [ + "199.166.0.26", + "192.5.6.30", + "2001:503:a83e::2:30", + 
"192.33.14.30", + "2001:503:231d::2:30", + "192.26.92.30", + "2001:503:83eb::30", + "192.31.80.30", + "2001:500:856e::30", + "192.12.94.30" + ] + }, + "ecs": { + "version": "1.12.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "ingested": "2022-06-08T05:43:58.775398800Z", + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "host": { + "name": "vagrant-2016" + }, + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 + }, + "related": { + "hosts": [ + "anycast.pixel.adsafeprotected.com", + "pixel.adsafeprotected.com" + ], + "ip": [ + "199.166.0.26", + "192.5.6.30", + "2001:503:a83e::2:30", + "192.33.14.30", + "2001:503:231d::2:30", + "192.26.92.30", + "2001:503:83eb::30", + "192.31.80.30", + "2001:500:856e::30", + "192.12.94.30" + ] + }, + "sysmon": { + "dns": { + "status": "SUCCESS" + } + }, + "user": { + "id": "S-1-5-18" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2016", + "event_id": "22", + "opcode": "Info", + "process": { + "pid": 2828, + "thread": { + "id": 1684 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "130", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:03.894Z", + "dns": { + "answers": [ + { + "data": "35.171.48.231", + "type": "A" + }, + { + "data": "52.206.107.32", + "type": "A" + }, + { + "data": "35.175.80.59", + "type": "A" + }, + { + "data": "192.5.6.30", + "type": "A" + }, + { + "data": "2001:503:a83e::2:30", + "type": 
"AAAA" + }, + { + "data": "192.33.14.30", + "type": "A" + }, + { + "data": "2001:503:231d::2:30", + "type": "AAAA" + }, + { + "data": "192.26.92.30", + "type": "A" + }, + { + "data": "2001:503:83eb::30", + "type": "AAAA" + }, + { + "data": "192.31.80.30", + "type": "A" + }, + { + "data": "2001:500:856e::30", + "type": "AAAA" + }, + { + "data": "192.12.94.30", + "type": "A" + } + ], + "question": { + "name": "ml314.com", + "registered_domain": "ml314.com", + "top_level_domain": "com" + }, + "resolved_ip": [ + "35.171.48.231", + "52.206.107.32", + "35.175.80.59", + "192.5.6.30", + "2001:503:a83e::2:30", + "192.33.14.30", + "2001:503:231d::2:30", + "192.26.92.30", + "2001:503:83eb::30", + "192.31.80.30", + "2001:500:856e::30", + "192.12.94.30" + ] + }, + "ecs": { + "version": "1.12.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "ingested": "2022-06-08T05:43:58.775413200Z", + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "host": { + "name": "vagrant-2016" + }, + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 + }, + "related": { + "hosts": [ + "ml314.com" + ], + "ip": [ + "35.171.48.231", + "52.206.107.32", + "35.175.80.59", + "192.5.6.30", + "2001:503:a83e::2:30", + "192.33.14.30", + "2001:503:231d::2:30", + "192.26.92.30", + "2001:503:83eb::30", + "192.31.80.30", + "2001:500:856e::30", + "192.12.94.30" + ] + }, + "sysmon": { + "dns": { + "status": "SUCCESS" + } + }, + "user": { + "id": "S-1-5-18" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2016", + "event_id": "22", + "opcode": "Info", + "process": { + "pid": 2828, + "thread": { + "id": 1684 + } + }, + 
"provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "131", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:03.902Z", + "dns": { + "answers": [ + { + "data": "156.154.200.36", + "type": "A" + }, + { + "data": "63.251.88.56", + "type": "A" + }, + { + "data": "192.5.6.30", + "type": "A" + }, + { + "data": "2001:503:a83e::2:30", + "type": "AAAA" + }, + { + "data": "192.33.14.30", + "type": "A" + }, + { + "data": "2001:503:231d::2:30", + "type": "AAAA" + }, + { + "data": "192.26.92.30", + "type": "A" + }, + { + "data": "2001:503:83eb::30", + "type": "AAAA" + }, + { + "data": "192.31.80.30", + "type": "A" + }, + { + "data": "2001:500:856e::30", + "type": "AAAA" + }, + { + "data": "192.12.94.30", + "type": "A" + }, + { + "data": "2001:502:1ca1::30", + "type": "AAAA" + } + ], + "question": { + "name": "aa.agkn.com", + "registered_domain": "agkn.com", + "subdomain": "aa", + "top_level_domain": "com" + }, + "resolved_ip": [ + "156.154.200.36", + "63.251.88.56", + "192.5.6.30", + "2001:503:a83e::2:30", + "192.33.14.30", + "2001:503:231d::2:30", + "192.26.92.30", + "2001:503:83eb::30", + "192.31.80.30", + "2001:500:856e::30", + "192.12.94.30", + "2001:502:1ca1::30" + ] + }, + "ecs": { + "version": "1.12.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "ingested": "2022-06-08T05:43:58.775427900Z", + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "host": { + "name": "vagrant-2016" + }, + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 + }, + 
"related": { + "hosts": [ + "aa.agkn.com" + ], + "ip": [ + "156.154.200.36", + "63.251.88.56", + "192.5.6.30", + "2001:503:a83e::2:30", + "192.33.14.30", + "2001:503:231d::2:30", + "192.26.92.30", + "2001:503:83eb::30", + "192.31.80.30", + "2001:500:856e::30", + "192.12.94.30", + "2001:502:1ca1::30" + ] + }, + "sysmon": { + "dns": { + "status": "SUCCESS" + } + }, + "user": { + "id": "S-1-5-18" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2016", + "event_id": "22", + "opcode": "Info", + "process": { + "pid": 2828, + "thread": { + "id": 1684 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "132", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:03.911Z", + "dns": { + "answers": [ + { + "data": "s0-2mdn-net.l.google.com", + "type": "CNAME" + }, + { + "data": "172.217.10.134", + "type": "A" + }, + { + "data": "192.5.6.30", + "type": "A" + }, + { + "data": "2001:503:a83e::2:30", + "type": "AAAA" + }, + { + "data": "192.33.14.30", + "type": "A" + }, + { + "data": "2001:503:231d::2:30", + "type": "AAAA" + }, + { + "data": "192.26.92.30", + "type": "A" + }, + { + "data": "2001:503:83eb::30", + "type": "AAAA" + }, + { + "data": "192.31.80.30", + "type": "A" + }, + { + "data": "2001:500:856e::30", + "type": "AAAA" + }, + { + "data": "192.12.94.30", + "type": "A" + } + ], + "question": { + "name": "s0.2mdn.net", + "registered_domain": "2mdn.net", + "subdomain": "s0", + "top_level_domain": "net" + }, + "resolved_ip": [ + "172.217.10.134", + "192.5.6.30", + "2001:503:a83e::2:30", + "192.33.14.30", + "2001:503:231d::2:30", + "192.26.92.30", + "2001:503:83eb::30", + "192.31.80.30", + "2001:500:856e::30", + "192.12.94.30" + ] + }, + "ecs": { + "version": "1.12.0" + }, + "event": { + 
"category": [ + "network" + ], + "code": "22", + "ingested": "2022-06-08T05:43:58.775442300Z", + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "host": { + "name": "vagrant-2016" + }, + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 + }, + "related": { + "hosts": [ + "s0-2mdn-net.l.google.com", + "s0.2mdn.net" + ], + "ip": [ + "172.217.10.134", + "192.5.6.30", + "2001:503:a83e::2:30", + "192.33.14.30", + "2001:503:231d::2:30", + "192.26.92.30", + "2001:503:83eb::30", + "192.31.80.30", + "2001:500:856e::30", + "192.12.94.30" + ] + }, + "sysmon": { + "dns": { + "status": "SUCCESS" + } + }, + "user": { + "id": "S-1-5-18" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2016", + "event_id": "22", + "opcode": "Info", + "process": { + "pid": 2828, + "thread": { + "id": 1684 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "133", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:03.911Z", + "dns": { + "answers": [ + { + "data": "b.scorecardresearch.com.edgesuite.net", + "type": "CNAME" + }, + { + "data": "a1294.w20.akamai.net", + "type": "CNAME" + }, + { + "data": "23.50.53.195", + "type": "A" + }, + { + "data": "23.50.53.185", + "type": "A" + } + ], + "question": { + "name": "b.scorecardresearch.com", + "registered_domain": "scorecardresearch.com", + "subdomain": "b", + "top_level_domain": "com" + }, + "resolved_ip": [ + "23.50.53.195", + "23.50.53.185" + ] + }, + "ecs": { + 
"version": "1.12.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "ingested": "2022-06-08T05:43:58.775456800Z", + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "host": { + "name": "vagrant-2016" + }, + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 + }, + "related": { + "hosts": [ + "b.scorecardresearch.com.edgesuite.net", + "a1294.w20.akamai.net", + "b.scorecardresearch.com" + ], + "ip": [ + "23.50.53.195", + "23.50.53.185" + ] + }, + "sysmon": { + "dns": { + "status": "SUCCESS" + } + }, + "user": { + "id": "S-1-5-18" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2016", + "event_id": "22", + "opcode": "Info", + "process": { + "pid": 2828, + "thread": { + "id": 1684 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "134", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:03.921Z", + "dns": { + "answers": [ + { + "data": "f2.shared.global.fastly.net", + "type": "CNAME" + }, + { + "data": "151.101.130.2", + "type": "A" + }, + { + "data": "151.101.194.2", + "type": "A" + }, + { + "data": "151.101.2.2", + "type": "A" + }, + { + "data": "151.101.66.2", + "type": "A" + } + ], + "question": { + "name": "edw.edmunds.com", + "registered_domain": "edmunds.com", + "subdomain": "edw", + "top_level_domain": "com" + }, + "resolved_ip": [ + "151.101.130.2", + "151.101.194.2", + "151.101.2.2", + "151.101.66.2" + ] + }, + "ecs": { + "version": "1.12.0" + }, + 
"event": { + "category": [ + "network" + ], + "code": "22", + "ingested": "2022-06-08T05:43:58.775472Z", + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "host": { + "name": "vagrant-2016" + }, + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 + }, + "related": { + "hosts": [ + "f2.shared.global.fastly.net", + "edw.edmunds.com" + ], + "ip": [ + "151.101.130.2", + "151.101.194.2", + "151.101.2.2", + "151.101.66.2" + ] + }, + "sysmon": { + "dns": { + "status": "SUCCESS" + } + }, + "user": { + "id": "S-1-5-18" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2016", + "event_id": "22", + "opcode": "Info", + "process": { + "pid": 2828, + "thread": { + "id": 1684 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "135", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:04.101Z", + "dns": { + "answers": [ + { + "data": "cs9.wac.phicdn.net", + "type": "CNAME" + }, + { + "data": "72.21.91.29", + "type": "A" + } + ], + "question": { + "name": "ocsp.digicert.com", + "registered_domain": "digicert.com", + "subdomain": "ocsp", + "top_level_domain": "com" + }, + "resolved_ip": [ + "72.21.91.29" + ] + }, + "ecs": { + "version": "1.12.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "ingested": "2022-06-08T05:43:58.775486500Z", + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + 
}, + "host": { + "name": "vagrant-2016" + }, + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 + }, + "related": { + "hosts": [ + "cs9.wac.phicdn.net", + "ocsp.digicert.com" + ], + "ip": [ + "72.21.91.29" + ] + }, + "sysmon": { + "dns": { + "status": "SUCCESS" + } + }, + "user": { + "id": "S-1-5-18" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2016", + "event_id": "22", + "opcode": "Info", + "process": { + "pid": 2828, + "thread": { + "id": 1684 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "136", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:04.137Z", + "dns": { + "answers": [ + { + "data": "usermatch.targeting.unrulymedia.com", + "type": "CNAME" + }, + { + "data": "35.167.55.0", + "type": "A" + }, + { + "data": "52.24.219.168", + "type": "A" + }, + { + "data": "52.43.21.209", + "type": "A" + }, + { + "data": "54.200.225.167", + "type": "A" + }, + { + "data": "192.5.6.30", + "type": "A" + }, + { + "data": "2001:503:a83e::2:30", + "type": "AAAA" + }, + { + "data": "192.33.14.30", + "type": "A" + }, + { + "data": "2001:503:231d::2:30", + "type": "AAAA" + }, + { + "data": "192.26.92.30", + "type": "A" + }, + { + "data": "2001:503:83eb::30", + "type": "AAAA" + } + ], + "question": { + "name": "pre-usermatch.targeting.unrulymedia.com", + "registered_domain": "unrulymedia.com", + "subdomain": "pre-usermatch.targeting", + "top_level_domain": "com" + }, + "resolved_ip": [ + "35.167.55.0", + "52.24.219.168", + "52.43.21.209", + "54.200.225.167", + "192.5.6.30", 
+ "2001:503:a83e::2:30", + "192.33.14.30", + "2001:503:231d::2:30", + "192.26.92.30", + "2001:503:83eb::30" + ] + }, + "ecs": { + "version": "1.12.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "ingested": "2022-06-08T05:43:58.775501200Z", + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "host": { + "name": "vagrant-2016" + }, + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 + }, + "related": { + "hosts": [ + "usermatch.targeting.unrulymedia.com", + "pre-usermatch.targeting.unrulymedia.com" + ], + "ip": [ + "35.167.55.0", + "52.24.219.168", + "52.43.21.209", + "54.200.225.167", + "192.5.6.30", + "2001:503:a83e::2:30", + "192.33.14.30", + "2001:503:231d::2:30", + "192.26.92.30", + "2001:503:83eb::30" + ] + }, + "sysmon": { + "dns": { + "status": "SUCCESS" + } + }, + "user": { + "id": "S-1-5-18" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2016", + "event_id": "22", + "opcode": "Info", + "process": { + "pid": 2828, + "thread": { + "id": 1684 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "137", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:04.141Z", + "dns": { + "answers": [ + { + "data": "farm-hetzner.plista.com", + "type": "CNAME" + }, + { + "data": "144.76.67.119", + "type": "A" + }, + { + "data": "148.251.77.207", + "type": "A" + }, + { + "data": "148.251.15.115", + "type": "A" + }, + { + "data": "176.9.103.51", + "type": "A" + }, + 
{ + "data": "88.198.208.110", + "type": "A" + }, + { + "data": "192.5.6.30", + "type": "A" + }, + { + "data": "2001:503:a83e::2:30", + "type": "AAAA" + }, + { + "data": "192.33.14.30", + "type": "A" + }, + { + "data": "2001:503:231d::2:30", + "type": "AAAA" + }, + { + "data": "192.26.92.30", + "type": "A" + }, + { + "data": "2001:503:83eb::30", + "type": "AAAA" + }, + { + "data": "192.31.80.30", + "type": "A" + } + ], + "question": { + "name": "farm.plista.com", + "registered_domain": "plista.com", + "subdomain": "farm", + "top_level_domain": "com" + }, + "resolved_ip": [ + "144.76.67.119", + "148.251.77.207", + "148.251.15.115", + "176.9.103.51", + "88.198.208.110", + "192.5.6.30", + "2001:503:a83e::2:30", + "192.33.14.30", + "2001:503:231d::2:30", + "192.26.92.30", + "2001:503:83eb::30", + "192.31.80.30" + ] + }, + "ecs": { + "version": "1.12.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "ingested": "2022-06-08T05:43:58.775515700Z", + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "host": { + "name": "vagrant-2016" + }, + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 + }, + "related": { + "hosts": [ + "farm-hetzner.plista.com", + "farm.plista.com" + ], + "ip": [ + "144.76.67.119", + "148.251.77.207", + "148.251.15.115", + "176.9.103.51", + "88.198.208.110", + "192.5.6.30", + "2001:503:a83e::2:30", + "192.33.14.30", + "2001:503:231d::2:30", + "192.26.92.30", + "2001:503:83eb::30", + "192.31.80.30" + ] + }, + "sysmon": { + "dns": { + "status": "SUCCESS" + } + }, + "user": { + "id": "S-1-5-18" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2016", + 
"event_id": "22", + "opcode": "Info", + "process": { + "pid": 2828, + "thread": { + "id": 1684 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "138", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:04.168Z", + "dns": { + "answers": [ + { + "data": "beacon-n-ash.lb.krxd.net", + "type": "CNAME" + }, + { + "data": "beacon-17-537698933.us-east-1.elb.amazonaws.com", + "type": "CNAME" + }, + { + "data": "50.17.180.35", + "type": "A" + }, + { + "data": "50.19.103.40", + "type": "A" + }, + { + "data": "50.19.210.19", + "type": "A" + }, + { + "data": "50.19.117.149", + "type": "A" + }, + { + "data": "50.19.222.244", + "type": "A" + }, + { + "data": "50.19.222.88", + "type": "A" + }, + { + "data": "50.19.81.100", + "type": "A" + }, + { + "data": "54.204.10.30", + "type": "A" + }, + { + "data": "192.5.6.30", + "type": "A" + } + ], + "question": { + "name": "beacon.krxd.net", + "registered_domain": "krxd.net", + "subdomain": "beacon", + "top_level_domain": "net" + }, + "resolved_ip": [ + "50.17.180.35", + "50.19.103.40", + "50.19.210.19", + "50.19.117.149", + "50.19.222.244", + "50.19.222.88", + "50.19.81.100", + "54.204.10.30", + "192.5.6.30" + ] + }, + "ecs": { + "version": "1.12.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "ingested": "2022-06-08T05:43:58.775530400Z", + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "host": { + "name": "vagrant-2016" + }, + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 + }, + "related": 
{ + "hosts": [ + "beacon-n-ash.lb.krxd.net", + "beacon-17-537698933.us-east-1.elb.amazonaws.com", + "beacon.krxd.net" + ], + "ip": [ + "50.17.180.35", + "50.19.103.40", + "50.19.210.19", + "50.19.117.149", + "50.19.222.244", + "50.19.222.88", + "50.19.81.100", + "54.204.10.30", + "192.5.6.30" + ] + }, + "sysmon": { + "dns": { + "status": "SUCCESS" + } + }, + "user": { + "id": "S-1-5-18" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2016", + "event_id": "22", + "opcode": "Info", + "process": { + "pid": 2828, + "thread": { + "id": 1684 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "139", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:04.169Z", + "dns": { + "answers": [ + { + "data": "dsum.casalemedia.com.edgekey.net", + "type": "CNAME" + }, + { + "data": "e8037.g.akamaiedge.net", + "type": "CNAME" + }, + { + "data": "23.52.162.21", + "type": "A" + } + ], + "question": { + "name": "dsum.casalemedia.com", + "registered_domain": "casalemedia.com", + "subdomain": "dsum", + "top_level_domain": "com" + }, + "resolved_ip": [ + "23.52.162.21" + ] + }, + "ecs": { + "version": "1.12.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "ingested": "2022-06-08T05:43:58.775570Z", + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "host": { + "name": "vagrant-2016" + }, + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 + }, + "related": { + "hosts": [ + 
"dsum.casalemedia.com.edgekey.net", + "e8037.g.akamaiedge.net", + "dsum.casalemedia.com" + ], + "ip": [ + "23.52.162.21" + ] + }, + "sysmon": { + "dns": { + "status": "SUCCESS" + } + }, + "user": { + "id": "S-1-5-18" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2016", + "event_id": "22", + "opcode": "Info", + "process": { + "pid": 2828, + "thread": { + "id": 1684 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "140", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:04.169Z", + "dns": { + "answers": [ + { + "data": "pixel-origin.mathtag.com", + "type": "CNAME" + }, + { + "data": "216.200.232.235", + "type": "A" + }, + { + "data": "216.200.232.201", + "type": "A" + }, + { + "data": "74.121.138.26", + "type": "A" + }, + { + "data": "216.200.232.185", + "type": "A" + }, + { + "data": "192.5.6.30", + "type": "A" + }, + { + "data": "2001:503:a83e::2:30", + "type": "AAAA" + }, + { + "data": "192.33.14.30", + "type": "A" + }, + { + "data": "2001:503:231d::2:30", + "type": "AAAA" + }, + { + "data": "192.26.92.30", + "type": "A" + }, + { + "data": "2001:503:83eb::30", + "type": "AAAA" + }, + { + "data": "192.31.80.30", + "type": "A" + } + ], + "question": { + "name": "sync.mathtag.com", + "registered_domain": "mathtag.com", + "subdomain": "sync", + "top_level_domain": "com" + }, + "resolved_ip": [ + "216.200.232.235", + "216.200.232.201", + "74.121.138.26", + "216.200.232.185", + "192.5.6.30", + "2001:503:a83e::2:30", + "192.33.14.30", + "2001:503:231d::2:30", + "192.26.92.30", + "2001:503:83eb::30", + "192.31.80.30" + ] + }, + "ecs": { + "version": "1.12.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "ingested": "2022-06-08T05:43:58.775583800Z", + "kind": 
"event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "host": { + "name": "vagrant-2016" + }, + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 + }, + "related": { + "hosts": [ + "pixel-origin.mathtag.com", + "sync.mathtag.com" + ], + "ip": [ + "216.200.232.235", + "216.200.232.201", + "74.121.138.26", + "216.200.232.185", + "192.5.6.30", + "2001:503:a83e::2:30", + "192.33.14.30", + "2001:503:231d::2:30", + "192.26.92.30", + "2001:503:83eb::30", + "192.31.80.30" + ] + }, + "sysmon": { + "dns": { + "status": "SUCCESS" + } + }, + "user": { + "id": "S-1-5-18" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2016", + "event_id": "22", + "opcode": "Info", + "process": { + "pid": 2828, + "thread": { + "id": 1684 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "141", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:04.184Z", + "dns": { + "answers": [ + { + "data": "ocsp.digicert.com", + "type": "CNAME" + }, + { + "data": "cs9.wac.phicdn.net", + "type": "CNAME" + }, + { + "data": "72.21.91.29", + "type": "A" + } + ], + "question": { + "name": "status.rapidssl.com", + "registered_domain": "rapidssl.com", + "subdomain": "status", + "top_level_domain": "com" + }, + "resolved_ip": [ + "72.21.91.29" + ] + }, + "ecs": { + "version": "1.12.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "ingested": "2022-06-08T05:43:58.775615300Z", + "kind": "event", + "module": "sysmon", + 
"provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "host": { + "name": "vagrant-2016" + }, + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 + }, + "related": { + "hosts": [ + "ocsp.digicert.com", + "cs9.wac.phicdn.net", + "status.rapidssl.com" + ], + "ip": [ + "72.21.91.29" + ] + }, + "sysmon": { + "dns": { + "status": "SUCCESS" + } + }, + "user": { + "id": "S-1-5-18" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2016", + "event_id": "22", + "opcode": "Info", + "process": { + "pid": 2828, + "thread": { + "id": 1684 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "142", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:04.184Z", + "dns": { + "answers": [ + { + "data": "cookiesyncing-1395500543.us-east-1.elb.amazonaws.com", + "type": "CNAME" + }, + { + "data": "34.197.195.131", + "type": "A" + }, + { + "data": "34.192.39.82", + "type": "A" + }, + { + "data": "34.199.231.204", + "type": "A" + }, + { + "data": "34.199.113.81", + "type": "A" + }, + { + "data": "34.197.3.157", + "type": "A" + }, + { + "data": "34.205.112.156", + "type": "A" + }, + { + "data": "34.195.29.8", + "type": "A" + }, + { + "data": "34.201.247.123", + "type": "A" + }, + { + "data": "192.5.6.30", + "type": "A" + }, + { + "data": "2001:503:a83e::2:30", + "type": "AAAA" + }, + { + "data": "192.33.14.30", + "type": "A" + } + ], + "question": { + "name": "sync.extend.tv", + "registered_domain": "extend.tv", + "subdomain": "sync", + 
"top_level_domain": "tv" + }, + "resolved_ip": [ + "34.197.195.131", + "34.192.39.82", + "34.199.231.204", + "34.199.113.81", + "34.197.3.157", + "34.205.112.156", + "34.195.29.8", + "34.201.247.123", + "192.5.6.30", + "2001:503:a83e::2:30", + "192.33.14.30" + ] + }, + "ecs": { + "version": "1.12.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "ingested": "2022-06-08T05:43:58.775648500Z", + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "host": { + "name": "vagrant-2016" + }, + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 + }, + "related": { + "hosts": [ + "cookiesyncing-1395500543.us-east-1.elb.amazonaws.com", + "sync.extend.tv" + ], + "ip": [ + "34.197.195.131", + "34.192.39.82", + "34.199.231.204", + "34.199.113.81", + "34.197.3.157", + "34.205.112.156", + "34.195.29.8", + "34.201.247.123", + "192.5.6.30", + "2001:503:a83e::2:30", + "192.33.14.30" + ] + }, + "sysmon": { + "dns": { + "status": "SUCCESS" + } + }, + "user": { + "id": "S-1-5-18" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2016", + "event_id": "22", + "opcode": "Info", + "process": { + "pid": 2828, + "thread": { + "id": 1684 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "143", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:04.185Z", + "dns": { + "answers": [ + { + "data": "t3j2g9x7.stackpathcdn.com", + "type": "CNAME" + }, + { + "data": "151.139.128.14", + "type": "A" 
+ }, + { + "data": "192.5.6.30", + "type": "A" + }, + { + "data": "2001:503:a83e::2:30", + "type": "AAAA" + }, + { + "data": "192.33.14.30", + "type": "A" + }, + { + "data": "2001:503:231d::2:30", + "type": "AAAA" + }, + { + "data": "192.26.92.30", + "type": "A" + }, + { + "data": "2001:503:83eb::30", + "type": "AAAA" + }, + { + "data": "192.31.80.30", + "type": "A" + }, + { + "data": "2001:500:856e::30", + "type": "AAAA" + }, + { + "data": "192.12.94.30", + "type": "A" + } + ], + "question": { + "name": "ocsp.comodoca.com", + "registered_domain": "comodoca.com", + "subdomain": "ocsp", + "top_level_domain": "com" + }, + "resolved_ip": [ + "151.139.128.14", + "192.5.6.30", + "2001:503:a83e::2:30", + "192.33.14.30", + "2001:503:231d::2:30", + "192.26.92.30", + "2001:503:83eb::30", + "192.31.80.30", + "2001:500:856e::30", + "192.12.94.30" + ] + }, + "ecs": { + "version": "1.12.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "ingested": "2022-06-08T05:43:58.775770600Z", + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "host": { + "name": "vagrant-2016" + }, + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 + }, + "related": { + "hosts": [ + "t3j2g9x7.stackpathcdn.com", + "ocsp.comodoca.com" + ], + "ip": [ + "151.139.128.14", + "192.5.6.30", + "2001:503:a83e::2:30", + "192.33.14.30", + "2001:503:231d::2:30", + "192.26.92.30", + "2001:503:83eb::30", + "192.31.80.30", + "2001:500:856e::30", + "192.12.94.30" + ] + }, + "sysmon": { + "dns": { + "status": "SUCCESS" + } + }, + "user": { + "id": "S-1-5-18" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2016", + 
"event_id": "22", + "opcode": "Info", + "process": { + "pid": 2828, + "thread": { + "id": 1684 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "144", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:04.189Z", + "dns": { + "answers": [ + { + "data": "sync.tubemogul.com", + "type": "CNAME" + }, + { + "data": "syncf.tubemogul.com", + "type": "CNAME" + }, + { + "data": "h2.shared.global.fastly.net", + "type": "CNAME" + }, + { + "data": "151.101.2.49", + "type": "A" + }, + { + "data": "151.101.66.49", + "type": "A" + }, + { + "data": "151.101.130.49", + "type": "A" + }, + { + "data": "151.101.194.49", + "type": "A" + } + ], + "question": { + "name": "sync-tm.everesttech.net", + "registered_domain": "everesttech.net", + "subdomain": "sync-tm", + "top_level_domain": "net" + }, + "resolved_ip": [ + "151.101.2.49", + "151.101.66.49", + "151.101.130.49", + "151.101.194.49" + ] + }, + "ecs": { + "version": "1.12.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "ingested": "2022-06-08T05:43:58.775788300Z", + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "host": { + "name": "vagrant-2016" + }, + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 + }, + "related": { + "hosts": [ + "sync.tubemogul.com", + "syncf.tubemogul.com", + "h2.shared.global.fastly.net", + "sync-tm.everesttech.net" + ], + "ip": [ + "151.101.2.49", + "151.101.66.49", + "151.101.130.49", + "151.101.194.49" + ] + }, + "sysmon": { + "dns": { + "status": "SUCCESS" + } 
+ }, + "user": { + "id": "S-1-5-18" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2016", + "event_id": "22", + "opcode": "Info", + "process": { + "pid": 2828, + "thread": { + "id": 1684 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "145", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:04.237Z", + "dns": { + "answers": [ + { + "data": "34.95.92.78", + "type": "A" + }, + { + "data": "192.5.6.30", + "type": "A" + }, + { + "data": "2001:503:a83e::2:30", + "type": "AAAA" + }, + { + "data": "192.33.14.30", + "type": "A" + }, + { + "data": "2001:503:231d::2:30", + "type": "AAAA" + }, + { + "data": "192.26.92.30", + "type": "A" + }, + { + "data": "2001:503:83eb::30", + "type": "AAAA" + }, + { + "data": "192.31.80.30", + "type": "A" + }, + { + "data": "2001:500:856e::30", + "type": "AAAA" + }, + { + "data": "192.12.94.30", + "type": "A" + }, + { + "data": "2001:502:1ca1::30", + "type": "AAAA" + }, + { + "data": "192.35.51.30", + "type": "A" + } + ], + "question": { + "name": "idsync.rlcdn.com", + "registered_domain": "rlcdn.com", + "subdomain": "idsync", + "top_level_domain": "com" + }, + "resolved_ip": [ + "34.95.92.78", + "192.5.6.30", + "2001:503:a83e::2:30", + "192.33.14.30", + "2001:503:231d::2:30", + "192.26.92.30", + "2001:503:83eb::30", + "192.31.80.30", + "2001:500:856e::30", + "192.12.94.30", + "2001:502:1ca1::30", + "192.35.51.30" + ] + }, + "ecs": { + "version": "1.12.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "ingested": "2022-06-08T05:43:58.775820400Z", + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "host": { + "name": "vagrant-2016" + }, + 
"log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 + }, + "related": { + "hosts": [ + "idsync.rlcdn.com" + ], + "ip": [ + "34.95.92.78", + "192.5.6.30", + "2001:503:a83e::2:30", + "192.33.14.30", + "2001:503:231d::2:30", + "192.26.92.30", + "2001:503:83eb::30", + "192.31.80.30", + "2001:500:856e::30", + "192.12.94.30", + "2001:502:1ca1::30", + "192.35.51.30" + ] + }, + "sysmon": { + "dns": { + "status": "SUCCESS" + } + }, + "user": { + "id": "S-1-5-18" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2016", + "event_id": "22", + "opcode": "Info", + "process": { + "pid": 2828, + "thread": { + "id": 1684 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "146", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:04.274Z", + "dns": { + "answers": [ + { + "data": "track-eu.adformnet.akadns.net", + "type": "CNAME" + }, + { + "data": "37.157.2.239", + "type": "A" + }, + { + "data": "37.157.6.253", + "type": "A" + }, + { + "data": "37.157.2.238", + "type": "A" + }, + { + "data": "37.157.4.25", + "type": "A" + }, + { + "data": "37.157.4.24", + "type": "A" + }, + { + "data": "37.157.6.247", + "type": "A" + } + ], + "question": { + "name": "cm.adform.net", + "registered_domain": "adform.net", + "subdomain": "cm", + "top_level_domain": "net" + }, + "resolved_ip": [ + "37.157.2.239", + "37.157.6.253", + "37.157.2.238", + "37.157.4.25", + "37.157.4.24", + "37.157.6.247" + ] + }, + "ecs": { + "version": "1.12.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + 
"ingested": "2022-06-08T05:43:58.775851100Z", + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "host": { + "name": "vagrant-2016" + }, + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 + }, + "related": { + "hosts": [ + "track-eu.adformnet.akadns.net", + "cm.adform.net" + ], + "ip": [ + "37.157.2.239", + "37.157.6.253", + "37.157.2.238", + "37.157.4.25", + "37.157.4.24", + "37.157.6.247" + ] + }, + "sysmon": { + "dns": { + "status": "SUCCESS" + } + }, + "user": { + "id": "S-1-5-18" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2016", + "event_id": "22", + "opcode": "Info", + "process": { + "pid": 2828, + "thread": { + "id": 1684 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "147", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:04.302Z", + "dns": { + "answers": [ + { + "data": "37.18.16.16", + "type": "A" + } + ], + "question": { + "name": "dm.hybrid.ai", + "registered_domain": "hybrid.ai", + "subdomain": "dm", + "top_level_domain": "ai" + }, + "resolved_ip": [ + "37.18.16.16" + ] + }, + "ecs": { + "version": "1.12.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "ingested": "2022-06-08T05:43:58.775888700Z", + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "host": { + "name": "vagrant-2016" + }, + "log": { + "level": "information" + }, + 
"network": { + "protocol": "dns" + }, + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 + }, + "related": { + "hosts": [ + "dm.hybrid.ai" + ], + "ip": [ + "37.18.16.16" + ] + }, + "sysmon": { + "dns": { + "status": "SUCCESS" + } + }, + "user": { + "id": "S-1-5-18" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2016", + "event_id": "22", + "opcode": "Info", + "process": { + "pid": 2828, + "thread": { + "id": 1684 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "148", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:04.304Z", + "dns": { + "answers": [ + { + "data": "anycast.static.adsafeprotected.com", + "type": "CNAME" + }, + { + "data": "199.166.0.32", + "type": "A" + }, + { + "data": "192.5.6.30", + "type": "A" + }, + { + "data": "2001:503:a83e::2:30", + "type": "AAAA" + }, + { + "data": "192.33.14.30", + "type": "A" + }, + { + "data": "2001:503:231d::2:30", + "type": "AAAA" + }, + { + "data": "192.26.92.30", + "type": "A" + }, + { + "data": "2001:503:83eb::30", + "type": "AAAA" + }, + { + "data": "192.31.80.30", + "type": "A" + }, + { + "data": "2001:500:856e::30", + "type": "AAAA" + }, + { + "data": "192.12.94.30", + "type": "A" + } + ], + "question": { + "name": "static.adsafeprotected.com", + "registered_domain": "adsafeprotected.com", + "subdomain": "static", + "top_level_domain": "com" + }, + "resolved_ip": [ + "199.166.0.32", + "192.5.6.30", + "2001:503:a83e::2:30", + "192.33.14.30", + "2001:503:231d::2:30", + "192.26.92.30", + "2001:503:83eb::30", + "192.31.80.30", + "2001:500:856e::30", + "192.12.94.30" + ] + }, + "ecs": { + 
"version": "1.12.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "ingested": "2022-06-08T05:43:58.775899100Z", + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "host": { + "name": "vagrant-2016" + }, + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 + }, + "related": { + "hosts": [ + "anycast.static.adsafeprotected.com", + "static.adsafeprotected.com" + ], + "ip": [ + "199.166.0.32", + "192.5.6.30", + "2001:503:a83e::2:30", + "192.33.14.30", + "2001:503:231d::2:30", + "192.26.92.30", + "2001:503:83eb::30", + "192.31.80.30", + "2001:500:856e::30", + "192.12.94.30" + ] + }, + "sysmon": { + "dns": { + "status": "SUCCESS" + } + }, + "user": { + "id": "S-1-5-18" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2016", + "event_id": "22", + "opcode": "Info", + "process": { + "pid": 2828, + "thread": { + "id": 1684 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "149", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:04.322Z", + "dns": { + "answers": [ + { + "data": "f2.taboola.map.fastly.net", + "type": "CNAME" + }, + { + "data": "151.101.130.2", + "type": "A" + }, + { + "data": "151.101.194.2", + "type": "A" + }, + { + "data": "151.101.2.2", + "type": "A" + }, + { + "data": "151.101.66.2", + "type": "A" + } + ], + "question": { + "name": "trc.taboola.com", + "registered_domain": "taboola.com", + "subdomain": "trc", + "top_level_domain": "com" + }, + 
"resolved_ip": [ + "151.101.130.2", + "151.101.194.2", + "151.101.2.2", + "151.101.66.2" + ] + }, + "ecs": { + "version": "1.12.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "ingested": "2022-06-08T05:43:58.775953700Z", + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "host": { + "name": "vagrant-2016" + }, + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 + }, + "related": { + "hosts": [ + "f2.taboola.map.fastly.net", + "trc.taboola.com" + ], + "ip": [ + "151.101.130.2", + "151.101.194.2", + "151.101.2.2", + "151.101.66.2" + ] + }, + "sysmon": { + "dns": { + "status": "SUCCESS" + } + }, + "user": { + "id": "S-1-5-18" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2016", + "event_id": "22", + "opcode": "Info", + "process": { + "pid": 2828, + "thread": { + "id": 1684 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "150", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:04.379Z", + "dns": { + "answers": [ + { + "data": "107.178.254.65", + "type": "A" + } + ], + "question": { + "name": "pippio.com", + "registered_domain": "pippio.com", + "top_level_domain": "com" + }, + "resolved_ip": [ + "107.178.254.65" + ] + }, + "ecs": { + "version": "1.12.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "ingested": "2022-06-08T05:43:58.775968900Z", + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + 
"type": [ + "connection", + "protocol", + "info" + ] + }, + "host": { + "name": "vagrant-2016" + }, + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 + }, + "related": { + "hosts": [ + "pippio.com" + ], + "ip": [ + "107.178.254.65" + ] + }, + "sysmon": { + "dns": { + "status": "SUCCESS" + } + }, + "user": { + "id": "S-1-5-18" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2016", + "event_id": "22", + "opcode": "Info", + "process": { + "pid": 2828, + "thread": { + "id": 1684 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "151", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:04.482Z", + "dns": { + "answers": [ + { + "data": "pixel-a.sitescout.com", + "type": "CNAME" + }, + { + "data": "209.15.36.34", + "type": "A" + }, + { + "data": "192.5.6.30", + "type": "A" + }, + { + "data": "2001:503:a83e::2:30", + "type": "AAAA" + }, + { + "data": "192.33.14.30", + "type": "A" + }, + { + "data": "2001:503:231d::2:30", + "type": "AAAA" + }, + { + "data": "192.26.92.30", + "type": "A" + }, + { + "data": "2001:503:83eb::30", + "type": "AAAA" + }, + { + "data": "192.31.80.30", + "type": "A" + }, + { + "data": "2001:500:856e::30", + "type": "AAAA" + }, + { + "data": "192.12.94.30", + "type": "A" + } + ], + "question": { + "name": "pixel-sync.sitescout.com", + "registered_domain": "sitescout.com", + "subdomain": "pixel-sync", + "top_level_domain": "com" + }, + "resolved_ip": [ + "209.15.36.34", + "192.5.6.30", + "2001:503:a83e::2:30", + "192.33.14.30", + 
"2001:503:231d::2:30", + "192.26.92.30", + "2001:503:83eb::30", + "192.31.80.30", + "2001:500:856e::30", + "192.12.94.30" + ] + }, + "ecs": { + "version": "1.12.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "ingested": "2022-06-08T05:43:58.776019500Z", + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "host": { + "name": "vagrant-2016" + }, + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 + }, + "related": { + "hosts": [ + "pixel-a.sitescout.com", + "pixel-sync.sitescout.com" + ], + "ip": [ + "209.15.36.34", + "192.5.6.30", + "2001:503:a83e::2:30", + "192.33.14.30", + "2001:503:231d::2:30", + "192.26.92.30", + "2001:503:83eb::30", + "192.31.80.30", + "2001:500:856e::30", + "192.12.94.30" + ] + }, + "sysmon": { + "dns": { + "status": "SUCCESS" + } + }, + "user": { + "id": "S-1-5-18" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2016", + "event_id": "22", + "opcode": "Info", + "process": { + "pid": 2828, + "thread": { + "id": 1684 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "152", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:04.502Z", + "dns": { + "answers": [ + { + "data": "35.186.202.217", + "type": "A" + }, + { + "data": "192.5.6.30", + "type": "A" + }, + { + "data": "2001:503:a83e::2:30", + "type": "AAAA" + }, + { + "data": "192.33.14.30", + "type": "A" + }, + { + "data": "2001:503:231d::2:30", + "type": "AAAA" + }, + { + "data": 
"192.26.92.30", + "type": "A" + }, + { + "data": "2001:503:83eb::30", + "type": "AAAA" + }, + { + "data": "192.31.80.30", + "type": "A" + }, + { + "data": "2001:500:856e::30", + "type": "AAAA" + }, + { + "data": "192.12.94.30", + "type": "A" + }, + { + "data": "2001:502:1ca1::30", + "type": "AAAA" + } + ], + "question": { + "name": "prod.y-medialink.com", + "registered_domain": "y-medialink.com", + "subdomain": "prod", + "top_level_domain": "com" + }, + "resolved_ip": [ + "35.186.202.217", + "192.5.6.30", + "2001:503:a83e::2:30", + "192.33.14.30", + "2001:503:231d::2:30", + "192.26.92.30", + "2001:503:83eb::30", + "192.31.80.30", + "2001:500:856e::30", + "192.12.94.30", + "2001:502:1ca1::30" + ] + }, + "ecs": { + "version": "1.12.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "ingested": "2022-06-08T05:43:58.776052500Z", + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "host": { + "name": "vagrant-2016" + }, + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 + }, + "related": { + "hosts": [ + "prod.y-medialink.com" + ], + "ip": [ + "35.186.202.217", + "192.5.6.30", + "2001:503:a83e::2:30", + "192.33.14.30", + "2001:503:231d::2:30", + "192.26.92.30", + "2001:503:83eb::30", + "192.31.80.30", + "2001:500:856e::30", + "192.12.94.30", + "2001:502:1ca1::30" + ] + }, + "sysmon": { + "dns": { + "status": "SUCCESS" + } + }, + "user": { + "id": "S-1-5-18" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2016", + "event_id": "22", + "opcode": "Info", + "process": { + "pid": 2828, + "thread": { + "id": 1684 + } + }, + "provider_guid": 
"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "153", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:04.507Z", + "dns": { + "answers": [ + { + "data": "jadserve.postrelease.com.akadns.net", + "type": "CNAME" + }, + { + "data": "54.80.117.178", + "type": "A" + }, + { + "data": "3.217.22.176", + "type": "A" + }, + { + "data": "35.153.215.15", + "type": "A" + }, + { + "data": "52.207.54.164", + "type": "A" + }, + { + "data": "52.204.186.237", + "type": "A" + }, + { + "data": "52.86.46.105", + "type": "A" + } + ], + "question": { + "name": "jadserve.postrelease.com", + "registered_domain": "postrelease.com", + "subdomain": "jadserve", + "top_level_domain": "com" + }, + "resolved_ip": [ + "54.80.117.178", + "3.217.22.176", + "35.153.215.15", + "52.207.54.164", + "52.204.186.237", + "52.86.46.105" + ] + }, + "ecs": { + "version": "1.12.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "ingested": "2022-06-08T05:43:58.776093500Z", + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "host": { + "name": "vagrant-2016" + }, + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 + }, + "related": { + "hosts": [ + "jadserve.postrelease.com.akadns.net", + "jadserve.postrelease.com" + ], + "ip": [ + "54.80.117.178", + "3.217.22.176", + "35.153.215.15", + "52.207.54.164", + "52.204.186.237", + "52.86.46.105" + ] + }, + "sysmon": { + "dns": { + "status": "SUCCESS" + } + }, + "user": { + "id": "S-1-5-18" + }, + "winlog": { + "api": "wineventlog", + "channel": 
"Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2016", + "event_id": "22", + "opcode": "Info", + "process": { + "pid": 2828, + "thread": { + "id": 1684 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "154", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:04.508Z", + "dns": { + "answers": [ + { + "data": "partners-1732315393.us-east-1.elb.amazonaws.com", + "type": "CNAME" + }, + { + "data": "107.21.43.184", + "type": "A" + }, + { + "data": "54.164.220.86", + "type": "A" + }, + { + "data": "52.72.172.174", + "type": "A" + }, + { + "data": "3.209.65.250", + "type": "A" + }, + { + "data": "3.94.51.187", + "type": "A" + }, + { + "data": "34.193.211.130", + "type": "A" + }, + { + "data": "18.214.47.10", + "type": "A" + }, + { + "data": "18.214.151.246", + "type": "A" + }, + { + "data": "192.5.6.30", + "type": "A" + }, + { + "data": "2001:503:a83e::2:30", + "type": "AAAA" + } + ], + "question": { + "name": "appnexus-partners.tremorhub.com", + "registered_domain": "tremorhub.com", + "subdomain": "appnexus-partners", + "top_level_domain": "com" + }, + "resolved_ip": [ + "107.21.43.184", + "54.164.220.86", + "52.72.172.174", + "3.209.65.250", + "3.94.51.187", + "34.193.211.130", + "18.214.47.10", + "18.214.151.246", + "192.5.6.30", + "2001:503:a83e::2:30" + ] + }, + "ecs": { + "version": "1.12.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "ingested": "2022-06-08T05:43:58.776107700Z", + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "host": { + "name": "vagrant-2016" + }, + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, + "process": { + "entity_id": 
"{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 + }, + "related": { + "hosts": [ + "partners-1732315393.us-east-1.elb.amazonaws.com", + "appnexus-partners.tremorhub.com" + ], + "ip": [ + "107.21.43.184", + "54.164.220.86", + "52.72.172.174", + "3.209.65.250", + "3.94.51.187", + "34.193.211.130", + "18.214.47.10", + "18.214.151.246", + "192.5.6.30", + "2001:503:a83e::2:30" + ] + }, + "sysmon": { + "dns": { + "status": "SUCCESS" + } + }, + "user": { + "id": "S-1-5-18" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2016", + "event_id": "22", + "opcode": "Info", + "process": { + "pid": 2828, + "thread": { + "id": 1684 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "155", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:04.531Z", + "dns": { + "answers": [ + { + "data": "gtm13.nexac.com", + "type": "CNAME" + }, + { + "data": "ad2deadfb5fbf11e9872302ad9419486-194325762.us-east-1.elb.amazonaws.com", + "type": "CNAME" + }, + { + "data": "107.21.14.70", + "type": "A" + }, + { + "data": "107.23.33.163", + "type": "A" + }, + { + "data": "23.22.192.59", + "type": "A" + }, + { + "data": "100.24.96.238", + "type": "A" + }, + { + "data": "192.5.6.30", + "type": "A" + }, + { + "data": "2001:503:a83e::2:30", + "type": "AAAA" + }, + { + "data": "192.33.14.30", + "type": "A" + } + ], + "question": { + "name": "x.dlx.addthis.com", + "registered_domain": "addthis.com", + "subdomain": "x.dlx", + "top_level_domain": "com" + }, + "resolved_ip": [ + "107.21.14.70", + "107.23.33.163", + "23.22.192.59", + "100.24.96.238", + "192.5.6.30", + "2001:503:a83e::2:30", + "192.33.14.30" + ] + }, + 
"ecs": { + "version": "1.12.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "ingested": "2022-06-08T05:43:58.776118400Z", + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "host": { + "name": "vagrant-2016" + }, + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 + }, + "related": { + "hosts": [ + "gtm13.nexac.com", + "ad2deadfb5fbf11e9872302ad9419486-194325762.us-east-1.elb.amazonaws.com", + "x.dlx.addthis.com" + ], + "ip": [ + "107.21.14.70", + "107.23.33.163", + "23.22.192.59", + "100.24.96.238", + "192.5.6.30", + "2001:503:a83e::2:30", + "192.33.14.30" + ] + }, + "sysmon": { + "dns": { + "status": "SUCCESS" + } + }, + "user": { + "id": "S-1-5-18" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2016", + "event_id": "22", + "opcode": "Info", + "process": { + "pid": 2828, + "thread": { + "id": 1684 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "156", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:04.532Z", + "dns": { + "answers": [ + { + "data": "haproxy-dmp.sizmdx.com", + "type": "CNAME" + }, + { + "data": "dmp-prod-haproxyd-14y2amas34vrd-330219680.us-east-1.elb.amazonaws.com", + "type": "CNAME" + }, + { + "data": "18.205.112.71", + "type": "A" + }, + { + "data": "50.19.40.146", + "type": "A" + }, + { + "data": "192.5.6.30", + "type": "A" + }, + { + "data": "2001:503:a83e::2:30", + "type": "AAAA" + }, + { + "data": "192.33.14.30", + "type": 
"A" + }, + { + "data": "2001:503:231d::2:30", + "type": "AAAA" + }, + { + "data": "192.26.92.30", + "type": "A" + } + ], + "question": { + "name": "dh.serving-sys.com", + "registered_domain": "serving-sys.com", + "subdomain": "dh", + "top_level_domain": "com" + }, + "resolved_ip": [ + "18.205.112.71", + "50.19.40.146", + "192.5.6.30", + "2001:503:a83e::2:30", + "192.33.14.30", + "2001:503:231d::2:30", + "192.26.92.30" + ] + }, + "ecs": { + "version": "1.12.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "ingested": "2022-06-08T05:43:58.776133300Z", + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "host": { + "name": "vagrant-2016" + }, + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 + }, + "related": { + "hosts": [ + "haproxy-dmp.sizmdx.com", + "dmp-prod-haproxyd-14y2amas34vrd-330219680.us-east-1.elb.amazonaws.com", + "dh.serving-sys.com" + ], + "ip": [ + "18.205.112.71", + "50.19.40.146", + "192.5.6.30", + "2001:503:a83e::2:30", + "192.33.14.30", + "2001:503:231d::2:30", + "192.26.92.30" + ] + }, + "sysmon": { + "dns": { + "status": "SUCCESS" + } + }, + "user": { + "id": "S-1-5-18" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2016", + "event_id": "22", + "opcode": "Info", + "process": { + "pid": 2828, + "thread": { + "id": 1684 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "157", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + }, + { + "@timestamp": 
"2019-07-18T03:34:04.534Z", + "dns": { + "answers": [ + { + "data": "match-us-east-1.sharethrough.com", + "type": "CNAME" + }, + { + "data": "52.55.160.246", + "type": "A" + }, + { + "data": "3.211.67.240", + "type": "A" + }, + { + "data": "35.173.61.59", + "type": "A" + }, + { + "data": "34.233.179.235", + "type": "A" + }, + { + "data": "34.228.105.237", + "type": "A" + }, + { + "data": "52.7.23.213", + "type": "A" + }, + { + "data": "52.201.177.113", + "type": "A" + }, + { + "data": "34.235.70.251", + "type": "A" + }, + { + "data": "192.5.6.30", + "type": "A" + }, + { + "data": "2001:503:a83e::2:30", + "type": "AAAA" + }, + { + "data": "192.33.14.30", + "type": "A" + }, + { + "data": "2001:503:231d::2:30", + "type": "AAAA" + } + ], + "question": { + "name": "match.sharethrough.com", + "registered_domain": "sharethrough.com", + "subdomain": "match", + "top_level_domain": "com" + }, + "resolved_ip": [ + "52.55.160.246", + "3.211.67.240", + "35.173.61.59", + "34.233.179.235", + "34.228.105.237", + "52.7.23.213", + "52.201.177.113", + "34.235.70.251", + "192.5.6.30", + "2001:503:a83e::2:30", + "192.33.14.30", + "2001:503:231d::2:30" + ] + }, + "ecs": { + "version": "1.12.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "ingested": "2022-06-08T05:43:58.776144300Z", + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "host": { + "name": "vagrant-2016" + }, + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 + }, + "related": { + "hosts": [ + "match-us-east-1.sharethrough.com", + "match.sharethrough.com" + ], + "ip": [ + "52.55.160.246", + "3.211.67.240", + "35.173.61.59", + "34.233.179.235", + "34.228.105.237", + "52.7.23.213", + 
"52.201.177.113", + "34.235.70.251", + "192.5.6.30", + "2001:503:a83e::2:30", + "192.33.14.30", + "2001:503:231d::2:30" + ] + }, + "sysmon": { + "dns": { + "status": "SUCCESS" + } + }, + "user": { + "id": "S-1-5-18" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2016", + "event_id": "22", + "opcode": "Info", + "process": { + "pid": 2828, + "thread": { + "id": 1684 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "158", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:04.601Z", + "dns": { + "answers": [ + { + "data": "35.241.16.233", + "type": "A" + }, + { + "data": "192.5.6.30", + "type": "A" + }, + { + "data": "2001:503:a83e::2:30", + "type": "AAAA" + }, + { + "data": "192.33.14.30", + "type": "A" + }, + { + "data": "2001:503:231d::2:30", + "type": "AAAA" + }, + { + "data": "192.26.92.30", + "type": "A" + }, + { + "data": "2001:503:83eb::30", + "type": "AAAA" + }, + { + "data": "192.31.80.30", + "type": "A" + }, + { + "data": "2001:500:856e::30", + "type": "AAAA" + }, + { + "data": "192.12.94.30", + "type": "A" + }, + { + "data": "2001:502:1ca1::30", + "type": "AAAA" + } + ], + "question": { + "name": "tags.rd.linksynergy.com", + "registered_domain": "linksynergy.com", + "subdomain": "tags.rd", + "top_level_domain": "com" + }, + "resolved_ip": [ + "35.241.16.233", + "192.5.6.30", + "2001:503:a83e::2:30", + "192.33.14.30", + "2001:503:231d::2:30", + "192.26.92.30", + "2001:503:83eb::30", + "192.31.80.30", + "2001:500:856e::30", + "192.12.94.30", + "2001:502:1ca1::30" + ] + }, + "ecs": { + "version": "1.12.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "ingested": "2022-06-08T05:43:58.776158800Z", + "kind": "event", + "module": "sysmon", + "provider": 
"Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "host": { + "name": "vagrant-2016" + }, + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 + }, + "related": { + "hosts": [ + "tags.rd.linksynergy.com" + ], + "ip": [ + "35.241.16.233", + "192.5.6.30", + "2001:503:a83e::2:30", + "192.33.14.30", + "2001:503:231d::2:30", + "192.26.92.30", + "2001:503:83eb::30", + "192.31.80.30", + "2001:500:856e::30", + "192.12.94.30", + "2001:502:1ca1::30" + ] + }, + "sysmon": { + "dns": { + "status": "SUCCESS" + } + }, + "user": { + "id": "S-1-5-18" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2016", + "event_id": "22", + "opcode": "Info", + "process": { + "pid": 2828, + "thread": { + "id": 1684 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "159", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:04.604Z", + "dns": { + "answers": [ + { + "data": "2-01-275d-002d.cdx.cedexis.net", + "type": "CNAME" + }, + { + "data": "rtb-csync-tmk.smartadserver.com", + "type": "CNAME" + }, + { + "data": "199.187.193.166", + "type": "A" + }, + { + "data": "192.5.6.30", + "type": "A" + }, + { + "data": "2001:503:a83e::2:30", + "type": "AAAA" + }, + { + "data": "192.33.14.30", + "type": "A" + }, + { + "data": "2001:503:231d::2:30", + "type": "AAAA" + }, + { + "data": "192.26.92.30", + "type": "A" + }, + { + "data": "2001:503:83eb::30", + "type": "AAAA" + }, + { + "data": "192.31.80.30", + "type": "A" + } + ], + "question": { + "name": 
"rtb-csync.smartadserver.com", + "registered_domain": "smartadserver.com", + "subdomain": "rtb-csync", + "top_level_domain": "com" + }, + "resolved_ip": [ + "199.187.193.166", + "192.5.6.30", + "2001:503:a83e::2:30", + "192.33.14.30", + "2001:503:231d::2:30", + "192.26.92.30", + "2001:503:83eb::30", + "192.31.80.30" + ] + }, + "ecs": { + "version": "1.12.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "ingested": "2022-06-08T05:43:58.776170Z", + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "host": { + "name": "vagrant-2016" + }, + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 + }, + "related": { + "hosts": [ + "2-01-275d-002d.cdx.cedexis.net", + "rtb-csync-tmk.smartadserver.com", + "rtb-csync.smartadserver.com" + ], + "ip": [ + "199.187.193.166", + "192.5.6.30", + "2001:503:a83e::2:30", + "192.33.14.30", + "2001:503:231d::2:30", + "192.26.92.30", + "2001:503:83eb::30", + "192.31.80.30" + ] + }, + "sysmon": { + "dns": { + "status": "SUCCESS" + } + }, + "user": { + "id": "S-1-5-18" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2016", + "event_id": "22", + "opcode": "Info", + "process": { + "pid": 2828, + "thread": { + "id": 1684 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "160", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:04.621Z", + "dns": { + "answers": [ + { + "data": "anycast.sc.iasds01.com", + "type": "CNAME" + }, + { + 
"data": "199.166.0.200", + "type": "A" + }, + { + "data": "192.5.6.30", + "type": "A" + }, + { + "data": "2001:503:a83e::2:30", + "type": "AAAA" + }, + { + "data": "192.33.14.30", + "type": "A" + }, + { + "data": "2001:503:231d::2:30", + "type": "AAAA" + }, + { + "data": "192.26.92.30", + "type": "A" + }, + { + "data": "2001:503:83eb::30", + "type": "AAAA" + }, + { + "data": "192.31.80.30", + "type": "A" + }, + { + "data": "2001:500:856e::30", + "type": "AAAA" + }, + { + "data": "192.12.94.30", + "type": "A" + } + ], + "question": { + "name": "sc.iasds01.com", + "registered_domain": "iasds01.com", + "subdomain": "sc", + "top_level_domain": "com" + }, + "resolved_ip": [ + "199.166.0.200", + "192.5.6.30", + "2001:503:a83e::2:30", + "192.33.14.30", + "2001:503:231d::2:30", + "192.26.92.30", + "2001:503:83eb::30", + "192.31.80.30", + "2001:500:856e::30", + "192.12.94.30" + ] + }, + "ecs": { + "version": "1.12.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "ingested": "2022-06-08T05:43:58.776180100Z", + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "host": { + "name": "vagrant-2016" + }, + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 + }, + "related": { + "hosts": [ + "anycast.sc.iasds01.com", + "sc.iasds01.com" + ], + "ip": [ + "199.166.0.200", + "192.5.6.30", + "2001:503:a83e::2:30", + "192.33.14.30", + "2001:503:231d::2:30", + "192.26.92.30", + "2001:503:83eb::30", + "192.31.80.30", + "2001:500:856e::30", + "192.12.94.30" + ] + }, + "sysmon": { + "dns": { + "status": "SUCCESS" + } + }, + "user": { + "id": "S-1-5-18" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": 
"vagrant-2016", + "event_id": "22", + "opcode": "Info", + "process": { + "pid": 2828, + "thread": { + "id": 1684 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "161", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:04.822Z", + "dns": { + "answers": [ + { + "data": "sjedt.adsafeprotected.com", + "type": "CNAME" + }, + { + "data": "104.244.38.20", + "type": "A" + }, + { + "data": "192.5.6.30", + "type": "A" + }, + { + "data": "2001:503:a83e::2:30", + "type": "AAAA" + }, + { + "data": "192.33.14.30", + "type": "A" + }, + { + "data": "2001:503:231d::2:30", + "type": "AAAA" + }, + { + "data": "192.26.92.30", + "type": "A" + }, + { + "data": "2001:503:83eb::30", + "type": "AAAA" + }, + { + "data": "192.31.80.30", + "type": "A" + }, + { + "data": "2001:500:856e::30", + "type": "AAAA" + }, + { + "data": "192.12.94.30", + "type": "A" + } + ], + "question": { + "name": "dt.adsafeprotected.com", + "registered_domain": "adsafeprotected.com", + "subdomain": "dt", + "top_level_domain": "com" + }, + "resolved_ip": [ + "104.244.38.20", + "192.5.6.30", + "2001:503:a83e::2:30", + "192.33.14.30", + "2001:503:231d::2:30", + "192.26.92.30", + "2001:503:83eb::30", + "192.31.80.30", + "2001:500:856e::30", + "192.12.94.30" + ] + }, + "ecs": { + "version": "1.12.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "ingested": "2022-06-08T05:43:58.776194800Z", + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "host": { + "name": "vagrant-2016" + }, + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet 
Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 + }, + "related": { + "hosts": [ + "sjedt.adsafeprotected.com", + "dt.adsafeprotected.com" + ], + "ip": [ + "104.244.38.20", + "192.5.6.30", + "2001:503:a83e::2:30", + "192.33.14.30", + "2001:503:231d::2:30", + "192.26.92.30", + "2001:503:83eb::30", + "192.31.80.30", + "2001:500:856e::30", + "192.12.94.30" + ] + }, + "sysmon": { + "dns": { + "status": "SUCCESS" + } + }, + "user": { + "id": "S-1-5-18" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2016", + "event_id": "22", + "opcode": "Info", + "process": { + "pid": 2828, + "thread": { + "id": 1684 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "162", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:04.822Z", + "dns": { + "answers": [ + { + "data": "ocsp.digicert.com", + "type": "CNAME" + }, + { + "data": "cs9.wac.phicdn.net", + "type": "CNAME" + }, + { + "data": "72.21.91.29", + "type": "A" + } + ], + "question": { + "name": "status.thawte.com", + "registered_domain": "thawte.com", + "subdomain": "status", + "top_level_domain": "com" + }, + "resolved_ip": [ + "72.21.91.29" + ] + }, + "ecs": { + "version": "1.12.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "ingested": "2022-06-08T05:43:58.776209300Z", + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "host": { + "name": "vagrant-2016" + }, + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", 
+ "pid": 2736 + }, + "related": { + "hosts": [ + "ocsp.digicert.com", + "cs9.wac.phicdn.net", + "status.thawte.com" + ], + "ip": [ + "72.21.91.29" + ] + }, + "sysmon": { + "dns": { + "status": "SUCCESS" + } + }, + "user": { + "id": "S-1-5-18" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2016", + "event_id": "22", + "opcode": "Info", + "process": { + "pid": 2828, + "thread": { + "id": 1684 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "163", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:04.860Z", + "dns": { + "answers": [ + { + "data": "ip1.ads.stickyadstv.com.akadns.net", + "type": "CNAME" + }, + { + "data": "wlb1.ads.stickyadstv.com.akadns.net", + "type": "CNAME" + }, + { + "data": "fp4.ads.stickyadstv.com.akadns.net", + "type": "CNAME" + }, + { + "data": "38.134.110.101", + "type": "A" + }, + { + "data": "38.134.110.143", + "type": "A" + }, + { + "data": "38.134.110.141", + "type": "A" + }, + { + "data": "38.134.110.171", + "type": "A" + }, + { + "data": "38.134.110.177", + "type": "A" + }, + { + "data": "38.134.110.115", + "type": "A" + }, + { + "data": "38.134.110.104", + "type": "A" + }, + { + "data": "38.134.110.114", + "type": "A" + } + ], + "question": { + "name": "ads.stickyadstv.com", + "registered_domain": "stickyadstv.com", + "subdomain": "ads", + "top_level_domain": "com" + }, + "resolved_ip": [ + "38.134.110.101", + "38.134.110.143", + "38.134.110.141", + "38.134.110.171", + "38.134.110.177", + "38.134.110.115", + "38.134.110.104", + "38.134.110.114" + ] + }, + "ecs": { + "version": "1.12.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "ingested": "2022-06-08T05:43:58.776223400Z", + "kind": "event", + "module": "sysmon", + 
"provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "host": { + "name": "vagrant-2016" + }, + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 + }, + "related": { + "hosts": [ + "ip1.ads.stickyadstv.com.akadns.net", + "wlb1.ads.stickyadstv.com.akadns.net", + "fp4.ads.stickyadstv.com.akadns.net", + "ads.stickyadstv.com" + ], + "ip": [ + "38.134.110.101", + "38.134.110.143", + "38.134.110.141", + "38.134.110.171", + "38.134.110.177", + "38.134.110.115", + "38.134.110.104", + "38.134.110.114" + ] + }, + "sysmon": { + "dns": { + "status": "SUCCESS" + } + }, + "user": { + "id": "S-1-5-18" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2016", + "event_id": "22", + "opcode": "Info", + "process": { + "pid": 2828, + "thread": { + "id": 1684 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "164", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:04.904Z", + "dns": { + "answers": [ + { + "data": "hbx.media.net.edgekey.net", + "type": "CNAME" + }, + { + "data": "e607.d.akamaiedge.net", + "type": "CNAME" + }, + { + "data": "23.52.167.93", + "type": "A" + } + ], + "question": { + "name": "hbx.media.net", + "registered_domain": "media.net", + "subdomain": "hbx", + "top_level_domain": "net" + }, + "resolved_ip": [ + "23.52.167.93" + ] + }, + "ecs": { + "version": "1.12.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "ingested": "2022-06-08T05:43:58.776242400Z", + "kind": "event", + "module": "sysmon", + 
"provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "host": { + "name": "vagrant-2016" + }, + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 + }, + "related": { + "hosts": [ + "hbx.media.net.edgekey.net", + "e607.d.akamaiedge.net", + "hbx.media.net" + ], + "ip": [ + "23.52.167.93" + ] + }, + "sysmon": { + "dns": { + "status": "SUCCESS" + } + }, + "user": { + "id": "S-1-5-18" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2016", + "event_id": "22", + "opcode": "Info", + "process": { + "pid": 2828, + "thread": { + "id": 1684 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "165", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:04.911Z", + "dns": { + "answers": [ + { + "data": "trc.taboola.map.fastly.net", + "type": "CNAME" + }, + { + "data": "151.101.194.49", + "type": "A" + }, + { + "data": "151.101.2.49", + "type": "A" + }, + { + "data": "151.101.66.49", + "type": "A" + }, + { + "data": "151.101.130.49", + "type": "A" + } + ], + "question": { + "name": "match.taboola.com", + "registered_domain": "taboola.com", + "subdomain": "match", + "top_level_domain": "com" + }, + "resolved_ip": [ + "151.101.194.49", + "151.101.2.49", + "151.101.66.49", + "151.101.130.49" + ] + }, + "ecs": { + "version": "1.12.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "ingested": "2022-06-08T05:43:58.776257400Z", + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + 
"connection", + "protocol", + "info" + ] + }, + "host": { + "name": "vagrant-2016" + }, + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 + }, + "related": { + "hosts": [ + "trc.taboola.map.fastly.net", + "match.taboola.com" + ], + "ip": [ + "151.101.194.49", + "151.101.2.49", + "151.101.66.49", + "151.101.130.49" + ] + }, + "sysmon": { + "dns": { + "status": "SUCCESS" + } + }, + "user": { + "id": "S-1-5-18" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2016", + "event_id": "22", + "opcode": "Info", + "process": { + "pid": 2828, + "thread": { + "id": 1684 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "166", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:06.056Z", + "dns": { + "answers": [ + { + "data": "a1834.dspg2.akamai.net", + "type": "CNAME" + }, + { + "data": "23.50.53.185", + "type": "A" + }, + { + "data": "23.50.53.194", + "type": "A" + } + ], + "question": { + "name": "img-s-msn-com.akamaized.net", + "registered_domain": "akamaized.net", + "subdomain": "img-s-msn-com", + "top_level_domain": "net" + }, + "resolved_ip": [ + "23.50.53.185", + "23.50.53.194" + ] + }, + "ecs": { + "version": "1.12.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "ingested": "2022-06-08T05:43:58.776271800Z", + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "host": { + "name": "vagrant-2016" + }, + "log": { + "level": "information" + }, + "network": { + 
"protocol": "dns" + }, + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 + }, + "related": { + "hosts": [ + "a1834.dspg2.akamai.net", + "img-s-msn-com.akamaized.net" + ], + "ip": [ + "23.50.53.185", + "23.50.53.194" + ] + }, + "sysmon": { + "dns": { + "status": "SUCCESS" + } + }, + "user": { + "id": "S-1-5-18" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2016", + "event_id": "22", + "opcode": "Info", + "process": { + "pid": 2828, + "thread": { + "id": 1684 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "167", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:06.064Z", + "dns": { + "answers": [ + { + "data": "a1505.g2.akamai.net", + "type": "CNAME" + }, + { + "data": "23.50.53.194", + "type": "A" + }, + { + "data": "23.50.53.186", + "type": "A" + } + ], + "question": { + "name": "static-entertainment-eus-s-msn-com.akamaized.net", + "registered_domain": "akamaized.net", + "subdomain": "static-entertainment-eus-s-msn-com", + "top_level_domain": "net" + }, + "resolved_ip": [ + "23.50.53.194", + "23.50.53.186" + ] + }, + "ecs": { + "version": "1.12.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "ingested": "2022-06-08T05:43:58.776286200Z", + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "host": { + "name": "vagrant-2016" + }, + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files 
(x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 + }, + "related": { + "hosts": [ + "a1505.g2.akamai.net", + "static-entertainment-eus-s-msn-com.akamaized.net" + ], + "ip": [ + "23.50.53.194", + "23.50.53.186" + ] + }, + "sysmon": { + "dns": { + "status": "SUCCESS" + } + }, + "user": { + "id": "S-1-5-18" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2016", + "event_id": "22", + "opcode": "Info", + "process": { + "pid": 2828, + "thread": { + "id": 1684 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "168", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:06.178Z", + "dns": { + "answers": [ + { + "data": "radarmaps.weather.microsoft.com.edgekey.net", + "type": "CNAME" + }, + { + "data": "e15275.g.akamaiedge.net", + "type": "CNAME" + }, + { + "data": "23.217.149.91", + "type": "A" + } + ], + "question": { + "name": "radarmaps.weather.microsoft.com", + "registered_domain": "microsoft.com", + "subdomain": "radarmaps.weather", + "top_level_domain": "com" + }, + "resolved_ip": [ + "23.217.149.91" + ] + }, + "ecs": { + "version": "1.12.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "ingested": "2022-06-08T05:43:58.776300500Z", + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "host": { + "name": "vagrant-2016" + }, + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 + }, + "related": { + "hosts": [ + 
"radarmaps.weather.microsoft.com.edgekey.net", + "e15275.g.akamaiedge.net", + "radarmaps.weather.microsoft.com" + ], + "ip": [ + "23.217.149.91" + ] + }, + "sysmon": { + "dns": { + "status": "SUCCESS" + } + }, + "user": { + "id": "S-1-5-18" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2016", + "event_id": "22", + "opcode": "Info", + "process": { + "pid": 2828, + "thread": { + "id": 1684 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "169", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:06.455Z", + "dns": { + "answers": [ + { + "data": "a1505.g2.akamai.net", + "type": "CNAME" + }, + { + "data": "23.50.53.194", + "type": "A" + }, + { + "data": "23.50.53.186", + "type": "A" + } + ], + "question": { + "name": "static-entertainment-eus-s-msn-com.akamaized.net", + "registered_domain": "akamaized.net", + "subdomain": "static-entertainment-eus-s-msn-com", + "top_level_domain": "net" + }, + "resolved_ip": [ + "23.50.53.194", + "23.50.53.186" + ] + }, + "ecs": { + "version": "1.12.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "ingested": "2022-06-08T05:43:58.776314800Z", + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "host": { + "name": "vagrant-2016" + }, + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, + "process": { + "entity_id": "{fa4a0de6-e8a8-5d2f-0000-001094619900}", + "executable": "C:\\Program Files\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 356 + }, + "related": { + "hosts": [ + "a1505.g2.akamai.net", + "static-entertainment-eus-s-msn-com.akamaized.net" + ], + "ip": [ + "23.50.53.194", + 
"23.50.53.186" + ] + }, + "sysmon": { + "dns": { + "status": "SUCCESS" + } + }, + "user": { + "id": "S-1-5-18" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2016", + "event_id": "22", + "opcode": "Info", + "process": { + "pid": 2828, + "thread": { + "id": 1684 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "170", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:06.494Z", + "dns": { + "answers": [ + { + "data": "cs747173190.wac.omegacdn.net", + "type": "CNAME" + }, + { + "data": "152.195.32.163", + "type": "A" + } + ], + "question": { + "name": "tag.sp.advertising.com", + "registered_domain": "advertising.com", + "subdomain": "tag.sp", + "top_level_domain": "com" + }, + "resolved_ip": [ + "152.195.32.163" + ] + }, + "ecs": { + "version": "1.12.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "ingested": "2022-06-08T05:43:58.776329Z", + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "host": { + "name": "vagrant-2016" + }, + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 + }, + "related": { + "hosts": [ + "cs747173190.wac.omegacdn.net", + "tag.sp.advertising.com" + ], + "ip": [ + "152.195.32.163" + ] + }, + "sysmon": { + "dns": { + "status": "SUCCESS" + } + }, + "user": { + "id": "S-1-5-18" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2016", + "event_id": "22", + 
"opcode": "Info", + "process": { + "pid": 2828, + "thread": { + "id": 1684 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "171", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:06.567Z", + "dns": { + "answers": [ + { + "data": "a-0001.a-afdentry.net.trafficmanager.net", + "type": "CNAME" + }, + { + "data": "dual-a-0001.a-msedge.net", + "type": "CNAME" + }, + { + "data": "204.79.197.200", + "type": "A" + }, + { + "data": "13.107.21.200", + "type": "A" + } + ], + "question": { + "name": "www.bing.com", + "registered_domain": "bing.com", + "subdomain": "www", + "top_level_domain": "com" + }, + "resolved_ip": [ + "204.79.197.200", + "13.107.21.200" + ] + }, + "ecs": { + "version": "1.12.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "ingested": "2022-06-08T05:43:58.776343200Z", + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "host": { + "name": "vagrant-2016" + }, + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 + }, + "related": { + "hosts": [ + "a-0001.a-afdentry.net.trafficmanager.net", + "dual-a-0001.a-msedge.net", + "www.bing.com" + ], + "ip": [ + "204.79.197.200", + "13.107.21.200" + ] + }, + "sysmon": { + "dns": { + "status": "SUCCESS" + } + }, + "user": { + "id": "S-1-5-18" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2016", + "event_id": "22", + "opcode": "Info", + "process": { + "pid": 2828, + "thread": { + "id": 1684 + } + }, + 
"provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "172", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:07.228Z", + "dns": { + "answers": [ + { + "data": "akacdn.doubleverify.com.edgekey.net", + "type": "CNAME" + }, + { + "data": "e17513.d.akamaiedge.net", + "type": "CNAME" + }, + { + "data": "23.52.164.109", + "type": "A" + } + ], + "question": { + "name": "cdn.doubleverify.com", + "registered_domain": "doubleverify.com", + "subdomain": "cdn", + "top_level_domain": "com" + }, + "resolved_ip": [ + "23.52.164.109" + ] + }, + "ecs": { + "version": "1.12.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "ingested": "2022-06-08T05:43:58.776357400Z", + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "host": { + "name": "vagrant-2016" + }, + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 + }, + "related": { + "hosts": [ + "akacdn.doubleverify.com.edgekey.net", + "e17513.d.akamaiedge.net", + "cdn.doubleverify.com" + ], + "ip": [ + "23.52.164.109" + ] + }, + "sysmon": { + "dns": { + "status": "SUCCESS" + } + }, + "user": { + "id": "S-1-5-18" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2016", + "event_id": "22", + "opcode": "Info", + "process": { + "pid": 2828, + "thread": { + "id": 1684 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "173", + "user": { + "domain": "NT 
AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:07.357Z", + "dns": { + "answers": [ + { + "data": "cdn.doubleverify.com", + "type": "CNAME" + }, + { + "data": "akacdn.doubleverify.com.edgekey.net", + "type": "CNAME" + }, + { + "data": "e17513.d.akamaiedge.net", + "type": "CNAME" + }, + { + "data": "23.52.164.109", + "type": "A" + } + ], + "question": { + "name": "cdn3.doubleverify.com", + "registered_domain": "doubleverify.com", + "subdomain": "cdn3", + "top_level_domain": "com" + }, + "resolved_ip": [ + "23.52.164.109" + ] + }, + "ecs": { + "version": "1.12.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "ingested": "2022-06-08T05:43:58.776371400Z", + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "host": { + "name": "vagrant-2016" + }, + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 + }, + "related": { + "hosts": [ + "cdn.doubleverify.com", + "akacdn.doubleverify.com.edgekey.net", + "e17513.d.akamaiedge.net", + "cdn3.doubleverify.com" + ], + "ip": [ + "23.52.164.109" + ] + }, + "sysmon": { + "dns": { + "status": "SUCCESS" + } + }, + "user": { + "id": "S-1-5-18" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2016", + "event_id": "22", + "opcode": "Info", + "process": { + "pid": 2828, + "thread": { + "id": 1684 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "174", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well 
Known Group" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:07.721Z", + "dns": { + "answers": [ + { + "data": "bs-geo.dvgtm.akadns.net", + "type": "CNAME" + }, + { + "data": "nycp-hlb.dvgtm.akadns.net", + "type": "CNAME" + }, + { + "data": "204.154.111.122", + "type": "A" + } + ], + "question": { + "name": "rtb0.doubleverify.com", + "registered_domain": "doubleverify.com", + "subdomain": "rtb0", + "top_level_domain": "com" + }, + "resolved_ip": [ + "204.154.111.122" + ] + }, + "ecs": { + "version": "1.12.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "ingested": "2022-06-08T05:43:58.776385700Z", + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "host": { + "name": "vagrant-2016" + }, + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 + }, + "related": { + "hosts": [ + "bs-geo.dvgtm.akadns.net", + "nycp-hlb.dvgtm.akadns.net", + "rtb0.doubleverify.com" + ], + "ip": [ + "204.154.111.122" + ] + }, + "sysmon": { + "dns": { + "status": "SUCCESS" + } + }, + "user": { + "id": "S-1-5-18" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2016", + "event_id": "22", + "opcode": "Info", + "process": { + "pid": 2828, + "thread": { + "id": 1684 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "175", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:07.774Z", + "dns": { + "answers": [ + { + "data": "platform.maps.glbdns2.microsoft.com", + 
"type": "CNAME" + }, + { + "data": "fe-bmplatform-prod-atm.trafficmanager.net", + "type": "CNAME" + }, + { + "data": "20.36.236.157", + "type": "A" + } + ], + "question": { + "name": "dev.virtualearth.net", + "registered_domain": "virtualearth.net", + "subdomain": "dev", + "top_level_domain": "net" + }, + "resolved_ip": [ + "20.36.236.157" + ] + }, + "ecs": { + "version": "1.12.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "ingested": "2022-06-08T05:43:58.776400100Z", + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "host": { + "name": "vagrant-2016" + }, + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 + }, + "related": { + "hosts": [ + "platform.maps.glbdns2.microsoft.com", + "fe-bmplatform-prod-atm.trafficmanager.net", + "dev.virtualearth.net" + ], + "ip": [ + "20.36.236.157" + ] + }, + "sysmon": { + "dns": { + "status": "SUCCESS" + } + }, + "user": { + "id": "S-1-5-18" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2016", + "event_id": "22", + "opcode": "Info", + "process": { + "pid": 2828, + "thread": { + "id": 1684 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "176", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:07.847Z", + "dns": { + "answers": [ + { + "data": "t.ssl.ak.dynamic.tiles.virtualearth.net.edgekey.net", + "type": "CNAME" + }, + { + "data": "e7622.g.akamaiedge.net", + "type": "CNAME" + }, + { + "data": 
"23.52.161.238", + "type": "A" + } + ], + "question": { + "name": "t.ssl.ak.dynamic.tiles.virtualearth.net", + "registered_domain": "virtualearth.net", + "subdomain": "t.ssl.ak.dynamic.tiles", + "top_level_domain": "net" + }, + "resolved_ip": [ + "23.52.161.238" + ] + }, + "ecs": { + "version": "1.12.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "ingested": "2022-06-08T05:43:58.776414600Z", + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "host": { + "name": "vagrant-2016" + }, + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 + }, + "related": { + "hosts": [ + "t.ssl.ak.dynamic.tiles.virtualearth.net.edgekey.net", + "e7622.g.akamaiedge.net", + "t.ssl.ak.dynamic.tiles.virtualearth.net" + ], + "ip": [ + "23.52.161.238" + ] + }, + "sysmon": { + "dns": { + "status": "SUCCESS" + } + }, + "user": { + "id": "S-1-5-18" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2016", + "event_id": "22", + "opcode": "Info", + "process": { + "pid": 2828, + "thread": { + "id": 1684 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "177", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:07.943Z", + "dns": { + "answers": [ + { + "data": "74.217.253.61", + "type": "A" + }, + { + "data": "192.5.6.30", + "type": "A" + }, + { + "data": "2001:503:a83e::2:30", + "type": "AAAA" + }, + { + "data": "192.33.14.30", + "type": "A" + }, + { + "data": "2001:503:231d::2:30", + 
"type": "AAAA" + }, + { + "data": "192.26.92.30", + "type": "A" + }, + { + "data": "2001:503:83eb::30", + "type": "AAAA" + }, + { + "data": "192.31.80.30", + "type": "A" + }, + { + "data": "2001:500:856e::30", + "type": "AAAA" + }, + { + "data": "192.12.94.30", + "type": "A" + }, + { + "data": "2001:502:1ca1::30", + "type": "AAAA" + }, + { + "data": "192.35.51.30", + "type": "A" + } + ], + "question": { + "name": "rp.gwallet.com", + "registered_domain": "gwallet.com", + "subdomain": "rp", + "top_level_domain": "com" + }, + "resolved_ip": [ + "74.217.253.61", + "192.5.6.30", + "2001:503:a83e::2:30", + "192.33.14.30", + "2001:503:231d::2:30", + "192.26.92.30", + "2001:503:83eb::30", + "192.31.80.30", + "2001:500:856e::30", + "192.12.94.30", + "2001:502:1ca1::30", + "192.35.51.30" + ] + }, + "ecs": { + "version": "1.12.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "ingested": "2022-06-08T05:43:58.776428700Z", + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "host": { + "name": "vagrant-2016" + }, + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 + }, + "related": { + "hosts": [ + "rp.gwallet.com" + ], + "ip": [ + "74.217.253.61", + "192.5.6.30", + "2001:503:a83e::2:30", + "192.33.14.30", + "2001:503:231d::2:30", + "192.26.92.30", + "2001:503:83eb::30", + "192.31.80.30", + "2001:500:856e::30", + "192.12.94.30", + "2001:502:1ca1::30", + "192.35.51.30" + ] + }, + "sysmon": { + "dns": { + "status": "SUCCESS" + } + }, + "user": { + "id": "S-1-5-18" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2016", + "event_id": "22", + "opcode": "Info", + "process": { + 
"pid": 2828, + "thread": { + "id": 1684 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "178", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:07.945Z", + "dns": { + "answers": [ + { + "data": "fo-fd-world-new.yax.gysm.yahoodns.net", + "type": "CNAME" + }, + { + "data": "98.139.225.43", + "type": "A" + }, + { + "data": "98.138.49.44", + "type": "A" + }, + { + "data": "72.30.3.43", + "type": "A" + }, + { + "data": "216.155.194.56", + "type": "A" + } + ], + "question": { + "name": "ads.yahoo.com", + "registered_domain": "yahoo.com", + "subdomain": "ads", + "top_level_domain": "com" + }, + "resolved_ip": [ + "98.139.225.43", + "98.138.49.44", + "72.30.3.43", + "216.155.194.56" + ] + }, + "ecs": { + "version": "1.12.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "ingested": "2022-06-08T05:43:58.776443200Z", + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "host": { + "name": "vagrant-2016" + }, + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 + }, + "related": { + "hosts": [ + "fo-fd-world-new.yax.gysm.yahoodns.net", + "ads.yahoo.com" + ], + "ip": [ + "98.139.225.43", + "98.138.49.44", + "72.30.3.43", + "216.155.194.56" + ] + }, + "sysmon": { + "dns": { + "status": "SUCCESS" + } + }, + "user": { + "id": "S-1-5-18" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2016", + "event_id": "22", + "opcode": "Info", + "process": { + "pid": 2828, + 
"thread": { + "id": 1684 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "179", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:07.954Z", + "dns": { + "answers": [ + { + "data": "169.55.104.49", + "type": "A" + }, + { + "data": "169.60.66.35", + "type": "A" + }, + { + "data": "169.61.103.241", + "type": "A" + } + ], + "question": { + "name": "um.simpli.fi", + "registered_domain": "simpli.fi", + "subdomain": "um", + "top_level_domain": "fi" + }, + "resolved_ip": [ + "169.55.104.49", + "169.60.66.35", + "169.61.103.241" + ] + }, + "ecs": { + "version": "1.12.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "ingested": "2022-06-08T05:43:58.776457400Z", + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "host": { + "name": "vagrant-2016" + }, + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 + }, + "related": { + "hosts": [ + "um.simpli.fi" + ], + "ip": [ + "169.55.104.49", + "169.60.66.35", + "169.61.103.241" + ] + }, + "sysmon": { + "dns": { + "status": "SUCCESS" + } + }, + "user": { + "id": "S-1-5-18" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2016", + "event_id": "22", + "opcode": "Info", + "process": { + "pid": 2828, + "thread": { + "id": 1684 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "180", + "user": { + "domain": "NT AUTHORITY", + "identifier": 
"S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:07.955Z", + "dns": { + "answers": [ + { + "data": "35.186.236.204", + "type": "A" + }, + { + "data": "192.5.6.30", + "type": "A" + }, + { + "data": "2001:503:a83e::2:30", + "type": "AAAA" + }, + { + "data": "192.33.14.30", + "type": "A" + }, + { + "data": "2001:503:231d::2:30", + "type": "AAAA" + }, + { + "data": "192.26.92.30", + "type": "A" + }, + { + "data": "2001:503:83eb::30", + "type": "AAAA" + }, + { + "data": "192.31.80.30", + "type": "A" + }, + { + "data": "2001:500:856e::30", + "type": "AAAA" + }, + { + "data": "192.12.94.30", + "type": "A" + }, + { + "data": "2001:502:1ca1::30", + "type": "AAAA" + } + ], + "question": { + "name": "mpp.vindicosuite.com", + "registered_domain": "vindicosuite.com", + "subdomain": "mpp", + "top_level_domain": "com" + }, + "resolved_ip": [ + "35.186.236.204", + "192.5.6.30", + "2001:503:a83e::2:30", + "192.33.14.30", + "2001:503:231d::2:30", + "192.26.92.30", + "2001:503:83eb::30", + "192.31.80.30", + "2001:500:856e::30", + "192.12.94.30", + "2001:502:1ca1::30" + ] + }, + "ecs": { + "version": "1.12.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "ingested": "2022-06-08T05:43:58.776471400Z", + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "host": { + "name": "vagrant-2016" + }, + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 + }, + "related": { + "hosts": [ + "mpp.vindicosuite.com" + ], + "ip": [ + "35.186.236.204", + "192.5.6.30", + "2001:503:a83e::2:30", + "192.33.14.30", + "2001:503:231d::2:30", + "192.26.92.30", + "2001:503:83eb::30", + "192.31.80.30", + 
"2001:500:856e::30", + "192.12.94.30", + "2001:502:1ca1::30" + ] + }, + "sysmon": { + "dns": { + "status": "SUCCESS" + } + }, + "user": { + "id": "S-1-5-18" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2016", + "event_id": "22", + "opcode": "Info", + "process": { + "pid": 2828, + "thread": { + "id": 1684 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "181", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:07.955Z", + "dns": { + "answers": [ + { + "data": "8.41.222.152", + "type": "A" + } + ], + "question": { + "name": "sync.1rx.io", + "registered_domain": "1rx.io", + "subdomain": "sync", + "top_level_domain": "io" + }, + "resolved_ip": [ + "8.41.222.152" + ] + }, + "ecs": { + "version": "1.12.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "ingested": "2022-06-08T05:43:58.776485800Z", + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "host": { + "name": "vagrant-2016" + }, + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 + }, + "related": { + "hosts": [ + "sync.1rx.io" + ], + "ip": [ + "8.41.222.152" + ] + }, + "sysmon": { + "dns": { + "status": "SUCCESS" + } + }, + "user": { + "id": "S-1-5-18" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2016", + "event_id": "22", + "opcode": "Info", + "process": { + "pid": 2828, + "thread": { + "id": 1684 + } + }, + 
"provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "182", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:07.956Z", + "dns": { + "answers": [ + { + "data": "sync.teads.tv.edgekey.net", + "type": "CNAME" + }, + { + "data": "e9957.g.akamaiedge.net", + "type": "CNAME" + }, + { + "data": "23.52.160.7", + "type": "A" + } + ], + "question": { + "name": "sync.teads.tv", + "registered_domain": "teads.tv", + "subdomain": "sync", + "top_level_domain": "tv" + }, + "resolved_ip": [ + "23.52.160.7" + ] + }, + "ecs": { + "version": "1.12.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "ingested": "2022-06-08T05:43:58.776500100Z", + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "host": { + "name": "vagrant-2016" + }, + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 + }, + "related": { + "hosts": [ + "sync.teads.tv.edgekey.net", + "e9957.g.akamaiedge.net", + "sync.teads.tv" + ], + "ip": [ + "23.52.160.7" + ] + }, + "sysmon": { + "dns": { + "status": "SUCCESS" + } + }, + "user": { + "id": "S-1-5-18" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2016", + "event_id": "22", + "opcode": "Info", + "process": { + "pid": 2828, + "thread": { + "id": 1684 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "183", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", 
+ "type": "Well Known Group" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:08.019Z", + "dns": { + "answers": [ + { + "data": "td.thebrighttag.com", + "type": "CNAME" + }, + { + "data": "3.15.109.176", + "type": "A" + }, + { + "data": "52.15.225.252", + "type": "A" + }, + { + "data": "3.18.121.79", + "type": "A" + }, + { + "data": "3.15.101.187", + "type": "A" + }, + { + "data": "192.5.6.30", + "type": "A" + }, + { + "data": "2001:503:a83e::2:30", + "type": "AAAA" + }, + { + "data": "192.33.14.30", + "type": "A" + }, + { + "data": "2001:503:231d::2:30", + "type": "AAAA" + }, + { + "data": "192.26.92.30", + "type": "A" + }, + { + "data": "2001:503:83eb::30", + "type": "AAAA" + }, + { + "data": "192.31.80.30", + "type": "A" + } + ], + "question": { + "name": "s.thebrighttag.com", + "registered_domain": "thebrighttag.com", + "subdomain": "s", + "top_level_domain": "com" + }, + "resolved_ip": [ + "3.15.109.176", + "52.15.225.252", + "3.18.121.79", + "3.15.101.187", + "192.5.6.30", + "2001:503:a83e::2:30", + "192.33.14.30", + "2001:503:231d::2:30", + "192.26.92.30", + "2001:503:83eb::30", + "192.31.80.30" + ] + }, + "ecs": { + "version": "1.12.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "ingested": "2022-06-08T05:43:58.776514300Z", + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "host": { + "name": "vagrant-2016" + }, + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 + }, + "related": { + "hosts": [ + "td.thebrighttag.com", + "s.thebrighttag.com" + ], + "ip": [ + "3.15.109.176", + "52.15.225.252", + "3.18.121.79", + "3.15.101.187", + "192.5.6.30", + "2001:503:a83e::2:30", + "192.33.14.30", + 
"2001:503:231d::2:30", + "192.26.92.30", + "2001:503:83eb::30", + "192.31.80.30" + ] + }, + "sysmon": { + "dns": { + "status": "SUCCESS" + } + }, + "user": { + "id": "S-1-5-18" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2016", + "event_id": "22", + "opcode": "Info", + "process": { + "pid": 2828, + "thread": { + "id": 1684 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "184", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:08.050Z", + "dns": { + "answers": [ + { + "data": "d386jaag4hn9zl.cloudfront.net", + "type": "CNAME" + }, + { + "data": "54.192.55.189", + "type": "A" + } + ], + "question": { + "name": "t.a3cloud.net", + "registered_domain": "a3cloud.net", + "subdomain": "t", + "top_level_domain": "net" + }, + "resolved_ip": [ + "54.192.55.189" + ] + }, + "ecs": { + "version": "1.12.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "ingested": "2022-06-08T05:43:58.776528600Z", + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "host": { + "name": "vagrant-2016" + }, + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 + }, + "related": { + "hosts": [ + "d386jaag4hn9zl.cloudfront.net", + "t.a3cloud.net" + ], + "ip": [ + "54.192.55.189" + ] + }, + "sysmon": { + "dns": { + "status": "SUCCESS" + } + }, + "user": { + "id": "S-1-5-18" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": 
"vagrant-2016", + "event_id": "22", + "opcode": "Info", + "process": { + "pid": 2828, + "thread": { + "id": 1684 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "186", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:08.070Z", + "dns": { + "answers": [ + { + "data": "nycp-hlb.doubleverify.com", + "type": "CNAME" + }, + { + "data": "nycp-hlb.dvgtm.akadns.net", + "type": "CNAME" + }, + { + "data": "204.154.111.122", + "type": "A" + } + ], + "question": { + "name": "tps618.doubleverify.com", + "registered_domain": "doubleverify.com", + "subdomain": "tps618", + "top_level_domain": "com" + }, + "resolved_ip": [ + "204.154.111.122" + ] + }, + "ecs": { + "version": "1.12.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "ingested": "2022-06-08T05:43:58.776542700Z", + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "host": { + "name": "vagrant-2016" + }, + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 + }, + "related": { + "hosts": [ + "nycp-hlb.doubleverify.com", + "nycp-hlb.dvgtm.akadns.net", + "tps618.doubleverify.com" + ], + "ip": [ + "204.154.111.122" + ] + }, + "sysmon": { + "dns": { + "status": "SUCCESS" + } + }, + "user": { + "id": "S-1-5-18" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2016", + "event_id": "22", + "opcode": "Info", + "process": { + "pid": 2828, + "thread": { + "id": 1684 + } + }, + "provider_guid": 
"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "187", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:08.090Z", + "dns": { + "answers": [ + { + "data": "gslb-2.demdex.net", + "type": "CNAME" + }, + { + "data": "edge-va6.demdex.net", + "type": "CNAME" + }, + { + "data": "dcs-edge-va6-802167536.us-east-1.elb.amazonaws.com", + "type": "CNAME" + }, + { + "data": "54.157.69.185", + "type": "A" + }, + { + "data": "18.209.139.81", + "type": "A" + }, + { + "data": "18.233.36.36", + "type": "A" + }, + { + "data": "52.54.198.81", + "type": "A" + }, + { + "data": "52.55.201.28", + "type": "A" + }, + { + "data": "18.210.34.44", + "type": "A" + }, + { + "data": "52.72.163.149", + "type": "A" + }, + { + "data": "18.232.198.130", + "type": "A" + }, + { + "data": "192.5.6.30", + "type": "A" + } + ], + "question": { + "name": "dpm.demdex.net", + "registered_domain": "demdex.net", + "subdomain": "dpm", + "top_level_domain": "net" + }, + "resolved_ip": [ + "54.157.69.185", + "18.209.139.81", + "18.233.36.36", + "52.54.198.81", + "52.55.201.28", + "18.210.34.44", + "52.72.163.149", + "18.232.198.130", + "192.5.6.30" + ] + }, + "ecs": { + "version": "1.12.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "ingested": "2022-06-08T05:43:58.776556700Z", + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "host": { + "name": "vagrant-2016" + }, + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 + }, + "related": { + "hosts": [ + "gslb-2.demdex.net", + "edge-va6.demdex.net", 
+ "dcs-edge-va6-802167536.us-east-1.elb.amazonaws.com", + "dpm.demdex.net" + ], + "ip": [ + "54.157.69.185", + "18.209.139.81", + "18.233.36.36", + "52.54.198.81", + "52.55.201.28", + "18.210.34.44", + "52.72.163.149", + "18.232.198.130", + "192.5.6.30" + ] + }, + "sysmon": { + "dns": { + "status": "SUCCESS" + } + }, + "user": { + "id": "S-1-5-18" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2016", + "event_id": "22", + "opcode": "Info", + "process": { + "pid": 2828, + "thread": { + "id": 1684 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "188", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:08.308Z", + "dns": { + "answers": [ + { + "data": "g.geogslb.com", + "type": "CNAME" + }, + { + "data": "ib.anycast.adnxs.com", + "type": "CNAME" + }, + { + "data": "68.67.179.228", + "type": "A" + }, + { + "data": "68.67.180.44", + "type": "A" + }, + { + "data": "204.13.192.141", + "type": "A" + }, + { + "data": "68.67.178.230", + "type": "A" + }, + { + "data": "68.67.178.252", + "type": "A" + }, + { + "data": "68.67.179.23", + "type": "A" + }, + { + "data": "68.67.179.232", + "type": "A" + }, + { + "data": "68.67.180.12", + "type": "A" + }, + { + "data": "192.5.6.30", + "type": "A" + }, + { + "data": "2001:503:a83e::2:30", + "type": "AAAA" + }, + { + "data": "192.33.14.30", + "type": "A" + } + ], + "question": { + "name": "secure.adnxs.com", + "registered_domain": "adnxs.com", + "subdomain": "secure", + "top_level_domain": "com" + }, + "resolved_ip": [ + "68.67.179.228", + "68.67.180.44", + "204.13.192.141", + "68.67.178.230", + "68.67.178.252", + "68.67.179.23", + "68.67.179.232", + "68.67.180.12", + "192.5.6.30", + "2001:503:a83e::2:30", + "192.33.14.30" + ] + }, + "ecs": { + 
"version": "1.12.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "ingested": "2022-06-08T05:43:58.776570600Z", + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "host": { + "name": "vagrant-2016" + }, + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 + }, + "related": { + "hosts": [ + "g.geogslb.com", + "ib.anycast.adnxs.com", + "secure.adnxs.com" + ], + "ip": [ + "68.67.179.228", + "68.67.180.44", + "204.13.192.141", + "68.67.178.230", + "68.67.178.252", + "68.67.179.23", + "68.67.179.232", + "68.67.180.12", + "192.5.6.30", + "2001:503:a83e::2:30", + "192.33.14.30" + ] + }, + "sysmon": { + "dns": { + "status": "SUCCESS" + } + }, + "user": { + "id": "S-1-5-18" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2016", + "event_id": "22", + "opcode": "Info", + "process": { + "pid": 2828, + "thread": { + "id": 1684 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "189", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:08.478Z", + "dns": { + "answers": [ + { + "data": "tps-geo.dvgtm.akadns.net", + "type": "CNAME" + }, + { + "data": "nycp-hlb.dvgtm.akadns.net", + "type": "CNAME" + }, + { + "data": "204.154.111.122", + "type": "A" + } + ], + "question": { + "name": "tps.doubleverify.com", + "registered_domain": "doubleverify.com", + "subdomain": "tps", + "top_level_domain": "com" + }, + "resolved_ip": [ + "204.154.111.122" + ] + }, + "ecs": { + 
"version": "1.12.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "ingested": "2022-06-08T05:43:58.776586800Z", + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "host": { + "name": "vagrant-2016" + }, + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 + }, + "related": { + "hosts": [ + "tps-geo.dvgtm.akadns.net", + "nycp-hlb.dvgtm.akadns.net", + "tps.doubleverify.com" + ], + "ip": [ + "204.154.111.122" + ] + }, + "sysmon": { + "dns": { + "status": "SUCCESS" + } + }, + "user": { + "id": "S-1-5-18" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2016", + "event_id": "22", + "opcode": "Info", + "process": { + "pid": 2828, + "thread": { + "id": 1684 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "190", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:08.536Z", + "dns": { + "answers": [ + { + "data": "idaas-production.us-east-1.elasticbeanstalk.com", + "type": "CNAME" + }, + { + "data": "52.71.175.22", + "type": "A" + }, + { + "data": "52.71.208.229", + "type": "A" + }, + { + "data": "52.86.201.172", + "type": "A" + }, + { + "data": "52.7.6.198", + "type": "A" + }, + { + "data": "54.152.156.164", + "type": "A" + }, + { + "data": "54.152.56.202", + "type": "A" + }, + { + "data": "54.164.15.83", + "type": "A" + }, + { + "data": "52.86.191.75", + "type": "A" + }, + { + "data": "192.5.6.30", + "type": "A" + }, + { + "data": "2001:503:a83e::2:30", + 
"type": "AAAA" + }, + { + "data": "192.33.14.30", + "type": "A" + } + ], + "question": { + "name": "i.liadm.com", + "registered_domain": "liadm.com", + "subdomain": "i", + "top_level_domain": "com" + }, + "resolved_ip": [ + "52.71.175.22", + "52.71.208.229", + "52.86.201.172", + "52.7.6.198", + "54.152.156.164", + "54.152.56.202", + "54.164.15.83", + "52.86.191.75", + "192.5.6.30", + "2001:503:a83e::2:30", + "192.33.14.30" + ] + }, + "ecs": { + "version": "1.12.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "ingested": "2022-06-08T05:43:58.776601200Z", + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "host": { + "name": "vagrant-2016" + }, + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 + }, + "related": { + "hosts": [ + "idaas-production.us-east-1.elasticbeanstalk.com", + "i.liadm.com" + ], + "ip": [ + "52.71.175.22", + "52.71.208.229", + "52.86.201.172", + "52.7.6.198", + "54.152.156.164", + "54.152.56.202", + "54.164.15.83", + "52.86.191.75", + "192.5.6.30", + "2001:503:a83e::2:30", + "192.33.14.30" + ] + }, + "sysmon": { + "dns": { + "status": "SUCCESS" + } + }, + "user": { + "id": "S-1-5-18" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2016", + "event_id": "22", + "opcode": "Info", + "process": { + "pid": 2828, + "thread": { + "id": 1684 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "191", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + }, + { + "@timestamp": 
"2019-07-18T03:34:08.544Z", + "dns": { + "answers": [ + { + "data": "67.231.251.189", + "type": "A" + }, + { + "data": "192.5.6.30", + "type": "A" + }, + { + "data": "2001:503:a83e::2:30", + "type": "AAAA" + }, + { + "data": "192.33.14.30", + "type": "A" + }, + { + "data": "2001:503:231d::2:30", + "type": "AAAA" + }, + { + "data": "192.26.92.30", + "type": "A" + }, + { + "data": "2001:503:83eb::30", + "type": "AAAA" + }, + { + "data": "192.31.80.30", + "type": "A" + }, + { + "data": "2001:500:856e::30", + "type": "AAAA" + }, + { + "data": "192.12.94.30", + "type": "A" + }, + { + "data": "2001:502:1ca1::30", + "type": "AAAA" + }, + { + "data": "192.35.51.30", + "type": "A" + } + ], + "question": { + "name": "pixel.s3xified.com", + "registered_domain": "s3xified.com", + "subdomain": "pixel", + "top_level_domain": "com" + }, + "resolved_ip": [ + "67.231.251.189", + "192.5.6.30", + "2001:503:a83e::2:30", + "192.33.14.30", + "2001:503:231d::2:30", + "192.26.92.30", + "2001:503:83eb::30", + "192.31.80.30", + "2001:500:856e::30", + "192.12.94.30", + "2001:502:1ca1::30", + "192.35.51.30" + ] + }, + "ecs": { + "version": "1.12.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "ingested": "2022-06-08T05:43:58.776616500Z", + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "host": { + "name": "vagrant-2016" + }, + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 + }, + "related": { + "hosts": [ + "pixel.s3xified.com" + ], + "ip": [ + "67.231.251.189", + "192.5.6.30", + "2001:503:a83e::2:30", + "192.33.14.30", + "2001:503:231d::2:30", + "192.26.92.30", + "2001:503:83eb::30", + "192.31.80.30", + "2001:500:856e::30", + "192.12.94.30", + 
"2001:502:1ca1::30", + "192.35.51.30" + ] + }, + "sysmon": { + "dns": { + "status": "SUCCESS" + } + }, + "user": { + "id": "S-1-5-18" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2016", + "event_id": "22", + "opcode": "Info", + "process": { + "pid": 2828, + "thread": { + "id": 1684 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "192", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:08.550Z", + "dns": { + "answers": [ + { + "data": "104.20.252.85", + "type": "A" + }, + { + "data": "104.20.253.85", + "type": "A" + }, + { + "data": "192.5.6.30", + "type": "A" + }, + { + "data": "2001:503:a83e::2:30", + "type": "AAAA" + }, + { + "data": "192.33.14.30", + "type": "A" + }, + { + "data": "2001:503:231d::2:30", + "type": "AAAA" + }, + { + "data": "192.26.92.30", + "type": "A" + }, + { + "data": "2001:503:83eb::30", + "type": "AAAA" + }, + { + "data": "192.31.80.30", + "type": "A" + }, + { + "data": "2001:500:856e::30", + "type": "AAAA" + }, + { + "data": "192.12.94.30", + "type": "A" + } + ], + "question": { + "name": "router.infolinks.com", + "registered_domain": "infolinks.com", + "subdomain": "router", + "top_level_domain": "com" + }, + "resolved_ip": [ + "104.20.252.85", + "104.20.253.85", + "192.5.6.30", + "2001:503:a83e::2:30", + "192.33.14.30", + "2001:503:231d::2:30", + "192.26.92.30", + "2001:503:83eb::30", + "192.31.80.30", + "2001:500:856e::30", + "192.12.94.30" + ] + }, + "ecs": { + "version": "1.12.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "ingested": "2022-06-08T05:43:58.776672300Z", + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "host": { 
+ "name": "vagrant-2016" + }, + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 + }, + "related": { + "hosts": [ + "router.infolinks.com" + ], + "ip": [ + "104.20.252.85", + "104.20.253.85", + "192.5.6.30", + "2001:503:a83e::2:30", + "192.33.14.30", + "2001:503:231d::2:30", + "192.26.92.30", + "2001:503:83eb::30", + "192.31.80.30", + "2001:500:856e::30", + "192.12.94.30" + ] + }, + "sysmon": { + "dns": { + "status": "SUCCESS" + } + }, + "user": { + "id": "S-1-5-18" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2016", + "event_id": "22", + "opcode": "Info", + "process": { + "pid": 2828, + "thread": { + "id": 1684 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "193", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:08.552Z", + "dns": { + "answers": [ + { + "data": "94.23.171.206", + "type": "A" + }, + { + "data": "188.165.137.78", + "type": "A" + }, + { + "data": "87.98.128.108", + "type": "A" + }, + { + "data": "94.23.73.243", + "type": "A" + }, + { + "data": "94.23.144.220", + "type": "A" + }, + { + "data": "87.98.228.78", + "type": "A" + }, + { + "data": "188.165.27.173", + "type": "A" + }, + { + "data": "87.98.252.5", + "type": "A" + }, + { + "data": "188.165.4.142", + "type": "A" + }, + { + "data": "87.98.242.60", + "type": "A" + } + ], + "question": { + "name": "grey.erne.co", + "registered_domain": "erne.co", + "subdomain": "grey", + "top_level_domain": "co" + }, + "resolved_ip": [ + "94.23.171.206", + "188.165.137.78", + "87.98.128.108", + 
"94.23.73.243", + "94.23.144.220", + "87.98.228.78", + "188.165.27.173", + "87.98.252.5", + "188.165.4.142", + "87.98.242.60" + ] + }, + "ecs": { + "version": "1.12.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "ingested": "2022-06-08T05:43:58.776839200Z", + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "host": { + "name": "vagrant-2016" + }, + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 + }, + "related": { + "hosts": [ + "grey.erne.co" + ], + "ip": [ + "94.23.171.206", + "188.165.137.78", + "87.98.128.108", + "94.23.73.243", + "94.23.144.220", + "87.98.228.78", + "188.165.27.173", + "87.98.252.5", + "188.165.4.142", + "87.98.242.60" + ] + }, + "sysmon": { + "dns": { + "status": "SUCCESS" + } + }, + "user": { + "id": "S-1-5-18" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2016", + "event_id": "22", + "opcode": "Info", + "process": { + "pid": 2828, + "thread": { + "id": 1684 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "194", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:08.552Z", + "dns": { + "answers": [ + { + "data": "54.243.145.203", + "type": "A" + }, + { + "data": "54.221.211.153", + "type": "A" + }, + { + "data": "192.5.6.30", + "type": "A" + }, + { + "data": "2001:503:a83e::2:30", + "type": "AAAA" + }, + { + "data": "192.33.14.30", + "type": "A" + }, + { + "data": "2001:503:231d::2:30", + "type": "AAAA" + }, + { + 
"data": "192.26.92.30", + "type": "A" + }, + { + "data": "2001:503:83eb::30", + "type": "AAAA" + }, + { + "data": "192.31.80.30", + "type": "A" + }, + { + "data": "2001:500:856e::30", + "type": "AAAA" + }, + { + "data": "192.12.94.30", + "type": "A" + }, + { + "data": "2001:502:1ca1::30", + "type": "AAAA" + } + ], + "question": { + "name": "sync.jivox.com", + "registered_domain": "jivox.com", + "subdomain": "sync", + "top_level_domain": "com" + }, + "resolved_ip": [ + "54.243.145.203", + "54.221.211.153", + "192.5.6.30", + "2001:503:a83e::2:30", + "192.33.14.30", + "2001:503:231d::2:30", + "192.26.92.30", + "2001:503:83eb::30", + "192.31.80.30", + "2001:500:856e::30", + "192.12.94.30", + "2001:502:1ca1::30" + ] + }, + "ecs": { + "version": "1.12.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "ingested": "2022-06-08T05:43:58.776888800Z", + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "host": { + "name": "vagrant-2016" + }, + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 + }, + "related": { + "hosts": [ + "sync.jivox.com" + ], + "ip": [ + "54.243.145.203", + "54.221.211.153", + "192.5.6.30", + "2001:503:a83e::2:30", + "192.33.14.30", + "2001:503:231d::2:30", + "192.26.92.30", + "2001:503:83eb::30", + "192.31.80.30", + "2001:500:856e::30", + "192.12.94.30", + "2001:502:1ca1::30" + ] + }, + "sysmon": { + "dns": { + "status": "SUCCESS" + } + }, + "user": { + "id": "S-1-5-18" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2016", + "event_id": "22", + "opcode": "Info", + "process": { + "pid": 2828, + "thread": { + "id": 1684 + } + }, + "provider_guid": 
"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "195", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:08.594Z", + "dns": { + "answers": [ + { + "data": "b1-lsw-use1.zemanta.com", + "type": "CNAME" + }, + { + "data": "207.244.121.25", + "type": "A" + }, + { + "data": "108.59.0.1", + "type": "A" + }, + { + "data": "162.210.196.115", + "type": "A" + }, + { + "data": "207.244.94.20", + "type": "A" + }, + { + "data": "108.59.0.12", + "type": "A" + }, + { + "data": "207.244.121.65", + "type": "A" + }, + { + "data": "162.210.199.69", + "type": "A" + }, + { + "data": "207.244.76.83", + "type": "A" + }, + { + "data": "162.210.197.137", + "type": "A" + }, + { + "data": "207.244.108.217", + "type": "A" + }, + { + "data": "207.244.121.137", + "type": "A" + }, + { + "data": "207.244.67.99", + "type": "A" + }, + { + "data": "198.7.56.229", + "type": "A" + }, + { + "data": "198.7.56.231", + "type": "A" + }, + { + "data": "108.59.4.172", + "type": "A" + }, + { + "data": "108.62.117.43", + "type": "A" + }, + { + "data": "108.59.4.171", + "type": "A" + }, + { + "data": "207.244.121.27", + "type": "A" + }, + { + "data": "207.244.71.67", + "type": "A" + }, + { + "data": "207.244.121.70", + "type": "A" + }, + { + "data": "199.58.84.25", + "type": "A" + }, + { + "data": "207.244.67.98", + "type": "A" + }, + { + "data": "162.210.196.116", + "type": "A" + }, + { + "data": "207.244.73.10", + "type": "A" + }, + { + "data": "207.244.110.3", + "type": "A" + }, + { + "data": "108.59.4.173", + "type": "A" + }, + { + "data": "108.59.0.8", + "type": "A" + }, + { + "data": "207.244.71.88", + "type": "A" + }, + { + "data": "207.244.121.73", + "type": "A" + }, + { + "data": "207.244.69.231", + "type": "A" + }, + { + "data": "108.59.0.2", + "type": "A" + }, + { + "data": "207.244.121.74", + "type": "A" + }, + { 
+ "data": "192.5.6.30", + "type": "A" + }, + { + "data": "2001:503:a83e::2:30", + "type": "AAAA" + }, + { + "data": "192.33.14.30", + "type": "A" + }, + { + "data": "2001:503:231d::2:30", + "type": "AAAA" + }, + { + "data": "192.26.92.30", + "type": "A" + }, + { + "data": "2001:503:83eb::30", + "type": "AAAA" + }, + { + "data": "192.31.80.30", + "type": "A" + }, + { + "data": "2001:500:856e::30", + "type": "AAAA" + }, + { + "data": "192.12.94.30", + "type": "A" + }, + { + "data": "2001:502:1ca1::30", + "type": "AAAA" + }, + { + "data": "192.35.51.30", + "type": "A" + }, + { + "data": "2001:503:d414::30", + "type": "AAAA" + }, + { + "data": "192.42.93.30", + "type": "A" + }, + { + "data": "2001:503:eea3::30", + "type": "AAAA" + }, + { + "data": "192.54.112.30", + "type": "A" + }, + { + "data": "2001:502:8cc::30", + "type": "AAAA" + }, + { + "data": "192.43.172.30", + "type": "A" + }, + { + "data": "2001:503:39c1::30", + "type": "AAAA" + }, + { + "data": "192.48.79.30", + "type": "A" + }, + { + "data": "2001:502:7094::30", + "type": "AAAA" + } + ], + "question": { + "name": "b1sync.zemanta.com", + "registered_domain": "zemanta.com", + "subdomain": "b1sync", + "top_level_domain": "com" + }, + "resolved_ip": [ + "207.244.121.25", + "108.59.0.1", + "162.210.196.115", + "207.244.94.20", + "108.59.0.12", + "207.244.121.65", + "162.210.199.69", + "207.244.76.83", + "162.210.197.137", + "207.244.108.217", + "207.244.121.137", + "207.244.67.99", + "198.7.56.229", + "198.7.56.231", + "108.59.4.172", + "108.62.117.43", + "108.59.4.171", + "207.244.121.27", + "207.244.71.67", + "207.244.121.70", + "199.58.84.25", + "207.244.67.98", + "162.210.196.116", + "207.244.73.10", + "207.244.110.3", + "108.59.4.173", + "108.59.0.8", + "207.244.71.88", + "207.244.121.73", + "207.244.69.231", + "108.59.0.2", + "207.244.121.74", + "192.5.6.30", + "2001:503:a83e::2:30", + "192.33.14.30", + "2001:503:231d::2:30", + "192.26.92.30", + "2001:503:83eb::30", + "192.31.80.30", + 
"2001:500:856e::30", + "192.12.94.30", + "2001:502:1ca1::30", + "192.35.51.30", + "2001:503:d414::30", + "192.42.93.30", + "2001:503:eea3::30", + "192.54.112.30", + "2001:502:8cc::30", + "192.43.172.30", + "2001:503:39c1::30", + "192.48.79.30", + "2001:502:7094::30" + ] + }, + "ecs": { + "version": "1.12.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "ingested": "2022-06-08T05:43:58.776900Z", + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "host": { + "name": "vagrant-2016" + }, + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 + }, + "related": { + "hosts": [ + "b1-lsw-use1.zemanta.com", + "b1sync.zemanta.com" + ], + "ip": [ + "207.244.121.25", + "108.59.0.1", + "162.210.196.115", + "207.244.94.20", + "108.59.0.12", + "207.244.121.65", + "162.210.199.69", + "207.244.76.83", + "162.210.197.137", + "207.244.108.217", + "207.244.121.137", + "207.244.67.99", + "198.7.56.229", + "198.7.56.231", + "108.59.4.172", + "108.62.117.43", + "108.59.4.171", + "207.244.121.27", + "207.244.71.67", + "207.244.121.70", + "199.58.84.25", + "207.244.67.98", + "162.210.196.116", + "207.244.73.10", + "207.244.110.3", + "108.59.4.173", + "108.59.0.8", + "207.244.71.88", + "207.244.121.73", + "207.244.69.231", + "108.59.0.2", + "207.244.121.74", + "192.5.6.30", + "2001:503:a83e::2:30", + "192.33.14.30", + "2001:503:231d::2:30", + "192.26.92.30", + "2001:503:83eb::30", + "192.31.80.30", + "2001:500:856e::30", + "192.12.94.30", + "2001:502:1ca1::30", + "192.35.51.30", + "2001:503:d414::30", + "192.42.93.30", + "2001:503:eea3::30", + "192.54.112.30", + "2001:502:8cc::30", + "192.43.172.30", + "2001:503:39c1::30", + "192.48.79.30", + "2001:502:7094::30" + ] 
+ }, + "sysmon": { + "dns": { + "status": "SUCCESS" + } + }, + "user": { + "id": "S-1-5-18" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2016", + "event_id": "22", + "opcode": "Info", + "process": { + "pid": 2828, + "thread": { + "id": 1684 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "196", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:08.619Z", + "dns": { + "answers": [ + { + "data": "tg3.dr.socdm.com", + "type": "CNAME" + }, + { + "data": "124.146.215.43", + "type": "A" + }, + { + "data": "202.241.208.53", + "type": "A" + }, + { + "data": "124.146.215.46", + "type": "A" + }, + { + "data": "202.241.208.52", + "type": "A" + }, + { + "data": "124.146.215.48", + "type": "A" + }, + { + "data": "124.146.215.45", + "type": "A" + }, + { + "data": "202.241.208.54", + "type": "A" + }, + { + "data": "124.146.215.47", + "type": "A" + }, + { + "data": "124.146.215.42", + "type": "A" + }, + { + "data": "124.146.215.44", + "type": "A" + }, + { + "data": "202.241.208.55", + "type": "A" + }, + { + "data": "202.241.208.56", + "type": "A" + }, + { + "data": "192.5.6.30", + "type": "A" + }, + { + "data": "2001:503:a83e::2:30", + "type": "AAAA" + } + ], + "question": { + "name": "tg.socdm.com", + "registered_domain": "socdm.com", + "subdomain": "tg", + "top_level_domain": "com" + }, + "resolved_ip": [ + "124.146.215.43", + "202.241.208.53", + "124.146.215.46", + "202.241.208.52", + "124.146.215.48", + "124.146.215.45", + "202.241.208.54", + "124.146.215.47", + "124.146.215.42", + "124.146.215.44", + "202.241.208.55", + "202.241.208.56", + "192.5.6.30", + "2001:503:a83e::2:30" + ] + }, + "ecs": { + "version": "1.12.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + 
"ingested": "2022-06-08T05:43:58.776929800Z", + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "host": { + "name": "vagrant-2016" + }, + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 + }, + "related": { + "hosts": [ + "tg3.dr.socdm.com", + "tg.socdm.com" + ], + "ip": [ + "124.146.215.43", + "202.241.208.53", + "124.146.215.46", + "202.241.208.52", + "124.146.215.48", + "124.146.215.45", + "202.241.208.54", + "124.146.215.47", + "124.146.215.42", + "124.146.215.44", + "202.241.208.55", + "202.241.208.56", + "192.5.6.30", + "2001:503:a83e::2:30" + ] + }, + "sysmon": { + "dns": { + "status": "SUCCESS" + } + }, + "user": { + "id": "S-1-5-18" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2016", + "event_id": "22", + "opcode": "Info", + "process": { + "pid": 2828, + "thread": { + "id": 1684 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "197", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:08.620Z", + "dns": { + "answers": [ + { + "data": "prebid.appnexusgslb.net", + "type": "CNAME" + }, + { + "data": "68.67.153.75", + "type": "A" + } + ], + "question": { + "name": "prebid.adnxs.com", + "registered_domain": "adnxs.com", + "subdomain": "prebid", + "top_level_domain": "com" + }, + "resolved_ip": [ + "68.67.153.75" + ] + }, + "ecs": { + "version": "1.12.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "ingested": "2022-06-08T05:43:58.776944Z", + 
"kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "host": { + "name": "vagrant-2016" + }, + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 + }, + "related": { + "hosts": [ + "prebid.appnexusgslb.net", + "prebid.adnxs.com" + ], + "ip": [ + "68.67.153.75" + ] + }, + "sysmon": { + "dns": { + "status": "SUCCESS" + } + }, + "user": { + "id": "S-1-5-18" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2016", + "event_id": "22", + "opcode": "Info", + "process": { + "pid": 2828, + "thread": { + "id": 1684 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "198", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:08.811Z", + "dns": { + "answers": [ + { + "data": "tps.doubleverify.com", + "type": "CNAME" + }, + { + "data": "tps-geo.dvgtm.akadns.net", + "type": "CNAME" + }, + { + "data": "nycp-hlb.dvgtm.akadns.net", + "type": "CNAME" + }, + { + "data": "204.154.111.122", + "type": "A" + } + ], + "question": { + "name": "ul1.dvtps.com", + "registered_domain": "dvtps.com", + "subdomain": "ul1", + "top_level_domain": "com" + }, + "resolved_ip": [ + "204.154.111.122" + ] + }, + "ecs": { + "version": "1.12.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "ingested": "2022-06-08T05:43:58.776960900Z", + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "host": { + "name": 
"vagrant-2016" + }, + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 + }, + "related": { + "hosts": [ + "tps.doubleverify.com", + "tps-geo.dvgtm.akadns.net", + "nycp-hlb.dvgtm.akadns.net", + "ul1.dvtps.com" + ], + "ip": [ + "204.154.111.122" + ] + }, + "sysmon": { + "dns": { + "status": "SUCCESS" + } + }, + "user": { + "id": "S-1-5-18" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2016", + "event_id": "22", + "opcode": "Info", + "process": { + "pid": 2828, + "thread": { + "id": 1684 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "199", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:08.912Z", + "dns": { + "question": { + "name": "ul1.dvtps.com", + "registered_domain": "dvtps.com", + "subdomain": "ul1", + "top_level_domain": "com" + } + }, + "ecs": { + "version": "1.12.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "ingested": "2022-06-08T05:43:58.776975700Z", + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "host": { + "name": "vagrant-2016" + }, + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 + }, + "related": { + "hosts": [ + "ul1.dvtps.com" + ] + }, + "sysmon": { + "dns": { + "status": 
"DNS_ERROR_RECORD_DOES_NOT_EXIST" + } + }, + "user": { + "id": "S-1-5-18" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2016", + "event_id": "22", + "opcode": "Info", + "process": { + "pid": 2828, + "thread": { + "id": 1684 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "200", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:09.016Z", + "dns": { + "answers": [ + { + "data": "tags.bluekai.com.edgekey.net", + "type": "CNAME" + }, + { + "data": "e13541.x.akamaiedge.net", + "type": "CNAME" + }, + { + "data": "23.3.125.199", + "type": "A" + } + ], + "question": { + "name": "tags.bluekai.com", + "registered_domain": "bluekai.com", + "subdomain": "tags", + "top_level_domain": "com" + }, + "resolved_ip": [ + "23.3.125.199" + ] + }, + "ecs": { + "version": "1.12.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "ingested": "2022-06-08T05:43:58.776990100Z", + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "host": { + "name": "vagrant-2016" + }, + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 + }, + "related": { + "hosts": [ + "tags.bluekai.com.edgekey.net", + "e13541.x.akamaiedge.net", + "tags.bluekai.com" + ], + "ip": [ + "23.3.125.199" + ] + }, + "sysmon": { + "dns": { + "status": "SUCCESS" + } + }, + "user": { + "id": "S-1-5-18" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": 
"vagrant-2016", + "event_id": "22", + "opcode": "Info", + "process": { + "pid": 2828, + "thread": { + "id": 1684 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "201", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:09.048Z", + "dns": { + "answers": [ + { + "data": "104.19.195.151", + "type": "A" + }, + { + "data": "104.19.199.151", + "type": "A" + }, + { + "data": "104.19.198.151", + "type": "A" + }, + { + "data": "104.19.197.151", + "type": "A" + }, + { + "data": "104.19.196.151", + "type": "A" + }, + { + "data": "192.5.6.30", + "type": "A" + }, + { + "data": "2001:503:a83e::2:30", + "type": "AAAA" + }, + { + "data": "192.33.14.30", + "type": "A" + }, + { + "data": "2001:503:231d::2:30", + "type": "AAAA" + }, + { + "data": "192.26.92.30", + "type": "A" + }, + { + "data": "2001:503:83eb::30", + "type": "AAAA" + }, + { + "data": "192.31.80.30", + "type": "A" + } + ], + "question": { + "name": "cdnjs.cloudflare.com", + "registered_domain": "cloudflare.com", + "subdomain": "cdnjs", + "top_level_domain": "com" + }, + "resolved_ip": [ + "104.19.195.151", + "104.19.199.151", + "104.19.198.151", + "104.19.197.151", + "104.19.196.151", + "192.5.6.30", + "2001:503:a83e::2:30", + "192.33.14.30", + "2001:503:231d::2:30", + "192.26.92.30", + "2001:503:83eb::30", + "192.31.80.30" + ] + }, + "ecs": { + "version": "1.12.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "ingested": "2022-06-08T05:43:58.777004300Z", + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "host": { + "name": "vagrant-2016" + }, + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, + "process": { + "entity_id": 
"{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 + }, + "related": { + "hosts": [ + "cdnjs.cloudflare.com" + ], + "ip": [ + "104.19.195.151", + "104.19.199.151", + "104.19.198.151", + "104.19.197.151", + "104.19.196.151", + "192.5.6.30", + "2001:503:a83e::2:30", + "192.33.14.30", + "2001:503:231d::2:30", + "192.26.92.30", + "2001:503:83eb::30", + "192.31.80.30" + ] + }, + "sysmon": { + "dns": { + "status": "SUCCESS" + } + }, + "user": { + "id": "S-1-5-18" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2016", + "event_id": "22", + "opcode": "Info", + "process": { + "pid": 2828, + "thread": { + "id": 1684 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "202", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:09.051Z", + "dns": { + "answers": [ + { + "data": "85.194.243.23", + "type": "A" + }, + { + "data": "85.194.243.239", + "type": "A" + }, + { + "data": "85.194.240.137", + "type": "A" + }, + { + "data": "85.194.242.103", + "type": "A" + }, + { + "data": "192.5.6.30", + "type": "A" + }, + { + "data": "2001:503:a83e::2:30", + "type": "AAAA" + }, + { + "data": "192.33.14.30", + "type": "A" + }, + { + "data": "2001:503:231d::2:30", + "type": "AAAA" + }, + { + "data": "192.26.92.30", + "type": "A" + }, + { + "data": "2001:503:83eb::30", + "type": "AAAA" + }, + { + "data": "192.31.80.30", + "type": "A" + }, + { + "data": "2001:500:856e::30", + "type": "AAAA" + } + ], + "question": { + "name": "pixel.onaudience.com", + "registered_domain": "onaudience.com", + "subdomain": "pixel", + "top_level_domain": "com" + }, + "resolved_ip": [ + "85.194.243.23", + "85.194.243.239", + 
"85.194.240.137", + "85.194.242.103", + "192.5.6.30", + "2001:503:a83e::2:30", + "192.33.14.30", + "2001:503:231d::2:30", + "192.26.92.30", + "2001:503:83eb::30", + "192.31.80.30", + "2001:500:856e::30" + ] + }, + "ecs": { + "version": "1.12.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "ingested": "2022-06-08T05:43:58.777018400Z", + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "host": { + "name": "vagrant-2016" + }, + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 + }, + "related": { + "hosts": [ + "pixel.onaudience.com" + ], + "ip": [ + "85.194.243.23", + "85.194.243.239", + "85.194.240.137", + "85.194.242.103", + "192.5.6.30", + "2001:503:a83e::2:30", + "192.33.14.30", + "2001:503:231d::2:30", + "192.26.92.30", + "2001:503:83eb::30", + "192.31.80.30", + "2001:500:856e::30" + ] + }, + "sysmon": { + "dns": { + "status": "SUCCESS" + } + }, + "user": { + "id": "S-1-5-18" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2016", + "event_id": "22", + "opcode": "Info", + "process": { + "pid": 2828, + "thread": { + "id": 1684 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "203", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:09.054Z", + "dns": { + "answers": [ + { + "data": "ocsp.digicert.com", + "type": "CNAME" + }, + { + "data": "cs9.wac.phicdn.net", + "type": "CNAME" + }, + { + "data": "72.21.91.29", + "type": "A" + } + ], + "question": { 
+ "name": "status.geotrust.com", + "registered_domain": "geotrust.com", + "subdomain": "status", + "top_level_domain": "com" + }, + "resolved_ip": [ + "72.21.91.29" + ] + }, + "ecs": { + "version": "1.12.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "ingested": "2022-06-08T05:43:58.777032700Z", + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "host": { + "name": "vagrant-2016" + }, + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 + }, + "related": { + "hosts": [ + "ocsp.digicert.com", + "cs9.wac.phicdn.net", + "status.geotrust.com" + ], + "ip": [ + "72.21.91.29" + ] + }, + "sysmon": { + "dns": { + "status": "SUCCESS" + } + }, + "user": { + "id": "S-1-5-18" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2016", + "event_id": "22", + "opcode": "Info", + "process": { + "pid": 2828, + "thread": { + "id": 1684 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "204", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:09.126Z", + "dns": { + "answers": [ + { + "data": "t3j2g9x7.stackpathcdn.com", + "type": "CNAME" + }, + { + "data": "151.139.128.14", + "type": "A" + }, + { + "data": "192.5.6.30", + "type": "A" + }, + { + "data": "2001:503:a83e::2:30", + "type": "AAAA" + }, + { + "data": "192.33.14.30", + "type": "A" + }, + { + "data": "2001:503:231d::2:30", + "type": "AAAA" + }, + { + "data": "192.26.92.30", + "type": "A" + }, + { + "data": 
"2001:503:83eb::30", + "type": "AAAA" + }, + { + "data": "192.31.80.30", + "type": "A" + }, + { + "data": "2001:500:856e::30", + "type": "AAAA" + }, + { + "data": "192.12.94.30", + "type": "A" + } + ], + "question": { + "name": "ocsp.trust-provider.com", + "registered_domain": "trust-provider.com", + "subdomain": "ocsp", + "top_level_domain": "com" + }, + "resolved_ip": [ + "151.139.128.14", + "192.5.6.30", + "2001:503:a83e::2:30", + "192.33.14.30", + "2001:503:231d::2:30", + "192.26.92.30", + "2001:503:83eb::30", + "192.31.80.30", + "2001:500:856e::30", + "192.12.94.30" + ] + }, + "ecs": { + "version": "1.12.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "ingested": "2022-06-08T05:43:58.777046600Z", + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "host": { + "name": "vagrant-2016" + }, + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 + }, + "related": { + "hosts": [ + "t3j2g9x7.stackpathcdn.com", + "ocsp.trust-provider.com" + ], + "ip": [ + "151.139.128.14", + "192.5.6.30", + "2001:503:a83e::2:30", + "192.33.14.30", + "2001:503:231d::2:30", + "192.26.92.30", + "2001:503:83eb::30", + "192.31.80.30", + "2001:500:856e::30", + "192.12.94.30" + ] + }, + "sysmon": { + "dns": { + "status": "SUCCESS" + } + }, + "user": { + "id": "S-1-5-18" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2016", + "event_id": "22", + "opcode": "Info", + "process": { + "pid": 2828, + "thread": { + "id": 1684 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "205", + "user": { + "domain": "NT 
AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:09.184Z", + "dns": { + "answers": [ + { + "data": "t3j2g9x7.stackpathcdn.com", + "type": "CNAME" + }, + { + "data": "151.139.128.14", + "type": "A" + }, + { + "data": "192.5.6.30", + "type": "A" + }, + { + "data": "2001:503:a83e::2:30", + "type": "AAAA" + }, + { + "data": "192.33.14.30", + "type": "A" + }, + { + "data": "2001:503:231d::2:30", + "type": "AAAA" + }, + { + "data": "192.26.92.30", + "type": "A" + }, + { + "data": "2001:503:83eb::30", + "type": "AAAA" + }, + { + "data": "192.31.80.30", + "type": "A" + }, + { + "data": "2001:500:856e::30", + "type": "AAAA" + }, + { + "data": "192.12.94.30", + "type": "A" + } + ], + "question": { + "name": "ocsp.comodoca4.com", + "registered_domain": "comodoca4.com", + "subdomain": "ocsp", + "top_level_domain": "com" + }, + "resolved_ip": [ + "151.139.128.14", + "192.5.6.30", + "2001:503:a83e::2:30", + "192.33.14.30", + "2001:503:231d::2:30", + "192.26.92.30", + "2001:503:83eb::30", + "192.31.80.30", + "2001:500:856e::30", + "192.12.94.30" + ] + }, + "ecs": { + "version": "1.12.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "ingested": "2022-06-08T05:43:58.777060700Z", + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "host": { + "name": "vagrant-2016" + }, + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 + }, + "related": { + "hosts": [ + "t3j2g9x7.stackpathcdn.com", + "ocsp.comodoca4.com" + ], + "ip": [ + "151.139.128.14", + "192.5.6.30", + "2001:503:a83e::2:30", + "192.33.14.30", + "2001:503:231d::2:30", + "192.26.92.30", + 
"2001:503:83eb::30", + "192.31.80.30", + "2001:500:856e::30", + "192.12.94.30" + ] + }, + "sysmon": { + "dns": { + "status": "SUCCESS" + } + }, + "user": { + "id": "S-1-5-18" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2016", + "event_id": "22", + "opcode": "Info", + "process": { + "pid": 2828, + "thread": { + "id": 1684 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "206", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:09.322Z", + "dns": { + "answers": [ + { + "data": "td.crwdcntrl.net", + "type": "CNAME" + }, + { + "data": "nginx-bcp-stackB-428666447.us-east-1.elb.amazonaws.com", + "type": "CNAME" + }, + { + "data": "52.4.111.14", + "type": "A" + }, + { + "data": "52.205.68.184", + "type": "A" + }, + { + "data": "52.0.28.154", + "type": "A" + }, + { + "data": "34.225.82.232", + "type": "A" + }, + { + "data": "18.213.13.245", + "type": "A" + }, + { + "data": "52.22.171.66", + "type": "A" + }, + { + "data": "52.207.199.229", + "type": "A" + }, + { + "data": "52.72.57.144", + "type": "A" + }, + { + "data": "192.5.6.30", + "type": "A" + } + ], + "question": { + "name": "sync.crwdcntrl.net", + "registered_domain": "crwdcntrl.net", + "subdomain": "sync", + "top_level_domain": "net" + }, + "resolved_ip": [ + "52.4.111.14", + "52.205.68.184", + "52.0.28.154", + "34.225.82.232", + "18.213.13.245", + "52.22.171.66", + "52.207.199.229", + "52.72.57.144", + "192.5.6.30" + ] + }, + "ecs": { + "version": "1.12.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "ingested": "2022-06-08T05:43:58.777079700Z", + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "host": { + 
"name": "vagrant-2016" + }, + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 + }, + "related": { + "hosts": [ + "td.crwdcntrl.net", + "nginx-bcp-stackB-428666447.us-east-1.elb.amazonaws.com", + "sync.crwdcntrl.net" + ], + "ip": [ + "52.4.111.14", + "52.205.68.184", + "52.0.28.154", + "34.225.82.232", + "18.213.13.245", + "52.22.171.66", + "52.207.199.229", + "52.72.57.144", + "192.5.6.30" + ] + }, + "sysmon": { + "dns": { + "status": "SUCCESS" + } + }, + "user": { + "id": "S-1-5-18" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2016", + "event_id": "22", + "opcode": "Info", + "process": { + "pid": 2828, + "thread": { + "id": 1684 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "207", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:09.730Z", + "dns": { + "answers": [ + { + "data": "cpe.us.dotomi.weighted.com.akadns.net", + "type": "CNAME" + }, + { + "data": "cpe.us.iad.dotomi.weighted.com.akadns.net", + "type": "CNAME" + }, + { + "data": "iad04-convex.dotomi.com", + "type": "CNAME" + }, + { + "data": "159.127.42.114", + "type": "A" + }, + { + "data": "192.5.6.30", + "type": "A" + }, + { + "data": "2001:503:a83e::2:30", + "type": "AAAA" + }, + { + "data": "192.33.14.30", + "type": "A" + }, + { + "data": "2001:503:231d::2:30", + "type": "AAAA" + }, + { + "data": "192.26.92.30", + "type": "A" + } + ], + "question": { + "name": "match.sync.ad.cpe.dotomi.com", + "registered_domain": "dotomi.com", + "subdomain": "match.sync.ad.cpe", + "top_level_domain": "com" + 
}, + "resolved_ip": [ + "159.127.42.114", + "192.5.6.30", + "2001:503:a83e::2:30", + "192.33.14.30", + "2001:503:231d::2:30", + "192.26.92.30" + ] + }, + "ecs": { + "version": "1.12.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "ingested": "2022-06-08T05:43:58.777088100Z", + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "host": { + "name": "vagrant-2016" + }, + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 + }, + "related": { + "hosts": [ + "cpe.us.dotomi.weighted.com.akadns.net", + "cpe.us.iad.dotomi.weighted.com.akadns.net", + "iad04-convex.dotomi.com", + "match.sync.ad.cpe.dotomi.com" + ], + "ip": [ + "159.127.42.114", + "192.5.6.30", + "2001:503:a83e::2:30", + "192.33.14.30", + "2001:503:231d::2:30", + "192.26.92.30" + ] + }, + "sysmon": { + "dns": { + "status": "SUCCESS" + } + }, + "user": { + "id": "S-1-5-18" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2016", + "event_id": "22", + "opcode": "Info", + "process": { + "pid": 2828, + "thread": { + "id": 1684 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "208", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:10.627Z", + "dns": { + "answers": [ + { + "data": "nycp-hlb.doubleverify.com", + "type": "CNAME" + }, + { + "data": "nycp-hlb.dvgtm.akadns.net", + "type": "CNAME" + }, + { + "data": "204.154.111.122", + "type": "A" + } + ], + "question": { + "name": 
"tps10230.doubleverify.com", + "registered_domain": "doubleverify.com", + "subdomain": "tps10230", + "top_level_domain": "com" + }, + "resolved_ip": [ + "204.154.111.122" + ] + }, + "ecs": { + "version": "1.12.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "ingested": "2022-06-08T05:43:58.777094600Z", + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "host": { + "name": "vagrant-2016" + }, + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 + }, + "related": { + "hosts": [ + "nycp-hlb.doubleverify.com", + "nycp-hlb.dvgtm.akadns.net", + "tps10230.doubleverify.com" + ], + "ip": [ + "204.154.111.122" + ] + }, + "sysmon": { + "dns": { + "status": "SUCCESS" + } + }, + "user": { + "id": "S-1-5-18" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2016", + "event_id": "22", + "opcode": "Info", + "process": { + "pid": 2828, + "thread": { + "id": 1684 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "209", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:10.650Z", + "dns": { + "answers": [ + { + "data": "nycp-hlb.doubleverify.com", + "type": "CNAME" + }, + { + "data": "nycp-hlb.dvgtm.akadns.net", + "type": "CNAME" + }, + { + "data": "204.154.111.122", + "type": "A" + } + ], + "question": { + "name": "tps10221.doubleverify.com", + "registered_domain": "doubleverify.com", + "subdomain": "tps10221", + "top_level_domain": "com" + }, + "resolved_ip": [ + 
"204.154.111.122" + ] + }, + "ecs": { + "version": "1.12.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "ingested": "2022-06-08T05:43:58.777102400Z", + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "host": { + "name": "vagrant-2016" + }, + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 + }, + "related": { + "hosts": [ + "nycp-hlb.doubleverify.com", + "nycp-hlb.dvgtm.akadns.net", + "tps10221.doubleverify.com" + ], + "ip": [ + "204.154.111.122" + ] + }, + "sysmon": { + "dns": { + "status": "SUCCESS" + } + }, + "user": { + "id": "S-1-5-18" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2016", + "event_id": "22", + "opcode": "Info", + "process": { + "pid": 2828, + "thread": { + "id": 1684 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "210", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:16.329Z", + "dns": { + "answers": [ + { + "data": "star-mini.c10r.facebook.com", + "type": "CNAME" + }, + { + "data": "31.13.71.36", + "type": "A" + }, + { + "data": "192.5.6.30", + "type": "A" + }, + { + "data": "2001:503:a83e::2:30", + "type": "AAAA" + }, + { + "data": "192.33.14.30", + "type": "A" + }, + { + "data": "2001:503:231d::2:30", + "type": "AAAA" + }, + { + "data": "192.26.92.30", + "type": "A" + }, + { + "data": "2001:503:83eb::30", + "type": "AAAA" + }, + { + "data": "192.31.80.30", + "type": "A" + }, + { + "data": "2001:500:856e::30", + 
"type": "AAAA" + }, + { + "data": "192.12.94.30", + "type": "A" + } + ], + "question": { + "name": "www.facebook.com", + "registered_domain": "facebook.com", + "subdomain": "www", + "top_level_domain": "com" + }, + "resolved_ip": [ + "31.13.71.36", + "192.5.6.30", + "2001:503:a83e::2:30", + "192.33.14.30", + "2001:503:231d::2:30", + "192.26.92.30", + "2001:503:83eb::30", + "192.31.80.30", + "2001:500:856e::30", + "192.12.94.30" + ] + }, + "ecs": { + "version": "1.12.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "ingested": "2022-06-08T05:43:58.777108200Z", + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "host": { + "name": "vagrant-2016" + }, + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 + }, + "related": { + "hosts": [ + "star-mini.c10r.facebook.com", + "www.facebook.com" + ], + "ip": [ + "31.13.71.36", + "192.5.6.30", + "2001:503:a83e::2:30", + "192.33.14.30", + "2001:503:231d::2:30", + "192.26.92.30", + "2001:503:83eb::30", + "192.31.80.30", + "2001:500:856e::30", + "192.12.94.30" + ] + }, + "sysmon": { + "dns": { + "status": "SUCCESS" + } + }, + "user": { + "id": "S-1-5-18" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2016", + "event_id": "22", + "opcode": "Info", + "process": { + "pid": 2828, + "thread": { + "id": 1684 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "212", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + }, + { + "@timestamp": 
"2019-07-18T03:34:16.386Z", + "dns": { + "answers": [ + { + "data": "cs472.wac.edgecastcdn.net", + "type": "CNAME" + }, + { + "data": "cs1-apr-8315.wac.edgecastcdn.net", + "type": "CNAME" + }, + { + "data": "wac.apr-8315.edgecastdns.net", + "type": "CNAME" + }, + { + "data": "cs1-lb-us.8315.ecdns.net", + "type": "CNAME" + }, + { + "data": "cs491.wac.edgecastcdn.net", + "type": "CNAME" + }, + { + "data": "192.229.163.25", + "type": "A" + } + ], + "question": { + "name": "platform.twitter.com", + "registered_domain": "twitter.com", + "subdomain": "platform", + "top_level_domain": "com" + }, + "resolved_ip": [ + "192.229.163.25" + ] + }, + "ecs": { + "version": "1.12.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "ingested": "2022-06-08T05:43:58.777117700Z", + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "host": { + "name": "vagrant-2016" + }, + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 + }, + "related": { + "hosts": [ + "cs472.wac.edgecastcdn.net", + "cs1-apr-8315.wac.edgecastcdn.net", + "wac.apr-8315.edgecastdns.net", + "cs1-lb-us.8315.ecdns.net", + "cs491.wac.edgecastcdn.net", + "platform.twitter.com" + ], + "ip": [ + "192.229.163.25" + ] + }, + "sysmon": { + "dns": { + "status": "SUCCESS" + } + }, + "user": { + "id": "S-1-5-18" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2016", + "event_id": "22", + "opcode": "Info", + "process": { + "pid": 2828, + "thread": { + "id": 1684 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "213", + "user": { + "domain": "NT 
AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:16.482Z", + "dns": { + "answers": [ + { + "data": "104.244.42.8", + "type": "A" + }, + { + "data": "104.244.42.200", + "type": "A" + }, + { + "data": "104.244.42.136", + "type": "A" + }, + { + "data": "104.244.42.72", + "type": "A" + }, + { + "data": "192.5.6.30", + "type": "A" + }, + { + "data": "2001:503:a83e::2:30", + "type": "AAAA" + }, + { + "data": "192.33.14.30", + "type": "A" + }, + { + "data": "2001:503:231d::2:30", + "type": "AAAA" + }, + { + "data": "192.26.92.30", + "type": "A" + }, + { + "data": "2001:503:83eb::30", + "type": "AAAA" + }, + { + "data": "192.31.80.30", + "type": "A" + }, + { + "data": "2001:500:856e::30", + "type": "AAAA" + } + ], + "question": { + "name": "syndication.twitter.com", + "registered_domain": "twitter.com", + "subdomain": "syndication", + "top_level_domain": "com" + }, + "resolved_ip": [ + "104.244.42.8", + "104.244.42.200", + "104.244.42.136", + "104.244.42.72", + "192.5.6.30", + "2001:503:a83e::2:30", + "192.33.14.30", + "2001:503:231d::2:30", + "192.26.92.30", + "2001:503:83eb::30", + "192.31.80.30", + "2001:500:856e::30" + ] + }, + "ecs": { + "version": "1.12.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "ingested": "2022-06-08T05:43:58.777144300Z", + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "host": { + "name": "vagrant-2016" + }, + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 + }, + "related": { + "hosts": [ + "syndication.twitter.com" + ], + "ip": [ + "104.244.42.8", + "104.244.42.200", + "104.244.42.136", + 
"104.244.42.72", + "192.5.6.30", + "2001:503:a83e::2:30", + "192.33.14.30", + "2001:503:231d::2:30", + "192.26.92.30", + "2001:503:83eb::30", + "192.31.80.30", + "2001:500:856e::30" + ] + }, + "sysmon": { + "dns": { + "status": "SUCCESS" + } + }, + "user": { + "id": "S-1-5-18" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2016", + "event_id": "22", + "opcode": "Info", + "process": { + "pid": 2828, + "thread": { + "id": 1684 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "214", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:19.578Z", + "dns": { + "answers": [ + { + "data": "pagead.l.doubleclick.net", + "type": "CNAME" + }, + { + "data": "172.217.10.34", + "type": "A" + } + ], + "question": { + "name": "ade.googlesyndication.com", + "registered_domain": "googlesyndication.com", + "subdomain": "ade", + "top_level_domain": "com" + }, + "resolved_ip": [ + "172.217.10.34" + ] + }, + "ecs": { + "version": "1.12.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "ingested": "2022-06-08T05:43:58.777156200Z", + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "host": { + "name": "vagrant-2016" + }, + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, + "process": { + "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 2736 + }, + "related": { + "hosts": [ + "pagead.l.doubleclick.net", + "ade.googlesyndication.com" + ], + "ip": [ + "172.217.10.34" + ] + }, + "sysmon": { + "dns": { + "status": "SUCCESS" + } + }, + "user": { + 
"id": "S-1-5-18" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2016", + "event_id": "22", + "opcode": "Info", + "process": { + "pid": 2828, + "thread": { + "id": 1684 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "215", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:34:31.219Z", + "dns": { + "answers": [ + { + "data": "ie9comview.vo.msecnd.net", + "type": "CNAME" + }, + { + "data": "cs9.wpc.v0cdn.net", + "type": "CNAME" + }, + { + "data": "72.21.81.200", + "type": "A" + } + ], + "question": { + "name": "iecvlist.microsoft.com", + "registered_domain": "microsoft.com", + "subdomain": "iecvlist", + "top_level_domain": "com" + }, + "resolved_ip": [ + "72.21.81.200" + ] + }, + "ecs": { + "version": "1.12.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "ingested": "2022-06-08T05:43:58.777163100Z", + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "host": { + "name": "vagrant-2016" + }, + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, + "process": { + "entity_id": "{fa4a0de6-e8a8-5d2f-0000-001094619900}", + "executable": "C:\\Program Files\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 356 + }, + "related": { + "hosts": [ + "ie9comview.vo.msecnd.net", + "cs9.wpc.v0cdn.net", + "iecvlist.microsoft.com" + ], + "ip": [ + "72.21.81.200" + ] + }, + "sysmon": { + "dns": { + "status": "SUCCESS" + } + }, + "user": { + "id": "S-1-5-18" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2016", + "event_id": "22", + "opcode": "Info", + "process": { 
+ "pid": 2828, + "thread": { + "id": 1684 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "216", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:39:02.752Z", + "dns": { + "answers": [ + { + "data": "tsfe.trafficmanager.net", + "type": "CNAME" + }, + { + "data": "40.77.232.95", + "type": "A" + } + ], + "question": { + "name": "tsfe.trafficshaping.dsp.mp.microsoft.com", + "registered_domain": "microsoft.com", + "subdomain": "tsfe.trafficshaping.dsp.mp", + "top_level_domain": "com" + }, + "resolved_ip": [ + "40.77.232.95" + ] + }, + "ecs": { + "version": "1.12.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "ingested": "2022-06-08T05:43:58.777205500Z", + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "host": { + "name": "vagrant-2016" + }, + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, + "process": { + "entity_id": "{fa4a0de6-b1a2-5d2f-0000-00106aca0000}", + "executable": "C:\\Windows\\System32\\svchost.exe", + "name": "svchost.exe", + "pid": 844 + }, + "related": { + "hosts": [ + "tsfe.trafficmanager.net", + "tsfe.trafficshaping.dsp.mp.microsoft.com" + ], + "ip": [ + "40.77.232.95" + ] + }, + "sysmon": { + "dns": { + "status": "SUCCESS" + } + }, + "user": { + "id": "S-1-5-18" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2016", + "event_id": "22", + "opcode": "Info", + "process": { + "pid": 2828, + "thread": { + "id": 1684 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "220", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", 
+ "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:39:20.413Z", + "dns": { + "question": { + "name": "isatap.local.crowbird.com", + "registered_domain": "crowbird.com", + "subdomain": "isatap.local", + "top_level_domain": "com" + } + }, + "ecs": { + "version": "1.12.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "ingested": "2022-06-08T05:43:58.778350300Z", + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "host": { + "name": "vagrant-2016" + }, + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, + "process": { + "entity_id": "{fa4a0de6-b1a2-5d2f-0000-00106aca0000}", + "executable": "C:\\Windows\\System32\\svchost.exe", + "name": "svchost.exe", + "pid": 844 + }, + "related": { + "hosts": [ + "isatap.local.crowbird.com" + ] + }, + "sysmon": { + "dns": { + "status": "DNS_ERROR_RCODE_NAME_ERROR" + } + }, + "user": { + "id": "S-1-5-18" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2016", + "event_id": "22", + "opcode": "Info", + "process": { + "pid": 2828, + "thread": { + "id": 1684 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "221", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:39:40.504Z", + "dns": { + "question": { + "name": "puppet" + } + }, + "ecs": { + "version": "1.12.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "ingested": "2022-06-08T05:43:58.778386300Z", + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "host": { + "name": "vagrant-2016" 
+ }, + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, + "process": { + "entity_id": "{fa4a0de6-e9f7-5d2f-0000-001031039c00}", + "executable": "C:\\Program Files\\Puppet Labs\\Puppet\\sys\\ruby\\bin\\ruby.exe", + "name": "ruby.exe", + "pid": 676 + }, + "related": { + "hosts": [ + "puppet" + ] + }, + "sysmon": { + "dns": { + "status": "DNS_ERROR_RCODE_NAME_ERROR" + } + }, + "user": { + "id": "S-1-5-18" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2016", + "event_id": "22", + "opcode": "Info", + "process": { + "pid": 2828, + "thread": { + "id": 1684 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "230", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:40:40.433Z", + "dns": { + "question": { + "name": "wpad" + } + }, + "ecs": { + "version": "1.12.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "ingested": "2022-06-08T05:43:58.778398900Z", + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "host": { + "name": "vagrant-2016" + }, + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, + "process": { + "entity_id": "{fa4a0de6-b1a2-5d2f-0000-001016f70000}", + "executable": "C:\\Windows\\System32\\svchost.exe", + "name": "svchost.exe", + "pid": 636 + }, + "related": { + "hosts": [ + "wpad" + ] + }, + "sysmon": { + "dns": { + "status": "DNS_ERROR_RCODE_NAME_ERROR" + } + }, + "user": { + "id": "S-1-5-18" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2016", + "event_id": "22", + "opcode": "Info", + "process": { + "pid": 2828, + "thread": { 
+ "id": 1684 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "231", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:42:54.033Z", + "dns": { + "answers": [ + { + "data": "v10-win.vortex.data.microsoft.com.akadns.net", + "type": "CNAME" + }, + { + "data": "geo.vortex.data.microsoft.com.akadns.net", + "type": "CNAME" + }, + { + "data": "bn2.vortex.data.microsoft.com.akadns.net", + "type": "CNAME" + }, + { + "data": "65.55.44.109", + "type": "A" + } + ], + "question": { + "name": "v10.vortex-win.data.microsoft.com", + "registered_domain": "microsoft.com", + "subdomain": "v10.vortex-win.data", + "top_level_domain": "com" + }, + "resolved_ip": [ + "65.55.44.109" + ] + }, + "ecs": { + "version": "1.12.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "ingested": "2022-06-08T05:43:58.778411100Z", + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "host": { + "name": "vagrant-2016" + }, + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, + "process": { + "entity_id": "{fa4a0de6-b1a3-5d2f-0000-00102f440100}", + "executable": "C:\\Windows\\System32\\svchost.exe", + "name": "svchost.exe", + "pid": 1788 + }, + "related": { + "hosts": [ + "v10-win.vortex.data.microsoft.com.akadns.net", + "geo.vortex.data.microsoft.com.akadns.net", + "bn2.vortex.data.microsoft.com.akadns.net", + "v10.vortex-win.data.microsoft.com" + ], + "ip": [ + "65.55.44.109" + ] + }, + "sysmon": { + "dns": { + "status": "SUCCESS" + } + }, + "user": { + "id": "S-1-5-18" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2016", + "event_id": "22", + "opcode": "Info", + "process": { + 
"pid": 2828, + "thread": { + "id": 1684 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "232", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:43:04.400Z", + "dns": { + "answers": [ + { + "data": "settingsfd-geo.trafficmanager.net", + "type": "CNAME" + }, + { + "data": "20.36.218.63", + "type": "A" + } + ], + "question": { + "name": "settings-win.data.microsoft.com", + "registered_domain": "microsoft.com", + "subdomain": "settings-win.data", + "top_level_domain": "com" + }, + "resolved_ip": [ + "20.36.218.63" + ] + }, + "ecs": { + "version": "1.12.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "ingested": "2022-06-08T05:43:58.778423200Z", + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "host": { + "name": "vagrant-2016" + }, + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, + "process": { + "entity_id": "{fa4a0de6-b1a3-5d2f-0000-00102f440100}", + "executable": "C:\\Windows\\System32\\svchost.exe", + "name": "svchost.exe", + "pid": 1788 + }, + "related": { + "hosts": [ + "settingsfd-geo.trafficmanager.net", + "settings-win.data.microsoft.com" + ], + "ip": [ + "20.36.218.63" + ] + }, + "sysmon": { + "dns": { + "status": "SUCCESS" + } + }, + "user": { + "id": "S-1-5-18" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2016", + "event_id": "22", + "opcode": "Info", + "process": { + "pid": 2828, + "thread": { + "id": 1684 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "233", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + 
"name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-07-18T03:49:51.154Z", + "dns": { + "answers": [ + { + "data": "wd-prod-ss.trafficmanager.net", + "type": "CNAME" + }, + { + "data": "wd-prod-ss-us-east-1-fe.eastus.cloudapp.azure.com", + "type": "CNAME" + }, + { + "data": "40.121.17.79", + "type": "A" + }, + { + "data": "192.5.6.30", + "type": "A" + }, + { + "data": "2001:503:a83e::2:30", + "type": "AAAA" + }, + { + "data": "192.33.14.30", + "type": "A" + }, + { + "data": "2001:503:231d::2:30", + "type": "AAAA" + }, + { + "data": "192.26.92.30", + "type": "A" + }, + { + "data": "2001:503:83eb::30", + "type": "AAAA" + } + ], + "question": { + "name": "c.urs.microsoft.com", + "registered_domain": "microsoft.com", + "subdomain": "c.urs", + "top_level_domain": "com" + }, + "resolved_ip": [ + "40.121.17.79", + "192.5.6.30", + "2001:503:a83e::2:30", + "192.33.14.30", + "2001:503:231d::2:30", + "192.26.92.30", + "2001:503:83eb::30" + ] + }, + "ecs": { + "version": "1.12.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "ingested": "2022-06-08T05:43:58.778435Z", + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "host": { + "name": "vagrant-2016" + }, + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, + "process": { + "entity_id": "{fa4a0de6-e8a8-5d2f-0000-001094619900}", + "executable": "C:\\Program Files\\Internet Explorer\\iexplore.exe", + "name": "iexplore.exe", + "pid": 356 + }, + "related": { + "hosts": [ + "wd-prod-ss.trafficmanager.net", + "wd-prod-ss-us-east-1-fe.eastus.cloudapp.azure.com", + "c.urs.microsoft.com" + ], + "ip": [ + "40.121.17.79", + "192.5.6.30", + "2001:503:a83e::2:30", + "192.33.14.30", + "2001:503:231d::2:30", + "192.26.92.30", + "2001:503:83eb::30" + ] + }, + "sysmon": { + "dns": { + "status": "SUCCESS" + } + }, + "user": { + "id": "S-1-5-18" + }, + 
"winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2016", + "event_id": "22", + "opcode": "Info", + "process": { + "pid": 2828, + "thread": { + "id": 1684 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "234", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + } +] \ No newline at end of file diff --git a/x-pack/winlogbeat/module/sysmon/test/testdata/ingest/sysmon-11-filedelete.golden.json b/x-pack/winlogbeat/module/sysmon/test/testdata/ingest/sysmon-11-filedelete.golden.json new file mode 100644 index 000000000000..fd3bd910927d --- /dev/null +++ b/x-pack/winlogbeat/module/sysmon/test/testdata/ingest/sysmon-11-filedelete.golden.json 
@@ -0,0 +1,251 @@ +[ + { + "@timestamp": "2020-05-07T08:14:44.489Z", + "ecs": { + "version": "1.12.0" + }, + "event": { + "category": [ + "file" + ], + "code": "23", + "ingested": "2022-06-08T05:43:59.441187600Z", + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "deletion" + ] + }, + "file": { + "directory": "C:\\Users\\vagrant\\AppData\\Local\\Temp\\1\\go-build583768550\\b001", + "extension": "exe", + "name": "test.test.exe", + "path": "C:\\Users\\vagrant\\AppData\\Local\\Temp\\1\\go-build583768550\\b001\\test.test.exe" + }, + "host": { + "name": "vagrant-2012-r2" + }, + "log": { + "level": "information" + }, + "process": { + "entity_id": "{42f11c3b-c36f-5eb3-2c07-290000000000}", + "executable": "C:\\Users\\vagrant\\.gvm\\versions\\go1.13.10.windows.amd64\\bin\\go.exe", + "hash": { + "md5": "199e1cf5b2250bd515ecccf4ca686301" + }, + "name": "go.exe", + "pe": { + "imphash": "d90d8c7812aec8da0fa173afa1293ab2" + }, + "pid": 2184 + }, + "related": { + "hash": [ + "199e1cf5b2250bd515ecccf4ca686301", + "d90d8c7812aec8da0fa173afa1293ab2" + ], + "user": [ + "vagrant" + ] + }, + "sysmon": { + "file": { + "archived": true, + "is_executable": true + } + }, + "user": { + "domain": "VAGRANT-2012-R2", + "id": "S-1-5-18", + "name": "vagrant" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2012-r2", + "event_id": "23", + "opcode": "Info", + "process": { + "pid": 664, + "thread": { + "id": 2360 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "612", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + }, + { + "@timestamp": "2020-05-07T07:27:18.722Z", + "ecs": { + "version": "1.12.0" + }, + "event": { + "category": [ + "file" + ], + "code": "23", + "ingested": 
"2022-06-08T05:43:59.441228100Z", + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "deletion" + ] + }, + "file": { + "directory": "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local", + "extension": "dat", + "name": "lastalive0.dat", + "path": "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\lastalive0.dat" + }, + "host": { + "name": "vagrant-2012-r2" + }, + "log": { + "level": "information" + }, + "process": { + "entity_id": "{42f11c3b-b2b6-5eb3-18ab-000000000000}", + "executable": "C:\\Windows\\System32\\svchost.exe", + "hash": { + "sha1": "115106f5b338c87ae6836d50dd890de3da296367" + }, + "name": "svchost.exe", + "pid": 776 + }, + "related": { + "hash": [ + "115106f5b338c87ae6836d50dd890de3da296367" + ], + "user": [ + "LOCAL SERVICE" + ] + }, + "sysmon": { + "file": { + "archived": true, + "is_executable": false + } + }, + "user": { + "domain": "NT AUTHORITY", + "id": "S-1-5-18", + "name": "LOCAL SERVICE" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2012-r2", + "event_id": "23", + "opcode": "Info", + "process": { + "pid": 664, + "thread": { + "id": 2360 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "11", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + }, + { + "@timestamp": "2020-05-12T06:48:27.084Z", + "ecs": { + "version": "1.12.0" + }, + "event": { + "category": [ + "file" + ], + "code": "23", + "ingested": "2022-06-08T05:43:59.441237800Z", + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "deletion" + ] + }, + "file": { + "directory": "C:\\Windows\\System32\\LogFiles\\Scm", + "name": "8b34f644-f627-47e7-98e0-957ba1c5eb6d", + "path": 
"C:\\Windows\\System32\\LogFiles\\Scm\\8b34f644-f627-47e7-98e0-957ba1c5eb6d" + }, + "host": { + "name": "vagrant-2012-r2" + }, + "log": { + "level": "information" + }, + "process": { + "entity_id": "{42f11c3b-4664-5eba-91ae-000000000000}", + "executable": "C:\\Windows\\system32\\svchost.exe", + "hash": { + "md5": "5a9bddf83be530b481f0fd24db28a6ff" + }, + "name": "svchost.exe", + "pid": 820 + }, + "related": { + "hash": [ + "5a9bddf83be530b481f0fd24db28a6ff" + ], + "user": [ + "SYSTEM" + ] + }, + "sysmon": { + "file": { + "archived": true, + "is_executable": false + } + }, + "user": { + "domain": "NT AUTHORITY", + "id": "S-1-5-18", + "name": "SYSTEM" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2012-r2", + "event_id": "23", + "opcode": "Info", + "process": { + "pid": 1188, + "thread": { + "id": 1600 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "2243", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + } +] \ No newline at end of file diff --git a/x-pack/winlogbeat/module/sysmon/test/testdata/ingest/sysmon-11-filedeletedetected.golden.json b/x-pack/winlogbeat/module/sysmon/test/testdata/ingest/sysmon-11-filedeletedetected.golden.json new file mode 100644 index 000000000000..7c3de49ee67e --- /dev/null +++ b/x-pack/winlogbeat/module/sysmon/test/testdata/ingest/sysmon-11-filedeletedetected.golden.json 
@@ -0,0 +1,164 @@ +[ + { + "@timestamp": "2022-01-24T05:12:34.328Z", + "ecs": { + "version": "1.12.0" + }, + "event": { + "category": [ + "file" + ], + "code": "26", + "ingested": "2022-06-08T05:43:59.469107800Z", + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "deletion" + ] + }, + "file": { + "directory": "C:\\Windows\\ServiceState\\EventLog\\Data", + "extension": "dat", + "name": "lastalive1.dat", + "path": "C:\\Windows\\ServiceState\\EventLog\\Data\\lastalive1.dat" + }, + "host": { + "name": "vagrant" + }, + "log": { + "level": "information" + }, + "process": { + "entity_id": "{63a74932-a2b4-61ee-1b00-000000000700}", + "executable": "C:\\Windows\\System32\\svchost.exe", + "hash": { + "sha256": "a94808e7c66973b122f66ec6611019c745a9602f8e944f53635cab58aef35a79" + }, + "name": "svchost.exe", + "pid": 1264 + }, + "related": { + "hash": [ + "a94808e7c66973b122f66ec6611019c745a9602f8e944f53635cab58aef35a79" + ], + "user": [ + "LOCAL SERVICE" + ] + }, + "sysmon": { + "file": { + "is_executable": false + } + }, + "user": { + "domain": "NT AUTHORITY", + "id": "S-1-5-18", + "name": "LOCAL SERVICE" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant", + "event_id": "26", + "opcode": "Info", + "process": { + "pid": 2764, + "thread": { + "id": 3792 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "456", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + }, + { + "@timestamp": "2022-01-24T05:12:51.031Z", + "ecs": { + "version": "1.12.0" + }, + "event": { + "category": [ + "file" + ], + "code": "26", + "ingested": "2022-06-08T05:43:59.469128600Z", + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "deletion" + ] + }, + "file": { + 
"directory": "C:\\ProgramData\\Microsoft\\Windows\\DeviceMetadataCache", + "extension": "000", + "name": "OLDCACHE.000", + "path": "C:\\ProgramData\\Microsoft\\Windows\\DeviceMetadataCache\\OLDCACHE.000" + }, + "host": { + "name": "vagrant" + }, + "log": { + "level": "information" + }, + "process": { + "entity_id": "{63a74932-3523-61ee-af00-000000000700}", + "executable": "C:\\Windows\\system32\\svchost.exe", + "hash": { + "sha256": "d78fbf654d84ddf2cb4fe221f7d8b61e0decdee48a4687915e6e4a2296e2418b" + }, + "name": "svchost.exe", + "pid": 1364 + }, + "related": { + "hash": [ + "d78fbf654d84ddf2cb4fe221f7d8b61e0decdee48a4687915e6e4a2296e2418b" + ], + "user": [ + "SYSTEM" + ] + }, + "sysmon": { + "file": { + "is_executable": false + } + }, + "user": { + "domain": "NT AUTHORITY", + "id": "S-1-5-18", + "name": "SYSTEM" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant", + "event_id": "26", + "opcode": "Info", + "process": { + "pid": 2764, + "thread": { + "id": 3792 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "457", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + } +] \ No newline at end of file diff --git a/x-pack/winlogbeat/module/sysmon/test/testdata/ingest/sysmon-11-registry.golden.json b/x-pack/winlogbeat/module/sysmon/test/testdata/ingest/sysmon-11-registry.golden.json new file mode 100644 index 000000000000..3202da160c89 --- /dev/null +++ b/x-pack/winlogbeat/module/sysmon/test/testdata/ingest/sysmon-11-registry.golden.json 
@@ -0,0 +1,367 @@ +[ + { + "@timestamp": "2020-05-05T14:57:40.589Z", + "ecs": { + "version": "1.12.0" + }, + "event": { + "category": [ + "configuration", + "registry" + ], + "code": "13", + "ingested": "2022-06-08T05:43:59.481703200Z", + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "change" + ] + }, + "host": { + "name": "vagrant" + }, + "log": { + "level": "information" + }, + "process": { + "entity_id": "{5b522f6e-77ae-5eb1-2c03-000000000800}", + "executable": "C:\\Windows\\regedit.exe", + "name": "regedit.exe", + "pid": 6072 + }, + "registry": { + "data": { + "strings": [ + "4" + ], + "type": "SZ_DWORD" + }, + "hive": "HKU", + "key": "S-1-5-21-1067164964-2079179834-2367582738-1000\\Software\\Key 1", + "path": "HKU\\S-1-5-21-1067164964-2079179834-2367582738-1000\\Software\\Key 1", + "value": "Key 1" + }, + "user": { + "id": "S-1-5-18" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant", + "event_data": { + "EventType": "SetValue" + }, + "event_id": "13", + "opcode": "Info", + "process": { + "pid": 5496, + "thread": { + "id": 876 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "2682", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 2 + } + }, + { + "@timestamp": "2020-05-05T14:57:44.714Z", + "ecs": { + "version": "1.12.0" + }, + "event": { + "category": [ + "configuration", + "registry" + ], + "code": "13", + "ingested": "2022-06-08T05:43:59.481743400Z", + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "change" + ] + }, + "host": { + "name": "vagrant" + }, + "log": { + "level": "information" + }, + "process": { + "entity_id": "{5b522f6e-7554-5eb1-6d00-000000000800}", + "executable": "C:\\Windows\\Explorer.EXE", + "name": 
"Explorer.EXE", + "pid": 4320 + }, + "registry": { + "data": { + "strings": [ + "Binary Data" + ], + "type": "REG_BINARY" + }, + "hive": "HKU", + "key": "S-1-5-21-1067164964-2079179834-2367582738-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\HRZR_PGYFRFFVBA", + "path": "HKU\\S-1-5-21-1067164964-2079179834-2367582738-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\HRZR_PGYFRFFVBA", + "value": "HRZR_PGYFRFFVBA" + }, + "user": { + "id": "S-1-5-18" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant", + "event_data": { + "EventType": "SetValue" + }, + "event_id": "13", + "opcode": "Info", + "process": { + "pid": 5496, + "thread": { + "id": 876 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "2686", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 2 + } + }, + { + "@timestamp": "2020-05-05T14:57:44.714Z", + "ecs": { + "version": "1.12.0" + }, + "event": { + "category": [ + "configuration", + "registry" + ], + "code": "13", + "ingested": "2022-06-08T05:43:59.481754200Z", + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "change" + ] + }, + "host": { + "name": "vagrant" + }, + "log": { + "level": "information" + }, + "process": { + "entity_id": "{5b522f6e-77ae-5eb1-2c03-000000000800}", + "executable": "C:\\Windows\\regedit.exe", + "name": "regedit.exe", + "pid": 6072 + }, + "registry": { + "data": { + "strings": [ + "5" + ], + "type": "SZ_QWORD" + }, + "hive": "HKU", + "key": "S-1-5-21-1067164964-2079179834-2367582738-1000\\Software\\Key 2", + "path": "HKU\\S-1-5-21-1067164964-2079179834-2367582738-1000\\Software\\Key 2", + "value": "Key 2" + 
}, + "user": { + "id": "S-1-5-18" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant", + "event_data": { + "EventType": "SetValue" + }, + "event_id": "13", + "opcode": "Info", + "process": { + "pid": 5496, + "thread": { + "id": 876 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "2687", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 2 + } + }, + { + "@timestamp": "2020-05-05T14:57:46.808Z", + "ecs": { + "version": "1.12.0" + }, + "event": { + "category": [ + "configuration", + "registry" + ], + "code": "13", + "ingested": "2022-06-08T05:43:59.481765Z", + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "change" + ] + }, + "host": { + "name": "vagrant" + }, + "log": { + "level": "information" + }, + "process": { + "entity_id": "{5b522f6e-7554-5eb1-6d00-000000000800}", + "executable": "C:\\Windows\\Explorer.EXE", + "name": "Explorer.EXE", + "pid": 4320 + }, + "registry": { + "data": { + "strings": [ + "Binary Data" + ], + "type": "REG_BINARY" + }, + "hive": "HKU", + "key": "S-1-5-21-1067164964-2079179834-2367582738-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\{S38OS404-1Q43-42S2-9305-67QR0O28SP23}\\ertrqvg.rkr", + "path": "HKU\\S-1-5-21-1067164964-2079179834-2367582738-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\{S38OS404-1Q43-42S2-9305-67QR0O28SP23}\\ertrqvg.rkr", + "value": "ertrqvg.rkr" + }, + "user": { + "id": "S-1-5-18" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant", + "event_data": { + "EventType": "SetValue" + }, + "event_id": "13", + "opcode": 
"Info", + "process": { + "pid": 5496, + "thread": { + "id": 876 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "2690", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 2 + } + }, + { + "@timestamp": "2020-05-05T14:57:46.808Z", + "ecs": { + "version": "1.12.0" + }, + "event": { + "category": [ + "configuration", + "registry" + ], + "code": "13", + "ingested": "2022-06-08T05:43:59.481866400Z", + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "change" + ] + }, + "host": { + "name": "vagrant" + }, + "log": { + "level": "information" + }, + "process": { + "entity_id": "{5b522f6e-7554-5eb1-6d00-000000000800}", + "executable": "C:\\Windows\\Explorer.EXE", + "name": "Explorer.EXE", + "pid": 4320 + }, + "registry": { + "data": { + "strings": [ + "Binary Data" + ], + "type": "REG_BINARY" + }, + "hive": "HKU", + "key": "S-1-5-21-1067164964-2079179834-2367582738-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\HRZR_PGYFRFFVBA", + "path": "HKU\\S-1-5-21-1067164964-2079179834-2367582738-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\HRZR_PGYFRFFVBA", + "value": "HRZR_PGYFRFFVBA" + }, + "user": { + "id": "S-1-5-18" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant", + "event_data": { + "EventType": "SetValue" + }, + "event_id": "13", + "opcode": "Info", + "process": { + "pid": 5496, + "thread": { + "id": 876 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "2691", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well 
Known Group" + }, + "version": 2 + } + } +] \ No newline at end of file diff --git a/x-pack/winlogbeat/module/sysmon/test/testdata/ingest/sysmon-12-loadimage.golden.json b/x-pack/winlogbeat/module/sysmon/test/testdata/ingest/sysmon-12-loadimage.golden.json new file mode 100644 index 000000000000..3bec5596d5c1 --- /dev/null +++ b/x-pack/winlogbeat/module/sysmon/test/testdata/ingest/sysmon-12-loadimage.golden.json 
@@ -0,0 +1,100 @@ +[ + { + "@timestamp": "2020-10-28T02:39:26.374Z", + "ecs": { + "version": "1.12.0" + }, + "event": { + "category": [ + "process" + ], + "code": "7", + "ingested": "2022-06-08T05:43:59.511582Z", + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "change" + ] + }, + "file": { + "code_signature": { + "status": "Valid", + "subject_name": "Microsoft Windows", + "valid": true + }, + "directory": "C:\\Windows\\System32", + "extension": "dll", + "hash": { + "md5": "c7c45610f644906e6f7d664ef2e45b08", + "sha1": "9955a1c071c44a7ceecc0d928a9cfb7f64cc3f93", + "sha256": "4808f1101f4e42387d8ddb7a355668bae3bf6f781c42d3bcd82e23446b1deb3e" + }, + "name": "IDStore.dll", + "path": "C:\\Windows\\System32\\IDStore.dll", + "pe": { + "company": "Microsoft Corporation", + "description": "Identity Store", + "file_version": "10.0.17763.1 (WinBuild.160101.0800)", + "imphash": "194f3797b52231028c718b6d776c6853", + "original_file_name": "IdStore.dll", + "product": "Microsoft® Windows® Operating System" + } + }, + "host": { + "name": "vagrant" + }, + "log": { + "level": "information" + }, + "process": { + "entity_id": "{9f32b55f-d9de-5f98-f006-000000000600}", + "executable": "C:\\Windows\\System32\\dllhost.exe", + "name": "dllhost.exe", + "pid": 5184 + }, + "related": { + "hash": [ + "4808f1101f4e42387d8ddb7a355668bae3bf6f781c42d3bcd82e23446b1deb3e", + "9955a1c071c44a7ceecc0d928a9cfb7f64cc3f93", + "c7c45610f644906e6f7d664ef2e45b08", + "194f3797b52231028c718b6d776c6853" + ] + }, + "user": { + "id": "S-1-5-18" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant", + "event_data": { + "Company": "Microsoft Corporation", + "Description": "Identity Store", + "FileVersion": "10.0.17763.1 (WinBuild.160101.0800)", + "Product": "Microsoft® Windows® Operating System", + "Signature": "Microsoft Windows", + "SignatureStatus": "Valid", + "Signed": "true" + }, + "event_id": 
"7", + "opcode": "Info", + "process": { + "pid": 1676, + "thread": { + "id": 4796 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "10685", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 3 + } + } +] \ No newline at end of file diff --git a/x-pack/winlogbeat/module/sysmon/test/testdata/ingest/sysmon-12-processcreate.golden.json b/x-pack/winlogbeat/module/sysmon/test/testdata/ingest/sysmon-12-processcreate.golden.json new file mode 100644 index 000000000000..7768f215d471 --- /dev/null +++ b/x-pack/winlogbeat/module/sysmon/test/testdata/ingest/sysmon-12-processcreate.golden.json 
@@ -0,0 +1,106 @@ +[ + { + "@timestamp": "2020-10-27T20:00:14.320Z", + "ecs": { + "version": "1.12.0" + }, + "event": { + "category": [ + "process" + ], + "code": "1", + "ingested": "2022-06-08T05:43:59.519128600Z", + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "start" + ] + }, + "host": { + "name": "vagrant" + }, + "log": { + "level": "information" + }, + "process": { + "args": [ + "C:\\Windows\\system32\\notepad.exe" + ], + "args_count": 1, + "command_line": "\"C:\\Windows\\system32\\notepad.exe\" ", + "entity_id": "{9f32b55f-7c4e-5f98-5803-000000000500}", + "executable": "C:\\Windows\\System32\\notepad.exe", + "hash": { + "sha1": "b6d237154f2e528f0b503b58b025862d66b02b73" + }, + "name": "notepad.exe", + "parent": { + "args": [ + "C:\\Windows\\Explorer.EXE" + ], + "args_count": 1, + "command_line": "C:\\Windows\\Explorer.EXE", + "entity_id": "{9f32b55f-6fdf-5f98-7000-000000000500}", + "executable": "C:\\Windows\\explorer.exe", + "name": "explorer.exe", + "pid": 4212 + }, + "pe": { + "company": "Microsoft Corporation", + "description": "Notepad", + "file_version": "10.0.17763.475 (WinBuild.160101.0800)", + "original_file_name": "NOTEPAD.EXE", + "product": "Microsoft® Windows® Operating System" + }, + "pid": 3616, + "working_directory": "C:\\Users\\vagrant\\" + }, + "related": { + "hash": [ + "b6d237154f2e528f0b503b58b025862d66b02b73" + ], + "user": [ + "vagrant" + ] + }, + "user": { + "domain": "VAGRANT", + "id": "S-1-5-18", + "name": "vagrant" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant", + "event_data": { + "Company": "Microsoft Corporation", + "Description": "Notepad", + "FileVersion": "10.0.17763.475 (WinBuild.160101.0800)", + "IntegrityLevel": "Medium", + "LogonGuid": "{9f32b55f-6fdd-5f98-e7c9-020000000000}", + "LogonId": "0x2c9e7", + "Product": "Microsoft® Windows® Operating System", + "TerminalSessionId": "1" + }, + "event_id": 
"1", + "opcode": "Info", + "process": { + "pid": 7144, + "thread": { + "id": 6876 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "20", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + } +] \ No newline at end of file diff --git a/x-pack/winlogbeat/module/sysmon/test/testdata/ingest/sysmon-13-clipboardchange.golden.json b/x-pack/winlogbeat/module/sysmon/test/testdata/ingest/sysmon-13-clipboardchange.golden.json new file mode 100644 index 000000000000..b8bf9c88b0db --- /dev/null +++ b/x-pack/winlogbeat/module/sysmon/test/testdata/ingest/sysmon-13-clipboardchange.golden.json 
@@ -0,0 +1,73 @@ +[ + { + "@timestamp": "2021-02-25T15:04:48.592Z", + "ecs": { + "version": "1.12.0" + }, + "event": { + "code": "24", + "ingested": "2022-06-08T05:43:59.529777700Z", + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "change" + ] + }, + "host": { + "name": "DESKTOP-I9CQVAQ" + }, + "log": { + "level": "information" + }, + "process": { + "entity_id": "{9497d8d9-aa1b-602f-a600-000000001000}", + "executable": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", + "hash": { + "sha256": "7adb1cf1a75973079c055f929573ae92557a8c0e5b0e38a6a5427e412fb73d59" + }, + "name": "vmtoolsd.exe", + "pid": 2144 + }, + "related": { + "hash": [ + "7adb1cf1a75973079c055f929573ae92557a8c0e5b0e38a6a5427e412fb73d59" + ] + }, + "sysmon": { + "file": { + "archived": true + } + }, + "user": { + "id": "S-1-5-18" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "DESKTOP-I9CQVAQ", + "event_data": { + "ClientInfo": "user: DESKTOP-I9CQVAQ\\luks", + "Session": "1" + }, + "event_id": "24", + "opcode": "Info", + "process": { + "pid": 3800, + "thread": { + "id": 6444 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "10757412", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + } +] \ No newline at end of file diff --git a/x-pack/winlogbeat/module/sysmon/test/testdata/ingest/sysmon-13-processtampering.golden.json b/x-pack/winlogbeat/module/sysmon/test/testdata/ingest/sysmon-13-processtampering.golden.json new file mode 100644 index 000000000000..039fa1ab72ae --- /dev/null +++ b/x-pack/winlogbeat/module/sysmon/test/testdata/ingest/sysmon-13-processtampering.golden.json 
@@ -0,0 +1,60 @@ +[ + { + "@timestamp": "2021-02-25T14:43:23.550Z", + "ecs": { + "version": "1.12.0" + }, + "event": { + "category": [ + "process" + ], + "code": "25", + "ingested": "2022-06-08T05:43:59.536869500Z", + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "change" + ] + }, + "host": { + "name": "DESKTOP-I9CQVAQ" + }, + "log": { + "level": "information" + }, + "message": "Image is replaced", + "process": { + "entity_id": "{9497d8d9-b78b-6037-6f13-000000001000}", + "executable": "C:\\Program Files\\Git\\mingw64\\libexec\\git-core\\git.exe", + "name": "git.exe", + "pid": 2628 + }, + "user": { + "id": "S-1-5-18" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "DESKTOP-I9CQVAQ", + "event_id": "25", + "opcode": "Info", + "process": { + "pid": 3800, + "thread": { + "id": 5080 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "10737797", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + } +] \ No newline at end of file diff --git a/x-pack/winlogbeat/module/sysmon/test/testdata/ingest/sysmon-9.01.golden.json b/x-pack/winlogbeat/module/sysmon/test/testdata/ingest/sysmon-9.01.golden.json new file mode 100644 index 000000000000..b7f7a5b55955 --- /dev/null +++ b/x-pack/winlogbeat/module/sysmon/test/testdata/ingest/sysmon-9.01.golden.json 
@@ -0,0 +1,2473 @@ +[ + { + "@timestamp": "2019-03-18T16:57:37.933Z", + "ecs": { + "version": "1.12.0" + }, + "event": { + "category": [ + "configuration" + ], + "code": "16", + "ingested": "2022-06-08T05:43:59.545036400Z", + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "change" + ] + }, + "host": { + "name": "vagrant-2012-r2" + }, + "log": { + "level": "information" + }, + "user": { + "id": "S-1-5-21-3541430928-2051711210-1391384369-1001" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2012-r2", + "event_data": { + "Configuration": "C:\\Users\\vagrant\\Downloads\\\"C:\\Users\\vagrant\\Downloads\\Sysmon.exe\" -i -n" + }, + "event_id": "16", + "opcode": "Info", + "process": { + "pid": 4616, + "thread": { + "id": 4724 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "1", + "user": { + "identifier": "S-1-5-21-3541430928-2051711210-1391384369-1001" + }, + "version": 3 + } + }, + { + "@timestamp": "2019-03-18T16:57:38.011Z", + "ecs": { + "version": "1.12.0" + }, + "event": { + "category": [ + "process" + ], + "code": "4", + "ingested": "2022-06-08T05:43:59.545055Z", + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "change" + ] + }, + "host": { + "name": "vagrant-2012-r2" + }, + "log": { + "level": "information" + }, + "user": { + "id": "S-1-5-18" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2012-r2", + "event_data": { + "SchemaVersion": "4.20", + "State": "Started", + "Version": "9.01" + }, + "event_id": "4", + "opcode": "Info", + "process": { + "pid": 4860, + "thread": { + "id": 4516 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "2", + "user": { + 
"domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 3 + } + }, + { + "@timestamp": "2019-03-18T16:57:37.949Z", + "ecs": { + "version": "1.12.0" + }, + "event": { + "category": [ + "process" + ], + "code": "1", + "ingested": "2022-06-08T05:43:59.545067Z", + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "start" + ] + }, + "host": { + "name": "vagrant-2012-r2" + }, + "log": { + "level": "information" + }, + "process": { + "args": [ + "C:\\Windows\\Sysmon.exe" + ], + "args_count": 1, + "command_line": "C:\\Windows\\Sysmon.exe", + "entity_id": "{42f11c3b-ce01-5c8f-0000-0010c73e2a00}", + "executable": "C:\\Windows\\Sysmon.exe", + "hash": { + "sha1": "ac93c3b38e57a2715572933dbcb2a1c2892dbc5e" + }, + "name": "Sysmon.exe", + "parent": { + "args": [ + "C:\\Windows\\system32\\services.exe" + ], + "args_count": 1, + "command_line": "C:\\Windows\\system32\\services.exe", + "entity_id": "{42f11c3b-6e1a-5c8c-0000-0010f14d0000}", + "executable": "C:\\Windows\\System32\\services.exe", + "name": "services.exe", + "pid": 488 + }, + "pe": { + "company": "Sysinternals - www.sysinternals.com", + "description": "System activity monitor", + "file_version": "9.01", + "product": "Sysinternals Sysmon" + }, + "pid": 4860, + "working_directory": "C:\\Windows\\system32\\" + }, + "related": { + "hash": [ + "ac93c3b38e57a2715572933dbcb2a1c2892dbc5e" + ], + "user": [ + "SYSTEM" + ] + }, + "user": { + "domain": "NT AUTHORITY", + "id": "S-1-5-18", + "name": "SYSTEM" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2012-r2", + "event_data": { + "Company": "Sysinternals - www.sysinternals.com", + "Description": "System activity monitor", + "FileVersion": "9.01", + "IntegrityLevel": "System", + "LogonGuid": "{42f11c3b-6e1a-5c8c-0000-0020e7030000}", + "LogonId": "0x3e7", + "Product": "Sysinternals Sysmon", + 
"TerminalSessionId": "0" + }, + "event_id": "1", + "opcode": "Info", + "process": { + "pid": 4860, + "thread": { + "id": 4516 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "3", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-03-18T16:57:37.964Z", + "ecs": { + "version": "1.12.0" + }, + "event": { + "category": [ + "process" + ], + "code": "1", + "ingested": "2022-06-08T05:43:59.545078400Z", + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "start" + ] + }, + "host": { + "name": "vagrant-2012-r2" + }, + "log": { + "level": "information" + }, + "process": { + "args": [ + "C:\\Windows\\system32\\wbem\\unsecapp.exe", + "-Embedding" + ], + "args_count": 2, + "command_line": "C:\\Windows\\system32\\wbem\\unsecapp.exe -Embedding", + "entity_id": "{42f11c3b-ce01-5c8f-0000-00102c412a00}", + "executable": "C:\\Windows\\System32\\wbem\\unsecapp.exe", + "hash": { + "sha1": "6df8163a6320b80b60733f9d62e2f39b4b16b678" + }, + "name": "unsecapp.exe", + "parent": { + "args": [ + "C:\\Windows\\system32\\svchost.exe", + "-k", + "DcomLaunch" + ], + "args_count": 3, + "command_line": "C:\\Windows\\system32\\svchost.exe -k DcomLaunch", + "entity_id": "{42f11c3b-6e1b-5c8c-0000-00102f610000}", + "executable": "C:\\Windows\\System32\\svchost.exe", + "name": "svchost.exe", + "pid": 560 + }, + "pe": { + "company": "Microsoft Corporation", + "description": "Sink to receive asynchronous callbacks for WMI client application", + "file_version": "6.3.9600.16384 (winblue_rtm.130821-1623)", + "product": "Microsoft® Windows® Operating System" + }, + "pid": 5028, + "working_directory": "C:\\Windows\\system32\\" + }, + "related": { + "hash": [ + "6df8163a6320b80b60733f9d62e2f39b4b16b678" + ], + "user": [ + "SYSTEM" + ] + }, + "user": { + "domain": 
"NT AUTHORITY", + "id": "S-1-5-18", + "name": "SYSTEM" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2012-r2", + "event_data": { + "Company": "Microsoft Corporation", + "Description": "Sink to receive asynchronous callbacks for WMI client application", + "FileVersion": "6.3.9600.16384 (winblue_rtm.130821-1623)", + "IntegrityLevel": "System", + "LogonGuid": "{42f11c3b-6e1a-5c8c-0000-0020e7030000}", + "LogonId": "0x3e7", + "Product": "Microsoft® Windows® Operating System", + "TerminalSessionId": "0" + }, + "event_id": "1", + "opcode": "Info", + "process": { + "pid": 4860, + "thread": { + "id": 4516 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "4", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-03-18T16:57:38.981Z", + "ecs": { + "version": "1.12.0" + }, + "event": { + "category": [ + "process" + ], + "code": "5", + "ingested": "2022-06-08T05:43:59.545089900Z", + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "end" + ] + }, + "host": { + "name": "vagrant-2012-r2" + }, + "log": { + "level": "information" + }, + "process": { + "entity_id": "{42f11c3b-cdf4-5c8f-0000-0010e61e2a00}", + "executable": "C:\\Users\\vagrant\\AppData\\Local\\Temp\\Sysmon.exe", + "name": "Sysmon.exe", + "pid": 4616 + }, + "user": { + "id": "S-1-5-18" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2012-r2", + "event_id": "5", + "opcode": "Info", + "process": { + "pid": 4860, + "thread": { + "id": 4516 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "5", + "user": { + "domain": "NT AUTHORITY", + "identifier": 
"S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 3 + } + }, + { + "@timestamp": "2019-03-18T16:57:38.981Z", + "ecs": { + "version": "1.12.0" + }, + "event": { + "category": [ + "process" + ], + "code": "5", + "ingested": "2022-06-08T05:43:59.545101100Z", + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "end" + ] + }, + "host": { + "name": "vagrant-2012-r2" + }, + "log": { + "level": "information" + }, + "process": { + "entity_id": "{42f11c3b-cdf4-5c8f-0000-0010071e2a00}", + "executable": "C:\\Users\\vagrant\\Downloads\\Sysmon.exe", + "name": "Sysmon.exe", + "pid": 4648 + }, + "user": { + "id": "S-1-5-18" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2012-r2", + "event_id": "5", + "opcode": "Info", + "process": { + "pid": 4860, + "thread": { + "id": 4516 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "6", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 3 + } + }, + { + "@timestamp": "2019-03-18T16:57:39.012Z", + "ecs": { + "version": "1.12.0" + }, + "event": { + "category": [ + "process" + ], + "code": "1", + "ingested": "2022-06-08T05:43:59.545112500Z", + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "start" + ] + }, + "host": { + "name": "vagrant-2012-r2" + }, + "log": { + "level": "information" + }, + "process": { + "args": [ + "C:\\Windows\\system32\\wbem\\wmiprvse.exe", + "-Embedding" + ], + "args_count": 2, + "command_line": "C:\\Windows\\system32\\wbem\\wmiprvse.exe -Embedding", + "entity_id": "{42f11c3b-ce03-5c8f-0000-0010e9462a00}", + "executable": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", + "hash": { + "sha1": "5a4c0e82ff95c9fb762d46a696ef9f1b68001c21" + }, + "name": "WmiPrvSE.exe", 
+ "parent": { + "args": [ + "C:\\Windows\\system32\\svchost.exe", + "-k", + "DcomLaunch" + ], + "args_count": 3, + "command_line": "C:\\Windows\\system32\\svchost.exe -k DcomLaunch", + "entity_id": "{42f11c3b-6e1b-5c8c-0000-00102f610000}", + "executable": "C:\\Windows\\System32\\svchost.exe", + "name": "svchost.exe", + "pid": 560 + }, + "pe": { + "company": "Microsoft Corporation", + "description": "WMI Provider Host", + "file_version": "6.3.9600.16384 (winblue_rtm.130821-1623)", + "product": "Microsoft® Windows® Operating System" + }, + "pid": 4508, + "working_directory": "C:\\Windows\\system32\\" + }, + "related": { + "hash": [ + "5a4c0e82ff95c9fb762d46a696ef9f1b68001c21" + ], + "user": [ + "SYSTEM" + ] + }, + "user": { + "domain": "NT AUTHORITY", + "id": "S-1-5-18", + "name": "SYSTEM" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2012-r2", + "event_data": { + "Company": "Microsoft Corporation", + "Description": "WMI Provider Host", + "FileVersion": "6.3.9600.16384 (winblue_rtm.130821-1623)", + "IntegrityLevel": "System", + "LogonGuid": "{42f11c3b-6e1a-5c8c-0000-0020e7030000}", + "LogonId": "0x3e7", + "Product": "Microsoft® Windows® Operating System", + "TerminalSessionId": "0" + }, + "event_id": "1", + "opcode": "Info", + "process": { + "pid": 4860, + "thread": { + "id": 4516 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "7", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-03-18T16:57:47.847Z", + "destination": { + "ip": "a00:203:3000:3000:3000:3000:3000:3300", + "port": 53 + }, + "ecs": { + "version": "1.12.0" + }, + "event": { + "category": [ + "network" + ], + "code": "3", + "ingested": "2022-06-08T05:43:59.545123700Z", + "kind": "event", + "module": "sysmon", + "provider": 
"Microsoft-Windows-Sysmon", + "type": [ + "start", + "connection", + "protocol" + ] + }, + "host": { + "name": "vagrant-2012-r2" + }, + "log": { + "level": "information" + }, + "network": { + "community_id": "1:EQDBfI6vAylArTBQHY8kNmaweOA=", + "direction": "egress", + "protocol": "domain", + "transport": "udp", + "type": "ipv6" + }, + "process": { + "entity_id": "{42f11c3b-0bad-5c8c-0000-0010dfbc0000}", + "executable": "C:\\Windows\\System32\\svchost.exe", + "name": "svchost.exe", + "pid": 924 + }, + "related": { + "ip": [ + "a00:20f:0:0:18a2:6e00:e0:ffff", + "a00:203:3000:3000:3000:3000:3000:3300" + ], + "user": [ + "NETWORK SERVICE" + ] + }, + "source": { + "ip": "a00:20f:0:0:18a2:6e00:e0:ffff", + "port": 62141 + }, + "user": { + "domain": "NT AUTHORITY", + "id": "S-1-5-18", + "name": "NETWORK SERVICE" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2012-r2", + "event_id": "3", + "opcode": "Info", + "process": { + "pid": 4860, + "thread": { + "id": 4492 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "8", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-03-18T16:57:48.070Z", + "destination": { + "ip": "10.0.2.3", + "port": 53 + }, + "ecs": { + "version": "1.12.0" + }, + "event": { + "category": [ + "network" + ], + "code": "3", + "ingested": "2022-06-08T05:43:59.545135100Z", + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "start", + "connection", + "protocol" + ] + }, + "host": { + "name": "vagrant-2012-r2" + }, + "log": { + "level": "information" + }, + "network": { + "community_id": "1:TXczQujzvcGYSvZ/CKEBu1p2riE=", + "direction": "ingress", + "protocol": "domain", + "transport": "udp", + "type": "ipv4" + }, + "process": { + 
"entity_id": "{42f11c3b-0bad-5c8c-0000-0010dfbc0000}", + "executable": "C:\\Windows\\System32\\svchost.exe", + "name": "svchost.exe", + "pid": 924 + }, + "related": { + "ip": [ + "10.0.2.15", + "10.0.2.3" + ], + "user": [ + "NETWORK SERVICE" + ] + }, + "source": { + "domain": "vagrant-2012-r2.local.crowbird.com", + "ip": "10.0.2.15", + "port": 62141 + }, + "user": { + "domain": "NT AUTHORITY", + "id": "S-1-5-18", + "name": "NETWORK SERVICE" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2012-r2", + "event_id": "3", + "opcode": "Info", + "process": { + "pid": 4860, + "thread": { + "id": 4492 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "9", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-03-18T16:57:48.148Z", + "destination": { + "ip": "40.77.226.250", + "port": 443 + }, + "ecs": { + "version": "1.12.0" + }, + "event": { + "category": [ + "network" + ], + "code": "3", + "ingested": "2022-06-08T05:43:59.545143100Z", + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "start", + "connection", + "protocol" + ] + }, + "host": { + "name": "vagrant-2012-r2" + }, + "log": { + "level": "information" + }, + "network": { + "community_id": "1:W2ZbP8nXMY+YAGYw2h/3Sa8Gu/w=", + "direction": "egress", + "protocol": "https", + "transport": "tcp", + "type": "ipv4" + }, + "process": { + "entity_id": "{42f11c3b-ccaa-5c8f-0000-0010b4e22700}", + "executable": "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe", + "name": "chrome.exe", + "pid": 1600 + }, + "related": { + "ip": [ + "10.0.2.15", + "40.77.226.250" + ], + "user": [ + "vagrant" + ] + }, + "source": { + "domain": "vagrant-2012-r2.local.crowbird.com", + "ip": "10.0.2.15", + "port": 1138 
+ }, + "user": { + "domain": "VAGRANT-2012-R2", + "id": "S-1-5-18", + "name": "vagrant" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2012-r2", + "event_id": "3", + "opcode": "Info", + "process": { + "pid": 4860, + "thread": { + "id": 4492 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "10", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-03-18T16:57:48.214Z", + "destination": { + "ip": "40.77.226.250", + "port": 443 + }, + "ecs": { + "version": "1.12.0" + }, + "event": { + "category": [ + "network" + ], + "code": "3", + "ingested": "2022-06-08T05:43:59.545149Z", + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "start", + "connection", + "protocol" + ] + }, + "host": { + "name": "vagrant-2012-r2" + }, + "log": { + "level": "information" + }, + "network": { + "community_id": "1:5MsyqYltV9KkhIFGPWiByzQqHDo=", + "direction": "egress", + "protocol": "https", + "transport": "tcp", + "type": "ipv4" + }, + "process": { + "entity_id": "{42f11c3b-ccaa-5c8f-0000-0010b4e22700}", + "executable": "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe", + "name": "chrome.exe", + "pid": 1600 + }, + "related": { + "ip": [ + "10.0.2.15", + "40.77.226.250" + ], + "user": [ + "vagrant" + ] + }, + "source": { + "domain": "vagrant-2012-r2.local.crowbird.com", + "ip": "10.0.2.15", + "port": 1139 + }, + "user": { + "domain": "VAGRANT-2012-R2", + "id": "S-1-5-18", + "name": "vagrant" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2012-r2", + "event_id": "3", + "opcode": "Info", + "process": { + "pid": 4860, + "thread": { + "id": 4492 + } + }, + "provider_guid": 
"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "11", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-03-18T16:57:48.250Z", + "destination": { + "ip": "10.0.2.255", + "port": 137 + }, + "ecs": { + "version": "1.12.0" + }, + "event": { + "category": [ + "network" + ], + "code": "3", + "ingested": "2022-06-08T05:43:59.545153600Z", + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "start", + "connection", + "protocol" + ] + }, + "host": { + "name": "vagrant-2012-r2" + }, + "log": { + "level": "information" + }, + "network": { + "community_id": "1:0p51df9oGzNph3fcneX2H8jXsag=", + "direction": "egress", + "protocol": "netbios-ns", + "transport": "udp", + "type": "ipv4" + }, + "process": { + "entity_id": "{42f11c3b-6e19-5c8c-0000-0010eb030000}", + "executable": "System", + "pid": 4 + }, + "related": { + "ip": [ + "10.0.2.15", + "10.0.2.255" + ], + "user": [ + "SYSTEM" + ] + }, + "source": { + "domain": "vagrant-2012-r2.local.crowbird.com", + "ip": "10.0.2.15", + "port": 137 + }, + "user": { + "domain": "NT AUTHORITY", + "id": "S-1-5-18", + "name": "SYSTEM" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2012-r2", + "event_id": "3", + "opcode": "Info", + "process": { + "pid": 4860, + "thread": { + "id": 4492 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "12", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-03-18T16:57:48.250Z", + "destination": { + "domain": "vagrant-2012-r2.local.crowbird.com", + "ip": "10.0.2.15", + "port": 137 + }, + "ecs": { + "version": "1.12.0" + 
}, + "event": { + "category": [ + "network" + ], + "code": "3", + "ingested": "2022-06-08T05:43:59.545160600Z", + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "start", + "connection", + "protocol" + ] + }, + "host": { + "name": "vagrant-2012-r2" + }, + "log": { + "level": "information" + }, + "network": { + "community_id": "1:0p51df9oGzNph3fcneX2H8jXsag=", + "direction": "ingress", + "protocol": "netbios-ns", + "transport": "udp", + "type": "ipv4" + }, + "process": { + "entity_id": "{42f11c3b-6e19-5c8c-0000-0010eb030000}", + "executable": "System", + "pid": 4 + }, + "related": { + "ip": [ + "10.0.2.255", + "10.0.2.15" + ], + "user": [ + "SYSTEM" + ] + }, + "source": { + "ip": "10.0.2.255", + "port": 137 + }, + "user": { + "domain": "NT AUTHORITY", + "id": "S-1-5-18", + "name": "SYSTEM" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2012-r2", + "event_id": "3", + "opcode": "Info", + "process": { + "pid": 4860, + "thread": { + "id": 4492 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "13", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-03-18T16:57:48.250Z", + "destination": { + "ip": "ff02:0:0:0:0:0:1:3", + "port": 5355 + }, + "ecs": { + "version": "1.12.0" + }, + "event": { + "category": [ + "network" + ], + "code": "3", + "ingested": "2022-06-08T05:43:59.545170500Z", + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "start", + "connection", + "protocol" + ] + }, + "host": { + "name": "vagrant-2012-r2" + }, + "log": { + "level": "information" + }, + "network": { + "community_id": "1:4DSgubObvMEI9IKNWPDqltrux+k=", + "direction": "egress", + "protocol": "llmnr", + "transport": "udp", + 
"type": "ipv6" + }, + "process": { + "entity_id": "{42f11c3b-0bad-5c8c-0000-0010dfbc0000}", + "executable": "C:\\Windows\\System32\\svchost.exe", + "name": "svchost.exe", + "pid": 924 + }, + "related": { + "ip": [ + "fe80:0:0:0:e488:b85c:5262:ff86", + "ff02:0:0:0:0:0:1:3" + ], + "user": [ + "NETWORK SERVICE" + ] + }, + "source": { + "domain": "vagrant-2012-r2.local.crowbird.com", + "ip": "fe80:0:0:0:e488:b85c:5262:ff86", + "port": 55542 + }, + "user": { + "domain": "NT AUTHORITY", + "id": "S-1-5-18", + "name": "NETWORK SERVICE" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2012-r2", + "event_id": "3", + "opcode": "Info", + "process": { + "pid": 4860, + "thread": { + "id": 4492 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "14", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-03-18T16:57:48.250Z", + "destination": { + "ip": "e000:fc:4300:6800:7200:6f00:6d00:6500", + "port": 5355 + }, + "ecs": { + "version": "1.12.0" + }, + "event": { + "category": [ + "network" + ], + "code": "3", + "ingested": "2022-06-08T05:43:59.545180100Z", + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "start", + "connection", + "protocol" + ] + }, + "host": { + "name": "vagrant-2012-r2" + }, + "log": { + "level": "information" + }, + "network": { + "community_id": "1:sejGGvgk92xTvKdzlFitndKqdWw=", + "direction": "egress", + "protocol": "llmnr", + "transport": "udp", + "type": "ipv6" + }, + "process": { + "entity_id": "{42f11c3b-0bad-5c8c-0000-0010dfbc0000}", + "executable": "C:\\Windows\\System32\\svchost.exe", + "name": "svchost.exe", + "pid": 924 + }, + "related": { + "ip": [ + "a00:20f:0:0:18a2:6e00:e0:ffff", + "e000:fc:4300:6800:7200:6f00:6d00:6500" + ], + 
"user": [ + "NETWORK SERVICE" + ] + }, + "source": { + "ip": "a00:20f:0:0:18a2:6e00:e0:ffff", + "port": 55542 + }, + "user": { + "domain": "NT AUTHORITY", + "id": "S-1-5-18", + "name": "NETWORK SERVICE" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2012-r2", + "event_id": "3", + "opcode": "Info", + "process": { + "pid": 4860, + "thread": { + "id": 4492 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "15", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-03-18T16:57:48.250Z", + "destination": { + "ip": "169.254.255.255", + "port": 137 + }, + "ecs": { + "version": "1.12.0" + }, + "event": { + "category": [ + "network" + ], + "code": "3", + "ingested": "2022-06-08T05:43:59.545191700Z", + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "start", + "connection", + "protocol" + ] + }, + "host": { + "name": "vagrant-2012-r2" + }, + "log": { + "level": "information" + }, + "network": { + "community_id": "1:yP71IXofOTWmF1LG760//yXa4Rk=", + "direction": "egress", + "protocol": "netbios-ns", + "transport": "udp", + "type": "ipv4" + }, + "process": { + "entity_id": "{42f11c3b-6e19-5c8c-0000-0010eb030000}", + "executable": "System", + "pid": 4 + }, + "related": { + "ip": [ + "169.254.180.25", + "169.254.255.255" + ], + "user": [ + "SYSTEM" + ] + }, + "source": { + "ip": "169.254.180.25", + "port": 137 + }, + "user": { + "domain": "NT AUTHORITY", + "id": "S-1-5-18", + "name": "SYSTEM" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2012-r2", + "event_id": "3", + "opcode": "Info", + "process": { + "pid": 4860, + "thread": { + "id": 4492 + } + }, + "provider_guid": 
"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "16", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-03-18T16:57:48.251Z", + "destination": { + "ip": "169.254.180.25", + "port": 137 + }, + "ecs": { + "version": "1.12.0" + }, + "event": { + "category": [ + "network" + ], + "code": "3", + "ingested": "2022-06-08T05:43:59.545202500Z", + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "start", + "connection", + "protocol" + ] + }, + "host": { + "name": "vagrant-2012-r2" + }, + "log": { + "level": "information" + }, + "network": { + "community_id": "1:yP71IXofOTWmF1LG760//yXa4Rk=", + "direction": "ingress", + "protocol": "netbios-ns", + "transport": "udp", + "type": "ipv4" + }, + "process": { + "entity_id": "{42f11c3b-6e19-5c8c-0000-0010eb030000}", + "executable": "System", + "pid": 4 + }, + "related": { + "ip": [ + "169.254.255.255", + "169.254.180.25" + ], + "user": [ + "SYSTEM" + ] + }, + "source": { + "ip": "169.254.255.255", + "port": 137 + }, + "user": { + "domain": "NT AUTHORITY", + "id": "S-1-5-18", + "name": "SYSTEM" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2012-r2", + "event_id": "3", + "opcode": "Info", + "process": { + "pid": 4860, + "thread": { + "id": 4492 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "17", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-03-18T16:57:48.251Z", + "destination": { + "ip": "ff02:0:0:0:0:0:1:3", + "port": 5355 + }, + "ecs": { + "version": "1.12.0" + }, + "event": { + "category": [ + "network" + ], + "code": "3", + 
"ingested": "2022-06-08T05:43:59.545207800Z", + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "start", + "connection", + "protocol" + ] + }, + "host": { + "name": "vagrant-2012-r2" + }, + "log": { + "level": "information" + }, + "network": { + "community_id": "1:Zt/ImHlMNf4MciHXlRDkivgw2jY=", + "direction": "egress", + "protocol": "llmnr", + "transport": "udp", + "type": "ipv6" + }, + "process": { + "entity_id": "{42f11c3b-0bad-5c8c-0000-0010dfbc0000}", + "executable": "C:\\Windows\\System32\\svchost.exe", + "name": "svchost.exe", + "pid": 924 + }, + "related": { + "ip": [ + "fe80:0:0:0:616f:32fa:b04f:b419", + "ff02:0:0:0:0:0:1:3" + ], + "user": [ + "NETWORK SERVICE" + ] + }, + "source": { + "ip": "fe80:0:0:0:616f:32fa:b04f:b419", + "port": 55717 + }, + "user": { + "domain": "NT AUTHORITY", + "id": "S-1-5-18", + "name": "NETWORK SERVICE" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2012-r2", + "event_id": "3", + "opcode": "Info", + "process": { + "pid": 4860, + "thread": { + "id": 4492 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "18", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-03-18T16:57:48.251Z", + "destination": { + "ip": "e000:fc:0:0:0:0:0:0", + "port": 5355 + }, + "ecs": { + "version": "1.12.0" + }, + "event": { + "category": [ + "network" + ], + "code": "3", + "ingested": "2022-06-08T05:43:59.545212500Z", + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "start", + "connection", + "protocol" + ] + }, + "host": { + "name": "vagrant-2012-r2" + }, + "log": { + "level": "information" + }, + "network": { + "community_id": "1:SHkoHfPFDYWai8qQBwIiRxvCPZw=", + "direction": "egress", 
+ "protocol": "llmnr", + "transport": "udp", + "type": "ipv6" + }, + "process": { + "entity_id": "{42f11c3b-0bad-5c8c-0000-0010dfbc0000}", + "executable": "C:\\Windows\\System32\\svchost.exe", + "name": "svchost.exe", + "pid": 924 + }, + "related": { + "ip": [ + "a9fe:b419:0:0:f880:2301:e0:ffff", + "e000:fc:0:0:0:0:0:0" + ], + "user": [ + "NETWORK SERVICE" + ] + }, + "source": { + "ip": "a9fe:b419:0:0:f880:2301:e0:ffff", + "port": 55717 + }, + "user": { + "domain": "NT AUTHORITY", + "id": "S-1-5-18", + "name": "NETWORK SERVICE" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2012-r2", + "event_id": "3", + "opcode": "Info", + "process": { + "pid": 4860, + "thread": { + "id": 4492 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "19", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-03-18T16:57:48.264Z", + "destination": { + "ip": "40.77.226.250", + "port": 137 + }, + "ecs": { + "version": "1.12.0" + }, + "event": { + "category": [ + "network" + ], + "code": "3", + "ingested": "2022-06-08T05:43:59.545217900Z", + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "start", + "connection", + "protocol" + ] + }, + "host": { + "name": "vagrant-2012-r2" + }, + "log": { + "level": "information" + }, + "network": { + "community_id": "1:DI+g4BImhWaUwPmLEjdMMQVYPLs=", + "direction": "egress", + "protocol": "netbios-ns", + "transport": "udp", + "type": "ipv4" + }, + "process": { + "entity_id": "{42f11c3b-6e19-5c8c-0000-0010eb030000}", + "executable": "System", + "pid": 4 + }, + "related": { + "ip": [ + "10.0.2.15", + "40.77.226.250" + ], + "user": [ + "SYSTEM" + ] + }, + "source": { + "domain": "vagrant-2012-r2.local.crowbird.com", + "ip": "10.0.2.15", + 
"port": 137 + }, + "user": { + "domain": "NT AUTHORITY", + "id": "S-1-5-18", + "name": "SYSTEM" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2012-r2", + "event_id": "3", + "opcode": "Info", + "process": { + "pid": 4860, + "thread": { + "id": 4492 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "20", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-03-18T16:57:48.276Z", + "destination": { + "ip": "10.0.2.3", + "port": 137 + }, + "ecs": { + "version": "1.12.0" + }, + "event": { + "category": [ + "network" + ], + "code": "3", + "ingested": "2022-06-08T05:43:59.545228Z", + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "start", + "connection", + "protocol" + ] + }, + "host": { + "name": "vagrant-2012-r2" + }, + "log": { + "level": "information" + }, + "network": { + "community_id": "1:okFVyky/zOY2Q0BATy37YsbiveA=", + "direction": "egress", + "protocol": "netbios-ns", + "transport": "udp", + "type": "ipv4" + }, + "process": { + "entity_id": "{42f11c3b-6e19-5c8c-0000-0010eb030000}", + "executable": "System", + "pid": 4 + }, + "related": { + "ip": [ + "10.0.2.15", + "10.0.2.3" + ], + "user": [ + "SYSTEM" + ] + }, + "source": { + "domain": "vagrant-2012-r2.local.crowbird.com", + "ip": "10.0.2.15", + "port": 137 + }, + "user": { + "domain": "NT AUTHORITY", + "id": "S-1-5-18", + "name": "SYSTEM" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2012-r2", + "event_id": "3", + "opcode": "Info", + "process": { + "pid": 4860, + "thread": { + "id": 4492 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + 
"record_id": "21", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-03-18T16:57:49.213Z", + "destination": { + "ip": "169.254.255.255", + "port": 137 + }, + "ecs": { + "version": "1.12.0" + }, + "event": { + "category": [ + "network" + ], + "code": "3", + "ingested": "2022-06-08T05:43:59.545239300Z", + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "start", + "connection", + "protocol" + ] + }, + "host": { + "name": "vagrant-2012-r2" + }, + "log": { + "level": "information" + }, + "network": { + "community_id": "1:ZHyFuF2PjubLSbAh4zRQIZHOZK8=", + "direction": "egress", + "protocol": "netbios-ns", + "transport": "udp", + "type": "ipv4" + }, + "process": { + "entity_id": "{42f11c3b-6e19-5c8c-0000-0010eb030000}", + "executable": "System", + "pid": 4 + }, + "related": { + "ip": [ + "10.0.2.15", + "169.254.255.255" + ], + "user": [ + "SYSTEM" + ] + }, + "source": { + "domain": "vagrant-2012-r2.local.crowbird.com", + "ip": "10.0.2.15", + "port": 137 + }, + "user": { + "domain": "NT AUTHORITY", + "id": "S-1-5-18", + "name": "SYSTEM" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2012-r2", + "event_id": "3", + "opcode": "Info", + "process": { + "pid": 4860, + "thread": { + "id": 4492 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "22", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-03-18T16:57:49.218Z", + "destination": { + "ip": "169.254.180.25", + "port": 137 + }, + "ecs": { + "version": "1.12.0" + }, + "event": { + "category": [ + "network" + ], + "code": "3", + "ingested": "2022-06-08T05:43:59.545244900Z", + "kind": 
"event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "start", + "connection", + "protocol" + ] + }, + "host": { + "name": "vagrant-2012-r2" + }, + "log": { + "level": "information" + }, + "network": { + "community_id": "1:r3C/WjbATNIislTQ0M+ySzwnuiw=", + "direction": "egress", + "protocol": "netbios-ns", + "transport": "udp", + "type": "ipv4" + }, + "process": { + "entity_id": "{42f11c3b-6e19-5c8c-0000-0010eb030000}", + "executable": "System", + "pid": 4 + }, + "related": { + "ip": [ + "10.0.2.15", + "169.254.180.25" + ], + "user": [ + "SYSTEM" + ] + }, + "source": { + "domain": "vagrant-2012-r2.local.crowbird.com", + "ip": "10.0.2.15", + "port": 137 + }, + "user": { + "domain": "NT AUTHORITY", + "id": "S-1-5-18", + "name": "SYSTEM" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2012-r2", + "event_id": "3", + "opcode": "Info", + "process": { + "pid": 4860, + "thread": { + "id": 4492 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "23", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + }, + { + "@timestamp": "2019-03-18T16:57:52.350Z", + "ecs": { + "version": "1.12.0" + }, + "event": { + "category": [ + "process" + ], + "code": "5", + "ingested": "2022-06-08T05:43:59.545253700Z", + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "end" + ] + }, + "host": { + "name": "vagrant-2012-r2" + }, + "log": { + "level": "information" + }, + "process": { + "entity_id": "{42f11c3b-ccc6-5c8f-0000-001005082900}", + "executable": "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe", + "name": "chrome.exe", + "pid": 4832 + }, + "user": { + "id": "S-1-5-18" + }, + "winlog": { + "api": "wineventlog", + "channel": 
"Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2012-r2", + "event_id": "5", + "opcode": "Info", + "process": { + "pid": 4860, + "thread": { + "id": 4516 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "24", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 3 + } + }, + { + "@timestamp": "2019-03-18T16:57:52.364Z", + "ecs": { + "version": "1.12.0" + }, + "event": { + "category": [ + "process" + ], + "code": "5", + "ingested": "2022-06-08T05:43:59.545265200Z", + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "end" + ] + }, + "host": { + "name": "vagrant-2012-r2" + }, + "log": { + "level": "information" + }, + "process": { + "entity_id": "{42f11c3b-cccc-5c8f-0000-0010e8272900}", + "executable": "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe", + "name": "chrome.exe", + "pid": 3208 + }, + "user": { + "id": "S-1-5-18" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2012-r2", + "event_id": "5", + "opcode": "Info", + "process": { + "pid": 4860, + "thread": { + "id": 4516 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "25", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 3 + } + }, + { + "@timestamp": "2019-03-18T16:57:52.387Z", + "ecs": { + "version": "1.12.0" + }, + "event": { + "category": [ + "file" + ], + "code": "2", + "ingested": "2022-06-08T05:43:59.545276400Z", + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "change" + ] + }, + "file": { + "directory": "C:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data", + 
"extension": "tmp", + "name": "fe823684-c940-49f2-a940-14b02cbafba9.tmp", + "path": "C:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\fe823684-c940-49f2-a940-14b02cbafba9.tmp" + }, + "host": { + "name": "vagrant-2012-r2" + }, + "log": { + "level": "information" + }, + "process": { + "entity_id": "{42f11c3b-ccaa-5c8f-0000-0010b4e22700}", + "executable": "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe", + "name": "chrome.exe", + "pid": 1600 + }, + "user": { + "id": "S-1-5-18" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2012-r2", + "event_data": { + "CreationUtcTime": "2019-03-18 16:52:04.980", + "PreviousCreationUtcTime": "2019-03-18 16:57:52.387" + }, + "event_id": "2", + "opcode": "Info", + "process": { + "pid": 4860, + "thread": { + "id": 4516 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "26", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 4 + } + }, + { + "@timestamp": "2019-03-18T16:57:52.417Z", + "ecs": { + "version": "1.12.0" + }, + "event": { + "category": [ + "file" + ], + "code": "2", + "ingested": "2022-06-08T05:43:59.545287700Z", + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "change" + ] + }, + "file": { + "directory": "C:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data", + "extension": "tmp", + "name": "162d4140-cfab-4d05-9c92-bca60515a622.tmp", + "path": "C:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\162d4140-cfab-4d05-9c92-bca60515a622.tmp" + }, + "host": { + "name": "vagrant-2012-r2" + }, + "log": { + "level": "information" + }, + "process": { + "entity_id": "{42f11c3b-ccaa-5c8f-0000-0010b4e22700}", + "executable": "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe", + "name": 
"chrome.exe", + "pid": 1600 + }, + "user": { + "id": "S-1-5-18" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2012-r2", + "event_data": { + "CreationUtcTime": "2019-03-18 16:52:04.980", + "PreviousCreationUtcTime": "2019-03-18 16:57:52.402" + }, + "event_id": "2", + "opcode": "Info", + "process": { + "pid": 4860, + "thread": { + "id": 4516 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "27", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 4 + } + }, + { + "@timestamp": "2019-03-18T16:57:52.417Z", + "ecs": { + "version": "1.12.0" + }, + "event": { + "category": [ + "file" + ], + "code": "2", + "ingested": "2022-06-08T05:43:59.545299200Z", + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "change" + ] + }, + "file": { + "directory": "C:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\Default", + "extension": "tmp", + "name": "1450fedf-ac4c-4e35-b371-ed5d3bbe4776.tmp", + "path": "C:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\1450fedf-ac4c-4e35-b371-ed5d3bbe4776.tmp" + }, + "host": { + "name": "vagrant-2012-r2" + }, + "log": { + "level": "information" + }, + "process": { + "entity_id": "{42f11c3b-ccaa-5c8f-0000-0010b4e22700}", + "executable": "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe", + "name": "chrome.exe", + "pid": 1600 + }, + "user": { + "id": "S-1-5-18" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2012-r2", + "event_data": { + "CreationUtcTime": "2019-03-18 16:52:05.028", + "PreviousCreationUtcTime": "2019-03-18 16:57:52.402" + }, + "event_id": "2", + "opcode": "Info", + "process": { + "pid": 4860, + "thread": { + "id": 4516 + } + }, 
+ "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "28", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 4 + } + }, + { + "@timestamp": "2019-03-18T16:57:52.417Z", + "ecs": { + "version": "1.12.0" + }, + "event": { + "category": [ + "file" + ], + "code": "2", + "ingested": "2022-06-08T05:43:59.545310500Z", + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "change" + ] + }, + "file": { + "directory": "C:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\Default", + "extension": "tmp", + "name": "37ed32e9-3c5f-4663-8457-c70743e9456d.tmp", + "path": "C:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\37ed32e9-3c5f-4663-8457-c70743e9456d.tmp" + }, + "host": { + "name": "vagrant-2012-r2" + }, + "log": { + "level": "information" + }, + "process": { + "entity_id": "{42f11c3b-ccaa-5c8f-0000-0010b4e22700}", + "executable": "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe", + "name": "chrome.exe", + "pid": 1600 + }, + "user": { + "id": "S-1-5-18" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2012-r2", + "event_data": { + "CreationUtcTime": "2019-03-18 16:51:54.980", + "PreviousCreationUtcTime": "2019-03-18 16:57:52.417" + }, + "event_id": "2", + "opcode": "Info", + "process": { + "pid": 4860, + "thread": { + "id": 4516 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "29", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 4 + } + }, + { + "@timestamp": "2019-03-18T16:57:52.433Z", + "ecs": { + "version": "1.12.0" + }, + "event": { + "category": [ + "process" + ], + "code": "5", + 
"ingested": "2022-06-08T05:43:59.545321800Z", + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "end" + ] + }, + "host": { + "name": "vagrant-2012-r2" + }, + "log": { + "level": "information" + }, + "process": { + "entity_id": "{42f11c3b-ccab-5c8f-0000-001064eb2700}", + "executable": "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe", + "name": "chrome.exe", + "pid": 2680 + }, + "user": { + "id": "S-1-5-18" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2012-r2", + "event_id": "5", + "opcode": "Info", + "process": { + "pid": 4860, + "thread": { + "id": 4516 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "30", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 3 + } + }, + { + "@timestamp": "2019-03-18T16:57:52.433Z", + "ecs": { + "version": "1.12.0" + }, + "event": { + "category": [ + "file" + ], + "code": "2", + "ingested": "2022-06-08T05:43:59.545333100Z", + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "change" + ] + }, + "file": { + "directory": "C:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Storage\\ext\\nmmhkkegccagdldgiimedpiccmgmieda\\def", + "extension": "tmp", + "name": "ecb9c915-c4c2-4600-a920-f2bc302990a8.tmp", + "path": "C:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Storage\\ext\\nmmhkkegccagdldgiimedpiccmgmieda\\def\\ecb9c915-c4c2-4600-a920-f2bc302990a8.tmp" + }, + "host": { + "name": "vagrant-2012-r2" + }, + "log": { + "level": "information" + }, + "process": { + "entity_id": "{42f11c3b-ccaa-5c8f-0000-0010b4e22700}", + "executable": "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe", + "name": "chrome.exe", + "pid": 1600 + }, + 
"user": { + "id": "S-1-5-18" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2012-r2", + "event_data": { + "CreationUtcTime": "2019-03-18 16:52:08.496", + "PreviousCreationUtcTime": "2019-03-18 16:57:52.417" + }, + "event_id": "2", + "opcode": "Info", + "process": { + "pid": 4860, + "thread": { + "id": 4516 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "31", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 4 + } + }, + { + "@timestamp": "2019-03-18T16:57:52.433Z", + "ecs": { + "version": "1.12.0" + }, + "event": { + "category": [ + "file" + ], + "code": "2", + "ingested": "2022-06-08T05:43:59.545344600Z", + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "change" + ] + }, + "file": { + "directory": "C:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Storage\\ext\\gfdkimpbcpahaombhbimeihdjnejgicl\\def", + "extension": "tmp", + "name": "ee4a6e45-bffd-49f4-98ae-32aebcc890b5.tmp", + "path": "C:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Storage\\ext\\gfdkimpbcpahaombhbimeihdjnejgicl\\def\\ee4a6e45-bffd-49f4-98ae-32aebcc890b5.tmp" + }, + "host": { + "name": "vagrant-2012-r2" + }, + "log": { + "level": "information" + }, + "process": { + "entity_id": "{42f11c3b-ccaa-5c8f-0000-0010b4e22700}", + "executable": "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe", + "name": "chrome.exe", + "pid": 1600 + }, + "user": { + "id": "S-1-5-18" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2012-r2", + "event_data": { + "CreationUtcTime": "2019-03-18 16:52:05.339", + "PreviousCreationUtcTime": "2019-03-18 16:57:52.417" + }, + "event_id": "2", + "opcode": 
"Info", + "process": { + "pid": 4860, + "thread": { + "id": 4516 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "32", + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 4 + } + } +] \ No newline at end of file diff --git a/x-pack/winlogbeat/module/testing.go b/x-pack/winlogbeat/module/testing.go new file mode 100644 index 000000000000..69490fa3f91c --- /dev/null +++ b/x-pack/winlogbeat/module/testing.go 
@@ -0,0 +1,334 @@
+// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+// or more contributor license agreements. Licensed under the Elastic License;
+// you may not use this file except in compliance with the Elastic License.
+
+package module
+
+import (
+ "encoding/json"
+ "flag"
+ "fmt"
+ "io/ioutil"
+ "os"
+ "path/filepath"
+ "reflect"
+ "regexp"
+ "strings"
+ "sync"
+ "testing"
+ "time"
+
+ "github.com/pmezard/go-difflib/difflib"
+ "github.com/stretchr/testify/assert"
+
+ devtools "github.com/elastic/beats/v7/dev-tools/mage"
+ "github.com/elastic/beats/v7/libbeat/beat"
+ "github.com/elastic/beats/v7/libbeat/esleg/eslegclient"
+ "github.com/elastic/beats/v7/libbeat/mapping"
+ "github.com/elastic/beats/v7/libbeat/version"
+ "github.com/elastic/beats/v7/winlogbeat/module"
+ "github.com/elastic/beats/v7/x-pack/winlogbeat/module/wintest"
+ "github.com/elastic/elastic-agent-libs/mapstr"
+ "github.com/elastic/elastic-agent-libs/transport/httpcommon"
+)
+
+var update = flag.Bool("update", false, "update golden files")
+
+// Option configures the test behavior.
+type Option func(*params)
+
+type params struct {
+ ignoreFields []string
+}
+
+// WithFieldFilter filters the specified fields from the event prior to
+// comparison of values, but retains them in the written golden files.
+func WithFieldFilter(filter []string) Option {
+ return func(p *params) {
+ p.ignoreFields = filter
+ }
+}
+
+// TestIngestPipeline tests the partial pipeline by reading events from the .json files
+// and processing them the ingest pipeline. Then it compares the results against
+// a saved golden file. Use -update to regenerate the golden files.
+func TestIngestPipeline(t *testing.T, pipeline, json string, opts ...Option) {
+ var p params
+ for _, o := range opts {
+ o(&p)
+ }
+ testIngestPipeline(t, pipeline, json, &p)
+}
+
+func testIngestPipeline(t *testing.T, pipeline, pattern string, p *params) {
+ const (
+ host = "http://localhost:9200"
+ user = "admin"
+ pass = "testing"
+ indexPrefix = "winlogbeat-test"
+ )
+
+ paths, err := filepath.Glob(pattern)
+ if err != nil {
+ t.Fatalf("failed to expand glob pattern %q", pattern)
+ }
+ if len(paths) == 0 {
+ t.Fatal("glob", pattern, "didn't match any files")
+ }
+
+ done, _, err := wintest.Docker(".", "test", testing.Verbose())
+ if err != nil {
+ t.Fatal(err)
+ }
+ if *wintest.KeepRunning {
+ fmt.Fprintln(os.Stdout, "Use this to manually cleanup containers: docker-compose", "-p", devtools.DockerComposeProjectName(), "rm", "--stop", "--force")
+ }
+ t.Cleanup(func() {
+ stop := !*wintest.KeepRunning
+ err = done(stop)
+ if err != nil {
+ t.Errorf("unexpected error during cleanup: %v", err)
+ }
+ })
+
+ // Currently we are using mixed API because beats is using the old ES API package,
+ // while SimulatePipeline is using the official v8 client package.
+ conn, err := eslegclient.NewConnection(eslegclient.ConnectionSettings{
+ URL: host,
+ Username: user,
+ Password: pass,
+ CompressionLevel: 3,
+ Transport: httpcommon.HTTPTransportSettings{Timeout: time.Minute},
+ })
+ if err != nil {
+ t.Fatalf("unexpected error making connection: %v", err)
+ }
+ defer conn.Close()
+
+ err = conn.Connect()
+ if err != nil {
+ t.Fatalf("unexpected error making connection: %v", err)
+ }
+
+ info := beat.Info{
+ IndexPrefix: indexPrefix,
+ Version: version.GetDefaultVersion(),
+ }
+ loaded, err := module.UploadPipelines(info, conn, true)
+ if err != nil {
+ t.Errorf("unexpected error uploading pipelines: %v", err)
+ }
+ wantPipelines := []string{
+ "powershell",
+ "powershell_operational",
+ "routing",
+ "security",
+ "sysmon",
+ }
+ if len(loaded) != len(wantPipelines) {
+ t.Fatalf("unexpected number of loaded pipelines: got:%d want:%d", len(loaded), len(wantPipelines))
+ }
+ want := regexp.MustCompile(`^` + indexPrefix + `-.*-(` + strings.Join(wantPipelines, "|") + `)$`)
+ pipelines := make(map[string]string)
+ for _, p := range loaded {
+ m := want.FindAllStringSubmatch(p, -1)
+ pipelines[m[0][1]] = p
+ }
+ _, ok := pipelines[pipeline]
+ if !ok {
+ t.Fatalf("failed to upload %q", pipeline)
+ }
+
+ cases, err := wintest.SimulatePipeline(host, user, pass, pipelines[pipeline], paths)
+ if err != nil {
+ t.Fatalf("unexpected error running simulate: %v", err)
+ }
+ for _, k := range cases {
+ name := filepath.Base(k.Path)
+ t.Run(name, func(t *testing.T) {
+ if k.Err != nil {
+ t.Errorf("unexpected error: %v", k.Err)
+ }
+
+ var events []mapstr.M
+ //nolint:errcheck // All the errors returned here are from mapstr.M queries and may be ignored.
+ for i, p := range k.Processed {
+ err = wintest.ErrorMessage(p)
+ if err != nil {
+ t.Errorf("unexpected ingest error for event %d: %v", i, err)
+ }
+
+ var event mapstr.M
+ err = json.Unmarshal(p, &event)
+ if err != nil {
+ t.Fatalf("failed to unmarshal event into mapstr: %v", err)
+ }
+
+ // Validate fields in event against fields.yml.
+ assertFieldsAreDocumented(t, event)
+
+ event.Delete("event.created")
+ event.Delete("log.file")
+
+ // Enrichment based on user.identifier varies based on the host
+ // where this is execute so remove it.
+ if userType, _ := event.GetValue("winlog.user.type"); userType != "Well Known Group" {
+ event.Delete("winlog.user.type")
+ event.Delete("winlog.user.name")
+ event.Delete("winlog.user.domain")
+ }
+
+ events = append(events, event)
+ }
+
+ path, err := filepath.Abs(k.Path)
+ if err != nil {
+ t.Fatal(err)
+ }
+ path = strings.TrimSuffix(path, ".evtx.golden.json")
+
+ if *update {
+ writeGolden(t, path, "testdata/ingest", events)
+ return
+ }
+
+ expected := readGolden(t, path, "testdata/ingest")
+ if !assert.Len(t, events, len(expected)) {
+ return
+ }
+ for i, e := range events {
+ assertEqual(t, filterEvent(expected[i], p.ignoreFields), normalize(t, filterEvent(e, p.ignoreFields)))
+ }
+ })
+ }
+}
+
+// assertEqual asserts that the two objects are deeply equal. If not it will
+// error the test and output a diff of the two objects' JSON representation.
+func assertEqual(t testing.TB, expected, actual interface{}) bool {
+ t.Helper()
+
+ if reflect.DeepEqual(expected, actual) {
+ return true
+ }
+
+ expJSON, _ := json.MarshalIndent(expected, "", " ")
+ actJSON, _ := json.MarshalIndent(actual, "", " ")
+
+ diff, _ := difflib.GetUnifiedDiffString(difflib.UnifiedDiff{
+ A: difflib.SplitLines(string(expJSON)),
+ B: difflib.SplitLines(string(actJSON)),
+ FromFile: "Expected",
+ ToFile: "Actual",
+ Context: 1,
+ })
+ t.Errorf("Expected and actual are different:\n%s", diff)
+ return false
+}
+
+func writeGolden(t testing.TB, source, dir string, events []mapstr.M) {
+ data, err := json.MarshalIndent(events, "", " ")
+ if err != nil {
+ t.Fatal(err)
+ }
+
+ if err := os.MkdirAll(dir, 0755); err != nil {
+ t.Fatal(err)
+ }
+
+ outPath := filepath.Join(dir, filepath.Base(source)+".golden.json")
+ if err := ioutil.WriteFile(outPath, data, 0o644); err != nil {
+ t.Fatal(err)
+ }
+}
+
+func readGolden(t testing.TB, source, dir string) []mapstr.M {
+ inPath := filepath.Join(dir, filepath.Base(source)+".golden.json")
+
+ data, err := ioutil.ReadFile(inPath)
+ if err != nil {
+ t.Fatal(err)
+ }
+
+ var events []mapstr.M
+ if err = json.Unmarshal(data, &events); err != nil {
+ t.Fatal(err)
+ }
+
+ for _, e := range events {
+ lowercaseGUIDs(e)
+ }
+ return events
+}
+
+func normalize(t testing.TB, m mapstr.M) mapstr.M {
+ data, err := json.Marshal(m)
+ if err != nil {
+ t.Fatal(err)
+ }
+
+ var out mapstr.M
+ if err = json.Unmarshal(data, &out); err != nil {
+ t.Fatal(err)
+ }
+
+ // Lowercase the GUIDs in case tests are run Windows < 2019.
+ return lowercaseGUIDs(out)
+}
+
+func filterEvent(m mapstr.M, ignores []string) mapstr.M {
+ for _, f := range ignores {
+ m.Delete(f) //nolint:errcheck // Deleting a thing that doesn't exist is ok.
+ }
+ return m
+}
+
+var uppercaseGUIDRegex = regexp.MustCompile(`^{[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}}$`)
+
+// lowercaseGUIDs finds string fields that look like GUIDs and converts the hex
+// from uppercase to lowercase. Prior to Windows 2019, GUIDs used uppercase hex
+// (contrary to RFC 4122).
+func lowercaseGUIDs(m mapstr.M) mapstr.M {
+ for k, v := range m.Flatten() {
+ str, ok := v.(string)
+ if !ok {
+ continue
+ }
+ if uppercaseGUIDRegex.MatchString(str) {
+ m.Put(k, strings.ToLower(str)) //nolint:errcheck // Can't fail because k has been obtained from m.
+ }
+ }
+ return m
+}
+
+var (
+ loadDocumentedFieldsOnce sync.Once
+ documentedFields []string
+)
+
+// assertFieldsAreDocumented validates that all fields contained in the event
+// are documented in a fields.yml file.
+func assertFieldsAreDocumented(t testing.TB, m mapstr.M) {
+ t.Helper()
+
+ loadDocumentedFieldsOnce.Do(func() {
+ fieldsYml, err := mapping.LoadFieldsYaml("../../../build/fields/fields.all.yml")
+ if err != nil {
+ t.Fatal("Failed to load generated fields.yml data. Try running 'mage update'.", err)
+ }
+ documentedFields = fieldsYml.GetKeys()
+ })
+
+ for eventFieldName := range m.Flatten() {
+ found := false
+ for _, documentedFieldName := range documentedFields {
+ if strings.HasPrefix(eventFieldName, documentedFieldName) {
+ found = true
+ break
+ }
+ }
+ if !found {
+ assert.Fail(t, "Field not documented", "Key '%v' found in event is not documented.", eventFieldName)
+ }
+ }
+}
diff --git a/x-pack/winlogbeat/module/testing_windows.go b/x-pack/winlogbeat/module/testing_windows.go
index ded909da37bd..607ec9454bd1 100644
--- a/x-pack/winlogbeat/module/testing_windows.go
+++ b/x-pack/winlogbeat/module/testing_windows.go
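Review bot: `pipelines[m[0][1]] = p` in testIngestPipeline panics with an index-out-of-range instead of a test failure whenever an uploaded pipeline ID does not match `want`, because FindAllStringSubmatch returns nil on no match; guard it, e.g. `m := want.FindStringSubmatch(p)`, `if m == nil { t.Fatalf("unexpected pipeline id %q", p) }`, `pipelines[m[1]] = p`. The preceding `module.UploadPipelines` error is reported with t.Errorf and execution continues, so a failed upload surfaces later as the less useful "unexpected number of loaded pipelines" message — t.Fatalf there would point at the real cause, and the glob Fatalf above it drops `err` from its message. On style, the `json string` parameter of TestIngestPipeline shadows the encoding/json import, the loop variables in `for _, p := range loaded` and `for i, p := range k.Processed` shadow the `p *params` parameter that is read right after the second loop, and writeGolden mixes `0755` with `0o644` and uses io/ioutil while wintest/docker.go in this same change uses os.WriteFile.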
@@ -5,22 +5,13 @@ package module import ( - "encoding/json" - "flag" "io" - "io/ioutil" - "os" "path/filepath" - "reflect" - "regexp" "strings" - "sync" "testing" - "github.com/pmezard/go-difflib/difflib" "github.com/stretchr/testify/assert" - "github.com/elastic/beats/v7/libbeat/mapping" "github.com/elastic/beats/v7/winlogbeat/checkpoint" "github.com/elastic/beats/v7/winlogbeat/eventlog" "github.com/elastic/elastic-agent-libs/config" @@ -28,23 +19,6 @@ import ( "github.com/elastic/go-sysinfo/providers/windows" ) -var update = flag.Bool("update", false, "update golden files") - -// Option configures the test behavior. -type Option func(*params) - -type params struct { - ignoreFields []string -} - -// WithFieldFilter filters the specified fields from the event prior to -// comparison of values, but retains them in the written golden files. -func WithFieldFilter(filter []string) Option { - return func(p *params) { - p.ignoreFields = filter - } -} - // TestCollectionPipeline tests the partial pipeline by reading events from the .evtx files // and processing them with a basic enrichment. Then it compares the results against // a saved golden file. Use -update to regenerate the golden files. @@ -144,11 +118,11 @@ func testCollectionPipeline(t testing.TB, evtx string, p *params) { } if *update { - writeGolden(t, path, events) + writeGolden(t, path, "testdata/collection", events) return } - expected := readGolden(t, path) + expected := readGolden(t, path, "testdata/collection") if !assert.Len(t, events, len(expected)) { return } 
@@ -156,133 +130,3 @@ func testCollectionPipeline(t testing.TB, evtx string, p *params) { assertEqual(t, filterEvent(expected[i], p.ignoreFields), normalize(t, filterEvent(e, p.ignoreFields))) } } - -// assertEqual asserts that the two objects are deeply equal. If not it will -// error the test and output a diff of the two objects' JSON representation. -func assertEqual(t testing.TB, expected, actual interface{}) bool { - t.Helper() - - if reflect.DeepEqual(expected, actual) { - return true - } - - expJSON, _ := json.MarshalIndent(expected, "", " ") - actJSON, _ := json.MarshalIndent(actual, "", " ") - - diff, _ := difflib.GetUnifiedDiffString(difflib.UnifiedDiff{ - A: difflib.SplitLines(string(expJSON)), - B: difflib.SplitLines(string(actJSON)), - FromFile: "Expected", - ToFile: "Actual", - Context: 1, - }) - t.Errorf("Expected and actual are different:\n%s", diff) - return false -} - -func writeGolden(t testing.TB, source string, events []mapstr.M) { - data, err := json.MarshalIndent(events, "", " ") - if err != nil { - t.Fatal(err) - } - - if err := os.MkdirAll("testdata/collection", 0755); err != nil { - t.Fatal(err) - } - - outPath := filepath.Join("testdata/collection", filepath.Base(source)+".golden.json") - if err := ioutil.WriteFile(outPath, data, 0o644); err != nil { - t.Fatal(err) - } -} - -func readGolden(t testing.TB, source string) []mapstr.M { - inPath := filepath.Join("testdata/collection", filepath.Base(source)+".golden.json") - - data, err := ioutil.ReadFile(inPath) - if err != nil { - t.Fatal(err) - } - - var events []mapstr.M - if err = json.Unmarshal(data, &events); err != nil { - t.Fatal(err) - } - - for _, e := range events { - lowercaseGUIDs(e) - } - return events -} - -func normalize(t testing.TB, m mapstr.M) mapstr.M { - data, err := json.Marshal(m) - if err != nil { - t.Fatal(err) - } - - var out mapstr.M - if err = json.Unmarshal(data, &out); err != nil { - t.Fatal(err) - } - - // Lowercase the GUIDs in case tests are run Windows < 2019. 
- return lowercaseGUIDs(out) -} - -func filterEvent(m mapstr.M, ignores []string) mapstr.M { - for _, f := range ignores { - m.Delete(f) //nolint:errcheck // Deleting a thing that doesn't exist is ok. - } - return m -} - -var uppercaseGUIDRegex = regexp.MustCompile(`^{[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}}$`) - -// lowercaseGUIDs finds string fields that look like GUIDs and converts the hex -// from uppercase to lowercase. Prior to Windows 2019, GUIDs used uppercase hex -// (contrary to RFC 4122). -func lowercaseGUIDs(m mapstr.M) mapstr.M { - for k, v := range m.Flatten() { - str, ok := v.(string) - if !ok { - continue - } - if uppercaseGUIDRegex.MatchString(str) { - m.Put(k, strings.ToLower(str)) //nolint:errcheck // Can't fail because k has been obtained from m. - } - } - return m -} - -var ( - loadDocumentedFieldsOnce sync.Once - documentedFields []string -) - -// assertFieldsAreDocumented validates that all fields contained in the event -// are documented in a fields.yml file. -func assertFieldsAreDocumented(t testing.TB, m mapstr.M) { - t.Helper() - - loadDocumentedFieldsOnce.Do(func() { - fieldsYml, err := mapping.LoadFieldsYaml("../../../build/fields/fields.all.yml") - if err != nil { - t.Fatal("Failed to load generated fields.yml data. Try running 'mage update'.", err) - } - documentedFields = fieldsYml.GetKeys() - }) - - for eventFieldName := range m.Flatten() { - found := false - for _, documentedFieldName := range documentedFields { - if strings.HasPrefix(eventFieldName, documentedFieldName) { - found = true - break - } - } - if !found { - assert.Fail(t, "Field not documented", "Key '%v' found in event is not documented.", eventFieldName) - } - } -} diff --git a/x-pack/winlogbeat/module/wintest/doc.go b/x-pack/winlogbeat/module/wintest/doc.go new file mode 100644 index 000000000000..8606e10f9ff7 --- /dev/null +++ b/x-pack/winlogbeat/module/wintest/doc.go 
@@ -0,0 +1,6 @@
+// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+// or more contributor license agreements. Licensed under the Elastic License;
+// you may not use this file except in compliance with the Elastic License.
+
+// Package wintest provides support for testing ingest node pipelines for Windows.
+package wintest
diff --git a/x-pack/winlogbeat/module/wintest/docker.go b/x-pack/winlogbeat/module/wintest/docker.go
new file mode 100644
index 000000000000..36552aecb79d
--- /dev/null
+++ b/x-pack/winlogbeat/module/wintest/docker.go
@@ -0,0 +1,153 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +package wintest + +import ( + "fmt" + "io" + "os" + "path/filepath" + "time" + + "github.com/magefile/mage/sh" + + devtools "github.com/elastic/beats/v7/dev-tools/mage" +) + +// Docker starts docker-compose and waits for the services to be healthy. It returns +// a clean-up function that will conditionally stop the services, and log the docker-compose +// output to the directory specified by root, with filename TEST-elasticsearch-.log. +// If verbose is true, stderr from docker-compose is passed to the test process' stderr. +// Docker is aware of STACK_ENVIRONMENT, DOCKER_NOCACHE and DOCKER_PULL. +func Docker(root, target string, verbose bool) (done func(stop bool) error, env map[string]string, _ error) { + esBeatsDir, err := devtools.ElasticBeatsDir() + if err != nil { + return nil, nil, err + } + env = map[string]string{ + "ES_BEATS": esBeatsDir, + "STACK_ENVIRONMENT": devtools.StackEnvironment, + } + + err = os.WriteFile(composeFile, []byte(compose), 0o644) + if err != nil { + return nil, nil, err + } + + err = dockerCompose(env, verbose) + if err != nil { + return nil, nil, err + } + + err = devtools.StartIntegTestContainers() + if err != nil { + return nil, nil, fmt.Errorf("starting containers: %w", err) + } + + return func(stop bool) error { + defer os.Remove(composeFile) + + err = saveLogs(env, root, target) + if err != nil { + fmt.Fprintf(os.Stdout, "failed to save docker-compose logs: %s\n", err) + } + if !stop { + return nil + } + return devtools.StopIntegTestContainers() + }, env, nil +} + +func saveLogs(env map[string]string, root, target string) error { + dir := filepath.Join(root, "build") + logFile := filepath.Join(dir, "TEST-elasticsearch-"+target+".log") + err := os.MkdirAll(dir, 
os.ModeDir|0o770) + if err != nil { + return fmt.Errorf("creating docker log dir: %w", err) + } + + f, err := os.Create(logFile) + if err != nil { + return fmt.Errorf("creating docker log file: %w", err) + } + defer f.Close() + + _, err = sh.Exec( + env, + f, // stdout + f, // stderr + "docker-compose", + "-p", devtools.DockerComposeProjectName(), + "logs", + "--no-color", + ) + if err != nil { + return fmt.Errorf("executing docker-compose logs: %w", err) + } + return nil +} + +const ( + composeFile = "docker-compose.yaml" + compose = `version: '2.3' +services: + # This is a proxy used to block beats until all services are healthy. + # See: https://github.com/docker/compose/issues/4369 + proxy_dep: + image: busybox + depends_on: + elasticsearch: { condition: service_healthy } + + elasticsearch: + extends: + file: ${ES_BEATS}/testing/environments/${STACK_ENVIRONMENT}.yml + service: elasticsearch + healthcheck: + test: ["CMD-SHELL", "curl -u admin:testing -s http://localhost:9200/_cat/health?h=status | grep -q green"] + retries: 300 + interval: 1s + ports: + - 9200:9200 +` +) + +// dockerCompose runs docker-compose with the provided environment. +// It is aware of DOCKER_NOCACHE and DOCKER_PULL. If verbose is true +// the stderr output of docker-compose is written to the terminal. +func dockerCompose(env map[string]string, verbose bool) error { + args := []string{ + "-p", devtools.DockerComposeProjectName(), + "build", + "--force-rm", + } + if _, noCache := os.LookupEnv("DOCKER_NOCACHE"); noCache { + args = append(args, "--no-cache") + } + if _, forcePull := os.LookupEnv("DOCKER_PULL"); forcePull { + args = append(args, "--pull") + } + + out := io.Discard + if verbose { + out = os.Stderr + } + var err error + const retries = 2 + for n := 0; n < retries; n++ { + _, err = sh.Exec( + env, + out, + os.Stderr, + "docker-compose", args..., + ) + if err == nil { + break + } + // This sleep is to avoid hitting the docker build + // issues when resources are not available. 
+ time.Sleep(10 * time.Nanosecond)
+ }
+ return err
+}
diff --git a/x-pack/winlogbeat/module/wintest/docker_test.go b/x-pack/winlogbeat/module/wintest/docker_test.go
new file mode 100644
index 000000000000..c05ef97e45e6
--- /dev/null
+++ b/x-pack/winlogbeat/module/wintest/docker_test.go
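Review bot: The retry back-off at the end of dockerCompose sleeps for `10 * time.Nanosecond`, which contradicts the comment above it about waiting for docker build resources to become available; a nanosecond-scale pause is effectively an immediate retry, so `time.Sleep(10 * time.Second)` (or a caller-supplied duration) is presumably what was intended. In saveLogs, `defer f.Close()` discards the close error of the log file that docker-compose output was just written to, so a failed flush would still be reported as success; an explicit `if err := f.Close(); err != nil { return fmt.Errorf("closing docker log file: %w", err) }` after sh.Exec keeps that visible. The done closure returned by Docker assigns to the err captured from the enclosing function rather than declaring its own local, which is harmless here but easy to misread as affecting Docker's own result.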
@@ -0,0 +1,127 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +// Windows is excluded not because the tests won't pass on Windows in general, +// but because they won't pass on Windows in a VM — where we are using this — due +// to the VM inception problem. +// +//go:build !windows +// +build !windows + +package wintest_test + +import ( + "bytes" + "context" + "io" + "net/http" + "regexp" + "strings" + "testing" + "time" + + "github.com/elastic/beats/v7/libbeat/beat" + "github.com/elastic/beats/v7/libbeat/esleg/eslegclient" + "github.com/elastic/beats/v7/libbeat/version" + "github.com/elastic/beats/v7/winlogbeat/module" + "github.com/elastic/beats/v7/x-pack/winlogbeat/module/wintest" + "github.com/elastic/elastic-agent-libs/transport/httpcommon" + + // Enable pipelines. + _ "github.com/elastic/beats/v7/x-pack/winlogbeat/module" +) + +func TestDocker(t *testing.T) { + const ( + host = "http://localhost:9200" + user = "admin" + pass = "testing" + indexPrefix = "winlogbeat-test" + ) + + done, _, err := wintest.Docker(".", "test", testing.Verbose()) + if err != nil { + t.Fatal(err) + } + t.Cleanup(func() { + const stop = false + err = done(stop) + if err != nil { + t.Errorf("unexpected error during cleanup: %v", err) + } + }) + + resp, err := getStatus(host, user, pass) + if err != nil { + t.Errorf("unexpected error querying elasticsearch:%v", err) + } + defer resp.Body.Close() + + var buf bytes.Buffer + _, err = io.Copy(&buf, resp.Body) + if err != nil { + t.Errorf("unexpected error copying buffer: %v", err) + } + + got := buf.String() + want := "green" + if !strings.Contains(got, want) { + t.Fatalf("unexpected response from elasticsearch: got:%s want:%s", got, want) + } + + t.Run("UploadPipelines", func(t *testing.T) { + conn, err := 
eslegclient.NewConnection(eslegclient.ConnectionSettings{ + URL: host, + Username: user, + Password: pass, + CompressionLevel: 3, + Transport: httpcommon.HTTPTransportSettings{Timeout: time.Minute}, + }) + if err != nil { + t.Fatalf("unexpected error making connection: %v", err) + } + defer conn.Close() + + err = conn.Connect() + if err != nil { + t.Fatalf("unexpected error making connection: %v", err) + } + + info := beat.Info{ + IndexPrefix: indexPrefix, + Version: version.GetDefaultVersion(), + } + loaded, err := module.UploadPipelines(info, conn, true) + if err != nil { + t.Errorf("unexpected error uploading pipelines: %v", err) + } + wantPipelines := []string{ + "powershell", + "powershell_operational", + "routing", + "security", + "sysmon", + } + if len(loaded) != len(wantPipelines) { + t.Errorf("unexpected number of loaded pipelines: got:%d want:%d", len(loaded), len(wantPipelines)) + } + want := regexp.MustCompile(`^` + indexPrefix + `-.*-(?:` + strings.Join(wantPipelines, "|") + `)$`) + for _, p := range loaded { + if !want.MatchString(p) { + t.Errorf("unexpected pipeline ID: %v", p) + } + } + }) +} + +func getStatus(host, user, pass string) (*http.Response, error) { + // To match the condition in the docker-compose file: + // curl -u admin:testing -s http://localhost:9200/_cat/health?h=status | grep -q green + req, err := http.NewRequestWithContext(context.Background(), "GET", host+"/_cat/health?h=status", nil) + if err != nil { + return nil, err + } + req.SetBasicAuth(user, pass) + return http.DefaultClient.Do(req) +} diff --git a/x-pack/winlogbeat/module/wintest/simulate.go b/x-pack/winlogbeat/module/wintest/simulate.go new file mode 100644 index 000000000000..8212cbf8e0ec --- /dev/null +++ b/x-pack/winlogbeat/module/wintest/simulate.go 
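Review bot: In TestDocker a failure from getStatus is reported with `t.Errorf` and execution continues into `defer resp.Body.Close()`, which dereferences a nil *http.Response and turns the real error into a panic; that report should be `t.Fatalf("unexpected error querying elasticsearch: %v", err)`. getStatus sends the request through `http.DefaultClient`, which has no timeout, so the test can hang indefinitely if Elasticsearch never answers; a client such as `&http.Client{Timeout: time.Minute}` (time is already imported) bounds the wait. The health check then only looks for the substring "green" in the body without checking `resp.StatusCode`, so an authentication or routing error response surfaces as a confusing "unexpected response" message rather than a status failure.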
@@ -0,0 +1,282 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +package wintest + +import ( + "bytes" + "encoding/json" + "errors" + "flag" + "fmt" + "io" + "net/http" + "os" + + "github.com/elastic/go-elasticsearch/v8" + "github.com/elastic/go-elasticsearch/v8/esapi" +) + +var KeepRunning = flag.Bool("keep-running", false, "don't tear down simulate docker (will print command to manually stop instance)") + +// TestCase is a file input and Elasticsearch response set returned by SimulatePipeline. +type TestCase struct { + Path string + Collected []json.RawMessage + Processed []json.RawMessage + Err error +} + +// SimulatePipeline runs the Elasticsearch simulate pipeline on the provided host using +// user and pass as authentication. The pipeline used must already exist in the elasticsearch +// instance. The paths is the set of JSON documents to send to simulate. +// +// The returned test cases will contain the name of the input file, the input data, +// the resulting processed documents and any Elasticsearch error messages. If error +// is non-nil, the returned test cases are not valid. 
+func SimulatePipeline(host, user, pass, pipeline string, paths []string) ([]TestCase, error) { + if host == "" { + return nil, errors.New("missing required host name") + } + + cases, err := readRawTestData(paths) + if err != nil { + return nil, err + } + + config := elasticsearch.Config{ + Addresses: []string{host}, + Username: user, + Password: pass, + } + client, err := elasticsearch.NewClient(config) + if err != nil { + return nil, fmt.Errorf("failed to make client: %w", err) + } + + for i, k := range cases { + cases[i].Processed, cases[i].Err = simulatePipeline(client.API, pipeline, k.Collected) + for j := range k.Collected { + cases[i].Collected[j], err = marshalNormalizedJSON(cases[i].Collected[j]) + if err != nil { + return nil, err + } + } + for j := range cases[i].Processed { + cases[i].Processed[j], err = marshalNormalizedJSON(cases[i].Processed[j]) + if err != nil { + return nil, err + } + } + } + return cases, nil +} + +// readRawTestData loads the unprocessed data held in the provided paths. +func readRawTestData(paths []string) ([]TestCase, error) { + var cases []TestCase + for _, path := range paths { + events, err := readEvents(path) + if err != nil { + return nil, err + } + cases = append(cases, TestCase{ + Path: path, + Collected: events, + }) + } + return cases, nil +} + +func readEvents(path string) ([]json.RawMessage, error) { + b, err := os.ReadFile(path) + if err != nil { + return nil, err + } + var events []json.RawMessage + err = json.Unmarshal(b, &events) + return events, err +} + +// simulatePipeline runs a single simulate query on the specified pipeline +// with the provided documents. 
+func simulatePipeline(api *esapi.API, pipeline string, docs []json.RawMessage) ([]json.RawMessage, error) { + var request simulatePipelineRequest + for _, event := range docs { + request.Docs = append(request.Docs, pipelineDocument{ + Source: event, + }) + } + requestBody, err := json.Marshal(request) + if err != nil { + return nil, fmt.Errorf("marshaling simulate request failed: %w", err) + } + + resp, err := api.Ingest.Simulate(bytes.NewReader(requestBody), func(request *esapi.IngestSimulateRequest) { + request.PipelineID = pipeline + }) + if err != nil { + return nil, fmt.Errorf("failed to simulate %q pipeline: %w", pipeline, err) + } + defer resp.Body.Close() + body, err := io.ReadAll(resp.Body) + if err != nil { + return nil, fmt.Errorf("failed to read simulate response: %w", err) + } + if resp.StatusCode != http.StatusOK { + return nil, fmt.Errorf("unexpected response status for simulate: %s (%d): %w", resp.Status(), resp.StatusCode, newError(body)) + } + + var response simulatePipelineResponse + err = json.Unmarshal(body, &response) + if err != nil { + return nil, fmt.Errorf("failed to unmarshal simulate response: %w", err) + } + var events []json.RawMessage + for _, doc := range response.Docs { + events = append(events, doc.Doc.Source) + } + return events, nil +} + +type simulatePipelineRequest struct { + Docs []pipelineDocument `json:"docs"` +} + +type simulatePipelineResponse struct { + Docs []pipelineIngestedDocument `json:"docs"` +} + +type pipelineIngestedDocument struct { + Doc pipelineDocument `json:"doc"` +} + +type pipelineDocument struct { + Source json.RawMessage `json:"_source"` +} + +// newError returns a new error constructed from the given response body. +// This assumes the body contains a JSON encoded error. If the body cannot +// be parsed then an error is returned that contains the raw body. 
+func newError(body []byte) error { + var msg struct { + Error struct { + RootCause []struct { + Type string `json:"type"` + Reason string `json:"reason"` + ProcessorType string `json:"processor_type,omitempty"` + ScriptStack []string `json:"script_stack,omitempty"` + Script string `json:"script,omitempty"` + Lang string `json:"lang,omitempty"` + Position struct { + Offset int `json:"offset"` + Start int `json:"start"` + End int `json:"end"` + } `json:"position,omitempty"` + Suppressed []struct { + Type string `json:"type"` + Reason string `json:"reason"` + ProcessorType string `json:"processor_type"` + } `json:"suppressed,omitempty"` + } `json:"root_cause,omitempty"` + Type string `json:"type"` + Reason string `json:"reason"` + ProcessorType string `json:"processor_type,omitempty"` + ScriptStack []string `json:"script_stack,omitempty"` + Script string `json:"script,omitempty"` + Lang string `json:"lang,omitempty"` + Position struct { + Offset int `json:"offset"` + Start int `json:"start"` + End int `json:"end"` + } `json:"position,omitempty"` + CausedBy struct { + Type string `json:"type"` + Reason string `json:"reason"` + CausedBy struct { + Type string `json:"type"` + Reason interface{} `json:"reason"` + } `json:"caused_by,omitempty"` + } `json:"caused_by,omitempty"` + Suppressed []struct { + Type string `json:"type"` + Reason string `json:"reason"` + ProcessorType string `json:"processor_type"` + } `json:"suppressed,omitempty"` + } `json:"error"` + Status int `json:"status"` + } + + err := json.Unmarshal(body, &msg) + if err != nil { + // Fall back to including to raw body if it cannot be parsed. 
+ return fmt.Errorf("elasticsearch error: %s", body) + } + if len(msg.Error.RootCause) > 0 { + cause, _ := json.MarshalIndent(msg.Error.RootCause, "", " ") + return fmt.Errorf("elasticsearch error (type=%s): %s\nRoot cause:\n%s", msg.Error.Type, msg.Error.Reason, cause) + } + return fmt.Errorf("elasticsearch error (type=%s): %s", msg.Error.Type, msg.Error.Reason) +} + +// marshalNormalizedJSON marshals test results ensuring that field +// order remains consistent independent of field order returned by +// ES to minimize diff noise during changes. +func marshalNormalizedJSON(v interface{}) ([]byte, error) { + msg, err := json.Marshal(v) + if err != nil { + return msg, err + } + var obj interface{} + err = jsonUnmarshalUsingNumber(msg, &obj) + if err != nil { + return msg, err + } + return json.MarshalIndent(obj, "", " ") +} + +// jsonUnmarshalUsingNumber is a drop-in replacement for json.Unmarshal that +// does not default to unmarshaling numeric values to float64 in order to +// prevent low bit truncation of values greater than 1<<53. +// See https://golang.org/cl/6202068 for details. +func jsonUnmarshalUsingNumber(data []byte, v interface{}) error { + dec := json.NewDecoder(bytes.NewReader(data)) + dec.UseNumber() + err := dec.Decode(v) + if err != nil { + if err == io.EOF { //nolint:errorlint // Bad linter! // io.EOF is never wrapped. + return errors.New("unexpected end of JSON input") + } + return err + } + // Make sure there is no more data after the message + // to approximate json.Unmarshal's behaviour. + if dec.More() { + return fmt.Errorf("more data after top-level value") + } + return nil +} + +// ErrorMessage returns any Elasticsearch error.message in the provided +// JSON data. 
+func ErrorMessage(msg json.RawMessage) error {
+ var event struct {
+ Error struct {
+ Message interface{}
+ }
+ }
+ err := json.Unmarshal(msg, &event)
+ if err != nil {
+ return fmt.Errorf("can't unmarshal event to check pipeline error: %#q: %w", msg, err)
+ }
+
+ switch m := event.Error.Message.(type) {
+ case nil:
+ return nil
+ case string, []string:
+ return fmt.Errorf("unexpected pipeline error: %s", m)
+ default:
+ return fmt.Errorf("unexpected pipeline error (unexpected error.message type %T): %[1]v", m)
+ }
+}
diff --git a/x-pack/winlogbeat/module/wintest/simulate_test.go b/x-pack/winlogbeat/module/wintest/simulate_test.go
new file mode 100644
index 000000000000..eb660fa39b95
--- /dev/null
+++ b/x-pack/winlogbeat/module/wintest/simulate_test.go
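Review bot: The `case string, []string:` branch in ErrorMessage can never match the slice type: json.Unmarshal into an interface{} field decodes a JSON array as `[]interface{}`, never `[]string`, so an array-valued error.message falls through to the default branch and is reported as an unexpected type instead of as the pipeline error it is. `case string, []interface{}:` covers the array case (the `%s` verb formats both). KeepRunning is an exported package-level variable registered on flag.CommandLine at import time of a non-test package, so every binary that imports wintest gains a `-keep-running` flag, and it also lacks the doc comment exported names need, e.g. `// KeepRunning, when set, asks callers to leave the simulate docker services running after tests.`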
@@ -0,0 +1,156 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +// Windows is excluded not because the tests won't pass on Windows in general, +// but because they won't pass on Windows in a VM — where we are using this — due +// to the VM inception problem. +// +//go:build !windows +// +build !windows + +package wintest_test + +import ( + "encoding/json" + "fmt" + "os" + "path/filepath" + "regexp" + "strings" + "testing" + "time" + + devtools "github.com/elastic/beats/v7/dev-tools/mage" + "github.com/elastic/beats/v7/libbeat/beat" + "github.com/elastic/beats/v7/libbeat/esleg/eslegclient" + "github.com/elastic/beats/v7/libbeat/version" + "github.com/elastic/beats/v7/winlogbeat/module" + "github.com/elastic/beats/v7/x-pack/winlogbeat/module/wintest" + "github.com/elastic/elastic-agent-libs/transport/httpcommon" +) + +// ecsVersion is the expected ECS version for testing purposes. +// Change this when ECS version is bumped. +const ecsVersion = "1.12.0" + +func TestSimulate(t *testing.T) { + const ( + host = "http://localhost:9200" + user = "admin" + pass = "testing" + indexPrefix = "winlogbeat-test" + pipeline = "powershell" + pattern = "testdata/*.evtx.json" + ) + + done, _, err := wintest.Docker(".", "test", testing.Verbose()) + if err != nil { + t.Fatal(err) + } + if *wintest.KeepRunning { + fmt.Fprintln(os.Stdout, "docker-compose", "-p", devtools.DockerComposeProjectName(), "rm", "--stop", "--force") + } + t.Cleanup(func() { + stop := !*wintest.KeepRunning + err = done(stop) + if err != nil { + t.Errorf("unexpected error during cleanup: %v", err) + } + }) + + // Currently we are using mixed API because beats is using the old ES API package, + // while SimulatePipeline is using the official v8 client package. 
+ conn, err := eslegclient.NewConnection(eslegclient.ConnectionSettings{ + URL: host, + Username: user, + Password: pass, + CompressionLevel: 3, + Transport: httpcommon.HTTPTransportSettings{Timeout: time.Minute}, + }) + if err != nil { + t.Fatalf("unexpected error making connection: %v", err) + } + defer conn.Close() + + err = conn.Connect() + if err != nil { + t.Fatalf("unexpected error making connection: %v", err) + } + + info := beat.Info{ + IndexPrefix: indexPrefix, + Version: version.GetDefaultVersion(), + } + loaded, err := module.UploadPipelines(info, conn, true) + if err != nil { + t.Errorf("unexpected error uploading pipelines: %v", err) + } + wantPipelines := []string{ + "powershell", + "powershell_operational", + "routing", + "security", + "sysmon", + } + if len(loaded) != len(wantPipelines) { + t.Fatalf("unexpected number of loaded pipelines: got:%d want:%d", len(loaded), len(wantPipelines)) + } + want := regexp.MustCompile(`^` + indexPrefix + `-.*-(` + strings.Join(wantPipelines, "|") + `)$`) + pipelines := make(map[string]string) + for _, p := range loaded { + m := want.FindAllStringSubmatch(p, -1) + pipelines[m[0][1]] = p + } + _, ok := pipelines[pipeline] + if !ok { + t.Fatalf("failed to upload %q", pipeline) + } + + paths, err := filepath.Glob(pattern) + if err != nil { + t.Fatalf("failed to expand glob pattern %q", pattern) + } + cases, err := wintest.SimulatePipeline(host, user, pass, pipelines[pipeline], paths) + if err != nil { + t.Fatalf("unexpected error running simulate: %v", err) + } + for _, k := range cases { + name := filepath.Base(k.Path) + t.Run(name, func(t *testing.T) { + if k.Err != nil { + t.Errorf("unexpected error: %v", k.Err) + return + } + for i := range k.Collected { + t.Logf("%s %d:\ncollected:\n%s\n\nprocessed:\n%s\n\n", name, i, k.Collected[i], k.Processed[i]) + + // Check that the ECS version is in place in the processed event. 
+ // This is not present in the original evtx.json files and so is + // a robust indicator that the event has passed through the + // processor pipeline. + var event struct { + ECS struct { + Version string + } + } + err := json.Unmarshal(k.Processed[i], &event) + if err != nil { + t.Errorf("unexpected error unmarshaling ECS version: %v", err) + continue + } + if event.ECS.Version != ecsVersion { + t.Errorf("unexpected ECS version: want:%q got:%q", ecsVersion, event.ECS.Version) + } + + // Check for errors. There are none in this set of events and we cannot + // guarantee that later changes in the pipelines will not remove errors; + // that being the point of this game. + err = wintest.ErrorMessage(k.Processed[i]) + if err != nil { + t.Errorf("unexpected ingest error for event %d: %v", i, err) + } + } + }) + } +} diff --git a/x-pack/winlogbeat/module/wintest/testdata/400.evtx.json b/x-pack/winlogbeat/module/wintest/testdata/400.evtx.json new file mode 100644 index 000000000000..cbc039317126 --- /dev/null +++ b/x-pack/winlogbeat/module/wintest/testdata/400.evtx.json 
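Review bot: `m := want.FindAllStringSubmatch(p, -1)` followed by `pipelines[m[0][1]] = p` panics with an index out of range if any loaded pipeline ID does not match the expected pattern; the preceding length check only guards the count, not the names, so a renamed pipeline surfaces as a panic rather than a test failure. `m := want.FindStringSubmatch(p)`, `if m == nil { t.Fatalf("unexpected pipeline ID: %q", p) }`, `pipelines[m[1]] = p` builds the same map with a clear failure. In the per-case subtest the ECS version mismatch is reported with t.Errorf for every event, so a bump of ecsVersion produces one error line per event in every case; reporting the first mismatch with t.Fatalf keeps the output readable.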
@@ -0,0 +1,138 @@ +[ + { + "@timestamp": "2020-05-14T07:00:30.8914235Z", + "event": { + "action": "Engine Lifecycle", + "code": "400", + "kind": "event", + "provider": "PowerShell" + }, + "host": { + "name": "vagrant" + }, + "log": { + "level": "information" + }, + "message": "Engine state is changed from None to Available. \n\nDetails: \n\tNewEngineState=Available\n\tPreviousEngineState=None\n\n\tSequenceNumber=13\n\n\tHostName=ServerRemoteHost\n\tHostVersion=1.0.0.0\n\tHostId=2458050c-5e21-47a6-bbdf-41ef2151b519\n\tHostApplication=C:\\Windows\\system32\\wsmprovhost.exe -Embedding\n\tEngineVersion=5.1.17763.1007\n\tRunspaceId=405e84eb-9ca3-40d8-a4da-cf6ed1b38ed2\n\tPipelineId=\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=", + "winlog": { + "api": "wineventlog", + "channel": "Windows PowerShell", + "computer_name": "vagrant", + "event_data": { + "param1": "Available", + "param2": "None", + "param3": "\tNewEngineState=Available\n\tPreviousEngineState=None\n\n\tSequenceNumber=13\n\n\tHostName=ServerRemoteHost\n\tHostVersion=1.0.0.0\n\tHostId=2458050c-5e21-47a6-bbdf-41ef2151b519\n\tHostApplication=C:\\Windows\\system32\\wsmprovhost.exe -Embedding\n\tEngineVersion=5.1.17763.1007\n\tRunspaceId=405e84eb-9ca3-40d8-a4da-cf6ed1b38ed2\n\tPipelineId=\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=" + }, + "event_id": "400", + "keywords": [ + "Classic" + ], + "opcode": "Info", + "provider_name": "PowerShell", + "record_id": 1492, + "task": "Engine Lifecycle" + } + }, + { + "@timestamp": "2020-05-14T07:01:14.3715076Z", + "event": { + "action": "Engine Lifecycle", + "code": "400", + "kind": "event", + "provider": "PowerShell" + }, + "host": { + "name": "vagrant" + }, + "log": { + "level": "information" + }, + "message": "Engine state is changed from None to Available. 
\n\nDetails: \n\tNewEngineState=Available\n\tPreviousEngineState=None\n\n\tSequenceNumber=13\n\n\tHostName=ConsoleHost\n\tHostVersion=5.1.17763.1007\n\tHostId=83c6a631-910d-4530-bec2-18b2d0fc380a\n\tHostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -noexit -command 'C:\\Gopath\\src\\github.com\\elastic\\beats'\n\tEngineVersion=5.1.17763.1007\n\tRunspaceId=056a5045-a7bb-49c6-9a9d-2ea95acea751\n\tPipelineId=\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=", + "winlog": { + "api": "wineventlog", + "channel": "Windows PowerShell", + "computer_name": "vagrant", + "event_data": { + "param1": "Available", + "param2": "None", + "param3": "\tNewEngineState=Available\n\tPreviousEngineState=None\n\n\tSequenceNumber=13\n\n\tHostName=ConsoleHost\n\tHostVersion=5.1.17763.1007\n\tHostId=83c6a631-910d-4530-bec2-18b2d0fc380a\n\tHostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -noexit -command 'C:\\Gopath\\src\\github.com\\elastic\\beats'\n\tEngineVersion=5.1.17763.1007\n\tRunspaceId=056a5045-a7bb-49c6-9a9d-2ea95acea751\n\tPipelineId=\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=" + }, + "event_id": "400", + "keywords": [ + "Classic" + ], + "opcode": "Info", + "provider_name": "PowerShell", + "record_id": 1511, + "task": "Engine Lifecycle" + } + }, + { + "@timestamp": "2020-05-14T11:32:51.9892568Z", + "event": { + "action": "Engine Lifecycle", + "code": "400", + "kind": "event", + "provider": "PowerShell" + }, + "host": { + "name": "vagrant" + }, + "log": { + "level": "information" + }, + "message": "Engine state is changed from None to Available. 
\n\nDetails: \n\tNewEngineState=Available\n\tPreviousEngineState=None\n\n\tSequenceNumber=13\n\n\tHostName=Windows PowerShell ISE Host\n\tHostVersion=5.1.17763.1007\n\tHostId=f3d0acd6-4ec1-4e0a-9c8e-27ee07eec3ab\n\tHostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell_ise.exe C:\\Users\\vagrant\\Desktop\\patata.ps1\n\tEngineVersion=5.1.17763.1007\n\tRunspaceId=24067d05-e98a-4fbb-9cda-020e4c65017d\n\tPipelineId=\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=", + "winlog": { + "api": "wineventlog", + "channel": "Windows PowerShell", + "computer_name": "vagrant", + "event_data": { + "param1": "Available", + "param2": "None", + "param3": "\tNewEngineState=Available\n\tPreviousEngineState=None\n\n\tSequenceNumber=13\n\n\tHostName=Windows PowerShell ISE Host\n\tHostVersion=5.1.17763.1007\n\tHostId=f3d0acd6-4ec1-4e0a-9c8e-27ee07eec3ab\n\tHostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell_ise.exe C:\\Users\\vagrant\\Desktop\\patata.ps1\n\tEngineVersion=5.1.17763.1007\n\tRunspaceId=24067d05-e98a-4fbb-9cda-020e4c65017d\n\tPipelineId=\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=" + }, + "event_id": "400", + "keywords": [ + "Classic" + ], + "opcode": "Info", + "provider_name": "PowerShell", + "record_id": 1579, + "task": "Engine Lifecycle" + } + }, + { + "@timestamp": "2020-06-04T07:20:27.7472275Z", + "event": { + "action": "Engine Lifecycle", + "code": "400", + "kind": "event", + "provider": "PowerShell" + }, + "host": { + "name": "vagrant" + }, + "log": { + "level": "information" + }, + "message": "Engine state is changed from None to Available. 
\n\nDetails: \n\tNewEngineState=Available\n\tPreviousEngineState=None\n\n\tSequenceNumber=9\n\n\tHostName=ConsoleHost\n\tHostVersion=2.0\n\tHostId=7018c049-c75b-4e02-9c0f-6761b97e1657\n\tEngineVersion=2.0\n\tRunspaceId=6ebeca05-d618-4c66-a0d8-4269d800d099\n\tPipelineId=\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=", + "winlog": { + "api": "wineventlog", + "channel": "Windows PowerShell", + "computer_name": "vagrant", + "event_data": { + "param1": "Available", + "param2": "None", + "param3": "\tNewEngineState=Available\n\tPreviousEngineState=None\n\n\tSequenceNumber=9\n\n\tHostName=ConsoleHost\n\tHostVersion=2.0\n\tHostId=7018c049-c75b-4e02-9c0f-6761b97e1657\n\tEngineVersion=2.0\n\tRunspaceId=6ebeca05-d618-4c66-a0d8-4269d800d099\n\tPipelineId=\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=" + }, + "event_id": "400", + "keywords": [ + "Classic" + ], + "opcode": "Info", + "provider_name": "PowerShell", + "record_id": 18591, + "task": "Engine Lifecycle" + } + } +] \ No newline at end of file diff --git a/x-pack/winlogbeat/module/wintest/testdata/403.evtx.json b/x-pack/winlogbeat/module/wintest/testdata/403.evtx.json new file mode 100644 index 000000000000..f2841989e1e5 --- /dev/null +++ b/x-pack/winlogbeat/module/wintest/testdata/403.evtx.json 
@@ -0,0 +1,138 @@ +[ + { + "@timestamp": "2020-05-14T15:31:22.4269238Z", + "event": { + "action": "Engine Lifecycle", + "code": "403", + "kind": "event", + "provider": "PowerShell" + }, + "host": { + "name": "vagrant" + }, + "log": { + "level": "information" + }, + "message": "Engine state is changed from Available to Stopped. \n\nDetails: \n\tNewEngineState=Stopped\n\tPreviousEngineState=Available\n\n\tSequenceNumber=33\n\n\tHostName=Windows PowerShell ISE Host\n\tHostVersion=5.1.17763.1007\n\tHostId=1929aa68-472a-404a-8ead-96bd7b49f2db\n\tHostApplication=C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\PowerShell_ISE.exe\n\tEngineVersion=5.1.17763.1007\n\tRunspaceId=6f14a54e-5992-42dd-b38c-68830a28b1b6\n\tPipelineId=\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=", + "winlog": { + "api": "wineventlog", + "channel": "Windows PowerShell", + "computer_name": "vagrant", + "event_data": { + "param1": "Stopped", + "param2": "Available", + "param3": "\tNewEngineState=Stopped\n\tPreviousEngineState=Available\n\n\tSequenceNumber=33\n\n\tHostName=Windows PowerShell ISE Host\n\tHostVersion=5.1.17763.1007\n\tHostId=1929aa68-472a-404a-8ead-96bd7b49f2db\n\tHostApplication=C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\PowerShell_ISE.exe\n\tEngineVersion=5.1.17763.1007\n\tRunspaceId=6f14a54e-5992-42dd-b38c-68830a28b1b6\n\tPipelineId=\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=" + }, + "event_id": "403", + "keywords": [ + "Classic" + ], + "opcode": "Info", + "provider_name": "PowerShell", + "record_id": 1687, + "task": "Engine Lifecycle" + } + }, + { + "@timestamp": "2020-05-15T08:11:47.932007Z", + "event": { + "action": "Engine Lifecycle", + "code": "403", + "kind": "event", + "provider": "PowerShell" + }, + "host": { + "name": "vagrant" + }, + "log": { + "level": "information" + }, + "message": "Engine state is changed from Available to Stopped. 
\n\nDetails: \n\tNewEngineState=Stopped\n\tPreviousEngineState=Available\n\n\tSequenceNumber=37\n\n\tHostName=ServerRemoteHost\n\tHostVersion=1.0.0.0\n\tHostId=ed57761b-ba0f-4d11-87d9-fac33820d20e\n\tHostApplication=C:\\Windows\\system32\\wsmprovhost.exe -Embedding\n\tEngineVersion=5.1.17763.1007\n\tRunspaceId=0729459a-8646-4176-8b02-024421a9632e\n\tPipelineId=\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=", + "winlog": { + "api": "wineventlog", + "channel": "Windows PowerShell", + "computer_name": "vagrant", + "event_data": { + "param1": "Stopped", + "param2": "Available", + "param3": "\tNewEngineState=Stopped\n\tPreviousEngineState=Available\n\n\tSequenceNumber=37\n\n\tHostName=ServerRemoteHost\n\tHostVersion=1.0.0.0\n\tHostId=ed57761b-ba0f-4d11-87d9-fac33820d20e\n\tHostApplication=C:\\Windows\\system32\\wsmprovhost.exe -Embedding\n\tEngineVersion=5.1.17763.1007\n\tRunspaceId=0729459a-8646-4176-8b02-024421a9632e\n\tPipelineId=\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=" + }, + "event_id": "403", + "keywords": [ + "Classic" + ], + "opcode": "Info", + "provider_name": "PowerShell", + "record_id": 1706, + "task": "Engine Lifecycle" + } + }, + { + "@timestamp": "2020-05-15T08:28:53.6266982Z", + "event": { + "action": "Engine Lifecycle", + "code": "403", + "kind": "event", + "provider": "PowerShell" + }, + "host": { + "name": "vagrant" + }, + "log": { + "level": "information" + }, + "message": "Engine state is changed from Available to Stopped. 
\n\nDetails: \n\tNewEngineState=Stopped\n\tPreviousEngineState=Available\n\n\tSequenceNumber=37\n\n\tHostName=ConsoleHost\n\tHostVersion=5.1.17763.1007\n\tHostId=f9cd0d65-6665-4b88-9142-f03a2d20f8b8\n\tHostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -executionpolicy bypass -encodedCommand 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 -inputFormat xml -outputFormat text\n\tEngineVersion=5.1.17763.1007\n\tRunspaceId=8228a4bd-3125-4d1a-997b-3a4df8c085f2\n\tPipelineId=\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=", + "winlog": { + "api": "wineventlog", + "channel": "Windows PowerShell", + "computer_name": "vagrant", + "event_data": { + "param1": "Stopped", + "param2": "Available", + "param3": "\tNewEngineState=Stopped\n\tPreviousEngineState=Available\n\n\tSequenceNumber=37\n\n\tHostName=ConsoleHost\n\tHostVersion=5.1.17763.1007\n\tHostId=f9cd0d65-6665-4b88-9142-f03a2d20f8b8\n\tHostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -executionpolicy bypass -encodedCommand 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 -inputFormat xml -outputFormat text\n\tEngineVersion=5.1.17763.1007\n\tRunspaceId=8228a4bd-3125-4d1a-997b-3a4df8c085f2\n\tPipelineId=\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=" + }, + "event_id": "403", + "keywords": [ + "Classic" + ], + "opcode": "Info", + "provider_name": "PowerShell", + "record_id": 1766, + "task": "Engine Lifecycle" + } + }, + { + "@timestamp": "2020-06-04T07:20:28.6861939Z", + "event": { + "action": "Engine Lifecycle", + "code": "403", + "kind": "event", + "provider": "PowerShell" + }, + "host": { + "name": "vagrant" + }, + "log": { + "level": "information" + }, + "message": "Engine state is changed from Available to Stopped. 
\n\nDetails: \n\tNewEngineState=Stopped\n\tPreviousEngineState=Available\n\n\tSequenceNumber=10\n\n\tHostName=ConsoleHost\n\tHostVersion=2.0\n\tHostId=7018c049-c75b-4e02-9c0f-6761b97e1657\n\tEngineVersion=2.0\n\tRunspaceId=6ebeca05-d618-4c66-a0d8-4269d800d099\n\tPipelineId=\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=", + "winlog": { + "api": "wineventlog", + "channel": "Windows PowerShell", + "computer_name": "vagrant", + "event_data": { + "param1": "Stopped", + "param2": "Available", + "param3": "\tNewEngineState=Stopped\n\tPreviousEngineState=Available\n\n\tSequenceNumber=10\n\n\tHostName=ConsoleHost\n\tHostVersion=2.0\n\tHostId=7018c049-c75b-4e02-9c0f-6761b97e1657\n\tEngineVersion=2.0\n\tRunspaceId=6ebeca05-d618-4c66-a0d8-4269d800d099\n\tPipelineId=\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=" + }, + "event_id": "403", + "keywords": [ + "Classic" + ], + "opcode": "Info", + "provider_name": "PowerShell", + "record_id": 18592, + "task": "Engine Lifecycle" + } + } +] \ No newline at end of file diff --git a/x-pack/winlogbeat/module/wintest/testdata/600.evtx.json b/x-pack/winlogbeat/module/wintest/testdata/600.evtx.json new file mode 100644 index 000000000000..e11d977fa870 --- /dev/null +++ b/x-pack/winlogbeat/module/wintest/testdata/600.evtx.json 
@@ -0,0 +1,104 @@ +[ + { + "@timestamp": "2020-05-13T13:21:43.1831809Z", + "event": { + "action": "Provider Lifecycle", + "code": "600", + "kind": "event", + "provider": "PowerShell" + }, + "host": { + "name": "vagrant" + }, + "log": { + "level": "information" + }, + "message": "Provider \"Certificate\" is Started. \n\nDetails: \n\tProviderName=Certificate\n\tNewProviderState=Started\n\n\tSequenceNumber=35\n\n\tHostName=Windows PowerShell ISE Host\n\tHostVersion=5.1.17763.1007\n\tHostId=86edc16f-6943-469e-8bd8-ef1857080206\n\tHostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell_ise.exe C:\\Users\\vagrant\\Desktop\\lateral.ps1\n\tEngineVersion=5.1.17763.1007\n\tRunspaceId=9d21da0b-e402-40e1-92ff-98c5ab1137a9\n\tPipelineId=15\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=", + "winlog": { + "api": "wineventlog", + "channel": "Windows PowerShell", + "computer_name": "vagrant", + "event_data": { + "param1": "Certificate", + "param2": "Started", + "param3": "\tProviderName=Certificate\n\tNewProviderState=Started\n\n\tSequenceNumber=35\n\n\tHostName=Windows PowerShell ISE Host\n\tHostVersion=5.1.17763.1007\n\tHostId=86edc16f-6943-469e-8bd8-ef1857080206\n\tHostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell_ise.exe C:\\Users\\vagrant\\Desktop\\lateral.ps1\n\tEngineVersion=5.1.17763.1007\n\tRunspaceId=9d21da0b-e402-40e1-92ff-98c5ab1137a9\n\tPipelineId=15\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=" + }, + "event_id": "600", + "keywords": [ + "Classic" + ], + "opcode": "Info", + "provider_name": "PowerShell", + "record_id": 1089, + "task": "Provider Lifecycle" + } + }, + { + "@timestamp": "2020-05-13T13:25:04.6564269Z", + "event": { + "action": "Provider Lifecycle", + "code": "600", + "kind": "event", + "provider": "PowerShell" + }, + "host": { + "name": "vagrant" + }, + "log": { + "level": "information" + }, + "message": "Provider \"Registry\" is Started. 
\n\nDetails: \n\tProviderName=Registry\n\tNewProviderState=Started\n\n\tSequenceNumber=1\n\n\tHostName=ConsoleHost\n\tHostVersion=5.1.17763.1007\n\tHostId=44b8d66c-f5a2-4abb-ac7d-6db73990a6d3\n\tHostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -noexit -command 'C:\\Gopath\\src\\github.com\\elastic\\beats'\n\tEngineVersion=\n\tRunspaceId=\n\tPipelineId=\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=", + "winlog": { + "api": "wineventlog", + "channel": "Windows PowerShell", + "computer_name": "vagrant", + "event_data": { + "param1": "Registry", + "param2": "Started", + "param3": "\tProviderName=Registry\n\tNewProviderState=Started\n\n\tSequenceNumber=1\n\n\tHostName=ConsoleHost\n\tHostVersion=5.1.17763.1007\n\tHostId=44b8d66c-f5a2-4abb-ac7d-6db73990a6d3\n\tHostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -noexit -command 'C:\\Gopath\\src\\github.com\\elastic\\beats'\n\tEngineVersion=\n\tRunspaceId=\n\tPipelineId=\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=" + }, + "event_id": "600", + "keywords": [ + "Classic" + ], + "opcode": "Info", + "provider_name": "PowerShell", + "record_id": 1266, + "task": "Provider Lifecycle" + } + }, + { + "@timestamp": "2020-06-04T07:25:04.8574302Z", + "event": { + "action": "Provider Lifecycle", + "code": "600", + "kind": "event", + "provider": "PowerShell" + }, + "host": { + "name": "vagrant" + }, + "log": { + "level": "information" + }, + "message": "Provider \"Certificate\" is Started. 
\n\nDetails: \n\tProviderName=Certificate\n\tNewProviderState=Started\n\n\tSequenceNumber=8\n\n\tHostName=ConsoleHost\n\tHostVersion=2.0\n\tHostId=99a16837-7392-463d-afe5-5f3ed24bd358\n\tEngineVersion=\n\tRunspaceId=\n\tPipelineId=\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=", + "winlog": { + "api": "wineventlog", + "channel": "Windows PowerShell", + "computer_name": "vagrant", + "event_data": { + "param1": "Certificate", + "param2": "Started", + "param3": "\tProviderName=Certificate\n\tNewProviderState=Started\n\n\tSequenceNumber=8\n\n\tHostName=ConsoleHost\n\tHostVersion=2.0\n\tHostId=99a16837-7392-463d-afe5-5f3ed24bd358\n\tEngineVersion=\n\tRunspaceId=\n\tPipelineId=\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=" + }, + "event_id": "600", + "keywords": [ + "Classic" + ], + "opcode": "Info", + "provider_name": "PowerShell", + "record_id": 18640, + "task": "Provider Lifecycle" + } + } +] \ No newline at end of file diff --git a/x-pack/winlogbeat/module/wintest/testdata/README b/x-pack/winlogbeat/module/wintest/testdata/README new file mode 100644 index 000000000000..2629f43d2657 --- /dev/null +++ b/x-pack/winlogbeat/module/wintest/testdata/README @@ -0,0 +1,3 @@ +The test files here are from the powershell module tests and were chosen +because they do not fail the tests without modification, so they can be +used to test the testing infrastructure.