diff --git a/NOTICE.txt b/NOTICE.txt index 93998dfa106f..c65ef90350b7 100644 --- a/NOTICE.txt +++ b/NOTICE.txt @@ -1563,7 +1563,7 @@ Everyone is permitted to copy and distribute copies of this Agreement, but in or This Agreement is governed by the laws of the State of New York and the intellectual property laws of the United States of America. No party to this Agreement will bring a legal action under this Agreement more than one year after the cause of action arose. Each party waives its rights to a jury trial in any resulting litigation. -------------------------------------------------------------------- Dependency: github.com/elastic/ecs -Version: v1.4.0 +Version: v1.5.0 License type (autodetected): Apache-2.0 ./vendor/github.com/elastic/ecs/LICENSE.txt: -------------------------------------------------------------------- diff --git a/auditbeat/docs/fields.asciidoc b/auditbeat/docs/fields.asciidoc index 310e96c60313..8d5c1058beae 100644 --- a/auditbeat/docs/fields.asciidoc +++ b/auditbeat/docs/fields.asciidoc @@ -2949,7 +2949,7 @@ Example: `docker` and `k8s` labels. type: object -example: { "application": "foo-bar", "env": "production" } +example: {"application": "foo-bar", "env": "production"} -- @@ -3404,7 +3404,7 @@ type: keyword *`client.user.id`*:: + -- -One or multiple unique identifiers of the user. +Unique identifiers of the user. type: keyword @@ -3510,6 +3510,70 @@ example: us-east-1 -- +[float] +=== code_signature + +These fields contain information about binary code signatures. + + +*`code_signature.exists`*:: ++ +-- +Boolean to capture if a signature is present. + +type: boolean + +example: true + +-- + +*`code_signature.status`*:: ++ +-- +Additional information about the certificate status. +This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. + +type: keyword + +example: ERROR_UNTRUSTED_ROOT + +-- + +*`code_signature.subject_name`*:: ++ +-- +Subject name of the code signer + +type: keyword + +example: Microsoft Corporation + +-- + +*`code_signature.trusted`*:: ++ +-- +Stores the trust status of the certificate chain. +Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. + +type: boolean + +example: true + +-- + +*`code_signature.valid`*:: ++ +-- +Boolean to capture if the digital signature is verified against the binary content. +Leave unpopulated if a certificate was unchecked. + +type: boolean + +example: true + +-- + [float] === container @@ -3538,7 +3602,7 @@ type: keyword *`container.image.tag`*:: + -- -Container image tag. +Container image tags. type: keyword @@ -3897,7 +3961,7 @@ type: keyword *`destination.user.id`*:: + -- -One or multiple unique identifiers of the user. +Unique identifiers of the user. type: keyword @@ -3921,6 +3985,189 @@ type: text -- +[float] +=== dll + +These fields contain information about code libraries dynamically loaded into processes. + +Many operating systems refer to "shared code libraries" with different names, but this field set refers to all of the following: +* Dynamic-link library (`.dll`) commonly used on Windows +* Shared Object (`.so`) commonly used on Unix-like operating systems +* Dynamic library (`.dylib`) commonly used on macOS + + +*`dll.code_signature.exists`*:: ++ +-- +Boolean to capture if a signature is present. + +type: boolean + +example: true + +-- + +*`dll.code_signature.status`*:: ++ +-- +Additional information about the certificate status. +This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. + +type: keyword + +example: ERROR_UNTRUSTED_ROOT + +-- + +*`dll.code_signature.subject_name`*:: ++ +-- +Subject name of the code signer + +type: keyword + +example: Microsoft Corporation + +-- + +*`dll.code_signature.trusted`*:: ++ +-- +Stores the trust status of the certificate chain. +Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. + +type: boolean + +example: true + +-- + +*`dll.code_signature.valid`*:: ++ +-- +Boolean to capture if the digital signature is verified against the binary content. +Leave unpopulated if a certificate was unchecked. + +type: boolean + +example: true + +-- + +*`dll.hash.md5`*:: ++ +-- +MD5 hash. + +type: keyword + +-- + +*`dll.hash.sha1`*:: ++ +-- +SHA1 hash. + +type: keyword + +-- + +*`dll.hash.sha256`*:: ++ +-- +SHA256 hash. + +type: keyword + +-- + +*`dll.hash.sha512`*:: ++ +-- +SHA512 hash. + +type: keyword + +-- + +*`dll.name`*:: ++ +-- +Name of the library. +This generally maps to the name of the file on disk. + +type: keyword + +example: kernel32.dll + +-- + +*`dll.path`*:: ++ +-- +Full file path of the library. + +type: keyword + +example: C:\Windows\System32\kernel32.dll + +-- + +*`dll.pe.company`*:: ++ +-- +Internal company name of the file, provided at compile-time. + +type: keyword + +example: Microsoft Corporation + +-- + +*`dll.pe.description`*:: ++ +-- +Internal description of the file, provided at compile-time. + +type: keyword + +example: Paint + +-- + +*`dll.pe.file_version`*:: ++ +-- +Internal version of the file, provided at compile-time. + +type: keyword + +example: 6.3.9600.17415 + +-- + +*`dll.pe.original_file_name`*:: ++ +-- +Internal name of the file, provided at compile-time. + +type: keyword + +example: MSPAINT.EXE + +-- + +*`dll.pe.product`*:: ++ +-- +Internal product name of the file, provided at compile-time. + +type: keyword + +example: Microsoft® Windows® Operating System + +-- + [float] === dns @@ -4222,7 +4469,7 @@ example: java.lang.NullPointerException === event The event fields are used for context information about the log or metric event itself. -A log is defined as an event containing details of something that happened. Log events must include the time at which the thing happened. Examples of log events include a process starting on a host, a network packet being sent from a source to a destination, or a network connection between a client and a server being initiated or closed. A metric is defined as an event containing one or more numerical or categorical measurements and the time at which the measurement was taken. Examples of metric events include memory pressure measured on a host, or vulnerabilities measured on a scanned host. +A log is defined as an event containing details of something that happened. Log events must include the time at which the thing happened. Examples of log events include a process starting on a host, a network packet being sent from a source to a destination, or a network connection between a client and a server being initiated or closed. A metric is defined as an event containing one or more numerical measurements and the time at which the measurement was taken. Examples of metric events include memory pressure measured on a host and device temperature. See the `event.kind` definition in this section for additional details about metric and state events. *`event.action`*:: @@ -4272,7 +4519,7 @@ In case the two timestamps are identical, @timestamp should be used. type: date -example: 2016-05-23 08:05:34.857000 +example: 2016-05-23T08:05:34.857Z -- @@ -4341,7 +4588,7 @@ In normal conditions, assuming no tampering, the timestamps should chronological type: date -example: 2016-05-23 08:05:35.101000 +example: 2016-05-23T08:05:35.101Z -- @@ -4386,7 +4633,10 @@ example: Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0&# + -- This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. -`event.outcome` simply denotes whether the event represent a success or a failure. Note that not all events will have an associated outcome. For example, this field is generally not populated for metric events or events with `event.type:info`. +`event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. +Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. +Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. +Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. type: keyword @@ -4406,6 +4656,18 @@ example: kernel -- +*`event.reference`*:: ++ +-- +Reference URL linking to additional information about this event. +This URL links to a static definition of the this event. Alert events, indicated by `event.kind:alert`, are a common use case for this field. + +type: keyword + +example: https://system.vendor.com/event/#0001234 + +-- + *`event.risk_score`*:: + -- @@ -4429,7 +4691,7 @@ type: float + -- Sequence number of the event. -The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regarless of the timestamp precision. +The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regardless of the timestamp precision. type: long @@ -4482,6 +4744,18 @@ type: keyword -- +*`event.url`*:: ++ +-- +URL linking to an external system to continue investigation of this event. +This URL links to another system where in-depth investigation of the specific occurence of this event can take place. Alert events, indicated by `event.kind:alert`, are a common use case for this field. + +type: keyword + +example: https://mysystem.mydomain.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe + +-- + [float] === file @@ -4511,6 +4785,64 @@ example: ["readonly", "system"] -- +*`file.code_signature.exists`*:: ++ +-- +Boolean to capture if a signature is present. + +type: boolean + +example: true + +-- + +*`file.code_signature.status`*:: ++ +-- +Additional information about the certificate status. +This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. + +type: keyword + +example: ERROR_UNTRUSTED_ROOT + +-- + +*`file.code_signature.subject_name`*:: ++ +-- +Subject name of the code signer + +type: keyword + +example: Microsoft Corporation + +-- + +*`file.code_signature.trusted`*:: ++ +-- +Stores the trust status of the certificate chain. +Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. + +type: boolean + +example: true + +-- + +*`file.code_signature.valid`*:: ++ +-- +Boolean to capture if the digital signature is verified against the binary content. +Leave unpopulated if a certificate was unchecked. + +type: boolean + +example: true + +-- + *`file.created`*:: + -- @@ -4645,6 +4977,15 @@ example: 256383 -- +*`file.mime_type`*:: ++ +-- +MIME type should identify the format of the file or stream of bytes using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official types], where possible. When more than one type is applicable, the most specific type should be used. + +type: keyword + +-- + *`file.mode`*:: + -- @@ -4705,6 +5046,61 @@ type: text -- +*`file.pe.company`*:: ++ +-- +Internal company name of the file, provided at compile-time. + +type: keyword + +example: Microsoft Corporation + +-- + +*`file.pe.description`*:: ++ +-- +Internal description of the file, provided at compile-time. + +type: keyword + +example: Paint + +-- + +*`file.pe.file_version`*:: ++ +-- +Internal version of the file, provided at compile-time. + +type: keyword + +example: 6.3.9600.17415 + +-- + +*`file.pe.original_file_name`*:: ++ +-- +Internal name of the file, provided at compile-time. + +type: keyword + +example: MSPAINT.EXE + +-- + +*`file.pe.product`*:: ++ +-- +Internal product name of the file, provided at compile-time. + +type: keyword + +example: Microsoft® Windows® Operating System + +-- + *`file.size`*:: + -- @@ -5073,7 +5469,7 @@ type: keyword *`host.ip`*:: + -- -Host ip address. +Host ip addresses. type: ip @@ -5082,7 +5478,7 @@ type: ip *`host.mac`*:: + -- -Host mac address. +Host mac addresses. type: keyword @@ -5277,7 +5673,7 @@ type: keyword *`host.user.id`*:: + -- -One or multiple unique identifiers of the user. +Unique identifiers of the user. type: keyword @@ -5442,6 +5838,45 @@ example: 1.1 -- +[float] +=== interface + +The interface fields are used to record ingress and egress interface information when reported by an observer (e.g. firewall, router, load balancer) in the context of the observer handling a network connection. In the case of a single observer interface (e.g. network sensor on a span port) only the observer.ingress information should be populated. + + +*`interface.alias`*:: ++ +-- +Interface alias as reported by the system, typically used in firewall implementations for e.g. inside, outside, or dmz logical interface naming. + +type: keyword + +example: outside + +-- + +*`interface.id`*:: ++ +-- +Interface ID as reported by an observer (typically SNMP interface ID). + +type: keyword + +example: 10 + +-- + +*`interface.name`*:: ++ +-- +Interface name as reported by the system. + +type: keyword + +example: eth0 + +-- + [float] === log @@ -5679,6 +6114,37 @@ example: 6 -- +*`network.inner`*:: ++ +-- +Network.inner fields are added in addition to network.vlan fields to describe the innermost VLAN when q-in-q VLAN tagging is present. Allowed fields include vlan.id and vlan.name. Inner vlan fields are typically used when sending traffic with multiple 802.1q encapsulations to a network sensor (e.g. Zeek, Wireshark.) + +type: object + +-- + +*`network.inner.vlan.id`*:: ++ +-- +VLAN ID as reported by the observer. + +type: keyword + +example: 10 + +-- + +*`network.inner.vlan.name`*:: ++ +-- +Optional VLAN name as reported by the observer. + +type: keyword + +example: outside + +-- + *`network.name`*:: + -- @@ -5738,6 +6204,28 @@ example: ipv4 -- +*`network.vlan.id`*:: ++ +-- +VLAN ID as reported by the observer. + +type: keyword + +example: 10 + +-- + +*`network.vlan.name`*:: ++ +-- +Optional VLAN name as reported by the observer. + +type: keyword + +example: outside + +-- + [float] === observer @@ -5745,6 +6233,81 @@ An observer is defined as a special network, security, or application device use This could be a custom hardware appliance or a server that has been configured to run special network, security, or application software. Examples include firewalls, web proxies, intrusion detection/prevention systems, network monitoring sensors, web application firewalls, data loss prevention systems, and APM servers. The observer.* fields shall be populated with details of the system, if any, that detects, observes and/or creates a network, security, or application event or metric. Message queues and ETL components used in processing events or metrics are not considered observers in ECS. +*`observer.egress`*:: ++ +-- +Observer.egress holds information like interface number and name, vlan, and zone information to classify egress traffic. Single armed monitoring such as a network sensor on a span port should only use observer.ingress to categorize traffic. + +type: object + +-- + +*`observer.egress.interface.alias`*:: ++ +-- +Interface alias as reported by the system, typically used in firewall implementations for e.g. inside, outside, or dmz logical interface naming. + +type: keyword + +example: outside + +-- + +*`observer.egress.interface.id`*:: ++ +-- +Interface ID as reported by an observer (typically SNMP interface ID). + +type: keyword + +example: 10 + +-- + +*`observer.egress.interface.name`*:: ++ +-- +Interface name as reported by the system. + +type: keyword + +example: eth0 + +-- + +*`observer.egress.vlan.id`*:: ++ +-- +VLAN ID as reported by the observer. + +type: keyword + +example: 10 + +-- + +*`observer.egress.vlan.name`*:: ++ +-- +Optional VLAN name as reported by the observer. + +type: keyword + +example: outside + +-- + +*`observer.egress.zone`*:: ++ +-- +Network zone of outbound traffic as reported by the observer to categorize the destination area of egress traffic, e.g. Internal, External, DMZ, HR, Legal, etc. + +type: keyword + +example: Public_Internet + +-- + *`observer.geo.city_name`*:: + -- @@ -5844,10 +6407,85 @@ type: keyword -- +*`observer.ingress`*:: ++ +-- +Observer.ingress holds information like interface number and name, vlan, and zone information to classify ingress traffic. Single armed monitoring such as a network sensor on a span port should only use observer.ingress to categorize traffic. + +type: object + +-- + +*`observer.ingress.interface.alias`*:: ++ +-- +Interface alias as reported by the system, typically used in firewall implementations for e.g. inside, outside, or dmz logical interface naming. + +type: keyword + +example: outside + +-- + +*`observer.ingress.interface.id`*:: ++ +-- +Interface ID as reported by an observer (typically SNMP interface ID). + +type: keyword + +example: 10 + +-- + +*`observer.ingress.interface.name`*:: ++ +-- +Interface name as reported by the system. + +type: keyword + +example: eth0 + +-- + +*`observer.ingress.vlan.id`*:: ++ +-- +VLAN ID as reported by the observer. + +type: keyword + +example: 10 + +-- + +*`observer.ingress.vlan.name`*:: ++ +-- +Optional VLAN name as reported by the observer. + +type: keyword + +example: outside + +-- + +*`observer.ingress.zone`*:: ++ +-- +Network zone of incoming traffic as reported by the observer to categorize the source area of ingress traffic. e.g. internal, External, DMZ, HR, Legal, etc. + +type: keyword + +example: DMZ + +-- + *`observer.ip`*:: + -- -IP address of the observer. +IP addresses of the observer. type: ip @@ -5856,7 +6494,7 @@ type: ip *`observer.mac`*:: + -- -MAC address of the observer +MAC addresses of the observer type: keyword @@ -6277,6 +6915,67 @@ example: 1.12.9 -- +[float] +=== pe + +These fields contain Windows Portable Executable (PE) metadata. + + +*`pe.company`*:: ++ +-- +Internal company name of the file, provided at compile-time. + +type: keyword + +example: Microsoft Corporation + +-- + +*`pe.description`*:: ++ +-- +Internal description of the file, provided at compile-time. + +type: keyword + +example: Paint + +-- + +*`pe.file_version`*:: ++ +-- +Internal version of the file, provided at compile-time. + +type: keyword + +example: 6.3.9600.17415 + +-- + +*`pe.original_file_name`*:: ++ +-- +Internal name of the file, provided at compile-time. + +type: keyword + +example: MSPAINT.EXE + +-- + +*`pe.product`*:: ++ +-- +Internal product name of the file, provided at compile-time. + +type: keyword + +example: Microsoft® Windows® Operating System + +-- + [float] === process @@ -6308,6 +7007,64 @@ example: 4 -- +*`process.code_signature.exists`*:: ++ +-- +Boolean to capture if a signature is present. + +type: boolean + +example: true + +-- + +*`process.code_signature.status`*:: ++ +-- +Additional information about the certificate status. +This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. + +type: keyword + +example: ERROR_UNTRUSTED_ROOT + +-- + +*`process.code_signature.subject_name`*:: ++ +-- +Subject name of the code signer + +type: keyword + +example: Microsoft Corporation + +-- + +*`process.code_signature.trusted`*:: ++ +-- +Stores the trust status of the certificate chain. +Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. + +type: boolean + +example: true + +-- + +*`process.code_signature.valid`*:: ++ +-- +Boolean to capture if the digital signature is verified against the binary content. +Leave unpopulated if a certificate was unchecked. + +type: boolean + +example: true + +-- + *`process.command_line`*:: + -- @@ -6327,6 +7084,19 @@ type: text -- +*`process.entity_id`*:: ++ +-- +Unique identifier for the process. +The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. +Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. + +type: keyword + +example: c2c455d9f99375d + +-- + *`process.executable`*:: + -- @@ -6436,6 +7206,64 @@ example: 4 -- +*`process.parent.code_signature.exists`*:: ++ +-- +Boolean to capture if a signature is present. + +type: boolean + +example: true + +-- + +*`process.parent.code_signature.status`*:: ++ +-- +Additional information about the certificate status. +This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. + +type: keyword + +example: ERROR_UNTRUSTED_ROOT + +-- + +*`process.parent.code_signature.subject_name`*:: ++ +-- +Subject name of the code signer + +type: keyword + +example: Microsoft Corporation + +-- + +*`process.parent.code_signature.trusted`*:: ++ +-- +Stores the trust status of the certificate chain. +Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. + +type: boolean + +example: true + +-- + +*`process.parent.code_signature.valid`*:: ++ +-- +Boolean to capture if the digital signature is verified against the binary content. +Leave unpopulated if a certificate was unchecked. + +type: boolean + +example: true + +-- + *`process.parent.command_line`*:: + -- @@ -6455,6 +7283,19 @@ type: text -- +*`process.parent.entity_id`*:: ++ +-- +Unique identifier for the process. +The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. +Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. + +type: keyword + +example: c2c455d9f99375d + +-- + *`process.parent.executable`*:: + -- @@ -6485,6 +7326,42 @@ example: 137 -- +*`process.parent.hash.md5`*:: ++ +-- +MD5 hash. + +type: keyword + +-- + +*`process.parent.hash.sha1`*:: ++ +-- +SHA1 hash. + +type: keyword + +-- + +*`process.parent.hash.sha256`*:: ++ +-- +SHA256 hash. + +type: keyword + +-- + +*`process.parent.hash.sha512`*:: ++ +-- +SHA512 hash. + +type: keyword + +-- + *`process.parent.name`*:: + -- @@ -6622,6 +7499,61 @@ type: text -- +*`process.pe.company`*:: ++ +-- +Internal company name of the file, provided at compile-time. + +type: keyword + +example: Microsoft Corporation + +-- + +*`process.pe.description`*:: ++ +-- +Internal description of the file, provided at compile-time. + +type: keyword + +example: Paint + +-- + +*`process.pe.file_version`*:: ++ +-- +Internal version of the file, provided at compile-time. + +type: keyword + +example: 6.3.9600.17415 + +-- + +*`process.pe.original_file_name`*:: ++ +-- +Internal name of the file, provided at compile-time. + +type: keyword + +example: MSPAINT.EXE + +-- + +*`process.pe.product`*:: ++ +-- +Internal product name of the file, provided at compile-time. + +type: keyword + +example: Microsoft® Windows® Operating System + +-- + *`process.pgid`*:: + -- @@ -6830,8 +7762,17 @@ example: Debugger This field set is meant to facilitate pivoting around a piece of data. Some pieces of information can be seen in many places in an ECS event. To facilitate searching for them, store an array of all seen values to their corresponding field in `related.`. -A concrete example is IP addresses, which can be under host, observer, source, destination, client, server, and network.forwarded_ip. If you append all IPs to `related.ip`, you can then search for a given IP trivially, no matter where it appeared, by querying `related.ip:a.b.c.d`. +A concrete example is IP addresses, which can be under host, observer, source, destination, client, server, and network.forwarded_ip. If you append all IPs to `related.ip`, you can then search for a given IP trivially, no matter where it appeared, by querying `related.ip:192.0.2.15`. + + +*`related.hash`*:: ++ +-- +All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). + +type: keyword +-- *`related.ip`*:: + @@ -6858,6 +7799,17 @@ Rule fields are used to capture the specifics of any observer or agent rules tha Examples of data sources that would populate the rule fields include: network admission control platforms, network or host IDS/IPS, network firewalls, web application firewalls, url filters, endpoint detection and response (EDR) systems, etc. +*`rule.author`*:: ++ +-- +Name, organization, or pseudonym of the author or authors who created the rule used to generate this event. + +type: keyword + +example: ['Star-Lord'] + +-- + *`rule.category`*:: + -- @@ -6891,6 +7843,17 @@ example: 101 -- +*`rule.license`*:: ++ +-- +Name of the license under which the rule used to generate this event is made available. + +type: keyword + +example: Apache 2.0 + +-- + *`rule.name`*:: + -- @@ -7272,7 +8235,7 @@ type: keyword *`server.user.id`*:: + -- -One or multiple unique identifiers of the user. +Unique identifiers of the user. type: keyword @@ -7712,7 +8675,7 @@ type: keyword *`source.user.id`*:: + -- -One or multiple unique identifiers of the user. +Unique identifiers of the user. type: keyword @@ -8429,7 +9392,7 @@ type: keyword *`user.id`*:: + -- -One or multiple unique identifiers of the user. +Unique identifiers of the user. type: keyword @@ -8591,6 +9554,37 @@ example: 12.0 -- +[float] +=== vlan + +The VLAN fields are used to identify 802.1q tag(s) of a packet, as well as ingress and egress VLAN associations of an observer in relation to a specific packet or connection. +Network.vlan fields are used to record a single VLAN tag, or the outer tag in the case of q-in-q encapsulations, for a packet or connection as observed, typically provided by a network sensor (e.g. Zeek, Wireshark) passively reporting on traffic. +Network.inner VLAN fields are used to report inner q-in-q 802.1q tags (multiple 802.1q encapsulations) as observed, typically provided by a network sensor (e.g. Zeek, Wireshark) passively reporting on traffic. Network.inner VLAN fields should only be used in addition to network.vlan fields to indicate q-in-q tagging. +Observer.ingress and observer.egress VLAN values are used to record observer specific information when observer events contain discrete ingress and egress VLAN information, typically provided by firewalls, routers, or load balancers. + + +*`vlan.id`*:: ++ +-- +VLAN ID as reported by the observer. + +type: keyword + +example: 10 + +-- + +*`vlan.name`*:: ++ +-- +Optional VLAN name as reported by the observer. + +type: keyword + +example: outside + +-- + [float] === vulnerability diff --git a/auditbeat/include/fields.go b/auditbeat/include/fields.go index a88a625f94dd..8eed66feecb0 100644 --- a/auditbeat/include/fields.go +++ b/auditbeat/include/fields.go @@ -32,5 +32,5 @@ func init() { // AssetFieldsYml returns asset data. // This is the base64 encoded gzipped contents of fields.yml. func AssetFieldsYml() string { - return "" + return "" } diff --git a/filebeat/docs/fields.asciidoc b/filebeat/docs/fields.asciidoc index e37b70dc0dbf..a0e9bca8d1ea 100644 --- a/filebeat/docs/fields.asciidoc +++ b/filebeat/docs/fields.asciidoc @@ -5340,7 +5340,7 @@ Example: `docker` and `k8s` labels. type: object -example: { "application": "foo-bar", "env": "production" } +example: {"application": "foo-bar", "env": "production"} -- @@ -5795,7 +5795,7 @@ type: keyword *`client.user.id`*:: + -- -One or multiple unique identifiers of the user. +Unique identifiers of the user. type: keyword @@ -5901,6 +5901,70 @@ example: us-east-1 -- +[float] +=== code_signature + +These fields contain information about binary code signatures. + + +*`code_signature.exists`*:: ++ +-- +Boolean to capture if a signature is present. + +type: boolean + +example: true + +-- + +*`code_signature.status`*:: ++ +-- +Additional information about the certificate status. +This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. + +type: keyword + +example: ERROR_UNTRUSTED_ROOT + +-- + +*`code_signature.subject_name`*:: ++ +-- +Subject name of the code signer + +type: keyword + +example: Microsoft Corporation + +-- + +*`code_signature.trusted`*:: ++ +-- +Stores the trust status of the certificate chain. +Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. + +type: boolean + +example: true + +-- + +*`code_signature.valid`*:: ++ +-- +Boolean to capture if the digital signature is verified against the binary content. +Leave unpopulated if a certificate was unchecked. + +type: boolean + +example: true + +-- + [float] === container @@ -5929,7 +5993,7 @@ type: keyword *`container.image.tag`*:: + -- -Container image tag. +Container image tags. type: keyword @@ -6288,7 +6352,7 @@ type: keyword *`destination.user.id`*:: + -- -One or multiple unique identifiers of the user. +Unique identifiers of the user. type: keyword @@ -6312,6 +6376,189 @@ type: text -- +[float] +=== dll + +These fields contain information about code libraries dynamically loaded into processes. + +Many operating systems refer to "shared code libraries" with different names, but this field set refers to all of the following: +* Dynamic-link library (`.dll`) commonly used on Windows +* Shared Object (`.so`) commonly used on Unix-like operating systems +* Dynamic library (`.dylib`) commonly used on macOS + + +*`dll.code_signature.exists`*:: ++ +-- +Boolean to capture if a signature is present. + +type: boolean + +example: true + +-- + +*`dll.code_signature.status`*:: ++ +-- +Additional information about the certificate status. +This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. + +type: keyword + +example: ERROR_UNTRUSTED_ROOT + +-- + +*`dll.code_signature.subject_name`*:: ++ +-- +Subject name of the code signer + +type: keyword + +example: Microsoft Corporation + +-- + +*`dll.code_signature.trusted`*:: ++ +-- +Stores the trust status of the certificate chain. +Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. + +type: boolean + +example: true + +-- + +*`dll.code_signature.valid`*:: ++ +-- +Boolean to capture if the digital signature is verified against the binary content. +Leave unpopulated if a certificate was unchecked. + +type: boolean + +example: true + +-- + +*`dll.hash.md5`*:: ++ +-- +MD5 hash. + +type: keyword + +-- + +*`dll.hash.sha1`*:: ++ +-- +SHA1 hash. + +type: keyword + +-- + +*`dll.hash.sha256`*:: ++ +-- +SHA256 hash. + +type: keyword + +-- + +*`dll.hash.sha512`*:: ++ +-- +SHA512 hash. + +type: keyword + +-- + +*`dll.name`*:: ++ +-- +Name of the library. +This generally maps to the name of the file on disk. + +type: keyword + +example: kernel32.dll + +-- + +*`dll.path`*:: ++ +-- +Full file path of the library. + +type: keyword + +example: C:\Windows\System32\kernel32.dll + +-- + +*`dll.pe.company`*:: ++ +-- +Internal company name of the file, provided at compile-time. + +type: keyword + +example: Microsoft Corporation + +-- + +*`dll.pe.description`*:: ++ +-- +Internal description of the file, provided at compile-time. + +type: keyword + +example: Paint + +-- + +*`dll.pe.file_version`*:: ++ +-- +Internal version of the file, provided at compile-time. + +type: keyword + +example: 6.3.9600.17415 + +-- + +*`dll.pe.original_file_name`*:: ++ +-- +Internal name of the file, provided at compile-time. + +type: keyword + +example: MSPAINT.EXE + +-- + +*`dll.pe.product`*:: ++ +-- +Internal product name of the file, provided at compile-time. + +type: keyword + +example: Microsoft® Windows® Operating System + +-- + [float] === dns @@ -6613,7 +6860,7 @@ example: java.lang.NullPointerException === event The event fields are used for context information about the log or metric event itself. -A log is defined as an event containing details of something that happened. Log events must include the time at which the thing happened. Examples of log events include a process starting on a host, a network packet being sent from a source to a destination, or a network connection between a client and a server being initiated or closed. A metric is defined as an event containing one or more numerical or categorical measurements and the time at which the measurement was taken. Examples of metric events include memory pressure measured on a host, or vulnerabilities measured on a scanned host. +A log is defined as an event containing details of something that happened. Log events must include the time at which the thing happened. Examples of log events include a process starting on a host, a network packet being sent from a source to a destination, or a network connection between a client and a server being initiated or closed. A metric is defined as an event containing one or more numerical measurements and the time at which the measurement was taken. Examples of metric events include memory pressure measured on a host and device temperature. See the `event.kind` definition in this section for additional details about metric and state events. *`event.action`*:: @@ -6663,7 +6910,7 @@ In case the two timestamps are identical, @timestamp should be used. type: date -example: 2016-05-23 08:05:34.857000 +example: 2016-05-23T08:05:34.857Z -- @@ -6732,7 +6979,7 @@ In normal conditions, assuming no tampering, the timestamps should chronological type: date -example: 2016-05-23 08:05:35.101000 +example: 2016-05-23T08:05:35.101Z -- @@ -6777,7 +7024,10 @@ example: Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0&# + -- This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. -`event.outcome` simply denotes whether the event represent a success or a failure. Note that not all events will have an associated outcome. For example, this field is generally not populated for metric events or events with `event.type:info`. +`event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. +Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. +Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. +Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. type: keyword @@ -6797,6 +7047,18 @@ example: kernel -- +*`event.reference`*:: ++ +-- +Reference URL linking to additional information about this event. +This URL links to a static definition of the this event. Alert events, indicated by `event.kind:alert`, are a common use case for this field. + +type: keyword + +example: https://system.vendor.com/event/#0001234 + +-- + *`event.risk_score`*:: + -- @@ -6820,7 +7082,7 @@ type: float + -- Sequence number of the event. -The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regarless of the timestamp precision. +The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regardless of the timestamp precision. type: long @@ -6873,6 +7135,18 @@ type: keyword -- +*`event.url`*:: ++ +-- +URL linking to an external system to continue investigation of this event. +This URL links to another system where in-depth investigation of the specific occurence of this event can take place. Alert events, indicated by `event.kind:alert`, are a common use case for this field. + +type: keyword + +example: https://mysystem.mydomain.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe + +-- + [float] === file @@ -6902,6 +7176,64 @@ example: ["readonly", "system"] -- +*`file.code_signature.exists`*:: ++ +-- +Boolean to capture if a signature is present. + +type: boolean + +example: true + +-- + +*`file.code_signature.status`*:: ++ +-- +Additional information about the certificate status. +This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. + +type: keyword + +example: ERROR_UNTRUSTED_ROOT + +-- + +*`file.code_signature.subject_name`*:: ++ +-- +Subject name of the code signer + +type: keyword + +example: Microsoft Corporation + +-- + +*`file.code_signature.trusted`*:: ++ +-- +Stores the trust status of the certificate chain. +Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. + +type: boolean + +example: true + +-- + +*`file.code_signature.valid`*:: ++ +-- +Boolean to capture if the digital signature is verified against the binary content. +Leave unpopulated if a certificate was unchecked. + +type: boolean + +example: true + +-- + *`file.created`*:: + -- @@ -7036,6 +7368,15 @@ example: 256383 -- +*`file.mime_type`*:: ++ +-- +MIME type should identify the format of the file or stream of bytes using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official types], where possible. When more than one type is applicable, the most specific type should be used. + +type: keyword + +-- + *`file.mode`*:: + -- @@ -7096,31 +7437,86 @@ type: text -- -*`file.size`*:: +*`file.pe.company`*:: + -- -File size in bytes. -Only relevant when `file.type` is "file". +Internal company name of the file, provided at compile-time. -type: long +type: keyword -example: 16384 +example: Microsoft Corporation -- -*`file.target_path`*:: +*`file.pe.description`*:: + -- -Target path for symlinks. +Internal description of the file, provided at compile-time. type: keyword +example: Paint + -- -*`file.target_path.text`*:: +*`file.pe.file_version`*:: + -- -type: text +Internal version of the file, provided at compile-time. + +type: keyword + +example: 6.3.9600.17415 + +-- + +*`file.pe.original_file_name`*:: ++ +-- +Internal name of the file, provided at compile-time. + +type: keyword + +example: MSPAINT.EXE + +-- + +*`file.pe.product`*:: ++ +-- +Internal product name of the file, provided at compile-time. + +type: keyword + +example: Microsoft® Windows® Operating System + +-- + +*`file.size`*:: ++ +-- +File size in bytes. +Only relevant when `file.type` is "file". + +type: long + +example: 16384 + +-- + +*`file.target_path`*:: ++ +-- +Target path for symlinks. + +type: keyword + +-- + +*`file.target_path.text`*:: ++ +-- +type: text -- @@ -7464,7 +7860,7 @@ type: keyword *`host.ip`*:: + -- -Host ip address. +Host ip addresses. type: ip @@ -7473,7 +7869,7 @@ type: ip *`host.mac`*:: + -- -Host mac address. +Host mac addresses. type: keyword @@ -7668,7 +8064,7 @@ type: keyword *`host.user.id`*:: + -- -One or multiple unique identifiers of the user. +Unique identifiers of the user. type: keyword @@ -7833,6 +8229,45 @@ example: 1.1 -- +[float] +=== interface + +The interface fields are used to record ingress and egress interface information when reported by an observer (e.g. firewall, router, load balancer) in the context of the observer handling a network connection. In the case of a single observer interface (e.g. network sensor on a span port) only the observer.ingress information should be populated. + + +*`interface.alias`*:: ++ +-- +Interface alias as reported by the system, typically used in firewall implementations for e.g. inside, outside, or dmz logical interface naming. + +type: keyword + +example: outside + +-- + +*`interface.id`*:: ++ +-- +Interface ID as reported by an observer (typically SNMP interface ID). + +type: keyword + +example: 10 + +-- + +*`interface.name`*:: ++ +-- +Interface name as reported by the system. + +type: keyword + +example: eth0 + +-- + [float] === log @@ -8070,6 +8505,37 @@ example: 6 -- +*`network.inner`*:: ++ +-- +Network.inner fields are added in addition to network.vlan fields to describe the innermost VLAN when q-in-q VLAN tagging is present. Allowed fields include vlan.id and vlan.name. Inner vlan fields are typically used when sending traffic with multiple 802.1q encapsulations to a network sensor (e.g. Zeek, Wireshark.) + +type: object + +-- + +*`network.inner.vlan.id`*:: ++ +-- +VLAN ID as reported by the observer. + +type: keyword + +example: 10 + +-- + +*`network.inner.vlan.name`*:: ++ +-- +Optional VLAN name as reported by the observer. + +type: keyword + +example: outside + +-- + *`network.name`*:: + -- @@ -8129,6 +8595,28 @@ example: ipv4 -- +*`network.vlan.id`*:: ++ +-- +VLAN ID as reported by the observer. + +type: keyword + +example: 10 + +-- + +*`network.vlan.name`*:: ++ +-- +Optional VLAN name as reported by the observer. + +type: keyword + +example: outside + +-- + [float] === observer @@ -8136,6 +8624,81 @@ An observer is defined as a special network, security, or application device use This could be a custom hardware appliance or a server that has been configured to run special network, security, or application software. Examples include firewalls, web proxies, intrusion detection/prevention systems, network monitoring sensors, web application firewalls, data loss prevention systems, and APM servers. The observer.* fields shall be populated with details of the system, if any, that detects, observes and/or creates a network, security, or application event or metric. Message queues and ETL components used in processing events or metrics are not considered observers in ECS. +*`observer.egress`*:: ++ +-- +Observer.egress holds information like interface number and name, vlan, and zone information to classify egress traffic. Single armed monitoring such as a network sensor on a span port should only use observer.ingress to categorize traffic. + +type: object + +-- + +*`observer.egress.interface.alias`*:: ++ +-- +Interface alias as reported by the system, typically used in firewall implementations for e.g. inside, outside, or dmz logical interface naming. + +type: keyword + +example: outside + +-- + +*`observer.egress.interface.id`*:: ++ +-- +Interface ID as reported by an observer (typically SNMP interface ID). + +type: keyword + +example: 10 + +-- + +*`observer.egress.interface.name`*:: ++ +-- +Interface name as reported by the system. + +type: keyword + +example: eth0 + +-- + +*`observer.egress.vlan.id`*:: ++ +-- +VLAN ID as reported by the observer. + +type: keyword + +example: 10 + +-- + +*`observer.egress.vlan.name`*:: ++ +-- +Optional VLAN name as reported by the observer. + +type: keyword + +example: outside + +-- + +*`observer.egress.zone`*:: ++ +-- +Network zone of outbound traffic as reported by the observer to categorize the destination area of egress traffic, e.g. Internal, External, DMZ, HR, Legal, etc. + +type: keyword + +example: Public_Internet + +-- + *`observer.geo.city_name`*:: + -- @@ -8235,10 +8798,85 @@ type: keyword -- +*`observer.ingress`*:: ++ +-- +Observer.ingress holds information like interface number and name, vlan, and zone information to classify ingress traffic. Single armed monitoring such as a network sensor on a span port should only use observer.ingress to categorize traffic. + +type: object + +-- + +*`observer.ingress.interface.alias`*:: ++ +-- +Interface alias as reported by the system, typically used in firewall implementations for e.g. inside, outside, or dmz logical interface naming. + +type: keyword + +example: outside + +-- + +*`observer.ingress.interface.id`*:: ++ +-- +Interface ID as reported by an observer (typically SNMP interface ID). + +type: keyword + +example: 10 + +-- + +*`observer.ingress.interface.name`*:: ++ +-- +Interface name as reported by the system. + +type: keyword + +example: eth0 + +-- + +*`observer.ingress.vlan.id`*:: ++ +-- +VLAN ID as reported by the observer. + +type: keyword + +example: 10 + +-- + +*`observer.ingress.vlan.name`*:: ++ +-- +Optional VLAN name as reported by the observer. + +type: keyword + +example: outside + +-- + +*`observer.ingress.zone`*:: ++ +-- +Network zone of incoming traffic as reported by the observer to categorize the source area of ingress traffic. e.g. internal, External, DMZ, HR, Legal, etc. + +type: keyword + +example: DMZ + +-- + *`observer.ip`*:: + -- -IP address of the observer. +IP addresses of the observer. type: ip @@ -8247,7 +8885,7 @@ type: ip *`observer.mac`*:: + -- -MAC address of the observer +MAC addresses of the observer type: keyword @@ -8556,146 +9194,265 @@ example: 68b329da9893e34099c7d8ad5cb9c940 -- -*`package.description`*:: +*`package.description`*:: ++ +-- +Description of the package. + +type: keyword + +example: Open source programming language to build simple/reliable/efficient software. + +-- + +*`package.install_scope`*:: ++ +-- +Indicating how the package was installed, e.g. user-local, global. + +type: keyword + +example: global + +-- + +*`package.installed`*:: ++ +-- +Time when package was installed. + +type: date + +-- + +*`package.license`*:: ++ +-- +License under which the package was released. +Use a short name, e.g. the license identifier from SPDX License List where possible (https://spdx.org/licenses/). + +type: keyword + +example: Apache License 2.0 + +-- + +*`package.name`*:: ++ +-- +Package name + +type: keyword + +example: go + +-- + +*`package.path`*:: ++ +-- +Path where the package is installed. + +type: keyword + +example: /usr/local/Cellar/go/1.12.9/ + +-- + +*`package.reference`*:: ++ +-- +Home page or reference URL of the software in this package, if available. + +type: keyword + +example: https://golang.org + +-- + +*`package.size`*:: ++ +-- +Package size in bytes. + +type: long + +example: 62231 + +format: string + +-- + +*`package.type`*:: ++ +-- +Type of package. +This should contain the package file type, rather than the package manager name. Examples: rpm, dpkg, brew, npm, gem, nupkg, jar. + +type: keyword + +example: rpm + +-- + +*`package.version`*:: + -- -Description of the package. +Package version type: keyword -example: Open source programming language to build simple/reliable/efficient software. +example: 1.12.9 -- -*`package.install_scope`*:: +[float] +=== pe + +These fields contain Windows Portable Executable (PE) metadata. + + +*`pe.company`*:: + -- -Indicating how the package was installed, e.g. user-local, global. +Internal company name of the file, provided at compile-time. type: keyword -example: global +example: Microsoft Corporation -- -*`package.installed`*:: +*`pe.description`*:: + -- -Time when package was installed. +Internal description of the file, provided at compile-time. -type: date +type: keyword + +example: Paint -- -*`package.license`*:: +*`pe.file_version`*:: + -- -License under which the package was released. -Use a short name, e.g. the license identifier from SPDX License List where possible (https://spdx.org/licenses/). +Internal version of the file, provided at compile-time. type: keyword -example: Apache License 2.0 +example: 6.3.9600.17415 -- -*`package.name`*:: +*`pe.original_file_name`*:: + -- -Package name +Internal name of the file, provided at compile-time. type: keyword -example: go +example: MSPAINT.EXE -- -*`package.path`*:: +*`pe.product`*:: + -- -Path where the package is installed. +Internal product name of the file, provided at compile-time. type: keyword -example: /usr/local/Cellar/go/1.12.9/ +example: Microsoft® Windows® Operating System -- -*`package.reference`*:: +[float] +=== process + +These fields contain information about a process. +These fields can help you correlate metrics information with a process id/name from a log message. The `process.pid` often stays in the metric itself and is copied to the global field for correlation. + + +*`process.args`*:: + -- -Home page or reference URL of the software in this package, if available. +Array of process arguments, starting with the absolute path to the executable. +May be filtered to protect sensitive information. type: keyword -example: https://golang.org +example: ['/usr/bin/ssh', '-l', 'user', '10.0.0.16'] -- -*`package.size`*:: +*`process.args_count`*:: + -- -Package size in bytes. +Length of the process.args array. +This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. type: long -example: 62231 - -format: string +example: 4 -- -*`package.type`*:: +*`process.code_signature.exists`*:: + -- -Type of package. -This should contain the package file type, rather than the package manager name. Examples: rpm, dpkg, brew, npm, gem, nupkg, jar. +Boolean to capture if a signature is present. -type: keyword +type: boolean -example: rpm +example: true -- -*`package.version`*:: +*`process.code_signature.status`*:: + -- -Package version +Additional information about the certificate status. +This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. type: keyword -example: 1.12.9 +example: ERROR_UNTRUSTED_ROOT -- -[float] -=== process +*`process.code_signature.subject_name`*:: ++ +-- +Subject name of the code signer -These fields contain information about a process. -These fields can help you correlate metrics information with a process id/name from a log message. The `process.pid` often stays in the metric itself and is copied to the global field for correlation. +type: keyword +example: Microsoft Corporation -*`process.args`*:: +-- + +*`process.code_signature.trusted`*:: + -- -Array of process arguments, starting with the absolute path to the executable. -May be filtered to protect sensitive information. +Stores the trust status of the certificate chain. +Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. -type: keyword +type: boolean -example: ['/usr/bin/ssh', '-l', 'user', '10.0.0.16'] +example: true -- -*`process.args_count`*:: +*`process.code_signature.valid`*:: + -- -Length of the process.args array. -This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. +Boolean to capture if the digital signature is verified against the binary content. +Leave unpopulated if a certificate was unchecked. -type: long +type: boolean -example: 4 +example: true -- @@ -8718,6 +9475,19 @@ type: text -- +*`process.entity_id`*:: ++ +-- +Unique identifier for the process. +The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. +Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. + +type: keyword + +example: c2c455d9f99375d + +-- + *`process.executable`*:: + -- @@ -8827,6 +9597,64 @@ example: 4 -- +*`process.parent.code_signature.exists`*:: ++ +-- +Boolean to capture if a signature is present. + +type: boolean + +example: true + +-- + +*`process.parent.code_signature.status`*:: ++ +-- +Additional information about the certificate status. +This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. + +type: keyword + +example: ERROR_UNTRUSTED_ROOT + +-- + +*`process.parent.code_signature.subject_name`*:: ++ +-- +Subject name of the code signer + +type: keyword + +example: Microsoft Corporation + +-- + +*`process.parent.code_signature.trusted`*:: ++ +-- +Stores the trust status of the certificate chain. +Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. + +type: boolean + +example: true + +-- + +*`process.parent.code_signature.valid`*:: ++ +-- +Boolean to capture if the digital signature is verified against the binary content. +Leave unpopulated if a certificate was unchecked. + +type: boolean + +example: true + +-- + *`process.parent.command_line`*:: + -- @@ -8846,6 +9674,19 @@ type: text -- +*`process.parent.entity_id`*:: ++ +-- +Unique identifier for the process. +The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. +Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. + +type: keyword + +example: c2c455d9f99375d + +-- + *`process.parent.executable`*:: + -- @@ -8876,6 +9717,42 @@ example: 137 -- +*`process.parent.hash.md5`*:: ++ +-- +MD5 hash. + +type: keyword + +-- + +*`process.parent.hash.sha1`*:: ++ +-- +SHA1 hash. + +type: keyword + +-- + +*`process.parent.hash.sha256`*:: ++ +-- +SHA256 hash. + +type: keyword + +-- + +*`process.parent.hash.sha512`*:: ++ +-- +SHA512 hash. + +type: keyword + +-- + *`process.parent.name`*:: + -- @@ -9013,6 +9890,61 @@ type: text -- +*`process.pe.company`*:: ++ +-- +Internal company name of the file, provided at compile-time. + +type: keyword + +example: Microsoft Corporation + +-- + +*`process.pe.description`*:: ++ +-- +Internal description of the file, provided at compile-time. + +type: keyword + +example: Paint + +-- + +*`process.pe.file_version`*:: ++ +-- +Internal version of the file, provided at compile-time. + +type: keyword + +example: 6.3.9600.17415 + +-- + +*`process.pe.original_file_name`*:: ++ +-- +Internal name of the file, provided at compile-time. + +type: keyword + +example: MSPAINT.EXE + +-- + +*`process.pe.product`*:: ++ +-- +Internal product name of the file, provided at compile-time. + +type: keyword + +example: Microsoft® Windows® Operating System + +-- + *`process.pgid`*:: + -- @@ -9221,8 +10153,17 @@ example: Debugger This field set is meant to facilitate pivoting around a piece of data. Some pieces of information can be seen in many places in an ECS event. To facilitate searching for them, store an array of all seen values to their corresponding field in `related.`. -A concrete example is IP addresses, which can be under host, observer, source, destination, client, server, and network.forwarded_ip. If you append all IPs to `related.ip`, you can then search for a given IP trivially, no matter where it appeared, by querying `related.ip:a.b.c.d`. +A concrete example is IP addresses, which can be under host, observer, source, destination, client, server, and network.forwarded_ip. If you append all IPs to `related.ip`, you can then search for a given IP trivially, no matter where it appeared, by querying `related.ip:192.0.2.15`. + + +*`related.hash`*:: ++ +-- +All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). + +type: keyword +-- *`related.ip`*:: + @@ -9249,6 +10190,17 @@ Rule fields are used to capture the specifics of any observer or agent rules tha Examples of data sources that would populate the rule fields include: network admission control platforms, network or host IDS/IPS, network firewalls, web application firewalls, url filters, endpoint detection and response (EDR) systems, etc. +*`rule.author`*:: ++ +-- +Name, organization, or pseudonym of the author or authors who created the rule used to generate this event. + +type: keyword + +example: ['Star-Lord'] + +-- + *`rule.category`*:: + -- @@ -9282,6 +10234,17 @@ example: 101 -- +*`rule.license`*:: ++ +-- +Name of the license under which the rule used to generate this event is made available. + +type: keyword + +example: Apache 2.0 + +-- + *`rule.name`*:: + -- @@ -9663,7 +10626,7 @@ type: keyword *`server.user.id`*:: + -- -One or multiple unique identifiers of the user. +Unique identifiers of the user. type: keyword @@ -10103,7 +11066,7 @@ type: keyword *`source.user.id`*:: + -- -One or multiple unique identifiers of the user. +Unique identifiers of the user. type: keyword @@ -10820,7 +11783,7 @@ type: keyword *`user.id`*:: + -- -One or multiple unique identifiers of the user. +Unique identifiers of the user. type: keyword @@ -10982,6 +11945,37 @@ example: 12.0 -- +[float] +=== vlan + +The VLAN fields are used to identify 802.1q tag(s) of a packet, as well as ingress and egress VLAN associations of an observer in relation to a specific packet or connection. +Network.vlan fields are used to record a single VLAN tag, or the outer tag in the case of q-in-q encapsulations, for a packet or connection as observed, typically provided by a network sensor (e.g. Zeek, Wireshark) passively reporting on traffic. +Network.inner VLAN fields are used to report inner q-in-q 802.1q tags (multiple 802.1q encapsulations) as observed, typically provided by a network sensor (e.g. Zeek, Wireshark) passively reporting on traffic. Network.inner VLAN fields should only be used in addition to network.vlan fields to indicate q-in-q tagging. +Observer.ingress and observer.egress VLAN values are used to record observer specific information when observer events contain discrete ingress and egress VLAN information, typically provided by firewalls, routers, or load balancers. + + +*`vlan.id`*:: ++ +-- +VLAN ID as reported by the observer. + +type: keyword + +example: 10 + +-- + +*`vlan.name`*:: ++ +-- +Optional VLAN name as reported by the observer. + +type: keyword + +example: outside + +-- + [float] === vulnerability diff --git a/filebeat/include/fields.go b/filebeat/include/fields.go index c88ec996f42c..839cce5e1514 100644 --- a/filebeat/include/fields.go +++ b/filebeat/include/fields.go @@ -32,5 +32,5 @@ func init() { // AssetFieldsYml returns asset data. // This is the base64 encoded gzipped contents of fields.yml. func AssetFieldsYml() string { - return "" + return "" } diff --git a/go.mod b/go.mod index 4b8aafc664b7..3d3297bd0bfa 100644 --- a/go.mod +++ b/go.mod @@ -53,7 +53,7 @@ require ( github.com/dop251/goja_nodejs v0.0.0-20171011081505-adff31b136e6 github.com/dustin/go-humanize v0.0.0-20171111073723-bb3d318650d4 github.com/eclipse/paho.mqtt.golang v1.2.1-0.20200121105743-0d940dd29fd2 - github.com/elastic/ecs v1.4.0 + github.com/elastic/ecs v1.5.0 github.com/elastic/go-libaudit v0.4.0 github.com/elastic/go-licenser v0.2.1 github.com/elastic/go-lookslike v0.3.0 diff --git a/go.sum b/go.sum index 063ef12fa813..4c69950e4c79 100644 --- a/go.sum +++ b/go.sum @@ -212,8 +212,8 @@ github.com/eclipse/paho.mqtt.golang v1.2.1-0.20200121105743-0d940dd29fd2 h1:DW6W github.com/eclipse/paho.mqtt.golang v1.2.1-0.20200121105743-0d940dd29fd2/go.mod h1:H9keYFcgq3Qr5OUJm/JZI/i6U7joQ8SYLhZwfeOo6Ts= github.com/elastic/dhcp v0.0.0-20200227161230-57ec251c7eb3 h1:lnDkqiRFKm0rxdljqrj3lotWinO9+jFmeDXIC4gvIQs= github.com/elastic/dhcp v0.0.0-20200227161230-57ec251c7eb3/go.mod h1:aPqzac6AYkipvp4hufTyMj5PDIphF3+At8zr7r51xjY= -github.com/elastic/ecs v1.4.0 h1:BGIUwWJhThRO2IQxzm7ekV9TMUGwZoYyevT5/1xmMf0= -github.com/elastic/ecs v1.4.0/go.mod h1:pgiLbQsijLOJvFR8OTILLu0Ni/R/foUNg0L+T6mU9b4= +github.com/elastic/ecs v1.5.0 h1:/VEIBsRU4ecq2+U3RPfKNc6bFyomP6qnthYEcQZu8GU= +github.com/elastic/ecs v1.5.0/go.mod h1:pgiLbQsijLOJvFR8OTILLu0Ni/R/foUNg0L+T6mU9b4= github.com/elastic/fsevents v0.0.0-20181029231046-e1d381a4d270 h1:cWPqxlPtir4RoQVCpGSRXmLqjEHpJKbR60rxh1nQZY4= github.com/elastic/fsevents v0.0.0-20181029231046-e1d381a4d270/go.mod h1:Msl1pdboCbArMF/nSCDUXgQuWTeoMmE/z8607X+k7ng= github.com/elastic/go-libaudit v0.4.0 h1:pxLCycMJKW91W8ZmZT74DQmryTZuXryKESo6sXdu1XY= diff --git a/heartbeat/docs/fields.asciidoc b/heartbeat/docs/fields.asciidoc index fab3155994cc..b288eec1788c 100644 --- a/heartbeat/docs/fields.asciidoc +++ b/heartbeat/docs/fields.asciidoc @@ -382,7 +382,7 @@ Example: `docker` and `k8s` labels. type: object -example: { "application": "foo-bar", "env": "production" } +example: {"application": "foo-bar", "env": "production"} -- @@ -837,7 +837,7 @@ type: keyword *`client.user.id`*:: + -- -One or multiple unique identifiers of the user. +Unique identifiers of the user. type: keyword @@ -943,6 +943,70 @@ example: us-east-1 -- +[float] +=== code_signature + +These fields contain information about binary code signatures. + + +*`code_signature.exists`*:: ++ +-- +Boolean to capture if a signature is present. + +type: boolean + +example: true + +-- + +*`code_signature.status`*:: ++ +-- +Additional information about the certificate status. +This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. + +type: keyword + +example: ERROR_UNTRUSTED_ROOT + +-- + +*`code_signature.subject_name`*:: ++ +-- +Subject name of the code signer + +type: keyword + +example: Microsoft Corporation + +-- + +*`code_signature.trusted`*:: ++ +-- +Stores the trust status of the certificate chain. +Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. + +type: boolean + +example: true + +-- + +*`code_signature.valid`*:: ++ +-- +Boolean to capture if the digital signature is verified against the binary content. +Leave unpopulated if a certificate was unchecked. + +type: boolean + +example: true + +-- + [float] === container @@ -971,7 +1035,7 @@ type: keyword *`container.image.tag`*:: + -- -Container image tag. +Container image tags. type: keyword @@ -1330,7 +1394,7 @@ type: keyword *`destination.user.id`*:: + -- -One or multiple unique identifiers of the user. +Unique identifiers of the user. type: keyword @@ -1354,6 +1418,189 @@ type: text -- +[float] +=== dll + +These fields contain information about code libraries dynamically loaded into processes. + +Many operating systems refer to "shared code libraries" with different names, but this field set refers to all of the following: +* Dynamic-link library (`.dll`) commonly used on Windows +* Shared Object (`.so`) commonly used on Unix-like operating systems +* Dynamic library (`.dylib`) commonly used on macOS + + +*`dll.code_signature.exists`*:: ++ +-- +Boolean to capture if a signature is present. + +type: boolean + +example: true + +-- + +*`dll.code_signature.status`*:: ++ +-- +Additional information about the certificate status. +This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. + +type: keyword + +example: ERROR_UNTRUSTED_ROOT + +-- + +*`dll.code_signature.subject_name`*:: ++ +-- +Subject name of the code signer + +type: keyword + +example: Microsoft Corporation + +-- + +*`dll.code_signature.trusted`*:: ++ +-- +Stores the trust status of the certificate chain. +Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. + +type: boolean + +example: true + +-- + +*`dll.code_signature.valid`*:: ++ +-- +Boolean to capture if the digital signature is verified against the binary content. +Leave unpopulated if a certificate was unchecked. + +type: boolean + +example: true + +-- + +*`dll.hash.md5`*:: ++ +-- +MD5 hash. + +type: keyword + +-- + +*`dll.hash.sha1`*:: ++ +-- +SHA1 hash. + +type: keyword + +-- + +*`dll.hash.sha256`*:: ++ +-- +SHA256 hash. + +type: keyword + +-- + +*`dll.hash.sha512`*:: ++ +-- +SHA512 hash. + +type: keyword + +-- + +*`dll.name`*:: ++ +-- +Name of the library. +This generally maps to the name of the file on disk. + +type: keyword + +example: kernel32.dll + +-- + +*`dll.path`*:: ++ +-- +Full file path of the library. + +type: keyword + +example: C:\Windows\System32\kernel32.dll + +-- + +*`dll.pe.company`*:: ++ +-- +Internal company name of the file, provided at compile-time. + +type: keyword + +example: Microsoft Corporation + +-- + +*`dll.pe.description`*:: ++ +-- +Internal description of the file, provided at compile-time. + +type: keyword + +example: Paint + +-- + +*`dll.pe.file_version`*:: ++ +-- +Internal version of the file, provided at compile-time. + +type: keyword + +example: 6.3.9600.17415 + +-- + +*`dll.pe.original_file_name`*:: ++ +-- +Internal name of the file, provided at compile-time. + +type: keyword + +example: MSPAINT.EXE + +-- + +*`dll.pe.product`*:: ++ +-- +Internal product name of the file, provided at compile-time. + +type: keyword + +example: Microsoft® Windows® Operating System + +-- + [float] === dns @@ -1655,7 +1902,7 @@ example: java.lang.NullPointerException === event The event fields are used for context information about the log or metric event itself. -A log is defined as an event containing details of something that happened. Log events must include the time at which the thing happened. Examples of log events include a process starting on a host, a network packet being sent from a source to a destination, or a network connection between a client and a server being initiated or closed. A metric is defined as an event containing one or more numerical or categorical measurements and the time at which the measurement was taken. Examples of metric events include memory pressure measured on a host, or vulnerabilities measured on a scanned host. +A log is defined as an event containing details of something that happened. Log events must include the time at which the thing happened. Examples of log events include a process starting on a host, a network packet being sent from a source to a destination, or a network connection between a client and a server being initiated or closed. A metric is defined as an event containing one or more numerical measurements and the time at which the measurement was taken. Examples of metric events include memory pressure measured on a host and device temperature. See the `event.kind` definition in this section for additional details about metric and state events. *`event.action`*:: @@ -1705,7 +1952,7 @@ In case the two timestamps are identical, @timestamp should be used. type: date -example: 2016-05-23 08:05:34.857000 +example: 2016-05-23T08:05:34.857Z -- @@ -1774,7 +2021,7 @@ In normal conditions, assuming no tampering, the timestamps should chronological type: date -example: 2016-05-23 08:05:35.101000 +example: 2016-05-23T08:05:35.101Z -- @@ -1819,7 +2066,10 @@ example: Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0&# + -- This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. -`event.outcome` simply denotes whether the event represent a success or a failure. Note that not all events will have an associated outcome. For example, this field is generally not populated for metric events or events with `event.type:info`. +`event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. +Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. +Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. +Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. type: keyword @@ -1839,6 +2089,18 @@ example: kernel -- +*`event.reference`*:: ++ +-- +Reference URL linking to additional information about this event. +This URL links to a static definition of the this event. Alert events, indicated by `event.kind:alert`, are a common use case for this field. + +type: keyword + +example: https://system.vendor.com/event/#0001234 + +-- + *`event.risk_score`*:: + -- @@ -1862,7 +2124,7 @@ type: float + -- Sequence number of the event. -The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regarless of the timestamp precision. +The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regardless of the timestamp precision. type: long @@ -1915,6 +2177,18 @@ type: keyword -- +*`event.url`*:: ++ +-- +URL linking to an external system to continue investigation of this event. +This URL links to another system where in-depth investigation of the specific occurence of this event can take place. Alert events, indicated by `event.kind:alert`, are a common use case for this field. + +type: keyword + +example: https://mysystem.mydomain.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe + +-- + [float] === file @@ -1944,6 +2218,64 @@ example: ["readonly", "system"] -- +*`file.code_signature.exists`*:: ++ +-- +Boolean to capture if a signature is present. + +type: boolean + +example: true + +-- + +*`file.code_signature.status`*:: ++ +-- +Additional information about the certificate status. +This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. + +type: keyword + +example: ERROR_UNTRUSTED_ROOT + +-- + +*`file.code_signature.subject_name`*:: ++ +-- +Subject name of the code signer + +type: keyword + +example: Microsoft Corporation + +-- + +*`file.code_signature.trusted`*:: ++ +-- +Stores the trust status of the certificate chain. +Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. + +type: boolean + +example: true + +-- + +*`file.code_signature.valid`*:: ++ +-- +Boolean to capture if the digital signature is verified against the binary content. +Leave unpopulated if a certificate was unchecked. + +type: boolean + +example: true + +-- + *`file.created`*:: + -- @@ -2078,6 +2410,15 @@ example: 256383 -- +*`file.mime_type`*:: ++ +-- +MIME type should identify the format of the file or stream of bytes using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official types], where possible. When more than one type is applicable, the most specific type should be used. + +type: keyword + +-- + *`file.mode`*:: + -- @@ -2138,6 +2479,61 @@ type: text -- +*`file.pe.company`*:: ++ +-- +Internal company name of the file, provided at compile-time. + +type: keyword + +example: Microsoft Corporation + +-- + +*`file.pe.description`*:: ++ +-- +Internal description of the file, provided at compile-time. + +type: keyword + +example: Paint + +-- + +*`file.pe.file_version`*:: ++ +-- +Internal version of the file, provided at compile-time. + +type: keyword + +example: 6.3.9600.17415 + +-- + +*`file.pe.original_file_name`*:: ++ +-- +Internal name of the file, provided at compile-time. + +type: keyword + +example: MSPAINT.EXE + +-- + +*`file.pe.product`*:: ++ +-- +Internal product name of the file, provided at compile-time. + +type: keyword + +example: Microsoft® Windows® Operating System + +-- + *`file.size`*:: + -- @@ -2506,7 +2902,7 @@ type: keyword *`host.ip`*:: + -- -Host ip address. +Host ip addresses. type: ip @@ -2515,7 +2911,7 @@ type: ip *`host.mac`*:: + -- -Host mac address. +Host mac addresses. type: keyword @@ -2710,7 +3106,7 @@ type: keyword *`host.user.id`*:: + -- -One or multiple unique identifiers of the user. +Unique identifiers of the user. type: keyword @@ -2875,6 +3271,45 @@ example: 1.1 -- +[float] +=== interface + +The interface fields are used to record ingress and egress interface information when reported by an observer (e.g. firewall, router, load balancer) in the context of the observer handling a network connection. In the case of a single observer interface (e.g. network sensor on a span port) only the observer.ingress information should be populated. + + +*`interface.alias`*:: ++ +-- +Interface alias as reported by the system, typically used in firewall implementations for e.g. inside, outside, or dmz logical interface naming. + +type: keyword + +example: outside + +-- + +*`interface.id`*:: ++ +-- +Interface ID as reported by an observer (typically SNMP interface ID). + +type: keyword + +example: 10 + +-- + +*`interface.name`*:: ++ +-- +Interface name as reported by the system. + +type: keyword + +example: eth0 + +-- + [float] === log @@ -3112,6 +3547,37 @@ example: 6 -- +*`network.inner`*:: ++ +-- +Network.inner fields are added in addition to network.vlan fields to describe the innermost VLAN when q-in-q VLAN tagging is present. Allowed fields include vlan.id and vlan.name. Inner vlan fields are typically used when sending traffic with multiple 802.1q encapsulations to a network sensor (e.g. Zeek, Wireshark.) + +type: object + +-- + +*`network.inner.vlan.id`*:: ++ +-- +VLAN ID as reported by the observer. + +type: keyword + +example: 10 + +-- + +*`network.inner.vlan.name`*:: ++ +-- +Optional VLAN name as reported by the observer. + +type: keyword + +example: outside + +-- + *`network.name`*:: + -- @@ -3171,6 +3637,28 @@ example: ipv4 -- +*`network.vlan.id`*:: ++ +-- +VLAN ID as reported by the observer. + +type: keyword + +example: 10 + +-- + +*`network.vlan.name`*:: ++ +-- +Optional VLAN name as reported by the observer. + +type: keyword + +example: outside + +-- + [float] === observer @@ -3178,6 +3666,81 @@ An observer is defined as a special network, security, or application device use This could be a custom hardware appliance or a server that has been configured to run special network, security, or application software. Examples include firewalls, web proxies, intrusion detection/prevention systems, network monitoring sensors, web application firewalls, data loss prevention systems, and APM servers. The observer.* fields shall be populated with details of the system, if any, that detects, observes and/or creates a network, security, or application event or metric. Message queues and ETL components used in processing events or metrics are not considered observers in ECS. +*`observer.egress`*:: ++ +-- +Observer.egress holds information like interface number and name, vlan, and zone information to classify egress traffic. Single armed monitoring such as a network sensor on a span port should only use observer.ingress to categorize traffic. + +type: object + +-- + +*`observer.egress.interface.alias`*:: ++ +-- +Interface alias as reported by the system, typically used in firewall implementations for e.g. inside, outside, or dmz logical interface naming. + +type: keyword + +example: outside + +-- + +*`observer.egress.interface.id`*:: ++ +-- +Interface ID as reported by an observer (typically SNMP interface ID). + +type: keyword + +example: 10 + +-- + +*`observer.egress.interface.name`*:: ++ +-- +Interface name as reported by the system. + +type: keyword + +example: eth0 + +-- + +*`observer.egress.vlan.id`*:: ++ +-- +VLAN ID as reported by the observer. + +type: keyword + +example: 10 + +-- + +*`observer.egress.vlan.name`*:: ++ +-- +Optional VLAN name as reported by the observer. + +type: keyword + +example: outside + +-- + +*`observer.egress.zone`*:: ++ +-- +Network zone of outbound traffic as reported by the observer to categorize the destination area of egress traffic, e.g. Internal, External, DMZ, HR, Legal, etc. + +type: keyword + +example: Public_Internet + +-- + *`observer.geo.city_name`*:: + -- @@ -3277,10 +3840,85 @@ type: keyword -- +*`observer.ingress`*:: ++ +-- +Observer.ingress holds information like interface number and name, vlan, and zone information to classify ingress traffic. Single armed monitoring such as a network sensor on a span port should only use observer.ingress to categorize traffic. + +type: object + +-- + +*`observer.ingress.interface.alias`*:: ++ +-- +Interface alias as reported by the system, typically used in firewall implementations for e.g. inside, outside, or dmz logical interface naming. + +type: keyword + +example: outside + +-- + +*`observer.ingress.interface.id`*:: ++ +-- +Interface ID as reported by an observer (typically SNMP interface ID). + +type: keyword + +example: 10 + +-- + +*`observer.ingress.interface.name`*:: ++ +-- +Interface name as reported by the system. + +type: keyword + +example: eth0 + +-- + +*`observer.ingress.vlan.id`*:: ++ +-- +VLAN ID as reported by the observer. + +type: keyword + +example: 10 + +-- + +*`observer.ingress.vlan.name`*:: ++ +-- +Optional VLAN name as reported by the observer. + +type: keyword + +example: outside + +-- + +*`observer.ingress.zone`*:: ++ +-- +Network zone of incoming traffic as reported by the observer to categorize the source area of ingress traffic. e.g. internal, External, DMZ, HR, Legal, etc. + +type: keyword + +example: DMZ + +-- + *`observer.ip`*:: + -- -IP address of the observer. +IP addresses of the observer. type: ip @@ -3289,7 +3927,7 @@ type: ip *`observer.mac`*:: + -- -MAC address of the observer +MAC addresses of the observer type: keyword @@ -3710,6 +4348,67 @@ example: 1.12.9 -- +[float] +=== pe + +These fields contain Windows Portable Executable (PE) metadata. + + +*`pe.company`*:: ++ +-- +Internal company name of the file, provided at compile-time. + +type: keyword + +example: Microsoft Corporation + +-- + +*`pe.description`*:: ++ +-- +Internal description of the file, provided at compile-time. + +type: keyword + +example: Paint + +-- + +*`pe.file_version`*:: ++ +-- +Internal version of the file, provided at compile-time. + +type: keyword + +example: 6.3.9600.17415 + +-- + +*`pe.original_file_name`*:: ++ +-- +Internal name of the file, provided at compile-time. + +type: keyword + +example: MSPAINT.EXE + +-- + +*`pe.product`*:: ++ +-- +Internal product name of the file, provided at compile-time. + +type: keyword + +example: Microsoft® Windows® Operating System + +-- + [float] === process @@ -3741,6 +4440,64 @@ example: 4 -- +*`process.code_signature.exists`*:: ++ +-- +Boolean to capture if a signature is present. + +type: boolean + +example: true + +-- + +*`process.code_signature.status`*:: ++ +-- +Additional information about the certificate status. +This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. + +type: keyword + +example: ERROR_UNTRUSTED_ROOT + +-- + +*`process.code_signature.subject_name`*:: ++ +-- +Subject name of the code signer + +type: keyword + +example: Microsoft Corporation + +-- + +*`process.code_signature.trusted`*:: ++ +-- +Stores the trust status of the certificate chain. +Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. + +type: boolean + +example: true + +-- + +*`process.code_signature.valid`*:: ++ +-- +Boolean to capture if the digital signature is verified against the binary content. +Leave unpopulated if a certificate was unchecked. + +type: boolean + +example: true + +-- + *`process.command_line`*:: + -- @@ -3760,6 +4517,19 @@ type: text -- +*`process.entity_id`*:: ++ +-- +Unique identifier for the process. +The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. +Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. + +type: keyword + +example: c2c455d9f99375d + +-- + *`process.executable`*:: + -- @@ -3869,6 +4639,64 @@ example: 4 -- +*`process.parent.code_signature.exists`*:: ++ +-- +Boolean to capture if a signature is present. + +type: boolean + +example: true + +-- + +*`process.parent.code_signature.status`*:: ++ +-- +Additional information about the certificate status. +This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. + +type: keyword + +example: ERROR_UNTRUSTED_ROOT + +-- + +*`process.parent.code_signature.subject_name`*:: ++ +-- +Subject name of the code signer + +type: keyword + +example: Microsoft Corporation + +-- + +*`process.parent.code_signature.trusted`*:: ++ +-- +Stores the trust status of the certificate chain. +Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. + +type: boolean + +example: true + +-- + +*`process.parent.code_signature.valid`*:: ++ +-- +Boolean to capture if the digital signature is verified against the binary content. +Leave unpopulated if a certificate was unchecked. + +type: boolean + +example: true + +-- + *`process.parent.command_line`*:: + -- @@ -3888,6 +4716,19 @@ type: text -- +*`process.parent.entity_id`*:: ++ +-- +Unique identifier for the process. +The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. +Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. + +type: keyword + +example: c2c455d9f99375d + +-- + *`process.parent.executable`*:: + -- @@ -3918,6 +4759,42 @@ example: 137 -- +*`process.parent.hash.md5`*:: ++ +-- +MD5 hash. + +type: keyword + +-- + +*`process.parent.hash.sha1`*:: ++ +-- +SHA1 hash. + +type: keyword + +-- + +*`process.parent.hash.sha256`*:: ++ +-- +SHA256 hash. + +type: keyword + +-- + +*`process.parent.hash.sha512`*:: ++ +-- +SHA512 hash. + +type: keyword + +-- + *`process.parent.name`*:: + -- @@ -4055,6 +4932,61 @@ type: text -- +*`process.pe.company`*:: ++ +-- +Internal company name of the file, provided at compile-time. + +type: keyword + +example: Microsoft Corporation + +-- + +*`process.pe.description`*:: ++ +-- +Internal description of the file, provided at compile-time. + +type: keyword + +example: Paint + +-- + +*`process.pe.file_version`*:: ++ +-- +Internal version of the file, provided at compile-time. + +type: keyword + +example: 6.3.9600.17415 + +-- + +*`process.pe.original_file_name`*:: ++ +-- +Internal name of the file, provided at compile-time. + +type: keyword + +example: MSPAINT.EXE + +-- + +*`process.pe.product`*:: ++ +-- +Internal product name of the file, provided at compile-time. + +type: keyword + +example: Microsoft® Windows® Operating System + +-- + *`process.pgid`*:: + -- @@ -4263,8 +5195,17 @@ example: Debugger This field set is meant to facilitate pivoting around a piece of data. Some pieces of information can be seen in many places in an ECS event. To facilitate searching for them, store an array of all seen values to their corresponding field in `related.`. -A concrete example is IP addresses, which can be under host, observer, source, destination, client, server, and network.forwarded_ip. If you append all IPs to `related.ip`, you can then search for a given IP trivially, no matter where it appeared, by querying `related.ip:a.b.c.d`. +A concrete example is IP addresses, which can be under host, observer, source, destination, client, server, and network.forwarded_ip. If you append all IPs to `related.ip`, you can then search for a given IP trivially, no matter where it appeared, by querying `related.ip:192.0.2.15`. + + +*`related.hash`*:: ++ +-- +All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). + +type: keyword +-- *`related.ip`*:: + @@ -4291,6 +5232,17 @@ Rule fields are used to capture the specifics of any observer or agent rules tha Examples of data sources that would populate the rule fields include: network admission control platforms, network or host IDS/IPS, network firewalls, web application firewalls, url filters, endpoint detection and response (EDR) systems, etc. +*`rule.author`*:: ++ +-- +Name, organization, or pseudonym of the author or authors who created the rule used to generate this event. + +type: keyword + +example: ['Star-Lord'] + +-- + *`rule.category`*:: + -- @@ -4324,6 +5276,17 @@ example: 101 -- +*`rule.license`*:: ++ +-- +Name of the license under which the rule used to generate this event is made available. + +type: keyword + +example: Apache 2.0 + +-- + *`rule.name`*:: + -- @@ -4705,7 +5668,7 @@ type: keyword *`server.user.id`*:: + -- -One or multiple unique identifiers of the user. +Unique identifiers of the user. type: keyword @@ -5145,7 +6108,7 @@ type: keyword *`source.user.id`*:: + -- -One or multiple unique identifiers of the user. +Unique identifiers of the user. type: keyword @@ -5862,7 +6825,7 @@ type: keyword *`user.id`*:: + -- -One or multiple unique identifiers of the user. +Unique identifiers of the user. type: keyword @@ -6024,6 +6987,37 @@ example: 12.0 -- +[float] +=== vlan + +The VLAN fields are used to identify 802.1q tag(s) of a packet, as well as ingress and egress VLAN associations of an observer in relation to a specific packet or connection. +Network.vlan fields are used to record a single VLAN tag, or the outer tag in the case of q-in-q encapsulations, for a packet or connection as observed, typically provided by a network sensor (e.g. Zeek, Wireshark) passively reporting on traffic. +Network.inner VLAN fields are used to report inner q-in-q 802.1q tags (multiple 802.1q encapsulations) as observed, typically provided by a network sensor (e.g. Zeek, Wireshark) passively reporting on traffic. Network.inner VLAN fields should only be used in addition to network.vlan fields to indicate q-in-q tagging. +Observer.ingress and observer.egress VLAN values are used to record observer specific information when observer events contain discrete ingress and egress VLAN information, typically provided by firewalls, routers, or load balancers. + + +*`vlan.id`*:: ++ +-- +VLAN ID as reported by the observer. + +type: keyword + +example: 10 + +-- + +*`vlan.name`*:: ++ +-- +Optional VLAN name as reported by the observer. + +type: keyword + +example: outside + +-- + [float] === vulnerability diff --git a/heartbeat/include/fields.go b/heartbeat/include/fields.go index 939dd4872b2a..e21fe351e87f 100644 --- a/heartbeat/include/fields.go +++ b/heartbeat/include/fields.go @@ -32,5 +32,5 @@ func init() { // AssetFieldsYml returns asset data. // This is the base64 encoded gzipped contents of fields.yml. func AssetFieldsYml() string { - return "" + return "" } diff --git a/journalbeat/docs/fields.asciidoc b/journalbeat/docs/fields.asciidoc index 0a54ce57217d..b568e32ed978 100644 --- a/journalbeat/docs/fields.asciidoc +++ b/journalbeat/docs/fields.asciidoc @@ -949,7 +949,7 @@ Example: `docker` and `k8s` labels. type: object -example: { "application": "foo-bar", "env": "production" } +example: {"application": "foo-bar", "env": "production"} -- @@ -1404,7 +1404,7 @@ type: keyword *`client.user.id`*:: + -- -One or multiple unique identifiers of the user. +Unique identifiers of the user. type: keyword @@ -1510,6 +1510,70 @@ example: us-east-1 -- +[float] +=== code_signature + +These fields contain information about binary code signatures. + + +*`code_signature.exists`*:: ++ +-- +Boolean to capture if a signature is present. + +type: boolean + +example: true + +-- + +*`code_signature.status`*:: ++ +-- +Additional information about the certificate status. +This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. + +type: keyword + +example: ERROR_UNTRUSTED_ROOT + +-- + +*`code_signature.subject_name`*:: ++ +-- +Subject name of the code signer + +type: keyword + +example: Microsoft Corporation + +-- + +*`code_signature.trusted`*:: ++ +-- +Stores the trust status of the certificate chain. +Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. + +type: boolean + +example: true + +-- + +*`code_signature.valid`*:: ++ +-- +Boolean to capture if the digital signature is verified against the binary content. +Leave unpopulated if a certificate was unchecked. + +type: boolean + +example: true + +-- + [float] === container @@ -1538,7 +1602,7 @@ type: keyword *`container.image.tag`*:: + -- -Container image tag. +Container image tags. type: keyword @@ -1897,7 +1961,7 @@ type: keyword *`destination.user.id`*:: + -- -One or multiple unique identifiers of the user. +Unique identifiers of the user. type: keyword @@ -1921,6 +1985,189 @@ type: text -- +[float] +=== dll + +These fields contain information about code libraries dynamically loaded into processes. + +Many operating systems refer to "shared code libraries" with different names, but this field set refers to all of the following: +* Dynamic-link library (`.dll`) commonly used on Windows +* Shared Object (`.so`) commonly used on Unix-like operating systems +* Dynamic library (`.dylib`) commonly used on macOS + + +*`dll.code_signature.exists`*:: ++ +-- +Boolean to capture if a signature is present. + +type: boolean + +example: true + +-- + +*`dll.code_signature.status`*:: ++ +-- +Additional information about the certificate status. +This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. + +type: keyword + +example: ERROR_UNTRUSTED_ROOT + +-- + +*`dll.code_signature.subject_name`*:: ++ +-- +Subject name of the code signer + +type: keyword + +example: Microsoft Corporation + +-- + +*`dll.code_signature.trusted`*:: ++ +-- +Stores the trust status of the certificate chain. +Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. + +type: boolean + +example: true + +-- + +*`dll.code_signature.valid`*:: ++ +-- +Boolean to capture if the digital signature is verified against the binary content. +Leave unpopulated if a certificate was unchecked. + +type: boolean + +example: true + +-- + +*`dll.hash.md5`*:: ++ +-- +MD5 hash. + +type: keyword + +-- + +*`dll.hash.sha1`*:: ++ +-- +SHA1 hash. + +type: keyword + +-- + +*`dll.hash.sha256`*:: ++ +-- +SHA256 hash. + +type: keyword + +-- + +*`dll.hash.sha512`*:: ++ +-- +SHA512 hash. + +type: keyword + +-- + +*`dll.name`*:: ++ +-- +Name of the library. +This generally maps to the name of the file on disk. + +type: keyword + +example: kernel32.dll + +-- + +*`dll.path`*:: ++ +-- +Full file path of the library. + +type: keyword + +example: C:\Windows\System32\kernel32.dll + +-- + +*`dll.pe.company`*:: ++ +-- +Internal company name of the file, provided at compile-time. + +type: keyword + +example: Microsoft Corporation + +-- + +*`dll.pe.description`*:: ++ +-- +Internal description of the file, provided at compile-time. + +type: keyword + +example: Paint + +-- + +*`dll.pe.file_version`*:: ++ +-- +Internal version of the file, provided at compile-time. + +type: keyword + +example: 6.3.9600.17415 + +-- + +*`dll.pe.original_file_name`*:: ++ +-- +Internal name of the file, provided at compile-time. + +type: keyword + +example: MSPAINT.EXE + +-- + +*`dll.pe.product`*:: ++ +-- +Internal product name of the file, provided at compile-time. + +type: keyword + +example: Microsoft® Windows® Operating System + +-- + [float] === dns @@ -2222,7 +2469,7 @@ example: java.lang.NullPointerException === event The event fields are used for context information about the log or metric event itself. -A log is defined as an event containing details of something that happened. Log events must include the time at which the thing happened. Examples of log events include a process starting on a host, a network packet being sent from a source to a destination, or a network connection between a client and a server being initiated or closed. A metric is defined as an event containing one or more numerical or categorical measurements and the time at which the measurement was taken. Examples of metric events include memory pressure measured on a host, or vulnerabilities measured on a scanned host. +A log is defined as an event containing details of something that happened. Log events must include the time at which the thing happened. Examples of log events include a process starting on a host, a network packet being sent from a source to a destination, or a network connection between a client and a server being initiated or closed. A metric is defined as an event containing one or more numerical measurements and the time at which the measurement was taken. Examples of metric events include memory pressure measured on a host and device temperature. See the `event.kind` definition in this section for additional details about metric and state events. *`event.action`*:: @@ -2272,7 +2519,7 @@ In case the two timestamps are identical, @timestamp should be used. type: date -example: 2016-05-23 08:05:34.857000 +example: 2016-05-23T08:05:34.857Z -- @@ -2341,7 +2588,7 @@ In normal conditions, assuming no tampering, the timestamps should chronological type: date -example: 2016-05-23 08:05:35.101000 +example: 2016-05-23T08:05:35.101Z -- @@ -2386,7 +2633,10 @@ example: Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0&# + -- This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. -`event.outcome` simply denotes whether the event represent a success or a failure. Note that not all events will have an associated outcome. For example, this field is generally not populated for metric events or events with `event.type:info`. +`event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. +Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. +Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. +Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. type: keyword @@ -2406,6 +2656,18 @@ example: kernel -- +*`event.reference`*:: ++ +-- +Reference URL linking to additional information about this event. +This URL links to a static definition of the this event. Alert events, indicated by `event.kind:alert`, are a common use case for this field. + +type: keyword + +example: https://system.vendor.com/event/#0001234 + +-- + *`event.risk_score`*:: + -- @@ -2429,7 +2691,7 @@ type: float + -- Sequence number of the event. -The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regarless of the timestamp precision. +The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regardless of the timestamp precision. type: long @@ -2482,6 +2744,18 @@ type: keyword -- +*`event.url`*:: ++ +-- +URL linking to an external system to continue investigation of this event. +This URL links to another system where in-depth investigation of the specific occurence of this event can take place. Alert events, indicated by `event.kind:alert`, are a common use case for this field. + +type: keyword + +example: https://mysystem.mydomain.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe + +-- + [float] === file @@ -2511,6 +2785,64 @@ example: ["readonly", "system"] -- +*`file.code_signature.exists`*:: ++ +-- +Boolean to capture if a signature is present. + +type: boolean + +example: true + +-- + +*`file.code_signature.status`*:: ++ +-- +Additional information about the certificate status. +This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. + +type: keyword + +example: ERROR_UNTRUSTED_ROOT + +-- + +*`file.code_signature.subject_name`*:: ++ +-- +Subject name of the code signer + +type: keyword + +example: Microsoft Corporation + +-- + +*`file.code_signature.trusted`*:: ++ +-- +Stores the trust status of the certificate chain. +Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. + +type: boolean + +example: true + +-- + +*`file.code_signature.valid`*:: ++ +-- +Boolean to capture if the digital signature is verified against the binary content. +Leave unpopulated if a certificate was unchecked. + +type: boolean + +example: true + +-- + *`file.created`*:: + -- @@ -2645,6 +2977,15 @@ example: 256383 -- +*`file.mime_type`*:: ++ +-- +MIME type should identify the format of the file or stream of bytes using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official types], where possible. When more than one type is applicable, the most specific type should be used. + +type: keyword + +-- + *`file.mode`*:: + -- @@ -2705,6 +3046,61 @@ type: text -- +*`file.pe.company`*:: ++ +-- +Internal company name of the file, provided at compile-time. + +type: keyword + +example: Microsoft Corporation + +-- + +*`file.pe.description`*:: ++ +-- +Internal description of the file, provided at compile-time. + +type: keyword + +example: Paint + +-- + +*`file.pe.file_version`*:: ++ +-- +Internal version of the file, provided at compile-time. + +type: keyword + +example: 6.3.9600.17415 + +-- + +*`file.pe.original_file_name`*:: ++ +-- +Internal name of the file, provided at compile-time. + +type: keyword + +example: MSPAINT.EXE + +-- + +*`file.pe.product`*:: ++ +-- +Internal product name of the file, provided at compile-time. + +type: keyword + +example: Microsoft® Windows® Operating System + +-- + *`file.size`*:: + -- @@ -3073,7 +3469,7 @@ type: keyword *`host.ip`*:: + -- -Host ip address. +Host ip addresses. type: ip @@ -3082,7 +3478,7 @@ type: ip *`host.mac`*:: + -- -Host mac address. +Host mac addresses. type: keyword @@ -3277,7 +3673,7 @@ type: keyword *`host.user.id`*:: + -- -One or multiple unique identifiers of the user. +Unique identifiers of the user. type: keyword @@ -3442,6 +3838,45 @@ example: 1.1 -- +[float] +=== interface + +The interface fields are used to record ingress and egress interface information when reported by an observer (e.g. firewall, router, load balancer) in the context of the observer handling a network connection. In the case of a single observer interface (e.g. network sensor on a span port) only the observer.ingress information should be populated. + + +*`interface.alias`*:: ++ +-- +Interface alias as reported by the system, typically used in firewall implementations for e.g. inside, outside, or dmz logical interface naming. + +type: keyword + +example: outside + +-- + +*`interface.id`*:: ++ +-- +Interface ID as reported by an observer (typically SNMP interface ID). + +type: keyword + +example: 10 + +-- + +*`interface.name`*:: ++ +-- +Interface name as reported by the system. + +type: keyword + +example: eth0 + +-- + [float] === log @@ -3679,6 +4114,37 @@ example: 6 -- +*`network.inner`*:: ++ +-- +Network.inner fields are added in addition to network.vlan fields to describe the innermost VLAN when q-in-q VLAN tagging is present. Allowed fields include vlan.id and vlan.name. Inner vlan fields are typically used when sending traffic with multiple 802.1q encapsulations to a network sensor (e.g. Zeek, Wireshark.) + +type: object + +-- + +*`network.inner.vlan.id`*:: ++ +-- +VLAN ID as reported by the observer. + +type: keyword + +example: 10 + +-- + +*`network.inner.vlan.name`*:: ++ +-- +Optional VLAN name as reported by the observer. + +type: keyword + +example: outside + +-- + *`network.name`*:: + -- @@ -3738,6 +4204,28 @@ example: ipv4 -- +*`network.vlan.id`*:: ++ +-- +VLAN ID as reported by the observer. + +type: keyword + +example: 10 + +-- + +*`network.vlan.name`*:: ++ +-- +Optional VLAN name as reported by the observer. + +type: keyword + +example: outside + +-- + [float] === observer @@ -3745,6 +4233,81 @@ An observer is defined as a special network, security, or application device use This could be a custom hardware appliance or a server that has been configured to run special network, security, or application software. Examples include firewalls, web proxies, intrusion detection/prevention systems, network monitoring sensors, web application firewalls, data loss prevention systems, and APM servers. The observer.* fields shall be populated with details of the system, if any, that detects, observes and/or creates a network, security, or application event or metric. Message queues and ETL components used in processing events or metrics are not considered observers in ECS. +*`observer.egress`*:: ++ +-- +Observer.egress holds information like interface number and name, vlan, and zone information to classify egress traffic. Single armed monitoring such as a network sensor on a span port should only use observer.ingress to categorize traffic. + +type: object + +-- + +*`observer.egress.interface.alias`*:: ++ +-- +Interface alias as reported by the system, typically used in firewall implementations for e.g. inside, outside, or dmz logical interface naming. + +type: keyword + +example: outside + +-- + +*`observer.egress.interface.id`*:: ++ +-- +Interface ID as reported by an observer (typically SNMP interface ID). + +type: keyword + +example: 10 + +-- + +*`observer.egress.interface.name`*:: ++ +-- +Interface name as reported by the system. + +type: keyword + +example: eth0 + +-- + +*`observer.egress.vlan.id`*:: ++ +-- +VLAN ID as reported by the observer. + +type: keyword + +example: 10 + +-- + +*`observer.egress.vlan.name`*:: ++ +-- +Optional VLAN name as reported by the observer. + +type: keyword + +example: outside + +-- + +*`observer.egress.zone`*:: ++ +-- +Network zone of outbound traffic as reported by the observer to categorize the destination area of egress traffic, e.g. Internal, External, DMZ, HR, Legal, etc. + +type: keyword + +example: Public_Internet + +-- + *`observer.geo.city_name`*:: + -- @@ -3844,10 +4407,85 @@ type: keyword -- +*`observer.ingress`*:: ++ +-- +Observer.ingress holds information like interface number and name, vlan, and zone information to classify ingress traffic. Single armed monitoring such as a network sensor on a span port should only use observer.ingress to categorize traffic. + +type: object + +-- + +*`observer.ingress.interface.alias`*:: ++ +-- +Interface alias as reported by the system, typically used in firewall implementations for e.g. inside, outside, or dmz logical interface naming. + +type: keyword + +example: outside + +-- + +*`observer.ingress.interface.id`*:: ++ +-- +Interface ID as reported by an observer (typically SNMP interface ID). + +type: keyword + +example: 10 + +-- + +*`observer.ingress.interface.name`*:: ++ +-- +Interface name as reported by the system. + +type: keyword + +example: eth0 + +-- + +*`observer.ingress.vlan.id`*:: ++ +-- +VLAN ID as reported by the observer. + +type: keyword + +example: 10 + +-- + +*`observer.ingress.vlan.name`*:: ++ +-- +Optional VLAN name as reported by the observer. + +type: keyword + +example: outside + +-- + +*`observer.ingress.zone`*:: ++ +-- +Network zone of incoming traffic as reported by the observer to categorize the source area of ingress traffic. e.g. internal, External, DMZ, HR, Legal, etc. + +type: keyword + +example: DMZ + +-- + *`observer.ip`*:: + -- -IP address of the observer. +IP addresses of the observer. type: ip @@ -3856,7 +4494,7 @@ type: ip *`observer.mac`*:: + -- -MAC address of the observer +MAC addresses of the observer type: keyword @@ -4277,6 +4915,67 @@ example: 1.12.9 -- +[float] +=== pe + +These fields contain Windows Portable Executable (PE) metadata. + + +*`pe.company`*:: ++ +-- +Internal company name of the file, provided at compile-time. + +type: keyword + +example: Microsoft Corporation + +-- + +*`pe.description`*:: ++ +-- +Internal description of the file, provided at compile-time. + +type: keyword + +example: Paint + +-- + +*`pe.file_version`*:: ++ +-- +Internal version of the file, provided at compile-time. + +type: keyword + +example: 6.3.9600.17415 + +-- + +*`pe.original_file_name`*:: ++ +-- +Internal name of the file, provided at compile-time. + +type: keyword + +example: MSPAINT.EXE + +-- + +*`pe.product`*:: ++ +-- +Internal product name of the file, provided at compile-time. + +type: keyword + +example: Microsoft® Windows® Operating System + +-- + [float] === process @@ -4308,6 +5007,64 @@ example: 4 -- +*`process.code_signature.exists`*:: ++ +-- +Boolean to capture if a signature is present. + +type: boolean + +example: true + +-- + +*`process.code_signature.status`*:: ++ +-- +Additional information about the certificate status. +This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. + +type: keyword + +example: ERROR_UNTRUSTED_ROOT + +-- + +*`process.code_signature.subject_name`*:: ++ +-- +Subject name of the code signer + +type: keyword + +example: Microsoft Corporation + +-- + +*`process.code_signature.trusted`*:: ++ +-- +Stores the trust status of the certificate chain. +Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. + +type: boolean + +example: true + +-- + +*`process.code_signature.valid`*:: ++ +-- +Boolean to capture if the digital signature is verified against the binary content. +Leave unpopulated if a certificate was unchecked. + +type: boolean + +example: true + +-- + *`process.command_line`*:: + -- @@ -4327,6 +5084,19 @@ type: text -- +*`process.entity_id`*:: ++ +-- +Unique identifier for the process. +The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. +Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. + +type: keyword + +example: c2c455d9f99375d + +-- + *`process.executable`*:: + -- @@ -4436,6 +5206,64 @@ example: 4 -- +*`process.parent.code_signature.exists`*:: ++ +-- +Boolean to capture if a signature is present. + +type: boolean + +example: true + +-- + +*`process.parent.code_signature.status`*:: ++ +-- +Additional information about the certificate status. +This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. + +type: keyword + +example: ERROR_UNTRUSTED_ROOT + +-- + +*`process.parent.code_signature.subject_name`*:: ++ +-- +Subject name of the code signer + +type: keyword + +example: Microsoft Corporation + +-- + +*`process.parent.code_signature.trusted`*:: ++ +-- +Stores the trust status of the certificate chain. +Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. + +type: boolean + +example: true + +-- + +*`process.parent.code_signature.valid`*:: ++ +-- +Boolean to capture if the digital signature is verified against the binary content. +Leave unpopulated if a certificate was unchecked. + +type: boolean + +example: true + +-- + *`process.parent.command_line`*:: + -- @@ -4455,6 +5283,19 @@ type: text -- +*`process.parent.entity_id`*:: ++ +-- +Unique identifier for the process. +The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. +Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. + +type: keyword + +example: c2c455d9f99375d + +-- + *`process.parent.executable`*:: + -- @@ -4485,6 +5326,42 @@ example: 137 -- +*`process.parent.hash.md5`*:: ++ +-- +MD5 hash. + +type: keyword + +-- + +*`process.parent.hash.sha1`*:: ++ +-- +SHA1 hash. + +type: keyword + +-- + +*`process.parent.hash.sha256`*:: ++ +-- +SHA256 hash. + +type: keyword + +-- + +*`process.parent.hash.sha512`*:: ++ +-- +SHA512 hash. + +type: keyword + +-- + *`process.parent.name`*:: + -- @@ -4622,6 +5499,61 @@ type: text -- +*`process.pe.company`*:: ++ +-- +Internal company name of the file, provided at compile-time. + +type: keyword + +example: Microsoft Corporation + +-- + +*`process.pe.description`*:: ++ +-- +Internal description of the file, provided at compile-time. + +type: keyword + +example: Paint + +-- + +*`process.pe.file_version`*:: ++ +-- +Internal version of the file, provided at compile-time. + +type: keyword + +example: 6.3.9600.17415 + +-- + +*`process.pe.original_file_name`*:: ++ +-- +Internal name of the file, provided at compile-time. + +type: keyword + +example: MSPAINT.EXE + +-- + +*`process.pe.product`*:: ++ +-- +Internal product name of the file, provided at compile-time. + +type: keyword + +example: Microsoft® Windows® Operating System + +-- + *`process.pgid`*:: + -- @@ -4830,8 +5762,17 @@ example: Debugger This field set is meant to facilitate pivoting around a piece of data. Some pieces of information can be seen in many places in an ECS event. To facilitate searching for them, store an array of all seen values to their corresponding field in `related.`. -A concrete example is IP addresses, which can be under host, observer, source, destination, client, server, and network.forwarded_ip. If you append all IPs to `related.ip`, you can then search for a given IP trivially, no matter where it appeared, by querying `related.ip:a.b.c.d`. +A concrete example is IP addresses, which can be under host, observer, source, destination, client, server, and network.forwarded_ip. If you append all IPs to `related.ip`, you can then search for a given IP trivially, no matter where it appeared, by querying `related.ip:192.0.2.15`. + + +*`related.hash`*:: ++ +-- +All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). + +type: keyword +-- *`related.ip`*:: + @@ -4858,6 +5799,17 @@ Rule fields are used to capture the specifics of any observer or agent rules tha Examples of data sources that would populate the rule fields include: network admission control platforms, network or host IDS/IPS, network firewalls, web application firewalls, url filters, endpoint detection and response (EDR) systems, etc. +*`rule.author`*:: ++ +-- +Name, organization, or pseudonym of the author or authors who created the rule used to generate this event. + +type: keyword + +example: ['Star-Lord'] + +-- + *`rule.category`*:: + -- @@ -4891,6 +5843,17 @@ example: 101 -- +*`rule.license`*:: ++ +-- +Name of the license under which the rule used to generate this event is made available. + +type: keyword + +example: Apache 2.0 + +-- + *`rule.name`*:: + -- @@ -5272,7 +6235,7 @@ type: keyword *`server.user.id`*:: + -- -One or multiple unique identifiers of the user. +Unique identifiers of the user. type: keyword @@ -5712,7 +6675,7 @@ type: keyword *`source.user.id`*:: + -- -One or multiple unique identifiers of the user. +Unique identifiers of the user. type: keyword @@ -6429,7 +7392,7 @@ type: keyword *`user.id`*:: + -- -One or multiple unique identifiers of the user. +Unique identifiers of the user. type: keyword @@ -6591,6 +7554,37 @@ example: 12.0 -- +[float] +=== vlan + +The VLAN fields are used to identify 802.1q tag(s) of a packet, as well as ingress and egress VLAN associations of an observer in relation to a specific packet or connection. +Network.vlan fields are used to record a single VLAN tag, or the outer tag in the case of q-in-q encapsulations, for a packet or connection as observed, typically provided by a network sensor (e.g. Zeek, Wireshark) passively reporting on traffic. +Network.inner VLAN fields are used to report inner q-in-q 802.1q tags (multiple 802.1q encapsulations) as observed, typically provided by a network sensor (e.g. Zeek, Wireshark) passively reporting on traffic. Network.inner VLAN fields should only be used in addition to network.vlan fields to indicate q-in-q tagging. +Observer.ingress and observer.egress VLAN values are used to record observer specific information when observer events contain discrete ingress and egress VLAN information, typically provided by firewalls, routers, or load balancers. + + +*`vlan.id`*:: ++ +-- +VLAN ID as reported by the observer. + +type: keyword + +example: 10 + +-- + +*`vlan.name`*:: ++ +-- +Optional VLAN name as reported by the observer. + +type: keyword + +example: outside + +-- + [float] === vulnerability diff --git a/journalbeat/include/fields.go b/journalbeat/include/fields.go index 45161a4a9fe4..5d1d9a80b6ac 100644 --- a/journalbeat/include/fields.go +++ b/journalbeat/include/fields.go @@ -32,5 +32,5 @@ func init() { // AssetFieldsYml returns asset data. // This is the base64 encoded gzipped contents of fields.yml. func AssetFieldsYml() string { - return "" + return "" } diff --git a/libbeat/_meta/fields.ecs.yml b/libbeat/_meta/fields.ecs.yml index 94c05de3d40f..9032aafba001 100644 --- a/libbeat/_meta/fields.ecs.yml +++ b/libbeat/_meta/fields.ecs.yml @@ -1,5 +1,5 @@ # WARNING! Do not edit this file directly, it was generated by the ECS project, -# based on ECS version 1.4.0. +# based on ECS version 1.5.0. # Please visit https://github.com/elastic/ecs to suggest changes to ECS fields. - key: ecs @@ -30,7 +30,7 @@ All values are stored as keyword. Example: `docker` and `k8s` labels.' - example: '{ "application": "foo-bar", "env": "production" }' + example: '{"application": "foo-bar", "env": "production"}' - name: message level: core type: text @@ -358,7 +358,7 @@ level: core type: keyword ignore_above: 1024 - description: One or multiple unique identifiers of the user. + description: Unique identifiers of the user. - name: user.name level: core type: keyword @@ -427,6 +427,54 @@ ignore_above: 1024 description: Region in which this host is running. example: us-east-1 + - name: code_signature + title: Code Signature + group: 2 + description: These fields contain information about binary code signatures. + type: group + fields: + - name: exists + level: core + type: boolean + description: Boolean to capture if a signature is present. + example: 'true' + default_field: false + - name: status + level: extended + type: keyword + ignore_above: 1024 + description: 'Additional information about the certificate status. + + This is useful for logging cryptographic errors with the certificate validity + or trust status. Leave unpopulated if the validity or trust of the certificate + was unchecked.' + example: ERROR_UNTRUSTED_ROOT + default_field: false + - name: subject_name + level: core + type: keyword + ignore_above: 1024 + description: Subject name of the code signer + example: Microsoft Corporation + default_field: false + - name: trusted + level: extended + type: boolean + description: 'Stores the trust status of the certificate chain. + + Validating the trust of the certificate chain may be complicated, and this + field should only be populated by tools that actively check the status.' + example: 'true' + default_field: false + - name: valid + level: extended + type: boolean + description: 'Boolean to capture if the digital signature is verified against + the binary content. + + Leave unpopulated if a certificate was unchecked.' + example: 'true' + default_field: false - name: container title: Container group: 2 @@ -450,7 +498,7 @@ level: extended type: keyword ignore_above: 1024 - description: Container image tag. + description: Container image tags. - name: labels level: extended type: object @@ -678,7 +726,7 @@ level: core type: keyword ignore_above: 1024 - description: One or multiple unique identifiers of the user. + description: Unique identifiers of the user. - name: user.name level: core type: keyword @@ -690,6 +738,140 @@ default_field: false description: Short name or login of the user. example: albert + - name: dll + title: DLL + group: 2 + description: 'These fields contain information about code libraries dynamically + loaded into processes. + + + Many operating systems refer to "shared code libraries" with different names, + but this field set refers to all of the following: + + * Dynamic-link library (`.dll`) commonly used on Windows + + * Shared Object (`.so`) commonly used on Unix-like operating systems + + * Dynamic library (`.dylib`) commonly used on macOS' + type: group + fields: + - name: code_signature.exists + level: core + type: boolean + description: Boolean to capture if a signature is present. + example: 'true' + default_field: false + - name: code_signature.status + level: extended + type: keyword + ignore_above: 1024 + description: 'Additional information about the certificate status. + + This is useful for logging cryptographic errors with the certificate validity + or trust status. Leave unpopulated if the validity or trust of the certificate + was unchecked.' + example: ERROR_UNTRUSTED_ROOT + default_field: false + - name: code_signature.subject_name + level: core + type: keyword + ignore_above: 1024 + description: Subject name of the code signer + example: Microsoft Corporation + default_field: false + - name: code_signature.trusted + level: extended + type: boolean + description: 'Stores the trust status of the certificate chain. + + Validating the trust of the certificate chain may be complicated, and this + field should only be populated by tools that actively check the status.' + example: 'true' + default_field: false + - name: code_signature.valid + level: extended + type: boolean + description: 'Boolean to capture if the digital signature is verified against + the binary content. + + Leave unpopulated if a certificate was unchecked.' + example: 'true' + default_field: false + - name: hash.md5 + level: extended + type: keyword + ignore_above: 1024 + description: MD5 hash. + default_field: false + - name: hash.sha1 + level: extended + type: keyword + ignore_above: 1024 + description: SHA1 hash. + default_field: false + - name: hash.sha256 + level: extended + type: keyword + ignore_above: 1024 + description: SHA256 hash. + default_field: false + - name: hash.sha512 + level: extended + type: keyword + ignore_above: 1024 + description: SHA512 hash. + default_field: false + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the library. + + This generally maps to the name of the file on disk.' + example: kernel32.dll + default_field: false + - name: path + level: extended + type: keyword + ignore_above: 1024 + description: Full file path of the library. + example: C:\Windows\System32\kernel32.dll + default_field: false + - name: pe.company + level: extended + type: keyword + ignore_above: 1024 + description: Internal company name of the file, provided at compile-time. + example: Microsoft Corporation + default_field: false + - name: pe.description + level: extended + type: keyword + ignore_above: 1024 + description: Internal description of the file, provided at compile-time. + example: Paint + default_field: false + - name: pe.file_version + level: extended + type: keyword + ignore_above: 1024 + description: Internal version of the file, provided at compile-time. + example: 6.3.9600.17415 + default_field: false + - name: pe.original_file_name + level: extended + type: keyword + ignore_above: 1024 + description: Internal name of the file, provided at compile-time. + example: MSPAINT.EXE + default_field: false + - name: pe.product + level: extended + type: keyword + ignore_above: 1024 + description: Internal product name of the file, provided at compile-time. + example: "Microsoft\xAE Windows\xAE Operating System" + default_field: false - name: dns title: DNS group: 2 @@ -932,9 +1114,10 @@ events include a process starting on a host, a network packet being sent from a source to a destination, or a network connection between a client and a server being initiated or closed. A metric is defined as an event containing one or - more numerical or categorical measurements and the time at which the measurement - was taken. Examples of metric events include memory pressure measured on a host, - or vulnerabilities measured on a scanned host.' + more numerical measurements and the time at which the measurement was taken. + Examples of metric events include memory pressure measured on a host and device + temperature. See the `event.kind` definition in this section for additional + details about metric and state events.' type: group fields: - name: action @@ -987,7 +1170,7 @@ your agent''s or pipeline''s ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used.' - example: 2016-05-23 08:05:34.857000 + example: '2016-05-23T08:05:34.857Z' - name: dataset level: core type: keyword @@ -1041,7 +1224,7 @@ In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` < `event.created` < `event.ingested`.' - example: 2016-05-23 08:05:35.101000 + example: '2016-05-23T08:05:35.101Z' default_field: false - name: kind level: core @@ -1086,9 +1269,21 @@ description: 'This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. - `event.outcome` simply denotes whether the event represent a success or a - failure. Note that not all events will have an associated outcome. For example, - this field is generally not populated for metric events or events with `event.type:info`.' + `event.outcome` simply denotes whether the event represents a success or a + failure from the perspective of the entity that produced the event. + + Note that when a single transaction is described in multiple events, each + event may populate different values of `event.outcome`, according to their + perspective. + + Also note that in the case of a compound event (a single event that contains + multiple logical events), this field should be populated with the value that + best captures the overall success or failure from the perspective of the event + producer. + + Further note that not all events will have an associated outcome. For example, + this field is generally not populated for metric events, events with `event.type:info`, + or any events for which an outcome does not make logical sense.' example: success - name: provider level: extended @@ -1101,6 +1296,16 @@ the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing).' example: kernel + - name: reference + level: extended + type: keyword + ignore_above: 1024 + description: 'Reference URL linking to additional information about this event. + + This URL links to a static definition of the this event. Alert events, indicated + by `event.kind:alert`, are a common use case for this field.' + example: https://system.vendor.com/event/#0001234 + default_field: false - name: risk_score level: core type: float @@ -1121,7 +1326,7 @@ description: 'Sequence number of the event. The sequence number is a value published by some event sources, to make the - exact ordering of events unambiguous, regarless of the timestamp precision.' + exact ordering of events unambiguous, regardless of the timestamp precision.' - name: severity level: core type: long @@ -1165,6 +1370,18 @@ This field is an array. This will allow proper categorization of some events that fall in multiple event types.' + - name: url + level: extended + type: keyword + ignore_above: 1024 + description: 'URL linking to an external system to continue investigation of + this event. + + This URL links to another system where in-depth investigation of the specific + occurence of this event can take place. Alert events, indicated by `event.kind:alert`, + are a common use case for this field.' + example: https://mysystem.mydomain.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe + default_field: false - name: file title: File group: 2 @@ -1194,6 +1411,48 @@ execute, hidden, read, readonly, system, write.' example: '["readonly", "system"]' default_field: false + - name: code_signature.exists + level: core + type: boolean + description: Boolean to capture if a signature is present. + example: 'true' + default_field: false + - name: code_signature.status + level: extended + type: keyword + ignore_above: 1024 + description: 'Additional information about the certificate status. + + This is useful for logging cryptographic errors with the certificate validity + or trust status. Leave unpopulated if the validity or trust of the certificate + was unchecked.' + example: ERROR_UNTRUSTED_ROOT + default_field: false + - name: code_signature.subject_name + level: core + type: keyword + ignore_above: 1024 + description: Subject name of the code signer + example: Microsoft Corporation + default_field: false + - name: code_signature.trusted + level: extended + type: boolean + description: 'Stores the trust status of the certificate chain. + + Validating the trust of the certificate chain may be complicated, and this + field should only be populated by tools that actively check the status.' + example: 'true' + default_field: false + - name: code_signature.valid + level: extended + type: boolean + description: 'Boolean to capture if the digital signature is verified against + the binary content. + + Leave unpopulated if a certificate was unchecked.' + example: 'true' + default_field: false - name: created level: extended type: date @@ -1274,6 +1533,15 @@ ignore_above: 1024 description: Inode representing the file in the filesystem. example: '256383' + - name: mime_type + level: extended + type: keyword + ignore_above: 1024 + description: MIME type should identify the format of the file or stream of bytes + using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA + official types], where possible. When more than one type is applicable, the + most specific type should be used. + default_field: false - name: mode level: extended type: keyword @@ -1308,6 +1576,41 @@ description: Full path to the file, including the file name. It should include the drive letter, when appropriate. example: /home/alice/example.png + - name: pe.company + level: extended + type: keyword + ignore_above: 1024 + description: Internal company name of the file, provided at compile-time. + example: Microsoft Corporation + default_field: false + - name: pe.description + level: extended + type: keyword + ignore_above: 1024 + description: Internal description of the file, provided at compile-time. + example: Paint + default_field: false + - name: pe.file_version + level: extended + type: keyword + ignore_above: 1024 + description: Internal version of the file, provided at compile-time. + example: 6.3.9600.17415 + default_field: false + - name: pe.original_file_name + level: extended + type: keyword + ignore_above: 1024 + description: Internal name of the file, provided at compile-time. + example: MSPAINT.EXE + default_field: false + - name: pe.product + level: extended + type: keyword + ignore_above: 1024 + description: Internal product name of the file, provided at compile-time. + example: "Microsoft\xAE Windows\xAE Operating System" + default_field: false - name: size level: extended type: long @@ -1553,12 +1856,12 @@ - name: ip level: core type: ip - description: Host ip address. + description: Host ip addresses. - name: mac level: core type: keyword ignore_above: 1024 - description: Host mac address. + description: Host mac addresses. - name: name level: core type: keyword @@ -1681,7 +1984,7 @@ level: core type: keyword ignore_above: 1024 - description: One or multiple unique identifiers of the user. + description: Unique identifiers of the user. - name: user.name level: core type: keyword @@ -1773,6 +2076,39 @@ ignore_above: 1024 description: HTTP version. example: 1.1 + - name: interface + title: Interface + group: 2 + description: The interface fields are used to record ingress and egress interface + information when reported by an observer (e.g. firewall, router, load balancer) + in the context of the observer handling a network connection. In the case of + a single observer interface (e.g. network sensor on a span port) only the observer.ingress + information should be populated. + type: group + fields: + - name: alias + level: extended + type: keyword + ignore_above: 1024 + description: Interface alias as reported by the system, typically used in firewall + implementations for e.g. inside, outside, or dmz logical interface naming. + example: outside + default_field: false + - name: id + level: extended + type: keyword + ignore_above: 1024 + description: Interface ID as reported by an observer (typically SNMP interface + ID). + example: 10 + default_field: false + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Interface name as reported by the system. + example: eth0 + default_field: false - name: log title: Log group: 2 @@ -1956,6 +2292,30 @@ Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. example: 6 + - name: inner + level: extended + type: object + object_type: keyword + description: Network.inner fields are added in addition to network.vlan fields + to describe the innermost VLAN when q-in-q VLAN tagging is present. Allowed + fields include vlan.id and vlan.name. Inner vlan fields are typically used + when sending traffic with multiple 802.1q encapsulations to a network sensor + (e.g. Zeek, Wireshark.) + default_field: false + - name: inner.vlan.id + level: extended + type: keyword + ignore_above: 1024 + description: VLAN ID as reported by the observer. + example: 10 + default_field: false + - name: inner.vlan.name + level: extended + type: keyword + ignore_above: 1024 + description: Optional VLAN name as reported by the observer. + example: outside + default_field: false - name: name level: extended type: keyword @@ -1999,6 +2359,20 @@ The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS".' example: ipv4 + - name: vlan.id + level: extended + type: keyword + ignore_above: 1024 + description: VLAN ID as reported by the observer. + example: 10 + default_field: false + - name: vlan.name + level: extended + type: keyword + ignore_above: 1024 + description: Optional VLAN name as reported by the observer. + example: outside + default_field: false - name: observer title: Observer group: 2 @@ -2016,6 +2390,61 @@ are not considered observers in ECS.' type: group fields: + - name: egress + level: extended + type: object + object_type: keyword + description: Observer.egress holds information like interface number and name, + vlan, and zone information to classify egress traffic. Single armed monitoring + such as a network sensor on a span port should only use observer.ingress + to categorize traffic. + default_field: false + - name: egress.interface.alias + level: extended + type: keyword + ignore_above: 1024 + description: Interface alias as reported by the system, typically used in firewall + implementations for e.g. inside, outside, or dmz logical interface naming. + example: outside + default_field: false + - name: egress.interface.id + level: extended + type: keyword + ignore_above: 1024 + description: Interface ID as reported by an observer (typically SNMP interface + ID). + example: 10 + default_field: false + - name: egress.interface.name + level: extended + type: keyword + ignore_above: 1024 + description: Interface name as reported by the system. + example: eth0 + default_field: false + - name: egress.vlan.id + level: extended + type: keyword + ignore_above: 1024 + description: VLAN ID as reported by the observer. + example: 10 + default_field: false + - name: egress.vlan.name + level: extended + type: keyword + ignore_above: 1024 + description: Optional VLAN name as reported by the observer. + example: outside + default_field: false + - name: egress.zone + level: extended + type: keyword + ignore_above: 1024 + description: Network zone of outbound traffic as reported by the observer to + categorize the destination area of egress traffic, e.g. Internal, External, + DMZ, HR, Legal, etc. + example: Public_Internet + default_field: false - name: geo.city_name level: core type: keyword @@ -2074,15 +2503,70 @@ type: keyword ignore_above: 1024 description: Hostname of the observer. + - name: ingress + level: extended + type: object + object_type: keyword + description: Observer.ingress holds information like interface number and name, + vlan, and zone information to classify ingress traffic. Single armed monitoring + such as a network sensor on a span port should only use observer.ingress + to categorize traffic. + default_field: false + - name: ingress.interface.alias + level: extended + type: keyword + ignore_above: 1024 + description: Interface alias as reported by the system, typically used in firewall + implementations for e.g. inside, outside, or dmz logical interface naming. + example: outside + default_field: false + - name: ingress.interface.id + level: extended + type: keyword + ignore_above: 1024 + description: Interface ID as reported by an observer (typically SNMP interface + ID). + example: 10 + default_field: false + - name: ingress.interface.name + level: extended + type: keyword + ignore_above: 1024 + description: Interface name as reported by the system. + example: eth0 + default_field: false + - name: ingress.vlan.id + level: extended + type: keyword + ignore_above: 1024 + description: VLAN ID as reported by the observer. + example: 10 + default_field: false + - name: ingress.vlan.name + level: extended + type: keyword + ignore_above: 1024 + description: Optional VLAN name as reported by the observer. + example: outside + default_field: false + - name: ingress.zone + level: extended + type: keyword + ignore_above: 1024 + description: Network zone of incoming traffic as reported by the observer to + categorize the source area of ingress traffic. e.g. internal, External, DMZ, + HR, Legal, etc. + example: DMZ + default_field: false - name: ip level: core type: ip - description: IP address of the observer. + description: IP addresses of the observer. - name: mac level: core type: keyword ignore_above: 1024 - description: MAC address of the observer + description: MAC addresses of the observer - name: name level: extended type: keyword @@ -2346,6 +2830,47 @@ ignore_above: 1024 description: Package version example: 1.12.9 + - name: pe + title: PE Header + group: 2 + description: These fields contain Windows Portable Executable (PE) metadata. + type: group + fields: + - name: company + level: extended + type: keyword + ignore_above: 1024 + description: Internal company name of the file, provided at compile-time. + example: Microsoft Corporation + default_field: false + - name: description + level: extended + type: keyword + ignore_above: 1024 + description: Internal description of the file, provided at compile-time. + example: Paint + default_field: false + - name: file_version + level: extended + type: keyword + ignore_above: 1024 + description: Internal version of the file, provided at compile-time. + example: 6.3.9600.17415 + default_field: false + - name: original_file_name + level: extended + type: keyword + ignore_above: 1024 + description: Internal name of the file, provided at compile-time. + example: MSPAINT.EXE + default_field: false + - name: product + level: extended + type: keyword + ignore_above: 1024 + description: Internal product name of the file, provided at compile-time. + example: "Microsoft\xAE Windows\xAE Operating System" + default_field: false - name: process title: Process group: 2 @@ -2379,6 +2904,48 @@ indication of suspicious activity.' example: 4 default_field: false + - name: code_signature.exists + level: core + type: boolean + description: Boolean to capture if a signature is present. + example: 'true' + default_field: false + - name: code_signature.status + level: extended + type: keyword + ignore_above: 1024 + description: 'Additional information about the certificate status. + + This is useful for logging cryptographic errors with the certificate validity + or trust status. Leave unpopulated if the validity or trust of the certificate + was unchecked.' + example: ERROR_UNTRUSTED_ROOT + default_field: false + - name: code_signature.subject_name + level: core + type: keyword + ignore_above: 1024 + description: Subject name of the code signer + example: Microsoft Corporation + default_field: false + - name: code_signature.trusted + level: extended + type: boolean + description: 'Stores the trust status of the certificate chain. + + Validating the trust of the certificate chain may be complicated, and this + field should only be populated by tools that actively check the status.' + example: 'true' + default_field: false + - name: code_signature.valid + level: extended + type: boolean + description: 'Boolean to capture if the digital signature is verified against + the binary content. + + Leave unpopulated if a certificate was unchecked.' + example: 'true' + default_field: false - name: command_line level: extended type: keyword @@ -2393,6 +2960,21 @@ Some arguments may be filtered to protect sensitive information.' example: /usr/bin/ssh -l user 10.0.0.16 default_field: false + - name: entity_id + level: extended + type: keyword + ignore_above: 1024 + description: 'Unique identifier for the process. + + The implementation of this is specified by the data source, but some examples + of what could be used here are a process-generated UUID, Sysmon Process GUIDs, + or a hash of some uniquely identifying components of a process. + + Constructing a globally unique identifier is a common practice to mitigate + PID reuse as well as to identify a specific process over time, across multiple + monitored hosts.' + example: c2c455d9f99375d + default_field: false - name: executable level: extended type: keyword @@ -2469,6 +3051,48 @@ indication of suspicious activity.' example: 4 default_field: false + - name: parent.code_signature.exists + level: core + type: boolean + description: Boolean to capture if a signature is present. + example: 'true' + default_field: false + - name: parent.code_signature.status + level: extended + type: keyword + ignore_above: 1024 + description: 'Additional information about the certificate status. + + This is useful for logging cryptographic errors with the certificate validity + or trust status. Leave unpopulated if the validity or trust of the certificate + was unchecked.' + example: ERROR_UNTRUSTED_ROOT + default_field: false + - name: parent.code_signature.subject_name + level: core + type: keyword + ignore_above: 1024 + description: Subject name of the code signer + example: Microsoft Corporation + default_field: false + - name: parent.code_signature.trusted + level: extended + type: boolean + description: 'Stores the trust status of the certificate chain. + + Validating the trust of the certificate chain may be complicated, and this + field should only be populated by tools that actively check the status.' + example: 'true' + default_field: false + - name: parent.code_signature.valid + level: extended + type: boolean + description: 'Boolean to capture if the digital signature is verified against + the binary content. + + Leave unpopulated if a certificate was unchecked.' + example: 'true' + default_field: false - name: parent.command_line level: extended type: keyword @@ -2483,6 +3107,21 @@ Some arguments may be filtered to protect sensitive information.' example: /usr/bin/ssh -l user 10.0.0.16 default_field: false + - name: parent.entity_id + level: extended + type: keyword + ignore_above: 1024 + description: 'Unique identifier for the process. + + The implementation of this is specified by the data source, but some examples + of what could be used here are a process-generated UUID, Sysmon Process GUIDs, + or a hash of some uniquely identifying components of a process. + + Constructing a globally unique identifier is a common practice to mitigate + PID reuse as well as to identify a specific process over time, across multiple + monitored hosts.' + example: c2c455d9f99375d + default_field: false - name: parent.executable level: extended type: keyword @@ -2503,6 +3142,30 @@ start).' example: 137 default_field: false + - name: parent.hash.md5 + level: extended + type: keyword + ignore_above: 1024 + description: MD5 hash. + default_field: false + - name: parent.hash.sha1 + level: extended + type: keyword + ignore_above: 1024 + description: SHA1 hash. + default_field: false + - name: parent.hash.sha256 + level: extended + type: keyword + ignore_above: 1024 + description: SHA256 hash. + default_field: false + - name: parent.hash.sha512 + level: extended + type: keyword + ignore_above: 1024 + description: SHA512 hash. + default_field: false - name: parent.name level: extended type: keyword @@ -2586,6 +3249,41 @@ description: The working directory of the process. example: /home/alice default_field: false + - name: pe.company + level: extended + type: keyword + ignore_above: 1024 + description: Internal company name of the file, provided at compile-time. + example: Microsoft Corporation + default_field: false + - name: pe.description + level: extended + type: keyword + ignore_above: 1024 + description: Internal description of the file, provided at compile-time. + example: Paint + default_field: false + - name: pe.file_version + level: extended + type: keyword + ignore_above: 1024 + description: Internal version of the file, provided at compile-time. + example: 6.3.9600.17415 + default_field: false + - name: pe.original_file_name + level: extended + type: keyword + ignore_above: 1024 + description: Internal name of the file, provided at compile-time. + example: MSPAINT.EXE + default_field: false + - name: pe.product + level: extended + type: keyword + ignore_above: 1024 + description: Internal product name of the file, provided at compile-time. + example: "Microsoft\xAE Windows\xAE Operating System" + default_field: false - name: pgid level: extended type: long @@ -2728,9 +3426,17 @@ A concrete example is IP addresses, which can be under host, observer, source, destination, client, server, and network.forwarded_ip. If you append all IPs to `related.ip`, you can then search for a given IP trivially, no matter where - it appeared, by querying `related.ip:a.b.c.d`.' + it appeared, by querying `related.ip:192.0.2.15`.' type: group fields: + - name: hash + level: extended + type: keyword + ignore_above: 1024 + description: All the hashes seen on your event. Populating this field, then + using it to search for hashes can help in situations where you're unsure what + the hash algorithm is (and therefore which key name to search). + default_field: false - name: ip level: extended type: ip @@ -2753,6 +3459,15 @@ etc.' type: group fields: + - name: author + level: extended + type: keyword + ignore_above: 1024 + description: Name, organization, or pseudonym of the author or authors who created + the rule used to generate this event. + example: + - Star-Lord + default_field: false - name: category level: extended type: keyword @@ -2776,6 +3491,14 @@ or other entity using the rule for detection of this event. example: 101 default_field: false + - name: license + level: extended + type: keyword + ignore_above: 1024 + description: Name of the license under which the rule used to generate this + event is made available. + example: Apache 2.0 + default_field: false - name: name level: extended type: keyword @@ -3043,7 +3766,7 @@ level: core type: keyword ignore_above: 1024 - description: One or multiple unique identifiers of the user. + description: Unique identifiers of the user. - name: user.name level: core type: keyword @@ -3354,7 +4077,7 @@ level: core type: keyword ignore_above: 1024 - description: One or multiple unique identifiers of the user. + description: Unique identifiers of the user. - name: user.name level: core type: keyword @@ -3904,7 +4627,7 @@ level: core type: keyword ignore_above: 1024 - description: One or multiple unique identifiers of the user. + description: Unique identifiers of the user. - name: name level: core type: keyword @@ -3999,6 +4722,41 @@ ignore_above: 1024 description: Version of the user agent. example: 12.0 + - name: vlan + title: VLAN + group: 2 + description: 'The VLAN fields are used to identify 802.1q tag(s) of a packet, + as well as ingress and egress VLAN associations of an observer in relation to + a specific packet or connection. + + Network.vlan fields are used to record a single VLAN tag, or the outer tag in + the case of q-in-q encapsulations, for a packet or connection as observed, typically + provided by a network sensor (e.g. Zeek, Wireshark) passively reporting on traffic. + + Network.inner VLAN fields are used to report inner q-in-q 802.1q tags (multiple + 802.1q encapsulations) as observed, typically provided by a network sensor (e.g. + Zeek, Wireshark) passively reporting on traffic. Network.inner VLAN fields should + only be used in addition to network.vlan fields to indicate q-in-q tagging. + + Observer.ingress and observer.egress VLAN values are used to record observer + specific information when observer events contain discrete ingress and egress + VLAN information, typically provided by firewalls, routers, or load balancers.' + type: group + fields: + - name: id + level: extended + type: keyword + ignore_above: 1024 + description: VLAN ID as reported by the observer. + example: 10 + default_field: false + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Optional VLAN name as reported by the observer. + example: outside + default_field: false - name: vulnerability title: Vulnerability group: 2 diff --git a/libbeat/scripts/generate_fields_docs.py b/libbeat/scripts/generate_fields_docs.py index e6864252d57a..b52285f49e07 100644 --- a/libbeat/scripts/generate_fields_docs.py +++ b/libbeat/scripts/generate_fields_docs.py @@ -165,10 +165,10 @@ def fields_to_asciidoc(input, output, beat): es_beats = args.es_beats # Read fields.yml - with open(fields_yml) as f: + with open(fields_yml, encoding='utf-8') as f: fields = f.read() - output = open(os.path.join(args.output_path, "docs/fields.asciidoc"), 'w') + output = open(os.path.join(args.output_path, "docs/fields.asciidoc"), 'w', encoding='utf-8') try: fields_to_asciidoc(fields, output, beat_title) diff --git a/metricbeat/docs/fields.asciidoc b/metricbeat/docs/fields.asciidoc index d8c7e6d12fc0..13b3e8512532 100644 --- a/metricbeat/docs/fields.asciidoc +++ b/metricbeat/docs/fields.asciidoc @@ -7457,7 +7457,7 @@ Example: `docker` and `k8s` labels. type: object -example: { "application": "foo-bar", "env": "production" } +example: {"application": "foo-bar", "env": "production"} -- @@ -7912,7 +7912,7 @@ type: keyword *`client.user.id`*:: + -- -One or multiple unique identifiers of the user. +Unique identifiers of the user. type: keyword @@ -8018,6 +8018,70 @@ example: us-east-1 -- +[float] +=== code_signature + +These fields contain information about binary code signatures. + + +*`code_signature.exists`*:: ++ +-- +Boolean to capture if a signature is present. + +type: boolean + +example: true + +-- + +*`code_signature.status`*:: ++ +-- +Additional information about the certificate status. +This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. + +type: keyword + +example: ERROR_UNTRUSTED_ROOT + +-- + +*`code_signature.subject_name`*:: ++ +-- +Subject name of the code signer + +type: keyword + +example: Microsoft Corporation + +-- + +*`code_signature.trusted`*:: ++ +-- +Stores the trust status of the certificate chain. +Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. + +type: boolean + +example: true + +-- + +*`code_signature.valid`*:: ++ +-- +Boolean to capture if the digital signature is verified against the binary content. +Leave unpopulated if a certificate was unchecked. + +type: boolean + +example: true + +-- + [float] === container @@ -8046,7 +8110,7 @@ type: keyword *`container.image.tag`*:: + -- -Container image tag. +Container image tags. type: keyword @@ -8405,7 +8469,7 @@ type: keyword *`destination.user.id`*:: + -- -One or multiple unique identifiers of the user. +Unique identifiers of the user. type: keyword @@ -8429,6 +8493,189 @@ type: text -- +[float] +=== dll + +These fields contain information about code libraries dynamically loaded into processes. + +Many operating systems refer to "shared code libraries" with different names, but this field set refers to all of the following: +* Dynamic-link library (`.dll`) commonly used on Windows +* Shared Object (`.so`) commonly used on Unix-like operating systems +* Dynamic library (`.dylib`) commonly used on macOS + + +*`dll.code_signature.exists`*:: ++ +-- +Boolean to capture if a signature is present. + +type: boolean + +example: true + +-- + +*`dll.code_signature.status`*:: ++ +-- +Additional information about the certificate status. +This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. + +type: keyword + +example: ERROR_UNTRUSTED_ROOT + +-- + +*`dll.code_signature.subject_name`*:: ++ +-- +Subject name of the code signer + +type: keyword + +example: Microsoft Corporation + +-- + +*`dll.code_signature.trusted`*:: ++ +-- +Stores the trust status of the certificate chain. +Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. + +type: boolean + +example: true + +-- + +*`dll.code_signature.valid`*:: ++ +-- +Boolean to capture if the digital signature is verified against the binary content. +Leave unpopulated if a certificate was unchecked. + +type: boolean + +example: true + +-- + +*`dll.hash.md5`*:: ++ +-- +MD5 hash. + +type: keyword + +-- + +*`dll.hash.sha1`*:: ++ +-- +SHA1 hash. + +type: keyword + +-- + +*`dll.hash.sha256`*:: ++ +-- +SHA256 hash. + +type: keyword + +-- + +*`dll.hash.sha512`*:: ++ +-- +SHA512 hash. + +type: keyword + +-- + +*`dll.name`*:: ++ +-- +Name of the library. +This generally maps to the name of the file on disk. + +type: keyword + +example: kernel32.dll + +-- + +*`dll.path`*:: ++ +-- +Full file path of the library. + +type: keyword + +example: C:\Windows\System32\kernel32.dll + +-- + +*`dll.pe.company`*:: ++ +-- +Internal company name of the file, provided at compile-time. + +type: keyword + +example: Microsoft Corporation + +-- + +*`dll.pe.description`*:: ++ +-- +Internal description of the file, provided at compile-time. + +type: keyword + +example: Paint + +-- + +*`dll.pe.file_version`*:: ++ +-- +Internal version of the file, provided at compile-time. + +type: keyword + +example: 6.3.9600.17415 + +-- + +*`dll.pe.original_file_name`*:: ++ +-- +Internal name of the file, provided at compile-time. + +type: keyword + +example: MSPAINT.EXE + +-- + +*`dll.pe.product`*:: ++ +-- +Internal product name of the file, provided at compile-time. + +type: keyword + +example: Microsoft® Windows® Operating System + +-- + [float] === dns @@ -8730,7 +8977,7 @@ example: java.lang.NullPointerException === event The event fields are used for context information about the log or metric event itself. -A log is defined as an event containing details of something that happened. Log events must include the time at which the thing happened. Examples of log events include a process starting on a host, a network packet being sent from a source to a destination, or a network connection between a client and a server being initiated or closed. A metric is defined as an event containing one or more numerical or categorical measurements and the time at which the measurement was taken. Examples of metric events include memory pressure measured on a host, or vulnerabilities measured on a scanned host. +A log is defined as an event containing details of something that happened. Log events must include the time at which the thing happened. Examples of log events include a process starting on a host, a network packet being sent from a source to a destination, or a network connection between a client and a server being initiated or closed. A metric is defined as an event containing one or more numerical measurements and the time at which the measurement was taken. Examples of metric events include memory pressure measured on a host and device temperature. See the `event.kind` definition in this section for additional details about metric and state events. *`event.action`*:: @@ -8780,7 +9027,7 @@ In case the two timestamps are identical, @timestamp should be used. type: date -example: 2016-05-23 08:05:34.857000 +example: 2016-05-23T08:05:34.857Z -- @@ -8849,7 +9096,7 @@ In normal conditions, assuming no tampering, the timestamps should chronological type: date -example: 2016-05-23 08:05:35.101000 +example: 2016-05-23T08:05:35.101Z -- @@ -8894,7 +9141,10 @@ example: Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0&# + -- This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. -`event.outcome` simply denotes whether the event represent a success or a failure. Note that not all events will have an associated outcome. For example, this field is generally not populated for metric events or events with `event.type:info`. +`event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. +Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. +Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. +Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. type: keyword @@ -8914,6 +9164,18 @@ example: kernel -- +*`event.reference`*:: ++ +-- +Reference URL linking to additional information about this event. +This URL links to a static definition of the this event. Alert events, indicated by `event.kind:alert`, are a common use case for this field. + +type: keyword + +example: https://system.vendor.com/event/#0001234 + +-- + *`event.risk_score`*:: + -- @@ -8937,7 +9199,7 @@ type: float + -- Sequence number of the event. -The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regarless of the timestamp precision. +The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regardless of the timestamp precision. type: long @@ -8990,6 +9252,18 @@ type: keyword -- +*`event.url`*:: ++ +-- +URL linking to an external system to continue investigation of this event. +This URL links to another system where in-depth investigation of the specific occurence of this event can take place. Alert events, indicated by `event.kind:alert`, are a common use case for this field. + +type: keyword + +example: https://mysystem.mydomain.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe + +-- + [float] === file @@ -9019,6 +9293,64 @@ example: ["readonly", "system"] -- +*`file.code_signature.exists`*:: ++ +-- +Boolean to capture if a signature is present. + +type: boolean + +example: true + +-- + +*`file.code_signature.status`*:: ++ +-- +Additional information about the certificate status. +This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. + +type: keyword + +example: ERROR_UNTRUSTED_ROOT + +-- + +*`file.code_signature.subject_name`*:: ++ +-- +Subject name of the code signer + +type: keyword + +example: Microsoft Corporation + +-- + +*`file.code_signature.trusted`*:: ++ +-- +Stores the trust status of the certificate chain. +Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. + +type: boolean + +example: true + +-- + +*`file.code_signature.valid`*:: ++ +-- +Boolean to capture if the digital signature is verified against the binary content. +Leave unpopulated if a certificate was unchecked. + +type: boolean + +example: true + +-- + *`file.created`*:: + -- @@ -9153,6 +9485,15 @@ example: 256383 -- +*`file.mime_type`*:: ++ +-- +MIME type should identify the format of the file or stream of bytes using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official types], where possible. When more than one type is applicable, the most specific type should be used. + +type: keyword + +-- + *`file.mode`*:: + -- @@ -9213,6 +9554,61 @@ type: text -- +*`file.pe.company`*:: ++ +-- +Internal company name of the file, provided at compile-time. + +type: keyword + +example: Microsoft Corporation + +-- + +*`file.pe.description`*:: ++ +-- +Internal description of the file, provided at compile-time. + +type: keyword + +example: Paint + +-- + +*`file.pe.file_version`*:: ++ +-- +Internal version of the file, provided at compile-time. + +type: keyword + +example: 6.3.9600.17415 + +-- + +*`file.pe.original_file_name`*:: ++ +-- +Internal name of the file, provided at compile-time. + +type: keyword + +example: MSPAINT.EXE + +-- + +*`file.pe.product`*:: ++ +-- +Internal product name of the file, provided at compile-time. + +type: keyword + +example: Microsoft® Windows® Operating System + +-- + *`file.size`*:: + -- @@ -9581,7 +9977,7 @@ type: keyword *`host.ip`*:: + -- -Host ip address. +Host ip addresses. type: ip @@ -9590,7 +9986,7 @@ type: ip *`host.mac`*:: + -- -Host mac address. +Host mac addresses. type: keyword @@ -9785,7 +10181,7 @@ type: keyword *`host.user.id`*:: + -- -One or multiple unique identifiers of the user. +Unique identifiers of the user. type: keyword @@ -9950,6 +10346,45 @@ example: 1.1 -- +[float] +=== interface + +The interface fields are used to record ingress and egress interface information when reported by an observer (e.g. firewall, router, load balancer) in the context of the observer handling a network connection. In the case of a single observer interface (e.g. network sensor on a span port) only the observer.ingress information should be populated. + + +*`interface.alias`*:: ++ +-- +Interface alias as reported by the system, typically used in firewall implementations for e.g. inside, outside, or dmz logical interface naming. + +type: keyword + +example: outside + +-- + +*`interface.id`*:: ++ +-- +Interface ID as reported by an observer (typically SNMP interface ID). + +type: keyword + +example: 10 + +-- + +*`interface.name`*:: ++ +-- +Interface name as reported by the system. + +type: keyword + +example: eth0 + +-- + [float] === log @@ -10187,6 +10622,37 @@ example: 6 -- +*`network.inner`*:: ++ +-- +Network.inner fields are added in addition to network.vlan fields to describe the innermost VLAN when q-in-q VLAN tagging is present. Allowed fields include vlan.id and vlan.name. Inner vlan fields are typically used when sending traffic with multiple 802.1q encapsulations to a network sensor (e.g. Zeek, Wireshark.) + +type: object + +-- + +*`network.inner.vlan.id`*:: ++ +-- +VLAN ID as reported by the observer. + +type: keyword + +example: 10 + +-- + +*`network.inner.vlan.name`*:: ++ +-- +Optional VLAN name as reported by the observer. + +type: keyword + +example: outside + +-- + *`network.name`*:: + -- @@ -10246,6 +10712,28 @@ example: ipv4 -- +*`network.vlan.id`*:: ++ +-- +VLAN ID as reported by the observer. + +type: keyword + +example: 10 + +-- + +*`network.vlan.name`*:: ++ +-- +Optional VLAN name as reported by the observer. + +type: keyword + +example: outside + +-- + [float] === observer @@ -10253,6 +10741,81 @@ An observer is defined as a special network, security, or application device use This could be a custom hardware appliance or a server that has been configured to run special network, security, or application software. Examples include firewalls, web proxies, intrusion detection/prevention systems, network monitoring sensors, web application firewalls, data loss prevention systems, and APM servers. The observer.* fields shall be populated with details of the system, if any, that detects, observes and/or creates a network, security, or application event or metric. Message queues and ETL components used in processing events or metrics are not considered observers in ECS. +*`observer.egress`*:: ++ +-- +Observer.egress holds information like interface number and name, vlan, and zone information to classify egress traffic. Single armed monitoring such as a network sensor on a span port should only use observer.ingress to categorize traffic. + +type: object + +-- + +*`observer.egress.interface.alias`*:: ++ +-- +Interface alias as reported by the system, typically used in firewall implementations for e.g. inside, outside, or dmz logical interface naming. + +type: keyword + +example: outside + +-- + +*`observer.egress.interface.id`*:: ++ +-- +Interface ID as reported by an observer (typically SNMP interface ID). + +type: keyword + +example: 10 + +-- + +*`observer.egress.interface.name`*:: ++ +-- +Interface name as reported by the system. + +type: keyword + +example: eth0 + +-- + +*`observer.egress.vlan.id`*:: ++ +-- +VLAN ID as reported by the observer. + +type: keyword + +example: 10 + +-- + +*`observer.egress.vlan.name`*:: ++ +-- +Optional VLAN name as reported by the observer. + +type: keyword + +example: outside + +-- + +*`observer.egress.zone`*:: ++ +-- +Network zone of outbound traffic as reported by the observer to categorize the destination area of egress traffic, e.g. Internal, External, DMZ, HR, Legal, etc. + +type: keyword + +example: Public_Internet + +-- + *`observer.geo.city_name`*:: + -- @@ -10352,10 +10915,85 @@ type: keyword -- +*`observer.ingress`*:: ++ +-- +Observer.ingress holds information like interface number and name, vlan, and zone information to classify ingress traffic. Single armed monitoring such as a network sensor on a span port should only use observer.ingress to categorize traffic. + +type: object + +-- + +*`observer.ingress.interface.alias`*:: ++ +-- +Interface alias as reported by the system, typically used in firewall implementations for e.g. inside, outside, or dmz logical interface naming. + +type: keyword + +example: outside + +-- + +*`observer.ingress.interface.id`*:: ++ +-- +Interface ID as reported by an observer (typically SNMP interface ID). + +type: keyword + +example: 10 + +-- + +*`observer.ingress.interface.name`*:: ++ +-- +Interface name as reported by the system. + +type: keyword + +example: eth0 + +-- + +*`observer.ingress.vlan.id`*:: ++ +-- +VLAN ID as reported by the observer. + +type: keyword + +example: 10 + +-- + +*`observer.ingress.vlan.name`*:: ++ +-- +Optional VLAN name as reported by the observer. + +type: keyword + +example: outside + +-- + +*`observer.ingress.zone`*:: ++ +-- +Network zone of incoming traffic as reported by the observer to categorize the source area of ingress traffic. e.g. internal, External, DMZ, HR, Legal, etc. + +type: keyword + +example: DMZ + +-- + *`observer.ip`*:: + -- -IP address of the observer. +IP addresses of the observer. type: ip @@ -10364,7 +11002,7 @@ type: ip *`observer.mac`*:: + -- -MAC address of the observer +MAC addresses of the observer type: keyword @@ -10785,6 +11423,67 @@ example: 1.12.9 -- +[float] +=== pe + +These fields contain Windows Portable Executable (PE) metadata. + + +*`pe.company`*:: ++ +-- +Internal company name of the file, provided at compile-time. + +type: keyword + +example: Microsoft Corporation + +-- + +*`pe.description`*:: ++ +-- +Internal description of the file, provided at compile-time. + +type: keyword + +example: Paint + +-- + +*`pe.file_version`*:: ++ +-- +Internal version of the file, provided at compile-time. + +type: keyword + +example: 6.3.9600.17415 + +-- + +*`pe.original_file_name`*:: ++ +-- +Internal name of the file, provided at compile-time. + +type: keyword + +example: MSPAINT.EXE + +-- + +*`pe.product`*:: ++ +-- +Internal product name of the file, provided at compile-time. + +type: keyword + +example: Microsoft® Windows® Operating System + +-- + [float] === process @@ -10816,6 +11515,64 @@ example: 4 -- +*`process.code_signature.exists`*:: ++ +-- +Boolean to capture if a signature is present. + +type: boolean + +example: true + +-- + +*`process.code_signature.status`*:: ++ +-- +Additional information about the certificate status. +This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. + +type: keyword + +example: ERROR_UNTRUSTED_ROOT + +-- + +*`process.code_signature.subject_name`*:: ++ +-- +Subject name of the code signer + +type: keyword + +example: Microsoft Corporation + +-- + +*`process.code_signature.trusted`*:: ++ +-- +Stores the trust status of the certificate chain. +Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. + +type: boolean + +example: true + +-- + +*`process.code_signature.valid`*:: ++ +-- +Boolean to capture if the digital signature is verified against the binary content. +Leave unpopulated if a certificate was unchecked. + +type: boolean + +example: true + +-- + *`process.command_line`*:: + -- @@ -10835,6 +11592,19 @@ type: text -- +*`process.entity_id`*:: ++ +-- +Unique identifier for the process. +The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. +Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. + +type: keyword + +example: c2c455d9f99375d + +-- + *`process.executable`*:: + -- @@ -10944,6 +11714,64 @@ example: 4 -- +*`process.parent.code_signature.exists`*:: ++ +-- +Boolean to capture if a signature is present. + +type: boolean + +example: true + +-- + +*`process.parent.code_signature.status`*:: ++ +-- +Additional information about the certificate status. +This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. + +type: keyword + +example: ERROR_UNTRUSTED_ROOT + +-- + +*`process.parent.code_signature.subject_name`*:: ++ +-- +Subject name of the code signer + +type: keyword + +example: Microsoft Corporation + +-- + +*`process.parent.code_signature.trusted`*:: ++ +-- +Stores the trust status of the certificate chain. +Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. + +type: boolean + +example: true + +-- + +*`process.parent.code_signature.valid`*:: ++ +-- +Boolean to capture if the digital signature is verified against the binary content. +Leave unpopulated if a certificate was unchecked. + +type: boolean + +example: true + +-- + *`process.parent.command_line`*:: + -- @@ -10963,6 +11791,19 @@ type: text -- +*`process.parent.entity_id`*:: ++ +-- +Unique identifier for the process. +The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. +Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. + +type: keyword + +example: c2c455d9f99375d + +-- + *`process.parent.executable`*:: + -- @@ -10993,6 +11834,42 @@ example: 137 -- +*`process.parent.hash.md5`*:: ++ +-- +MD5 hash. + +type: keyword + +-- + +*`process.parent.hash.sha1`*:: ++ +-- +SHA1 hash. + +type: keyword + +-- + +*`process.parent.hash.sha256`*:: ++ +-- +SHA256 hash. + +type: keyword + +-- + +*`process.parent.hash.sha512`*:: ++ +-- +SHA512 hash. + +type: keyword + +-- + *`process.parent.name`*:: + -- @@ -11130,6 +12007,61 @@ type: text -- +*`process.pe.company`*:: ++ +-- +Internal company name of the file, provided at compile-time. + +type: keyword + +example: Microsoft Corporation + +-- + +*`process.pe.description`*:: ++ +-- +Internal description of the file, provided at compile-time. + +type: keyword + +example: Paint + +-- + +*`process.pe.file_version`*:: ++ +-- +Internal version of the file, provided at compile-time. + +type: keyword + +example: 6.3.9600.17415 + +-- + +*`process.pe.original_file_name`*:: ++ +-- +Internal name of the file, provided at compile-time. + +type: keyword + +example: MSPAINT.EXE + +-- + +*`process.pe.product`*:: ++ +-- +Internal product name of the file, provided at compile-time. + +type: keyword + +example: Microsoft® Windows® Operating System + +-- + *`process.pgid`*:: + -- @@ -11338,8 +12270,17 @@ example: Debugger This field set is meant to facilitate pivoting around a piece of data. Some pieces of information can be seen in many places in an ECS event. To facilitate searching for them, store an array of all seen values to their corresponding field in `related.`. -A concrete example is IP addresses, which can be under host, observer, source, destination, client, server, and network.forwarded_ip. If you append all IPs to `related.ip`, you can then search for a given IP trivially, no matter where it appeared, by querying `related.ip:a.b.c.d`. +A concrete example is IP addresses, which can be under host, observer, source, destination, client, server, and network.forwarded_ip. If you append all IPs to `related.ip`, you can then search for a given IP trivially, no matter where it appeared, by querying `related.ip:192.0.2.15`. + + +*`related.hash`*:: ++ +-- +All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). + +type: keyword +-- *`related.ip`*:: + @@ -11366,6 +12307,17 @@ Rule fields are used to capture the specifics of any observer or agent rules tha Examples of data sources that would populate the rule fields include: network admission control platforms, network or host IDS/IPS, network firewalls, web application firewalls, url filters, endpoint detection and response (EDR) systems, etc. +*`rule.author`*:: ++ +-- +Name, organization, or pseudonym of the author or authors who created the rule used to generate this event. + +type: keyword + +example: ['Star-Lord'] + +-- + *`rule.category`*:: + -- @@ -11399,6 +12351,17 @@ example: 101 -- +*`rule.license`*:: ++ +-- +Name of the license under which the rule used to generate this event is made available. + +type: keyword + +example: Apache 2.0 + +-- + *`rule.name`*:: + -- @@ -11780,7 +12743,7 @@ type: keyword *`server.user.id`*:: + -- -One or multiple unique identifiers of the user. +Unique identifiers of the user. type: keyword @@ -12220,7 +13183,7 @@ type: keyword *`source.user.id`*:: + -- -One or multiple unique identifiers of the user. +Unique identifiers of the user. type: keyword @@ -12937,7 +13900,7 @@ type: keyword *`user.id`*:: + -- -One or multiple unique identifiers of the user. +Unique identifiers of the user. type: keyword @@ -13099,6 +14062,37 @@ example: 12.0 -- +[float] +=== vlan + +The VLAN fields are used to identify 802.1q tag(s) of a packet, as well as ingress and egress VLAN associations of an observer in relation to a specific packet or connection. +Network.vlan fields are used to record a single VLAN tag, or the outer tag in the case of q-in-q encapsulations, for a packet or connection as observed, typically provided by a network sensor (e.g. Zeek, Wireshark) passively reporting on traffic. +Network.inner VLAN fields are used to report inner q-in-q 802.1q tags (multiple 802.1q encapsulations) as observed, typically provided by a network sensor (e.g. Zeek, Wireshark) passively reporting on traffic. Network.inner VLAN fields should only be used in addition to network.vlan fields to indicate q-in-q tagging. +Observer.ingress and observer.egress VLAN values are used to record observer specific information when observer events contain discrete ingress and egress VLAN information, typically provided by firewalls, routers, or load balancers. + + +*`vlan.id`*:: ++ +-- +VLAN ID as reported by the observer. + +type: keyword + +example: 10 + +-- + +*`vlan.name`*:: ++ +-- +Optional VLAN name as reported by the observer. + +type: keyword + +example: outside + +-- + [float] === vulnerability diff --git a/metricbeat/include/fields/fields.go b/metricbeat/include/fields/fields.go index bbb4f4bd0f1d..6b3c153623f3 100644 --- a/metricbeat/include/fields/fields.go +++ b/metricbeat/include/fields/fields.go @@ -32,5 +32,5 @@ func init() { // AssetLibbeatFieldsYml returns asset data. // This is the base64 encoded gzipped contents of ../libbeat/fields.yml. func AssetLibbeatFieldsYml() string { - return "" + return "" } diff --git a/packetbeat/docs/fields.asciidoc b/packetbeat/docs/fields.asciidoc index 4ccce67f3347..1089bf929a8b 100644 --- a/packetbeat/docs/fields.asciidoc +++ b/packetbeat/docs/fields.asciidoc @@ -2162,7 +2162,7 @@ Example: `docker` and `k8s` labels. type: object -example: { "application": "foo-bar", "env": "production" } +example: {"application": "foo-bar", "env": "production"} -- @@ -2617,7 +2617,7 @@ type: keyword *`client.user.id`*:: + -- -One or multiple unique identifiers of the user. +Unique identifiers of the user. type: keyword @@ -2723,6 +2723,70 @@ example: us-east-1 -- +[float] +=== code_signature + +These fields contain information about binary code signatures. + + +*`code_signature.exists`*:: ++ +-- +Boolean to capture if a signature is present. + +type: boolean + +example: true + +-- + +*`code_signature.status`*:: ++ +-- +Additional information about the certificate status. +This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. + +type: keyword + +example: ERROR_UNTRUSTED_ROOT + +-- + +*`code_signature.subject_name`*:: ++ +-- +Subject name of the code signer + +type: keyword + +example: Microsoft Corporation + +-- + +*`code_signature.trusted`*:: ++ +-- +Stores the trust status of the certificate chain. +Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. + +type: boolean + +example: true + +-- + +*`code_signature.valid`*:: ++ +-- +Boolean to capture if the digital signature is verified against the binary content. +Leave unpopulated if a certificate was unchecked. + +type: boolean + +example: true + +-- + [float] === container @@ -2751,7 +2815,7 @@ type: keyword *`container.image.tag`*:: + -- -Container image tag. +Container image tags. type: keyword @@ -3110,7 +3174,7 @@ type: keyword *`destination.user.id`*:: + -- -One or multiple unique identifiers of the user. +Unique identifiers of the user. type: keyword @@ -3134,6 +3198,189 @@ type: text -- +[float] +=== dll + +These fields contain information about code libraries dynamically loaded into processes. + +Many operating systems refer to "shared code libraries" with different names, but this field set refers to all of the following: +* Dynamic-link library (`.dll`) commonly used on Windows +* Shared Object (`.so`) commonly used on Unix-like operating systems +* Dynamic library (`.dylib`) commonly used on macOS + + +*`dll.code_signature.exists`*:: ++ +-- +Boolean to capture if a signature is present. + +type: boolean + +example: true + +-- + +*`dll.code_signature.status`*:: ++ +-- +Additional information about the certificate status. +This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. + +type: keyword + +example: ERROR_UNTRUSTED_ROOT + +-- + +*`dll.code_signature.subject_name`*:: ++ +-- +Subject name of the code signer + +type: keyword + +example: Microsoft Corporation + +-- + +*`dll.code_signature.trusted`*:: ++ +-- +Stores the trust status of the certificate chain. +Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. + +type: boolean + +example: true + +-- + +*`dll.code_signature.valid`*:: ++ +-- +Boolean to capture if the digital signature is verified against the binary content. +Leave unpopulated if a certificate was unchecked. + +type: boolean + +example: true + +-- + +*`dll.hash.md5`*:: ++ +-- +MD5 hash. + +type: keyword + +-- + +*`dll.hash.sha1`*:: ++ +-- +SHA1 hash. + +type: keyword + +-- + +*`dll.hash.sha256`*:: ++ +-- +SHA256 hash. + +type: keyword + +-- + +*`dll.hash.sha512`*:: ++ +-- +SHA512 hash. + +type: keyword + +-- + +*`dll.name`*:: ++ +-- +Name of the library. +This generally maps to the name of the file on disk. + +type: keyword + +example: kernel32.dll + +-- + +*`dll.path`*:: ++ +-- +Full file path of the library. + +type: keyword + +example: C:\Windows\System32\kernel32.dll + +-- + +*`dll.pe.company`*:: ++ +-- +Internal company name of the file, provided at compile-time. + +type: keyword + +example: Microsoft Corporation + +-- + +*`dll.pe.description`*:: ++ +-- +Internal description of the file, provided at compile-time. + +type: keyword + +example: Paint + +-- + +*`dll.pe.file_version`*:: ++ +-- +Internal version of the file, provided at compile-time. + +type: keyword + +example: 6.3.9600.17415 + +-- + +*`dll.pe.original_file_name`*:: ++ +-- +Internal name of the file, provided at compile-time. + +type: keyword + +example: MSPAINT.EXE + +-- + +*`dll.pe.product`*:: ++ +-- +Internal product name of the file, provided at compile-time. + +type: keyword + +example: Microsoft® Windows® Operating System + +-- + [float] === dns @@ -3435,7 +3682,7 @@ example: java.lang.NullPointerException === event The event fields are used for context information about the log or metric event itself. -A log is defined as an event containing details of something that happened. Log events must include the time at which the thing happened. Examples of log events include a process starting on a host, a network packet being sent from a source to a destination, or a network connection between a client and a server being initiated or closed. A metric is defined as an event containing one or more numerical or categorical measurements and the time at which the measurement was taken. Examples of metric events include memory pressure measured on a host, or vulnerabilities measured on a scanned host. +A log is defined as an event containing details of something that happened. Log events must include the time at which the thing happened. Examples of log events include a process starting on a host, a network packet being sent from a source to a destination, or a network connection between a client and a server being initiated or closed. A metric is defined as an event containing one or more numerical measurements and the time at which the measurement was taken. Examples of metric events include memory pressure measured on a host and device temperature. See the `event.kind` definition in this section for additional details about metric and state events. *`event.action`*:: @@ -3485,7 +3732,7 @@ In case the two timestamps are identical, @timestamp should be used. type: date -example: 2016-05-23 08:05:34.857000 +example: 2016-05-23T08:05:34.857Z -- @@ -3554,7 +3801,7 @@ In normal conditions, assuming no tampering, the timestamps should chronological type: date -example: 2016-05-23 08:05:35.101000 +example: 2016-05-23T08:05:35.101Z -- @@ -3599,7 +3846,10 @@ example: Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0&# + -- This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. -`event.outcome` simply denotes whether the event represent a success or a failure. Note that not all events will have an associated outcome. For example, this field is generally not populated for metric events or events with `event.type:info`. +`event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. +Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. +Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. +Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. type: keyword @@ -3619,6 +3869,18 @@ example: kernel -- +*`event.reference`*:: ++ +-- +Reference URL linking to additional information about this event. +This URL links to a static definition of the this event. Alert events, indicated by `event.kind:alert`, are a common use case for this field. + +type: keyword + +example: https://system.vendor.com/event/#0001234 + +-- + *`event.risk_score`*:: + -- @@ -3642,7 +3904,7 @@ type: float + -- Sequence number of the event. -The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regarless of the timestamp precision. +The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regardless of the timestamp precision. type: long @@ -3695,6 +3957,18 @@ type: keyword -- +*`event.url`*:: ++ +-- +URL linking to an external system to continue investigation of this event. +This URL links to another system where in-depth investigation of the specific occurence of this event can take place. Alert events, indicated by `event.kind:alert`, are a common use case for this field. + +type: keyword + +example: https://mysystem.mydomain.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe + +-- + [float] === file @@ -3724,6 +3998,64 @@ example: ["readonly", "system"] -- +*`file.code_signature.exists`*:: ++ +-- +Boolean to capture if a signature is present. + +type: boolean + +example: true + +-- + +*`file.code_signature.status`*:: ++ +-- +Additional information about the certificate status. +This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. + +type: keyword + +example: ERROR_UNTRUSTED_ROOT + +-- + +*`file.code_signature.subject_name`*:: ++ +-- +Subject name of the code signer + +type: keyword + +example: Microsoft Corporation + +-- + +*`file.code_signature.trusted`*:: ++ +-- +Stores the trust status of the certificate chain. +Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. + +type: boolean + +example: true + +-- + +*`file.code_signature.valid`*:: ++ +-- +Boolean to capture if the digital signature is verified against the binary content. +Leave unpopulated if a certificate was unchecked. + +type: boolean + +example: true + +-- + *`file.created`*:: + -- @@ -3858,6 +4190,15 @@ example: 256383 -- +*`file.mime_type`*:: ++ +-- +MIME type should identify the format of the file or stream of bytes using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official types], where possible. When more than one type is applicable, the most specific type should be used. + +type: keyword + +-- + *`file.mode`*:: + -- @@ -3918,6 +4259,61 @@ type: text -- +*`file.pe.company`*:: ++ +-- +Internal company name of the file, provided at compile-time. + +type: keyword + +example: Microsoft Corporation + +-- + +*`file.pe.description`*:: ++ +-- +Internal description of the file, provided at compile-time. + +type: keyword + +example: Paint + +-- + +*`file.pe.file_version`*:: ++ +-- +Internal version of the file, provided at compile-time. + +type: keyword + +example: 6.3.9600.17415 + +-- + +*`file.pe.original_file_name`*:: ++ +-- +Internal name of the file, provided at compile-time. + +type: keyword + +example: MSPAINT.EXE + +-- + +*`file.pe.product`*:: ++ +-- +Internal product name of the file, provided at compile-time. + +type: keyword + +example: Microsoft® Windows® Operating System + +-- + *`file.size`*:: + -- @@ -4286,7 +4682,7 @@ type: keyword *`host.ip`*:: + -- -Host ip address. +Host ip addresses. type: ip @@ -4295,7 +4691,7 @@ type: ip *`host.mac`*:: + -- -Host mac address. +Host mac addresses. type: keyword @@ -4490,7 +4886,7 @@ type: keyword *`host.user.id`*:: + -- -One or multiple unique identifiers of the user. +Unique identifiers of the user. type: keyword @@ -4655,6 +5051,45 @@ example: 1.1 -- +[float] +=== interface + +The interface fields are used to record ingress and egress interface information when reported by an observer (e.g. firewall, router, load balancer) in the context of the observer handling a network connection. In the case of a single observer interface (e.g. network sensor on a span port) only the observer.ingress information should be populated. + + +*`interface.alias`*:: ++ +-- +Interface alias as reported by the system, typically used in firewall implementations for e.g. inside, outside, or dmz logical interface naming. + +type: keyword + +example: outside + +-- + +*`interface.id`*:: ++ +-- +Interface ID as reported by an observer (typically SNMP interface ID). + +type: keyword + +example: 10 + +-- + +*`interface.name`*:: ++ +-- +Interface name as reported by the system. + +type: keyword + +example: eth0 + +-- + [float] === log @@ -4892,6 +5327,37 @@ example: 6 -- +*`network.inner`*:: ++ +-- +Network.inner fields are added in addition to network.vlan fields to describe the innermost VLAN when q-in-q VLAN tagging is present. Allowed fields include vlan.id and vlan.name. Inner vlan fields are typically used when sending traffic with multiple 802.1q encapsulations to a network sensor (e.g. Zeek, Wireshark.) + +type: object + +-- + +*`network.inner.vlan.id`*:: ++ +-- +VLAN ID as reported by the observer. + +type: keyword + +example: 10 + +-- + +*`network.inner.vlan.name`*:: ++ +-- +Optional VLAN name as reported by the observer. + +type: keyword + +example: outside + +-- + *`network.name`*:: + -- @@ -4951,6 +5417,28 @@ example: ipv4 -- +*`network.vlan.id`*:: ++ +-- +VLAN ID as reported by the observer. + +type: keyword + +example: 10 + +-- + +*`network.vlan.name`*:: ++ +-- +Optional VLAN name as reported by the observer. + +type: keyword + +example: outside + +-- + [float] === observer @@ -4958,6 +5446,81 @@ An observer is defined as a special network, security, or application device use This could be a custom hardware appliance or a server that has been configured to run special network, security, or application software. Examples include firewalls, web proxies, intrusion detection/prevention systems, network monitoring sensors, web application firewalls, data loss prevention systems, and APM servers. The observer.* fields shall be populated with details of the system, if any, that detects, observes and/or creates a network, security, or application event or metric. Message queues and ETL components used in processing events or metrics are not considered observers in ECS. +*`observer.egress`*:: ++ +-- +Observer.egress holds information like interface number and name, vlan, and zone information to classify egress traffic. Single armed monitoring such as a network sensor on a span port should only use observer.ingress to categorize traffic. + +type: object + +-- + +*`observer.egress.interface.alias`*:: ++ +-- +Interface alias as reported by the system, typically used in firewall implementations for e.g. inside, outside, or dmz logical interface naming. + +type: keyword + +example: outside + +-- + +*`observer.egress.interface.id`*:: ++ +-- +Interface ID as reported by an observer (typically SNMP interface ID). + +type: keyword + +example: 10 + +-- + +*`observer.egress.interface.name`*:: ++ +-- +Interface name as reported by the system. + +type: keyword + +example: eth0 + +-- + +*`observer.egress.vlan.id`*:: ++ +-- +VLAN ID as reported by the observer. + +type: keyword + +example: 10 + +-- + +*`observer.egress.vlan.name`*:: ++ +-- +Optional VLAN name as reported by the observer. + +type: keyword + +example: outside + +-- + +*`observer.egress.zone`*:: ++ +-- +Network zone of outbound traffic as reported by the observer to categorize the destination area of egress traffic, e.g. Internal, External, DMZ, HR, Legal, etc. + +type: keyword + +example: Public_Internet + +-- + *`observer.geo.city_name`*:: + -- @@ -5057,10 +5620,85 @@ type: keyword -- +*`observer.ingress`*:: ++ +-- +Observer.ingress holds information like interface number and name, vlan, and zone information to classify ingress traffic. Single armed monitoring such as a network sensor on a span port should only use observer.ingress to categorize traffic. + +type: object + +-- + +*`observer.ingress.interface.alias`*:: ++ +-- +Interface alias as reported by the system, typically used in firewall implementations for e.g. inside, outside, or dmz logical interface naming. + +type: keyword + +example: outside + +-- + +*`observer.ingress.interface.id`*:: ++ +-- +Interface ID as reported by an observer (typically SNMP interface ID). + +type: keyword + +example: 10 + +-- + +*`observer.ingress.interface.name`*:: ++ +-- +Interface name as reported by the system. + +type: keyword + +example: eth0 + +-- + +*`observer.ingress.vlan.id`*:: ++ +-- +VLAN ID as reported by the observer. + +type: keyword + +example: 10 + +-- + +*`observer.ingress.vlan.name`*:: ++ +-- +Optional VLAN name as reported by the observer. + +type: keyword + +example: outside + +-- + +*`observer.ingress.zone`*:: ++ +-- +Network zone of incoming traffic as reported by the observer to categorize the source area of ingress traffic. e.g. internal, External, DMZ, HR, Legal, etc. + +type: keyword + +example: DMZ + +-- + *`observer.ip`*:: + -- -IP address of the observer. +IP addresses of the observer. type: ip @@ -5069,7 +5707,7 @@ type: ip *`observer.mac`*:: + -- -MAC address of the observer +MAC addresses of the observer type: keyword @@ -5490,6 +6128,67 @@ example: 1.12.9 -- +[float] +=== pe + +These fields contain Windows Portable Executable (PE) metadata. + + +*`pe.company`*:: ++ +-- +Internal company name of the file, provided at compile-time. + +type: keyword + +example: Microsoft Corporation + +-- + +*`pe.description`*:: ++ +-- +Internal description of the file, provided at compile-time. + +type: keyword + +example: Paint + +-- + +*`pe.file_version`*:: ++ +-- +Internal version of the file, provided at compile-time. + +type: keyword + +example: 6.3.9600.17415 + +-- + +*`pe.original_file_name`*:: ++ +-- +Internal name of the file, provided at compile-time. + +type: keyword + +example: MSPAINT.EXE + +-- + +*`pe.product`*:: ++ +-- +Internal product name of the file, provided at compile-time. + +type: keyword + +example: Microsoft® Windows® Operating System + +-- + [float] === process @@ -5521,6 +6220,64 @@ example: 4 -- +*`process.code_signature.exists`*:: ++ +-- +Boolean to capture if a signature is present. + +type: boolean + +example: true + +-- + +*`process.code_signature.status`*:: ++ +-- +Additional information about the certificate status. +This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. + +type: keyword + +example: ERROR_UNTRUSTED_ROOT + +-- + +*`process.code_signature.subject_name`*:: ++ +-- +Subject name of the code signer + +type: keyword + +example: Microsoft Corporation + +-- + +*`process.code_signature.trusted`*:: ++ +-- +Stores the trust status of the certificate chain. +Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. + +type: boolean + +example: true + +-- + +*`process.code_signature.valid`*:: ++ +-- +Boolean to capture if the digital signature is verified against the binary content. +Leave unpopulated if a certificate was unchecked. + +type: boolean + +example: true + +-- + *`process.command_line`*:: + -- @@ -5540,6 +6297,19 @@ type: text -- +*`process.entity_id`*:: ++ +-- +Unique identifier for the process. +The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. +Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. + +type: keyword + +example: c2c455d9f99375d + +-- + *`process.executable`*:: + -- @@ -5649,6 +6419,64 @@ example: 4 -- +*`process.parent.code_signature.exists`*:: ++ +-- +Boolean to capture if a signature is present. + +type: boolean + +example: true + +-- + +*`process.parent.code_signature.status`*:: ++ +-- +Additional information about the certificate status. +This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. + +type: keyword + +example: ERROR_UNTRUSTED_ROOT + +-- + +*`process.parent.code_signature.subject_name`*:: ++ +-- +Subject name of the code signer + +type: keyword + +example: Microsoft Corporation + +-- + +*`process.parent.code_signature.trusted`*:: ++ +-- +Stores the trust status of the certificate chain. +Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. + +type: boolean + +example: true + +-- + +*`process.parent.code_signature.valid`*:: ++ +-- +Boolean to capture if the digital signature is verified against the binary content. +Leave unpopulated if a certificate was unchecked. + +type: boolean + +example: true + +-- + *`process.parent.command_line`*:: + -- @@ -5668,6 +6496,19 @@ type: text -- +*`process.parent.entity_id`*:: ++ +-- +Unique identifier for the process. +The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. +Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. + +type: keyword + +example: c2c455d9f99375d + +-- + *`process.parent.executable`*:: + -- @@ -5698,6 +6539,42 @@ example: 137 -- +*`process.parent.hash.md5`*:: ++ +-- +MD5 hash. + +type: keyword + +-- + +*`process.parent.hash.sha1`*:: ++ +-- +SHA1 hash. + +type: keyword + +-- + +*`process.parent.hash.sha256`*:: ++ +-- +SHA256 hash. + +type: keyword + +-- + +*`process.parent.hash.sha512`*:: ++ +-- +SHA512 hash. + +type: keyword + +-- + *`process.parent.name`*:: + -- @@ -5835,6 +6712,61 @@ type: text -- +*`process.pe.company`*:: ++ +-- +Internal company name of the file, provided at compile-time. + +type: keyword + +example: Microsoft Corporation + +-- + +*`process.pe.description`*:: ++ +-- +Internal description of the file, provided at compile-time. + +type: keyword + +example: Paint + +-- + +*`process.pe.file_version`*:: ++ +-- +Internal version of the file, provided at compile-time. + +type: keyword + +example: 6.3.9600.17415 + +-- + +*`process.pe.original_file_name`*:: ++ +-- +Internal name of the file, provided at compile-time. + +type: keyword + +example: MSPAINT.EXE + +-- + +*`process.pe.product`*:: ++ +-- +Internal product name of the file, provided at compile-time. + +type: keyword + +example: Microsoft® Windows® Operating System + +-- + *`process.pgid`*:: + -- @@ -6043,8 +6975,17 @@ example: Debugger This field set is meant to facilitate pivoting around a piece of data. Some pieces of information can be seen in many places in an ECS event. To facilitate searching for them, store an array of all seen values to their corresponding field in `related.`. -A concrete example is IP addresses, which can be under host, observer, source, destination, client, server, and network.forwarded_ip. If you append all IPs to `related.ip`, you can then search for a given IP trivially, no matter where it appeared, by querying `related.ip:a.b.c.d`. +A concrete example is IP addresses, which can be under host, observer, source, destination, client, server, and network.forwarded_ip. If you append all IPs to `related.ip`, you can then search for a given IP trivially, no matter where it appeared, by querying `related.ip:192.0.2.15`. + + +*`related.hash`*:: ++ +-- +All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). + +type: keyword +-- *`related.ip`*:: + @@ -6071,6 +7012,17 @@ Rule fields are used to capture the specifics of any observer or agent rules tha Examples of data sources that would populate the rule fields include: network admission control platforms, network or host IDS/IPS, network firewalls, web application firewalls, url filters, endpoint detection and response (EDR) systems, etc. +*`rule.author`*:: ++ +-- +Name, organization, or pseudonym of the author or authors who created the rule used to generate this event. + +type: keyword + +example: ['Star-Lord'] + +-- + *`rule.category`*:: + -- @@ -6104,6 +7056,17 @@ example: 101 -- +*`rule.license`*:: ++ +-- +Name of the license under which the rule used to generate this event is made available. + +type: keyword + +example: Apache 2.0 + +-- + *`rule.name`*:: + -- @@ -6485,7 +7448,7 @@ type: keyword *`server.user.id`*:: + -- -One or multiple unique identifiers of the user. +Unique identifiers of the user. type: keyword @@ -6925,7 +7888,7 @@ type: keyword *`source.user.id`*:: + -- -One or multiple unique identifiers of the user. +Unique identifiers of the user. type: keyword @@ -7642,7 +8605,7 @@ type: keyword *`user.id`*:: + -- -One or multiple unique identifiers of the user. +Unique identifiers of the user. type: keyword @@ -7804,6 +8767,37 @@ example: 12.0 -- +[float] +=== vlan + +The VLAN fields are used to identify 802.1q tag(s) of a packet, as well as ingress and egress VLAN associations of an observer in relation to a specific packet or connection. +Network.vlan fields are used to record a single VLAN tag, or the outer tag in the case of q-in-q encapsulations, for a packet or connection as observed, typically provided by a network sensor (e.g. Zeek, Wireshark) passively reporting on traffic. +Network.inner VLAN fields are used to report inner q-in-q 802.1q tags (multiple 802.1q encapsulations) as observed, typically provided by a network sensor (e.g. Zeek, Wireshark) passively reporting on traffic. Network.inner VLAN fields should only be used in addition to network.vlan fields to indicate q-in-q tagging. +Observer.ingress and observer.egress VLAN values are used to record observer specific information when observer events contain discrete ingress and egress VLAN information, typically provided by firewalls, routers, or load balancers. + + +*`vlan.id`*:: ++ +-- +VLAN ID as reported by the observer. + +type: keyword + +example: 10 + +-- + +*`vlan.name`*:: ++ +-- +Optional VLAN name as reported by the observer. + +type: keyword + +example: outside + +-- + [float] === vulnerability diff --git a/packetbeat/include/fields.go b/packetbeat/include/fields.go index 1a8b22f1572d..68beee23b266 100644 --- a/packetbeat/include/fields.go +++ b/packetbeat/include/fields.go @@ -32,5 +32,5 @@ func init() { // AssetFieldsYml returns asset data. // This is the base64 encoded gzipped contents of fields.yml. func AssetFieldsYml() string { - return "" + return "" } diff --git a/vendor/github.com/elastic/ecs/code/go/ecs/code_signature.go b/vendor/github.com/elastic/ecs/code/go/ecs/code_signature.go new file mode 100644 index 000000000000..df61c3b9355d --- /dev/null +++ b/vendor/github.com/elastic/ecs/code/go/ecs/code_signature.go @@ -0,0 +1,46 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +// Code generated by scripts/gocodegen.go - DO NOT EDIT. + +package ecs + +// These fields contain information about binary code signatures. +type CodeSignature struct { + // Boolean to capture if a signature is present. + Exists bool `ecs:"exists"` + + // Subject name of the code signer + SubjectName string `ecs:"subject_name"` + + // Boolean to capture if the digital signature is verified against the + // binary content. + // Leave unpopulated if a certificate was unchecked. + Valid bool `ecs:"valid"` + + // Stores the trust status of the certificate chain. + // Validating the trust of the certificate chain may be complicated, and + // this field should only be populated by tools that actively check the + // status. + Trusted bool `ecs:"trusted"` + + // Additional information about the certificate status. + // This is useful for logging cryptographic errors with the certificate + // validity or trust status. Leave unpopulated if the validity or trust of + // the certificate was unchecked. + Status string `ecs:"status"` +} diff --git a/vendor/github.com/elastic/ecs/code/go/ecs/container.go b/vendor/github.com/elastic/ecs/code/go/ecs/container.go index be47d0ce940c..34c5698ba506 100644 --- a/vendor/github.com/elastic/ecs/code/go/ecs/container.go +++ b/vendor/github.com/elastic/ecs/code/go/ecs/container.go @@ -32,7 +32,7 @@ type Container struct { // Name of the image the container was built on. ImageName string `ecs:"image.name"` - // Container image tag. + // Container image tags. ImageTag string `ecs:"image.tag"` // Container name. diff --git a/vendor/github.com/elastic/ecs/code/go/ecs/dll.go b/vendor/github.com/elastic/ecs/code/go/ecs/dll.go new file mode 100644 index 000000000000..3671e7096e65 --- /dev/null +++ b/vendor/github.com/elastic/ecs/code/go/ecs/dll.go @@ -0,0 +1,37 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +// Code generated by scripts/gocodegen.go - DO NOT EDIT. + +package ecs + +// These fields contain information about code libraries dynamically loaded +// into processes. +// +// Many operating systems refer to "shared code libraries" with different +// names, but this field set refers to all of the following: +// * Dynamic-link library (`.dll`) commonly used on Windows +// * Shared Object (`.so`) commonly used on Unix-like operating systems +// * Dynamic library (`.dylib`) commonly used on macOS +type Dll struct { + // Name of the library. + // This generally maps to the name of the file on disk. + Name string `ecs:"name"` + + // Full file path of the library. + Path string `ecs:"path"` +} diff --git a/vendor/github.com/elastic/ecs/code/go/ecs/event.go b/vendor/github.com/elastic/ecs/code/go/ecs/event.go index e9c5da72bceb..410d49a0c975 100644 --- a/vendor/github.com/elastic/ecs/code/go/ecs/event.go +++ b/vendor/github.com/elastic/ecs/code/go/ecs/event.go @@ -30,9 +30,10 @@ import ( // log events include a process starting on a host, a network packet being sent // from a source to a destination, or a network connection between a client and // a server being initiated or closed. A metric is defined as an event -// containing one or more numerical or categorical measurements and the time at -// which the measurement was taken. Examples of metric events include memory -// pressure measured on a host, or vulnerabilities measured on a scanned host. +// containing one or more numerical measurements and the time at which the +// measurement was taken. Examples of metric events include memory pressure +// measured on a host and device temperature. See the `event.kind` definition +// in this section for additional details about metric and state events. type Event struct { // Unique ID to describe the event. ID string `ecs:"id"` @@ -73,10 +74,19 @@ type Event struct { // This is one of four ECS Categorization Fields, and indicates the lowest // level in the ECS category hierarchy. - // `event.outcome` simply denotes whether the event represent a success or - // a failure. Note that not all events will have an associated outcome. For - // example, this field is generally not populated for metric events or - // events with `event.type:info`. + // `event.outcome` simply denotes whether the event represents a success or + // a failure from the perspective of the entity that produced the event. + // Note that when a single transaction is described in multiple events, + // each event may populate different values of `event.outcome`, according + // to their perspective. + // Also note that in the case of a compound event (a single event that + // contains multiple logical events), this field should be populated with + // the value that best captures the overall success or failure from the + // perspective of the event producer. + // Further note that not all events will have an associated outcome. For + // example, this field is generally not populated for metric events, events + // with `event.type:info`, or any events for which an outcome does not make + // logical sense. Outcome string `ecs:"outcome"` // This is one of four ECS Categorization Fields, and indicates the third @@ -136,7 +146,7 @@ type Event struct { // Sequence number of the event. // The sequence number is a value published by some event sources, to make - // the exact ordering of events unambiguous, regarless of the timestamp + // the exact ordering of events unambiguous, regardless of the timestamp // precision. Sequence int64 `ecs:"sequence"` @@ -185,4 +195,16 @@ type Event struct { // chronologically look like this: `@timestamp` < `event.created` < // `event.ingested`. Ingested time.Time `ecs:"ingested"` + + // Reference URL linking to additional information about this event. + // This URL links to a static definition of the this event. Alert events, + // indicated by `event.kind:alert`, are a common use case for this field. + Reference string `ecs:"reference"` + + // URL linking to an external system to continue investigation of this + // event. + // This URL links to another system where in-depth investigation of the + // specific occurence of this event can take place. Alert events, indicated + // by `event.kind:alert`, are a common use case for this field. + Url string `ecs:"url"` } diff --git a/vendor/github.com/elastic/ecs/code/go/ecs/file.go b/vendor/github.com/elastic/ecs/code/go/ecs/file.go index 4b85809d3e32..1dc53d28b07a 100644 --- a/vendor/github.com/elastic/ecs/code/go/ecs/file.go +++ b/vendor/github.com/elastic/ecs/code/go/ecs/file.go @@ -102,4 +102,11 @@ type File struct { // Last time the file was accessed. // Note that not all filesystems keep track of access time. Accessed time.Time `ecs:"accessed"` + + // MIME type should identify the format of the file or stream of bytes + // using + // https://www.iana.org/assignments/media-types/media-types.xhtml[IANA + // official types], where possible. When more than one type is applicable, + // the most specific type should be used. + MimeType string `ecs:"mime_type"` } diff --git a/vendor/github.com/elastic/ecs/code/go/ecs/host.go b/vendor/github.com/elastic/ecs/code/go/ecs/host.go index 44e52b6c8acc..1d66d78832fb 100644 --- a/vendor/github.com/elastic/ecs/code/go/ecs/host.go +++ b/vendor/github.com/elastic/ecs/code/go/ecs/host.go @@ -41,10 +41,10 @@ type Host struct { // Example: The current usage of `beat.name`. ID string `ecs:"id"` - // Host ip address. + // Host ip addresses. IP string `ecs:"ip"` - // Host mac address. + // Host mac addresses. MAC string `ecs:"mac"` // Type of host. @@ -61,7 +61,7 @@ type Host struct { // Name of the domain of which the host is a member. // For example, on Windows this could be the host's Active Directory domain - // or NetBIOS domain name. For Linux this could be the domain of the - // host's LDAP provider. + // or NetBIOS domain name. For Linux this could be the domain of the host's + // LDAP provider. Domain string `ecs:"domain"` } diff --git a/vendor/github.com/elastic/ecs/code/go/ecs/interface.go b/vendor/github.com/elastic/ecs/code/go/ecs/interface.go new file mode 100644 index 000000000000..56b2e65e534a --- /dev/null +++ b/vendor/github.com/elastic/ecs/code/go/ecs/interface.go @@ -0,0 +1,38 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +// Code generated by scripts/gocodegen.go - DO NOT EDIT. + +package ecs + +// The interface fields are used to record ingress and egress interface +// information when reported by an observer (e.g. firewall, router, load +// balancer) in the context of the observer handling a network connection. In +// the case of a single observer interface (e.g. network sensor on a span port) +// only the observer.ingress information should be populated. +type Interface struct { + // Interface ID as reported by an observer (typically SNMP interface ID). + ID string `ecs:"id"` + + // Interface name as reported by the system. + Name string `ecs:"name"` + + // Interface alias as reported by the system, typically used in firewall + // implementations for e.g. inside, outside, or dmz logical interface + // naming. + Alias string `ecs:"alias"` +} diff --git a/vendor/github.com/elastic/ecs/code/go/ecs/network.go b/vendor/github.com/elastic/ecs/code/go/ecs/network.go index 1175227f36b1..e47d15abd294 100644 --- a/vendor/github.com/elastic/ecs/code/go/ecs/network.go +++ b/vendor/github.com/elastic/ecs/code/go/ecs/network.go @@ -92,4 +92,11 @@ type Network struct { // If `source.packets` and `destination.packets` are known, // `network.packets` is their sum. Packets int64 `ecs:"packets"` + + // Network.inner fields are added in addition to network.vlan fields to + // describe the innermost VLAN when q-in-q VLAN tagging is present. + // Allowed fields include vlan.id and vlan.name. Inner vlan fields are + // typically used when sending traffic with multiple 802.1q encapsulations + // to a network sensor (e.g. Zeek, Wireshark.) + Inner map[string]interface{} `ecs:"inner"` } diff --git a/vendor/github.com/elastic/ecs/code/go/ecs/observer.go b/vendor/github.com/elastic/ecs/code/go/ecs/observer.go index c7b65f84af46..a7459aa11a97 100644 --- a/vendor/github.com/elastic/ecs/code/go/ecs/observer.go +++ b/vendor/github.com/elastic/ecs/code/go/ecs/observer.go @@ -32,10 +32,10 @@ package ecs // and ETL components used in processing events or metrics are not considered // observers in ECS. type Observer struct { - // MAC address of the observer + // MAC addresses of the observer MAC string `ecs:"mac"` - // IP address of the observer. + // IP addresses of the observer. IP string `ecs:"ip"` // Hostname of the observer. @@ -65,4 +65,26 @@ type Observer struct { // `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM // server`. Type string `ecs:"type"` + + // Observer.ingress holds information like interface number and name, vlan, + // and zone information to classify ingress traffic. Single armed + // monitoring such as a network sensor on a span port should only use + // observer.ingress to categorize traffic. + Ingress map[string]interface{} `ecs:"ingress"` + + // Network zone of incoming traffic as reported by the observer to + // categorize the source area of ingress traffic. e.g. internal, External, + // DMZ, HR, Legal, etc. + IngressZone string `ecs:"ingress.zone"` + + // Observer.egress holds information like interface number and name, vlan, + // and zone information to classify egress traffic. Single armed + // monitoring such as a network sensor on a span port should only use + // observer.ingress to categorize traffic. + Egress map[string]interface{} `ecs:"egress"` + + // Network zone of outbound traffic as reported by the observer to + // categorize the destination area of egress traffic, e.g. Internal, + // External, DMZ, HR, Legal, etc. + EgressZone string `ecs:"egress.zone"` } diff --git a/vendor/github.com/elastic/ecs/code/go/ecs/pe.go b/vendor/github.com/elastic/ecs/code/go/ecs/pe.go new file mode 100644 index 000000000000..983585597a78 --- /dev/null +++ b/vendor/github.com/elastic/ecs/code/go/ecs/pe.go @@ -0,0 +1,38 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +// Code generated by scripts/gocodegen.go - DO NOT EDIT. + +package ecs + +// These fields contain Windows Portable Executable (PE) metadata. +type Pe struct { + // Internal name of the file, provided at compile-time. + OriginalFileName string `ecs:"original_file_name"` + + // Internal version of the file, provided at compile-time. + FileVersion string `ecs:"file_version"` + + // Internal description of the file, provided at compile-time. + Description string `ecs:"description"` + + // Internal product name of the file, provided at compile-time. + Product string `ecs:"product"` + + // Internal company name of the file, provided at compile-time. + Company string `ecs:"company"` +} diff --git a/vendor/github.com/elastic/ecs/code/go/ecs/process.go b/vendor/github.com/elastic/ecs/code/go/ecs/process.go index 64767d8992d9..568a3cb584bc 100644 --- a/vendor/github.com/elastic/ecs/code/go/ecs/process.go +++ b/vendor/github.com/elastic/ecs/code/go/ecs/process.go @@ -34,6 +34,26 @@ type Process struct { // Process id. ParentPID int64 `ecs:"parent.pid"` + // Unique identifier for the process. + // The implementation of this is specified by the data source, but some + // examples of what could be used here are a process-generated UUID, Sysmon + // Process GUIDs, or a hash of some uniquely identifying components of a + // process. + // Constructing a globally unique identifier is a common practice to + // mitigate PID reuse as well as to identify a specific process over time, + // across multiple monitored hosts. + EntityID string `ecs:"entity_id"` + + // Unique identifier for the process. + // The implementation of this is specified by the data source, but some + // examples of what could be used here are a process-generated UUID, Sysmon + // Process GUIDs, or a hash of some uniquely identifying components of a + // process. + // Constructing a globally unique identifier is a common practice to + // mitigate PID reuse as well as to identify a specific process over time, + // across multiple monitored hosts. + ParentEntityID string `ecs:"parent.entity_id"` + // Process name. // Sometimes called program name or similar. Name string `ecs:"name"` diff --git a/vendor/github.com/elastic/ecs/code/go/ecs/related.go b/vendor/github.com/elastic/ecs/code/go/ecs/related.go index 492701d02917..8facf9bcec0b 100644 --- a/vendor/github.com/elastic/ecs/code/go/ecs/related.go +++ b/vendor/github.com/elastic/ecs/code/go/ecs/related.go @@ -26,11 +26,16 @@ package ecs // A concrete example is IP addresses, which can be under host, observer, // source, destination, client, server, and network.forwarded_ip. If you append // all IPs to `related.ip`, you can then search for a given IP trivially, no -// matter where it appeared, by querying `related.ip:a.b.c.d`. +// matter where it appeared, by querying `related.ip:192.0.2.15`. type Related struct { // All of the IPs seen on your event. IP string `ecs:"ip"` // All the user names seen on your event. User string `ecs:"user"` + + // All the hashes seen on your event. Populating this field, then using it + // to search for hashes can help in situations where you're unsure what the + // hash algorithm is (and therefore which key name to search). + Hash string `ecs:"hash"` } diff --git a/vendor/github.com/elastic/ecs/code/go/ecs/rule.go b/vendor/github.com/elastic/ecs/code/go/ecs/rule.go index 708c922fbd30..ae07c808f54b 100644 --- a/vendor/github.com/elastic/ecs/code/go/ecs/rule.go +++ b/vendor/github.com/elastic/ecs/code/go/ecs/rule.go @@ -22,7 +22,7 @@ package ecs // Rule fields are used to capture the specifics of any observer or agent rules // that generate alerts or other notable events. // Examples of data sources that would populate the rule fields include: -// network admission control platforms, network or host IDS/IPS, network +// network admission control platforms, network or host IDS/IPS, network // firewalls, web application firewalls, url filters, endpoint detection and // response (EDR) systems, etc. type Rule struct { @@ -57,4 +57,12 @@ type Rule struct { // that's not available, it can also be a link to a more general page // describing this type of alert. Reference string `ecs:"reference"` + + // Name, organization, or pseudonym of the author or authors who created + // the rule used to generate this event. + Author string `ecs:"author"` + + // Name of the license under which the rule used to generate this event is + // made available. + License string `ecs:"license"` } diff --git a/vendor/github.com/elastic/ecs/code/go/ecs/user.go b/vendor/github.com/elastic/ecs/code/go/ecs/user.go index e80effb7710a..d010a054c948 100644 --- a/vendor/github.com/elastic/ecs/code/go/ecs/user.go +++ b/vendor/github.com/elastic/ecs/code/go/ecs/user.go @@ -24,7 +24,7 @@ package ecs // Fields can have one entry or multiple entries. If a user has more than one // id, provide an array that includes all of them. type User struct { - // One or multiple unique identifiers of the user. + // Unique identifiers of the user. ID string `ecs:"id"` // Short name or login of the user. diff --git a/vendor/github.com/elastic/ecs/code/go/ecs/version.go b/vendor/github.com/elastic/ecs/code/go/ecs/version.go index ac59bfa32e12..c9f77f3d6ec5 100644 --- a/vendor/github.com/elastic/ecs/code/go/ecs/version.go +++ b/vendor/github.com/elastic/ecs/code/go/ecs/version.go @@ -20,4 +20,4 @@ package ecs // Version is the Elastic Common Schema version from which this was generated. -const Version = "1.4.0" +const Version = "1.5.0" diff --git a/vendor/github.com/elastic/ecs/code/go/ecs/vlan.go b/vendor/github.com/elastic/ecs/code/go/ecs/vlan.go new file mode 100644 index 000000000000..d4a1e69fdf9e --- /dev/null +++ b/vendor/github.com/elastic/ecs/code/go/ecs/vlan.go @@ -0,0 +1,44 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +// Code generated by scripts/gocodegen.go - DO NOT EDIT. + +package ecs + +// The VLAN fields are used to identify 802.1q tag(s) of a packet, as well as +// ingress and egress VLAN associations of an observer in relation to a +// specific packet or connection. +// Network.vlan fields are used to record a single VLAN tag, or the outer tag +// in the case of q-in-q encapsulations, for a packet or connection as +// observed, typically provided by a network sensor (e.g. Zeek, Wireshark) +// passively reporting on traffic. +// Network.inner VLAN fields are used to report inner q-in-q 802.1q tags +// (multiple 802.1q encapsulations) as observed, typically provided by a +// network sensor (e.g. Zeek, Wireshark) passively reporting on traffic. +// Network.inner VLAN fields should only be used in addition to network.vlan +// fields to indicate q-in-q tagging. +// Observer.ingress and observer.egress VLAN values are used to record observer +// specific information when observer events contain discrete ingress and +// egress VLAN information, typically provided by firewalls, routers, or load +// balancers. +type Vlan struct { + // VLAN ID as reported by the observer. + ID string `ecs:"id"` + + // Optional VLAN name as reported by the observer. + Name string `ecs:"name"` +} diff --git a/vendor/modules.txt b/vendor/modules.txt index 9bed6e67fc09..e2b9d760603b 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -405,7 +405,7 @@ github.com/eapache/queue # github.com/eclipse/paho.mqtt.golang v1.2.1-0.20200121105743-0d940dd29fd2 github.com/eclipse/paho.mqtt.golang github.com/eclipse/paho.mqtt.golang/packets -# github.com/elastic/ecs v1.4.0 +# github.com/elastic/ecs v1.5.0 github.com/elastic/ecs/code/go/ecs # github.com/elastic/go-libaudit v0.4.0 github.com/elastic/go-libaudit diff --git a/winlogbeat/docs/fields.asciidoc b/winlogbeat/docs/fields.asciidoc index 989bb7fba4bf..ba31d8334431 100644 --- a/winlogbeat/docs/fields.asciidoc +++ b/winlogbeat/docs/fields.asciidoc @@ -254,7 +254,7 @@ Example: `docker` and `k8s` labels. type: object -example: { "application": "foo-bar", "env": "production" } +example: {"application": "foo-bar", "env": "production"} -- @@ -709,7 +709,7 @@ type: keyword *`client.user.id`*:: + -- -One or multiple unique identifiers of the user. +Unique identifiers of the user. type: keyword @@ -815,6 +815,70 @@ example: us-east-1 -- +[float] +=== code_signature + +These fields contain information about binary code signatures. + + +*`code_signature.exists`*:: ++ +-- +Boolean to capture if a signature is present. + +type: boolean + +example: true + +-- + +*`code_signature.status`*:: ++ +-- +Additional information about the certificate status. +This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. + +type: keyword + +example: ERROR_UNTRUSTED_ROOT + +-- + +*`code_signature.subject_name`*:: ++ +-- +Subject name of the code signer + +type: keyword + +example: Microsoft Corporation + +-- + +*`code_signature.trusted`*:: ++ +-- +Stores the trust status of the certificate chain. +Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. + +type: boolean + +example: true + +-- + +*`code_signature.valid`*:: ++ +-- +Boolean to capture if the digital signature is verified against the binary content. +Leave unpopulated if a certificate was unchecked. + +type: boolean + +example: true + +-- + [float] === container @@ -843,7 +907,7 @@ type: keyword *`container.image.tag`*:: + -- -Container image tag. +Container image tags. type: keyword @@ -1202,7 +1266,7 @@ type: keyword *`destination.user.id`*:: + -- -One or multiple unique identifiers of the user. +Unique identifiers of the user. type: keyword @@ -1226,6 +1290,189 @@ type: text -- +[float] +=== dll + +These fields contain information about code libraries dynamically loaded into processes. + +Many operating systems refer to "shared code libraries" with different names, but this field set refers to all of the following: +* Dynamic-link library (`.dll`) commonly used on Windows +* Shared Object (`.so`) commonly used on Unix-like operating systems +* Dynamic library (`.dylib`) commonly used on macOS + + +*`dll.code_signature.exists`*:: ++ +-- +Boolean to capture if a signature is present. + +type: boolean + +example: true + +-- + +*`dll.code_signature.status`*:: ++ +-- +Additional information about the certificate status. +This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. + +type: keyword + +example: ERROR_UNTRUSTED_ROOT + +-- + +*`dll.code_signature.subject_name`*:: ++ +-- +Subject name of the code signer + +type: keyword + +example: Microsoft Corporation + +-- + +*`dll.code_signature.trusted`*:: ++ +-- +Stores the trust status of the certificate chain. +Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. + +type: boolean + +example: true + +-- + +*`dll.code_signature.valid`*:: ++ +-- +Boolean to capture if the digital signature is verified against the binary content. +Leave unpopulated if a certificate was unchecked. + +type: boolean + +example: true + +-- + +*`dll.hash.md5`*:: ++ +-- +MD5 hash. + +type: keyword + +-- + +*`dll.hash.sha1`*:: ++ +-- +SHA1 hash. + +type: keyword + +-- + +*`dll.hash.sha256`*:: ++ +-- +SHA256 hash. + +type: keyword + +-- + +*`dll.hash.sha512`*:: ++ +-- +SHA512 hash. + +type: keyword + +-- + +*`dll.name`*:: ++ +-- +Name of the library. +This generally maps to the name of the file on disk. + +type: keyword + +example: kernel32.dll + +-- + +*`dll.path`*:: ++ +-- +Full file path of the library. + +type: keyword + +example: C:\Windows\System32\kernel32.dll + +-- + +*`dll.pe.company`*:: ++ +-- +Internal company name of the file, provided at compile-time. + +type: keyword + +example: Microsoft Corporation + +-- + +*`dll.pe.description`*:: ++ +-- +Internal description of the file, provided at compile-time. + +type: keyword + +example: Paint + +-- + +*`dll.pe.file_version`*:: ++ +-- +Internal version of the file, provided at compile-time. + +type: keyword + +example: 6.3.9600.17415 + +-- + +*`dll.pe.original_file_name`*:: ++ +-- +Internal name of the file, provided at compile-time. + +type: keyword + +example: MSPAINT.EXE + +-- + +*`dll.pe.product`*:: ++ +-- +Internal product name of the file, provided at compile-time. + +type: keyword + +example: Microsoft® Windows® Operating System + +-- + [float] === dns @@ -1527,7 +1774,7 @@ example: java.lang.NullPointerException === event The event fields are used for context information about the log or metric event itself. -A log is defined as an event containing details of something that happened. Log events must include the time at which the thing happened. Examples of log events include a process starting on a host, a network packet being sent from a source to a destination, or a network connection between a client and a server being initiated or closed. A metric is defined as an event containing one or more numerical or categorical measurements and the time at which the measurement was taken. Examples of metric events include memory pressure measured on a host, or vulnerabilities measured on a scanned host. +A log is defined as an event containing details of something that happened. Log events must include the time at which the thing happened. Examples of log events include a process starting on a host, a network packet being sent from a source to a destination, or a network connection between a client and a server being initiated or closed. A metric is defined as an event containing one or more numerical measurements and the time at which the measurement was taken. Examples of metric events include memory pressure measured on a host and device temperature. See the `event.kind` definition in this section for additional details about metric and state events. *`event.action`*:: @@ -1577,7 +1824,7 @@ In case the two timestamps are identical, @timestamp should be used. type: date -example: 2016-05-23 08:05:34.857000 +example: 2016-05-23T08:05:34.857Z -- @@ -1646,7 +1893,7 @@ In normal conditions, assuming no tampering, the timestamps should chronological type: date -example: 2016-05-23 08:05:35.101000 +example: 2016-05-23T08:05:35.101Z -- @@ -1691,7 +1938,10 @@ example: Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0&# + -- This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. -`event.outcome` simply denotes whether the event represent a success or a failure. Note that not all events will have an associated outcome. For example, this field is generally not populated for metric events or events with `event.type:info`. +`event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. +Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. +Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. +Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. type: keyword @@ -1711,6 +1961,18 @@ example: kernel -- +*`event.reference`*:: ++ +-- +Reference URL linking to additional information about this event. +This URL links to a static definition of the this event. Alert events, indicated by `event.kind:alert`, are a common use case for this field. + +type: keyword + +example: https://system.vendor.com/event/#0001234 + +-- + *`event.risk_score`*:: + -- @@ -1734,7 +1996,7 @@ type: float + -- Sequence number of the event. -The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regarless of the timestamp precision. +The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regardless of the timestamp precision. type: long @@ -1787,6 +2049,18 @@ type: keyword -- +*`event.url`*:: ++ +-- +URL linking to an external system to continue investigation of this event. +This URL links to another system where in-depth investigation of the specific occurence of this event can take place. Alert events, indicated by `event.kind:alert`, are a common use case for this field. + +type: keyword + +example: https://mysystem.mydomain.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe + +-- + [float] === file @@ -1816,6 +2090,64 @@ example: ["readonly", "system"] -- +*`file.code_signature.exists`*:: ++ +-- +Boolean to capture if a signature is present. + +type: boolean + +example: true + +-- + +*`file.code_signature.status`*:: ++ +-- +Additional information about the certificate status. +This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. + +type: keyword + +example: ERROR_UNTRUSTED_ROOT + +-- + +*`file.code_signature.subject_name`*:: ++ +-- +Subject name of the code signer + +type: keyword + +example: Microsoft Corporation + +-- + +*`file.code_signature.trusted`*:: ++ +-- +Stores the trust status of the certificate chain. +Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. + +type: boolean + +example: true + +-- + +*`file.code_signature.valid`*:: ++ +-- +Boolean to capture if the digital signature is verified against the binary content. +Leave unpopulated if a certificate was unchecked. + +type: boolean + +example: true + +-- + *`file.created`*:: + -- @@ -1950,6 +2282,15 @@ example: 256383 -- +*`file.mime_type`*:: ++ +-- +MIME type should identify the format of the file or stream of bytes using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official types], where possible. When more than one type is applicable, the most specific type should be used. + +type: keyword + +-- + *`file.mode`*:: + -- @@ -2010,6 +2351,61 @@ type: text -- +*`file.pe.company`*:: ++ +-- +Internal company name of the file, provided at compile-time. + +type: keyword + +example: Microsoft Corporation + +-- + +*`file.pe.description`*:: ++ +-- +Internal description of the file, provided at compile-time. + +type: keyword + +example: Paint + +-- + +*`file.pe.file_version`*:: ++ +-- +Internal version of the file, provided at compile-time. + +type: keyword + +example: 6.3.9600.17415 + +-- + +*`file.pe.original_file_name`*:: ++ +-- +Internal name of the file, provided at compile-time. + +type: keyword + +example: MSPAINT.EXE + +-- + +*`file.pe.product`*:: ++ +-- +Internal product name of the file, provided at compile-time. + +type: keyword + +example: Microsoft® Windows® Operating System + +-- + *`file.size`*:: + -- @@ -2378,7 +2774,7 @@ type: keyword *`host.ip`*:: + -- -Host ip address. +Host ip addresses. type: ip @@ -2387,7 +2783,7 @@ type: ip *`host.mac`*:: + -- -Host mac address. +Host mac addresses. type: keyword @@ -2582,7 +2978,7 @@ type: keyword *`host.user.id`*:: + -- -One or multiple unique identifiers of the user. +Unique identifiers of the user. type: keyword @@ -2747,6 +3143,45 @@ example: 1.1 -- +[float] +=== interface + +The interface fields are used to record ingress and egress interface information when reported by an observer (e.g. firewall, router, load balancer) in the context of the observer handling a network connection. In the case of a single observer interface (e.g. network sensor on a span port) only the observer.ingress information should be populated. + + +*`interface.alias`*:: ++ +-- +Interface alias as reported by the system, typically used in firewall implementations for e.g. inside, outside, or dmz logical interface naming. + +type: keyword + +example: outside + +-- + +*`interface.id`*:: ++ +-- +Interface ID as reported by an observer (typically SNMP interface ID). + +type: keyword + +example: 10 + +-- + +*`interface.name`*:: ++ +-- +Interface name as reported by the system. + +type: keyword + +example: eth0 + +-- + [float] === log @@ -2984,6 +3419,37 @@ example: 6 -- +*`network.inner`*:: ++ +-- +Network.inner fields are added in addition to network.vlan fields to describe the innermost VLAN when q-in-q VLAN tagging is present. Allowed fields include vlan.id and vlan.name. Inner vlan fields are typically used when sending traffic with multiple 802.1q encapsulations to a network sensor (e.g. Zeek, Wireshark.) + +type: object + +-- + +*`network.inner.vlan.id`*:: ++ +-- +VLAN ID as reported by the observer. + +type: keyword + +example: 10 + +-- + +*`network.inner.vlan.name`*:: ++ +-- +Optional VLAN name as reported by the observer. + +type: keyword + +example: outside + +-- + *`network.name`*:: + -- @@ -3043,6 +3509,28 @@ example: ipv4 -- +*`network.vlan.id`*:: ++ +-- +VLAN ID as reported by the observer. + +type: keyword + +example: 10 + +-- + +*`network.vlan.name`*:: ++ +-- +Optional VLAN name as reported by the observer. + +type: keyword + +example: outside + +-- + [float] === observer @@ -3050,6 +3538,81 @@ An observer is defined as a special network, security, or application device use This could be a custom hardware appliance or a server that has been configured to run special network, security, or application software. Examples include firewalls, web proxies, intrusion detection/prevention systems, network monitoring sensors, web application firewalls, data loss prevention systems, and APM servers. The observer.* fields shall be populated with details of the system, if any, that detects, observes and/or creates a network, security, or application event or metric. Message queues and ETL components used in processing events or metrics are not considered observers in ECS. +*`observer.egress`*:: ++ +-- +Observer.egress holds information like interface number and name, vlan, and zone information to classify egress traffic. Single armed monitoring such as a network sensor on a span port should only use observer.ingress to categorize traffic. + +type: object + +-- + +*`observer.egress.interface.alias`*:: ++ +-- +Interface alias as reported by the system, typically used in firewall implementations for e.g. inside, outside, or dmz logical interface naming. + +type: keyword + +example: outside + +-- + +*`observer.egress.interface.id`*:: ++ +-- +Interface ID as reported by an observer (typically SNMP interface ID). + +type: keyword + +example: 10 + +-- + +*`observer.egress.interface.name`*:: ++ +-- +Interface name as reported by the system. + +type: keyword + +example: eth0 + +-- + +*`observer.egress.vlan.id`*:: ++ +-- +VLAN ID as reported by the observer. + +type: keyword + +example: 10 + +-- + +*`observer.egress.vlan.name`*:: ++ +-- +Optional VLAN name as reported by the observer. + +type: keyword + +example: outside + +-- + +*`observer.egress.zone`*:: ++ +-- +Network zone of outbound traffic as reported by the observer to categorize the destination area of egress traffic, e.g. Internal, External, DMZ, HR, Legal, etc. + +type: keyword + +example: Public_Internet + +-- + *`observer.geo.city_name`*:: + -- @@ -3149,10 +3712,85 @@ type: keyword -- +*`observer.ingress`*:: ++ +-- +Observer.ingress holds information like interface number and name, vlan, and zone information to classify ingress traffic. Single armed monitoring such as a network sensor on a span port should only use observer.ingress to categorize traffic. + +type: object + +-- + +*`observer.ingress.interface.alias`*:: ++ +-- +Interface alias as reported by the system, typically used in firewall implementations for e.g. inside, outside, or dmz logical interface naming. + +type: keyword + +example: outside + +-- + +*`observer.ingress.interface.id`*:: ++ +-- +Interface ID as reported by an observer (typically SNMP interface ID). + +type: keyword + +example: 10 + +-- + +*`observer.ingress.interface.name`*:: ++ +-- +Interface name as reported by the system. + +type: keyword + +example: eth0 + +-- + +*`observer.ingress.vlan.id`*:: ++ +-- +VLAN ID as reported by the observer. + +type: keyword + +example: 10 + +-- + +*`observer.ingress.vlan.name`*:: ++ +-- +Optional VLAN name as reported by the observer. + +type: keyword + +example: outside + +-- + +*`observer.ingress.zone`*:: ++ +-- +Network zone of incoming traffic as reported by the observer to categorize the source area of ingress traffic. e.g. internal, External, DMZ, HR, Legal, etc. + +type: keyword + +example: DMZ + +-- + *`observer.ip`*:: + -- -IP address of the observer. +IP addresses of the observer. type: ip @@ -3161,7 +3799,7 @@ type: ip *`observer.mac`*:: + -- -MAC address of the observer +MAC addresses of the observer type: keyword @@ -3582,6 +4220,67 @@ example: 1.12.9 -- +[float] +=== pe + +These fields contain Windows Portable Executable (PE) metadata. + + +*`pe.company`*:: ++ +-- +Internal company name of the file, provided at compile-time. + +type: keyword + +example: Microsoft Corporation + +-- + +*`pe.description`*:: ++ +-- +Internal description of the file, provided at compile-time. + +type: keyword + +example: Paint + +-- + +*`pe.file_version`*:: ++ +-- +Internal version of the file, provided at compile-time. + +type: keyword + +example: 6.3.9600.17415 + +-- + +*`pe.original_file_name`*:: ++ +-- +Internal name of the file, provided at compile-time. + +type: keyword + +example: MSPAINT.EXE + +-- + +*`pe.product`*:: ++ +-- +Internal product name of the file, provided at compile-time. + +type: keyword + +example: Microsoft® Windows® Operating System + +-- + [float] === process @@ -3613,6 +4312,64 @@ example: 4 -- +*`process.code_signature.exists`*:: ++ +-- +Boolean to capture if a signature is present. + +type: boolean + +example: true + +-- + +*`process.code_signature.status`*:: ++ +-- +Additional information about the certificate status. +This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. + +type: keyword + +example: ERROR_UNTRUSTED_ROOT + +-- + +*`process.code_signature.subject_name`*:: ++ +-- +Subject name of the code signer + +type: keyword + +example: Microsoft Corporation + +-- + +*`process.code_signature.trusted`*:: ++ +-- +Stores the trust status of the certificate chain. +Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. + +type: boolean + +example: true + +-- + +*`process.code_signature.valid`*:: ++ +-- +Boolean to capture if the digital signature is verified against the binary content. +Leave unpopulated if a certificate was unchecked. + +type: boolean + +example: true + +-- + *`process.command_line`*:: + -- @@ -3632,6 +4389,19 @@ type: text -- +*`process.entity_id`*:: ++ +-- +Unique identifier for the process. +The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. +Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. + +type: keyword + +example: c2c455d9f99375d + +-- + *`process.executable`*:: + -- @@ -3741,6 +4511,64 @@ example: 4 -- +*`process.parent.code_signature.exists`*:: ++ +-- +Boolean to capture if a signature is present. + +type: boolean + +example: true + +-- + +*`process.parent.code_signature.status`*:: ++ +-- +Additional information about the certificate status. +This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. + +type: keyword + +example: ERROR_UNTRUSTED_ROOT + +-- + +*`process.parent.code_signature.subject_name`*:: ++ +-- +Subject name of the code signer + +type: keyword + +example: Microsoft Corporation + +-- + +*`process.parent.code_signature.trusted`*:: ++ +-- +Stores the trust status of the certificate chain. +Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. + +type: boolean + +example: true + +-- + +*`process.parent.code_signature.valid`*:: ++ +-- +Boolean to capture if the digital signature is verified against the binary content. +Leave unpopulated if a certificate was unchecked. + +type: boolean + +example: true + +-- + *`process.parent.command_line`*:: + -- @@ -3760,6 +4588,19 @@ type: text -- +*`process.parent.entity_id`*:: ++ +-- +Unique identifier for the process. +The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. +Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. + +type: keyword + +example: c2c455d9f99375d + +-- + *`process.parent.executable`*:: + -- @@ -3790,6 +4631,42 @@ example: 137 -- +*`process.parent.hash.md5`*:: ++ +-- +MD5 hash. + +type: keyword + +-- + +*`process.parent.hash.sha1`*:: ++ +-- +SHA1 hash. + +type: keyword + +-- + +*`process.parent.hash.sha256`*:: ++ +-- +SHA256 hash. + +type: keyword + +-- + +*`process.parent.hash.sha512`*:: ++ +-- +SHA512 hash. + +type: keyword + +-- + *`process.parent.name`*:: + -- @@ -3927,6 +4804,61 @@ type: text -- +*`process.pe.company`*:: ++ +-- +Internal company name of the file, provided at compile-time. + +type: keyword + +example: Microsoft Corporation + +-- + +*`process.pe.description`*:: ++ +-- +Internal description of the file, provided at compile-time. + +type: keyword + +example: Paint + +-- + +*`process.pe.file_version`*:: ++ +-- +Internal version of the file, provided at compile-time. + +type: keyword + +example: 6.3.9600.17415 + +-- + +*`process.pe.original_file_name`*:: ++ +-- +Internal name of the file, provided at compile-time. + +type: keyword + +example: MSPAINT.EXE + +-- + +*`process.pe.product`*:: ++ +-- +Internal product name of the file, provided at compile-time. + +type: keyword + +example: Microsoft® Windows® Operating System + +-- + *`process.pgid`*:: + -- @@ -4135,8 +5067,17 @@ example: Debugger This field set is meant to facilitate pivoting around a piece of data. Some pieces of information can be seen in many places in an ECS event. To facilitate searching for them, store an array of all seen values to their corresponding field in `related.`. -A concrete example is IP addresses, which can be under host, observer, source, destination, client, server, and network.forwarded_ip. If you append all IPs to `related.ip`, you can then search for a given IP trivially, no matter where it appeared, by querying `related.ip:a.b.c.d`. +A concrete example is IP addresses, which can be under host, observer, source, destination, client, server, and network.forwarded_ip. If you append all IPs to `related.ip`, you can then search for a given IP trivially, no matter where it appeared, by querying `related.ip:192.0.2.15`. + + +*`related.hash`*:: ++ +-- +All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). + +type: keyword +-- *`related.ip`*:: + @@ -4163,6 +5104,17 @@ Rule fields are used to capture the specifics of any observer or agent rules tha Examples of data sources that would populate the rule fields include: network admission control platforms, network or host IDS/IPS, network firewalls, web application firewalls, url filters, endpoint detection and response (EDR) systems, etc. +*`rule.author`*:: ++ +-- +Name, organization, or pseudonym of the author or authors who created the rule used to generate this event. + +type: keyword + +example: ['Star-Lord'] + +-- + *`rule.category`*:: + -- @@ -4196,6 +5148,17 @@ example: 101 -- +*`rule.license`*:: ++ +-- +Name of the license under which the rule used to generate this event is made available. + +type: keyword + +example: Apache 2.0 + +-- + *`rule.name`*:: + -- @@ -4577,7 +5540,7 @@ type: keyword *`server.user.id`*:: + -- -One or multiple unique identifiers of the user. +Unique identifiers of the user. type: keyword @@ -5017,7 +5980,7 @@ type: keyword *`source.user.id`*:: + -- -One or multiple unique identifiers of the user. +Unique identifiers of the user. type: keyword @@ -5734,7 +6697,7 @@ type: keyword *`user.id`*:: + -- -One or multiple unique identifiers of the user. +Unique identifiers of the user. type: keyword @@ -5896,6 +6859,37 @@ example: 12.0 -- +[float] +=== vlan + +The VLAN fields are used to identify 802.1q tag(s) of a packet, as well as ingress and egress VLAN associations of an observer in relation to a specific packet or connection. +Network.vlan fields are used to record a single VLAN tag, or the outer tag in the case of q-in-q encapsulations, for a packet or connection as observed, typically provided by a network sensor (e.g. Zeek, Wireshark) passively reporting on traffic. +Network.inner VLAN fields are used to report inner q-in-q 802.1q tags (multiple 802.1q encapsulations) as observed, typically provided by a network sensor (e.g. Zeek, Wireshark) passively reporting on traffic. Network.inner VLAN fields should only be used in addition to network.vlan fields to indicate q-in-q tagging. +Observer.ingress and observer.egress VLAN values are used to record observer specific information when observer events contain discrete ingress and egress VLAN information, typically provided by firewalls, routers, or load balancers. + + +*`vlan.id`*:: ++ +-- +VLAN ID as reported by the observer. + +type: keyword + +example: 10 + +-- + +*`vlan.name`*:: ++ +-- +Optional VLAN name as reported by the observer. + +type: keyword + +example: outside + +-- + [float] === vulnerability diff --git a/winlogbeat/include/fields.go b/winlogbeat/include/fields.go index d1ecb92d9c7b..896d4ad5d5a3 100644 --- a/winlogbeat/include/fields.go +++ b/winlogbeat/include/fields.go @@ -32,5 +32,5 @@ func init() { // AssetBuildFieldsFieldsCommonYml returns asset data. // This is the base64 encoded gzipped contents of build/fields/fields.common.yml. func AssetBuildFieldsFieldsCommonYml() string { - return "eJzsvWtzGzmyIPq9fwWuJmJlzVIUqZdl7+04K0tyt2L80Fjq6TMznhDBKpBEqwqoBlCi2Rv3v99AJoBCPSRRtmjLvZozZyySVUAikcg3Mv9Cfj388O703U//DzmWREhDWMoNMTOuyYRnjKRcscRkix7hhsypJlMmmKKGpWS8IGbGyMnROSmU/I0lpvfDX8iYapYSKeD7a6Y0l4IM+7v9Qf+Hv5CzjFHNyDXX3JCZMYV+ubU15WZWjvuJzLdYRrXhyRZLNDGS6HI6ZdqQZEbFlMFXdtgJZ1mq+z/8sEmu2OIlYYn+gRDDTcZe2gd+ICRlOlG8MFwK+Iq8du8Q9/bLHwjZJILm7CVZ/9+G50wbmhfrPxBCSMauWfaSJFIx+KzY7yVXLH1JjCrxK7Mo2EuSUoMfa/OtH1PDtuyYZD5jAtDErpkwRCo+5cKir/8DvEfIhcU11/BQGt5jn4yiiUXzRMm8GqFnJ+YJzbIFUaxQTDNhuJjCRG7EarrODdOyVAkL859OohfwNzKjmgjpoc1IQE8PSeOaZiUDoAMwhSzKzE7jhnWTTbjSBt5vgKVYwvh1BVXBC5ZxUcH1weEc94tMpCI0y3AE3cd9Yp9oXthNX98eDPc3B3ub2zsXg4OXg72XO7v9g72df61H25zRMct05wbjbsqxpWL4Av+8xO+v2GIuVdqx0UelNjK3D2whTgrKlQ5rOKKCjBkp7ZEwktA0JTkzlHAxkSqndhD7vVsTOZ/JMkvhGCZSGMoFEUzbrUNwgHztfw6zDPdAE6oY0UZaRFHtIQ0AnHgEjVKZXDE1IlSkZHR1oEcOHS1M/h+yRosi4wmAt/aSrE2k3BxTtdYja0xc228KJdMygd/J/xejOGda0ym7BceGfTIdiHwtFcnk1KECKMKN5fbfIQR/sk+6n3tEFobn/I9AeZZSrjmb21PBBaHwtP2CqYAXO502qkxMaTGXyakmc25msjSEiorwazD0iDQzphwDIQlubiJFQg0TEe0baYHICSWzMqdiUzGa0nHGiC7znKoFkdGZiw9iXmaGF1lYuybsE9f20M/YopowH3PBUsKFkUSK8HRzK39mWSbJr1JlabRFhk5vOwMxrfOpkIpd0rG8Zi/JcLC92965N1wbux73ng7EbuiUMJrM/CrrVPbvmIaQsLbX/hOTEp0ygZTiGPth+GKqZFm8JNsddHQxY/hm2CV3kBx7pYSO7SYjI5yYuT0/loUaK+ImbiuoWFicU3sOs8yevB5JmcE/pCJyrJm6ttuD5Cotmc2k3SmpiKFXTJOcUV0qltsH3LDhseb51ISLJCtTRl4xajkBrFWTnC4IzbQkqhT2bTev0n2QabDQ/l/dUt2QembZ5JhVHBko28JPeaY97SGSVCmEPScSEWRhi9an3JDzGVMx/57RomCWAu1i4aSGpQJvtwgQjhonUhohjd1zv9iX5BSnS6wuICe4aDi39iD2Kvj6lhSI00XGjJp+dH4Pz96CVuJkZ31BbsdpUWzZpfCE9UlFGzH/TSXzqAPGC6oG4ROkFq6JlbDEzJQspzPye8lKO75eaMNyTTJ+xcjf6OSK9sgHlnKkj0LJhGnNxdRvintcl8nM8uk3cqoN1TOC6yDngG6HMjyIQOSIwqCwVKeDFTOWM0WzS+65jjvP7JNhIq14UetU33ium2fpxM9BeGqPyIQzheTDtUPkMz4BDgRsSm8EuvZqjRVmKgcFwetwNFFSW/mvDVX2PI1LQ0a43TwdwX7YnXDIiJjGAd2d7A0GkxoimssP7OyLlv6L4L9bDef+6w4S15IoEja8NwfRPmYEyJinNy4vrS3P/u8qFugUFzhfMUdo7aAmFJ9CdogiaMqvGWguVLjX8Gn384xlxaTM7CGyh9qtMAxs5pK8dgeacKENFYnTZBr8SNuJgSlZInHilFTilBVUwSkOY3NNBGMpmiDzGU9m7anCyU5kbiezGna07tOJ1X0954GlIkvyX8mJYYJkbGIIywuzaG/lRMraLtqNWsUuXiyKW7bPczs7AdGGLjSh2dz+E3BrtUE986SJ2+oUcnzXSvN+hRoReHbAavUskribYsyqR0CE8Ult46sdaxJAbfNzmsysVdBGcTyOx7OzN1eA6n84S7aO7AZM+/1Bf7Cpku1YjdE1HaY0Ushclpqcg0i4Q585FIRWr6AUIc8OzzfwYDrtxAGWSCEY2IynwjAlmCFnShqZyMxB+uz0bIMoWYLFWCg24Z+YJqVIGQpyqywpmdnBLHeTiuRSMSKYmUt1RWRhLUmprMLjzTw2o9nEvkCJlXcZIzTNueDa2JN57ZUrO1Yqc9TEqCHOcsVF5LkUPZJkjKpsEbA/ASU3QCsznixAsZwxq/rCAvtLC0xR5uOg0NwmKjMZpHZtK5xIwHGsKSoTUK4cRK1tcvpG+DoQvNtFN9Czw/N3G6SEwbNFJXE0Ks8B9XgmTmvrjkhvuDfcf1FbsFRTKvgfwB77bTHyJWoCmCmXMZYjVuftO9I2+QjoWCrXL8mEZrqSCCmb0DIzOGT9x9oevI/WBPO18PCTlJYG37w5is5gkvGGLXFUfXOLMXHo3rSHzdMj1Y4AueH2LCDp+21yR9CCN5Ge2pyRoNiUqhSUR6sbSqF70fOoOI45Oty4tNbnJJNzolhi7aqa6XpxdOZGRclUgdmCzX5hH48ggwOomQgmg33m/J/vSEGTK2ae6Y0+zILWbuFYSGsqdCxZ1a42qbd1FHjNmLZwOG3cY8koKjQFYPrkXOYs6MelRjvDMJWTNe8tk2qtsqwVm3hu5UARjQVqPHruZ2cH4s6OWbCDwA6MEOCOpQVLTP02V1PE8KNF64jIT2ClV6lLixA3amWAcWHB+60UuAFgj6GF5X2ZHYNV+BXStIa0ihXu1yacaO9ECq4nHG/LzxOchXB4UFWjaUo0y6kwPAHezz4Zp9WxT6iv91CJ8hxBB93OSHLN7XL5H6wyru1CmQKDW3NTUrcdpxOykKUKc0xolnni8xLBctOpVIuefdQrJdrwLCNMWPPS0S16KK3ikjJtLHlYlFqETXiWBYZGi0LJQnFqWLa4h2FF01QxrVdlUwG1oxXtaMtN6PSfwGbyMZ+WstTZAqkZ3gkMc27RomXOwDNLMq7Bb3V61iPUy1mpCLWC5RPR0tJJn5B/Vph1ahq4Dit+PWNE0bmHydP9qO++GCHK6lqmsEZ4pUSmJToPUTSO+rwYWVBGfQRr1CMpK5hInZqPOroUFRBg0rsdq7So/v91Apzq/pMMj6AaLwzTd6j20d6jh6f+Wg2QV/YH9O6EGIs7k44kkHW2t+pgtwYYEvYKjA7Hw3H8fm3OKZP9hJvF5YocBEdWZ+/cnbfWRmA0a4MjheGCCbMqmN5FzoowWQu+d1KZGTnMmeIJ7QCyFEYtLrmWl4lMV4I6nIKcnr8ndooWhEeHN4K1qt10IHVu6BEVNG1jCtjj3cb0lMnLQvIgm+rBASmm3JQpyuuMGvjQgmD9/5C1DGJNm893+vvD3YOdQY+sZdSsvSS7e/29wd6L4QFGmupAPixPbPgANVObXh5HP6HG79HTI84HglqYnJCpoqLMqOJmEQvWBUmsgAe1MxKgR15uBg8TUjhXqFElzEoMp3xPMimVEzw98KjMeKXaVhIKwctIMVtobv/wEY7EH2sdgfBOmiiQC/Ebjn6HHATklEm/2rYfZiy1kWIzTVp7o9iUS7HKk/YBZrjtoG3+/egmuFZ01BxMnSft7yUbszqieHEHDOGBOnGengUlzXNEEBYxZaEz1jtyfGjx9Ox6135xena9XymfDX0rp8kKcPP28OgmqEnN5236Tbx0HusbcHNhzUu0kk7P7ETOZsDUlHeHF8EAJ89Yf9p33iSaxY4CgtamdzTVQhvhrEQ2pzVqwf0opiSTNCVjmlGRwNGdcMXm1uQBG1/J0p7oBsbtogupzP0UXK/kaKN4t9YbY8OO/73gA23be+h7tVWf4dufpd1t1+Fo7ckySufN+3Hm9uAm4rfcSRumWHrZpVc+nHizxs2MT2dMm2hSjyOcuwcLKQqWepB1OfbqaNj/11WMB8VUNJyzRSdSQR5Jfwq6fT+R+RrhmqxFn5uhJ0yocSGllBmmchDFhWIJ19bWAj8KResXArGQSFSOM54QXU4m/FMYEZ55NjOmeLm1hY/gE9bG2uiTC7WwlGokOg4+cSv6ULyOF0TzvMgWxNCralfRWs6oNhDXwGwaNMyFNASMvjnLMlj7xZvjKvi7lsh+ebXWlqUVMmokYWRxCdv/FSiCTSb2AF8zO6vTadwePmMXb443ehjNuRJyLryXrAYWcajveXckoKigFdm78UBEtomnOW8Y1uKxwhBQz/dNNkAyN1FMtRHL0Q58XyObUjPVXy3FxBYZOq6lQnewnRxjVDkDN4mc3MQxqCBvjg/PIBUCV3wchopJZb29OpZTnq1ocVb9JzCB11n6bQAmZZZ1aJLfpWPGLnhdE7skmA4MDHpNeUbHWVuZPczGTBlywoU2zJFYDTfgZ/1mBAizr54CcZEry8Fp56FMXM4Vrs+HysEjuVVk1FgNpINQEc4VmsvxTuBkbSBmVM9WZq0jpoDv2HksT06kUsyqvrWErwk6xoFBCUKFFIs4fRSVuIhUftHMJbOMYBU8RYc2fLCrG4Ukw0SKCe4VzWpzUpFakVQFcojPC+4iqpXkNL1v2IFlk7SCTQYwtKF6OIP5m7G485nVvtHLAsmGXLQXHfE4CjyuFkmWJS4vBJL9FzfHkfHqAUFSDPEGGIpAcHSiaEhGrtIsMSCEOUrevIBMJXJjWuWEvGVG8QTTnXScTkUFOTnaxmQqS40TZpIZ0+BkikYn3GiXyVoBaSm5noBdy6TlOqTp1EFw46pSuBRZxXJpQlIPkaXRPGXRTE3IECZKXA6nX5AnMFG96hxk9VxxHLQaCJJV3eTeBLTDcl2B6hB2n5BhAu7b1UmB9YsKQTgXJOnGgRSehsRrd6IXJOWTCVOxAQ9uQA7pxlYu2mO4aZigwhAmrrmSIq/7kCraOvz1PEzO054P0gD9k/cffiKnKaZGQ9JAi7m0Fdb9/f3nz58fHBy8eNGIe6HKwTNuFpd/VJHBh8bqYTQPsfNYrGA4Emgajkp1iFrModSbjGqzOWx49Fw+2+rI4dTnMZ4ee+4FsPpD2ASUbw63d3b39p8fvBjQcZKyyaAb4hWqBwHmOOO0DXXkf4Qv24mTDwbRW88HohzKW9Fotvs5S3lZN84LJa95ulRg+otjXnDW/IR9fzjjm0B0rnuE/lEq1iPTpOiFgywVSfmUG5rJhFHRlnRzXVsWOslXtCjnI//M4xaLY2T0DvteJNe+vCW9KzxYT+FxyTWti1rRxZGCJXzCvYs8QIEZKs7t4ZyschIPEt36Y5r5eWcsKyJlFeQVOmfD0NpJQrGwCDI8WCPLCKiV6JNO4a4Wz9P6GeY5na6Up8RnAyYLkWEEaE41GZc8M1acd4Bm6HRFkFWU5eCi0zoA0VXE22ePriTecimxyWxhUne/rzbvCnejWnMV+wrcBEl2VewERyc5FXQK7ji4i+DhaXESvAoZsZEokSxmJMeNr29hJdGjtyccovYcPQ3BZAx2bNXvA3aMGeUY3pVdiNzHZRc+xvS3WvbeUjlwlRqLt4gfKAcuDAu5cE85cE85cP9358DFB9OHSl3JgOZ+fa1EuJgVPmXDPWXDPQxIT9lwy+PsKRvuKRvue8qGi4TY95YSVwOdrCYvjhd2tljS35EMxmpZYIXi19Qwcvz2XxtdeWBwasAOeVSpcJB7Fflm3ErBY1PhxkgyXgAmjhkUjnj4Fa4iue0eatvXy3C7kZa/dZpb2tIon3LdnnLdnnLdnnLdnnLdnnLdmgT3lOv2lOv2lOv2lOv2PbG4L851S0WtdNHxu3P4eEsU7HUt8mWVheN35+T3kinONNAFFXrOogKp9neX7OaiJ4xDAlEoV1HVFfJjLaz5aTmDJFNmsFoHDusGfTZKhYbUkZfw/GjDFSpc+Eni0UEG+HIXSLxVyUg3Ik4bAnkaVReqoSKtLwmFMGAOwJwp5jM1UsfHuMZx2lDiq6ON+8Tpait+8Ajy+qEgVCm68MhALLv3UWmjVksDMIh2lWUUM6USEXvxJYfdVatIe2UEZM0VWziUVdEzvze4BZr56re14OB4QU6OzqvSZB+wTA6ONaPXDEtXxYwpr5aDP/rJBZnbt06Ozt3wTX+g3WZLfuCDRKsaK8PBL/UAr33Okzk5NCTngudl3nNfhnH9ovJSm1qV0pGdZWSBg3TK1jKsnPeaSo/ktAhDUjtaMoOcE+OLZVNNCqk1H6P0T6HqCxUL+y/3hYbw4PooYDegVJMEqwbWosoNiuwnGV1Z/BjzICn6ysKG+Eh/ihTDobgkeniweFKL152+6wQ9yoVdicEJ0EbcEf0HjXrc7nAwiomo3quNrxZMpNprQpC5BgzLoyQe0K+9ZT0NB33/304srDKKcFE3iS3FRSlgDdBJgaWEdL04IyXJjKIwO3p3+PbEHogxs8iy72fXLO3FzGl9XZMRqi4VizFRNoEUvrilVaF0IS2KwW6uDgMMAueyT04Dr7KWrLN7m2P6AtIjKIHlQ9cjK3kYlH9vbct8Pu/f4BTxO2PMMgbgTW5Di3vIkwGP7jVobZZzw3oBAZ2bYLnmmJGEJrOYsbMJ8KVa1gPXCVUpS/vkX0xJn5doSdmP785AhL9xhTScoiPK3E2nK8wNvZhVeaGfyWKANGtwzxhNmbqcZL4A9wrO1yHIbDkh2yRjxjAFXBJnJjBzLbm7wHKRVQLpS3J42CMXRz3y4bhHPhz2yOFxjxwd98jx+xbJBm32w3H1Zz2auzJj0e6QXRp60mOjkWrNpyJqLKDkVNEcKTA0Q6jU7hlDtQxTXaKBIIes4FV2DDIH3XYP7G8Ph8PaumXREeV78MVjPU6rE9jJnBqFuakM/ZFXXIA7GxXYmk5LQtn42JcI9a6Nx11VgA/DvDgM6siAGShBH495I47+/svJh3/WcBQ441fTGFwpRSct0C65UzmoMfBVykUQiA3QYrkXQuKNSy5Cis1CcWGgJnIyo9A4RGnybMwyOSc725AGZyEgw+39jV5E+1LX3qh4ebCQsOQl0wkt7JmimpHhAETIFOb4eHx8vFGp4a9ockV0RvXMWXy/lxJSjMLIbqg+uaBj3SMJVYrTKXO2g0YdNeNRMtyEsTQeIZHimikXqvtoeuSjwrc+CqA/9CVnHXWZb5GxYZu/eWTqKRr1aKJRgSgC8ldJDGESMPEqz4JbYFWmuUWibUbhBpqBSei8YAA0MMIwU69CjS7H23adw77DCpBGr4bzCkLkQe5Meuu1GmOthyQiJDGK8gwqODPFZbfi2430p1ggsr+nWOC9YoEV/XwdA8HZSbcrFYeHh3XN2Nuql1+S0XPYctFlGTk9szocg/tVo9i1MWr4GPyPI+/qc7TDJxOelBl4kErNemTMElrqEPK4poozs/DGUUyoOTXaGoV2KAdWn5xgL7MKvijf3wNqsMWMJOAVjZAzqtRVaKvDTXBnYT2qlH2yb+eWSuKhUSXAl+B3RrVV640MI1YFjFFTscrtRLbvqgbrpuk6qX83bG4waMJfwxDwc3Un/r17f/Lhw/sPNehWeDbW48MRHPwkoQU02+o5RFudFOivLrygTnR1dy4KEEiRLcDpqqFCdBRaqJWMhscSxXxnPoBPVK2aJghbM0awLBQVAN7h78IBNSAa80OrGMBCwZRb/zNZoPc1W9ghtJRBrjhrDU/HRp8cihTuwCdSVIarw2r97N8cqPD+fGvHOZ7Q4qXB8Ru6DCW1EBC2VrwtBPSWGboZO6v9VUnnjV6+X8NdrTw6WjJ+WbOjqF0lyLGAX7sYTYzskxFLdN89NMJ4uwejYoKgGAHrKbXBBkEQe81aJdoJ+XXGBO4ZbCB2Rgr6GhcpT5gmm5vOSeoCGNBbzkiiMz6dmazron+0GnjfNfS0oGXMsmhrvylXCp6mv1lQfdJgMmM5beCf1FrWdZDOsD/oD2LKUUrWbuWehC9u795W3YpNoNWPDwbBgBrJdwF+jYDHX7BpQI76Az7nwkBFweB6VcawrIRFs2cEEBJPqJVCocHZD/HZ4kazbFIZ2lTg6PcI060o1RuQiU6fRjgBAbzVB/eQt387kjU6IIi7Qt4MRhT67lisd1bVBtaGJleXVrv4MyQlgQ1oV0RgRSH2Axi1xFpkECNknxo1I7+Soht2txe39XKlCajWtdoO7FPCiirvN2IVv9Fr2s+omPbflVl2JiEcceIfj3nIdaNry8n1kh0g8fx23er3HSi6L/Zn0psrWABA8aTGCwLLOYSmovW2MJY9NGVy1HQRbqrO8JzSqoeiR8+bqvkpCA7fENL4qA01IVQGlpaYVmNUfSTlJFqEG88PRX1fQgKt93xhIFfup2pi43zqaNCEJHM3po9/g+0Xp1H38LJtRyecMTNzq+bT0PLC6TNRi0mczDWRwc6SSSa1Xduh34m70Y0XO/w5htZVJV59y2BEbDECH+P2nABQN6Kjx9ywVYPLGtZjaqlQnrNcQsIK09DCxA2XRoivCO66zARTWJGGVx1E3cM6ocIuHfqH3qc40RLX1j5bzcfRg27v4wb1i+zOQREuZmHBhjijIWqRDfFVrnH3Ku1xRgUZ4QO+Ucyo8jqHjbBnfQQI2aRpOuqRkSP5TSB5Bl9NeMY2UUNPRxj28cGPGiMH1TzKN8E6E0UG1NBV0qjUTG0WVGuLzE3MKKqrAw701WwHtmuEMzAhE2vBWDXwyBG9u22MOVpoHIOCSQ3uSOXGAjvD+aLc1tiBPPBkxpmiKpktoh1u7k2lueF2r435lIxLuLiyZuGLRuRM1/1hkTKdGaYco2pM8dLt7IgsHJ8PGjaWWnMOKvdYGNOS7DU3Cxf2QqWYa2Q30FU9XANyM9pNGblGSPZJECY0vl+oy7EHq0n1YXxvgbl5wf1Fs0zOLYTWLEzqG+VEhltS5EWj2D/Jbk0wFSJMtq260syslhZdYL1ZPX04L8CpUw2TKEIZEuFcL/taF9UIc1GZCJ9tVerQN0mmTNcKnYVu2aWIakb0XMe1LN594NTY09uqIKX9QypilwcmGJhCKBTkNVMgEawBHrQdr5TxeEsY+ZWLVM41qijk9Li9Dbv7uwd15CMHuoMXpJUfoY5fdxpwkFZ1PrYFsmxuDUxTa7wPHfkD7IpR4G2+kSt2oVugA6TVk79J0ym34j9xt9D+NxTiMDQvQlOv6CsTV4k3sYM7SF6GjkKrqvlbbSGRpilSTgXJpTZRm7GeyxY0c0nCtO6gjVmHtYys339M4kSUWtv+hGYJlFpxV9oyyIhBnSZ2FLnkApcqiSReMYlYxYBtgVd9r3KljedULCW80VDXQ5JLwasWeyQaYn0dLFq/Y/ajL21nJLlirCBlgREAeCk+XHWsQoNXgLSORyta8cQlNOvFO1tFZqMk74jytwfD/c3B3ub2DhkcvBzsvdzZ7R/sPR8M6nk9KTVUs7uuIn751QmcppFTJmoYwagIxLBzrAlDBeaJOVPIav9SeXGDF2VpUpMzmZz2nOmWyelGL548SBEjnY6zqIrAROc1kXl0j73Zpxg2XbFE5jnwbGiSLKQJTikY3uo9tbnBSgv5bblMy6g3M16GmUgrmFDroSSVWA1UtIbpEDYFTWasH+EibG+plqmg0HHVtPEmF0VpLv2Pggrpkti8Jl2a+AGq3/Is453PYGwMaGTYSTjHbuqa+4tAEC9MW6ck5FOIdXvm8TOzFo9iLnxoqnhdLSWxixd5RgOzC/Qsuj3lrWs6TCyTb3WTSKlAbUmTpiBBerOC03/v1aoAuJU1EO6TY7D0GtXhVng/5meqZ+RZwdSMFtoePmy1P+FiyhRkymxA3I7OnSQz0m4AxZBS5LbJpYA2xgytffCZWs2xSfRVec2uvw5fHR1/NYfc6bFdTag9FhljDZg7u81bDOkv0EkugkwAughclSrFr33yJIMqHopmLhfUSNXSMEC3cGIalYFRJXBiXbxBl15dyBZEJkmpFEv7jlNWkjjTsjV6TZuKJ8gZxZYxzsbFyiMgr6OSdiQoUETTeacNfCqcUWlPF2beWzNM6xKa0AtJ7NrA2ukFTcHJXh9VmikpZCanqEhFokZe+Yg+1y9ruCL/b3Nx1Td+u0fLyOy9/nAw9DL7Fqemp6Ur3mRGj8zO9blXn2Xo2tWNXDDQDrTpR2m6FeFmiVcb4p9Nq6Cd57qYO2Nfdi64KIbmqz2FWGblN+m0oF1qr7dakN+h2j4tuZ4RmjFlvCIDZ6HmyWqkDKDQqo/W0FFxjWQm504ft6gCCGoXvSIBR2ZUpBmkBM7YAqJcc2sqCxMdU8XsmsHPWH2JaoZvW1+tmhsYBU46FFeF3CltLDHMZwxumIVkdKywDjE6AxG9aZlRFbLkK9NRWeWqQ+XJmCugEeIdsU61MkUWZ4muh0DCMqylqSm6gLYzH8BAQV5VFoVUzkWTSJGwArKVcGi0KLJyCppA25NSRdQpnAThtWfUhw9BFQT5u9Hz5wZHHjUyx2qmYBVFADegff4mPbOGdc/7V4H3D5aps08mOA8sOQvDVTh9vzjyv0VruMGItho7pLEw1O5SmVxGJZ1Trq1mkoJjFO/VgjnLLGdiaUX0Vvt3qTeQwGsUZ9felh5d4t50sPpzVpDhC8vmt/dfDgdYiPno5PXLwf/4y3B793+ds6S0C8BPxMysHIFaq0zhd8O+e3Q4cH9UWqDlBbqEczoprVzWRhYFS/0L+K9WyY/DQd/+35Ck2vy43R/2t/vbujA/Drd36gVrZGmsYfSohYs1nz5Xtrj1jXweXcoE5FDHnAslRu2WLCIZojCVyUh5VirWJ++kcRcEhLvP6E4vuEfgvqTVYLSWiQvAIBA3iBVTo+Bap/pGj/p6XKSymcEAjRysL63c6KBOt6waAay45vr6eUj86VLk0MUHBaOQefocxfOFdn6BtkfwjZxGHrAcRVmN7VXZRl5t9ie+ox4e0XJi5tQ3xe++1oI0gsz4fKFzKztnxhTpBnZqmKDn2pVydQO7OyVW7YDvw4jPrpgSLOuRtzxR0s6/6Za46TnE5mFpFVsx3WjvI75d20bF9dWljg7uTUd5kknamRrwgesrAiOAqFJcWjDqxjquXzsQiZZZCbp3dGnhF82cIw+WDK4053ZEhWfGVLOidYD90mr1S1DijYtYfwdmAf+DpTDsHQvqhXAgeKPDIgZW+gwHgw5TKqdcYM0yV9xhIUtwqNedW44QgKLwFpWOANJ1X6YdYu5MI80Yoc66gWUg1lw+k2U2OHTzyrBmv5eRs+PhCr2du4F9feIbTjIkXDQehawuhN87AcENplshiR54ZOlV/eYn+0QTa4emLm4V1N4oNuEiE1lU9K/ypgafVAtZ1yyqovkgpdrw3hGGyMME9eNDk8TFRoy81XX8a7jhGdTzMGJ8EzTKMsanvIfLR3polORoiRRStPrO3VkW3gqKIrFhIyDG7mblzDdQEpprE2fHOcKMjR7gqZa/dt7Gdpw9rGfMLJqhNvgok9O+ht/7/vd+IlM26nvx5r+uUpljv0Ilw7FSgpuihvdqO2oati81WJ3M0+Pzjb6/A1J7I5UMVU1H1dDoSc5FmBHzV63ZVCWmhnETWWD8++blRgHTsOC2GHhep2lDlyrzeLvHEt2hd/osXQZA7LWMKAK9l1WE7Aa3pT2nK+xJtB6ZBlFBjKBR1ZdkD0TFOOwOhwWhUeFSiBzMde9EphhNF46SnDfHE3rleoqkJB5ATxzY6GnOdXxWDhNrQaIj1U/qbwXA7WJqj78UkIFzeuwmXzsplSzY1mGuDVMpzdeiO4p0PFbsGnVS//j5xdoG5o+Tn39+mecVM+E0809tDvZeDgZrGw022s6Ve2SWg5lx9ZnZF5CoEGde0GZSwZoux5uYhrEGgr6HJIUpDZHsIFWEqJXageSJPL1HmLD7raNcDcdXUwh1yMgawUXBjaFC2S0FC8GV9/GXMZo1e79iFgXyCYtF1FQ8zUy48+a4PMTX/vMtaYiH8FYzZw0uV7ccgZAOqMnYSsF6VoBLq7O/QpKETwazY7sODR5TFqhQq8UJ2cieg+0E0x5R0QuZev4zFemWVNViSS282XO3hQsl0zJBnQimPPUODvK2ci/9+/Xp2/+4Z8HscyO6hnt6o48vuxRNZ9B1tEqhcB3M2pL28cZ6/KmN3P/O3rxf9z4Iun+BGFp/Q104wEUHMgaCxA9drybUsMOrrdQYpzeKJldgnaFB3xHno8YoPi5bvSBWUEgC8R7mi5l9+BJrqONhvKZqYWkj1OcjPzOF+QhwU519mtFSwwU/uGQoJ46T1M+m1dyYr0/ha264WIPlfvya9Ugic8isZGmvqohoOVKiFoWJfWPsE0tKw3pkxtOUiR7kveD/SpEtes5A6ZG54qbD3bj+7zX/7FqPrOHTa/9ZD7i7IxjSmetzPxqD8wLjANOwRLEsWVWNberv14kqWbJF031OQUU47mxSdLlDamT3ucDfQjEqGMZFPJDCygK0u1Fupxo5QWCtAavxj2AVo0iKYfYPJnZZLmwqXd8+2rPyJwnDeRnj4fbGkAWjga8UqoOv6ABi6fEbGsoFgFrOskbninAoVgVlKB0abtAEsedaC8X1kuKc9lTx68hdCsVqnDISKQitFW7NZM62aOYxH1Zqh7vEYb50sZ3EfayAZWFRnVtWW1dX4DKiYhm7ppH9KYX3DnaG16J8qqJgytq/qDDWlHqI2GRdTSiOluVKgJr2LbsHIw9gWWGS1l4WTtsM7ShWVi3oTPHcyiUsJGsNj59OjzduPUrrw8Fg2GixEvSIVUMYe3o7oWsfgBnVs36e7q0IvrfHezhFe1I9o8MVzXr+8+Hwlmm39/ZXN/H23v4tU++5JgormXpvuN0xNRery9Y+tWNXlqO/TYjcTYS/vcnRPCvbe/s7BzuNfimrg/atBTY6HhZEmRiaVSugnVfP1gf7u4MGmF+o9XQoPUFboRC/5hPe9CJ9pdrUDjdWYIT7oZ4bV0kmJq4n3kKZLwbTZNZyLlYWgENT1k6wDnmyqrN/UJsHFtQ8YE7hN7sH+rrMMlhLrAP3GhsJe4ulZFoKVmRKOUXrsxSsrZv2XvM/7hmz6TBl7CD24EJvwkgPeh+rTAgv3Nhy3i2uyZr92FEKZri/02hIaKiaMnP5J6GLC1gNUgY4zhZ5xsWV/mqXgWHfIJftGZJkyhX4pxwkGy1qCs6kUF19pRUhodC9Ve9+AfVOVWHf6KL6s/OG7oes5mYNMGqXBs84L+BP7uMtTsCfmIyrGSRUqQXmaqGHi1a5fb6nXHz/jHrFvB64BBMjakNX8yaGAlCYcYvBLZbMID24ylWwkJ2eRZdPMYNPbeqysJZ0ep8iB4+n8+aj77r5CDtuPrJum4++0+Yq64A+ddn8/C6bj7HD5iPortn2Xnj5Fb64WYJdhO47UTGNjtQFeEZXrvuGyytOYVi+BNSft53So+6h9JWM09A4qXUjzNHnz/7zHcVeZni5C8izosgqvwh+p9lUKm5meSj2wZULPEURVJalLpaFtWLyXEIN1RnzlzzfHu/1wC21AXReKOa4dZ8cpqkHYxICnpAl4YcYLyAvWCVUezOuDhwyYwtgCU/gtQVIB9SsoIoaGXq+UF2LpD/Tgl5hslSPYMrjjO5c7g2379NW5ms7EL++7/DbuA2/pscwnCepa9WTfvafb81agBSBZtaCS/CGgGtp8LaMNlREiXInR+dYmuav/hB05i9xM+uI8sOkUlR1d2K7J5Q5AlMTDJrO+jxxZR67VkzkaPhEZlSlc6pYj1xzZUqakZwmMy6Y7pFjmVwxFXo9KJem87dyDA2QIX8uDRU2lsotUMmMG5aY8s4c589qc9bI1a7N19IIPh3sX+7vfisJi7JQTqK986TmxexNMrYKl6HumcTqqx1kfV3fJH3DiFKRd8y8On1/3q7D/IaL8lPH2BXQ0UxhRJD7/ipCRxTu/buL9+fvA2buiMVNmew/IkMawHnsxjQC+egM6hisR2JUW5AevWFtgXwyrh+ncW335jEa2BFc39LIrmtdK4Jk/Wc3diyRagVhqrJ1IRt+7q9ljDxkIzBs7Pl1LVe8VQjy2KlDdxisD7MeZ62iHhBngx3qgEd/Q5Zmc7rQrpNrDy6GuFslwengeubBHSdXXomJa66kyBs3+Pz+QXegUoGZWPp7vaMxowbbtTWxUNyBhe4y/aCM8qK7tXZOkxWg9me3ld1zroo+391Km1FPAKTKiCIjSvxF8E/+vphjknBv+PeSZhBKD2NGepwvPgo3eFwHrFCzEdrduste0EMlZQlP4UKtVUWBjCrGDj0PGhsvdX9Cc56tKo/u/TnB8ckzH6BRLIX0/JSNORU9MlGMjXXaI3NUhduxNnyyBXeZPWDX+G8W+2yZOrjr9Zi4r9/ua2N3q7s0sfh+K3+j16yJreiW6gp2ubkGnC2ADaa2onN3Ya8F+W5/tz/YHA63N8Ee50kT+odVnh7bXsf5Kg5lN23ufzcx4z2dX2tn/XzuPFudT+oeKcelMOVtZ5iqOW+d4c5eCKsDfll6HA76w91+vevJyq5XuQo6DbFirfejTJZpMMS9j6C6Nu80GkxcgCpJI7Pdz1nKy3wElyWv80Zlg5oXIPiDamXP8Qo9eHdrPaaDDhJG7NJFGo3wiyWT0G7KqDkPXVydNhWuE6GLvb5tO9t79emtfPxWwRZI2VhlrAVWx3LKV8XWrVlJYIJubQsAsGK4w0L5LvmzXfC6xsb5TgxPqpbk7dZX2ZgpQ0640IY1mBvgBiNBf95oX7TIRx34i+D82jHABhArLA7pjU7gOxB9MxI7f0OF35iXT8CmQAYlCBVSLHL+R9zrB1AYPv4S6muMYBU8HVlKwQ/e8kb7J5FigntFG0XjROqKPIVh63V1a3haiVn+HpooVLdiyyZphaIVAEMbqoczL78ZizufSeUq5WL93ioMUC26los8xiJwwQ1kTC3Z4ueLizP4fHPw7bUPYYf8P/tSVK/e9Tkio1Jl/ha2ZliBxUQYtkCq0D1UMWiIuHzahX9hLNNFH7Jz76eZ+LIj8at15MaZvw0wCczaRO/BwfObQXTp9n8CwXrhnB248bdi5GeWZZLMpXKVFFuYWcG+XUhDs3rednP3nllggYlhz/kOE2e4u9O9mTkzM7kq+bheQylO1bh8F5U1wBY8YxbXNDIyJG9g3QLft61PzpmPFyZl7i+fhLG1a4Ozduor1lhb6+TovKsPMTM9UkA/nqI0nWhSbMKUWtndiw9u+KpXQ4y51m5aPqdfbm2NMzmNGwdvNWB3XeG/Nk9xbTGXZCoxkH9ernIbTm5mKx43X5uvOGg/j7E4oLWhptTLNmK9VwWtOk5xou7Y1e6gnnuxWqcOwHWTl2wITpsq4Xoaaypv3MdbsoSOWwk8oRxRJqdTy95ylsyo4Dp3+hN8GWomRlcZoEpqlTQEJQ1D6PLOxKHWdG7c0LoD6i740iZh/pvKJhOsbBUmwjpffkyIHcQFsP46qi3EvxXXa25VTGusUEgDi2BpPP5fR94hNS4NUdS5mXwpnr+OXPdK9D+dHJ079N0jNQkIbgXWw/p7XzrRIjLE0N1mtauiTzpqG7hWuejR0xD8DkMp4IylZRihcJkVU2FEVy0BG2lQQ6aSVYXaYBB0+sWdW1LJtFhfN6EZhxRRsVNfF60oTbyfgZos3Ye6bVAZINTcjKvGbbQaHNW6ls2pEqMeGTGl7D8c/qeyDGnWUU2t6rIaHeZpUzd4kH29aBQgxYkIF5qnWDu2KDLX7KkfKk+WugQyjwtcxaNg30hXbB+a/zllK8zQw8Z9WM6IJKU2Mu8O7Eg17bOMasMTLI7cH0tptFG06L/yf9WQhVU++3C7MONLFXWDcs4BwS0M2VEaRSfDlWDXozAidwhSub4veGqaJVyjI9MUJ9s3LmWFzpsmFTzQ4qLyL665FjDGZtFb+0JnOYSwvf3f6DXtREwpOhohrg4vbjpX9WYm0xYq7thfexo6FrKa8ub+uJq445aFzZc7p82mMKBQRk+EjR2zCXZuzLjBTGFDyqJWZq2gqtZY4BTzAhStmlCP3LDezYHIizMIqIjahdkR41q4HrVulF6tXUG8DL/YXmtBvvhyGBNrZLuqiVBTDu/2J76LNt6bxAgTE4mEsLRURLA58AVNFMvldXwIJEkyRgVUNa2D/KXV4omWrhi8FWtj5lrlV3OPfSQV7N0vLhoP6WkQenq7CBplyH4HQbjE0cPyde4r/HDZRdats+dEbSgwVS+YzGO1ArLErejOuYk50jWnbpg+OcuYtfI1Y+TD6yNN9na3d+1W7gz3d/sdS+tPaALN1vqrsDHWoxX6Yr1+wpZu1QzGhPUdxgVlq1VZGrLL6nV3paLCi7xQp3cQhrTvbu90NI/ZuRVHK5ZPvoYp+2Q2xxQaPy+LrMY6gKifd63FV+Z+8K1ubPMNFcA/f4tZNSTX5ID8tULO/wyaar/Oe6rK2NbcQP4eavNB9MSxZEc9gVBg5uGLYUephp29LrTWKgrfD7d3nphmeeu7T0xXGWVXPdniuGIYsalS3TtrTlxxGsBSo4QzlG7uxVaJNStawLuTOZWd5ZZvBT1UgPZGDq36d9aLQFtpcFsR6GY57KUqP3fyhLDhq8z7fgzEUC+FHkZdigig8cwNFBAZtd9w8yMoWvt+4mzUkHyKZWdjl9O76Ks7Lnv6orX1G2qYppPnpfDthqFICnTwRdWRVtfhsJNTXPzW3TDTNW+Oe+Kz7rP50RtNEZvleEOjj3vcKKus7FUdl0O0ZLCjE1QhiWd1fphCSSMTmdX71FI15kZRxSPCwU4SrhuMsYdFo46cQx8RVxC4BwopNOyyky3QEKge1leLInLJ8OT3npVcbCzlVY+YudXllC8KHbejtZZH1SM4qtx4zUQatdKFYjEAS1VCxUqhNJRMqfoEwJHaSpk25PQMq8foHoFmMD0SjTnnytc/f4SxJsrzGml1uPaX6S5xo1t/Hf366M8HjRsiS7AjY2nPDeTO2G2p89mR68EAb45AiRhZZFu7mUsRvvf9VHtk5A+r+wlVFV7thC7zDom032jIjRzELC5Xlqazfog5J1CWHN3BAu4i+cWR0zO8oe6oiWoyZ1nmmFxYjz9+1eWeOv+rPHCUGCmzTToVUhsr+QwVKVVp3EA9DDvJ6jVJ3zCqBHaJoSbE+qbczMoxRPksgUBf7a2AvE2ebloh06H0vZy9/5/63e7P//PtT3tv/7l1MDtV/332e7L7r7//MfixthWBNFbg7Vg79oN76e/ZtVF0MuFJ/6P4EHVVrqzrlx8F+RiQ85H8lXAxlqVIPwpC/kpkaaJP0D9Q0Aw/WQqqPpUCCPej+Ch+nTERj5nTooiK6APTQeHljJmoiR/EKD9BxLjwDcq9ryAeM3AuuMKqCVzvg8rbnM37CMMNE3vUSEUKpnjODFMISA3o5WCqAKlBYP8FlcdNFo8cJu2vtT1kgO0a3UykmlOVsvTyS+7qnJ75TM6q4YY7rtFPzl9WKPmpoyXwi+3+sD/s1720nAp6iebUihjM6eG7Q3LmucM7tNye+ZM7n8/7Foa+VNMtFMxWRugtz082Ebj2F/1PM5NnUTeQc8dHQF75Su7+Le34D82giRRwMNB43jHzOpNz7GINf7l0pzBuJqc+IFC6fKeuNbUQvl9D9KrzF1E5Gi9cuzSpNPbBQnFW3fj0cqkJ7U+QhvIrn/Aa2AVNrpi5hxDuErhukM8Sue7dDqFb/dIhdv2PlX7mBHC34N2uR8I91ayA16+/ee6ti0pm4sV/9qkPEq1HMqCo32hiNckQIg4a7uPT3EJyYcgf8VCvAoXnUJNGB1qOmBhq7ZDYTX3NGrvEv+E88TEkodNZwHBGF5Y5lWnRIyYpeoQX1/ubPMmLHmEm6W88PsybpIH4FV13OUWh8/78FIodZyhE5/G1FE/WbywW+xZ3u4jByEoqNEt6pOA5IPTxodMCHbkGXMstFfsG3sff3Va5RoTX2013CpZwmnkK7oWyoHhttGVSY2eHkESSMsMS0/PjY0QaE0vuHHGzLt+ccmW5Kzaq0fWqnuHiUQh1+4I1OCgVCcOrrm6pjeZBUkz4tFSVmJNElWJ5BIS+on1/SbpZQMf7qnSPzNkYtB9uzXcujCrh2hiii0uxVShYL4zrL/R6hbJSGX/wdCO0VG7YGKRoRojtZFJr0jW0xerh2VuHGt2PnDmeNGJvDsXOIDc4c3yfVdcXhk8IFQt/tADruE4d6EL7NCOkDV1pz7fgG1ZRuaVc9yLy1sVdfy9ZiQOTk4s3UH9JCmwn6Qw/15Q70tzDMKFSmGLg+oNOiCmz+oDHB2TGnByd38MD9VSo5qlQzf1BeipUszzOngrVPBWq+a4L1TTr1ATpW3eGfJ6HJvLA3Dr8agqrvD08umn6r+WAWD+qkiDbKIh0fO8AhgextxpGNuLQTnizFsiZsayYlFl84b2yKiZVKlfQzYK+RDEximWgdoQjLYhUUyra7T1PJ0TIOK8TkpwYS1nqOA9mbSFcGZsYwvLCLDrcy5fgijv/qbYRT6Vb3A+PrZzHU+mWp9ItT6VbHhj4Lynd4rr1rgjUi5nvHWxukFwNEPX2YFCDTzPFabba8In3NrnJnMJ7V4Odh0rCdjVqGphBX5vVyMFBlNvtniiZ1x3TylXKi0qSh7BMNRK0tu66feIDZ2pUuQ9HXrrDVZRUwz8F/AOSFv6QWcbgwgr6b+xflQ+mIx3Ij1lDaS0X4yGR+g8YeDmCO1/kVJiGltx5fh+mzILflIghVrn+la4E73pnaPP7O7Kl4nG844sJxZMZEhR4vGrlJ0IKUyLzggqvNVk1EAy5GjE28pni9CkdentbVRISy6hSVEzBfYm94nEcKF3glUTIbIe4Wr0IRQCjWs99Lrt9g7IrdXWXrMw0+HaiPqYtr65Vkq9GtkFMnYOYuoN0LyDyERpnuezibjKVDQm4fJmL79IqeDIJGji62ST4ju2BPwuHeGBj4Du2BB69GRBnoPjrfI57n0Vf3cq0K5l/M88GGa8NzfCOGgYb/awevlNT3dLzrUc6hvKv9UKKLhJYxDg0/yMeFfKLw9AOEBzTxf2qsaCnLxQvSCIh/mVdPx6uXTiu/N4NP8Ylz9LL1VLj+mGacrw/cIPQBiiqbUK9PJBF4DOBKsI3Ua2GkB2WyDznhpz/fIjhEYFBdwbJkn6Ijtzfye7kOTt4kab7w/HgxcHBeLjN2GAwGL84eLG/f7D//PlwkFQXDu9o35HMWHKly1XxpiM3fAtZfoWgd14zFS6kthPkDsY72y9S+uLgxQ7b2R28eJE8Tw9oupeMXyQvduu2djT5ilZ0XA9rQSZlnQsEyN8XTIQrN0pOFc3BCM6omJZ27UY6ktLcvrGlWMbpOGNbbDLhCa8i7KTKb6jbB4jOS53IlTXPPRUpbI2YkpmcxwuGK6lhR133LmjGCrG0HplmckyzFl7w666FsGXsnZs6ml9Yxgd5r53w1TGX8YQJvbJQxxsc3tVGqVoHxZD5w16vxEgo0aGIn8MpBEvdiLHJpmROzs+O/5v46d5wbfCqSMWMpNZ8nLEqmVYX6SdIpHVD6q2NNp85LGgyY2Hg7f5ghZpep4iIpqgoR9YVqwftj92AwsyiSzd+33iLoOIW5KVWW0D6W0csy6jamsqtYX+43X/RLCsGt+uSVaHwZ5lbkNFnESYjv3x4E8JdXoPhAiPiQSXhVTWCmy8YhxsV0vIyS0zLypv7t2C/+/Kxp5hGZ/YGzPvb2zt31fx+wLubziHa1gUgXOnu5Hl9MyaxiW9W3vMFlMyM1h/JqaBVMRfiEoN94ttLooq8R9LiatojY8XmPSLsF1OW94go4evfaEfnL1Xky27jajUxv6H1WeIyYNv9Fz/UIgAJ0zXXzVn01e3OxqW0fz9Ft6swoaJyF1Y1eV02W208vD/phyM83Yr4nLu7UqvmAV6lkZ++gNq8E2MVC0MXmjjiwakIN5plE0JFwLddVcExHxQqF4Ps9ddawEWB4FapKsuZCtNlqul9nhquFF24WxmAJKqmkK9rjRxDFagigEe7IDrWMisNw5uzRlZegRkj7BNLStO4Ef2WLsiYOV8uYqZQ0hojkMvJoT52tGetgxJ8EcDwx1xs6VD2eZNsZuFPqwuFD8NB3/7fcL+FyEvIZbsfV2yoG0xMzSzoo45Y7NjgvV50V2VxuQklln+Oc6XdtSmLAvtpXCZXzNrANFtoDt1uZnIehsypWFSbROYMGszCZfIUi/xSFZ8h8hYu5oUXctyQqGYNdzon6ti61AVPuCx1VVS4xbx2l7Z4sInU5ZKFs76Ns6q+va/LLAvNr6BUF2TFAF5dQSaH26Yv0p+OyDaFU9I4HZiDTLOs2pVm0bfWdn3++amdG7KZYany+vlYYiMr8B/tNi7vczxssLF4U2ts7BZUNrDDzWdUDm3H4uxA6Mius5cqmxJv6zLLK6Lk8M77R1GBnjG0u8YSRyEIXE3m41FY6ADrTcRy3v4HDkCH8TJ0BVWXICJoPvy1u0fDN1+/hbSf9hv0kfZTf7Vm0n+6oMS602hdOKnGnA3PmdVC0bGGniaXO6CI5jnPutT9JscoqLLH9tuodivRz+6vli3BMSI0PSluX1Nxc4h/0t/+JPqb28/vQI1bjaZ2HxQ96XLLY+tRC/yvJNOXx1YxXSrJ7F4O2dMqRhE3zIoEP9O1Y4P16jUxsn9f8O9sJXU/V3Lwy3UUrt7dvi9wLegewtmtXJF5C+g6KbpBHd4TVDh+S8B6Y/BtxjDzIN5WJ+Datxe3B8P9zcHe5vbOxeDg5WDv5c5u/2Bv51/r94TazBSj6XLd6e6F5QsYmJwePwQZOChXGDNz4HZmmuHsm4P7As3N9yKRAxsFmBuyytIifN/D4tfIV8OVL6oDtWIU5YgKTLcZs6oM5sswZHSxjFAyVnKuIeve1wx3QHi9AEoN0Gno1p5B5R0RuuItvx8P2mvVL3mpdqvLwziX6oqL6WVoVPl90I8lEwd61GOzYZO11LmZzNkWzXjClsbSYxS1AbivL0jD1N9aTIbg9CMSgoG4v6GIa8DwGARYAOlRi6fPcOt9f7LL4+fbSSYPwfcjd5YnjAcQSlW60ZRr47Di8iM+xN/dp7frr5g9HgbwN1mgNB9ZMn0gpYYu3ZLvy7p5YRnfueLGMJd+Maaa7e+GXieNPF2/QNVeYJVkfc7MP2hWspNP4Hn7wKZ/L5lauO8anb0gxUIXSOOyuokGRWBYSsYLMsqKS/vdqCqA62uZQ6k6X5s9jDlmxjBFFEvkNVN0jK0QoDxlR7lve/I/nPx0+er03eGHf+LKQ4XYthfhX39/VR4eDQ7/8fdXF4eHh4fwGf/z47LKDmwxSp+76kJ+XjEJ7HOJCZ92e+EaAcznrotW23oWEEE1lAWHMETXm7Avbo88AWCrPc3FNCom4Z4PRAJTkmcWyef/6gGyT/777PDd8eX5vzZcj5JadxIHAw8ZjATuDroLDzgl+71kIsGukm5CIGA7+ttf3lycwlwwth8OaoOFEa+pgoRikkGcAYf1vQTsWiuKtmMe//r+wzES9MlPl3+3n2qgR9TXLD8GRM0SntOMKFYopn2BPfD3kdHacG3U4d5b//fa0cuPytCPiqWXxhQfx1x8zBe0KPrsE1v7z9J2EhDciu44+6Kx9f1Ggeo7JrnGq7q5QiSJZVcx49erWMDheKzYNV55BSeid8na+drdVP/25u2yAF+xxQrg/ZlfMyxByK+dp11O7EhtmXf+/vXFr4cfTj6+hbr8cmI+ehb+7uLjEeou/8BMwo+nuVVoXvOMkRNw1VsCfQ+T6o9zLiyglu6WN3ybGcgPsnwIGNmx43iQ3aqeHQ5OaNyPo7ZxH78YIeGYdyDm4zEbl9O4k+BdmaIRnKsqbYfFQJ2MbxHIchBXylJV9zLoStVXt+aShgCtZsaK8JxRAa3hXK8iahgp+LUEiUOVLEVKKCk4gxaiHj7Lx7zsgtAdPABCIM4kdUFgbZVkLjCWW2Q0wa6hFMoj+jaFFzEIbmjsNQlFGZAX5D28015JJzmBmCJM4arJo2zkKlJqKvvSNXsTZOSw2K8azR5aBpkoZkIFB4uhqigW072oW97YX52YQU9xX/ug567T9CqK8IWeeyTJODTC8Y/aU+Jr/8b11X0XVQLNUzBsenrm+baRFfS8GFW9ZYxVFxBpgDHqylGdnhGj+DWnWbboESFJTkE1i69hcAOTUcXSnlX3Qrg+muol7Y/7ST8d3ac+QLGE/txdjuwwC/1tT8807rEUUZ/Yunsoypl4aF3dQmLBgCiyne1maO4+vWVWuwP6wX++5dzaZ+I2zqEHMy1M6e5/+NbIcArtSQulSUL5Dzq16qgFQLsGvnAD1DBCM6awvin2PRYSIsSu7mk4IaFwrZy4ChNA6240rKEcNSdgMJcH3BW7rbcpIoSmOddwWxE6VcosXA6OStpKPGbk9Ph86/TsvPqhXjPXD9ld4rZUmUsp0D3CRIqdEkJNXTiNVVf0k+MPG6EArmfYJrkH6SfUsOmDmvp1ovQT+EoRKGPcUEgjY6wq4gqMVFXEAxES53SpsCBdmL27d+qhMSwvrI52GjH6N4xeLa0Er/z+IzYMb92BBFp0FO/x0L3IV5lMroiyto02IFCgHVlCjt+dY+erny8uzs7JFrl4c151ZlgWAysrmXKIazw9xvPINSmxiIq1f9w1DLiHiSwC+UEkuiozz/OBTsK5F8EMB0vHeVfqvK03EYZlgMk8FRRY6HKE8eb90d8uj9+dX1oquLx4c77s2lZ9n279Q+0OnZFWabn9qjjgwEmSsPNBIsRbGn61aLTDW2UDuadzRGCVqfV1Xa9c35itj/3zqFlfr9xEQprqGl/PddYNPmJKMi6uYD3YLMkXLQC3ryuSi5sWubN8rS8Qa91NHvTLrS0m+nN+xQuWcuzbYj9tfdb2WpnKVlXg7V2DcjWDJkAZTxY9lEFQ/BxDnEHsWC0X1NUKLY1d79ptTK/KWWcnGO9kuPQtYy5fozxdFk9l+UiYH9g/UoVQZMAR8MSq8ryCtnMxN+RML8UPw4g38MXhYID/v7SZutILjRdRWaAtotg1103ZOWZ21UA7YF24lN320vp3rCkqO9hoSXG+XEMK91xHq0pn8NnfRNRjK5FCuO2ZBHXYFfVXbEqxta9moIjqXvQ87v+Yh/Y+NINebuDXVmmlG7+WilwcnblRscBu1TQDYUsYv67C4Fxww2lGzv/5znUWeqY33I9uUDtgBQs6R5EWg9bRnMkxyGzRwscPFReI2rIJTd3gYMk7jZfQxJS+dDg2l2EqJ2thvDVogGGFTjSsh0I0AIemVeFnZw/4CuftJp/e/MeKOxY8MfUbXE0Rr8M5Ec5rE6ClVEa9ViuPMAdz47dSJNWdV7TO3dtdg1WoFdK0hpwAC7bbuIll4xvG0xEOv+WXUPdB4xVdmqZEs5wKwxPf781Vk2afkhkVU9arMXWuQ0FpI8k1t8vlf7ColqAgCVNwabjq1en9CyrMMbEmkh9T+JLWKEjQweBCA9rwLCNMaLQ7qbmp26JF2IRHBTNoUShZKE4Nyxb3uciL3pdVKU5YsRMb+uLGBHcPtv33DCYf82kpS50tkJrj/iIE4xo6ZMVCfVAqyOlZj1CSytxuALhkSsE/ES0tnfQJ+WeFWZrN6UKjg6susum86oyHdD/quy9GiLK6jiasFlWFctISzWGU+aM+L0YWlFEfwRr1SMoKBl4yIp3OQKSogOBWnDZC6lT3ly4Xe1NU3ZV4dE3QaQb1oKqL4LQ0UshcltpXIAS8V18HAH0RNNeT7/D83YaT/tmiKkeiCaPJrPIpICpPoZkk65DQe8P9F80112pPPuo07i8sN1lDxU9STjNG3rypN1546La2ryAQDon6VUdgV14XSQJZdHurDuq1uJCw74Dss6JsCA2OX3c/PjXveWrec3+QOjf0qXnPU/Me8tS859s07/nM3jnr7eY5rb4xRxg2bBTgJqdn17v2i9Oz6/1K+WzoW1+t505Xwx9BTf8LAnnrF9bMdIYXJH7HhgL23n53eBHsb3f/jjvNrDqzkhSKX1PDyPHbf8U9TOtnBay5TNKUjGlGRQKnNQoESUWULO0hbiDZrrPd6/XLE5ljBEB/1seLgi/rk3zmGiR/jg7XyLi/u+Xu/bLtHdpvInFMm2KKpZdd2uMDll2DlKbpjGkTTepxhHP3YCFFwdIAcjn2SmfY8qhkay9KB4ThnMU5kYqsTaTsT0GD7ycyXyNck7Xoc/MCP4YRXYpDyvCmLdzwZAnX1qJyFcLAxs34lbtMgCEyXU4m/FMYEZ6Buo4vt7bwEXzCWlIbfXKBSQZGonvgE8+DO3q8wKKjC2LoVbWraBNnVBti5pJkdMwyjea3kAYSkrErul37xZtjHfIH1xLZL686euVWyKiRhJHFJWz/V6AINpmwBDLJjCyc5uL28Bm7eHO80cOQCLQH976wGljEob7n3Y2AooJWZO/Gw0T8FvE05w3DWjxWGALq+b7JBkjmJoqpNmI52oHva2RTaqb6q6WY2O6qMu9DhkoUwiFychPHoIK8OT48s6LgEFd8HIaKSWW9vTqWU76q+v9WyScwgddM2mk+0L+tQ1/8Lt0vdsHrGvpPuIq6fHJLYdPDbMyUISfQGr5RCx9wA97Ub0aAGFBbOQXiIr9B8xkXMHTxRPA7bvmEpQ5CRThXaBTHO4GTtYGYUb2qIsTrDlPAd+w8kJYW6ovGmQeYkYgMShAqpFjk/I+oKD2iMHz8BWsH8QkZwSqgrqhyH+zqRqEcKjRnh71qZjsIKEVUhWuIq0rUuiGGM6zAxHrfsPbKJmkFywtgaEP1cGbxN2Nx56FcOLZ9mHLRXnTE4yjwuEak2F9jjkLF/qs7enW5t1uBRxP/JhW0z7I2S1UMPaWGOuDmVJNEZhlLTFQQvbsf14SLFGkvnIRMTrU7Aj5TM8wNyfKuXcvycTFWzFjOFM0uV8YG10/8HDEr9AlfHvxnfAI+DfaJa6M3Wo1yUyAesE0xhKkJTZTUmigGV491D26QjdyAcNJTybRVz9oa1wHdnewNBpMaMlZydNfbYiDkQwiBGQMIMSY2VdSE7QQLxXXE3+QEU+CFTJlzH9aWXEXswv1ZIBjQU9Oag9Aj1r3SjHUtYmDcfb2cXjFNuKnK7cecutK8LZ1agvSloeFgCNai2noiuT0w1tbgSZlRBfCGIVnOjS8i1swoeyeNCyNzzHgXzBV2Y6x6QeO5rIEB+cCyhvYqgTEKWLuGeNIFtUf2PSc+rDSBjxb7oE/RtE1v6c5ztsfGEzagbD/ZffF8Ox2zF5PB8PkuHe7vPB+PD7Z3n0/2G56klfgya4qXJ7aqgaXjTh09LGvZjxGVhpMJchmuCzh6oVkm57j9KddG8XFpImJ2Y7jUb1VCMnwQcharuq4KoIPCZ19oQ+HaIHi+qhMigtM97mON3yZUwwpOrBHHE3fPoXaKvFbQLFyfZKU2rWr0Vhd9xajRXYOgJekEHKEkkUW42xwetRs5qvQXvFsCXbeFa7ftyJV10BWL17HpjludiGTKVhpQ8dREA0nAlA0+E1GCmUvkRbWm5P5lzxW9dmx/g2MaJZjG9/7hsl8fW6xOpGK9aBP80gNbrOIhY69EhUGdOAmQ+YsvfrTlaKnBkiMQ2hTVAED4LnpxtmGdUB0N9i0Idnod9e4IJ1kyLdbXK61rRq99KyaRsML4PkxuNoQYUOyVKweku6cS1eGsTpmRcKK5mJZcz8KuVYcSjrSVF6QsaqLeyTmpLagk1qrd7W+HF8G092AHllAN3+BCdaqpGIynng2yiVwh4NgtKqcCU9Q061AT/HybA/efRll7HV00e9DILt5exPEba/023Y7vJSfgxYhqIE0YbN4OfbamJwQJHSnmfiXRJCd+g04nOIg1jtwYVLEGdM0TegPrnXvNaVTjqh1Nkmu/17Zjdf2I1/9R78fmNyQk6dVsi/auVDzYSJJJeUWoFUl4A4sZIkW2aNoWUQu4wN07erX1t/u7sZ0FuXw1M6v65hYrC5+6O7PTJwsCVBhq2qqrhPWRohTOO5I343Cay+B8lCmGLlnyKcXwKcXwKcXwkaQY4pn0dW8qRvIN8wwRpKc8w6c8w4cB6SnPcHmcPeUZPuUZfld5hiAsvrs8Qwc1WWWeoRPtd+TX0cwlpVWnVobUu84cu+hqGzGKgrElpo8+5/BGdPS/EB+PMOdweaXuKyYedtD8N088jFXNp8TDp8TDp8TDp8TDp8TDp8TDJsE9JR4+JR4+JR4+JR5+TyzuixMPobMDAuMCYhfVN7cExFxVekuTGdWaTxY+kwnbIEK5RZokEivPQH0rnIsY+kkKmXsXklcELMxvuVGMHF5c/I+jv5GJojmD0qGdyYhQf0MqWGcdEDc7tvIPNTa5CtUcwRZ0Y54en/fIu59e/9qD6ocbPsGBQrdIy44cuBg5wTX0DU0MT/p/BSh8jVk3Yly00tojTvkLZavc/jhsoF26xvOCJmZtoz4LS2ZA1P2/enOsWnuobOvnw6DTFRdg24D6RpMZFIoKpRLBp2YgDOvpHKbqwQ4licyLjGvMOppKmnnwomqSwrICa2tjzHVt4x5xyLClX4FnO/yGKUO0f1IqqDAUqkuiD9eTT02txX2G38NmhBxJZk1pyPuD3SKvw1RuLF7zMxOvw4f+rpCABWW1xDSU4iTMKvxYKt8QLqbWnjXcqi9SEcWMkrpATTqLgKXTKS7PV+VpnPy3pxcfTtzRqhtjSMork/iWnjma24jMGjV63P3Tlfj11ZhiThAW+ZYaxT+RCxynXh20F/dW6ZNn7FM/1MGjxtDkqp/bMaEOHkKity4OB4PdwVaYYKOJNXygC19fSfMIeS7L465CV8xNvz7ukKV14W7VxSIv4HT6epGlyr5TDN5rhErf8ELjaxzpwBTreMV97j7VYb0PjlcPjN66GO6+eHHbuba/34C2P4n1W0uK/k636Wa144a9+zacZWns1nSLFTGX5bF7rzECrl0ZPW8tuBqy9+lfRaGsdFz2sabYT2RSau8IqGrU+oKQhBvNsgnoZBz6vUDRymxB6LXkUId9M2WFmUU99ye17PxP/b3BC6+sM2VQUYNqfuweHbQSXsxWVpH/HHsN+Wb+rhorTolklpYqfO1SciOUthjem/PLk6Pjn08uP5wfXv56evHz5eHJ+eVw++Dy6NXR5fnPh9t7S7eNdxUuItytCAtnJ283facsbahIN2kmBavtmoRk+1AK3sEGrvNA+mADYZZlXmLdz032KclKza+BQY7aS7pMZpSLEdFcJM4DHjdSIRg2wDthoaRkxnU7b+ft6Wm/v3RX7ZsgWRGKD32bkRjX0eStbPka9ivTZgbZmTfvxWftQZUA7XeBGhcPqV8mm3ClTY0s/M2YWUgwq3YkiOHazmx+3kbNqJ7183RvRftzVGNQYspUoaxErEo0vz3eIykHM1FOyPHJh7CN9YxvuKC3xMl5jbcsNNeGicRFl7AoL/ghsQ1NL5JlIUhVbQp6Cqt+b2VRMAW3UgBfzSMyeP18/+j56+2jvb1Xr4+fHx+cHLw6eL376vWr14OjFydHn7MnekaH32xTzn8+HH73u/LiZOfFzvGLneHOwcHBwfH2wcH2/v7R9vGL4d72cPd4eDw8Ojp5tX34mbtTSZxvsj/be/vdOxRwGN0x+PIdqkbFnXqYc7N/8Pz1/v7+4WBv9+T18Pnh4OBk+/X2cH/75PDV7tGro8Hx9v7eyfD4+cHzvVcnz3dfvd45ej7cPjp8sX18+HrpjvRujVzrcmUqz3F1Z8u3yLP6fjn+jSUh1I4Q+E+gyXXKI1d6urVLTQQevfvx7eIYQ2IfpDTk6LBH3v/y46mYKKqNKhPwrV4wmvfI8dGP+cInkhwf/ejzGpZH4G90Z1Vy3AWJ4Kpxla6P87p7qFapnsk55mwWTFlis0R2fv5mq1K0CZlRkeoZvWrHSNNdtjceHqT747295Plw+/n2wYud7e1h8mJ/TLd370tPQppLOjFLkdRNHb+PqWFbFzxnsbIMjUVdvfOaVqCJkJDfxNxhTe1Rjs9mR5fy9e3B9nBzYP97MRi8hP/2B4PBv5bujBmtdwxXQb/igp1utPRihy+eDx5isVjx7YGTCRpty7QkCc0yyy4FOX936riqYVlWK6ePsZGZ1Ab4ipEdnUMc9rgmFJtAucCVs6r65FeL44hr2ydrjV0aLVqnzKK94O7SUJyj564NtZA/n8/77gZfP5H3RTiyym/JnlsMuWLEAS13MuR84fsIvv/lx+Nav52H4sO6LDB4c4km9aquxgXryk3TrTvUbHn8ZsayTN5ot9xgzW/v7V/+dPTWWvM7B7sdT58cHS/x/Hq/31/+sJeq2S531U4QO2PVpgVClXAbHnHcQ17oeuR1JfpolhTbe/tq6c40TBs6zoDwl1jpWMqMUdG1oFf4E5lktLYsPvHOLiLYVBqO1D6nkCeXMK0nZUaoiO64Kyo09L9yPjVBmEjUAlrXmVIIli1tyAr2yVx699pX3crg08PWOwg3S/vkjOHGupanUdIk3Dc8fHdY9YF+5v2YlnlyKrDVFdWaT4XlHHrLZHoTVmK1ebuGTRz3xh/6n2Ymz/5Cs0Jsehg3eao3GvaV6wheqe+ZnENkWbepzkK5dWfroDhvWpf5SgmO64YjFgjOzQvpE5WvS6Cny77boNKlycxVpX2UXkMH2329hu0lfSuv4U2QrFqurcBrGO/FZ+3Bo/YaOnD/NF5Dv1vfs9cw3pM/h9fwW+7KQ3sNG7vzJ/EaLrlDsbH+3XkN3RpX6jU8v5d/sOUXrERFVDP/G/gH3fS/0Z2VmaLdDkLXBfShHIQ7L3Z3d4d0vL/3fG+XbW8Pno+HbDje3Xs+3tnfHab3xMdDOAgveG4NuLxo+cucc+gxOAij9X6xg/C+C/7qDkK32NX6q86X9kw1WHIHC7CWpT/Z/UTmK2EBq+1/+66EuiG1e4teUhVUaV+PzH4vFZ9yQTNn33ZQQH976c12k6zawfAOCn3yP1iKRjhIv+BfAHdlvMy7lmjuancf8qEUTfxlSJ8TFX11c17UcVV01A/SXcMW0pj+YJ4fUzRplCynM1n600NJzhMlQ8Vllcy4YUiZNMusYWNN4GvO5pVlVSX8u0MQAU6iqxNEsd9LZi3WzYpIfHffORv73735NFFSmE0m0katvE27nN9LpqzgyWka1lFd4hnT5Cp+8x75WBb6FSa93lwsGSeu7lcd4jcIrq7W5i7I4A3dqjGxs5XHzEodYuSUWe0PNMMwZHWzD+95eYRbQZzh5kWFKA1Tm86rwyJMtq7Y7o4nL7YnO3vPn493dlO6T3cS9mL7RTpgA7b7fGe/id7QSvnbIDlM30C1/97fz/ZFAELdGriTkTOqS+XKOMAFn1DoWZdRKMhq0AG/kK3o5EILfYPBZLD/nNLBmL4YbI+fR1yhVFnMEX758OYObvDLhzc+/9GXGnUxCnBywzllhrk2+HDwfvnwRvcgDdI96TmWxcFYMbikTVI5F5YkJNHJjOWsFyohFNTM3PuSeD/eMgdttTdgnbLtb7GprFfdFa+Hx9bqdW+1zJmrPEsBnzldYLKuc5CfntnVblkUWrzi9dps0QOKkKUJVQbDqHij/9RF/ezYeKU/qlGDlTmn0lfiGLnQnisq2CKajghfCDN4T/SqUHsxc0m2/n6ndm4wy5z85B1qgDsNAS2lyhpVVRtDcI01OzWDuufcOI9nz+6ikMayQrWA/OkZnLf6+43BM0bhEmHBFJcpyUttYJCx5XVJVqYs7Si7gDYyPDxmZK0Q07XKz2FfX+vb79o7VDgJGF1am+ZVsZgH35UzqUxUPNUiBUweJKe/jCL6N7JYayBn9JcRGi31khQe6MZt3EmZPaAC9s3uNpxO8Fa/ZYFwGZLn9ki7C5HQ+L3UrDqwi8hXAsVBKxuHCzKy9GzHG0HsEHwvcOBdwXNNFLPWEaj61khW3nbwCk+9jmlcBacj3b7OAV7u7u5sYbXe//r9x1r13r8YWdR2zx/IP8EOrv8icplC5fiKzwDpa6IZEzXMtiuARW0VRKhGmkvBjbTqPHIAOQbJnQZhMGaW1TjC6WF9cqpjUqAQbIW6zTiGfRVuEBgmyG8llBaqDEfgXVaONmu2BMoJt3TDa2FYCpr+nOoAaK8m5zubg3wWEdnRbvi5Rl8F1TqimgePy7nhG1ZFvwGDWVVJhTNqZo25I97qELTWAGcFlcviilktOHZ3d1qcY3d3pwaUNaEWq1QSYAJHxKEGI8CLv7i4d9caYj16rUFsLdn1XyC7IJ6Xxg6IeBaoyY8KXdBahLTvwgmNLqqh7y6C3betUZirBfONSxOe6kWT4WJRTQkjYmElQVhemAoeAB2fHLm3GwXlax0gyJiZOWP1FAYzl6irNgT0t66WZlnwU6m0x1MqDY22VRHBOYx+M08EabPWkLt4C3L0slPvRHhvkFt1f8JTETjyVATus4rArTCl+Bc3fIeOEkNQc+74z3d06QPHXbODRK2mUugiAY+iegs3Z9k1DfaF8zPUu0q4S7aWPqClDrSrg8LYcYUk+w1n2klUX1mK5BKq1VB0EfPUm8neEUUFoZDv4xRukNY68g/n9ygB86et3/ctS/c9Ve3rrNr3Zy/Y9x3U6vvWZfqeKvTdWaHv0RXne6rLh0rGJZ16t2KkapDq2yUUDhzDqx1Vn1qZM1cgj4yVnEcxxbja3sI5vvRMzollZgLCvT7KDO3NEplbZTHY7i7KXgZQvd18Dx2BhUaVX4FruNmaW8LPZr6B082EuRKAKtS1gDqnE6p4DahH7xRuyJSIPi5r9NFc61v5B88yurXXH5BnuBv/ixyd/eJ2hrw/J8PtyyEaO29pYr/47w1yWBQZ+5WN/8bN1v5grz/sD/cCeM/+9vPF2zc9fOcnllzJDeKa120Nt/sD8laOeca2hnsnw90Dh+6t/cGuu7cRkK77E5rzbFVeuPfnBMcnz7yNpFg6o6ZHUjbmVPTIRDE21mmPzLlI5VxvtC/rwpMtuP8cIaD3BVM0KpzodUWwTny+bkjFVdBG5Ya2T0g6b+Vv9Jo1sXXFlGCrUutba8DZAtiYikDnN52Q3f5uf7A5HG5vTplgiidN6P8kJsENe+3D9tFO37S5/93EjNdWv9bO+vnceU6YMFL3SDkuhSlvO8NUzXnrDK82VbAF/LL0OBz0h01OuVpQG41Hb5GclrtH+tV1mQmm6JhnvpmVU7H+0frhZi3LKlm1gZZw79COqUnL1+OvdF6HpSxVkcyVGF6VwRM33nWkYQ2bONcQFmJaeKHg9wtVaX0pZxeU9YdjM3R3fTaJreNjEGR2rvNfzk827B/A8GgGD4ZBqxeooWNoga3Ia9egZ6Pmla1ujf5e0myhpyVVaR//7icy3/p9zsYzlhVbE3kJuQXZ1pWQ84ylU2aH3qot8NJX7GO6PzP5v/8OAwXA6sionv3PRmfc2CeteMdb2y+6/u81v661/9yjMENHWeJVlEisTxTSjWtY0IlUFY+pbU6lrsXhbkhTh7u9ybXWW61yhkf/OD9fFhMRxI9WPraw2ujU10YpHD7ntdWEpinH2ojgLIhn63r7huORXLOoMiTwsK0J/R3IPPtLcs0uwc98GQGnLxPFqGHpv4+ghHqYNuatnGGp+JNPhdSWcxz94yRe4X9a+3sqSE6T9+cEL0iQ7f5wu7/fiwO8dXS4FJIPZ0f3uJ/JRJmD+FvpAfFcNPKtRQUNuL5la9qHo2uLOk7HybIoWHHdYFyxYw3PTo83fEjN9R4uqny4bmFJMLTRJ6dxNKLpYnITuEG957KN16b0WJb05zNqLrm+tEeApxuO1ps0HkZv0frp8X869mhzezB8AS3971EoYLU1bw+JYr7b3E0MJtJzep7bYG5xzg2fwg8VLvxmBOpPG/vSREz3jiRTvjnmwn4Lhl0y5f9l//gx4HF/OLwHGi3hXa6U+HEOq5XohIpuUm0t3q5kOBge9O9DFHZ8wVT/molUruru5UW9sWtLwAMIBEFoV6Rlgo4ztvyCpGJ9q3ktsZhJJmln2971czsMBkoVFVPnBB30B1bjHg76AzQr4U9flWTGSC61IZpdMxVnIb6yKqZ2I8pra3tYI0kzrXPwugLXLjLJjUdKzoziiSbPsOgyuYYgT5WYjAmAn6ClbaH4Nc/YlLk0fxc/MEzhfYeNnquxX40aRwPsGGFc+9pUwbDQoAXjaQDThrsEkMiC3aAEdKhfXlUH0t1MXZWmjZamutffu98WM3HNlYTKLUs5Nb/SXp/EYN216VQsSEhvBSpxO9Qjn7ND4JrnikE1m0ewRYblhVSPaXcuHER3bQx4AXNqSkS0RWnqii39/8w9W3MbqdLv36+gvA/rbFkqX5Jssg/7VWInWZ317cROcp4i4xk8Yj0aVAwjWefXn6KBAWbQjAY5W/viKmvobmiapoG+wCgOvP3azFXyfOtiSw7/2FsTOMhfYr13ezce9ui8f/n17IXd7OXRmAos6NKNmV8SDvKJi0daZPCmt3fOVnsHaO+CpLSa7ylp3vuDZrM9mAJ5TEPLYzmptfqsMYIkQGIcY1wYfxeHlgBSFtfJ+FD7bK0hGEBXNndWFmCwjb05cutKyxa0RGxVQEbBFM1xgTMVX/dx8vnmdnzFswM0KZIx2ocfpPJEX25GKny+YJAv6oE6Ry2e4aJO5L+aMakMaGnCZARDM5IvQO9XgnBUkgSEU1q2oCek9bVghVs8gOB5iXDCWakM5xXjebpBRItlOi5oKcYZW8KdxUirIhDXtjJQ12Tbiaqekh9oXdSzHrQwwN1Jcg8UhdkETWEAbh/FkNxLGadCTwTiJMOqMpmjAuI42DLiJZmkJh3k4kgy5Dd0rwqt4SKZMa7+HSXmyKzvI9+rNh5nfgfcp8YbWhcqu4dyV7pAmPGXgaWU5zqOQk4GXMKFbg/VvanJkdkxfV5f/jA5NfUM6dtXD/M9FDOjc/Jf86JqEOOc1gEYCyxmv+krz0bjOc3Ukfw3JHhFfOxqLB5a5iYWUP9Me0fyu9UDhrNgccEukFUc2KmIhcbXYlp7bJK3brvOYQHS4Gy0EQenrhO7ZHAJgdhjWpQC2+NjL58g9ayCRQYW0dQIdZKzKrXyeyr/NdsIl4sUp1jgsEhf6K/KFkg8UDhv2mQNOE2n0GBqUMqWCSlLddYwEu6NGgDGC86kRFjHKRv6p76Mnrrlw32s1yBynX0CN141YnXcCRCnc5yRAGk8pyN8n6RHxydBbWipTyQGNDmrj9GKT2YqtGz+hN5JMYFGLE/dVWI6JBk3rlkCTO6Rs2DjTjlzaJgO2iN2N5l6QHX7wZS2WDoNWtuuH4faHCczWhBQMFsR0wBjB2BbWu6pYLqFNu2G2paqlvFtJ661vralw0lmjd5uGl7TIH6jj1KWPIKsaoV0Zv4PLC/1DZUCC7mt5rnKoADaSH2T67qcMS6maluwdpHZxRW9Ua2MNuy2dbdQ4HHPB/GUiNqa3Jq6YWY5DAuDBJm2gZTUOMOpgaZzFtRAqg3I7YjGk9NBPOgndHt1diUNm5W0zucY0leW5P9bffGsDNRtaaDN+hzVOl11YWwkV+7nVm7/UP8FkEyKB+ZKq94WJDgyusYRUPl7UDz1vvHh9MatM0sLY/SQpByv5zqv8E/6CRfrSrfy6GMhG064rE4esFnSN0+N5ykbTnrbx94HyxF4KLLT3qbLyvF9RfM2yfaM1rv33tGbs6PDt3vbdefqBgEF99o83JGEpSS4Drr6UgpORDLbvjOGinK1L9a1BD5W94QXRMA7hpbDP93fAnjt99rY8y03ixS5UtitVS1Qr2b1Ot0tc02OL1gaVjuDFrPDgQVTqfLbkytJVQEdHkvpmqXoy+SsTUj+LRc4eb5BWYxtYixtqfwdiRm/vTYxrS5/2VkxO5+nc7xY0CLTbfd+2XIVOT3WG8kcL9pdBn989Rr2j+u307dw5zmBlPolEc87xRbvholOySJna0hn8qyELd4NhKUhSB6q/NmH7CDeQLrHDoolXKPtJRs2+nanq/DqDUbrcru7XNc/BPDqj3ZfqQ+1oX3A4kaDNgHytK3ZqSmMyRNJKuG8ZqKA6alH/BfL2SPFI1wJltISHirs8P+lvqIz/WWN3HbIOXn33p4EULm7sO5HjXLTraBuN1ZXTP67xIArNeOoqd0x2EPdAcddM0yTdl0lbyD3ASczHX2iEkzVziG6FJCOpCYUsv3UFfl1IZZSYC6qhXeniVQqg7nyS6kvBYVOoInnRMiBcf1WBfMGxf2JykOhfpD/HmjnB+ga3HDjHELJS3XpPbk+MFdLIO40PYD4Mni88roEV92iBM6EWahz1y04S6tEDGckePPVa1ejkWZiPbYustHi4pH9uaw9kPcdyi96SDuODwMpK1jDajt8RxZKxKuiUCVNwv0wKQAHU//y+VwnYZZHFSCnpRV60sX0pOLb1waxVL/VSa/M+Fa4rEVcHylxJWakELVPp0pQZNTaihY5y6wi2/sGP9wTLPbC2kqHrNdxY9+UCzz6AC8V5yzbeIubs2z8QHMydnIFhXisX827Igt8zrvvGJCRzmagUpVRsL4LgmTKdoTIKRrCdbI6k11QR9kVaEyW4gnQNl4P1ItHI4xLauwVp4Lo3aO37xyv0H8uzm2eKc/1Vg2C3YMg60FohjeKntSZqyCBn31HkrgacQGlSTxp3uY1RquFzVSid9cTtH8BGWrZg6jn+ist5emwSFFBVoS/GDeyZ7nBqybVn9zA9KOaeqLVztLKnQg+l0RAn+40zPRpnis+2tIguGxpcbawwboF5M5e0rTC5vFMip2fv6iP31C8BCJ54U6Gs+o+J+WMMeFmzlhUfMFKUqrEQrCBmzy6pnS6qlUmh+YIXa0U5gvsZrTTD+YuItlRSEuEs4KpvMj3OZk337HqRYyCBtMG6XuX56antf++7kNrTbvv82gGPhyO2IVugfCCOkaVXdLOqujom5mpegZBEsH71uRqglWtUn0kjKdqFur8y7oAFebEw7m3ogXgzFm2V9+4tYcrqTGO9kzbjBa2vYexhpFNJJwja2YUrTagllJS0qzQWtp04UZlej8+PDzx0DhNjg8PD9trGtKdeuvzwJFoPQQPJfXzoCtNaTo1RlcNdBAQjcFWMrQ9dLofBx0cVesqHburQZpXcwwv7/naQ6jshVIbfjD/DNJDSn4ZdV0PrwxcxOFE0CUV6+lW9zXhbadHSN+hLGf3EJvdCpVv1WwQTs1/0zeQWw+lTjcNwHLZQaIfSPUN7hJgXjhEoImbyck/diJLKXRqVN4r0y3PqrHL2N2ga48ZGKCKB4Jc6s5ShoqdqnxLc2+qOSTFYKWcQXR1FaAitatK46Z2yzv/jf0uwAVAN9Wv2z4Lht7sRMlQrehsHJXsTHNTNXW0kK2jJQXCQwWZJmAod3B4WbMKBCTBC6GOSIp3sMmwwtjnpfKz8VAJFlIn9YkJnL3uLOvugI5kaIruoNXR3YHfN/j1+M7JXX2A7kmC5Zq2it6hIDFWhcJJC18EMM8pOCnrAbCH2jAaNMPuRtk7Tzr9PjyakKcZrkrI+QJ5udiD2/V69cJ21ei84ata6WP0fo1meKmtsZLYaES132pjQJD5IlcJvYivKd0shrRAKS5n9wzztNS+cPCUNMoJ5nDy+YvdOxF97QsVl3PvvNPDNU4ecUYumypms8awmN7TAvN1BJjI4cn1S0n4pFhU4pbGUGdMXLA0DvDWPvgPAKxonn5tVP/aFvhUGofFcG6dMs4rEN534Gp+I9yyfVtj4QSm+4tIoph91orSGwIrbD6uIWBLmsQJpgU9J0XWUKjbI4jklATVUnKB/2ro4OEoaBGDgtNlJO8kJN8RNJbt8stXPFxWPhSCr09ZVYjhoE+C40nxwAZDfsQ0r3gclx3YSF59pDmJ1UUfaYFzqUiqcjDsp8buuh3UJM3JZL7ISV1APAoFKL+4eZ7MF4SXTFV9PydLMlzKJiYuJBJ88U5lDIyAvLbJr7cH+5OsI4XrHJdCbpOfGEujgG9mlUjZqohDMN/FKjlnGSs++Q/6AyAnkXD6RSy+y1EmCWwwsWrgAj/ReTW/ttWsrglPSMTiuoCsilFjV6A3EdN1QYvn6r7CdDvjTIh8FzTxk3FJVlqEIiTQAkfNwSVZqfzTUcvmkqyiLKVLNpf70EfIdlckw03jS3jBHAx2lac7jPYqT6NGe6VfFeS+HTVJ1zhCkTuLY8ft95qTJWVVuetJwuCJBNZxuOe0HL4+49fXLotLw8ZNn4aNkNNr7515AFyF4wys6wpfs5wm6wj+/vsh2pb9THAZAQYaAMcSvYHD8PucJY+3bjaXreFV2s4oedKw0V3Xlpm6TYgyOgwKeAo4jbmCMRhiJ49mBRYVjyBsICNPPzfwlDIcTGAed8sVd90TOzrBFnG9VBV+VcHAOKlWGGJNcA3+pYy0Qh34GFP09iaiz7eYZ2QXnikEUXcXCjT+qOTAR49cPYzuMPLo2bbgUZMNFT9wfkMgdjxm/OyRFB9yssTROviW46KcUyFIqjeE4cs9lgGxW883xh/LSPNTvT/FgR3HgZ3Egb2MA3sVB/Y6DuzXOLA3nWD/14RRj3QDn+pj3Ens47lyGlE1emjbDUZnz3J9gwKPi7p75aB+D3weNjTsk6JgJlvj2sk42upcMsNF4V0//tC3fUXNONvRRLsrqHf92hlv7NZGor4qYkWNTWJ2HA31Y3POsvLOhM1BNo7CuHtan7AAJ1Qffqx86XFOznx/spxlnpcSpJ6pmcKlXvZ1nJNFFoAtC7Uf9pF6RGfg/qk+KdlQ3xtGZwl3JoLiPF+b2noNhJzgZKZdVObqpk/Pz/7x95Pj7x4+4zfV9muSnTr+/vrl927fqhe+ZwBMNnkSjT5BLap7gg6Ds5ljQdLpP9HFx/RJTiMsAg9dwgrBWQ6LAYqgPxDOYUGPtQzByIwbkKpTLWZEV4gSs8aCcV2BgD7l6M5hy52r7wLBiovEP5M9u+5SFJreDEphoVtcPipRVq0gLHW9UO5gRtOFxquiIXKm3Zo1VryAkCRR18OGWrG+P7CHLWdZRtIAX0x8xTTbLtrv7xGtOh8HfFSdby2lTXuBCXtZBAbkFELdabI1jSmtq0+e5lQyXjs2fq4KQefE3FV1Mb74sT5pgc3dUdRovylOjNf1UyTzA1LkqNUXgYEJXD7+yHUm8f+zV5kKD9HJzhVZHdXU3kn2WYEWnPg+aL6l0HSBhYS0ejtVJpxxn+tYDGIGFsnwJdHCWLvetTD9vV6EaHcvQsetL8A6XdrKKKqdZNpWyBkdjV6Njo9GJ69eHr08OXx7/GZ0fPjq6Nejo+Ojw9HRydujkzcvT16/HR3ZdKpbsMTIj83PZjXs/s3k7EUdmZUkrCoEwmXJEgpbcIsxIFFN9YpUogLfw79gkACO5Uu1Lm4mZ2DVAQsP1H4ORq0tDdbwloQPqoacdplUP0ke3xkXQWMiMXW4t8ayU4HA6eOaVagOSnQ6bHsrl9PN5Kw8QJwsKVnp9Z+hh4ZfUaL860tl5OjiATo+QdcH2CQ6Wyr2joltV13yJy08UV4nGuVcf4A+1vX/6soKGwTM6evmooNe14V/BfT8G4lOct7f4UAPl63rnl0MjFunGJANQa0F/GftJEv1mU8nzyJlffxwUmjpiDcT0mFj3s5JhhMvRMeEDW8Kf1MNSIlU+kjmBZW9Hj/phNuMqoogTkyQSRQPuJa2CoqFHzsJWlTkr8ZAi5Q8WS/g1UwfGu/qiOXx66lg01/HKqRKR07BxQYRG47J4eBh0Z8SS8UcjW2YT2eyqPYxrQ9vC6ATfyiQoYdCCKSTRuN+qgd9o3Un5sYNUg/mRutOzDnLhrDEuyzqyf5VljgjU8I568s+B23GGmIb5PqqpnA9Nnq63rzd6cG/6fKgl8omwE563hm7h4TXthNr6ITagzwE0kdDH+e2JtA4YnaiV2ewARIaOhx258u0h64e1E7LboxwYBjMkeY5o5NG2MLeRMmQCkP1E/JMoZ7htAH68W+/mzSbd+IOJSnYiNlv3In3aZ73KbRQ5HcT5/8CAAD//wIJypI=" + return "eJzsvXtTHLmSOPr/fApdNuKHOdsUD4ONuXcjfgwwM8TamDH4zJ5Zb9DqKnW3DlVSjaQC92zsd7+hTEmlegCNTfkxy5zdGbq7SkqlUql857+Q3w7enZ6c/vz/kCNJhDSEZdwQM+eaTHnOSMYVS02+GBFuyA3VZMYEU9SwjEwWxMwZOT48J6WS/2SpGf3wL2RCNcuIFPD9NVOaS0G2kt1kM/nhX8hZzqhm5JprbsjcmFLvb2zMuJlXkySVxQbLqTY83WCpJkYSXc1mTBuSzqmYMfjKDjvlLM908sMP6+SKLfYJS/UPhBhucrZvH/iBkIzpVPHScCngK/KTe4e4t/d/IGSdCFqwfbL6fw0vmDa0KFd/IISQnF2zfJ+kUjH4rNgfFVcs2ydGVfiVWZRsn2TU4MfGfKtH1LANOya5mTMBaGLXTBgiFZ9xYdGX/ADvEXJhcc01PJSF99hHo2hq0TxVsqhHGNmJeUrzfEEUKxXTTBguZjCRG7GernfDtKxUysL8J9PoBfyNzKkmQnpocxLQM0LSuKZ5xQDoAEwpyyq307hh3WRTrrSB91tgKZYyfl1DVfKS5VzUcL1zOMf9IlOpCM1zHEEnuE/sIy1Ku+mr25tbL9Y3d9e3n19s7u1v7u4/30n2dp//vhptc04nLNe9G4y7KSeWiuEL/PMSv79iixupsp6NPqy0kYV9YANxUlKudFjDIRVkwkhlj4SRhGYZKZihhIupVAW1g9jv3ZrI+VxWeQbHMJXCUC6IYNpuHYID5Gv/Ochz3ANNqGJEG2kRRbWHNABw7BE0zmR6xdSYUJGR8dWeHjt0dDD53yu0LHOeAnQr+2RlKuX6hKqVEVlh4tp+UyqZVSn8/j8xggumNZ2xOzBs2EfTg8afpCK5nDlEAD24sdzuO3TgT/ZJ9/OIyNLwgv8Z6M7SyTVnN/ZMcEEoPG2/YCpgxU6njapSU1m85XKmyQ03c1kZQkVN9g0YRkSaOVOOfZAUtzaVIqWGiYjyjbRAFISSeVVQsa4YzegkZ0RXRUHVgsjoxMXHsKhyw8s8rF0T9pFre+TnbFFPWEy4YBnhwkgiRXi6vZG/sDyX5Dep8izaIkNnd52AmNL5TEjFLulEXrN9srW5vdPduddcG7se954OpG7ojDCazv0qmzT2nzEJIV1tr/xXTEp0xgRSimPrB+GLmZJVuU+2e+joYs7wzbBL7hg55koJndhNRjY4NTf29FgGauwFN3VbQcXC4pzaU5jn9tyNSMYM/iEVkRPN1LXdHiRXaclsLu1OSUUMvWKaFIzqSrHCPuCGDY+1T6cmXKR5lTHyI6OWD8BaNSnogtBcS6IqYd928yqdwI0GC03+5pbqhtRzyyQnrObHQNkWfspz7WkPkaQqIew5kYggC1u0PuWGvJkzFXPvOS1LZinQLhZOalgqcHaLAOGocSqlEdLYPfeL3ScnOF1qJQE5xUXDubUHcVTDl1hSIE4SmTBqkuj8Hpy9AZnE3ZzNBbkdp2W5YZfCU5aQmjZi7ptJ5lEHbBcEDcKnSC1cE3u/EjNXsprNyR8Vq+z4eqENKzTJ+RUj/06nV3RE3rGMI32USqZMay5mflPc47pK55ZLv5YzbaieE1wHOQd0O5ThQQQiRxQGcaU+Haycs4Ipml9yz3XceWYfDRNZzYs6p/rWc90+S8d+DsIze0SmnCkkH64dIp/xKXAgYFN6LdC1F2rsVaYKEA+8BEdTJbW9/bWhyp6nSWXIGLebZ2PYD7sTDhkR09ijO9Pdzc1pAxHt5Qd29llLfy/4H1a+efi6w31rSRQJG967gYt9wgiQMc9uXV7WWJ799xALdGILnK+YI3R2UBOKTyE7xCtoxq8ZyC1UuNfwaffznOXltMrtIbKH2q0wDGxuJPnJHWjChTZUpE6OafEjbScGpmSJxF2npL5OWUkVnOIwNtdEMJahAnIz5+m8O1U42aks7GRWvo7WfTK1kq/nPLBUZEn+Kzk1TJCcTQ1hRWkW3a2cStnYRbtRQ+zixaK8Y/s8t7MTEG3oQhOa39j/BNxaWVDPPWnitjpxHN+1t3lSo0YEnh2wWj+LJO6mmLD6EbjC+LSx8fWOtQmgsfkFTedWJ+iiOB7H49lpmwOg+u9Oj20iuwXTi2Qz2VxX6XYsxuiGDFMZKWQhK03O4Uq4R545EITWr+AtQp4dnK/hwXTSiQMslUIw0BhPhGFKMEPOlDQylbmD9NnJ2RpRsgJ9sVRsyj8yTSqRMbzIrbCkZG4Hs9xNKlJIxYhg5kaqKyJLq0dKZQUer+SxOc2n9gVK7H2XM0KzgguujT2Z1164smNlskBJjBri9FZcRFFIMSJpzqjKFwH7UxByA7Qy5+kCBMs5s6IvLDBZ+sIUVTEJAs1dV2Uuw63d2Ap3JeA4VhGVKQhXDqLONjl5I3wdCN7tohvo2cH56RqpYPB8Ud84GoXngHo8EyeNdUekt7W79eJVY8FSzajgfwJ7TLrXyOeICaCmXMZYjlid1+9IV+UjIGOpQu+TKc11fSNkbEqr3OCQzR8be/A2WhPM18HDz1JaGnz9+jA6g2nOW7rEYf3NHcrEgXvTHjZPj1Q7AuSG27OApO+3yR1BC95UempzSoJiM6oyEB6tbCiFHkXPo+A44Whu49Jqn9Nc3hDFUqtXNVTXi8MzNyreTDWYHdjsF/bxCDI4gJqJoDLYZ87/cUpKml4x80yvJTALarulYyGdqdCsZEW7xqRe11FgM2PawuGkcY8lo6jQFIBJyLksWJCPK416hmGqICveVibVSq1ZKzb13MqBIloL1Hj03M9OD8SdnbCgB4EeGCHAHUsLlpj5ba6niOFHjdYRkZ/A3l6VrixC3Ki1AsaFBe+flcANAH0MNSxvyewZrMavkKYzpBWscL/W4UR7E1IwPOF4G36eYCqEw4OiGs0yollBheEp8H720Tipjn1EeX2EQpTnCDrIdkaSa26Xy/9ktXJtF8oUKNyam4q67TiZkoWsVJhjSvPcE5+/ESw3nUm1GNlHvVCiDc9zwoRVLx3don3SCi4Z08aSh0WpRdiU53lgaLQslSwVp4bliwcoVjTLFNN6KJ0KqB21aEdbbkIn/wQ2U0z4rJKVzhdIzfBOYJg3Fi1aFgzssiTnGuxWJ2cjQv09KxWh9mL5SLS0dJIQ8o8as05MA8Nhza/njCh642HydD9O3BdjRFlTyhRWCa+FyKxC2yFejeOEl2MLyjhBsMYjkrGSicyJ+SijS1EDASq927Faikr+113gVCdPd3gE1WRhmL5HtI/2Hi08zdcagPxof0DrTvCwuDPpSAJZZ3er9nYagCFhD6B0OB6O4yeNOWdMJik3i8uBDASHVmbv3Z03VkdgNO+CI4XhggkzFEynkbEiTNaB71QqMycHBVM8pT1AVsKoxSXX8jKV2SCowynIyflbYqfoQHh4cCtYQ+2mA6l3Qw+poFkXU8Ae71emZ0xelpKHu6npHJBixk2V4X2dUwMfOhCs/jdZycHVtP7yefJia2fv+eaIrOTUrOyTnd1kd3P31dYe+Z/VDpCPyxNbNkDN1Lq/j6OfUOL36BkRZwNBKUxOyUxRUeVUcbOIL9YFSe0FD2JndIEe+nszWJiQwrlCiSpl9sZwwvc0l1K5i2cEFpU5r0Xb+oZC8HJSzhea2z+8hyP1x1pHIJxKE7lxwX/D0e5QwAU5Y9KvtmuHmUhtpFjP0s7eKDbjUgx50t7BDHcdtPVfD2+Da6Cj5mDqPWm/VmzCmoji5T0whAeaxHlyFoQ0zxHhsogpC42x3pDjXYsnZ9c79ouTs+sXtfDZkrcKmg6AmzcHh7dBTRo2b5O08dJ7rG/BzYVVL1FLOjmzEzmdAQNTTg8uggJOnrFkljhrEs1jQwFBbdMbmhqujXBWIp3TKrVgfhQzkkuakQnNqUjh6E65YjdW5QEdX8nKnugWxu2iS6nMwwRcL+Roo3i/1Btjw47/veADddsHyHuNVZ/h258k3W034ejsyTJC5+37ceb24Dbit9xJG6ZYdtknVz7e9WaVmzmfzZk20aQeRzj3CBZSlizzIOtq4sXRsP8/1T4evKai4ZwuOpUKwkiSGcj2SSqLFcI1WYk+t11PGE7jXEoZM0wVcBWXiqVcW10L7CgUtV9wxEIYUTXJeUp0NZ3yj2FEeObZ3Jhyf2MDH8EnrI61lpALtbCUaiQaDj5ye/Xh9TpZEM2LMl8QQ6/qXUVtOafagF8DY2lQMRfSEFD6bliew9ovXh/Vzt+VVCbV1Ur3Lq2R0SAJI8tL2P4vQBFsOrUH+JrZWZ1M4/bwGbt4fbQ2Qm/OlZA3wlvJGmARh/qRN0cCikpak70bD67ILvG05w3DWjzWGALq+b7JBkjmNoqpN2I52oHvG2RTaaaSYSkm1sjQcC0VmoPt5OijKhiYSeT0No5BBXl9dHAGoRC44qMwVEwqq93VsYLyfKDFWfGfwAReZkm6AEyrPO+RJL9Lw4xd8KomdkkwHSgY9JrynE7yrjB7kE+YMuSYC22YI7EGbsDO+tUIEGYfngJxkYPF4HTjUKYu5grX513lYJHcKHNqrATSQ6gI54DqcrwTOFkXiDnV88G0dcQU8B07j+XJqVSKWdG3EfA1RcM4MChBqJBiEYePohAXkcp7zVwwyxhWwTM0aMMHu7pxCDJMpZjiXtG8MScVmb2SakcO8VHBfUQ1SExTh5SCDgZzdqF4PAX5q7G087mVttGqAsGFXHQXHfE0Cjyt4TmWFS4vOI79F7f7jTHRgCDpBf8CDEXAGTpVNAQf12GV6ADCmCSvTkBkErk1jHJK3jCjeIrhTToOn6KCHB9uY/CUpb4pM+mcaTAqRaMTbrSLXK2BtJTbDLhuRM5yHcJymiC4cVUlXEisYoU0IYiHyMponrFopjZkCBMlLmbTL8gTmKhfdQaxZmw4DloPBMGpbnKv8tlhua5BdQh7iIswBXPtcFx/9aJGEM4FQbmx44RnIdDanegFyfh0ylSssIPZj0N4sb0H7TFcN0xQYQgT11xJUTRtRjVtHfx2Hibn2cg7ZYD+ydt3P5OTDEOhIUigajOXroD64sWLly9f7u3tvXrV8nOhiMFzbhaXf9aewMfG6kE0D7HzWKyg+xFoGo5KfYg6zKHS64xqs77VsuC5+LXhyOHExy2eHHnuBbD6Q9gGlK9vbT/f2X3xcu/VJp2kGZtu9kM8oDgQYI4jTLtQR/ZG+LIbKPloEL3xfCCKmbwTjWY7KVjGq6YyXip5zbOlHNGf7eOCs+YnTPzhjPN+6I0eEfpnpdiIzNJyFA6yVCTjM25oLlNGRfemu9GNZaFRfKBFOZv4Jx63+DqWGbvUfCaovTob97LMGDlv/HL7BX0xZ5q1E0Qa4hrcdBMuqFrApCRMqpcPOcTg8HtEqImUOaOiD20/4k8gydIShAWOcZYOFos+F9XT9akZVbHVMOwt8pIHVRtqqsGCXg6yjLuQti6WgdKZstdGakV1BKUnDr1COdyliczstZ2qRWnkTNFyzlPClJIK87g6o17TnGexR86qUarSxs9HXjN6zUgloqgtPIb+1foVfz7r8cOwN1STSqRzll6xnhj/43fv3r67fH968e79+cXx0eW7t28vlt6jCjMSB3JcnePwDYYdSD/wuzoMgKdKajk15FCqUjbC8O9dCqCRLXNf3nE8Vs+NVAzl03gre7aHpPOmyfrvdk8pRPrVr9/2HqRhYeKdD20ageRq+VitNYIo6uKgpMgXzRysyYIYKXONUWwUzAyQFcPSK5RNkQ47JPOwgwzE+pl47ec7aGKBK6XJga6ZsiJfRujMCuGRNjdnNQ8Vpilp9h432kD+PWdpGcTUFwcweUfG4c6Iv7wjDjg82Iz1dFGYnXzeKMOwZKldjQMyQIFE4Ozjzhsnp/EgUXJ4dFfNWV5GVg1QdNCLF4bWToUSC3uzGh7MVsvcWEMaHurF86wp/PGCzgYVRmOhCiYLIUQIkCW0ScVzY/XAHtAMnQ0EWU1ZDi46a5mZo5T1u6ePUtfvSF5vi+kwq8sDb8w74HbUi66jJIIcijQ7lCCKo5OCCjpD5s91TQgdIQpT5iM+EoUcx5zkqPX1HbwkevTu0HRkuNHTEHaEbvGNZuZ4z5hRNPp9cejIflwc+rcYKN2I814qWjrcMq7axCNFS4dhIWr6KVr6KVr6f3e0dHwwfVCNKy3T3q8vFTIds8KnuOmnuOnHAekpbnp5nD3FTT/FTX9PcdPRJfa9BU83QCfDRFDz0s4W3/T3hA2zRrxwqfg1NYwcvfl9rS9iGE4N6CHfVNA0ROlGxhm3UjDZ1LgxkkwWgIkjBiWGHn+FQ4RBP0Bs+3Kx0LfS8tcOiM46EuVTVPRTVPRTVPRTVPRTVPRTVHSb4J6iop+iop+iop+ior9llvbZUdFZjteL9369fg0f7y7Lu0zEFcSb5HyiqOJMk2whaIFqlEe5pJmvfOyKrIJJxv38hoqFq1IXF2l1JaMkWdFzCkmOjXlWXIFcHz6Lhh4fSzepQjV8CPBgBseDWvQ0zz3qpjLP5Q0Xs30Pzd/IES5gPefiys23IM/GSZbn4zVX+M6riFKQ37jI5I2u3z9HcN9iZM6zcaJl33vvBf+4DjJbZ+0dWBpgLHI+6RuwoOnb8+Vdgc2wvOQ7intrQf4UBvfth8G1t+yvExXXWtlTkNxQQXItRD/FzN2CJysxJkW2OxBDfHO0i1M8CB49p1sDAXT+y8HWp0G0vftiOJi2d198GlS7zn47CFS7W9sPg2ogDt3Qdp1w074261KaBS21N3rHPB1aHUlBMq6vusfmiinB8ufbiZd8l1huSc1Qat1PVZ4jxHaSztpbwB/uf3CC5QesOf18+8MnLQgsjCUVi4GWdRLKzuA0nQ0a+WSYjEBrjqLkOVuHGNdHvYhLlkSADb3alov8ExZ7RuM4gvsXZ4e/7K2V/viru24WTn/gyl4kz5NXLzY3k62XO1u7D1ii7+BzCWsdNNHNLfRziPX87ODk9CI5/o/jByzRNdAZel1ums9Z30o4jR8+Hhx7NRf+fhsUVuRNK3cjIFggRKOs/tHp+X0WiJ8asbZ2wqPTc/JHxcDSYAVVKvQNi1p32d9dYrYTWBmHZNdQSrmuee/HWpBScQm2hhkzWEkah3WDPhtnQkOa4z48P15zTXQWfpJ4dLA6+1LMaC6r2xm5EXHaEDqs0VlCdWybcDCgWH3DFKv3Di2nXOM4XSjx1fHaQyKDGyt+9Jj11QNBqFJ04ZGBWHbvo5uIpnMHBtGu6rliplIiMmj6ZniuDFgkMTAC1u0rtnAoq+N1/d7gFmjm+7I1wpEnC3J8eF63zXiHJdxxrLmV4aGtQmwEKOrl4I9+ckFu7FvHh+du+HYEkt1mS34Q9YR+fOxaAr80Q8rtc57MyYEhBRe8qIqR+7K2CrhFFVbjiztoje0sYwscpP53lsF17RsZWWErDEntaCkIK9z4No5Uk1JqzSfob8igIrm9+WltKnFGQx933A8o1STFjjaNOPYWRSZpTgeLWMecfYrROWFDfG5BhhTDofERxpRgYf8Oszw57QU9qtswiIsboI24I0YstDpFusPBKBZN8HF0+GrJRKa97wWyrIFheZTEA/q1dwTtrc3E/18vFoaMW7xoOuEtxUXpyi3QSYll7nWzcRB1xhA5JYenB2+O7YGYMIss+35+zbJRzJxWVzUZo7OkZjEmyl+QwjdekkoxXUqL4mDZiwaBc5mQk8CrhDTe094e0zc3HEN7Bh8sP7Y3D4PGpJ1tubm5SW4Jw/A7Y8wyLufbApUs7iEzB2LIrsFCajk3rBcQ0LsJ3uZE03nM2NkU+FIjz4LrlKqMZQn5nSnpc+gLsNnMXSgqstAaf5MaaThFT1x7P50OWMfgYl7XMPhEFgOk2bQYMJoxdTnNfXPIIczfcGfLKdkmOTOGKeCSODOBmRuFSEpsZVQXO9gnBwcjcnE4Iu+ORuTdwYgcHI3I4dGIHL3tkKz7uE7eHdV/NuPHB3NP2x2yS8PYvdhNTTWYjeuWt0rOFC2QAkOb3oAE+wiIZZhcEw0EWWslr/NxkDnoHg1qe2trq7FuWfbEFT/64p0nSgo0l6MYhemwzhx9xQUE0KEA25BpSWhpGkcvQS9G43FXN4fBwHIcBmVkwAw4CeMxb8XRr++P3/2jgaPAGb+YxODa/LjbAvWSe4WDBgMf8l6EC7EFWnzvBXNaqyCTkGK9VFwY6NeXzim0tFaaPJuwXN6Q59uQeGchIFvbL9ZGEe1L3Xij5uVBQ8J2TEyntLRnimpGtjbhCpnBHB+Ojo7WajH8R5peEZ1TPXca3x+VhKSmMLIbKiEXdKJHJKVKcTpjTnfQKKPmPEq/mzKWxSOkUlwz5YKDP5gR+aDwrQ8C6I85n8aD7tiwzV89FvYp/vWbiX8NRBGQPyQxhElAxastC26BdQvBDol2GYUbaA4qoUusAKCBEYaZRjVqdDXZtuvcShxWgDRGDZzXEDacjF57rcdYGSGJCEmMojyH7oJMcdkv+PYj/Sn6GNnfU/Txg6KPa/r5MgqC05PuFioODg6akrHXVS8/J4fooGOiy3NycmZlOAa1wMaxaWPcsjH4H8fe1Odoh0+nPK1ysCBVmo3IhKW00sEyfU0VZ2bhlaOYUAtqtFUK7VAOrIQcfzTKt/wD+KIKAx5Qg+3PJQGraISccS2uQst3boI5C3slZOyjfbuwVBIPjSIBvgS/M6o5hKiFEevmeiipWOF2Krt1FYN20zadNL/bam8wSMJfQhHwc/WnGp6+hVigBnQDno3V+HAEA78P2chGDtFWJgX6a15e0MOwLtcTOQgglGXGr5mG7oWRa6HRzhAeSxWLQ6UyocMoU4St7SNYFooaAG/wd+6ABhCt+aGNOWChZMqt/5ks0fqaL+wQWspwrzhtDU/HWkIORAb1WlMpasXVYbV59m93VHh7vtXjHE/o8NJg+A3V9dKGC+j48D4X0Btm6HpsrPbVmZw1evnCfve1mVbsj4orlkGhs0eIcDg+PA9+VLjHAn7tYjQxMiFjlurEPTTGCH8PRs0EQTAC1lNpg/UJIdo777QPJeS3ORO4Z7CB2LU/yGtcZDxlmqyvOyOpc2BYgCw+dc5nc5P3FaWNVgPvR8G1ObMs2upvyrUppdk/Lag+TTGds4K28E8873dL6BqVk81kM6YcpWSjENhx+GLpEGZoQ++dQS7iEsh3AXaNgMf32NC2QPkBn3NuoLJkUNAlZ1gC2aLZMwIIwk+pvYVu8PYJdgzce240y6e1ok0Fjv4AN91AyeWATDT6tNwJCOCdNrhhYvpDekgPBM7QdA8YUfB9z2K9saoxsDY0vbq00sVfIQ3qAoMvU2jenLLg+wGMWmItc/ARso+tfkZfSNANuzvCk+ZK5ZpgYovDF9jHlJV1pnHEKv5Jr2mSUzFLTqs8P5Pgjjj2j8c85LrVUfz4eomG4qGRb28hQd8duT84PJdeXcGag4qnDV4QWM6BfbTVstyyh/ad7G9iaAhWMDPHcxp4U60pvJaBM8HFwUWaV66OO3htqAmuMtC0xKweI9QUtxPVi3Dj+aGoT+ewVKaML2LvStPXDdadTR0VmpDW7sb0/m/Q/eLE7RGW9+rp0j5h5saK+TS0Y3byjLoObmaczDU4Z1DDP82ltms78DtxP7qxlIQ/x1JBbS0otpOTglFdKVZgFwAImu7DbPQYBPoaesUCDcdojsmjxnHBCgkRKkxDP203XFZj2rXVvuaBZxlWgCG/Uiwh5wz3fIzl5+xFN8Zlc+MKPANT0HUL/MiTH45wHJHgILXzamP19MYlvlw1/iWq7XyyroCjBwXBOx+a9feclSPUk8FCk3FYhIjeIidQ+hNIoBZB51R4vPpO6OPadB021zKMMSBknWbZeETG7tysw7lh8NWU52wdxfxsjL4j70Fp3AYg30dBK1gfs8yBwvpq+FeaqfWSam2RuY5hSU2ZwoE+zHZgAgwcpCmZWjXIypKHOKcvkoaBXqhhg5RKDe5IbQsDZcUZtNzW2IE88GTOmaIqncdxxO29qcU/3O6VCZ+RSQX1NlYsfNGInOmmUS2SyHPDlON2rSn23c6OycJdFkFMx94izsrlHgtjQtoENwvnO0PJmmvkWfki7kviZrSbMnad/l2KkWVj9YhEVxMPVpvqw/hejXPzgg2N5rm8sRBa3TJtbpS7d9ySIlMcNVYOga0J+kaEya5qWJm5FfWiulu3y7iPZ0o4cfJlGrk5QzQdLApyxUG/hoy4CHNRdUsfslVpFi6NjOlGZw8nYGpSiajU5YgoNqMqy+PdB+4PTxMrx1T2D6mIXR7ocaBP4UUjr5mCW8Zq8UFk8pIdj7eE+aBNlHPIyVF3G3Ze7Ow1kY8c6B5ekNXGiCZ+3WnAQTrtaNgG3I83VksNvBVuxSlXUUKNYhR4m6XOGeyJVPYzWFFKXrIcej/cQtMZtzJE6orn/F+oH2poUSLboCb+ysRtUE1sJQ+3OUNro5X3fDGeEI3TvlJOBCnslay5qVAZHrmQQ3MjSZjWHbQJ61G5kfX7j2kczSJ8pjVmLOUpJBS5Sjw5hNWgYBRbm1yEgou3RBKvmUQstsC2wKuAdNyTkLGbEW4cl2hBUkjBjazj++ohVldBLfY7Zj/6Xi5GkivGSlKV6EaAl+LD1cSqVasR0iYe7dWKJy6l+Sje2dq9G+Wmx1lV25tbL9Y3d9e3n19s7u1v7u4/30n2dl/+3oxCzKihmt1XQenzKz7gNK3ANNHACLpWwBFeYClbKjDYzOlTVoWQyl83WN+Lpo17JpezkdP/cjlbG8WTh1vESCfjLOratdF5TWURld/Ddlc12LDpiqWyKIBnQy62kCZYtmB4K/c05gZVLwTJFTKr8pr0sYYHJmuj1ENJJrH9legM03PZlDSdsyTCRdjeSi1T+LGnQlbrTS7Kylz6HwUV0kXCef2vMvEDVL/hec57n0EHG9DIVi/hHLmpGzY0Ap7AMG2TkpBPIdbtmcfPzKpNijkfpKmdfo24xj5e5BkNzC4yrwrYPeWd6iJMLBO0dduVUoPauU3aFwnSm704/fderAqA27sGfIZyAupiq6r9gGU9fqF6Tp6VTM1pqe3h08Z+M+VixhSE26yB84/euJvMSLsBFP1Ske2nkEIbZZcPJgMwvFrJsU30dT+pvr8Ofjw8+mJWvZMju5pQMj1Sxlow79Gd6e7mZtaETMxYN6l6eZnkItwJQBeBq1Kl+LWPwGRQfFTR3AWUGqk6EgbIFr7eBAgD4/rCiWXxFl16cSFfEJmmlVIsSxynrG/iXMvO6A1pKp6gYBR7ovu8ZUzwsfd1VImfBAGKaHrTqwOfCKdU2tOFSr9Vw7SuCisxCEns2kDbGQVJwd293jU1V1LIXM4aRT/sVSOvfFgA1/sNXJH/r724+hu/3eOl7uzdZGtz6/els6OveJsZfWN6rg/g+iRFF4076FG0A637Udq2SUhP8WJD/LPp1OH3XBcDcKDFFtrxIkecL1IdHKK13aRXg3bxwV5rQX6HYvus4npOaM6U8YIMnIWGdawVd4CXVnO0loyKayRzeePkcYsqgKCRLRZdcGRORZZDXOGcLcBVdmNVZWGiY6qYXTMYK+svUcwAhCiZ16vmBkaBkw5NYSAASxtLDDdzBmlqIaIdW4qCo8+AW3BW5VSFUPtadVRWuOoReXLm6n4Gp0ksUw0myOIsUY4JRD3DWtqSovOKO/UBFBTkVVVZSuVMNKkUKSsh5AmHRo0ir2YgCXQtKbVbnsJJEF56Rnn4AERBuH/XRv7c4MjjVvhZQxWsXRFgBrTP3yZnNrDuef8QeH9nmTr7aILxwJKzMFyF0/fekf8dUsMtSrSV2CEWhqF0l8n0MuphmHFtJZMMDKNYDgzUWWY5E8tqorfSv4vfgShgozi79rr0+BL3pofVn7OSbL0im3v72y/2tzbR0n14/NP+5v/5l63tnf/3nKWVXQB+ImZu7xFoEcMUfreVuEe3Nt0ftRRoeYGu4JxOK3svayPLkmX+BfyvVum/bW0m9n9bJNPm37aTrWQ72dal+bet7efNOruyMlYx+qYvF6s+ferd4tY39sF4GRMQiB1zLrwxIiMr9VgGX06tM1KeW6klGFRKpnyYdbg/oIo7GmwwnZllvSLMqTQuVQHFO5/eCzWfnSsgMvRnDRMlcgvM72pdfJZX+6ItEXev764WYkbQehctdngn8tomEi0wAv3AXgUiwO8FUYqhcXAJlLLy+hp5FtaGn12SGd7PYdA6PBdFMrdG0PXrimh1cmyoSxO0b7xP7ejRfahDxBUyZnkN1TniDV5qW6/jsBK3sXHI1k+VAnqq0SJcwqzj7GA6g4RcK91qLVPn4cN9uEXkMA3uVtcWsYPXKJi23LSWMvysZh6b3vetRDFu9G6lYhFEFlBCOeQMesBIJhny1YJe1bujmdA9V4lDa4PFDNzGdvU8xKf1nTM0IsOpwuvZh9KeL7SzPHVtzq/lLLKxFigsNS7WOijOK2b+TulpFEG0nJobqthd2VfusMB1f77QhZXO5saU2Ro2v56ib8T1OHIDt4vwhRGfYdmVUV2dZN0tcd3fQesHlVWdxGzttio0jW2ESoSROeXR9/Gdn4C8f/ea5Fxc+djqu4vZeRdIWyjwo2D1RPD58jT2ITscRiOQg0iCH4XrqJHIHykt+yCuWhaqGPK9QgrwrgAzDB4a7M3VQbLdXb2/seG6Wl0zkUmVpLLAnmsb/7K5CaaPZbVExfXVpY4u79uu82kuaW+M0TuurwiMAOKq4lJxjHBuU6h2RES0zCvQv6Psp/eaOWM+rAzM6c71gEx6zlS7GV+A/dJq9kvQ2K2LWD0F0wD/k2Uw7D0LGmFMgk4peKTCIjYt2WxtbvaYUwrKXQlLV5d2ISvY9qaB2x1VLDAH6Zg6Akg3/Rl2iBtnHtHMkpOol4FYc4GRcH1hyc2WyVKzP6olT+jDelScu4F9a7VbeC1EbrUehfBQhN87AsAUrjtuyRF4ZehVM4WcfaSpIVJlzncdVN/IPxl7J8OpDuazYJjuYOuaRR2AHqXNBGYwYrBNmKB5fhri1l3+o99CrniQ4sKIcU55lK+AT3kzt3f30ihc2jMnnTifR1V6U0gUjhF2AoJ33KzcKVGpFJprEwtEjjJjywdce/YK7K3r4C7fsJ4Js2iGvobjXM4SDb8n/vcklRkbJ573+q/rpIjYuFgHy2LNFTdFW8xtOqmQq/k2KfXRPDk6X0t8NlnjjSAXObIm3OrvNyLMiJHwVh6vQ9zDuKksMQjm9uVGURNhwd1L5GWTpg1dqkXN3W4L9Inc67hwYUCx6yKiCHRh1G7yW3wX9pz+WXeZHCAL427tobEkeyBqxmF3OCwILQsuGNHB3BRHcsVotnCU5C5rT+i1/Tm6JvEAeuIg0ioQN1w3VK00ZSVmNIdJfX4R1Cmg9vhLATL5yZGbfOW4UrJkGweFNkxltFiJsp3pZKLYNSof/vHzi5U11AXIL7/sF0XNTDjN/VPrm7v7m5sray022o26/cbMB2bO1SeGYEG0UtMy0IosWtHVZB1jsVbgph8hSWFcU3R3kFpR7cR3IXkiTx8RJux+6yhgy/HVDPydMrJI4KIg97BUdktB5nTatk/ravcb+4KhVE7hX5SdxmWVGqptyGpbexAwNhSY8xKZdM0pK3uEr5k2fOZX11S9l1AsBJxbPzSmUHCxnrHSzDuj45XUbNVO0L0GQlOIdXe5YgICb0mZ05Tdqp3copXUJ/6ztJNi4fSTYuGyrK2GAnNs7G6/3MpYNlmf7k4213e2t/bW915ON9d3aLqz93KTPt+bsru1F08PU+6M/C7G/Sf/+Y4Q9wMsTNqKh4bCHR3/EISaazKxclEzWMyFbNtfIXbOBynbsd3K/f7/BJVbXR0wJ3ZFphw44GDx9Vvko8D9ZyqyDanqxZJG1MvIVaIIdsPJAqc88XZv8qb2OvznTydv/suXTNR1vLe9ZHnK9FqCL7vwf2eF6Wn8TSHVmGWIzdZ6/HGMvMLO1PSguGmMxfoMwWT1NXVeYhJq6FrRwg/da1n1Jrh6KzWGbxlF0yswqaAVsCf8gxqj+KTqdDYeoEgR4j3MF1//4UtsFIHs+ZqqhaWN0G2G/MIUhqlBFRT2cU4rDeZLSGCXU3e3NLm1ZQvM1z7y8fTueNr7kF+zEdhyIZE4G9X9fewdBY0AYpcJ+8jSyrARmfMsY2IE4ZD4bynyxchxyBG5Udz0mA5X/3PFP7syIiv49Mp/fWql9afOEE+dIZ46Qzx1hnjqDGG+784QvaH9D5MdQA6CcUAYhLrRS4oLEFGHxNZ4vykspFH42mNJN7VA4GQuihE2kAnVL+/gb6GALQzjNhAlh6oEO864sFONncrH7VlhmoxhFeNIX8Vgf8zjwNrbwapnHx1ZTTMNw3lt0sMdV/Bu4auR9/fYVxw2SHa+ad3y1gWA2kSpW/31g7AzFJShwWHIug/qDLRyd1Eqjk3FebCZ4tdRdAQUuHRmh8gU0FnhxlwWbIPmHvNhpXa4SxzmcxfbS9xHCkRRLMR5x2qbhglgzIrl7JpGlua6dVlvNF2UPlGWTFlFFy+AhvkOrs+8r1X+4bJcCVAzYFMDYFlhks5els6uFJrmD1Zh9Ezxwl4E2O7y5Ig8+/nkaO3Oo7S6tbm51TzwtX44NITt3gE9LQbbB+CL9h76Sg2GvmIXoa/YKqiOxR8uOfPEjl3biL2gitxNhL+9Kal9VrZ3Xzzfe948LQUv2OWA1SzenLw5xjhqf7v47E+AFpTCZrciRbRRjELcyWRhIlNCpaEEgzMW3tzcJJwKmkg120CfNySAbhQs43QdLMHx38nHuSny/zw5OD2oWfx0ylNOc7Qb/9fIXRm+3FmC5YJ6csms/FGC3D9x1QTDmJjeGGK/o6X7TLtlGX8xHCW9sYQUo50LIlMrtgfqor2lRFY3X+xstkjoMyXSHoE0SJIUQolBdWgeswFLA5+2G2jhZR7q/fibso73N3FH6g7KfHHP9kUqb8RgkWpoPrYTrIIFRUHa3/330+O29/pqdX2glRh0EYv0k1FrI2FvsTRoR/ht6KdZJFQ+TPjduG3vn7qOPXUde+o69tR17Gt2HYtCefifDwzk6zF62UGsGAEyW6Qxv42Va+SeUMrHRTxwTVbsx55Cw1svnu/tNAA1VM2YufyL3FIXsBq8pyCYYlGAr/+LlZqDfQMJ9RlSYcYVeKgdJGsd6gvu5BBcMWi/ESu5gCHgPRgCVB0LHJVBfHbeshKg4HO7rSBYChhmjbs4gJ/dxzvCAH5mMq6VmVKlFpjEh04tWgv+YGrCDm2hMFGwpTdjPVwzVxleib1lobw4pmJjwCNL55A3XqcYWMhOzryLVCqnbKh1XVk9JdjGlyqhyc1iKP/Sod28XmH0jRRW72tmAmDsDBOD+btOG34uN1m3nrNUZk4OsLBdC8BKGLW45Fr2lJ1+HJThFOTk/G1/tenDg16QhtpBB07vJh5SQVvWbU/V94AyY/KylLHsFauIUsy4gYqKIiM5NfChe8L/m6zkUqzsk/WXz5MXWzt7zzdHZCWnZmWf7Owmu5u7r7b2yP+sfilVcvW9PYI+ZKglnNKAmpH3d2CQnZySmaKiyqmKXdfQTjOFCCvLbKIr9jAuRhLJFly5VGmItMZKS2SaS6lcyPwInXZxlb8wKIKXk3K+0JglB/mGI2APGCPS6tlYpzFBSCIXhFZGFsD9IvbWvegnUhsp1rO0sS+KzbgUQ56sdzDDXQdr/dfDPpgGOloOnt6T9WvFJiz9oc/O7e+v8MXtN5i9VNF4HZVq7Qlnh2d0HbzTco7EYe3LFxgftqdIo1hU8HiZsGDIDimYSyq5raUPFeT10cGZvUEPMC2z9p7F3USaLGQwIej2os+4KNeXEi2+GyFK60vxtxjnAFDyQ0+pIEefv/jP95QSnmPVHyDPmiLrnBP4neYzqbiZF6GyLFcu9CyKoWR55qLZsBIxhKXOsVUWhpq/OdodgQNjDei8VMxx64QcZJkHYxpCHjEC1w0xWUDCuEqp9kalJnDIjC2AaLvGehaQI6ZZSRU1MnQUproRXf1MC3qF8bMjgnlwc/r8cndr+yFNi7+0q+nLe5m+joPpS/qWwnmSulGb+xf/+c64ZQgSbsctu+xusDRUBsuoaENFlDx1fHgO7yZ/84fg1oz4bpwvTCpFXeQ51ntCEW1QNUGhua8YNKwVnTQtC+2cquyGKjYi11yZiuakoOmcC6ZH5EimV0yFTqLKpW78ezVhSjCIdJUZe1BVZpXOuWGpqe5NfP2UjX/bSrFuzNeRCD7uvbh8sfO1bli8C+U02jtPav6ave2OrQMrUPZMY/HVDrK6qm+7fcOIUpFTZn48eXve7fL1movqY8/YNdDRTGFEuPd9BYGeeI23pxdvz98GzNxjU5sxmXxDijSA860r0wjkN6dQx2B9I0q1BembV6wtkE/K9bepXNu9+RYV7Aiur6lkN6WugSBZ/cWNHd9IjUrBdT+DkCF941P1xx6yMSg29vy6hr5eK4T72IlD9yisj7Mep62iHBDHDR/ogEdfOo3mN3ShSQWvjCBX0FUaCEaHglHBxQwKX7i620xccyUh0KfRVt3tH/SerhSoiZUv+DaeMGqAEY3bWCjvwUJ/E0gQRnlZNz5s9V6i6QDI/cVt5m2zDkWjp3fSZ9R1EikzosqIGt8L/tEXEnGMEorK/VHRHIJ7wpiRLOfb20BlB9djPTT0qDRTiasCAl16M5byDKqtWXEUSKlm7tBVs7X5UidTWvB8qAiMt+cExyfPvJNGsQzStjM24VSMyFQxNtHZiNygONz1t+GTHbir/BFTmr+a/7Oj7uCuN6N0QsyD677WL/LS1OL7jfwnvWZtbEUFpgbY5fYacLYANqjbit64Qi4dyHeSnWRzfWtrex10cp62oX9cAepb2+s4gs6h7LbN/Y82Zry180vtrJ/PnWcr90k9ItWkEqa66wxTdcM7Z3jYkKEO8MvS49ZmsrWTNPvqDlZ2w5VXbl0rVoM/zGWVBWXc2wnqindOqsHgBSihPTbbScEyXhVjKKJzXbRKGzYsAcEm1Gish9XvwMIbu+BrOSSM2CePtKpOlEuGxd4WVXOObQpqSS4UFUAze3Pbnm/vNqe39+PXcrhA2MaQ/hZYHSsoH4qtW9WSwARe3kq6ANhr+JHD4b4af7YLXtUglvlreEroNeU5nfRkthzkE6YMOeZCG9ZiboAb9Ab9dT1+0SK/aedfBOeX9gO2gBiwc4hXPIHvgAcOyu4oDL1q8HJo3ugYlCBUSLEo+J9xN2lAYfj4PhReHMMqeDa2lIIfvPaN+k8qxRT3ql3wQGSuAngYttl0qYGnL9M8OCTEw5xdKB5PnfxqLO18LpUPtYXaEbXpv150Ixtigh0BgunHmEaAxS8XF2fw+XaH20/ebR1i/uxLUfNC1zmbjCuV+2pcmmEpThNh2AKpcg+vYn9UTD8g1MK/MJHZIomzqB5YqDN+tYncONq3BSaBWdvo3dt7eTuILuHnL3CRXjjjBm78nRj5heW5JDdSubYaHcwMsG8XEmsz3LF7zyywwLTmjFrpu6vSbO0879/Mgpm5HOo+XG2gFKdqpWZH5e2wqfOExcVtjQwBG1iV7I+KqYXVg0IX4EymVeHT38LYvvfvyomvXGp1q+PD856w9RkzI1JCh+eyMr1oggLXarDsr3du+LrwWoy5zm76jMpJLmeJz1hKZbHRgl2XUmj2xXkKTrssU4mB/Otylbtwcjtb8bj50nzFQftpjMUBjZVwehxVn19zuolTVy+o11+1s9mMtxjWiANw3WYV2wIjTZ11bpia0rRR2PCk8eXdQaFhgE4Pf4gLTaXKCBczqwljf0T8szkvaYi9kOqjWCmVK3VEhS/Mq9pFkImSFWRX5pJmZEJzKlKm1sKowWjDPoZ08TAW9KGC7kg9vfATaOFm6q4hbszQKSQMU6MAgfNjaSa0VK50e0kFsStaw6IhMRyJw08PKnpCp5aX5WjO6VA12gKJ4CzopKh3rFYvRz0OaL97gZuFst7Y2RdNaxaVXGiesRGRlXF/KJIVf4YWHzXqBS36zJLuxR/u4ZqDx+PW+Do5aiOrQd41ts5P35x1zgkhJ0c93G9z2QUOnYTp94LdThHdPHczvwf+OiVkFvOp1+7jHXGMR50Qw1BE2xcFLFg6p4LrgkSVAkMzlijZCjrL1GGN0Csl7Na9oY2d6dy4oes01BDz5VfD/FG8fNP8hPXYw0RYnd6PCZ7NuGz738aNhfi34laDnTr/rRUKaWARLIvH/1so4jupDFHUGcF9sd+/gdXDKtDww/HhuUPfA4IngVCbRPs4foS3vuOHRWSI8nGb1W3oOe2p04X4cv4GDeE5YSgFclwFnYh8uf1GkT9X+Qt7QFNDZpLV7QVgEHRJxE3HM8m0WF01oY+0FFEvJl/Nv6xMvJ+Bmizdh24DULIkNPOJex2sdXrzI9Uh0Y9vqBLjERkzpex/OPyrvrVo3tMDAIptNrfV0pIaYF8vWp2NcCJ3l0D5N6zAgrd8XS60AjKPS7LEo6Q51T5KALrzeNUwzAC3ky+5TNJKG1n0u52lmiUsp9rwFPv6JRMpjTaKlsmP/q8GsjCVHooGJDlfqhUBdCIMCO5gyI7S6pUSSqhQLrwb3ZEduNBdy3I8Ne3eUNGRaa12Z/vWpQx4HbWp4JEWF5UyNI5yLGM0XZrrL+0Vtjf5J72mvYipRDpgyYsOXtx0roLjXGYdVNyzv/Y09CxkmM6c/rgC44z5t+/USdv9zEH9jZ4IGzthU0ioKXNuMJfBkKpsNAcoqWr0xD3BqCUFlYcwl23shvVGWUReHN+E1f0VhSLWdsRmCX8WA9doJdhYhl/sqLMg39UtjIkt/FyvD+iEgLWQUideU8zsRv83E6mEoBmpiGA3wBes6FbI6/gQSJJC3daqbIP8uY1OiZauj6m91iYMbGtxaNfEx3mAde6z+51CAC04xt8sgkQZ8nPgIlzi6GGJffcVfrjsI+vO2XNXbSiW2uzzxWOxAvJY7NVdcBNzpGtO3TAJOcuZVU81Y+TdT4ea7O5s79itfL71YifpWVoypSnPfQOfx7aIrEYr9C2m/IQd2artKg7rO4jbINWrsjRkl+XOSLuaJhX+ygvdpTbDkPbd7edd4th+fieOBr6ffOcd9tGsT6hVBJZGVmsdQNQv+9biG8o9+la3tvmWxnWfvsWsHpJrskf+ViPnX4OkmjR5T93QzaobyN9D/wDXUgVYsqOeQCgw89arrZ5iMs93+9Da6IP1MNzee2LaTdnuPzF9zb9czy+L45phxKpKnRnbnrjmNIClts3t5Oh8bRRrJVat6ADvTuZM9jYJuxP00LfMKznU9bBPTat1mb0N7mpd1m7itlS/sl6eEDZ8yMyUb4EYmg38wqhLEQGYWW+hgEip/YqbH0HR7bbgdNRgLENDbmxyOo2+uicd3ZuBmzm0aI8uiko4cQzLOMlrFvoa1wm7BIWyqEGPy4HVDWuOe+KTMm796D7SwA3bbhkUOgg/IOe11rKHOi4HqMnM+DUTro9WNKuzw5RKGpnK3Kn6XkFXE24UVTwiHCwG65pVG3tYNMrIBZROc02LRiCQ0lxLmGyBikD9sL5alJFJhqd/jOzNxSZSXo2IubGynPKtzOL6rlbz0NxUTkqvq5Bj190wIpSzAljqIk/2FspCUae6uyUcqY2MaUNOzrC+lR6BI0KPSDTmDVe+qu436BmnvGiQVo8jcpmeqLc6IVfRC4neR5C4wQ8OOzKR9txAZJ/dliafHbvOofDmGISIsUW21Zu5FOF7xciVkDdiRMb+sLqfUFSJ+tnrqui5kV7sNRDgOIhZXA7msVg9wIg4aKaH5mAB2ZJ+ceTkDF16jpqoJjcszx2TC+vxx69OP2zyv9oCR6GnyTqdCamNvfkMFRlVQGO++nMYdpo36+u/ZlS5isvUhMiEGTfzagIxCZZAcj6bm42AvHWerdtLpkfo25+//Vd9uvPLv775effNPzb25ifqP87+SHd+//XPzX9rbEUgjQGsHStHfnB/+3t2bRSdTnmafBDvmF0P7Dmptev9D4J8CMj5QP5GuJjISmQfBCF/I7Iy0SfuykziJ9+JED9VAgj3g/ggfpszEY9Z0LKMWj8C08HLyykzRd0JzrlgR+FCiuwc8ZiBc0GSvSaQgAzdwTi7SRCGWyb2qJGKlEzxghmmEJAG0MvBVAPSgMD+F0QeN1k8cpg0WelayADbDbqZSnVDVcayy8/JJjw583HmdZtYd1yjn5y9rFTyYzfsY+vVdrKVbCVNKy2ngl6iOjUQgzk5OD0gZ547nKLm9uzeKu2en6wjcN0vsF571MP23PERuK98tzn/lnb8h+bQ+xw4GEg8p8z8lMsb4HAa/nLBmWHcXM68Q6By0Zl9a+rW020iWixXzfuTDE5OXE1gkthxSbPMcWPXa80yWX81XedUuIdjA6DPRkejJQwJNev//vrgFKnvj3Uu1v/ALwxFf2fUgo4c5FZWiGKmESDf9ITYiROO1kL4G0tznAD0EVQtz2SlozEBEM1E5ty4lk3ijgar7t7mdrL1B2EipaW2Jx/kLSs/tmI3WsrP74xdjchvXDE9p+oqWQsovy+swC4gcasb6DgB0rvBBY1Ak87RXzpuIFrBgPrvW6fM4WJuCyO4dTkPDPYYOq8B1ZLJgkhIqpMKaMzJvbquBuGPXXs5P0O46m98yhtglzS9Yve2jbzd3gSirhvkk4Rd926PuFv/0iPw+h9rzciJvv0i73YzYs7z6wGkrNXXLz2jrKVV5DzsYwKy5IjkwMv/SVOrw4XgjKBbfns6U0hCCHGmHuohUHjuzqrf7Eh8QH0ZEr6or2dnl/jvOE98DIkXc2sM53RhxYIqK0fEpOWI8PL6xTpPi3JEmEmTtW8P8yZtIX6gNFgXnvj2/ATasuQovt7E6aqerF9bLCYWdzuIwcg+UWqWjkjJC0Dot4dOC3QDn9/zPfpXuEGDm9+NAk87++jb+Lu76gtGMY+d5uglg95KjpeMQvF2LOzRMStip8YQSJcxw1Iz8uNjVA4G19074npTxncKpr3nsKG4btZeD6nhIdzHlxXEQSn0y1fQ8B2W2mryLsWUzypV77skqhLLI4BoOTV2usSXsmmXOfT2ej0iN2wCGiBn0JjfqAoS+xFdXIqNUsF6YVxfcsXLw7Xa/IM/wVZAdsPGIEUzgn87lxo0gM7QFqsHZ28canTyQ812An1GFm2KnT5vMWi7e8PHHPMpoWLhmRxgHdepA11oH2qJtKFr4f8OfMMqvA4WusyTNy725I+KVTgwOb54DVUypQAS8savUsmUaR1ZL8IwoZ6rYuD+SCUErFnJzOMDogOPD88fYIVncWj5o+uX/rgnLqx/LlGfqyPYwSQehWmjmg/tLmkRmcktY0Sa+FOKZuqtkQSj7/h04fMHvP2LkHOMxqeqaFic6qvG2cTbul0rLt/7TDA83+rzt4TnYywMNWwmFf+TBUiWvQFwAUlASfIUpv9gza2Dw7983H5nxd9nIH9nQd+zLBcv4TsX6TqLskx4KNuIY8PA5+U0+CKCse6O1REjw4GKeTCkNNSeKaoYBNa5y8KP7Oqh+65aI3LsXB31NXT05vcR+eXdiLxmM/uEVTHbGD2rJjlPL3EYtnTPt6fCvk+FfR8OUu+GPhX2fSrs+1TY969X2Ldd17d5qde+mC+j0/m07eGVOj/T96vVudGe1DryOdnXHST+5fW67pK/d8XOr+h71uwaa/jLqHZ+VV9Qt+MilUUciPFpul2dj05x1KZel3h21dHrQJ8Lo96j1x29+X1pVH5ayFYdklVXuem/44epBf/m4PB2ABrzDymlH9aZ0V0khM2qo0LhQbDhu3DnON47vNmI7p6zvJxWeVyjt77upnUkUHBWBAcCxWxJlteFbDCFU6oZFfxPlKkbcRFCxsnekPnIWMYypwBgKifClbOpIawozaIn5vQS4vPOf25sxFO1effDt1aB/Kna/FO1+adq848M/OdUmy+VzKr0EYv2ddJ13Qy33FwtEPX25mYDPs0Up/mwMdVed3eTOc28KVoMVpV/7srqt8usgXWeGkogYgLEwamSRTNmTrkGP1En1RCrXY+0KJlO+krS+Gh6Na7FvbG/3aE+TabhPyX8B25a+EPmOYMqNmg/sH/VQQk9OYIN7bku5xclaD0mUv8OAy9HcOeLggrTMlb1nt/H6TnpNyViiHUBkFpWgnd9dFD7+3tSKONxfCQIE4qncyQoCAFpVMwOeY2pLEoqvNRkxUCwpzaIsZXkGOdU6lDP0IqSkG1KlaJiBvE8U54b5qy9UH3ZC4lQ7gJCfgU86AXNAEa9nodUwPoKleKb4i4ZTDX4eld9TFteXKtvvgbZhmvqHK6pe0j3AoIyPf34kgP9ZCpbN+Dy1R2/S63gSSVo4eh2leA71gf+KhzikZWB71gT+ObVgDg5xtf4ctz7LPrqTqZd3/m382y447WhORauwuhbP6uH78TUpbt8x/Seofxro+DNQgKLGIfmf8ajQtGBMLQDBMd0gbD1WIb7/hVpdIkvVbjh1mblj7bjbk8e3Kd8UvE8uxyWGlcPXEpk767ZUw9Q1Ns0dfmQjiwCnwlUEb6JCriGlNFUFgU35PyXA4xSEBiFziCD2g/RUxBgujN9yfZeZdmLrcnmq729ydY2Y5ubm5NXe69evNh78fLl1mZaO3jvMWinc5Ze6Woo3nTohu8gy68Q5M5rpkKVum7W7N7k+farjL7ae/WcPd/ZfPUqfZnt0Ww3nbxKX+00de1o8oFWdNSMLoH06iYXCJC/LZkIdXiUnClagBKcUzGr7NqNdCSlwRW7oVjO6SRnG2w65SmvQ85JHfDf1A8QnZc6lW3d/hGdhxlsjZiRubyJFwx16sKOuiC7SjO1DiEtIzLL5YTmHbzg130LYcvoOxk1/S0PLOODLOBe+JqYy3nKhB7M1fEah3cFkzFXvI05f9ibzaMIJTr0IXI4hZglN2KssilZkPOzo/8gfrrXXBusH1MzI6k1n+SszrDXZfYRsuvdkHpjrctnDkqazlkYeDvZHFDS670ioilqypFNwYqaoTqEnVEzjyrx+H3jHYKKoNuotNoA0t84ZHlO1cZMbmwlW9vJq3ZnFCi5lQ6Fwl9kYUFGm0WYjLx/9zq4u7wEA50SuK5FEl6XKL296mAosyItL7PEtOx9YwWbJVb9oIqEnmIazUS698j29vP72pQ+YkE3ZxDtygLgrnThSV7ejEkM6hXbmUe+qrqZ0+YjBRW0rvBMXM6yzwTbJ6osRiQrr2YjMlHsZkSE/WLGihERFXz9T6q6Z16VxbLbOKwk5je0OUvcyWQ7eRUL/025/5j8Au1iPkXy/w2VI3ImlbGkT44/srTCP5+dHa+F+q3Li9VNi+QgsT1WZHXTNGzGlpZGvtpfRqiBp3jO1q2W0NVeodyZnBpyKFUpVTPZ8h6SGF70CkvNujLYA1d6RuMw6HtWZsceWPcIS2spFw9c1ovkefLqxeZmsvVyZ2t32fX5CtOXsNCh49DsKj+HRs/PDk5OL5Lj/zhedn3DOgjDovq8hA9c3Eo4gR8+Hhx7ZgR/t23RK3evPlp76qNdPX+MvrrbD7OUYcRP0e9FSamoPSl1h1WX+dps/wT1Jv1whGcbESm6Wl+N6udgcB/76UvotDo1VucydKF9EyicinCjWT4lVITdtasqOeaO2wdRLfFlwMB6i+DWwfTLWVFmQ4X/rh4oRReuihUgiaoZVFnQI7toBfQBeLQLohMt88owrDQaRdlB6dVwr0WyyRu6IBPm3FyImVJJw6ACq9Acuh1He9aRIdzHdZSFJ1xs6NDEd52s5+FPqyaGD1ubif3f1osOIi8h2+ZhAmNLE2NiZuZBVXfEYscGx96iv4q9C9uqsJlvXOHClZmzKLCfJlV6xQyhguYLzTWRwmrJYcjC3shhk8iN1ScCN4AWrlTFZ4i8gUKG4YUCNySq8c+dOo53hK50yVMuK123jO3IdTvLMspUZuxS85mgYJdjH7m+t97QRMqcUdGH+x/xJ4ywL+2QkJ9PwgxxjbA20KtGVWz1EyHHlnyDncL77IQpUwYNWr47YE98Y0RbvkVUqhalkTNFyzlPsXOOro9zPOo1zXkWZy1B66hKGz8fec3oNSOVqOsmuBYD/tX6FZ+nV48fhr2hmlQCjISh+XRcOPndu7fvLt+fXrx7f35xfHT57u3bi0/dsgrTVAbKsDnH4RuXM3jnoPKvelRJuLUyQPJSlq07ztLquZGKaVckqd7ons0j6ZzyOFT173bHUXaoX7/tPc9yrJwC5S9Yhpk8jQ5Wrg81arGQY9Mo0TFZQElXjdG7wJlYvkBjM9ofkEo7BPVZpx4o+zPR3M+zIHiEzzi2LI24F1qurWQ3o1xo07hiJ1xQtSCuqWyzZm33bNLGXtxz8B6Kp6KgIrtcsoHU1/HPNvfhpyrPPdzYsgpICe5L15jI3Zlt97uXesJcTvppST1I1DTP69u23fyscw1/ulzUkIfIOhRFVi25Z5kkfYhlGrD28+1xQW0pH6XvZgoZMhW83lyHwTrdA4OmwBuCleF0HM1XX2RTcgMh/40K6WCIhZxcDwgGIMDhef/+5Ghk1aJCCq/dkJ/fnxzpUXw/0qiudWGPn11qvgglprE0cKjcA0657qoPpdBGVanB/rGoNOQLN1yMOchhsCQsBSmVZYIpuHwKbvgsvmTPTo6IYpVmjVLade1rXxprCt1WcHnQN8DqkCNC7VWl2yFnxGdPWuxJbXqYbbqd7uzuZq+mr149f7m7tMuwPkPfLC9ZPtbjoKUjxbTe0JHuOM8t7HDzCU2nuzGQdiAUUZq6S51MjqXTmVVEoipVvSUpo25JEytuu0stBN/Wk/nzjl0nsP5tbESw/wAX7nEabble3EsQkT2KSZHtDsTI3hzt4hTdSfWcbg006/kvB1t3TLu9+2K4ibd3X9wx9e7W9nBT725t90z9FwkGW/UXCobxNSQEy381SV1AA3r4nYahiOYFz/vcLG2OUVJlj+3XsRsNYvx5uM1nGStujaYnq9CXtAo5xH+/xqH+BTzZiL59G9EtO/fXMRX1L/DJYjSUxagf30+Go/vQ9WQ/+kvYj9x+PpmRnsxIX92M5Gnx27cmDWMwegiKnkxKy2Pri1qWHgjWl7M9PRywL2idejhwX9B+tTxw37SF6wsZsZbHVjlbSt54UOT3SX1NOo4GsVmRpYvpBoOeMDu+vRYfutllG/plGs/eEbMeoty6ObbbO9sPBa4D3WNE1UNXcIe5VVL2g7r1QFCB0S8B661ZPlYf5QVrbKsT67t2ou3NrRfrm7vr288vNvf2N3f3n+8ke7vPf3+oBmTmitFsubKGD8LyBQxMTo4egwwclANG8Dpwe1Pacfb1pYsteqC5+V5kv8BGAeaWVGRpEb4foWKAfDXUlqM6UCumaxxSgXm9E1Y34d8PQ0YV7AglEyVvNJT3MaAxcOOA8BIoNPmhM0bSStmBcug+KCITwLL7UZUW8s8QNc9ZKkXW5Luh9VFVdpO5n28vHaruYLyR6oqL2SV2LJTqEZMrhqQfSyYOdBJAbzshOorDXBZsg+Y8XbrgZ8mS/yVJJyVL/rp5JyVL/uqpJyVL/vLZJyz535iAEiHgWxT8A3BfXqwPU39toT3k5H5DInm4ar+iwN2C4VsQpwNI37Sw/AlRNd+fJO3x8/XkZA/B9yMFL08YjyAi11UWZlwbhxWX+/gu/u725MefMHnRNYW1lOHzwv0AvoAfNEsnS6YGQt44VCcYiJ+svnXCFNZAIDeKG8NcauWEavZihzCRygyKaoXN+UmqsEDVXWBdW+qcmb/TvGLHH8H7+Y7Nfq2YWrjvRk2PP6RP6hJpXNbOO2hBhQ69cV5e2u/GSQh5kb41wqQyXm6px5wwY5giiqXymik64Tk3C4CldkfUznF78t8d/3z548npwbt/4MqZa2vd48j6/dcfq4PDzYO///rjxcHBwQF8xn/+bVlhB7YYb5/7gqM+rYY+xgRgnRu7vVA9DeZzVXLrbT0LiKCaWB4JUYB9b8K+uD3yBJAAWWjoxxOGdM8HIoEpyTOL5PPfR4Ds4/84Ozg9ujz/fQ3pIXYUBRh4KNxCoGSqq/OGU7I/KiZSbFTgJgQCtqO/ef/64gTmgrH9cNAjOIx4TRXUUSI5hPnhsKKCPnOw1pqi7ZhHv719d4QEffzz5a/2UwP0iPrabYixAWHKC5oTxVy4GnrOnrFkRsYrWyvjHrfW6n+uHO5/UIZ+UCy7NKb8MOHiQ7GgZZmwj2zlv5a22gDBDVTa+dxQkVGVNfcbL1THRXyQim6vEEli2VXM+fUQCziYTBS7xkq/oBV5V6Sdr3ON/PLvr98sC/AVWwwA7y/8mmErcn7tPMxyakfq3nnnb3+6+O3g3fGHWmPzLPz04sMhyi5/R5X+w0lhBZqfeKhnYgkUm9DoDzdcWEAt3S2t0nUKLz3K8iFox44dx+TYrRrZ4eCEAu/u27gPn42QcMx7EPPhiE2qWV1z5/4CORGcQzXWhDn8Hd/tarMUxLWwVPe/D7JS/dWddSJCfLRmxl7hBaPC2OtkSlN7QVPDSMmvJca6KOj5SknJWWqX4uGDmjruA4RPwQMa+/7UEbQuBltbIRliD8WClDlNoQO+vWGOD89d1AK5iEFwQ2sGtSfFzPOCYoSlvOvbSU4hrgumQFnB3Y1cRUJNrV/i4rkgY4fFZBxWcmAZZKqYCTFKFkNxP6CRKw/ng8uhYtxcahM61quRD3iqKcK3vB2RNOdMmBHxj0I3PmzHlPjq+NklLxNyMsV65mXJXOjayZnn20bW0PNyPMJ6HVh3SjikAcao68JzckaM4tec5vliRIQkBQXRLK4+xw1MRhXLRlbcC9Hy0VT7W6+2k81kO9naHT+gysac6qFKvx3kOd4RVM+ZRjKQwiJEecJykhWGDHryh7Y/NRepNKqXENBf48+NGuqicEE0N5VrwYcV5xayWlWWFHSlGMSx1fqWA4zQfCYVN/PC0tMzDLdlik0lvGEJyrJMuPQCAGvLtzUsl0Buf68riz7HoE7OetHXVKP1YE0x/EZCrKSd7XZo7uePVd4oMvbOf76DM9pnfB2c0FQqig8Gi4aLyMNAQbGoe16EvhJ0ZgV+C4CLjvYhi4TmTBlNpCISCsUJiYXKYGG1JuALw9kpovBJN9oNSOderkUVIAIcL2K273mKByoruAZ3gRUAlcxD1Wk9Cq05JTIycnJ0vnFydl7/ENpvjcgNm/ghSwwfx54P4YFK5S5wVo8IExmojyRjhqWYUiGsfGpZsmbk2fHRuzVXTTqEbTKTPqR+T2Xm7Z4ej9cnD4p6xj0WoLlmqVmVSbEIdXIRCAg3hb8sZ5AkVYyaqNBw2CtPWYEygCs16LuTpHVuqFp/HfeCva+KAPbmG8qneFA3/0MaQPHGDYVLdDHArqUHcliPhIAVy2Vr8vCxxL3IIAfGsKK06sFJJGO8ZvRqaf1rcPfjBTa5b3seYePdhns89C/yx1ymV0RZtVobkGVK6GRPjk7PMQL4l4uLs3OyQS5en0Ngukxlrpe+K4YKIz/ANZ4cIaPi2kdHW9XbVfeCysfIO5FRRlJTbWHwDLKXcB5EMFubSwc8DVtiOFYE8luqDd/OGwJqMCbXCu00Y3dUfHX1gH0d4CWWP6jbpNF/HdcJxiqfYbPcuXj99vDfL49Ozy/tIbi8eH2+7NqGLuC7+q5RtNdIqy7cnU8Y73XY3d77IPxq0WiHT6FpNkedDbtbiEyq1VVNMplWdV5GczZQKOzJXF2t6UlIU1PRyIq/aeSdoSTn4grWQwoZ9ilHhwuiYOKl6vqac7V0Qdzp2tJ8MWImkht+xUuWcQr1re2njU/aXitrsaH89actytXMjEgpc54uRiiboEyArlx/61pFAU72g25/DOgvWN0NLjYhOfPe5Zlj+Zc/oZy1LJ6q6hvh/WB5kCoEAQQcwZWg6ztBj1qXAWd6qeugyTC718LW5ib+/9IGokGDei6iPkQbRLFrrtuiw4TZVQPtgF7vctW7S0vuWVPU59B3E3ZK0nn9zR1q0oF7zm6y7wBItfNFgKnF/iailv+pFMJtzzSI6qj0EMVmVIHhUDNQUPQoeh73f8LRtYj8dJrLG/AoqazWmX6SilwcnrlRsaOvDmAibCnj13UAChfccJqT83+cQqFuZp7pNfejG9QOWMOCbgmkxSB0tWdyDDJfdPDxQ80FPF6MokJTNzjY0JwmRGhqKswvc91HDFMFWQnjrVj+AbdaNKyHQrQA1wnQl/vZ6YmOeTPfkKa+LLzhDVv8UJfypltTxOtwVpbzxgSoQcMq3IhRFiyoof+sBBIFuGbQLube7husRq2QpjPkFFiw3cZ1OJxtpfoQh9/wS2h6f9DAQ7OMaFZQYXiKjpKPxrWvZh/TORUzNmowda5DB2sjyTW3y/W90LF5oYBkX9qwGnnLngpzTK3q7McUvoc2XiRo2nNOOW14nhOGhibMkHUt10UWmxkBYVMedeigZalkqTg1LF88RL1Gu+dQghO2CIWrz21M3ffcriEwmGLCZ5WsdL5AaoZ3ApcHj6IO2THQkJQKcnI2IpRksrAbAMbQSvCPREtLJwkh/6gxS/MbutBoWm5e2fTGw+Tpfpy4L8aIsqaMJqwUVTtRs8pn2YPRNuHl2IIyThCs8YhkrGRgnybSyQyk7vwPVlmuW8EsVCdL96e9LZ7FJf3iOITm0ICqLq9MKyOFLGSlfctDwHv9dQDQd13DgZ4dnJ+uddJs7b3NaDqvbU2ISgyGZD039O7Wi1ftNTeaXX7T6VzLR9D09rdsoOJnKWc5I69fHzbw0ROYskwwZPxas8ILhKBAaihU7474vSMJZNHdrdprNv9Cwr4Hsk/ybyM0OH7TLD1jMkm5WQxVZOSQm0X/7ryRwijW6o8E4EhhuGBisMInp42CJ26yDnynUpk5OYBgCtoDZCWMWlxyLXtSlh8HdTgFOTl/C/nFHQgPD24Fa6jddCD1bughFTTrYsr357sHnBmTl6Cc9837WooZN1WG93VODXzoxtz+N1nJpVjZJ+svnycvtnb2nm+OyEpOzco+2dlNdjd3X23tkf9Z7QA5oBFn9b1mat3fxy0DJw3tC0eEoskBpTA5JTNFRZVTFZc2MnO2IClUdrBiZ6PQgrs3TdNoxF0b55QJdC1AtHwuMVJowlSdFO9F2/qGQvByUs4Xmts/0LA4Iqk/1nEc1qk0Fk/2QZTAsWt0ZWQBF+SMydCssWPdmEhtpFjP0s7eKDbjUgx50t7BDHcdtPVfD2+Da6Cj5mDqPWm/VmzS6oPedmR2YOh3Yq7WHvrQMst1X68pCx32rY7f5OTsesd+cXJ2/aIWPlvyVkHTAXDz5uDwNqhJwzJrks9w8K5eWDXTKV6QchErChPoX3l6cBH0b1fxgTvJrD6zkpSKX1PDyNGb39cimbd5VkCbyyXNyITmVKRwWiMHoVREycoe4haS7TpLuVRqw4NSCGIE2PG/YRSgBvsAqa7Th4uZT5PhWrkunW34zDwbh/bbSBwDFpli2WWf9PiIfd4gmHA2Z9pEk3oc4dwjWEhZsiyAXE280Bm2POoRO4oCcWE4p3FOpSIrUymTGUjwSSqLFcI1WYk+t6sIohfVBRdlDGu7QKUHlnJtNSrXdwd03JxfuTQe9BDqajrlH8OI8Aw0ktzf2MBH8AmrSa0l5ALDe4xE88BHXgRz9GSBXU4XxNCreldRJ86pNsTcSJLTCcs1qt9CGkgFwFpGdu0Xr490iNxdSWVSXa10b8waGQ2SMLK8hO3/AhTBplMGJezsrE5ycXv4jF28PloboUvkSsgb4W1hDbCIQ/3ImxsBRSWtyd6NhykwHeJpzxuGtXisMQTU832TDZDMbRRTb8RytAPfN8im0kwlw1JMrHfVOS8hcily4RA5vY1jUEFeHx2c2avgAFd8FIaKSWW1uzpWUJ4PtDgr5BOYwEsm3fCvZFrl+SNn/n4184td8KomdkkwHagRd/jV8wlThhxzoQ1rNd8H3IA19asRIDrUBqdAXORgzsTbyxE6h6HzJ4LdccMHsvUQKsI5oFIc7wRO1gViwNBXX7gR+A6EmRoZde2LIw8wFhgZlCBUSLEo+J9RcBqiMHx8j6WM+ZSMYRXQrU+5D3Z149BkMJViinvVjnYQUIO7dtcQX9mxj6juzex+FFIKmhbM2YXi8dTgr8bSzkM/coKFqLnoLjriaRR4Wssz7MuXRK5h/9XdTSj92x1Ho4l/w2BJ0FHq+KeMGuqAu6GapDLPWWqijuuNVpWhTeWUiwxpLVB+LmfakXyooennhrQU9LU/wA/GyjkrmKL5gGVYj/0cMevz8W0e/Gd8CjYMLOi+1qlCngHxgC6KLkvtS4UqBkn+Guuwjt2AcLIzybQVx7oS1h7dme5ubk4byBjkqPZUoQ3xD0JghABCjIFMNTVBa9CiVFxH/ExOMdlEyIw5c2FjybWHLmSqA8GAXJqxbnn3kLPaKSEbA+MyYwt6xTThpu7nH3PmWtK2dGoJ0jdYhYMhWIdqmykb9sBY3YKnVU4VwBuGZAU3vmRyO4LsVBrnNuaYWyKY62DAWP2CxnPZAAPiwmUD7XW8ZuSgxshvvKGpIWP7nrsu7O0BHy32QX6iPQWvs+cv2S6bTNkmZS/SnVcvt7MJezXd3Hq5Q7dePH85mext77ycvmhZjgaxXTYELU9s6NePuBNgqxWmJ3pehDKr7mTCPQyJOY5eaJ7LG9z+jGuj+KSKI8fdGC4FQFWQFBFMmFDot3n1o0HCR1toQyFBFyxd9QkRwcgegX+C36ZUwwqOrdLGU5cR0zhFXgpod8ZP80qbTrt7K3v+yKjRfYOg5uguOKifXIYqAuFRu5HjWl7BLK6pPRiA7rj6dJeuWLyOdXfcmkQkMzaoA8VTEw0kAVO2+ExECeZGIi8KpGRH8C97ruilYfsbHNMooDSusAFpteDEx7SjUbQJfumBLdb+j4mvmR0GdddJgMynmPnRlqOlFkuOQOhSVAsA+yzueRRd2CRUR4OJBcFO71O1GidZMi1WV2upa06vmfempqw0uLgwG0IMKPbClQPS5StFDWeipA8JJ5qLWcX1POxafSjhSNv7glRl46p395zUFlQSS9GuzoLDi2DaW6wDS6iHb3GhJtXUDMZTzxpZR64QcOwWVVCBIWma9YgJfr71TfdPqzm0jlI6H9WTi3nCOH5rrU3pfqCcexB5fcTzg+8JeDGiGggLBh23R55tyAnhho4Ec7+SaJJjv0EnUxxEqjAGVawFXfuE3sJ6b7zkNG5w1fE9XLexHb3xtI+zI39vFsbzGxKC8hq6RXdXah5sJMmlvCLUXkmYiccMNkNp6RZRLb7A3bvYeJ5sJzuxngWxew01q/7mDi0Ln7o/ktMHB2JPA3AObTRFwuZIUcjmPcGasfvMRWx+kyGFLjjyKaTwKaTwKaTwGwkpxDPpK0zVjOQrxhUiSE9xhU9xhY8D0lNc4fI4e4orfIor/K7iCuGy+O7iCh3UZMi4Qne13xNPR3MXhFafWhlC7Xpj6qJUNmIUBWVLzL75GMNb0ZF8Jj6+wRjD5YW6Lxho2EPzXz3QMBY1nwINnwINnwINnwINnwINnwIN2wT3FGj4FGj4FGj4FGj4LbO0zw40hJ4pCIxzgF3U39zhAHP9HiwN5lRrPl34yCVs8g5lNmmaSqwsA/WrcC5i6EcpZOFNRv7itzC/4UYxcnBx8X8O/51MFS0YFOXtDT6E+hpSwTqbgLjZQTWiobYqV6GKJ+h+bsyTo/MROf35p99GUPVyzQc0hA7iHlz0lOAaEgNdxZO/ARS+erMbMS5WavUPJ+yFslRufxw2UA9d4UVJU7Oy1pyFpXMg6uRvXv2q1x5qRvv5XA1bLkCXAXGNpnMoBBUqQYINzYDb1dM5TDWCHUpTWZQ51xhlNJM09+BFVUSFPfpWt0Yf68raA/yOYUu/AI92+A1TBu/+tFJQQSgUz0SbrSefhhiL+wy/h80IMZHMqs4Q5we7RX4KU7mxeMOuTLzMHnqLQcAVlM0Ss1CClTAr4GMTCkO4mFn9FRvOS0UUM0rqEiXnPAKWzma4PF91p3Xy35xcvDt2R6upfCEpD3bDW3rmqF4jMhvU6HH3D1c821dbijlBWOQbahT/SC5wnGbx01HctSghz9jHJNS5o8bQ9Cop7JhQ5w4h0RsXB5ubO5sbYYK1NtbwgT58fSFJI8S1LI+7Gl0xN/3yuEOW1oe7oYtBXsDp9PUgK5V/pxh80Ai1vOEvjS9xpANTbOIV97n/VIf1PjpePTB642Jr59Wru861/f0WtP1FtN1GEPR3uk23ix237N3X4SxLY7chWwzEXJbH7oPGCLh2ZfK8tuBqxD6kMxz9/9n71t5GcmPt7/kVhPfD2gdSW5Lv+2JP4JHsXb+xZ3xGnt3gBIlMdVMS162mhmRLdn79AYuXZl90a1szk8ECQbBjNYtksVgsFqueAtRsH9YxZ9iPWJgKe/HPMGgt4COiUpB4BDYZhUpKAEoZvyA8ZxTw95sRmcmJA+jMDDY9hOfgpHVhjXXCpTbUdOXXLWrThXQ22Vklhr6u4kWTCIxIg7aqu9RiFqXc/dmE4HosLSm82/7gqtv79WrwsX85+P3m4dfB5VV/0O6cD7rvuoP+r5edk9O/rNEwbuYawcLj3Y64cH9117Q16ITESdTEMUtIbtUYBNc7pHszNnCVO9GHO5COqpymGtezSZ7DOBV0DgrysTylQTjBNHlEgiah8Xj7JYqQfibQOWAOMjKmohync3dzEwQbFxJZNpIdsfjSFvDxee11XoqOz3E/u9pMIBpz+VrUWoMs4NmuApbm/SOfPDaiXMicWNhMmIkLKKuo6JBbmWa9hZpgMQmm0cmO1qebU1DJmPAZVydiBsF81ztBEYVrIhuh3tVHt4z5CG9IyNtg51zrrApBhSRJaF6TNOgu+B11gaeGd5a5R6lsUbRnMKukmM5mhEMWCvCruEVa12en3bPrTvfk5N1176x3fnX+7vz6+N31u+tW9+KqW2dNxAS3v9qi9H+9bP/Hr8rF1dHFUe/iqH10fn5+3uucn3dOT7ud3kX7pNM+7rV77W736l3nsubqZCfOV1mfzslp9Qo5Hno5Ba9foYyqXqm32Ten52fXp6enl62T46vr9tll6/yqc91pn3auLt8dd991W73O6clVu3d2fnby7urs+N31Ufes3eleXnR6l9cbl6Ywc6RCpDszeXpZjpYtPqns/XT4Bwnd07oegf0XWHKV55GBli6tUpGB3fc/37309BPYR8Yk6l420IdPP98kI46F5GkIvtUHgqcN1Ov+PH2xgSO97s82jmFzBv6Bj3Z1jptHIUgtzsLzdb8m71QZ1RO20DGaM8KVsCkh6/dvDzNDG6EJTiIxwU/lN9HomJwM2+fR6fDkJDxrd8465xdHnU47vDgd4s7xtvKUMDnAI7mRSC2rpd/Dkhw+0CnxjWUo2WvwzHNWgUAJg3gmYjZrpLayvzcr6v//2Gl12s2W+t9Dq/UT/C9otVr/u3HNWW++Q0j9/IITNrbRxpNtX5y13mKyGtHtjYMHCuXqBEMhjmOlLhPUf39jtKokcZyDy9dvIxMmZGLq+5UrgxjuUYGwrnFlHq7MrSpAvysee1pbfZkr3FIofjwmiu0zapKE/Jg8kyZUYv5isQhMxl4Qsm0ZrlXl11TPJYWcKWLHlrUKefpiK3R++PRzL1dP5630sEhn+vFmoK/Uu0qFc7cr00217ZC7y+u/TEgcs6X3liW3+c7J6eCX7p26zR+dH1d8fdXtbfD9j0EQbL7ZU14sRL1rJ4jqMSvDAk+VkP2uedzQutDURqwK7BEknHVOTvnGlWeIkHgYg+BvMNMhYzHBSdWE3umf0CjGuWnRkXV2oYSMmaRa2hcY4uJCIsQojRFOvJx2jhMB9a2MTy1BJAn5C1Tmk2mSkHjji2xCnuXAute+6FI6n54uraPHTaIA3RO9sKaYsBckCfmFl+8vswrr+9aPqZQnxYkuZYWFoONEaQ5xKGPRhJkoa17NoanpLv0heJ7IafwDjmdJ046xSSNxULhfmVr7mfkeswW8LIuy1KlRHq4tDeTHSYt0ulOBo6LgiAWBM/1C+ETm60q0p0u1LUjpxmJmUGe/Sa+hGdu2XsPylL6W13DZSHZ9ru3Aa+ivRa01+Ka9hma4343X0K7Wf7LX0F+T78Nr+DVX5a29hoXV+U68hhuukH9Z/4/zGpo57tRr2N/KP1jyC2ZHhYeJ/xX8g6b7P/DRzq6i1Q5CU+XzrRyERxfHx8dtPDw9OTs5Jp1O62zYJu3h8cnZ8Oj0uB1tyY+3cBA+0Km6wE1nJX+ZcQ59Cw5Cb76vdhBuO+Ev7iA0k92tv6q/sWeqoJIrVIC6WdqdHYRsuhMVsNv6tu9TwAnJ5Snak2qGubD4Y+rvjNMxTXBs7rcVEhB0Nl5s08muHQzvAdiT/ptE+hIOp5/zL4C70p/muinKddX8XTwUx6FNfrQxUd6flsdF9TKQUUukGrMWwpj+Taw+xvpKw1k6nrDU7h6MpjTkzCEs83BCJdGSieNYXWzUFXhOySK7WWUB/2YTeANHXuoE4uRzStSNtZkJia3euyBD+7u9Po04S2STJFEBG6+ppvM5JVwdPFA+38wjw2wY4vDJb7lFPJYa/Q6DXpeDI+uOs3yqS/0XPVyRzc0kyOiM3KzwsLkrD4k6dZBkY6KsP7AMHcksk0/ndVmGq4M41ovnAU9KwpvGq0M8TpZSao+Ho4vO6Ojk7Gx4dBzhU3wUkovORdQiLXJ8dnRaZK8rlfx1mOy6L7Da/t3mY9ukf4dTAzkZU4JFyg1sAyT4OGBnkXpPQcqCdvyFaEVzLpTY12qNWqdnGLeG+KLVGZ55WiHlsa8RPn28XaMNPn28tfGPFlrUvFGAkxv2KZHElLmHjffp461oQBik+dJqLMWDISeQlI0itkiUSDAkwgmZkoZDPphhOTHtGbJ+vE022m4zXo2xbbPYeNzIcsPzz2N7eZxbwabEIM1i4OcUv+hgXeMgv7lXsz1ULFR81em08UsDJIKl0qEKOqo6g//GvPop2jqF38Ok0UicY2aRNx7N054BESwJTcULn3tmsJ7oXbH2YWKCbG0+pzBuMKWcbOcVZoDZDY4tKY8LKKoFElRojE5BAOecSuPxbKhVTJhUqpC/QPz0BPZbvn2BeEwwJBHOCKcsQtNUSCAyVLoujNOIRBUwC/qODB8PCdqbJeO9zM+hmu8F6m/lFZqZE9BLWhtPM3CYN1+Ve8alB5aqmAJXHi1OPzx68i/ZbK/AnMcfHvWlJQ9BYQddyL4dpfEbGmBfLbfhZqSz+JUKhGRIOlVb2iREQmH3VJBsw754vhIAA83uODRBj0qeFb1HeDsE3wtseANwLhAn6nYEpr66JHN7d7AGTx631Ee9qQi3z2uAn46Pjw41Ou9fP/+cQ+v9QbJZbvXshvwOVvDHT8mURYAUn+kZEH2BBCFJjrNlxC+vjELi0EenLKGSKXNeawA2hJM7cofBkChVYwSnofHIsfBFAcNjK+A0axqqKWQQSJKgP1KAEsoujqC71DlaxGhxkuOydF0zRxaDpb/Awg20kTvnK4uB1BIiRW3Jzzn5mmEhPKl583c5Q75wqwgKY5C7glC4x3JS6NvTrYZBe4Xh7ACpzEfIKo3j+PiopDmOj49yg1JXqJddGgnQgRFih7kI49W/mHfvqjn4dvReQdhKZ9df4eyC97zId0D4vQAGvzbonNWSMNUWdqiXqKZ9d97YbZkarmO1oL9hKt1XDa8zPVltpjiKGkgpQWQ6k9l4YOj6y0fTugAgn6v4gIZELgjJhzDIBdO2auGA/troaEoF/wmN9u1Ao+lL266EoA/Ul+tEOG32CueuzoJ8/KnS7tTjXXJu5f0Jf4K+oT9B32qBvu0wpPiTIV9ho/gjyDl37L/XVOUDx12xYkQOQ8lVjYBPtXkLmbNkjt39wvgZ8lUkTJKtkg8ooQPl6QAI2wfEVX+hRJgT1SJJoSkDtBqsXcQ0stdk64jCCcIQ72MMbjithecfnm4BAfPd4vV9Tai+P1H6KlH6vneAvv8AbL6vDcv3JyLfWkS+rw7G9ycOnzYqBnhs3YieaYGyv25gYGga1szI6tCyKTGAeGjI2cJ7Q/TR9V6Mo0tM2AIp5ZXA8659VYbyZSGbKuPQ3dXNq3rqhmrvyVvYBMQVovwCWsL0VlwSej+xBZqWC+ZOBpSxrjSoPh5hTnOD+uadwAU94MnHICcfxbnesX/TOMaHJ0EL7evV+H+oe//JrAz60EftzqCtLzd3OFR/+PsBupzNYvI7Gf6NysPT1knQDtonbnj7f/v14e62odv8QsIndoBMcbrDdidooTs2pDE5bJ9ctY/PDbsPT1vHJk/DMV0EIzyl8a68bh/6SNNH+/ZOxEk0wbKBIjKkOGmgESdkKKIGWtAkYgtxUE7OhS9L4/4+nnw+zAjHHlCitQ3hNmLjc13oLYcyKUvKOmnRuWN/4DkpcuuJ8ITsyowvzUH35oatQw/wYtkOOQ6Og1az3e40xyQhnIbF0X8nV4Ala22f6b2VXra4fy9yxlqnX2plbX9mP4ckkUw0UDpME5mu2sOYL2hpD+82NLA0+E3lsd0K2kVNuduhFgqLrjg5lXb37Kt5bDSjsax+u718v4lNpb7LF+fUHn5XeP681Qnan5HE431x4Nf5tF4ULLT7CwtEkzHEjCjTnOj/BPpYCBbqbDpdzjmxT4JwX4ALhZq1gxj26p7qzkwlZIf+Zb57r19GAzX7qllwEjIeKXI0GcdmthKPAWoWnlBTCESA5EG7eF456c9NmjQ/I5KEeCZSPUrRMNedqpGh3GunK8VlSPvAuNg96wqSCMYNEvH/EvLUQL9TTsQE86cDeLMEKFyDx2srK3M8GtGwxAmaJIQvXVVNAumPzOSyBRZo37rSDFXzW37+B0smuXp6OVDqbWe5Yno5TAIIyrHvVOomGkXUSJYdT05WoAxSpMOlDTskHo9BFxiSH4Y2y8MTbiu9gS/lJpe3Qv7s54akk23/Ogvx625XmFBKewmOqAg5gUt3cYcZmjACj96ydfHKN5naTQ19o/OrPG1xtdmZcwYmdNPTlqIBojZx7I77ZX39lzUH8Re4+XyYacBGPQO4Mm8zB5ZKQSOyeiJO66dxQjge0tiWKLTqv/TD8nNAHQM5Qhs48XFF16jk0beJ+3N3gG2EO2mA5He0Prly6sYgUPrcjyiHicgSXzC87jjscQvYb0JvrEnUdPt7f+T7QHtwfVF99T/1rw7Uf4CZi2P40BHNGmCJh3AScXRt9u1B7u0twwb4nOL4RYxTzKNA/3cQsunh5wUZTkg8OxyxAUSQxYdPCVvEJBoTRfowN8GBxWUlIpjI6T/+Bwi5geWZkX37z4PK6CAbmmifV8qvXz/+Y8/Oa++fW8DvVIDP7wIIN9+RSyrJcUGEjGeWZW5xsku6H9QEyUiA4BDOhTgsgdZ2f+v3N+WEN+Jv9lZU4mqh/mqZpbD5zJkl3BGOYzgN/d6qWi/ZHuGcePi/oMMOR/gziHn8QzgnA3hNHHiDE4OQEyxJ9I8uFMpw3fq6lRJ9Fl89z5hQmqP725U/w3+W1vcmQVMcfugjnQaHOkG7E5w2/DCePDtMoODH++4WWfgkSadw6dnpBrFa1HtB8WBrqFixNOXNUbVEFbvjalMW7BgdXs/YqIb9m96BDZwwFeVnWdRz9WGJ9AN2gG78N2dTg77YgSFq36fKfC2eHpuK/mKC5YCKgdoCNDowsl6UcUe9JOs3vX9WrFGz02pfNFutVmsLOJjdIptfIk5sDdFlCiZnPxttozNIplTSsb7+OF7YxXDSHxXWpciY6hUJx7Q5pIn6K7jzwjH9q/qPnx0fT9vtLdioBG+wU+E3t0jGkQhxUi2qpcmrmbRb7fNgG6FQ9BPCgzlJIrarDPuHfLnu0gEPQ0B6CGXccZLgYbzGXPcnxDgJlOW1wWRGMcOVxdh/7CsyOhyG42Rsnr5aQUtZ3O1W0NLORPhPiz01IWjKhESCzAn3Y83fKRNTGIpM3T6VxSYEEWIKb22gtWcxo9IyZUokp6FA+xpaH83hKT9LP9Fh3s9QqHzG6ZzGZExMMpd5JZaE66y2g4appJJR9d98FQ1HVzUbcyALZbh01ASM6cCkeoVsRpYYARXmlzXVQXSbkcHiOyhZqifByXZLTJI55QzwuTZ6yvpCa33lD2vdouPkBbkkBpASs0INVGeF4EGWcgKYZd/AEkkynTH+La3OgxnRuoWBt58plqlmtGJpZCD1YBaN3Hlt1yp8u32xIYd36yuHi/x7bL0tOa3trs7773/rHWSHvboaU4klnfvIKHPCQT5x8kSTMbio927ZYq+B9u5IRNPpnpbmvV/peLIHS6CuaWjeUYvq1KejCJIgig5IDcHg+pLQVUbrKGiZyNwX8CFGZESTfCKXopB9nFsjT4rgCyoQWySAGxuhKU7wWPuerm8+9h+CD3zcQDdJGKB9+INSnuhTv6lBUhIGqIAj6l21+BgnrlzLYsKUMqDCJkNKhiYknoHeB4+6ICEIp7JsQU8o62vGEr9EDMFTgXDImdCG84LxOFoiosk8ChIqZDBmc/BZNI0qAnEtKwP9OLKZqJol2aF14Va90sKAoFbFPVAU9hC05V94FgqB1FnKOJVmIRAnY6zrT3oqoB4HS0a86iZ0XVdysakY8hMa6nKaOAknjOt/NkN7ZTb+yHf6mxxn/htod23OiylHOYSihubpwkZFwlaKY5MtpxYDnHBV3kP9WmaRkFcsX24sv1rkZLNC5s0tR3kIJSvplPzbxtFYwjimLs1uhuXkJ+PyLHw8pWN9Jf8JSZ6SPHU9lxxZ5sPH6H8M1s7kvzM9YDkLFhecAuOUAzt1Z1XzKzGtPDfFW/+7ldMCopWrUSZcuXQrqSsGC4DbCGgiJM6uj2v5BADjui2ybRGNrFCHMUujTH676p/2GOFqk+IIS1wt0nfmV20LhLmmcN/MngFwFA3gg4Elqb4MiRD6rmElPDdraBDMOFMSkYXHZgne+pfm82r58EO0TBO1z36BZA09Y33dqeicTvGYVHSNp7SJh2HU7hxVasOs9xtFAd303DVa88kuhZHNH9ClEhP4iMWRv0vsgBTjAscSYPIaOav8eKWceX3YAWZX7NXduAm577fuaYOtU+hr0/3j9TbF4YQmBBTMRp2ZBoHXYNO+/FvBYANturrVpr0aGd904Ur7a9N+OBlnRu/qPnKfVtK3+ihi4RPIqlFIPfvviu2lf0NCYnhCjmONkwPaSP+m9rWYMC4H+ljI7CJ7iuv+mk4ZLTlt3bBQxeNevklOieijya+UXs0sj2HVTSqZtqQrpXG27w00nbehtuy10HKzTut3Z1I10Q/o4UPvgzJsFso6n2IAKRbkr6Wx5KwMtNrSQMv1OXI6XQ8hsJKrzvNMbn/V/6ogcpOMmC+t5lhQzZHVNZ6Aqr9Xiqc5N666fT8ChtqYj4CEIniZGvT4H8wTLjb1zNXVJ2tZSLVgDiJmuaQvX5pcPkQ1tPk69o4yjsBDUbbs5X6ZCIYpjctdllfUnd577fNeu3Wxt9lwPvQR9OC7zasHErKIVO6DVWMRkhMZTjYfjO1FJ1QlL04Cn9Ih4QmR8I5h5PBv/t8q6Ga/O2Mvb7llRJEvhau1atZorWbNDXq1zBU5PmNRtdrZajN7HJgxXRClvLiqq7RCh9ft6Z5F6NNNr9yR+n8xw+HbTSqjWO6MRSWV/8rObLR2uTOjLv/r1YrZ+3kwxbMZTcbm273/2nAXeSM2B8kUz8pDhqwr/Rr2zY3bG1v14DmBwimCyLdd4ozukoWOyCxmLwBa9aYdZ3SXdKwMQTJK4zefskd4Sddr7KC6HTuya7utNvpe36+maw4Yo8uz0+Xe/aGCrvkxO1fcpbbqHMhoo60OAfK8qdlpegjIMwlT6b1mogrT08z4DxazJ4qbOJUsogIeKrLp/3/9K+qZX16Q/x3ybt5rvScVpPxT2IzDkVzmFTTfBdrFlH+X2MKlZsPzTTgGG7kBeEH61X3SVa7kJd1d4XBicg41jKALDjEF3wxeBqGA6ebifE25LSExl+ks59NEGrBmquNSnFNQGphkPCVSTYybtypYNyLBJNewCvAH9c+GCX6AoYGHG8cAGCK00/vmvmFdSyDuNGpAFjE8XuWGBK5uKYAz1Sw0sbIzzqI0lNszEqL53N41ZJSZ6Oa2qtva4pLr9kfh8k72vZ4P1nTtBT5s2bNua1mdTd+TBYF4miS6cFX1OCzQ69a9f/p4a6D21VUFujPSCiNZxfQw5ZtXgMp6/d1BG9r5LbBwIm6ulDiVE5JIF9OpYeisWlvQJGbjTJHt/Q5/GBIs96q1lQEmcdnCv+vEJ3QFLxW3bLzUixuzcTCiMQk8RLgqHptX81X5ZHnO++8YgDua4Qzq+lfY+IIg5SCbIfJKQ3EDSWoxZE1udYICMpfPQLbweqBfPArJu0pjLziVxJwea8fO8QL9/e42QxPMhd7qSbAhCLKZhGF4obSVwyeEjJDsHUnRKmSDCQsvbN/mDcVMC9ulRJf3N2j/DnDI2Ui6tf6NCnU7TCKUkAXhB0EBI9GHKLCAruoAM49q+onWBEvrcCL4WRAJY3o0bQbP01jzMSsAhUVJi7NZBsmQQHrLnEYpto9nSuzyKHXr+A0lqgCvAXwynKXDmIgJY9LHR5qlfMYEERo+Dg5wi5aut4ifAeEJnVMK0xn2cUvNg7lPSA0UwOfwOGEa/X4Yk2nxHcttYlRpMC2Rvss4dilFNn7fjKG0p/33eTSBGA5P7Kq8QHhGPaMq29LerlgxNrtSbgVBEiH6Nss0wpEBdAoZj/QqOJT9LDUpR3NvQROgGbPxnvO4laeremMc7dlvxzTJvs9RdG3UJ6qdJ2t2FqVvQC1FRNBxYrS0HUJfZ0N1Wq2jHBnvk06r1SrvaQC1zu3PhifRZgo5kjRf7UJrSjuoAH0okIOkKQy2ku07R86Mo7GCo3pfRYG/G5R5NcUylzVoRUPZC8IYfrD+DECAFb+sunbTExWOOBxKOqfyZbCRv6b62FkjpJdoHLMhJJ2lJXCdYmUeqWudcjABzdhAbnMkTSYcNFbbDuDcoKADhEuAeeF1Ap/4eH35ayfKeqq6NerolcGGd9W629g/oF3EDExQ5wNBxQxvK0NdZl2kq3g2OQ4pMVjoYBBTQwt6UdpVg3Xq0/Ix/8b+WMEFIDcwr9t5Fmzr2aklQ07RZXlUajDFQ9VWS0RZtUQlEDlSgCcEU3mEy8sLS0FAQjyT+oqkeQeHDEusfS50nE2OlGRV6sTdmCDY6zFj3SP0oxgaoUf4qv3YyI8N/tp59CoUNNCQhFjt6UzRez1AYmmiadIkLwKYxxSClM0E2MgZRlutsH9Qrl0nU2QFHk3I8wSnApC9AH2Rjfyhu91rEnNzhCxf9U4P0LsXNMFzY40JkmUj6vPWGAOSTGexhm0keU3pY9XSBEVYTIYM80iYWDh4SmrGBHO4+fzBhl5GX9mh4nPuMnd7uMfhEx6T90UVs1xjZJTe0QTzlxrNZAxPrp8E4TfJLJUPtE7vjMk7FtVr+JA9+G/RMKVx9FuhxuOmjbvKOEy251aXcZ6C8F5CqHlf+sVZN6bCCSz3JxnWYnavlKW3TVuZoS5u02xOw3qCmTW9Jcm4oFA3J1CTU6qpkZI7/EdBB29PgiZ1SHA6r8k71ZK/smldtqtffsPby8pVIvlLl6WJ3L7ps+T4JhmxrVteYxqnvB6XvbY1eXVNY1JXF13TBMdKkaRi67a/FE7XzVrdRDG5mc5iSJzAtdSIIgHKr94630xnhAuWQOe3ZE62l7IbmxdSs/nsUuPC1mh5n5U42LzZ38hLTeG6xUKqY/IXxqJajfuTVEZskdQjMH2NVXLLxiz5Jf+gv0XLm5rtzItY/SHXMknggKmrBu7wM52m0/usZuE94SGpsbnuADu31tx1036N5bqjyVsNX1N6mHAmZfwaMvUX4z1ZGBGqIYFZ41pr8J4sdJWBWtvmPVnUspTes6k6h64B4zQJtzeN38ML5tbNPsTRK2b7IY5qzfaDeVVQ53atRbrHNRS5tzleefzeczKnLBWvvUlYOjUbmzzcWyq235/199drNpdpW2/5TNsacnqfe2feol2K6xlY9ym+ZzENX2rw939GtW3ZjwSLGs1AA+C6nfbhMvwuZuHTg4/msnF7DdZcS55M29pDN5aZ9ibUMjosCXgK6NZxwVgKdRePjhMsU16jY9uy5u2nD08p2zeTmNfzctVz99SdnWSzeqPUddx1Wdh6Uq0p1DXBTfNPoqYV6rWvY4o+9GuM+QHzMXkNzzSBWr4L3bT+VclrX3vm+mH0FTOvvdpZ81qLDXWdcNwnkDteZ/7siSRXMZnj2jr4geNETKmUJDIHwvbbvS4D6h49vzP+JGqan/r9qV6zTr1mR/WaHddrdlKv2Wm9Zmf1mp2vbPaXYhv9SLflU32dcJLs8VwHjehKbLQcBmPQs/zYoIrHRTM8sdW4t3wetn3ksHYNWuOLhzhaGlw4wUmScz/u9G1f92aD7WhowhUMKrANxgv8Cng0r4pY4qgpyl6goXlsjtlYPNq0OUDjSGy4ZxYTVsEJPYbdypeZ500vH08Ws3EuSgmgZxxTuNLLeR3nochC44yFJg67rR/RGYR/6p+0bOjfC0anAJ+JpDiOX2wF1QJBTnA4MSEqU+3pM+uz3/nXUedfOXo2bqoc16QG1fnX6fG/VsdWHeQjA2CxybMsjAkqDg4JalWuZowliQbfYoiPHZNaRtgEOXIhSyRnMWwGqc7lEeEcNnRgZAhmZsOAFlDlXE6IqQMoJ4UN44cCQf+Uo0ePLY++vqtIVpyF+TvZm+su3UMxmkErLPSAxZMWZf0VpKU6HG+j6armq7MhYmbCmg1VPIOUJB0PaiJ+eSEeOEctZuMxiSr4YvMrBuPNsv2+jGg5PA74UQ++tJWWnQU27WVWMSGv3PWrFtv0MaCuxnA3porxJrDxY5pIOiXWV7WK8cluY9IqDndPUaP9ojgx7qpmKeZXSJGnVg8qJiaxeNrlPlP0v+1dptNDDNi57tZkNZVPkn2WoBkn+Ri0vKVQDIEFQFpznGoTzobPrdgMcgIWyfZbokTRhd6VKH3ZKEL0+ihCL6yvgnWmgKFVVK+S6awuWrPdPGl22s2jk+P28VHronPe7LRO2mftdqfdaraPLtpH58dHpxfNdganugFLrPxk+GyZht3v3/QOXGZWGLI0ka50i4m3LWhXKkrqFWmggnyEf8IAAI7Fc70v+jc9sOqAhQ19noNRmxWALERLwg+6UqgJmdR/Ujx+tCGC1kRi+nKfGcteBQJvjC8sRS4p0RtwNlq1nfo3PdFAnMwpWZj9P0ajQlxRqOPrhTZyTPEAk59g6gMsE50NFfuKhS3X2ssvWvVC5QZRKNq9A31sqry6ygpLBMwb6/LSsrmhy7wL6O0PEgNyvn7AFSOcl9w9rzEwHrwScFkKqhPwH02QLDV3PgOeRYS7fngQWibjzaZ0ZDlvt2SMw1yKjk0bXpb+pj8gAmn4SJZLKjsNng3gNqO6IoiXE2SB4oHWPKt9lbUPPIAWnflrKNAkIs9ZFPBiYi6Njy5jOTgdSDY4C3RKlcmcAscGkUuuydXJw3I9JJbOOQqyNJ+VYFHla9o6uqUGK+lXJTKs6aGqyco+Cv6pNeQLX6+kXPAgraFc+Hol5ZiNt2FJzlm0Bv1LCDwmA8I5W4c+B98EpsUmxI2rJvEjNtYMvejdWUN/mfNgbS/LGq7sL3fHXtNF7tuVVKtuqGuIVzVZ14e5zm3cQeGKuZK8voNtIaFVl8PVeJnZpWsNae/L1RThwrA1R4r3jJV9VFvYy3qyXVW3Wt9RzhRaM51yg/X0Nz9Nip+vpF0FUrCUcv7jlXSfp/E6hVaV+V2k+X8BAAD//5Sx9Ts=" } diff --git a/x-pack/functionbeat/docs/fields.asciidoc b/x-pack/functionbeat/docs/fields.asciidoc index 06eae873c2b0..06912ba9e887 100644 --- a/x-pack/functionbeat/docs/fields.asciidoc +++ b/x-pack/functionbeat/docs/fields.asciidoc @@ -251,7 +251,7 @@ Example: `docker` and `k8s` labels. type: object -example: { "application": "foo-bar", "env": "production" } +example: {"application": "foo-bar", "env": "production"} -- @@ -706,7 +706,7 @@ type: keyword *`client.user.id`*:: + -- -One or multiple unique identifiers of the user. +Unique identifiers of the user. type: keyword @@ -812,6 +812,70 @@ example: us-east-1 -- +[float] +=== code_signature + +These fields contain information about binary code signatures. + + +*`code_signature.exists`*:: ++ +-- +Boolean to capture if a signature is present. + +type: boolean + +example: true + +-- + +*`code_signature.status`*:: ++ +-- +Additional information about the certificate status. +This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. + +type: keyword + +example: ERROR_UNTRUSTED_ROOT + +-- + +*`code_signature.subject_name`*:: ++ +-- +Subject name of the code signer + +type: keyword + +example: Microsoft Corporation + +-- + +*`code_signature.trusted`*:: ++ +-- +Stores the trust status of the certificate chain. +Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. + +type: boolean + +example: true + +-- + +*`code_signature.valid`*:: ++ +-- +Boolean to capture if the digital signature is verified against the binary content. +Leave unpopulated if a certificate was unchecked. + +type: boolean + +example: true + +-- + [float] === container @@ -840,7 +904,7 @@ type: keyword *`container.image.tag`*:: + -- -Container image tag. +Container image tags. type: keyword @@ -1199,7 +1263,7 @@ type: keyword *`destination.user.id`*:: + -- -One or multiple unique identifiers of the user. +Unique identifiers of the user. type: keyword @@ -1223,6 +1287,189 @@ type: text -- +[float] +=== dll + +These fields contain information about code libraries dynamically loaded into processes. + +Many operating systems refer to "shared code libraries" with different names, but this field set refers to all of the following: +* Dynamic-link library (`.dll`) commonly used on Windows +* Shared Object (`.so`) commonly used on Unix-like operating systems +* Dynamic library (`.dylib`) commonly used on macOS + + +*`dll.code_signature.exists`*:: ++ +-- +Boolean to capture if a signature is present. + +type: boolean + +example: true + +-- + +*`dll.code_signature.status`*:: ++ +-- +Additional information about the certificate status. +This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. + +type: keyword + +example: ERROR_UNTRUSTED_ROOT + +-- + +*`dll.code_signature.subject_name`*:: ++ +-- +Subject name of the code signer + +type: keyword + +example: Microsoft Corporation + +-- + +*`dll.code_signature.trusted`*:: ++ +-- +Stores the trust status of the certificate chain. +Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. + +type: boolean + +example: true + +-- + +*`dll.code_signature.valid`*:: ++ +-- +Boolean to capture if the digital signature is verified against the binary content. +Leave unpopulated if a certificate was unchecked. + +type: boolean + +example: true + +-- + +*`dll.hash.md5`*:: ++ +-- +MD5 hash. + +type: keyword + +-- + +*`dll.hash.sha1`*:: ++ +-- +SHA1 hash. + +type: keyword + +-- + +*`dll.hash.sha256`*:: ++ +-- +SHA256 hash. + +type: keyword + +-- + +*`dll.hash.sha512`*:: ++ +-- +SHA512 hash. + +type: keyword + +-- + +*`dll.name`*:: ++ +-- +Name of the library. +This generally maps to the name of the file on disk. + +type: keyword + +example: kernel32.dll + +-- + +*`dll.path`*:: ++ +-- +Full file path of the library. + +type: keyword + +example: C:\Windows\System32\kernel32.dll + +-- + +*`dll.pe.company`*:: ++ +-- +Internal company name of the file, provided at compile-time. + +type: keyword + +example: Microsoft Corporation + +-- + +*`dll.pe.description`*:: ++ +-- +Internal description of the file, provided at compile-time. + +type: keyword + +example: Paint + +-- + +*`dll.pe.file_version`*:: ++ +-- +Internal version of the file, provided at compile-time. + +type: keyword + +example: 6.3.9600.17415 + +-- + +*`dll.pe.original_file_name`*:: ++ +-- +Internal name of the file, provided at compile-time. + +type: keyword + +example: MSPAINT.EXE + +-- + +*`dll.pe.product`*:: ++ +-- +Internal product name of the file, provided at compile-time. + +type: keyword + +example: Microsoft® Windows® Operating System + +-- + [float] === dns @@ -1524,7 +1771,7 @@ example: java.lang.NullPointerException === event The event fields are used for context information about the log or metric event itself. -A log is defined as an event containing details of something that happened. Log events must include the time at which the thing happened. Examples of log events include a process starting on a host, a network packet being sent from a source to a destination, or a network connection between a client and a server being initiated or closed. A metric is defined as an event containing one or more numerical or categorical measurements and the time at which the measurement was taken. Examples of metric events include memory pressure measured on a host, or vulnerabilities measured on a scanned host. +A log is defined as an event containing details of something that happened. Log events must include the time at which the thing happened. Examples of log events include a process starting on a host, a network packet being sent from a source to a destination, or a network connection between a client and a server being initiated or closed. A metric is defined as an event containing one or more numerical measurements and the time at which the measurement was taken. Examples of metric events include memory pressure measured on a host and device temperature. See the `event.kind` definition in this section for additional details about metric and state events. *`event.action`*:: @@ -1574,7 +1821,7 @@ In case the two timestamps are identical, @timestamp should be used. type: date -example: 2016-05-23 08:05:34.857000 +example: 2016-05-23T08:05:34.857Z -- @@ -1643,7 +1890,7 @@ In normal conditions, assuming no tampering, the timestamps should chronological type: date -example: 2016-05-23 08:05:35.101000 +example: 2016-05-23T08:05:35.101Z -- @@ -1688,7 +1935,10 @@ example: Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0&# + -- This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. -`event.outcome` simply denotes whether the event represent a success or a failure. Note that not all events will have an associated outcome. For example, this field is generally not populated for metric events or events with `event.type:info`. +`event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. +Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. +Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. +Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. type: keyword @@ -1708,6 +1958,18 @@ example: kernel -- +*`event.reference`*:: ++ +-- +Reference URL linking to additional information about this event. +This URL links to a static definition of the this event. Alert events, indicated by `event.kind:alert`, are a common use case for this field. + +type: keyword + +example: https://system.vendor.com/event/#0001234 + +-- + *`event.risk_score`*:: + -- @@ -1731,7 +1993,7 @@ type: float + -- Sequence number of the event. -The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regarless of the timestamp precision. +The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regardless of the timestamp precision. type: long @@ -1784,6 +2046,18 @@ type: keyword -- +*`event.url`*:: ++ +-- +URL linking to an external system to continue investigation of this event. +This URL links to another system where in-depth investigation of the specific occurence of this event can take place. Alert events, indicated by `event.kind:alert`, are a common use case for this field. + +type: keyword + +example: https://mysystem.mydomain.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe + +-- + [float] === file @@ -1813,6 +2087,64 @@ example: ["readonly", "system"] -- +*`file.code_signature.exists`*:: ++ +-- +Boolean to capture if a signature is present. + +type: boolean + +example: true + +-- + +*`file.code_signature.status`*:: ++ +-- +Additional information about the certificate status. +This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. + +type: keyword + +example: ERROR_UNTRUSTED_ROOT + +-- + +*`file.code_signature.subject_name`*:: ++ +-- +Subject name of the code signer + +type: keyword + +example: Microsoft Corporation + +-- + +*`file.code_signature.trusted`*:: ++ +-- +Stores the trust status of the certificate chain. +Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. + +type: boolean + +example: true + +-- + +*`file.code_signature.valid`*:: ++ +-- +Boolean to capture if the digital signature is verified against the binary content. +Leave unpopulated if a certificate was unchecked. + +type: boolean + +example: true + +-- + *`file.created`*:: + -- @@ -1947,6 +2279,15 @@ example: 256383 -- +*`file.mime_type`*:: ++ +-- +MIME type should identify the format of the file or stream of bytes using https://www.iana.org/assignments/media-types/media-types.xhtml[IANA official types], where possible. When more than one type is applicable, the most specific type should be used. + +type: keyword + +-- + *`file.mode`*:: + -- @@ -2007,6 +2348,61 @@ type: text -- +*`file.pe.company`*:: ++ +-- +Internal company name of the file, provided at compile-time. + +type: keyword + +example: Microsoft Corporation + +-- + +*`file.pe.description`*:: ++ +-- +Internal description of the file, provided at compile-time. + +type: keyword + +example: Paint + +-- + +*`file.pe.file_version`*:: ++ +-- +Internal version of the file, provided at compile-time. + +type: keyword + +example: 6.3.9600.17415 + +-- + +*`file.pe.original_file_name`*:: ++ +-- +Internal name of the file, provided at compile-time. + +type: keyword + +example: MSPAINT.EXE + +-- + +*`file.pe.product`*:: ++ +-- +Internal product name of the file, provided at compile-time. + +type: keyword + +example: Microsoft® Windows® Operating System + +-- + *`file.size`*:: + -- @@ -2375,7 +2771,7 @@ type: keyword *`host.ip`*:: + -- -Host ip address. +Host ip addresses. type: ip @@ -2384,7 +2780,7 @@ type: ip *`host.mac`*:: + -- -Host mac address. +Host mac addresses. type: keyword @@ -2579,7 +2975,7 @@ type: keyword *`host.user.id`*:: + -- -One or multiple unique identifiers of the user. +Unique identifiers of the user. type: keyword @@ -2744,6 +3140,45 @@ example: 1.1 -- +[float] +=== interface + +The interface fields are used to record ingress and egress interface information when reported by an observer (e.g. firewall, router, load balancer) in the context of the observer handling a network connection. In the case of a single observer interface (e.g. network sensor on a span port) only the observer.ingress information should be populated. + + +*`interface.alias`*:: ++ +-- +Interface alias as reported by the system, typically used in firewall implementations for e.g. inside, outside, or dmz logical interface naming. + +type: keyword + +example: outside + +-- + +*`interface.id`*:: ++ +-- +Interface ID as reported by an observer (typically SNMP interface ID). + +type: keyword + +example: 10 + +-- + +*`interface.name`*:: ++ +-- +Interface name as reported by the system. + +type: keyword + +example: eth0 + +-- + [float] === log @@ -2981,6 +3416,37 @@ example: 6 -- +*`network.inner`*:: ++ +-- +Network.inner fields are added in addition to network.vlan fields to describe the innermost VLAN when q-in-q VLAN tagging is present. Allowed fields include vlan.id and vlan.name. Inner vlan fields are typically used when sending traffic with multiple 802.1q encapsulations to a network sensor (e.g. Zeek, Wireshark.) + +type: object + +-- + +*`network.inner.vlan.id`*:: ++ +-- +VLAN ID as reported by the observer. + +type: keyword + +example: 10 + +-- + +*`network.inner.vlan.name`*:: ++ +-- +Optional VLAN name as reported by the observer. + +type: keyword + +example: outside + +-- + *`network.name`*:: + -- @@ -3040,6 +3506,28 @@ example: ipv4 -- +*`network.vlan.id`*:: ++ +-- +VLAN ID as reported by the observer. + +type: keyword + +example: 10 + +-- + +*`network.vlan.name`*:: ++ +-- +Optional VLAN name as reported by the observer. + +type: keyword + +example: outside + +-- + [float] === observer @@ -3047,6 +3535,81 @@ An observer is defined as a special network, security, or application device use This could be a custom hardware appliance or a server that has been configured to run special network, security, or application software. Examples include firewalls, web proxies, intrusion detection/prevention systems, network monitoring sensors, web application firewalls, data loss prevention systems, and APM servers. The observer.* fields shall be populated with details of the system, if any, that detects, observes and/or creates a network, security, or application event or metric. Message queues and ETL components used in processing events or metrics are not considered observers in ECS. +*`observer.egress`*:: ++ +-- +Observer.egress holds information like interface number and name, vlan, and zone information to classify egress traffic. Single armed monitoring such as a network sensor on a span port should only use observer.ingress to categorize traffic. + +type: object + +-- + +*`observer.egress.interface.alias`*:: ++ +-- +Interface alias as reported by the system, typically used in firewall implementations for e.g. inside, outside, or dmz logical interface naming. + +type: keyword + +example: outside + +-- + +*`observer.egress.interface.id`*:: ++ +-- +Interface ID as reported by an observer (typically SNMP interface ID). + +type: keyword + +example: 10 + +-- + +*`observer.egress.interface.name`*:: ++ +-- +Interface name as reported by the system. + +type: keyword + +example: eth0 + +-- + +*`observer.egress.vlan.id`*:: ++ +-- +VLAN ID as reported by the observer. + +type: keyword + +example: 10 + +-- + +*`observer.egress.vlan.name`*:: ++ +-- +Optional VLAN name as reported by the observer. + +type: keyword + +example: outside + +-- + +*`observer.egress.zone`*:: ++ +-- +Network zone of outbound traffic as reported by the observer to categorize the destination area of egress traffic, e.g. Internal, External, DMZ, HR, Legal, etc. + +type: keyword + +example: Public_Internet + +-- + *`observer.geo.city_name`*:: + -- @@ -3146,10 +3709,85 @@ type: keyword -- +*`observer.ingress`*:: ++ +-- +Observer.ingress holds information like interface number and name, vlan, and zone information to classify ingress traffic. Single armed monitoring such as a network sensor on a span port should only use observer.ingress to categorize traffic. + +type: object + +-- + +*`observer.ingress.interface.alias`*:: ++ +-- +Interface alias as reported by the system, typically used in firewall implementations for e.g. inside, outside, or dmz logical interface naming. + +type: keyword + +example: outside + +-- + +*`observer.ingress.interface.id`*:: ++ +-- +Interface ID as reported by an observer (typically SNMP interface ID). + +type: keyword + +example: 10 + +-- + +*`observer.ingress.interface.name`*:: ++ +-- +Interface name as reported by the system. + +type: keyword + +example: eth0 + +-- + +*`observer.ingress.vlan.id`*:: ++ +-- +VLAN ID as reported by the observer. + +type: keyword + +example: 10 + +-- + +*`observer.ingress.vlan.name`*:: ++ +-- +Optional VLAN name as reported by the observer. + +type: keyword + +example: outside + +-- + +*`observer.ingress.zone`*:: ++ +-- +Network zone of incoming traffic as reported by the observer to categorize the source area of ingress traffic. e.g. internal, External, DMZ, HR, Legal, etc. + +type: keyword + +example: DMZ + +-- + *`observer.ip`*:: + -- -IP address of the observer. +IP addresses of the observer. type: ip @@ -3158,7 +3796,7 @@ type: ip *`observer.mac`*:: + -- -MAC address of the observer +MAC addresses of the observer type: keyword @@ -3579,6 +4217,67 @@ example: 1.12.9 -- +[float] +=== pe + +These fields contain Windows Portable Executable (PE) metadata. + + +*`pe.company`*:: ++ +-- +Internal company name of the file, provided at compile-time. + +type: keyword + +example: Microsoft Corporation + +-- + +*`pe.description`*:: ++ +-- +Internal description of the file, provided at compile-time. + +type: keyword + +example: Paint + +-- + +*`pe.file_version`*:: ++ +-- +Internal version of the file, provided at compile-time. + +type: keyword + +example: 6.3.9600.17415 + +-- + +*`pe.original_file_name`*:: ++ +-- +Internal name of the file, provided at compile-time. + +type: keyword + +example: MSPAINT.EXE + +-- + +*`pe.product`*:: ++ +-- +Internal product name of the file, provided at compile-time. + +type: keyword + +example: Microsoft® Windows® Operating System + +-- + [float] === process @@ -3610,6 +4309,64 @@ example: 4 -- +*`process.code_signature.exists`*:: ++ +-- +Boolean to capture if a signature is present. + +type: boolean + +example: true + +-- + +*`process.code_signature.status`*:: ++ +-- +Additional information about the certificate status. +This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. + +type: keyword + +example: ERROR_UNTRUSTED_ROOT + +-- + +*`process.code_signature.subject_name`*:: ++ +-- +Subject name of the code signer + +type: keyword + +example: Microsoft Corporation + +-- + +*`process.code_signature.trusted`*:: ++ +-- +Stores the trust status of the certificate chain. +Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. + +type: boolean + +example: true + +-- + +*`process.code_signature.valid`*:: ++ +-- +Boolean to capture if the digital signature is verified against the binary content. +Leave unpopulated if a certificate was unchecked. + +type: boolean + +example: true + +-- + *`process.command_line`*:: + -- @@ -3629,6 +4386,19 @@ type: text -- +*`process.entity_id`*:: ++ +-- +Unique identifier for the process. +The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. +Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. + +type: keyword + +example: c2c455d9f99375d + +-- + *`process.executable`*:: + -- @@ -3738,6 +4508,64 @@ example: 4 -- +*`process.parent.code_signature.exists`*:: ++ +-- +Boolean to capture if a signature is present. + +type: boolean + +example: true + +-- + +*`process.parent.code_signature.status`*:: ++ +-- +Additional information about the certificate status. +This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. + +type: keyword + +example: ERROR_UNTRUSTED_ROOT + +-- + +*`process.parent.code_signature.subject_name`*:: ++ +-- +Subject name of the code signer + +type: keyword + +example: Microsoft Corporation + +-- + +*`process.parent.code_signature.trusted`*:: ++ +-- +Stores the trust status of the certificate chain. +Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. + +type: boolean + +example: true + +-- + +*`process.parent.code_signature.valid`*:: ++ +-- +Boolean to capture if the digital signature is verified against the binary content. +Leave unpopulated if a certificate was unchecked. + +type: boolean + +example: true + +-- + *`process.parent.command_line`*:: + -- @@ -3757,6 +4585,19 @@ type: text -- +*`process.parent.entity_id`*:: ++ +-- +Unique identifier for the process. +The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. +Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. + +type: keyword + +example: c2c455d9f99375d + +-- + *`process.parent.executable`*:: + -- @@ -3787,6 +4628,42 @@ example: 137 -- +*`process.parent.hash.md5`*:: ++ +-- +MD5 hash. + +type: keyword + +-- + +*`process.parent.hash.sha1`*:: ++ +-- +SHA1 hash. + +type: keyword + +-- + +*`process.parent.hash.sha256`*:: ++ +-- +SHA256 hash. + +type: keyword + +-- + +*`process.parent.hash.sha512`*:: ++ +-- +SHA512 hash. + +type: keyword + +-- + *`process.parent.name`*:: + -- @@ -3924,6 +4801,61 @@ type: text -- +*`process.pe.company`*:: ++ +-- +Internal company name of the file, provided at compile-time. + +type: keyword + +example: Microsoft Corporation + +-- + +*`process.pe.description`*:: ++ +-- +Internal description of the file, provided at compile-time. + +type: keyword + +example: Paint + +-- + +*`process.pe.file_version`*:: ++ +-- +Internal version of the file, provided at compile-time. + +type: keyword + +example: 6.3.9600.17415 + +-- + +*`process.pe.original_file_name`*:: ++ +-- +Internal name of the file, provided at compile-time. + +type: keyword + +example: MSPAINT.EXE + +-- + +*`process.pe.product`*:: ++ +-- +Internal product name of the file, provided at compile-time. + +type: keyword + +example: Microsoft® Windows® Operating System + +-- + *`process.pgid`*:: + -- @@ -4132,8 +5064,17 @@ example: Debugger This field set is meant to facilitate pivoting around a piece of data. Some pieces of information can be seen in many places in an ECS event. To facilitate searching for them, store an array of all seen values to their corresponding field in `related.`. -A concrete example is IP addresses, which can be under host, observer, source, destination, client, server, and network.forwarded_ip. If you append all IPs to `related.ip`, you can then search for a given IP trivially, no matter where it appeared, by querying `related.ip:a.b.c.d`. +A concrete example is IP addresses, which can be under host, observer, source, destination, client, server, and network.forwarded_ip. If you append all IPs to `related.ip`, you can then search for a given IP trivially, no matter where it appeared, by querying `related.ip:192.0.2.15`. + + +*`related.hash`*:: ++ +-- +All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). + +type: keyword +-- *`related.ip`*:: + @@ -4160,6 +5101,17 @@ Rule fields are used to capture the specifics of any observer or agent rules tha Examples of data sources that would populate the rule fields include: network admission control platforms, network or host IDS/IPS, network firewalls, web application firewalls, url filters, endpoint detection and response (EDR) systems, etc. +*`rule.author`*:: ++ +-- +Name, organization, or pseudonym of the author or authors who created the rule used to generate this event. + +type: keyword + +example: ['Star-Lord'] + +-- + *`rule.category`*:: + -- @@ -4193,6 +5145,17 @@ example: 101 -- +*`rule.license`*:: ++ +-- +Name of the license under which the rule used to generate this event is made available. + +type: keyword + +example: Apache 2.0 + +-- + *`rule.name`*:: + -- @@ -4574,7 +5537,7 @@ type: keyword *`server.user.id`*:: + -- -One or multiple unique identifiers of the user. +Unique identifiers of the user. type: keyword @@ -5014,7 +5977,7 @@ type: keyword *`source.user.id`*:: + -- -One or multiple unique identifiers of the user. +Unique identifiers of the user. type: keyword @@ -5731,7 +6694,7 @@ type: keyword *`user.id`*:: + -- -One or multiple unique identifiers of the user. +Unique identifiers of the user. type: keyword @@ -5893,6 +6856,37 @@ example: 12.0 -- +[float] +=== vlan + +The VLAN fields are used to identify 802.1q tag(s) of a packet, as well as ingress and egress VLAN associations of an observer in relation to a specific packet or connection. +Network.vlan fields are used to record a single VLAN tag, or the outer tag in the case of q-in-q encapsulations, for a packet or connection as observed, typically provided by a network sensor (e.g. Zeek, Wireshark) passively reporting on traffic. +Network.inner VLAN fields are used to report inner q-in-q 802.1q tags (multiple 802.1q encapsulations) as observed, typically provided by a network sensor (e.g. Zeek, Wireshark) passively reporting on traffic. Network.inner VLAN fields should only be used in addition to network.vlan fields to indicate q-in-q tagging. +Observer.ingress and observer.egress VLAN values are used to record observer specific information when observer events contain discrete ingress and egress VLAN information, typically provided by firewalls, routers, or load balancers. + + +*`vlan.id`*:: ++ +-- +VLAN ID as reported by the observer. + +type: keyword + +example: 10 + +-- + +*`vlan.name`*:: ++ +-- +Optional VLAN name as reported by the observer. + +type: keyword + +example: outside + +-- + [float] === vulnerability diff --git a/x-pack/functionbeat/include/fields.go b/x-pack/functionbeat/include/fields.go index 595261657c6b..884bb2e208e8 100644 --- a/x-pack/functionbeat/include/fields.go +++ b/x-pack/functionbeat/include/fields.go @@ -19,5 +19,5 @@ func init() { // AssetFieldsYml returns asset data. // This is the base64 encoded gzipped contents of fields.yml. func AssetFieldsYml() string { - return "" + return "" }