From d6d7c85714217c2dd9d5b341ad1925aea5209f15 Mon Sep 17 00:00:00 2001 From: kaiyan-sheng Date: Wed, 7 Oct 2020 19:34:40 -0600 Subject: [PATCH] Cherry-pick #21540 to 7.x: Add support for additional fields from V2 ALB logs (#21579) (cherry picked from commit a2decea3c5011668156711f06fa8a1e6195bc5df) --- CHANGELOG.next.asciidoc | 1 + filebeat/docs/fields.asciidoc | 40 ++ .../filebeat/module/aws/elb/_meta/fields.yml | 16 + .../module/aws/elb/ingest/pipeline.yml | 14 +- .../aws/elb/test/application-lb-http.log | 2 +- .../application-lb-http.log-expected.json | 50 ++ .../module/aws/elb/test/example-alb-http.log | 5 +- .../test/example-alb-http.log-expected.json | 215 ++++++++ x-pack/filebeat/module/aws/fields.go | 2 +- .../zia/test/generated.log-expected.json | 512 +++++++++++------- .../zscaler/zia/test/test.log-expected.json | 5 +- 11 files changed, 650 insertions(+), 212 deletions(-) diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index 36801b951aa..eda75356a92 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -694,6 +694,7 @@ field. You can revert this change by configuring tags for the module and omittin - Add related.hosts ecs field to all modules {pull}21160[21160] - Keep cursor state between httpjson input restarts {pull}20751[20751] - Convert aws s3 to v2 input {pull}20005[20005] +- Add support for additional fields from V2 ALB logs. {pull}21540[21540] - Release Cloud Foundry input as GA. {pull}21525[21525] - New Cisco Umbrella dataset {pull}21504[21504] - New juniper.srx dataset for Juniper SRX logs. {pull}20017[20017] diff --git a/filebeat/docs/fields.asciidoc b/filebeat/docs/fields.asciidoc index 8e56d73aa85..d7b4bad2d7d 100644 --- a/filebeat/docs/fields.asciidoc +++ b/filebeat/docs/fields.asciidoc 
@@ -1884,6 +1884,46 @@ type: keyword The error reason if the executed action failed. +type: keyword + +-- + +*`aws.elb.target_port`*:: ++ +-- +List of IP addresses and ports for the targets that processed this request. + + +type: keyword + +-- + +*`aws.elb.target_status_code`*:: ++ +-- +List of status codes from the responses of the targets. + + +type: keyword + +-- + +*`aws.elb.classification`*:: ++ +-- +The classification for desync mitigation. + + +type: keyword + +-- + +*`aws.elb.classification_reason`*:: ++ +-- +The classification reason code. + + type: keyword -- diff --git a/x-pack/filebeat/module/aws/elb/_meta/fields.yml b/x-pack/filebeat/module/aws/elb/_meta/fields.yml index 9499f8bbb0e..aac074e9347 100644 --- a/x-pack/filebeat/module/aws/elb/_meta/fields.yml +++ b/x-pack/filebeat/module/aws/elb/_meta/fields.yml @@ -101,3 +101,19 @@ type: keyword description: > The error reason if the executed action failed. + - name: target_port + type: keyword + description: > + List of IP addresses and ports for the targets that processed this request. + - name: target_status_code + type: keyword + description: > + List of status codes from the responses of the targets. + - name: classification + type: keyword + description: > + The classification for desync mitigation. + - name: classification_reason + type: keyword + description: > + The classification reason code. diff --git a/x-pack/filebeat/module/aws/elb/ingest/pipeline.yml b/x-pack/filebeat/module/aws/elb/ingest/pipeline.yml index de772ccdf01..8cb2a914921 100644 --- a/x-pack/filebeat/module/aws/elb/ingest/pipeline.yml +++ b/x-pack/filebeat/module/aws/elb/ingest/pipeline.yml 
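Review bot: The descriptions added for `classification` and `classification_reason` in the `_meta/fields.yml` hunk do not say what values to expect, although these are the fields an alert for HTTP desync would key on. I would extend the first to something like `The classification for desync mitigation (Acceptable, Ambiguous or Severe per the AWS access-log documentation); absent when the log entry has "-".` The `target_port` description could also say that each element is an `ip:port` string, as the fixtures in this commit show. filebeat/docs/fields.asciidoc appears to be generated from this file, so the wording would carry over there.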
@@ -31,7 +31,7 @@ processors: %{TIMESTAMP_ISO8601:event.start} \"(?:-|%{DATA:_tmp.actions_executed})\" \"(?:-|%{DATA:aws.elb.redirect_url})\" - \"(?:-|%{DATA:aws.elb.error.reason})\" + \"(?:-|%{DATA:aws.elb.error.reason})\"( \"(?:-|%{DATA:_tmp.target_port})\")?( \"(?:-|%{DATA:_tmp.target_status_code})\")?( \"(?:-|%{DATA:aws.elb.classification})\")?( \"(?:-|%{DATA:aws.elb.classification_reason})\")? # TCP from Network Load Balancers (v2 Load Balancers) - >- @@ -141,6 +141,18 @@ processors: separator: ',' ignore_missing: true + - split: + field: '_tmp.target_port' + target_field: 'aws.elb.target_port' + separator: ' ' + ignore_missing: true + + - split: + field: '_tmp.target_status_code' + target_field: 'aws.elb.target_status_code' + separator: ' ' + ignore_missing: true + - date: field: '_tmp.timestamp' formats: diff --git a/x-pack/filebeat/module/aws/elb/test/application-lb-http.log b/x-pack/filebeat/module/aws/elb/test/application-lb-http.log index 88ea2d75c26..5d754c4bbaa 100644 --- a/x-pack/filebeat/module/aws/elb/test/application-lb-http.log +++ b/x-pack/filebeat/module/aws/elb/test/application-lb-http.log 
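Review bot: None of the fixture lines added in this commit has anything other than `"-"` in the last two positions, so the new `aws.elb.classification` and `aws.elb.classification_reason` captures in the `@@ -31,7 +31,7 @@` hunk are never exercised by the expected JSON. A sample line with a non-dash classification would pin the part of this change that a desync detection depends on. Separately, the four optional groups sit on one long line, presumably because the pattern is a folded `>-` scalar (as the next list item in the hunk is) and a line break would become a literal space outside the `( ...)?` group. A comment above this pattern's list item, such as `# optional trailing V2 fields must stay on one line: folding would add a space outside the group`, would stop someone from re-wrapping it. The start of the pattern lies outside the hunk, so whether it is anchored cannot be seen from here.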
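Review bot: The two `split` processors added in the `@@ -141,6 +141,18 @@` hunk are only tested with a single target. Every expected document in this commit has one-element `aws.elb.target_port` and `aws.elb.target_status_code` arrays, so the `separator: ' '` behaviour is unverified; a fixture line with two space-separated targets would cover it. The per-target status codes also end up as keyword strings (`"200"`) while `aws.elb.backend.http.response.status_code` in the same documents is numeric, which rules out range queries such as 5xx on them. If that is intended, a sentence in the field description saying so would help. The hunk does not show whether `_tmp.target_port` and `_tmp.target_status_code` are removed afterwards; presumably an existing cleanup of `_tmp` outside the hunk handles it.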
@@ -8,4 +8,4 @@ http 2019-10-11T15:03:49.331902Z app/filebeat-aws-elb-test/c86a326e7dc14222 77.2 http 2019-10-11T15:55:09.308183Z app/filebeat-aws-elb-test/c86a326e7dc14222 77.227.156.41:37838 10.0.0.192:80 0.001 0.000 0.000 200 200 125 859 "GET http://filebeat-aws-elb-test-12030537.eu-central-1.elb.amazonaws.com:80/ HTTP/1.1" "curl/7.58.0" - - arn:aws:elasticloadbalancing:eu-central-1:627959692251:targetgroup/test-lb-instances/8f04c4fe71f5f794 "Root=1-5da0a5dd-4d9a423a0e9a782fe2f390af" "-" "-" 0 2019-10-11T15:55:09.307000Z "forward" "-" "-" http 2019-10-11T15:55:11.354283Z app/filebeat-aws-elb-test/c86a326e7dc14222 77.227.156.41:37850 10.0.1.107:80 0.001 0.001 0.000 200 200 125 859 "GET http://filebeat-aws-elb-test-12030537.eu-central-1.elb.amazonaws.com:80/ HTTP/1.1" "curl/7.58.0" - - arn:aws:elasticloadbalancing:eu-central-1:627959692251:targetgroup/test-lb-instances/8f04c4fe71f5f794 "Root=1-5da0a5df-7d64cabe9955b4df9acc800a" "-" "-" 0 2019-10-11T15:55:11.352000Z "forward" "-" "-" http 2019-10-11T15:55:11.987940Z app/filebeat-aws-elb-test/c86a326e7dc14222 77.227.156.41:37856 10.0.0.192:80 0.000 0.001 0.000 200 200 125 859 "GET http://filebeat-aws-elb-test-12030537.eu-central-1.elb.amazonaws.com:80/ HTTP/1.1" "curl/7.58.0" - - arn:aws:elasticloadbalancing:eu-central-1:627959692251:targetgroup/test-lb-instances/8f04c4fe71f5f794 "Root=1-5da0a5df-7c958e828ff43b63d0e0fac4" "-" "-" 0 2019-10-11T15:55:11.987000Z "forward" "-" "-" - +http 2018-07-02T22:23:00.186641Z app/my-loadbalancer/50dc6c495c0c9188 192.168.131.39:2817 10.0.0.1:80 0.000 0.001 0.000 200 200 34 366 "GET http://www.example.com:80/ HTTP/1.1" "curl/7.46.0" - - arn:aws:elasticloadbalancing:us-east-2:123456789012:targetgroup/my-targets/73e2d6bc24d8a067 "Root=1-58337262-36d228ad5d99923122bbe354" "-" "-" 0 2018-07-02T22:22:48.364000Z "forward,redirect" "-" "-" "10.0.0.1:80" "200" "-" "-" 
diff --git a/x-pack/filebeat/module/aws/elb/test/application-lb-http.log-expected.json b/x-pack/filebeat/module/aws/elb/test/application-lb-http.log-expected.json index 28e1564e928..3682fb6520e 100644 --- a/x-pack/filebeat/module/aws/elb/test/application-lb-http.log-expected.json +++ b/x-pack/filebeat/module/aws/elb/test/application-lb-http.log-expected.json 
@@ -500,5 +500,55 @@ ], "tracing.trace.id": "Root=1-5da0a5df-7c958e828ff43b63d0e0fac4", "user_agent.original": "curl/7.58.0" + }, + { + "@timestamp": "2018-07-02T22:23:00.186Z", + "aws.elb.action_executed": [ + "forward", + "redirect" + ], + "aws.elb.backend.http.response.status_code": 200, + "aws.elb.backend.ip": "10.0.0.1", + "aws.elb.backend.port": "80", + "aws.elb.backend_processing_time.sec": 0.001, + "aws.elb.matched_rule_priority": "0", + "aws.elb.name": "app/my-loadbalancer/50dc6c495c0c9188", + "aws.elb.protocol": "http", + "aws.elb.request_processing_time.sec": 0.0, + "aws.elb.response_processing_time.sec": 0.0, + "aws.elb.target_group.arn": "arn:aws:elasticloadbalancing:us-east-2:123456789012:targetgroup/my-targets/73e2d6bc24d8a067", + "aws.elb.target_port": [ + "10.0.0.1:80" + ], + "aws.elb.target_status_code": [ + "200" + ], + "aws.elb.trace_id": "Root=1-58337262-36d228ad5d99923122bbe354", + "aws.elb.type": "http", + "cloud.provider": "aws", + "event.category": "web", + "event.dataset": "aws.elb", + "event.end": "2018-07-02T22:23:00.186Z", + "event.kind": "event", + "event.module": "aws", + "event.outcome": "success", + "event.start": "2018-07-02T22:22:48.364000Z", + "fileset.name": "elb", + "http.request.body.bytes": 34, + "http.request.method": "GET", + "http.request.referrer": "http://www.example.com:80/", + "http.response.body.bytes": 366, + "http.response.status_code": 200, + "http.version": "1.1", + "input.type": "log", + "log.offset": 4431, + "service.type": "aws", + "source.ip": "192.168.131.39", + "source.port": "2817", + "tags": [ + "forwarded" + ], + "tracing.trace.id": "Root=1-58337262-36d228ad5d99923122bbe354", + "user_agent.original": "curl/7.46.0" } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/aws/elb/test/example-alb-http.log b/x-pack/filebeat/module/aws/elb/test/example-alb-http.log index 9e4526d2d61..94c0ec1360b 100644 --- a/x-pack/filebeat/module/aws/elb/test/example-alb-http.log 
+++ b/x-pack/filebeat/module/aws/elb/test/example-alb-http.log 
@@ -7,4 +7,7 @@ http 2018-11-30T22:23:00.186641Z app/my-loadbalancer/50dc6c495c0c9188 192.168.13 http 2018-11-30T22:23:00.186641Z app/my-loadbalancer/50dc6c495c0c9188 192.168.131.39:2817 - 0.000 0.001 0.000 502 - 34 366 "GET http://www.example.com:80/ HTTP/1.1" "curl/7.46.0" - - arn:aws:elasticloadbalancing:us-east-2:123456789012:targetgroup/my-targets/73e2d6bc24d8a067 "Root=1-58337364-23a8c76965a2ef7629b185e3" "-" "-" 0 2018-11-30T22:22:48.364000Z "forward" "-" "LambdaInvalidResponse" http 2018-11-30T22:23:00.186641Z app/my-loadbalancer/50dc6c495c0c9188 192.168.131.39:2817 - -1 -1 -1 400 - 0 0 "- http://www.example.com:80- -" "-" - - - "-" "-" "-" 0 2018-11-30T22:22:48.364000Z "-" "-" "-" http 2018-11-30T22:23:00.186641Z app/my-loadbalancer/50dc6c495c0c9188 192.168.131.39:2817 - -1 -1 -1 400 - 0 0 "- - -" "-" - - - "-" "-" "-" 0 2018-11-30T22:22:48.364000Z "-" "-" "-" - +h2 2018-07-02T22:23:00.186641Z app/my-loadbalancer/50dc6c495c0c9188 10.0.1.252:48160 10.0.0.66:9000 0.000 0.002 0.000 200 200 5 257 "GET https://10.0.2.105:773/ HTTP/2.0" "curl/7.46.0" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 arn:aws:elasticloadbalancing:us-east-2:123456789012:targetgroup/my-targets/73e2d6bc24d8a067 "Root=1-58337327-72bd00b0343d75b906739c42" "-" "-" 1 2018-07-02T22:22:48.364000Z "redirect" "https://example.com:80/" "-" "10.0.0.66:9000" "200" "-" "-" +https 2018-07-02T22:23:00.186641Z app/my-loadbalancer/50dc6c495c0c9188 192.168.131.39:2817 10.0.0.1:80 0.086 0.048 0.037 200 200 0 57 "GET https://www.example.com:443/ HTTP/1.1" "curl/7.46.0" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 arn:aws:elasticloadbalancing:us-east-2:123456789012:targetgroup/my-targets/73e2d6bc24d8a067 "Root=1-58337281-1d84f3d73c47ec4e58577259" "www.example.com" "arn:aws:acm:us-east-2:123456789012:certificate/12345678-1234-1234-1234-123456789012" 1 2018-07-02T22:22:48.364000Z "authenticate,forward" "-" "-" "10.0.0.1:80" "200" "-" "-" +ws 2018-07-02T22:23:00.186641Z app/my-loadbalancer/50dc6c495c0c9188 10.0.0.140:40914 
10.0.1.192:8010 0.001 0.003 0.000 101 101 218 587 "GET http://10.0.0.30:80/ HTTP/1.1" "-" - - arn:aws:elasticloadbalancing:us-east-2:123456789012:targetgroup/my-targets/73e2d6bc24d8a067 "Root=1-58337364-23a8c76965a2ef7629b185e3" "-" "-" 1 2018-07-02T22:22:48.364000Z "forward" "-" "-" "10.0.1.192:8010" "101" "-" "-" +wss 2018-07-02T22:23:00.186641Z app/my-loadbalancer/50dc6c495c0c9188 10.0.0.140:44244 10.0.0.171:8010 0.000 0.001 0.000 101 101 218 786 "GET https://10.0.0.30:443/ HTTP/1.1" "-" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 arn:aws:elasticloadbalancing:us-west-2:123456789012:targetgroup/my-targets/73e2d6bc24d8a067 "Root=1-58337364-23a8c76965a2ef7629b185e3" "-" "-" 1 2018-07-02T22:22:48.364000Z "forward" "-" "-" "10.0.0.171:8010" "101" "-" "-" diff --git a/x-pack/filebeat/module/aws/elb/test/example-alb-http.log-expected.json b/x-pack/filebeat/module/aws/elb/test/example-alb-http.log-expected.json index eb1fad5f705..2c1490142fa 100644 --- a/x-pack/filebeat/module/aws/elb/test/example-alb-http.log-expected.json +++ b/x-pack/filebeat/module/aws/elb/test/example-alb-http.log-expected.json 
@@ -368,5 +368,220 @@ ], "tracing.trace.id": "-", "user_agent.original": "-" + }, + { + "@timestamp": "2018-07-02T22:23:00.186Z", + "aws.elb.action_executed": [ + "redirect" + ], + "aws.elb.backend.http.response.status_code": 200, + "aws.elb.backend.ip": "10.0.0.66", + "aws.elb.backend.port": "9000", + "aws.elb.backend_processing_time.sec": 0.002, + "aws.elb.matched_rule_priority": "1", + "aws.elb.name": "app/my-loadbalancer/50dc6c495c0c9188", + "aws.elb.protocol": "http", + "aws.elb.redirect_url": "https://example.com:80/", + "aws.elb.request_processing_time.sec": 0.0, + "aws.elb.response_processing_time.sec": 0.0, + "aws.elb.ssl_cipher": "ECDHE-RSA-AES128-GCM-SHA256", + "aws.elb.ssl_protocol": "TLSv1.2", + "aws.elb.target_group.arn": "arn:aws:elasticloadbalancing:us-east-2:123456789012:targetgroup/my-targets/73e2d6bc24d8a067", + "aws.elb.target_port": [ + "10.0.0.66:9000" + ], + "aws.elb.target_status_code": [ + "200" + ], + "aws.elb.trace_id": "Root=1-58337327-72bd00b0343d75b906739c42", + "aws.elb.type": "h2", + "cloud.provider": "aws", + "event.category": "web", + "event.dataset": "aws.elb", + "event.end": "2018-07-02T22:23:00.186Z", + "event.kind": "event", + "event.module": "aws", + "event.outcome": "success", + "event.start": "2018-07-02T22:22:48.364000Z", + "fileset.name": "elb", + "http.request.body.bytes": 5, + "http.request.method": "GET", + "http.request.referrer": "https://10.0.2.105:773/", + "http.response.body.bytes": 257, + "http.response.status_code": 200, + "http.version": "2.0", + "input.type": "log", + "log.offset": 3284, + "service.type": "aws", + "source.ip": "10.0.1.252", + "source.port": "48160", + "tags": [ + "forwarded" + ], + "tls.cipher": "ECDHE-RSA-AES128-GCM-SHA256", + "tls.version": "1.2", + "tls.version_protocol": "tls", + "tracing.trace.id": "Root=1-58337327-72bd00b0343d75b906739c42", + "user_agent.original": "curl/7.46.0" + }, + { + "@timestamp": "2018-07-02T22:23:00.186Z", + "aws.elb.action_executed": [ + "authenticate", + 
"forward" + ], + "aws.elb.backend.http.response.status_code": 200, + "aws.elb.backend.ip": "10.0.0.1", + "aws.elb.backend.port": "80", + "aws.elb.backend_processing_time.sec": 0.048, + "aws.elb.chosen_cert.arn": "arn:aws:acm:us-east-2:123456789012:certificate/12345678-1234-1234-1234-123456789012", + "aws.elb.matched_rule_priority": "1", + "aws.elb.name": "app/my-loadbalancer/50dc6c495c0c9188", + "aws.elb.protocol": "http", + "aws.elb.request_processing_time.sec": 0.086, + "aws.elb.response_processing_time.sec": 0.037, + "aws.elb.ssl_cipher": "ECDHE-RSA-AES128-GCM-SHA256", + "aws.elb.ssl_protocol": "TLSv1.2", + "aws.elb.target_group.arn": "arn:aws:elasticloadbalancing:us-east-2:123456789012:targetgroup/my-targets/73e2d6bc24d8a067", + "aws.elb.target_port": [ + "10.0.0.1:80" + ], + "aws.elb.target_status_code": [ + "200" + ], + "aws.elb.trace_id": "Root=1-58337281-1d84f3d73c47ec4e58577259", + "aws.elb.type": "https", + "cloud.provider": "aws", + "destination.domain": "www.example.com", + "event.category": "web", + "event.dataset": "aws.elb", + "event.end": "2018-07-02T22:23:00.186Z", + "event.kind": "event", + "event.module": "aws", + "event.outcome": "success", + "event.start": "2018-07-02T22:22:48.364000Z", + "fileset.name": "elb", + "http.request.body.bytes": 0, + "http.request.method": "GET", + "http.request.referrer": "https://www.example.com:443/", + "http.response.body.bytes": 57, + "http.response.status_code": 200, + "http.version": "1.1", + "input.type": "log", + "log.offset": 3750, + "service.type": "aws", + "source.ip": "192.168.131.39", + "source.port": "2817", + "tags": [ + "forwarded" + ], + "tls.cipher": "ECDHE-RSA-AES128-GCM-SHA256", + "tls.version": "1.2", + "tls.version_protocol": "tls", + "tracing.trace.id": "Root=1-58337281-1d84f3d73c47ec4e58577259", + "user_agent.original": "curl/7.46.0" + }, + { + "@timestamp": "2018-07-02T22:23:00.186Z", + "aws.elb.action_executed": [ + "forward" + ], + "aws.elb.backend.http.response.status_code": 101, + 
"aws.elb.backend.ip": "10.0.1.192", + "aws.elb.backend.port": "8010", + "aws.elb.backend_processing_time.sec": 0.003, + "aws.elb.matched_rule_priority": "1", + "aws.elb.name": "app/my-loadbalancer/50dc6c495c0c9188", + "aws.elb.protocol": "http", + "aws.elb.request_processing_time.sec": 0.001, + "aws.elb.response_processing_time.sec": 0.0, + "aws.elb.target_group.arn": "arn:aws:elasticloadbalancing:us-east-2:123456789012:targetgroup/my-targets/73e2d6bc24d8a067", + "aws.elb.target_port": [ + "10.0.1.192:8010" + ], + "aws.elb.target_status_code": [ + "101" + ], + "aws.elb.trace_id": "Root=1-58337364-23a8c76965a2ef7629b185e3", + "aws.elb.type": "ws", + "cloud.provider": "aws", + "event.category": "web", + "event.dataset": "aws.elb", + "event.end": "2018-07-02T22:23:00.186Z", + "event.kind": "event", + "event.module": "aws", + "event.outcome": "success", + "event.start": "2018-07-02T22:22:48.364000Z", + "fileset.name": "elb", + "http.request.body.bytes": 218, + "http.request.method": "GET", + "http.request.referrer": "http://10.0.0.30:80/", + "http.response.body.bytes": 587, + "http.response.status_code": 101, + "http.version": "1.1", + "input.type": "log", + "log.offset": 4306, + "service.type": "aws", + "source.ip": "10.0.0.140", + "source.port": "40914", + "tags": [ + "forwarded" + ], + "tracing.trace.id": "Root=1-58337364-23a8c76965a2ef7629b185e3", + "user_agent.original": "-" + }, + { + "@timestamp": "2018-07-02T22:23:00.186Z", + "aws.elb.action_executed": [ + "forward" + ], + "aws.elb.backend.http.response.status_code": 101, + "aws.elb.backend.ip": "10.0.0.171", + "aws.elb.backend.port": "8010", + "aws.elb.backend_processing_time.sec": 0.001, + "aws.elb.matched_rule_priority": "1", + "aws.elb.name": "app/my-loadbalancer/50dc6c495c0c9188", + "aws.elb.protocol": "http", + "aws.elb.request_processing_time.sec": 0.0, + "aws.elb.response_processing_time.sec": 0.0, + "aws.elb.ssl_cipher": "ECDHE-RSA-AES128-GCM-SHA256", + "aws.elb.ssl_protocol": "TLSv1.2", + 
"aws.elb.target_group.arn": "arn:aws:elasticloadbalancing:us-west-2:123456789012:targetgroup/my-targets/73e2d6bc24d8a067", + "aws.elb.target_port": [ + "10.0.0.171:8010" + ], + "aws.elb.target_status_code": [ + "101" + ], + "aws.elb.trace_id": "Root=1-58337364-23a8c76965a2ef7629b185e3", + "aws.elb.type": "wss", + "cloud.provider": "aws", + "event.category": "web", + "event.dataset": "aws.elb", + "event.end": "2018-07-02T22:23:00.186Z", + "event.kind": "event", + "event.module": "aws", + "event.outcome": "success", + "event.start": "2018-07-02T22:22:48.364000Z", + "fileset.name": "elb", + "http.request.body.bytes": 218, + "http.request.method": "GET", + "http.request.referrer": "https://10.0.0.30:443/", + "http.response.body.bytes": 786, + "http.response.status_code": 101, + "http.version": "1.1", + "input.type": "log", + "log.offset": 4708, + "service.type": "aws", + "source.ip": "10.0.0.140", + "source.port": "44244", + "tags": [ + "forwarded" + ], + "tls.cipher": "ECDHE-RSA-AES128-GCM-SHA256", + "tls.version": "1.2", + "tls.version_protocol": "tls", + "tracing.trace.id": "Root=1-58337364-23a8c76965a2ef7629b185e3", + "user_agent.original": "-" } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/aws/fields.go b/x-pack/filebeat/module/aws/fields.go index 352932f1b1c..e8968b65e8e 100644 --- a/x-pack/filebeat/module/aws/fields.go +++ b/x-pack/filebeat/module/aws/fields.go @@ -19,5 +19,5 @@ func init() { // AssetAws returns asset data. // This is the base64 encoded gzipped contents of module/aws. func AssetAws() string { - return "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" + return "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" } diff --git a/x-pack/filebeat/module/zscaler/zia/test/generated.log-expected.json b/x-pack/filebeat/module/zscaler/zia/test/generated.log-expected.json index 1fbe44131f5..7e79d153b0f 100644 --- a/x-pack/filebeat/module/zscaler/zia/test/generated.log-expected.json 
+++ b/x-pack/filebeat/module/zscaler/zia/test/generated.log-expected.json @@ -23,6 +23,7 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.hosts": [ + "rci737.www5.example", "rci737.www5.example" ], "related.ip": [ @@ -41,8 +42,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "ntium", "rsa.misc.action": [ - "Blocked", - "pisciv" + "pisciv", + "Blocked" ], "rsa.misc.category": "umq", "rsa.misc.filter": "oremi", @@ -97,11 +98,12 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.hosts": [ + "eosquir5191.www.example", "eosquir5191.www.example" ], "related.ip": [ - "10.26.46.95", - "10.173.22.152" + "10.173.22.152", + "10.26.46.95" ], "related.user": [ "eataevi" @@ -115,8 +117,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "luptat", "rsa.misc.action": [ - "tur", - "Allowed" + "Allowed", + "tur" ], "rsa.misc.category": "eius", "rsa.misc.filter": "ameaqu", @@ -173,11 +175,12 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.hosts": [ + "orsitame3262.domain", "orsitame3262.domain" ], "related.ip": [ - "10.204.86.149", - "10.254.146.57" + "10.254.146.57", + "10.204.86.149" ], "related.user": [ "tenima" @@ -249,11 +252,12 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.hosts": [ + "tempor4496.www.localdomain", "tempor4496.www.localdomain" ], "related.ip": [ - "10.103.246.190", - "10.252.125.53" + "10.252.125.53", + "10.103.246.190" ], "related.user": [ "equun" @@ -325,11 +329,12 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.hosts": [ + "ore2933.www.test", "ore2933.www.test" ], "related.ip": [ - "10.136.153.149", - "10.61.78.108" + "10.61.78.108", + "10.136.153.149" ], "related.user": [ "ercit" 
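Review bot: Every `related.hosts` array touched in this file now lists the same hostname twice (for example `rci737.www5.example` in the `@@ -23,6 +23,7 @@` hunk), while `related.ip` and `rsa.misc.action` change only in element order; the later hunks of this file repeat the same pattern. None of this follows from the ALB change named in the commit title. It looks as if the golden file was regenerated against a pipeline that appends to `related.hosts` without de-duplicating and whose array order is not stable. I would leave this file out of the cherry-pick, or fix the source of the duplicates, rather than record them as expected output, since order-only churn makes later diffs of this fixture hard to review.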
@@ -401,11 +406,12 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.hosts": [ + "ollit4105.mail.localdomain", "ollit4105.mail.localdomain" ], "related.ip": [ - "10.183.16.166", - "10.66.250.92" + "10.66.250.92", + "10.183.16.166" ], "related.user": [ "tessec" @@ -477,6 +483,7 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.hosts": [ + "cup1793.local", "cup1793.local" ], "related.ip": [ @@ -553,11 +560,12 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.hosts": [ + "icab4668.local", "icab4668.local" ], "related.ip": [ - "10.74.17.5", - "10.119.185.63" + "10.119.185.63", + "10.74.17.5" ], "related.user": [ "erc" @@ -571,8 +579,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "tame", "rsa.misc.action": [ - "nsec", - "Blocked" + "Blocked", + "nsec" ], "rsa.misc.category": "emaperi", "rsa.misc.filter": "rehe", @@ -629,11 +637,12 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.hosts": [ + "aperia4409.www5.invalid", "aperia4409.www5.invalid" ], "related.ip": [ - "10.25.192.202", - "10.78.151.178" + "10.78.151.178", + "10.25.192.202" ], "related.user": [ "quip" @@ -705,11 +714,12 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.hosts": [ + "sitvolup368.internal.host", "sitvolup368.internal.host" ], "related.ip": [ - "10.135.225.244", - "10.71.170.37" + "10.71.170.37", + "10.135.225.244" ], "related.user": [ "atu" @@ -781,6 +791,7 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.hosts": [ + "ite2026.www.invalid", "ite2026.www.invalid" ], "related.ip": [ @@ -857,11 +868,12 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.hosts": [ + "radipisc7020.home", "radipisc7020.home" ], "related.ip": [ - "10.181.80.139", - "10.2.53.125" + "10.2.53.125", + "10.181.80.139" ], "related.user": [ "ihilmo" 
@@ -875,8 +887,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "dolorem", "rsa.misc.action": [ - "Allowed", - "lorsitam" + "lorsitam", + "Allowed" ], "rsa.misc.category": "proide", "rsa.misc.filter": "pariatu", @@ -933,6 +945,7 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.hosts": [ + "uamei2493.www.test", "uamei2493.www.test" ], "related.ip": [ @@ -951,8 +964,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "catc", "rsa.misc.action": [ - "veni", - "Allowed" + "Allowed", + "veni" ], "rsa.misc.category": "sBono", "rsa.misc.filter": "isnisiu", @@ -1009,11 +1022,12 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.hosts": [ + "piscin6866.internal.host", "piscin6866.internal.host" ], "related.ip": [ - "10.135.160.125", - "10.0.55.9" + "10.0.55.9", + "10.135.160.125" ], "related.user": [ "volupta" @@ -1027,8 +1041,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "iurer", "rsa.misc.action": [ - "Allowed", - "ionevo" + "ionevo", + "Allowed" ], "rsa.misc.category": "tinvolu", "rsa.misc.filter": "idex", @@ -1085,11 +1099,12 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.hosts": [ + "spi3544.www.host", "spi3544.www.host" ], "related.ip": [ - "10.111.187.12", - "10.63.250.128" + "10.63.250.128", + "10.111.187.12" ], "related.user": [ "saute" @@ -1161,6 +1176,7 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.hosts": [ + "tlab5981.www.host", "tlab5981.www.host" ], "related.ip": [ @@ -1179,8 +1195,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "mod", "rsa.misc.action": [ - "xeacomm", - "Allowed" + "Allowed", + "xeacomm" ], "rsa.misc.category": "sauteiru", "rsa.misc.filter": "antiu", 
@@ -1237,11 +1253,12 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.hosts": [ + "upida508.example", "upida508.example" ], "related.ip": [ - "10.201.171.120", - "10.91.126.231" + "10.91.126.231", + "10.201.171.120" ], "related.user": [ "exercita" @@ -1255,8 +1272,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "umdo", "rsa.misc.action": [ - "orumSe", - "Blocked" + "Blocked", + "orumSe" ], "rsa.misc.category": "tanimid", "rsa.misc.filter": "itam", @@ -1313,11 +1330,12 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.hosts": [ + "oditem5255.api.localdomain", "oditem5255.api.localdomain" ], "related.ip": [ - "10.107.251.87", - "10.135.82.97" + "10.135.82.97", + "10.107.251.87" ], "related.user": [ "str" @@ -1331,8 +1349,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "quid", "rsa.misc.action": [ - "Allowed", - "itecto" + "itecto", + "Allowed" ], "rsa.misc.category": "quam", "rsa.misc.filter": "adeser", @@ -1389,11 +1407,12 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.hosts": [ + "uamei2389.internal.example", "uamei2389.internal.example" ], "related.ip": [ - "10.31.198.58", - "10.215.205.216" + "10.215.205.216", + "10.31.198.58" ], "related.user": [ "aturve" @@ -1407,8 +1426,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "oNemoeni", "rsa.misc.action": [ - "nre", - "Blocked" + "Blocked", + "nre" ], "rsa.misc.category": "labo", "rsa.misc.filter": "tutlab", @@ -1465,11 +1484,12 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.hosts": [ + "eacommod1930.internal.lan", "eacommod1930.internal.lan" ], "related.ip": [ - "10.29.155.171", - "10.229.83.165" + "10.229.83.165", + "10.29.155.171" ], "related.user": [ "ulapar" 
@@ -1541,11 +1561,12 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.hosts": [ + "tem6984.www5.domain", "tem6984.www5.domain" ], "related.ip": [ - "10.129.192.145", - "10.161.148.64" + "10.161.148.64", + "10.129.192.145" ], "related.user": [ "lor" @@ -1559,8 +1580,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "uaUten", "rsa.misc.action": [ - "Blocked", - "amcorp" + "amcorp", + "Blocked" ], "rsa.misc.category": "umdolor", "rsa.misc.filter": "velillu", @@ -1617,6 +1638,7 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.hosts": [ + "lapariat7287.internal.host", "lapariat7287.internal.host" ], "related.ip": [ @@ -1693,11 +1715,12 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.hosts": [ + "licabo1493.api.corp", "licabo1493.api.corp" ], "related.ip": [ - "10.86.22.67", - "10.218.98.29" + "10.218.98.29", + "10.86.22.67" ], "related.user": [ "olori" @@ -1769,6 +1792,7 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.hosts": [ + "stenatu4844.www.invalid", "stenatu4844.www.invalid" ], "related.ip": [ @@ -1787,8 +1811,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "ulpa", "rsa.misc.action": [ - "gnaal", - "Allowed" + "Allowed", + "gnaal" ], "rsa.misc.category": "nte", "rsa.misc.filter": "pid", @@ -1845,11 +1869,12 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.hosts": [ + "sitam5077.internal.host", "sitam5077.internal.host" ], "related.ip": [ - "10.179.210.218", - "10.32.39.220" + "10.32.39.220", + "10.179.210.218" ], "related.user": [ "boreetdo" @@ -1863,8 +1888,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "riss", "rsa.misc.action": [ - "risnis", - "Blocked" + "Blocked", + "risnis" ], "rsa.misc.category": "emqu", "rsa.misc.filter": "oluptas", 
@@ -1921,11 +1946,12 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.hosts": [ + "dquia107.www.test", "dquia107.www.test" ], "related.ip": [ - "10.128.173.19", - "10.88.172.34" + "10.88.172.34", + "10.128.173.19" ], "related.user": [ "agnaaliq" @@ -1939,8 +1965,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "ntNeq", "rsa.misc.action": [ - "dtempo", - "Blocked" + "Blocked", + "dtempo" ], "rsa.misc.category": "ipsu", "rsa.misc.filter": "iqu", @@ -1997,6 +2023,7 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.hosts": [ + "lloin4019.www.localhost", "lloin4019.www.localhost" ], "related.ip": [ @@ -2073,11 +2100,12 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.hosts": [ + "tamet6317.www.host", "tamet6317.www.host" ], "related.ip": [ - "10.115.53.31", - "10.2.67.127" + "10.2.67.127", + "10.115.53.31" ], "related.user": [ "Cic" @@ -2091,8 +2119,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "quatD", "rsa.misc.action": [ - "Allowed", - "tatem" + "tatem", + "Allowed" ], "rsa.misc.category": "aincidun", "rsa.misc.filter": "uela", @@ -2149,6 +2177,7 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.hosts": [ + "saquaea6344.www.invalid", "saquaea6344.www.invalid" ], "related.ip": [ @@ -2167,8 +2196,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "tasun", "rsa.misc.action": [ - "Allowed", - "quasiarc" + "quasiarc", + "Allowed" ], "rsa.misc.category": "autfugi", "rsa.misc.filter": "ritqu", @@ -2225,11 +2254,12 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.hosts": [ + "utaliqu4248.www.localhost", "utaliqu4248.www.localhost" ], "related.ip": [ - "10.101.85.169", - "10.18.226.72" + "10.18.226.72", + "10.101.85.169" ], "related.user": [ "rroqu" 
@@ -2301,11 +2331,12 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.hosts": [ + "mdolore473.internal.test", "mdolore473.internal.test" ], "related.ip": [ - "10.242.182.193", - "10.87.100.240" + "10.87.100.240", + "10.242.182.193" ], "related.user": [ "stenatus" @@ -2377,6 +2408,7 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.hosts": [ + "tatio6513.www.invalid", "tatio6513.www.invalid" ], "related.ip": [ @@ -2395,8 +2427,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "tdolore", "rsa.misc.action": [ - "onproide", - "Blocked" + "Blocked", + "onproide" ], "rsa.misc.category": "tvolup", "rsa.misc.filter": "niam", @@ -2453,6 +2485,7 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.hosts": [ + "lapar1599.www.lan", "lapar1599.www.lan" ], "related.ip": [ @@ -2471,8 +2504,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "uteir", "rsa.misc.action": [ - "Section", - "Allowed" + "Allowed", + "Section" ], "rsa.misc.category": "cididu", "rsa.misc.filter": "Utenima", @@ -2529,11 +2562,12 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.hosts": [ + "aquioff3853.www.localdomain", "aquioff3853.www.localdomain" ], "related.ip": [ - "10.236.230.136", - "10.54.159.1" + "10.54.159.1", + "10.236.230.136" ], "related.user": [ "mUteni" @@ -2547,8 +2581,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "tec", "rsa.misc.action": [ - "Allowed", - "tatema" + "tatema", + "Allowed" ], "rsa.misc.category": "emullamc", "rsa.misc.filter": "emveleum", @@ -2605,11 +2639,12 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.hosts": [ + "ura675.mail.localdomain", "ura675.mail.localdomain" ], "related.ip": [ - "10.131.246.134", - "10.49.242.174" + "10.49.242.174", + "10.131.246.134" ], "related.user": [ "umdolo" 
@@ -2681,11 +2716,12 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.hosts": [ + "iamea478.www5.host", "iamea478.www5.host" ], "related.ip": [ - "10.166.10.42", - "10.142.120.198" + "10.142.120.198", + "10.166.10.42" ], "related.user": [ "olori" @@ -2699,8 +2735,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "ende", "rsa.misc.action": [ - "Blocked", - "doconse" + "doconse", + "Blocked" ], "rsa.misc.category": "uovolupt", "rsa.misc.filter": "litesse", @@ -2757,6 +2793,7 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.hosts": [ + "eaque6543.api.domain", "eaque6543.api.domain" ], "related.ip": [ @@ -2833,6 +2870,7 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.hosts": [ + "eufug1756.mail.corp", "eufug1756.mail.corp" ], "related.ip": [ @@ -2909,11 +2947,12 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.hosts": [ + "orp5697.www.invalid", "orp5697.www.invalid" ], "related.ip": [ - "10.243.6.41", - "10.55.81.14" + "10.55.81.14", + "10.243.6.41" ], "related.user": [ "eiusmo" @@ -2927,8 +2966,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "idolores", "rsa.misc.action": [ - "lestia", - "Blocked" + "Blocked", + "lestia" ], "rsa.misc.category": "risni", "rsa.misc.filter": "emacc", @@ -2985,6 +3024,7 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.hosts": [ + "pariatur7238.www5.invalid", "pariatur7238.www5.invalid" ], "related.ip": [ @@ -3003,8 +3043,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "lit", "rsa.misc.action": [ - "Blocked", - "quu" + "quu", + "Blocked" ], "rsa.misc.category": "oluptate", "rsa.misc.filter": "exercita", @@ -3061,6 +3101,7 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.hosts": [ + "fficia2304.www5.home", "fficia2304.www5.home" ], "related.ip": [ 
@@ -3137,11 +3178,12 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.hosts": [ + "mquisnos7453.home", "mquisnos7453.home" ], "related.ip": [ - "10.118.177.136", - "10.134.128.27" + "10.134.128.27", + "10.118.177.136" ], "related.user": [ "Utenima" @@ -3213,6 +3255,7 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.hosts": [ + "aquio748.www.localhost", "aquio748.www.localhost" ], "related.ip": [ @@ -3231,8 +3274,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "amni", "rsa.misc.action": [ - "Allowed", - "edutp" + "edutp", + "Allowed" ], "rsa.misc.category": "ames", "rsa.misc.filter": "dmi", @@ -3289,6 +3332,7 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.hosts": [ + "remagnam796.mail.corp", "remagnam796.mail.corp" ], "related.ip": [ @@ -3365,11 +3409,12 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.hosts": [ + "etdolore4227.internal.corp", "etdolore4227.internal.corp" ], "related.ip": [ - "10.156.177.53", - "10.30.87.51" + "10.30.87.51", + "10.156.177.53" ], "related.user": [ "psaquaea" @@ -3441,6 +3486,7 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.hosts": [ + "rors1935.api.domain", "rors1935.api.domain" ], "related.ip": [ @@ -3459,8 +3505,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "tatemse", "rsa.misc.action": [ - "upta", - "Blocked" + "Blocked", + "upta" ], "rsa.misc.category": "tlabo", "rsa.misc.filter": "aliqui", @@ -3517,11 +3563,12 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.hosts": [ + "idexeac1655.internal.test", "idexeac1655.internal.test" ], "related.ip": [ - "10.180.150.47", - "10.141.195.13" + "10.141.195.13", + "10.180.150.47" ], "related.user": [ "taliq" 
@@ -3535,8 +3582,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "itesse", "rsa.misc.action": [ - "uip", - "Allowed" + "Allowed", + "uip" ], "rsa.misc.category": "teturad", "rsa.misc.filter": "roquisqu", @@ -3593,6 +3640,7 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.hosts": [ + "laboree3880.api.invalid", "laboree3880.api.invalid" ], "related.ip": [ @@ -3667,11 +3715,12 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.hosts": [ + "tecto708.www5.example", "tecto708.www5.example" ], "related.ip": [ - "10.100.143.226", - "10.22.122.43" + "10.22.122.43", + "10.100.143.226" ], "related.user": [ "ute" @@ -3743,11 +3792,12 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.hosts": [ + "ine3181.www.invalid", "ine3181.www.invalid" ], "related.ip": [ - "10.121.9.5", - "10.119.53.68" + "10.119.53.68", + "10.121.9.5" ], "related.user": [ "ssec" @@ -3819,6 +3869,7 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.hosts": [ + "tsunt3403.www5.test", "tsunt3403.www5.test" ], "related.ip": [ @@ -3893,11 +3944,12 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.hosts": [ + "pitl6126.www.localdomain", "pitl6126.www.localdomain" ], "related.ip": [ - "10.229.102.140", - "10.243.182.229" + "10.243.182.229", + "10.229.102.140" ], "related.user": [ "duntut" @@ -3911,8 +3963,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "epor", "rsa.misc.action": [ - "Allowed", - "etquasia" + "etquasia", + "Allowed" ], "rsa.misc.category": "iaturE", "rsa.misc.filter": "rep", @@ -3965,6 +4017,7 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.hosts": [ + "remaper3297.internal.test", "remaper3297.internal.test" ], "related.ip": [ 
@@ -4041,11 +4094,12 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.hosts": [ + "tamr1693.api.home", "tamr1693.api.home" ], "related.ip": [ - "10.133.102.57", - "10.53.191.49" + "10.53.191.49", + "10.133.102.57" ], "related.user": [ "onsec" @@ -4059,8 +4113,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "ecillum", "rsa.misc.action": [ - "emp", - "Blocked" + "Blocked", + "emp" ], "rsa.misc.category": "ciati", "rsa.misc.filter": "elit", @@ -4117,6 +4171,7 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.hosts": [ + "cia5990.api.localdomain", "cia5990.api.localdomain" ], "related.ip": [ @@ -4193,11 +4248,12 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.hosts": [ + "riatu2467.lan", "riatu2467.lan" ], "related.ip": [ - "10.221.20.165", - "10.7.18.226" + "10.7.18.226", + "10.221.20.165" ], "related.user": [ "uasiarch" @@ -4269,11 +4325,12 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.hosts": [ + "pici1525.www5.corp", "pici1525.www5.corp" ], "related.ip": [ - "10.178.148.188", - "10.155.252.123" + "10.155.252.123", + "10.178.148.188" ], "related.user": [ "inrepreh" @@ -4345,6 +4402,7 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.hosts": [ + "dolo6418.internal.host", "dolo6418.internal.host" ], "related.ip": [ @@ -4363,8 +4421,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "uamquaer", "rsa.misc.action": [ - "aerat", - "Blocked" + "Blocked", + "aerat" ], "rsa.misc.category": "quela", "rsa.misc.filter": "qui", @@ -4419,11 +4477,12 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.hosts": [ + "imveni193.www5.host", "imveni193.www5.host" ], "related.ip": [ - "10.112.190.154", - "10.55.38.153" + "10.55.38.153", + "10.112.190.154" ], "related.user": [ "oremeu" 
@@ -4495,11 +4554,12 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.hosts": [ + "ionu3320.api.localhost", "ionu3320.api.localhost" ], "related.ip": [ - "10.195.153.42", - "10.250.48.82" + "10.250.48.82", + "10.195.153.42" ], "related.user": [ "tsedquia" @@ -4513,8 +4573,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "tDuisaut", "rsa.misc.action": [ - "upidatat", - "Allowed" + "Allowed", + "upidatat" ], "rsa.misc.category": "aliquide", "rsa.misc.filter": "deriti", @@ -4571,11 +4631,12 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.hosts": [ + "remips1499.www.local", "remips1499.www.local" ], "related.ip": [ - "10.60.52.219", - "10.252.164.230" + "10.252.164.230", + "10.60.52.219" ], "related.user": [ "gnamali" @@ -4589,8 +4650,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "rroq", "rsa.misc.action": [ - "Blocked", - "fdeFin" + "fdeFin", + "Blocked" ], "rsa.misc.category": "diduntut", "rsa.misc.filter": "ano", @@ -4643,6 +4704,7 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.hosts": [ + "mdoloree96.domain", "mdoloree96.domain" ], "related.ip": [ @@ -4661,8 +4723,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "dipisc", "rsa.misc.action": [ - "Allowed", - "turad" + "turad", + "Allowed" ], "rsa.misc.category": "ulpaquio", "rsa.misc.filter": "ngelits", @@ -4719,6 +4781,7 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.hosts": [ + "iatnulap7662.internal.local", "iatnulap7662.internal.local" ], "related.ip": [ @@ -4793,6 +4856,7 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.hosts": [ + "sBonoru1929.example", "sBonoru1929.example" ], "related.ip": [ 
@@ -4811,8 +4875,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "modit", "rsa.misc.action": [ - "Allowed", - "uteiru" + "uteiru", + "Allowed" ], "rsa.misc.category": "qua", "rsa.misc.filter": "saute", @@ -4869,11 +4933,12 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.hosts": [ + "onorumet4871.lan", "onorumet4871.lan" ], "related.ip": [ - "10.129.66.196", - "10.7.152.238" + "10.7.152.238", + "10.129.66.196" ], "related.user": [ "equamn" @@ -4945,6 +5010,7 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.hosts": [ + "onproi4354.www5.invalid", "onproi4354.www5.invalid" ], "related.ip": [ @@ -4963,8 +5029,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "orinrep", "rsa.misc.action": [ - "squirat", - "Blocked" + "Blocked", + "squirat" ], "rsa.misc.category": "sequa", "rsa.misc.filter": "orainci", @@ -5021,6 +5087,7 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.hosts": [ + "beataevi7552.api.test", "beataevi7552.api.test" ], "related.ip": [ @@ -5097,11 +5164,12 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.hosts": [ + "rvelill1981.www.invalid", "rvelill1981.www.invalid" ], "related.ip": [ - "10.12.130.224", - "10.26.115.88" + "10.26.115.88", + "10.12.130.224" ], "related.user": [ "Nequepo" @@ -5115,8 +5183,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "tNequepo", "rsa.misc.action": [ - "rmagnido", - "Allowed" + "Allowed", + "rmagnido" ], "rsa.misc.category": "luptatem", "rsa.misc.filter": "deritq", @@ -5173,6 +5241,7 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.hosts": [ + "quia7214.example", "quia7214.example" ], "related.ip": [ 
@@ -5249,11 +5318,12 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.hosts": [ + "aturExc7343.invalid", "aturExc7343.invalid" ], "related.ip": [ - "10.146.69.38", - "10.55.192.102" + "10.55.192.102", + "10.146.69.38" ], "related.user": [ "quia" @@ -5267,8 +5337,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "omnisi", "rsa.misc.action": [ - "userro", - "Allowed" + "Allowed", + "userro" ], "rsa.misc.category": "etd", "rsa.misc.filter": "loremeum", @@ -5325,6 +5395,7 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.hosts": [ + "olo7317.www5.localhost", "olo7317.www5.localhost" ], "related.ip": [ @@ -5343,8 +5414,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "Utenim", "rsa.misc.action": [ - "Allowed", - "onevo" + "onevo", + "Allowed" ], "rsa.misc.category": "tdolore", "rsa.misc.filter": "ptasn", @@ -5401,6 +5472,7 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.hosts": [ + "uiin1342.mail.invalid", "uiin1342.mail.invalid" ], "related.ip": [ @@ -5419,8 +5491,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "ect", "rsa.misc.action": [ - "maccu", - "Blocked" + "Blocked", + "maccu" ], "rsa.misc.category": "iaecon", "rsa.misc.filter": "eni", @@ -5477,6 +5549,7 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.hosts": [ + "agna5654.www.corp", "agna5654.www.corp" ], "related.ip": [ @@ -5495,8 +5568,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "nde", "rsa.misc.action": [ - "iqu", - "Allowed" + "Allowed", + "iqu" ], "rsa.misc.category": "ametco", "rsa.misc.filter": "ntincul", @@ -5553,6 +5626,7 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.hosts": [ + "ites5711.internal.host", "ites5711.internal.host" ], "related.ip": [ 
@@ -5629,11 +5703,12 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.hosts": [ + "oluptat2848.api.home", "oluptat2848.api.home" ], "related.ip": [ - "10.55.151.53", - "10.211.66.68" + "10.211.66.68", + "10.55.151.53" ], "related.user": [ "squir" @@ -5705,11 +5780,12 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.hosts": [ + "ngelitse7535.internal.lan", "ngelitse7535.internal.lan" ], "related.ip": [ - "10.209.203.156", - "10.110.16.169" + "10.110.16.169", + "10.209.203.156" ], "related.user": [ "mes" @@ -5723,8 +5799,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "iamquisn", "rsa.misc.action": [ - "lupta", - "Blocked" + "Blocked", + "lupta" ], "rsa.misc.category": "uasiarch", "rsa.misc.filter": "usBonor", @@ -5781,6 +5857,7 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.hosts": [ + "tiumtot3611.internal.localdomain", "tiumtot3611.internal.localdomain" ], "related.ip": [ @@ -5799,8 +5876,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "omnis", "rsa.misc.action": [ - "Allowed", - "uianonnu" + "uianonnu", + "Allowed" ], "rsa.misc.category": "Excepteu", "rsa.misc.filter": "enimadmi", @@ -5857,6 +5934,7 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.hosts": [ + "gnaa4656.api.example", "gnaa4656.api.example" ], "related.ip": [ @@ -5875,8 +5953,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "lloin", "rsa.misc.action": [ - "Blocked", - "ici" + "ici", + "Blocked" ], "rsa.misc.category": "quidolor", "rsa.misc.filter": "nonproi", @@ -5933,11 +6011,12 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.hosts": [ + "psaqu6066.www5.localhost", "psaqu6066.www5.localhost" ], "related.ip": [ - "10.223.11.164", - "10.164.190.2" + "10.164.190.2", + "10.223.11.164" ], "related.user": [ "ten" 
@@ -6009,6 +6088,7 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.hosts": [ + "iavol5202.api.example", "iavol5202.api.example" ], "related.ip": [ @@ -6027,8 +6107,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "vitaedic", "rsa.misc.action": [ - "rinc", - "Blocked" + "Blocked", + "rinc" ], "rsa.misc.category": "prehende", "rsa.misc.filter": "rume", @@ -6085,11 +6165,12 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.hosts": [ + "uame1361.api.local", "uame1361.api.local" ], "related.ip": [ - "10.90.20.202", - "10.10.93.133" + "10.10.93.133", + "10.90.20.202" ], "related.user": [ "evita" @@ -6103,8 +6184,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "tat", "rsa.misc.action": [ - "Blocked", - "nia" + "nia", + "Blocked" ], "rsa.misc.category": "turQuis", "rsa.misc.filter": "nonp", @@ -6161,6 +6242,7 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.hosts": [ + "rsitame4049.internal.corp", "rsitame4049.internal.corp" ], "related.ip": [ @@ -6237,11 +6319,12 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.hosts": [ + "elit912.www5.test", "elit912.www5.test" ], "related.ip": [ - "10.75.144.118", - "10.176.233.249" + "10.176.233.249", + "10.75.144.118" ], "related.user": [ "isnos" @@ -6313,11 +6396,12 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.hosts": [ + "tat6671.www.local", "tat6671.www.local" ], "related.ip": [ - "10.149.6.107", - "10.236.55.236" + "10.236.55.236", + "10.149.6.107" ], "related.user": [ "redolo" @@ -6389,6 +6473,7 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.hosts": [ + "uis5050.www.local", "uis5050.www.local" ], "related.ip": [ 
@@ -6465,11 +6550,12 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.hosts": [ + "ficiad1312.api.host", "ficiad1312.api.host" ], "related.ip": [ - "10.141.66.163", - "10.230.61.102" + "10.230.61.102", + "10.141.66.163" ], "related.user": [ "umdolo" @@ -6541,6 +6627,7 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.hosts": [ + "itaspe921.mail.invalid", "itaspe921.mail.invalid" ], "related.ip": [ @@ -6559,8 +6646,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "issuscip", "rsa.misc.action": [ - "remap", - "Blocked" + "Blocked", + "remap" ], "rsa.misc.category": "eetdolo", "rsa.misc.filter": "rsitam", @@ -6617,6 +6704,7 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.hosts": [ + "archite4407.mail.invalid", "archite4407.mail.invalid" ], "related.ip": [ @@ -6635,8 +6723,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "neavolu", "rsa.misc.action": [ - "nofdeF", - "Blocked" + "Blocked", + "nofdeF" ], "rsa.misc.category": "remagnam", "rsa.misc.filter": "maveniam", @@ -6693,11 +6781,12 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.hosts": [ + "aria1424.mail.home", "aria1424.mail.home" ], "related.ip": [ - "10.124.81.20", - "10.250.102.42" + "10.250.102.42", + "10.124.81.20" ], "related.user": [ "tNequ" @@ -6711,8 +6800,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "ilmoles", "rsa.misc.action": [ - "Blocked", - "tatisetq" + "tatisetq", + "Blocked" ], "rsa.misc.category": "ametco", "rsa.misc.filter": "liquide", @@ -6769,6 +6858,7 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.hosts": [ + "Bonoru7444.www5.example", "Bonoru7444.www5.example" ], "related.ip": [ 
@@ -6787,8 +6877,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "proid", "rsa.misc.action": [ - "onevolu", - "Allowed" + "Allowed", + "onevolu" ], "rsa.misc.category": "iratio", "rsa.misc.filter": "odita", @@ -6841,6 +6931,7 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.hosts": [ + "icero1297.internal.domain", "icero1297.internal.domain" ], "related.ip": [ @@ -6913,6 +7004,7 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.hosts": [ + "oloremeu5047.www5.invalid", "oloremeu5047.www5.invalid" ], "related.ip": [ @@ -6989,11 +7081,12 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.hosts": [ + "edutpe1255.internal.lan", "edutpe1255.internal.lan" ], "related.ip": [ - "10.98.126.206", - "10.195.62.230" + "10.195.62.230", + "10.98.126.206" ], "related.user": [ "ptassit" @@ -7007,8 +7100,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "isnost", "rsa.misc.action": [ - "oriosa", - "Allowed" + "Allowed", + "oriosa" ], "rsa.misc.category": "uis", "rsa.misc.filter": "nemul", @@ -7065,6 +7158,7 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.hosts": [ + "nderit1171.www5.domain", "nderit1171.www5.domain" ], "related.ip": [ @@ -7083,8 +7177,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "ntut", "rsa.misc.action": [ - "Blocked", - "nima" + "nima", + "Blocked" ], "rsa.misc.category": "boru", "rsa.misc.filter": "umquia", @@ -7141,6 +7235,7 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.hosts": [ + "nos4114.api.lan", "nos4114.api.lan" ], "related.ip": [ @@ -7217,6 +7312,7 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.hosts": [ + "oremeum4231.internal.host", "oremeum4231.internal.host" ], "related.ip": [ 
@@ -7235,8 +7331,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "rrorsi", "rsa.misc.action": [ - "exe", - "Allowed" + "Allowed", + "exe" ], "rsa.misc.category": "mnihi", "rsa.misc.filter": "consequa", @@ -7293,6 +7389,7 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.hosts": [ + "ueip6097.api.host", "ueip6097.api.host" ], "related.ip": [ @@ -7311,8 +7408,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "olupt", "rsa.misc.action": [ - "Blocked", - "temvele" + "temvele", + "Blocked" ], "rsa.misc.category": "natuser", "rsa.misc.filter": "amnihil", @@ -7369,11 +7466,12 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.hosts": [ + "fugiatqu7793.www.localdomain", "fugiatqu7793.www.localdomain" ], "related.ip": [ - "10.26.149.221", - "10.217.193.148" + "10.217.193.148", + "10.26.149.221" ], "related.user": [ "uisa" @@ -7445,6 +7543,7 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.hosts": [ + "onsequ3168.www.corp", "onsequ3168.www.corp" ], "related.ip": [ @@ -7521,11 +7620,12 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.hosts": [ + "oremquel3120.internal.localhost", "oremquel3120.internal.localhost" ], "related.ip": [ - "10.119.106.108", - "10.135.38.213" + "10.135.38.213", + "10.119.106.108" ], "related.user": [ "ore" diff --git a/x-pack/filebeat/module/zscaler/zia/test/test.log-expected.json b/x-pack/filebeat/module/zscaler/zia/test/test.log-expected.json index d2e89ea6140..b138a4f3b75 100644 --- a/x-pack/filebeat/module/zscaler/zia/test/test.log-expected.json +++ b/x-pack/filebeat/module/zscaler/zia/test/test.log-expected.json @@ -18,6 +18,7 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.hosts": [ + "", "" ], "related.user": [ 
@@ -31,8 +32,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "", "rsa.misc.action": [ - "", - "" + "", + "" ], "rsa.misc.category": "", "rsa.misc.filter": "",